
On Time-Space Tradeoffs for Bounded-Length Collisions in Merkle-Damgård Hashing

Journal: computational complexity

Abstract

We study the power of preprocessing adversaries in finding bounded-length collisions in the widely used Merkle-Damgård (MD) hashing in the random oracle model. Specifically, we consider adversaries that hold arbitrary S-bit advice about the random oracle and can make at most T queries to it. Our goal is to characterize the advantage of such adversaries in finding a B-block collision in an MD hash function whose compression function is the random oracle with range size N, given a random salt.

The answer to this question is completely understood for very large values of B (essentially \(\Omega(T)\)) as well as for B = 1, 2. For \(B\approx T\), Coretti et al. (EUROCRYPT '18) gave matching upper and lower bounds of \(\tilde\Theta(ST^2/N)\). Akshima et al. (CRYPTO '20) observed that the attack of Coretti et al. can be adapted to work for any value of B > 1, giving an attack with advantage \(\tilde\Omega(STB/N + T^2/N)\). Unfortunately, they could only prove that this attack is optimal for B = 2. Their proof involves a compression argument with exhaustive case analysis and, as they claim, a naive attempt to generalize their bound to larger values of B (even to B = 3) would lead to an explosion in the number of cases to be analyzed, making it unmanageable. Lacking a more general upper bound, they formulated the STB conjecture, stating that the best-possible advantage is \(\tilde O(STB/N + T^2/N)\) for any B > 1.

In this work, we confirm the STB conjecture in many new parameter settings. For instance, in one result, we show that the conjecture holds for all constant values of B, significantly extending the result of Akshima et al. Further, using combinatorial properties of graphs, we are able to confirm the conjecture even for super-constant values of B, provided S is suitably restricted. For instance, we confirm the conjecture for all \(B \le T^{1{/}4}\) as long as \(S \le T^{1{/}8}\). Technically, we develop structural characterizations for bounded-length collisions in MD hashing that allow us to give a compression argument in which the number of cases to be handled does not explode.
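To make the \(STB/N + T^2/N\) attack concrete, the following editorial illustration (not code from the paper or its authors) implements a Hellman-style (S, T) preprocessing attacker against salted MD hashing in a toy random-oracle model. The chain layout is the editor's own realization of the idea the abstract attributes to Coretti et al. and Akshima et al. and may differ in details from theirs. Everything numeric is an assumption chosen for illustration: N = 2^16, a compression function built from truncated SHA-256 of a fixed label, chains walked with the zero block, and salts drawn from a seeded PRNG. Preprocessing stores S words of advice (a chain endpoint plus a compression-function collision at it); online, the attacker spends at most T queries on walks of B-1 steps from the salt, succeeding either by merging into a stored chain (the STB/N term) or by two online paths colliding (the T^2/N term).

```python
"""Toy (S, T) preprocessing attack on salted Merkle-Damgard (MD) hashing in the
random-oracle model, producing collisions of at most B blocks.

Added illustration, not code from the paper.  Assumptions made here: N = 2**16,
the compression function is truncated SHA-256 of a fixed label, chains are walked
with the zero block, and salts come from a seeded PRNG."""
import hashlib
import random

N = 2 ** 16        # range size of the compression function h : [N] x [N] -> [N]
WORD = 4           # chaining values and message blocks are encoded as 32-bit words


class RandomOracle:
    """h(y, m) = SHA-256(label || y || m) truncated to log2(N) bits; counts queries."""

    def __init__(self, label: bytes = b"toy-md-oracle"):
        self.label = label
        self.queries = 0

    def h(self, y: int, m: int) -> int:
        self.queries += 1
        data = self.label + y.to_bytes(WORD, "big") + m.to_bytes(WORD, "big")
        return int.from_bytes(hashlib.sha256(data).digest()[:WORD], "big") % N


def md(h, salt: int, blocks: list) -> int:
    """Salted MD iteration without padding: y_0 = salt, y_i = h(y_{i-1}, m_i)."""
    y = salt
    for m in blocks:
        y = h(y, m)
    return y


def preprocess(oracle: RandomOracle, S: int, B: int, seed: int = 0) -> list:
    """Unbounded preprocessing.  Build S chains of B-2 zero-block steps from random
    start points and find a collision h(e, m1) = h(e, m2) at each chain end e.
    The advice is the S triples (e, m1, m2): S words, not S*B."""
    rng = random.Random(seed)
    advice = []
    for start in rng.sample(range(N), S):
        e = start
        for _ in range(B - 2):                 # c_0 -> c_1 -> ... -> c_{B-2} = e
            e = oracle.h(e, 0)
        seen = {}                              # birthday search at the endpoint
        m = 1
        while True:
            z = oracle.h(e, m)
            if z in seen:
                advice.append((e, seen[z], m))
                break
            seen[z] = m
            m += 1
    return advice


def online(oracle: RandomOracle, advice: list, salt: int, T: int, B: int):
    """Online phase with at most T queries: T // (B-1) walks of B-1 steps from the
    salt, each starting with a distinct block x and then using zero blocks.
    Returns (M1, M2, how) with how in {"chain", "birthday"}, or None."""
    endpoints = {e: (m1, m2) for e, m1, m2 in advice}
    seen = {}                                  # chaining value -> path that reached it
    for x in range(1, T // (B - 1) + 1):
        y, path = salt, []
        for step in range(B - 1):
            block = x if step == 0 else 0
            y = oracle.h(y, block)
            path = path + [block]
            if y in endpoints:                 # walk merged into a stored chain: STB/N term
                m1, m2 = endpoints[y]
                return path + [m1], path + [m2], "chain"
            if y in seen:                      # two online paths collide: T^2/N term
                return seen[y], path, "birthday"
            seen[y] = path
    return None


def run_experiment(S: int = 32, B: int = 8, T: int = 252, trials: int = 300, seed: int = 1) -> dict:
    """Run the attack on `trials` random salts and verify every output collision:
    distinct messages of at most B blocks each, equal MD value, and produced
    within the T-query online budget."""
    rng = random.Random(seed)
    oracle = RandomOracle()
    advice = preprocess(oracle, S, B, seed)
    stats = {"chain": 0, "birthday": 0, "fail": 0, "invalid": 0, "over_budget": 0}
    for _ in range(trials):
        salt = rng.randrange(N)
        before = oracle.queries
        result = online(oracle, advice, salt, T, B)
        if oracle.queries - before > T:
            stats["over_budget"] += 1
        if result is None:
            stats["fail"] += 1
            continue
        M1, M2, how = result
        ok = (M1 != M2 and max(len(M1), len(M2)) <= B
              and md(oracle.h, salt, M1) == md(oracle.h, salt, M2))
        stats[how if ok else "invalid"] += 1
    return stats


if __name__ == "__main__":
    print(run_experiment())   # success rate is on the order of STB/N + T^2/N
```

Only hits on a chain node c_j at walk step s with j ≥ s-1 reach the stored endpoint within the remaining steps, which is where the factor B (rather than B^2) per chain comes from; with B = 2 the chains degenerate to single endpoints and the attack reduces to the ST/N + T^2/N case the abstract says is already tight.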


References

  • Hamza Abusalah, Joël Alwen, Bram Cohen, Danylo Khilko, Krzysztof Pietrzak & Leonid Reyzin (2017). Beyond Hellman’s Time-Memory Trade-Offs with Applications to Proofs of Space. In Advances in Cryptology - ASIACRYPT, 357–379.

  • Leonard Adleman (1978). Two theorems on random polynomial time. In Symposium on Foundations of Computer Science, SFCS, 75–83.

  • Akshima, David Cash, Andrew Drucker & Hoeteck Wee (2020). Time-Space Tradeoffs and Short Collisions in Merkle-Damgård Hash Functions. In Advances in Cryptology - CRYPTO, 157–186.

  • Akshima, Siyao Guo & Qipeng Liu (2022). Time-Space Lower Bounds for Finding Collisions in Merkle-Damgård Hash Functions. In Advances in Cryptology - CRYPTO, 192–221.

  • Elad Barkan, Eli Biham & Adi Shamir (2006). Rigorous Bounds on Cryptanalytic Time/Memory Tradeoffs. In Advances in Cryptology - CRYPTO, 1–21.

  • Itay Berman, Akshay Degwekar, Ron D. Rothblum & Prashant Nalini Vasudevan (2018). Multi-Collision Resistant Hash Functions and Their Applications. In Advances in Cryptology - EUROCRYPT, 133–161.

  • Nir Bitansky, Yael Tauman Kalai & Omer Paneth (2018). Multicollision resistance: a paradigm for keyless hash functions. In STOC, 671–684.

  • Dror Chawin, Iftach Haitner & Noam Mazor (2020). Lower Bounds on the Time/Memory Tradeoff of Function Inversion. In Theory of Cryptography - TCC, 305–334.

  • Kai-Min Chung, Siyao Guo, Qipeng Liu & Luowen Qian (2020). Tight Quantum Time-Space Tradeoffs for Function Inversion. In FOCS, 673–684.

  • Sandro Coretti, Yevgeniy Dodis & Siyao Guo (2018a). Non-Uniform Bounds in the Random-Permutation, Ideal-Cipher, and Generic-Group Models. In Advances in Cryptology - CRYPTO, 693–721.

  • Sandro Coretti, Yevgeniy Dodis, Siyao Guo & John P. Steinberger (2018b). Random Oracles and Non-uniformity. In Advances in Cryptology - EUROCRYPT, 227–258.

  • Henry Corrigan-Gibbs & Dmitry Kogan (2018). The Discrete-Logarithm Problem with Preprocessing. In Advances in Cryptology - EUROCRYPT, 415–447.

  • Henry Corrigan-Gibbs & Dmitry Kogan (2019). The Function-Inversion Problem: Barriers and Opportunities. In Theory of Cryptography - TCC, 393–421.

  • Ivan Damgård (1987). Collision Free Hash Functions and Public Key Signature Schemes. In Advances in Cryptology - EUROCRYPT, 203–216.

  • Anindya De, Luca Trevisan & Madhur Tulsiani (2010). Time Space Tradeoffs for Attacks against One-Way Functions and PRGs. In Advances in Cryptology - CRYPTO, 649–665.

  • Itai Dinur (2020). Tight Time-Space Lower Bounds for Finding Multiple Collision Pairs and Their Applications. In Advances in Cryptology - EUROCRYPT, 405–434.

  • Yevgeniy Dodis, Siyao Guo & Jonathan Katz (2017). Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited. In Advances in Cryptology - EUROCRYPT, 473–495.

  • Amos Fiat & Moni Naor (1999). Rigorous Time/Space Trade-offs for Inverting Functions. SIAM J. Comput. 29(3), 790–803.

  • Cody Freitag, Ashrujit Ghoshal & Ilan Komargodski (2022). Time-Space Tradeoffs for Sponge Hashing: Attacks and Limitations for Short Collisions. In Advances in Cryptology - CRYPTO, 131–160.

  • Rosario Gennaro & Luca Trevisan (2000). Lower Bounds on the Efficiency of Generic Cryptographic Constructions. In FOCS, 305–313.

  • Ashrujit Ghoshal & Stefano Tessaro (2020). On the Memory-Tightness of Hashed ElGamal. In Advances in Cryptology - EUROCRYPT, 33–62.

  • Martin E. Hellman (1980). A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406.

  • Russell Impagliazzo & Valentine Kabanets (2010). Constructive proofs of concentration bounds. In Approximation, Randomization, and Combinatorial Optimization. Algorithms and Techniques, 617–631. Springer.

  • Antoine Joux (2004). Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In Advances in Cryptology - CRYPTO, 306–316.

  • Ilan Komargodski, Moni Naor & Eylon Yogev (2018). Collision Resistant Hashing for Paranoids: Dealing with Multiple Collisions. In Advances in Cryptology - EUROCRYPT, 162–194.

  • Ralph C. Merkle (1982). Secrecy, Authentication and Public Key Systems. Ph.D. thesis, UMI Research Press, Ann Arbor, Michigan.

  • Ralph C. Merkle (1987). A Digital Signature Based on a Conventional Encryption Function. In Advances in Cryptology - CRYPTO, 369–378.

  • Ralph C. Merkle (1989). A Certified Digital Signature. In Advances in Cryptology - CRYPTO, 218–238.

  • Robert H. Morris Sr. & Ken Thompson (1979). Password Security - A Case History. Commun. ACM 22(11), 594–597.

  • Robin A. Moser & Gábor Tardos (2010). A constructive proof of the general Lovász Local Lemma. J. ACM 57(2), 11:1–11:15.

  • Philippe Oechslin (2003). Making a Faster Cryptanalytic Time-Memory Trade-Off. In Advances in Cryptology - CRYPTO, 617–630.

  • Dominique Unruh (2007). Random Oracles and Auxiliary Input. In Advances in Cryptology - CRYPTO, 205–223.

  • Andrew Chi-Chih Yao (1990). Coherent Functions and Program Checkers (Extended Abstract). In STOC, 84–94.


Acknowledgements

Ilan Komargodski is the incumbent of the Harry & Abe Sherman Senior Lectureship at the School of Computer Science and Engineering at the Hebrew University, supported in part by an Alon Young Faculty Fellowship, by a JPM Faculty Research Award, by a grant from the Israel Science Foundation (ISF Grant No. 1774/20), and by a grant from the US-Israel Binational Science Foundation and the US National Science Foundation (BSF-NSF Grant No. 2020643). Part of Ashrujit Ghoshal’s work was done during an internship at NTT Research.

Author information

Corresponding author: Ilan Komargodski.


About this article


Cite this article

Ghoshal, A., Komargodski, I. On Time-Space Tradeoffs for Bounded-Length Collisions in Merkle-Damgård Hashing. comput. complex. 32, 9 (2023). https://doi.org/10.1007/s00037-023-00243-y
