☆ Universal Hash Functions
A standard collision-resistant hash function is designed to be safe even when its salt is public. But we sometimes encounter situations that require collision resistance, where it is possible to keep the hash function's salt private. If the salt can be private, is it possible to use a simpler kind of hash function?
This chapter introduces universal hash functions, which are a private-salt variant of standard collision-resistant hash functions. Universal hash functions are indeed simpler objects: Their security guarantee is simpler, and in practice they are typically more efficient than CRHFs. There are even some universal hash functions whose security can be proven unconditionally.
11.1. Defining universal hash functions
We present two very different, yet equivalent, definitions for security of a universal hash function (UHF). The first definition is much simpler and easier to use when proving that a construction is a secure UHF. The second definition is more convenient when proving security of a construction that uses a secure UHF.
A function is a secure universal hash function (UHF) if, for all ,
where the probability is over the uniform choice of from . In other words, for all , the following block of code outputs with negligible probability:
This definition can be thought of as a very simple attack scenario. The adversary gets just one chance to find a collision with respect to the UHF key. The adversary knows nothing about the choice of key. In fact, the key is chosen after and are chosen.
The second definition involves an interesting way to think about collision resistance in terms of dictionary data structures. The goal of a dictionary is to provide, for each different , a unique place to store data associated with . Imagine two ways of implementing a dictionary:
-
Data that is associated with is stored in position . This is the “obvious” way to use a dictionary.
-
Data that is associated with is stored in position .
In the absence of collisions in , each distinct item has its own unique place in the data structure, and everything will work as expected. On the other hand, if is a collision in , then items associated with and both want to be stored in the same place in the data structure, causing a conflict.
So one way to say that collisions are hard to find is to demand that these two ways of implementing a dictionary data structure are indistinguishable:
A function is a secure universal hash function (UHF) if the following libraries are indistinguishable:
As mentioned earlier, the two definitions are equivalent.
satisfies definition 11.1.1 if and only if it satisfies definition 11.1.2.
When we prove security of UHF constructions in this chapter, it is more convenient to prove that they satisfy definition 11.1.1. When we use a UHF to construct something else, it is more convenient to use the fact that they satisfy definition 11.1.2. To justify the results in this chapter, it is therefore enough to prove only the forward direction of claim 11.1.3 (definition 11.1.1 definition 11.1.2). The other direction is more of theoretical interest, and left as an exercise.
Proof idea: The main challenge of this proof is to reconcile important distinctions between the two security definitions. The library from definition 11.1.2 implicitly makes many comparisons of hash outputs under the same key, but definition 11.1.1 involves only a single comparison under a key. Also, chooses a UHF key at the beginning of time, whereas definition 11.1.1 chooses it after the potential collision is chosen.
The main idea in the proof is to treat hash collisions as a bad event, and then move all of the bad-event logic to the end of time. That way, the UHF key can be chosen at the end of time, after all UHF inputs have been fixed. Next, we can bound the probability of the bad event using the union bound:
The individual collision events are not independent, since they all involve the same , but they do not need to be independent to apply the union bound. Finally, each term of the form describes a situation that is captured by definition 11.1.1. Namely, a pair of inputs is fixed and then is chosen uniformly. Thus, each probability in this sum is negligible, and so is the bad-event probability.
In the last hybrid, and implement a dictionary indexed by -values, so they provide exactly the same behavior as . Thus, it suffices to show that the bad event has negligible probability in this hybrid.
At the end of time, we have a set of pairs. Let us focus on just a single pair . Because of how is defined, we have . Furthermore, the UHF key is sampled independently of , after they have been chosen. This is precisely the situation considered in definition 11.1.1; in other words, is negligible.
Thus, any single pair collides with negligible probability, say, . We can also see that if the adversary makes combined calls to and , then there will be surely at most pairs added to . By the union bound, the probability of the bad event is at most . Since is polynomial in the security parameter and is negligible, the bad-event probability is negligible.
Note: If and are different pairs in , then their collision events and are not necessarily independent. But the union bound does not require the separate events to be independent.
