METHOD FOR THE CONSTRUCTION OF HASH FUNCTIONS BASED ON SYLVESTER MATRICES, BALANCED INCOMPLETE BLOCK DESIGNS AND
ERROR-CORRECTING CODES
RELATED APPLICATIONS
This application relates to our corresponding Application filed on the same date and entitled "A Key Agreement Protocol Based On Network Dynamics."
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to hash functions for mapping a set of input values S to a set of output values T. More particularly, the present invention relates to hash functions for mapping a set of keys S to a set of target values T, which hash functions can be used to detect whether two elements s, s' ∈ S are in fact the same element and to respectively store and retrieve data into and from a memory.
2. Discussion of the Related Art
Hash functions are transformations that map from larger domains to smaller ranges. In many applications, such as digital signatures, it is necessary to have an irreversible function which takes an input string and returns a bit string of fixed length. Such one-way functions are referred to as one-way hash functions.
Hashing also may be viewed as a way to assign an abbreviation to a name. In this case the property of giving different results for different inputs is a desirable one. In practice, this property is required to be true "most of the time." That is, there should be a very low probability of getting the same result whenever the inputs are different. Hash functions having this property are usually referred to as "collision free" [10].
Hash functions commonly used in encryption systems include the message digest (MD5), the secure hash algorithm (SHA) and the secure hash standard (SHS); they are based on subjecting the input(s) to several rounds of certain modular arithmetic operations and taking appropriate sub-strings from the results. Other techniques involve the use of substitution boxes (S-boxes) or even the use of encryption algorithms, such as the data encryption standard (DES) and the advanced encryption standard (AES), since encryption algorithms can be considered as particular cases of hash functions.
Yet another and more general approach is to choose (randomly or not) one or more hash functions from a large set of such functions such that the resulting hash is some combination of the results of the application of these hash functions to the same input.
SUMMARY OF THE INVENTION
The present invention provides a hash function H such that for two strings s and s' the condition s ≠ s' can be detected by applying this hash function H to each string and checking that H(s) ≠ H(s'). Conversely, by using the present invention, evidence for the equality of s and s' can be obtained by verifying that H(s) = H(s') for many different hash functions H.
Consider the case where S consists of a subset of the vector space of dimension n over the finite field having only two elements, 0 and 1. That is to say, assume that S is a set of strings s of binary bits, each string having length n.
Similarly, assume that T is a subset of the vector space of dimension m over the same finite field. That is to say, assume that T is a set of strings of binary bits, each string having length m.
Suppose further that it is desired to map S to T using a hash function H. The values of a hash function H may be written as a combination, such as a concatenation, of functions H(s) = (h1(s), h2(s), ..., hm(s)) where each function hi(s) ∈ {0,1}. The function H is completely determined by the projected functions h1, h2, ..., hm. Therefore it suffices to consider hash functions which take their values in the finite field {0,1}. In summary, hash functions mapping a set of binary n-vectors to the set {0,1} are constructed by the present invention.
The present invention provides a method and apparatus for constructing a hash function H that maps strings s of S to strings H(s) of T, wherein H(s) = (h1(s), h2(s), ..., hm(s)) such that each hi(s) ∈ {0, 1}, all hi(s) being based on one of Sylvester matrices, balanced incomplete block designs, and error-correcting codes.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates construction of a hash function according to an embodiment of the present invention employing block designs.
FIG. 2 illustrates construction of a hash function according to an embodiment of the present invention employing algebraic codes.
FIG. 3 illustrates construction of a hash function according to the present invention for an input key corresponding to data to be stored/retrieved in/from a memory by a computer apparatus.
FIG. 4 illustrates a computer apparatus at cryptographic station A and B that employs a hash function constructed according to the present invention to obtain an unconditionally secure cryptographic key from the keys received at each station.
FIG. 5 illustrates determining equality of two input strings by a computer apparatus at stations A and B using a hash function H constructed according to the present invention.
FIG. 6 illustrates a computer apparatus obtaining a cryptographic digital signature from an algorithm that uses a hash function, the hash function being constructed according to the present invention.
FIG. 7 illustrates a computer apparatus constructing a hash function according to the present invention for a given input string and then using this hash function to perform cryptographic message authentication.
DETAILED DESCRIPTION OF THE INVENTION
The present invention provides a method for obtaining a hash function H = (h1(s), h2(s), ..., hm(s)) over a given finite field using Sylvester matrices, block designs or algebraic codes.
Hash Functions Using Block Designs
Referring now to FIG. 1, a suitable hash function H(s) = (h1(s), h2(s), ..., hn-t(s)) can be obtained in the following way. Let s = (s1, s2, ..., sn) 10 be a binary vector of length n. In one preferred embodiment, a set of n - t functions {h1(s), h2(s), ..., hn-t(s)}, where t > 0, is obtained as follows.
(1) Choose a family F of n-t linearly independent (with respect to symmetric difference) subsets of an n-set Ω = {1, 2, 3, ..., n}.
(2) Write F = {F1, F2, ..., Fn-t}, e.g., as the first n-t rows of an n x n matrix 20.
(3) Then define h1, h2, ..., hn-t by hj(s) = (Σ_{w ∈ Fj} sw) (mod 2), wherein 1 ≤ j ≤ n-t. These functions are described in [1] and [2]. Of course any such family F may suffice.
(4) Set H(s) = (h1(s), h2(s), ..., hn-t(s)).
However, in a preferred embodiment, when H is employed to encrypt S in order to maximize the difficulty of eavesdropping, F is constructed so that it has regularity properties. That is, it is required that the subsets in F be "well spread out." Ideally the family F has the property that any two elements in Ω lie in a constant number of subsets in F. Further, it is desirable also that each subset in F has the same cardinality and that two different subsets in F intersect in a constant number of elements. Indeed these are the criteria that motivated the design of experiments in statistics [3], [4], leading to the combinatorial study of block designs (see [5] and [6]).
In cryptography a condition known as the Avalanche Criterion (AC) is used in the analysis of S-boxes or substitution boxes (see for example [7], [8]), in which each S-box takes a 6-bit input and produces a 4-bit output such that bits of a ciphertext depend on bits of a plaintext and bits of a key used to encrypt the plaintext to produce the ciphertext. The present invention adapts this criterion to hash functions such that, given a set of hash functions with values in {0,1}, if one bit of the input string is changed then the Avalanche Criterion requires that about half of the hash functions should change their output values.
In a preferred embodiment of the present invention, block designs are employed to construct a family of hash functions that satisfies all of these desirable criteria. A particular kind of block design arises from Sylvester matrices, the so-called Hadamard designs. Let H denote a 4t x 4t Hadamard matrix. This means that every entry in H is a 1 or -1 and that HH^T = 4t I4t, where I4t is the 4t x 4t identity matrix. Assume that such a matrix exists. There is a long-standing open conjecture that at least one 4t x 4t Hadamard matrix exists for every t. This conjecture has been verified for all t ≤ 117. Furthermore, for infinitely many larger values of t, it is known that a 4t x 4t Hadamard matrix does exist.
Suppose that H has been normalized so that its first row and first column consist entirely of 1's. A new (4t-1) x (4t-1) matrix H̄ is constructed, all of whose entries are either 0 or 1, as follows. The first row and first column (consisting of all 1's) are deleted from H and then every -1 in the remaining matrix is changed to 0. The resulting matrix is H̄. This matrix is the incidence matrix 20 of a block design with v = 4t-1, k = 2t-1 and λ = t-1. This design is called a Hadamard 2-design.
For each row r of H̄ define a linear hash function hr which maps a (4t-1)-vector into its dot product with the row r. These 4t-1 different hash functions satisfy the Avalanche Criterion as well as the other desirable conditions listed above.
If t is odd then these 4t-1 linear hash functions are linearly independent. This fails if t is even. However, in this case, a large subset of the 4t-1 hash functions is linearly independent.
Suppose that n ≢ 3 (mod 4). Then a Hadamard design of size n cannot be constructed. In this case, a preferred embodiment of the present invention requires the use of the least integer n' > n with n' ≡ 3 (mod 4) and the extension of input strings to length n' by padding on the right with (at most 3) zeroes. This results in n' hash functions which are linearly dependent.
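As an added worked example (not the application's own code), the following Python carries out steps (1)-(4) of the block-design construction with the family F taken from a Hadamard 2-design as described above: it builds a Sylvester matrix of order 8 (t = 2) and, as an assumed alternative construction not named on the page, a Paley matrix of order 12 (t = 3), normalises each, deletes the first row and column, maps -1 to 0, and uses the rows as the hash functions hj. It then checks the design parameters (v, k, λ), the avalanche behaviour under a one-bit change (r/v = (2t-1)/(4t-1), about one half), and the GF(2) rank, which exhibits the linear dependence for even t and the independence for odd t stated in the text. All input strings are constructed sample values.

```python
# Added example: hash functions from Hadamard 2-designs (not the application's code).

def sylvester_hadamard(k):
    """Sylvester Hadamard matrix of order 2**k with entries +1/-1:
    H[i][j] = (-1)**popcount(i & j). Its first row and column are all +1."""
    n = 1 << k
    return [[-1 if bin(i & j).count("1") % 2 else 1 for j in range(n)]
            for i in range(n)]

def paley_hadamard(q):
    """Paley type-I Hadamard matrix of order q + 1 for a prime q = 3 (mod 4)
    (assumed alternative construction, used here to obtain an odd t = (q+1)/4)."""
    assert q % 4 == 3
    residues = {(x * x) % q for x in range(1, q)}
    def chi(a):  # Legendre symbol modulo q
        a %= q
        return 0 if a == 0 else (1 if a in residues else -1)
    n = q + 1
    H = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            if i == j or i == 0:
                H[i][j] = 1
            elif j == 0:
                H[i][j] = -1
            else:
                H[i][j] = chi(j - i)
    return H

def is_hadamard(H):
    """Every entry is +1/-1 and H * H^T = n * I."""
    n = len(H)
    return all(abs(x) == 1 for row in H for x in row) and all(
        sum(H[a][c] * H[b][c] for c in range(n)) == (n if a == b else 0)
        for a in range(n) for b in range(n))

def normalize(H):
    """Negate rows/columns so that the first row and column are all +1
    (negating a row or column keeps the matrix Hadamard)."""
    H = [row[:] for row in H]
    for i in range(len(H)):
        if H[i][0] == -1:
            H[i] = [-x for x in H[i]]
    for j in range(len(H)):
        if H[0][j] == -1:
            for row in H:
                row[j] = -row[j]
    return H

def hadamard_2_design(H):
    """Delete the first row and column of the normalised matrix and map -1 -> 0.
    The rows are the blocks of a 2-(4t-1, 2t-1, t-1) design; row j is the subset F_j."""
    H = normalize(H)
    return [[1 if x == 1 else 0 for x in row[1:]] for row in H[1:]]

def design_hash(F, s):
    """H(s) = (h_1(s), ..., h_{4t-1}(s)), h_j(s) = sum_{w in F_j} s_w mod 2,
    i.e. the dot product of s with row j of the incidence matrix over GF(2)."""
    assert all(len(row) == len(s) for row in F)
    return tuple(sum(f & b for f, b in zip(row, s)) % 2 for row in F)

def design_parameters(F):
    """Return (v, {block sizes}, {blocks through each pair}, {blocks through each point});
    for a 2-design the three sets are the singletons {k}, {lambda}, {r}."""
    v = len(F[0])
    k = {sum(row) for row in F}
    lam = {sum(row[a] & row[b] for row in F) for a in range(v) for b in range(a + 1, v)}
    r = {sum(row[a] for row in F) for a in range(v)}
    return v, k, lam, r

def gf2_rank(rows):
    """Rank over GF(2) of 0/1 row vectors, by elimination on integer bitmasks."""
    masks = [int("".join(map(str, r)), 2) for r in rows]
    rank = 0
    while masks:
        pivot = max(masks)
        masks.remove(pivot)
        if pivot == 0:
            break
        top = pivot.bit_length() - 1
        masks = [m ^ pivot if (m >> top) & 1 else m for m in masks]
        rank += 1
    return rank

def avalanche_fraction(F, s):
    """Average fraction of hash outputs that change when one input bit is flipped.
    For a symmetric design this equals r/v = (2t-1)/(4t-1), close to 1/2."""
    base = design_hash(F, s)
    changed = 0
    for i in range(len(s)):
        flipped = list(s)
        flipped[i] ^= 1
        changed += sum(a != b for a, b in zip(base, design_hash(F, flipped)))
    return changed / (len(s) * len(F))

if __name__ == "__main__":
    F = hadamard_2_design(sylvester_hadamard(3))   # order 8, t = 2: a 2-(7,3,1) design
    s = [1, 0, 1, 1, 0, 0, 1]                       # constructed sample input
    print("H(s) =", design_hash(F, s))
    print("(v, k, lambda, r):", design_parameters(F), "GF(2) rank:", gf2_rank(F))
    print("avalanche fraction:", avalanche_fraction(F, s))
```

For the order-8 Sylvester matrix the seven blocks are the lines of the Fano plane and only four of the seven hash functions are independent (t = 2 is even); for the Paley matrix of order 12 all eleven hash functions are independent (t = 3 is odd), matching the statement above.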
Hash Functions Using Algebraic Codes
Traditionally in cryptography binary codes are used as follows (see [9]). A string x is embedded in a code-word x̄ belonging to some code C, where x̄ is obtained from x by adjoining to x parity bits corresponding to C. Traditional approaches, on the assumption of few errors, attempt to decode x from x̄. Here a new approach is provided by the present invention.
Recall that the hash function H is constructed to help decide whether two elements s and s' of S are equal. Consider the special situation where it is known (or known with high probability) that the Hamming distance between s and s' is less than some small integer d. In other words it is known that the number of bits where s and s' differ is less than d.
Referring now to FIG. 2, consider an r x n matrix K 30 which is the parity check matrix of a code of minimum distance at least d. This means that the subspace of vectors perpendicular to every row of K 30 contains only one vector of Hamming weight less than or equal to d, namely, the zero vector. For each row r of K 30 define a function hr by taking hr(s) to be the dot product of row r and vector s. Thus, given vectors s and s' such that hr(s) = hr(s') for all rows r of K 30, then s + s' is an element of the code of minimum distance d. Therefore either s = s' or else the Hamming distance between s and s' is at least d (s differs from s' by at least d bits) and the desired hash function is H(s) =
Suppose that n is some integer with 64 < n ≤ 128 and that A and B are two binary vectors of length n. An 8 x 128 parity check matrix K 30 is constructed. First, a 7 x 128 matrix K̄ is constructed. Consider the 128 columns of K̄. All 128 columns of K̄ should be distinct (different). Take the first 8 columns of K̄ to be:
The remaining 120 distinct columns of K̄ may be arranged in any order, say in lexicographic order.
Next, K 30 is obtained from K̄ by adding a row consisting entirely of 1's to the top of K̄. Then K 30 is the parity check matrix for a code of minimum distance 4. There are 8 hash functions h1, h2, ..., h8 obtained by defining hi to be the dot product 40 with row i of K 30. Now if n < 128, A and B are extended to new binary strings A' and B' of length 128 by adding 0's to the right of A and B. (Equivalently, the last 128-n columns may be truncated from K 30.) Now if hi(A') = hi(B') for all i = 1, 2, ..., 8 then either A' = B' or else the Hamming distance from A' to B' is at least 4. Thus, clearly, either A = B or the Hamming distance from A to B is at least 4. The desired hash function is H(A) = (h1(A), ..., h8(A)).
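As an added worked example (not the application's own code), the following Python builds the 8 x 128 parity check matrix K of the construction above and hashes a string of up to 128 bits to its 8 syndrome bits. The page does not show its choice of the first 8 columns of K̄; the layout used here (the zero column, then the seven unit vectors, then the other 120 columns in lexicographic order) is an assumption. The example checks the two properties that give minimum distance 4, verifies that every one-bit change is detected, exhibits a weight-4 change that is not (so "equal hashes means equal or at least 4 bits apart" is tight), and illustrates the concealment argument of the Security section that follows: with the assumed layout the first 8 columns form an invertible block, so over all 256 choices of the first 8 bits the 8 hash values are a bijection and reveal nothing about the remaining bits. Input strings are constructed sample values.

```python
# Added example: hash from the parity-check matrix of a distance-4 code
# (not the application's code; the column layout of K̄ is an assumption).
from itertools import product

N = 128
UNITS = [1 << (6 - i) for i in range(7)]      # 1000000, 0100000, ..., 0000001
# Assumed column order: zero column, seven unit vectors, then the remaining
# columns in lexicographic (= numeric) order; all 128 distinct 7-bit vectors occur.
COLS = [0] + UNITS + [c for c in range(128) if c not in [0] + UNITS]

def build_kbar():
    """7 x 128 matrix whose columns are the 7-bit vectors listed in COLS."""
    return [[(c >> (6 - i)) & 1 for c in COLS] for i in range(7)]

def build_k():
    """K = an all-ones row on top of K̄: parity check matrix of a [128,120,4] code."""
    return [[1] * N] + build_kbar()

K = build_k()

def pad(s):
    """Extend a string of n <= 128 bits to length 128 with 0's on the right."""
    assert len(s) <= N
    return list(s) + [0] * (N - len(s))

def code_hash(s, k=K):
    """H(s) = (h_1(s), ..., h_8(s)) with h_i(s) = <row i of K, s> mod 2."""
    s = pad(s)
    return tuple(sum(r & b for r, b in zip(row, s)) % 2 for row in k)

def hamming(a, b):
    """Hamming distance between two (zero-padded) strings."""
    return sum(x != y for x, y in zip(pad(a), pad(b)))

def has_min_distance_4(k):
    """d >= 4 holds because (i) the 7-bit parts of all columns are distinct, so
    no weight-2 word has zero syndrome, and (ii) the all-ones row rejects every
    odd-weight word; hence no nonzero word of weight <= 3 is a codeword."""
    cols = [tuple(row[j] for row in k[1:]) for j in range(N)]
    return len(set(cols)) == N and all(x == 1 for x in k[0])

def single_bit_changes_detected(s):
    """True if every one-bit change of s changes the hash."""
    base = code_hash(s)
    for i in range(N):
        t = pad(s)
        t[i] ^= 1
        if code_hash(t) == base:
            return False
    return True

def weight4_collision(s):
    """The columns with 7-bit values 1, 2, 4 and 7 XOR to zero, and there are
    four of them, so flipping those positions adds a weight-4 codeword: a
    different string with the same hash. The distance bound in the text is tight."""
    t = pad(s)
    for v in (1, 2, 4, 7):
        t[COLS.index(v)] ^= 1
    return t

def prefix_hashes_are_bijective(tail):
    """Security property under the assumed layout: the first 8 columns of K form
    an invertible 8 x 8 block, so for any fixed tail (bits 9..128) the map from
    the first 8 bits to the 8 hash bits is one-to-one. Uniformly random leading
    bits therefore give hash values carrying no information about the tail."""
    assert len(tail) == N - 8
    seen = {code_hash(list(p) + list(tail)) for p in product((0, 1), repeat=8)}
    return len(seen) == 256

if __name__ == "__main__":
    A = ([1, 0, 1] * 43)[:N]                 # constructed 128-bit sample input
    print("H(A) =", code_hash(A))
    print("min distance 4:", has_min_distance_4(K))
    B = weight4_collision(A)
    print("distance", hamming(A, B), "same hash:", code_hash(A) == code_hash(B))
    print("first 8 bits hide the rest:", prefix_hashes_are_bijective(A[8:]))
```

Because the hash is linear, H(s ⊕ e) = H(s) ⊕ H(e), so whether a change e is detected depends only on e: the check in has_min_distance_4 is exactly the statement that no change of 1, 2 or 3 bits has zero syndrome.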
Security
Finally, consider the extra possibility that it is desired to conceal the values of A and B from some eavesdropper, Eve, who has learned the values hi(A) and hi(B). In this case the first 8 bits may be deleted from A and B, leaving binary strings Ā and B̄ of length n-8. Although 8 bits have been lost from A and B, this is compensated for by the fact that Eve's knowledge of the values hi(A) and hi(B) provides her with no information about Ā and B̄.
Apparatus
In a preferred embodiment, as illustrated in FIG. 3, a computer apparatus 60, preferably comprising at least one processor and at least one memory, is able to employ a hash function H(K) 70 constructed according to the present invention in order to obtain a memory location corresponding to a received input key K associated with a data item 50, and then the same or another computer apparatus 80, preferably comprising at least one processor and at least one memory, is able to store and retrieve, beginning at location H(K), the received data item associated with the received input key K.
In FIGs. 4-7 the computer apparatus similarly comprises at least one memory and/or at least one processor.
Similarly, FIG. 4 illustrates a computer apparatus 100 at cryptographic stations A and B that is able to employ the hash function constructed according to the present invention 100 to obtain and output 110 an unconditionally secure cryptographic key from the respective received keys KA, KB, wherein KA = KB 90.
And, as shown in FIG. 5, determination of the equality of two input strings KA and KB 120 can be accomplished by a computer apparatus 130 employed by stations A and B that is able to construct a hash function H and obtain H(KA) and H(KB), with station A transmitting H(KA) to station B 140 such that station B is able to verify that H(KA) = H(KB) and thereby conclude that KA = KB 150.
FIG. 6 illustrates a computer apparatus 170 that is able to obtain a cryptographic digital signature for a received input string 160 and then output the obtained cryptographic digital signature 180.
FIG. 7 illustrates a computer apparatus 200 that is able to receive an input string 190 and from this received string is then able to construct a hash function according to the present invention and perform cryptographic message authentication using this hash function, finally outputting the result of the authentication 210.
* * *
It will be understood by those skilled in the art that the above-described embodiments are but examples from which it is possible to deviate without departing from the scope of the invention as defined by the appended claims.
References and Bibliography
The following references, as well as any reference mentioned elsewhere in this specification, are hereby incorporated by reference as if fully set forth herein.
[1] Charles Bennett, François Bessette, Gilles Brassard, Louis Salvail, and John Smolin, Experimental quantum cryptography, EUROCRYPT '90 (Aarhus, Denmark), 1990, pp. 253-265.
[2] Samuel J. Lomonaco, A quick glance at quantum cryptography, Cryptologia 23 (1999), no. 1, 1-41.
[3] R. A. Fisher and F. Yates. Statistical Tables for Biological, Agricultural and Medical Research. Oliver-and-Boyd Ltd., third edition, 1948.
[4] D. Raghavarao. Constructions and Combinatorial Problems in the Design of Experiments. John Wiley & Sons, 1971.
[5] Thomas Beth, D. Jungnickel and H. Lenz. Design Theory. Cambridge University Press, 1986.
[6] P. J. Cameron and J. H. van Lint. Designs, Graphs, Codes and their Links. London Math. Soc. Student Texts vol. 22, Cambridge University Press, 1991.
[7] Richard A. Mollin. An Introduction to Cryptography. Chapman & Hall/CRC Press, 2000.
[8] R. K. Nichols, editor. ICSA Guide to Cryptography. McGraw-Hill, 1999.
[9] Charles H. Bennett, Gilles Brassard, and Jean-Marc Robert, Privacy Amplification by Public Discussion, SIAM J. on Computing, 17, no. 2 (1988), 210-229.