2.0 KiB
Lecture 20
Construction of CRHF (Compression Resistant Hash Function)
Let h: \{0, 1\}^{n+1} \to \{0, 1\}^n be a CRHF.
Base on the discrete log assumption, we can construct a CRHF H: \{0, 1\}^{n+1} \to \{0, 1\}^n as follows:
Gen(1^n):(g,p,y)
p\in \tilde{\Pi}_n(p=2q+1)
g generator for group of sequence \mod p (G_q)
y is a random element in G_q
h_{g,p,y}(x,b)=y^bg^x\mod p, y^bg^x\mod p \in \{0,1\}^n
g^x\mod p if b=0, y\cdot g^x\mod p if b=1.
Under the discrete log assumption, H is a CRHF.
- It is easy to sample
(g,p,y) - It is easy to compute
- Compressing by 1 bit
Proof it is a CRHF:
Suppose there exists an adversary \mathcal{A} that can break h with non-negligible probability \mu.
P[(p,g,y)\gets Gen(1^n);(x_1,b_1),(x_2,b_2)\gets \mathcal{A}(p,g,y):y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p\land (x_1,b_1)\neq (x_2,b_2)]=\mu(n)>\frac{1}{p(n)}
Where y^{b_1}g^{x_1}=y^{b_2}g^{x_2}\mod p is the collision of H.
Suppose b_1=b_2.
Then y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p implies g^{x_1}\equiv g^{x_2}\mod p.
So x_1=x_2 and (x_1,b_1)=(x_2,b_2).
So b_1\neq b_2, Without loss of generality, say b_1=1 and b_2=0.
y\cdot g^{x_1}\equiv g^{x_2}\mod p implies y\equiv g^{x_2-x_1}\mod p.
We can create a adversary \mathcal{B} that can break the discrete log assumption with non-negligible probability \mu(n) using \mathcal{A}.
Let g,p be chosen and set random x such that y=g^x\mod p.
Let the algorithm \mathcal{B} defined as follows:
function B(p,g,y):
(x_1,b_1),(x_2,b_2)\gets \mathcal{A}(p,g,y)
If (x_1,1) and (x_2,0) and there is a collision:
y=g^{x_2-x_1}\mod p
return x_2-x_1 for b=1
Else:
return "Failed"
P[B\text{ succeeds}]\geq P[A\text{ succeeds}]-\frac{1}{p(n)}>\frac{1}{p(n)}
So \mathcal{B} can break the discrete log assumption with non-negligible probability \mu(n), which contradicts the discrete log assumption.
So h is a CRHF.