How is a UHF different than a PRF? In a PRF, we require the outputs to be pseudorandom, while in a UHF they only need to avoid collisions. The outputs of a PRF are shown to the adversary, which is our way of saying “it is safe to use PRF outputs however you like.” The outputs of a UHF remain hidden from the adversary: Think about how the adversary does not see the intermediate values in of definition 11.1.2. You can interpret the UHF definition as saying, “It is safe to use UHF outputs to check whether two UHF inputs are equal, and nothing else.”
11.2. Universal hash paradigm for PRFs
We motivated UHFs by thinking about them as CRHFs where the salt is private. One situation with private salts is the hash-then-PRF construction in section 10.5.2, which used a CRHF to convert a fixed-input-length PRF into a variable-input-length one. Indeed, we can replace the CRHF in this construction by a UHF:
Let be a UHF with output length , and let be a PRF with input length . Then UH-PRF is defined as the following function :
The input domain of is the same as that of (usually all strings, or all block-aligned strings), and its output length is the same as that of .
If is a secure UHF and is a secure PRF, then UH-PRF (construction 11.2.1) is a secure PRF.
The proof is remarkably simple.
11.2.1. Handling non-block-aligned data
Construction 11.2.1 results in a variable-input-length PRF that inherits its input domain from the component UHF. What happens if the UHF supports only block-aligned data, but we want a PRF that supports arbitrary-length data?
One natural approach is to add padding, similar to how this is handled in encryption (section 8.6). Padding indeed works fine for this purpose, but remember that padding always increases the length of the data. In particular, if the data already is a multiple of the blocklength, then a block consisting entirely of padding must be added.
There is a clever way to avoid the extra padding block in the UH-PRF construction. The idea is to use different keys for the final PRF, depending on whether the input was block-aligned or not.
Let be a UHF with output length , defined for block-aligned data only, so its input domain is . Let be a PRF with input length , and let be a padding function (i.e., an injective function whose output is always a multiple of the blocklength ). Then the following is a variable-input-length PRF supporting arbitrary lengths (not just multiples of the blocklength):
Exercise 11.7 asks you to prove security of this construction.
11.3. CBC-MAC is a UHF
We introduced CBC-MAC in section 6.6, and warned that it is not secure as a variable-input-length PRF. In this section we show that CBC-MAC is, however, secure as a variable-input-length UHF. It can therefore be promoted to a variable-input-length PRF in a simple way, using construction 11.2.1.
CBC-MAC is a secure (variable-input-length) UHF, if the underlying is a secure PRF/PRP with blocklength .
CBC-MAC is usually written with as the input to the PRF/PRP. In the proof it will be convenient to name these values; we'll use for the th input to the PRF/PRP. Not only that, but it will be convenient to compute the next PRF/PRP input immediately after calling .
In order to avoid special cases in the code, we also compute a “next PRF/PRP input” even for the last call to , although is no “next” input. This “next input” is computed as , and yet there is no block . We use the convention that is all zeros, just to avoid referring to a nonexistent variable, but the interpretation of is not terribly important since is not used.
With these changes, we will use the following as our code for CBC-MAC:
The Golden Rule of PRFs suggests that we will need to argue that inputs to do not repeat (except with negligible probability). This is good advice for this proof, but with a minor complication. Suppose and share the same first blocks. Then we do expect the two computations and to use the same first inputs to . But we don't expect any other PRF calls to have repeated inputs. A more precise interpretation of the Golden Rule is that inputs to do not repeat unexpectedly.
If and share the same first blocks, then we expect every call to in the following picture to receive a distinct input:
Most of the difficulty in this proof comes from carefully rewriting the logic of CBC-MAC to treat different calls to differently, based on whether whether we expect -inputs to repeat or not, matching the logic of this picture.
We will prove that CBC-MAC satisfies definition 11.1.1, meaning that for all , the following block of code outputs only with negligible probability:
In a sequence of hybrids, we will show that this block of code is indistinguishable from one that always returns .
It now suffices to show that the overall probability of the bad event in this final hybrid is negligible. There are three lines in which a bad event may be triggered, and we will consider the first two separately.
Recall that the set was introduced to store the keys that were previously defined in . These values correspond to all the inputs to visible in the picture, named and in the program's code:
The program triggers a bad event if there is an unexpected repeat among these / -values. In the final hybrid, all of the / values are chosen uniformly, with just two exceptions:
-
is defined to be .
