{{Infobox cryptographic hash function
| name = Very Smooth Hash (VSH)
| image =
| caption =
<!-- General -->
| designers = [[Scott Contini]], [[Arjen Lenstra|Arjen K. Lenstra]], [[Ron Steinfeld]]
| publish date = 2005
| series =
| derived from =
| derived to = VSH*
| related to =
| certification =
<!-- Detail -->
| digest size = 1024 bits and up
| structure =
| rounds =
| cryptanalysis =
}}

In [[cryptography]], '''Very Smooth Hash (VSH)''' is a {{not a typo|provably}} secure [[cryptographic hash function]] invented in 2005 by Scott Contini, Arjen Lenstra and Ron Steinfeld.<ref name="main">{{Citation
| last1 = Contini | first1 = S.
| last2 = Lenstra | first2 = A.
| last3 = Steinfeld | first3 = R.
| contribution = VSH, an Efficient and Provable Collision-Resistant Hash Function.
| year = 2005
| contribution-url = http://eprint.iacr.org/2005/193.pdf }}</ref>
[[Provably secure cryptographic hash function|Provably secure]] means that finding collisions is as difficult as some known hard mathematical problem. Unlike other {{not a typo|provably}} secure [[Collision resistance|collision-resistant]] hashes, VSH is efficient and usable in practice. [[Big O notation|Asymptotically]], it requires only a single multiplication per log(''n'') message bits and uses RSA-type arithmetic. Therefore, VSH can be useful in embedded environments where code space is limited.

Two major variants of VSH were proposed. For one, finding a [[Collision resistance|collision]] is {{not a typo|provably}} as difficult as finding a nontrivial modular square root of a very smooth number modulo ''n''. The other uses a prime modulus ''p'' (with no [[Trapdoor function|trapdoor]]), and its security proof relies on the hardness of finding discrete logarithms of very smooth numbers modulo ''p''. Both versions have similar efficiency.

VSH is not suitable as a substitute for a [[random oracle]], but can be used to build a {{not a typo|provably}} secure randomized trapdoor hash function. This function can replace the [[trapdoor function]] used in the [[Cramer–Shoup cryptosystem|Cramer-Shoup signature scheme]], maintaining its provable security while speeding up verification time by about 50%.

== VSN and VSSR ==
None of the cryptographic hash functions now in wide use is based on a hard mathematical problem. The few functions that are built on hard mathematical problems are called [[Provably secure cryptographic hash function|provably secure]]: [[Collision resistance|finding collisions]] is then known to be as hard as solving the underlying problem. For the basic version of the Very Smooth Hash function, this hard problem is finding modular square roots (VSSR) of certain special numbers (VSN).<ref name="main" /> This is assumed to be as hard as [[Integer factorization|factoring integers]].

For a fixed constant ''c'' and an integer ''n'', an integer ''m'' is a '''Very Smooth Number (VSN)''' if the largest prime factor of ''m'' is at most (log ''n'')<sup>''c''</sup>.

An integer ''b'' is a '''Very Smooth Quadratic Residue''' modulo ''n'' if the largest prime in ''b''’s factorization is at most (log ''n'')<sup>''c''</sup> and there exists an integer ''x'' such that <math>b \equiv x^2 \mod n</math>. The integer ''x'' is said to be a [[Quadratic residue|Modular Square Root]] of ''b''.

We are interested only in non-trivial square roots, those where ''x''<sup>2</sup> ≥ ''n''. If ''x''<sup>2</sup> < ''n'', the reduction modulo ''n'' never takes effect, so the root can be computed easily with algorithms for fields of [[Characteristic (algebra)|characteristic]] 0, such as the real numbers. Such roots are therefore of no use in cryptographic primitives.

'''Very Smooth Number Nontrivial Modular Square Root (VSSR)''' is the following problem: Let ''n'' be the product of two unknown primes of approximately the same size and let <math>k\le(\log n)^c</math>. Let <math>p_1 = 2, p_2 = 3, p_3 = 5,\dots </math> be the sequence of primes. Given ''n'', find <math>x \in \mathbb{Z}^*_n</math> such that <math>\textstyle x^2 \equiv \prod_{i=0}^k p_i^{e_i} \pmod n</math> and at least one of ''e''<sub>0</sub>,...,''e''<sub>''k''</sub> is odd.

The '''VSSR assumption''' is that there is no [[PP (complexity)|probabilistic polynomial]] (in <math>\log n</math>) time algorithm which solves VSSR with [[Negligible function|non-negligible]] probability. On its own this assumption is of little use in practice because it does not say for which modulus sizes VSSR is computationally hard. Instead the '''computational VSSR assumption''' is used: solving VSSR is assumed to be as hard as [[Integer factorization|factoring]] a hard-to-factor <math>s</math>-bit modulus, where <math>s</math> is somewhat smaller than the size of <math>n</math>.

=== Examples of VSN and VSSR ===
Let the parameters be fixed as follows: <math>c=5</math> and <math>n=31</math>.

Then <math>m_1 = 35 = 5 \cdot 7</math> is a Very Smooth Number with respect to these parameters because <math>(\log 31)^5 \approx 7.37</math> is greater than all of <math>m_1</math>'s prime factors. On the other hand, <math>m_2 = 55 = 5\cdot 11</math> is not a VSN under <math>c=5</math> and <math>n=31</math>.

The integer <math>b_1 = 9</math> is a Very Smooth Quadratic Residue modulo <math>n</math> because it is a Very Smooth Number (under <math>c, n</math>) and we have <math>x_1 = 3</math> such that <math>x_1^2 = b_1</math> (mod <math>n</math>). This is a trivial modular square root, because <math>3^2 < n</math> and so the modulus is not involved when squaring.

The integer <math>b_2 = 15</math> is also a Very Smooth Quadratic Residue modulo <math>n</math>. All its prime factors are smaller than 7.37 and the Modular Square Root is <math>x_2 = 20</math> since <math>20^2 = 400 \equiv 15</math> (mod <math>n</math>). This is thus a non-trivial root. The VSSR problem is to find <math>x_2</math> given <math>b_2</math> and <math>n</math>, and this is assumed to be computationally as hard as factoring <math>n</math>.
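
As an added example that is not part of the original article, the following Python code applies the VSN and Very Smooth Quadratic Residue definitions with the parameters above (''c'' = 5, ''n'' = 31) and goes beyond the two numbers discussed by enumerating every very smooth quadratic residue modulo ''n'' together with its trivial and non-trivial roots. It assumes the base-10 logarithm, since (log 31)<sup>5</sup> ≈ 7.37 only holds for log<sub>10</sub>; the function names are the example's own.

```python
from math import log10

def largest_prime_factor(m: int) -> int:
    """Largest prime factor of m (m >= 1) by trial division; 1 if m == 1."""
    largest, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            largest, m = d, m // d
        d += 1
    return max(largest, m) if m > 1 else largest

def is_vsn(m: int, c: int, n: int) -> bool:
    """Very Smooth Number: the largest prime factor of m is at most (log n)^c.
    Base-10 logarithm assumed, matching the page's value (log 31)^5 = 7.37."""
    return largest_prime_factor(m) <= log10(n) ** c

def modular_square_roots(b: int, n: int) -> list:
    """All x in [1, n-1] with x^2 = b (mod n), by brute force (toy n only)."""
    return [x for x in range(1, n) if x * x % n == b % n]

def very_smooth_quadratic_residues(c: int, n: int) -> dict:
    """Map every very smooth quadratic residue b mod n to its roots, each tagged
    'trivial' (x^2 < n, so the modulus never acts) or 'nontrivial' (x^2 >= n)."""
    table = {}
    for b in range(1, n):
        if not is_vsn(b, c, n):
            continue
        roots = modular_square_roots(b, n)
        if roots:
            table[b] = [(x, "trivial" if x * x < n else "nontrivial") for x in roots]
    return table

if __name__ == "__main__":
    C, N = 5, 31                       # the page's parameters
    print(f"(log {N})^{C} = {log10(N) ** C:.2f}")
    print("35 is a VSN:", is_vsn(35, C, N), "| 55 is a VSN:", is_vsn(55, C, N))
    for b, roots in very_smooth_quadratic_residues(C, N).items():
        print(f"b = {b:2d}: roots {roots}")
```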

== VSH Algorithm, basic versions ==
Let <math>n</math> be a large RSA composite and let <math>p_1 = 2, p_2 = 3, \ldots</math> be the sequence of primes. Let <math>k</math>, the block length, be the largest integer such that <math>\textstyle \prod_{i = 1}^k p_i < n</math>. Let <math>m</math> be an <math>\ell</math>-bit message to be hashed, consisting of bits <math>(m_1,\ldots,m_{\ell})</math>, and assume that <math>\ell < 2^k</math>. To compute the hash of <math>m</math>:
# ''x''<sub>0</sub> = 1
# Let <math>L</math>, the smallest integer greater than or equal to <math>\ell/k</math>, be the number of blocks. Let <math>m_i = 0</math> for <math>\ell < i \leq Lk</math> (padding).
# Let <math>\textstyle \ell = \sum_{i=1}^k \ell_i 2^{i-1}</math> with <math>\ell_i \in \{0, 1\}</math> be the binary representation of the message length <math>\ell</math> and define <math>m_{Lk+i}= \ell_i</math> for <math>1 \leq i \leq k</math>.
# For ''j'' = 0, 1, ..., ''L'' in succession compute <math>x_{j+1} = x_j^2 \prod_{i=1}^k p_i^{m_{jk+i}} \bmod n</math>.
# Return ''x''<sub>''L'' + 1</sub>.
The function in step 4 is called the compression function.

== Properties of VSH ==
* The message length does not need to be known in advance.
* The central theorem states that finding a collision in VSH is as hard as solving VSSR. Thus VSH is (strongly) [[collision resistant]], which also implies second-preimage resistance. VSH has not been proven to be preimage resistant.
* A curious feature of VSH is that the compression function is not collision-resistant. Nonetheless, the hash function VSH is collision-resistant under the VSSR assumption. An altered version of VSH, called '''VSH*''', has a collision-resistant compression function and is furthermore about 5 times faster when hashing short messages.
* Since the output length of VSH is the length of a secure RSA modulus, VSH seems quite suitable in practice for constructing 'hash-then-sign' RSA signatures for arbitrarily long messages. However, such a signature must be designed carefully to ensure its security; the naive approach can be broken easily under a [[Ciphertext indistinguishability|chosen plaintext attack (CPA)]].
* [[Analysis of algorithms|Efficiency]]: the cost of each iteration is less than that of 3 modular multiplications. Altogether the basic version of VSH requires a single multiplication per <math>\Omega(\log n/\log\log n)</math> message bits.

== Variants of VSH ==
Several improvements, speedups and more efficient variants of VSH have been proposed.<ref name="main" /> None of them changes the underlying concept of the function. These improvements are called:

* Cubing VSH (instead of squaring).
* VSH with increased number of small primes.
* VSH with precomputed products of primes.
* Fast VSH.
* Fast VSH with increased block length.

== VSDL and VSH-DL variant ==
'''VSH-DL''' is a discrete logarithm variant of VSH that has no [[Trapdoor function|trapdoor]]; its security depends on the difficulty of finding discrete logarithms modulo a prime ''p''.<ref name="main" />

'''Very Smooth Number Discrete Logarithm (VSDL)''' is the problem of finding the [[discrete logarithm]] of a given very smooth number modulo some number ''n''.

As in the previous section, <math>p_i</math> denotes the <math>i</math>-th prime. Let furthermore <math>c</math> be a fixed constant and <math>p</math>, <math>q</math> be primes with <math>p = 2q + 1</math>, and let <math>k \leq (\log p)^c</math>. VSDL is the following problem: given <math>p</math>, find integers <math>e_1,...,e_k</math> such that <math>2^{e_1} \equiv \prod_{i=2}^k p_i^{e_i} \mod p</math> with <math>|e_i| < q</math> for <math>i = 1,...,k</math> and at least one of <math>e_1,...,e_k</math> non-zero.

The '''VSDL assumption''' is that there is no [[PP (complexity)|probabilistic polynomial]] (in <math>\log p</math>) time algorithm which solves VSDL with [[Negligible function|non-negligible]] probability. There is a strong connection between the hardness of VSDL and the hardness of computing discrete logarithms modulo <math>p</math>, which is reminiscent of, but somewhat weaker than, the connection between VSSR and integer factorization.

== Security of VSH ==
Strong [[collision resistance]] is the only property proven for VSH. This does not imply preimage resistance or other important hash function properties, and the authors state that “VSH should not be used to model [[random oracle]]s,” so it cannot be substituted into constructions that depend upon them ([[RSA (algorithm)|RSA signatures]], some [[Message authentication code|MACs]]).<ref name="main" /> VSH should not be considered a general-purpose hash function as usually understood in security engineering.

=== Multiplicative property ===
VSH is multiplicative: let ''x'', ''y'', and ''z'' be three bit strings of equal length, where ''z'' consists only of zero bits and the strings satisfy ''x'' AND ''y'' = ''z''. It is easy to see that ''H''(''z'')''H''(''x'' OR ''y'') ≡ ''H''(''x'')''H''(''y'') (mod ''n''). As a result VSH succumbs to a classical time-memory trade-off attack that applies to multiplicative and additive hashes.

This fact can be used to construct a preimage attack against VSH of <math>\ell</math> bits which has <math>2^{\ell/2}</math> complexity rather than <math>2^\ell</math> as expected.
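
The following added example (not code from the VSH paper or from this article) implements the basic algorithm of the section "VSH Algorithm, basic versions" above and then verifies the multiplicative relation ''H''(''z'')''H''(''x'' OR ''y'') ≡ ''H''(''x'')''H''(''y'') (mod ''n'') just stated. The modulus <code>TOY_N</code> is a constructed toy value, far too small to be secure, and message bits are taken most-significant-bit first within each byte, a convention the page does not specify.

```python
from math import prod

# Constructed toy modulus (product of two small primes): far too small to be
# secure, chosen only so the arithmetic is easy to follow.  Not from the page.
TOY_N = 1000003 * 1000033

def small_primes(count: int) -> list:
    """The first `count` primes p_1 = 2, p_2 = 3, ..., by trial division."""
    primes, candidate = [], 2
    while len(primes) < count:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes

def block_length(n: int) -> int:
    """Block length k: the largest integer with p_1 * p_2 * ... * p_k < n."""
    k = 0
    while prod(small_primes(k + 1)) < n:
        k += 1
    return k

def vsh(message: bytes, n: int) -> int:
    """Basic VSH of `message` under modulus n, following steps 1-5 of the page.
    Message bits are taken most-significant-bit first within each byte."""
    k = block_length(n)
    primes = small_primes(k)
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    length = len(bits)                         # l, the message length in bits
    if length >= 2 ** k:
        raise ValueError("message length must be below 2^k bits")
    blocks = -(-length // k)                   # L = ceil(l / k)
    bits += [0] * (blocks * k - length)        # zero padding up to L*k bits
    bits += [(length >> i) & 1 for i in range(k)]  # length block, l_1 = LSB
    x = 1                                      # x_0
    for j in range(blocks + 1):                # j = 0 ... L (last block = length)
        block = bits[j * k:(j + 1) * k]
        x = x * x * prod(p for p, bit in zip(primes, block) if bit) % n
    return x

def multiplicative_check(x: bytes, y: bytes, n: int) -> bool:
    """Return True iff H(z) * H(x OR y) == H(x) * H(y) (mod n), where x and y
    have equal length and no common set bits and z is the all-zero string."""
    if len(x) != len(y) or any(a & b for a, b in zip(x, y)):
        raise ValueError("x and y must have equal length and x AND y == 0")
    z = bytes(len(x))
    x_or_y = bytes(a | b for a, b in zip(x, y))
    return vsh(z, n) * vsh(x_or_y, n) % n == vsh(x, n) * vsh(y, n) % n

if __name__ == "__main__":
    print("block length k =", block_length(TOY_N))          # 11 for TOY_N
    print("H(0x80) =", vsh(b"\x80", TOY_N))                 # 2^2 * 7 = 28
    print("H(z)H(x|y) == H(x)H(y) mod n:",
          multiplicative_check(b"\xf0\xf0", b"\x0f\x0f", TOY_N))
```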

== Attack against truncated version ==
VSH produces a very long hash (typically 1024 bits). There are no indications that a truncated VSH hash offers security that is commensurate with the hash length.

There exists a partial collision attack on VSH truncated to its least significant <math>\ell</math> bits.<ref name="attack">{{Citation
| last1 = Saarinen | first1 = M.-J. O.
| contribution = Security of VSH in the Real World
| year = 2006
| contribution-url = http://www.tcs.hut.fi/~mjos/doc/saarinen_vsh.pdf }}</ref>

The complexity of this attack is:
* Pre-computing the table offline: <math>2^{\ell/3}</math> time and space.
* Finding collisions: <math>2^{\ell/3}</math> iterations.
* Total cost: roughly <math>2^{\ell/3}</math>, rather than <math>2^{\ell/2}</math> as expected from a hash function with good pseudorandomness properties.

This probably rules out the applicability of VSH in digital signature schemes which produce signatures shorter than the VSH hash result, such as elliptic curve signature schemes.

== References ==
{{Reflist}}

== See also ==
* [[Cryptographic hash functions]]
* [[Provably secure cryptographic hash function]]

{{Cryptography navbox | hash}}

[[Category:Cryptographic hash functions]]