-
Suppose the CBC-MAC computations of and diverge after blocks. Thus, and agree in the first blocks but differ in block . Then you can verify that . In other words, and have an xor difference of , which you can justify to yourself algebraically or with the illustration above.
(This case does not occur if is simply a prefix of . In that case, the strings agree in the first blocks but does not have a th block.)
All other and values are chosen uniformly. For a collection of and values chosen in this way (almost all of them uniformly, but with 2 possible exceptions), what is the probability of a repeat? It's best to consider an equivalent scenario where they are chosen in the following order:
-
First, is fixed and added to .
-
If the CBC-MAC computations diverge after blocks, then let be the next value sampled (uniformly). Both and its sibling are added to . contains only one item at this point, so there are only two choices of that would cause a repeat in , those choices being and . The probability of this step causing the bad event is at most .
-
Now all the other / values are sampled uniformly and added to ; the order doesn't matter because they are all sampled independently. The first of these to be sampled has probability of being a repeat, because has three items at this point. The next has probability , and so on.
There are at most values of / considered in this process. The overall probability of repeats among the / values is therefore at most:
Finally, consider the other way that the program can trigger a bad event: when but . To analyze this probability, it is helpful to assume without loss of generality that ; if not, the program can simply swap and as its first action. Then the second for-loop must visit its else-branch in its final iteration; otherwise, we would have . In this final iteration, is sampled uniformly.
The bad event happens if and only if:
Since is sampled uniformly, after the other values and have already been determined, the probability of this way of triggering the bad event is .
Overall, the bad event has probability at most
which is negligible. This completes the proof.
11.3.1. Variable-input PRFs using CBC-MAC as a UHF
Knowing that CBC-MAC is a UHF, we can compose it with a (fixed-input-length) PRF following the recipe of construction 11.2.1 to obtain a variable-input-length PRF. We now discuss a few ways to instantiate this recipe.
Of course, CBC-MAC itself is built from a fixed-input-length PRF, and it is reasonable to use the same PRF in both roles: both as the primary component of CBC-MAC and the final step of the UH-PRF recipe. It is important to use independent keys for these two different uses of a single PRF.
Suppose is a secure PRP with blocklength . Then ECBC, defined below, is a secure variable-input-length PRF.
ECBC exactly follows the recipe of construction 11.2.1, composing CBC-MAC UHF with the PRF , on independent keys.
ECBC applies two consecutive PRF calls in its last block. The first of these can be eliminated:
Suppose is a secure PRP with blocklength . Then FCBC, defined below, is a secure variable-length PRF.
Define the function as follows:
is therefore just CBC-MAC but without the last call to . We can in fact write CBC-MAC in terms of via:
Since is a permutation, we have
In other words, has exactly the same collision behavior as CBC-MAC, making also a secure UHF. FCBC is the composition of this UHF with the secure PRF/PRP , on independent keys. Hence, FCBC is an instance of the UH-PRF recipe.
Another variation on this theme, called CMAC, is discussed in exercise 11.13.
11.4. Poly-UHF: An unconditionally secure UHF
Some UHF constructions can be proven secure unconditionally. Their security doesn't depend on the security of an underlying PRF, like the UHF constructions from previous sections.
The main idea behind unconditionally secure UHFs is to interpret the input string as coefficients of a polynomial, and treat the UHF key as a point on which to evaluate that polynomial. Essentially, to compute the UHF output for a string under a key :
-
Chop into blocks , of equal and suitable size. To make things simpler, we'll assume that is block-aligned.
-
Evaluate the degree- polynomial
at the point , working mod . Here is a prime that can be public, even known to the adversary. Use the output of the polynomial as the UHF output.
The reason for writing the subscripts in descending order, and starting from , is that it is convenient for an algorithmic optimization that will be discussed later. The reason we interpret as a polynomial with leading coefficient 1 is that it ensures different correspond to different polynomials. Without this convention, leading blocks of zeros have no effect; two different strings and could correspond to the same polynomial, if they differ only in leading zero-blocks.
Poly-UHF can be specified in more detail as the following:
Let be a prime. Then poly-UHF is defined as follows:
Poly-UHF is a secure UHF (unconditionally).
We will show that is negligible, when , and is sampled uniformly from .
Write and as
and define the following polynomials:
Then we are interested in the probability that , over a uniform choice of . We can rewrite the condition as and make a few observations:
-
has degree exactly ; the leading coefficient on is always 1. Similarly, has degree exactly .
-
is a polynomial in , of degree at most .
-
Since and are different strings, and are different polynomials. If and differ in the -th block (including the case that one of those strings doesn't have an -th block), then and differ in the coefficient of .
-
if and only if is a root of the (nonzero) polynomial
Recall the fundamental theorem of algebra, which is true for polynomials modulo a prime:
Let be a prime, and let be a nonzero polynomial (not all coefficients are 0 mod ) of degree at most . Then has at most roots mod . That is, there are at most values of that satisfy .
Armed with this fact, we can complete the proof:
The last step follows from the fact that the polynomial has at most roots, and is sampled uniformly from . Since and are the lengths of strings chosen by the adversary, is polynomial in the security parameter, and the collision probability is negligible.
Horner's method: There is an elegant way to evaluate a polynomial at some particular point, given a list of its coefficients. The idea is summarized in the following example:
More generally, if we write to denote the value , then it satisfies the following recurrence:
This recursive formula can be converted into an iterative algorithm, by working from the inside out:
This simple method for evaluating a polynomial is called Horner's method. We can write the poly-UHF algorithm using Horner's method as:
Since the final output is needed mod , we can reduce the intermediate result mod after each iteration of the loop.
Do we really need a prime for Poly-UHF?
We used the fact that a nonzero polynomial of degree at most has at most roots.
This fact is true modulo a prime, but not true modulo a composite.
If a nonzero polynomial can have many roots, then there can be many keys that cause two strings to collide, but we need there to be only a negligible fraction of keys with this property.
Exercise 11.17 walks through an example of how Poly-UHF is insecure if the modulus is .
How should the prime be chosen?
Suppose our security parameter is and we would like to chop long strings into blocks of length 128, which we interpret as integers in the range .
Then we can choose any prime such that .
The security of poly-UHF relies on being prime, but not on being chosen in any particular way;
it is a public parameter of the construction.
Hence, can be chosen to have some additional properties that make reduction-mod- more efficient for a computer.
See the example below.
Poly1305 is a MAC algorithm, which uses at its core a variant of Poly-UHF modulo the prime . This prime was chosen because modular reduction modulo such a prime (very close to a power of 2) can be highly optimized for modern processors. Poly1305 uses a few other deviations from our classical Poly-UHF construction, which contribute to its high performance and which are mostly beyond the scope of this book. However, exercise 11.18 explores one aspect of Poly1305, which is to reduce the final result (an element of ) mod .
11.4.1. GHASH and GCM encryption
Even when is a favorable prime, it can still be awkward to deal with reduction-mod- on a computer that prefers to work with powers of 2. However, there is a way to define “addition” and “multiplication” operations over the set , which has the necessary algebraic properties for poly-UHF to work. The algebraic structure is called a field. Fields with a finite number of elements are sometimes called Galois fields after their discoverer. (Galois is a French name, pronounced gal-wah.) Some bonus content about fields can be found in appendix B.
GHASH is a variant of Poly-UHF based on arithmetic in Galois fields (the G is for Galois). GHASH is used in GCM (Galois counter mode) encryption, the most popular standardized AEAD mode. GCM is an instance of encrypt-then-MAC (construction 9.5.1), with CTR mode as the encryption scheme, and GHASH as the UHF underlying its MAC.
Exercises
-
Prove the other direction of claim 11.1.3, that definition 11.1.2 implies definition 11.1.1.
-
Prove that every secure CRHF is also a secure UHF, interpreting the CRHF salt as the UHF key.
-
Prove that every secure PRF with output bits is also a secure UHF.
-
Prove that if is a secure UHF with output length bits, then is also a secure UHF.
-
We say that is almost-xor-universal (AXU) if, for all strings and all ,
where the probability is over the uniform choice of from . In other words, for all and , the following block of code outputs with negligible probability:
-
Prove that if is AXU, then the function is a secure UHF ( is bits).
-
Prove that CBC-MAC is AXU.
-
Show that Poly-UHF (as we have defined it) is not AXU. Use addition-mod- instead of xor in the security definition of AXU.
-
Suggest a slight variant of Poly-UHF that is AXU and prove its security.
-
-
Let be a secure UHF that supports only block-aligned inputs, and let be a padding function (definition 8.6.1). Prove that the function is a secure UHF, supporting arbitrary-length inputs.
-
Prove claim 11.2.3 (security of UH-PRF for non-block-aligned inputs).
-
Theorem 7.3.4 proves that a 3-round keyed Feistel cipher (section 7.3) construction is a secure PRP if each of its round functions is a PRF. Suppose we replace the first function with a simpler function , such that is a secure UHF (i.e., is AXU; see exercise 11.5). In other words:
Prove that the resulting construction is a secure PRP.
-
h Let be a secure PRF with input and output length . Prove that the following function is also a secure PRF with input length :
It is an instance of UH-PRF.
-
h Let be a secure PRF with input and output length . Prove that the following function is also a secure variable-length PRF:
It is an instance of UH-PRF.
-
Let be an encryption scheme. Let be a keyed function and define , where the output of is padded with zeros (on the left, say) if its length is different from . For example, if and then means .
Prove that if is a secure AE, and is a secure UHF (i.e., is AXU; see exercise 11.5), then the following scheme is a secure AEAD:
Connect the situation in this construction to exercise 11.5.
-
Let be a secure AEAD scheme that supports fixed-length associated data . Let be a secure UHF that supports arbitrary-length inputs. Prove that the following construction is also a secure AEAD, supporting arbitrary-length associated data:
-
h CMAC is a variant of CBC-MAC, in which we xor the last block with an independent key . In other words, CMAC is equivalent to plain CBC-MAC applied to . CMAC has the convenient property that all of its calls to use the same key .
-
Prove that if is a secure PRF, then and behave like two independent random functions. In other words, prove that the following two libraries are indistinguishable:
:return:return:if undefined:return:if undefined:return -
Prove that CMAC is a secure variable-input-length PRF if is a secure PRP.
CMAC can be reframed as an instance of UH-PRF.
-
-
CBC-MAC invokes the underlying PRF on input . Suppose we instead use as input; this will require a PRF with input length and output length .
Prove that the resulting function is a secure variable-length UHF if is a secure PRF:
-
Show that ECBC (construction 11.3.2), FCBC (construction 11.3.3) and CMAC (exercise 11.13) are not secure CRHFs: If their key is made public like a salt, then it is possible to efficiently compute collisions.
-
Poly-UHF interprets its input string as the coefficients of a polynomial, always fixing the leading coefficient to 1. Suppose the leading coefficient is not fixed and we interpret input as the polynomial . Show that the resulting variant of Poly-UHF is not a secure UHF.
-
-
Give an example of a nonzero polynomial of degree that has more than roots over . Ideally, your polynomial should have roots.
-
Describe a concrete attack against poly-UHF mod that produces a collision with constant probability (e.g., 1/2).
-
-
h Below is a simplified version of Poly1305, which is a variant of poly-UHF:
For the purposes of this exercise, Poly1305 includes two important changes relative to construction 11.4.1: (1) It interprets the input as coefficients of a polynomial whose constant coefficient is zero, so the subscripts are shifted by one compared to construction 11.4.1. (2) After evaluating this polynomial mod , the result is further reduced mod .
This exercise explores the security of these changes.
-
Speaking more abstractly, let be a prime, and define . For example, with , Poly1305 has . Let and be integers in the range . Argue that there is a set , with , such that:
The expression refers to subtraction over the integers (no modular reduction).
-
Let and be distinct polynomials, of degree at most , both with constant coefficient 0. Prove that when is chosen uniformly from ,
Where did you use the fact that and have constant coefficient 0?
-
-
Show that Poly-UHF is not a secure CRHF: If its key is made public like a salt, then it is possible to efficiently compute collisions.
-
Show that Poly-UHF is not a secure PRF.
-
-
Suppose you are given two block-aligned strings and and two poly-UHF keys and . Show how to efficiently compute blocks and such that:
-
Let denote the authenticated encryption scheme obtained by applying Encrypt-then-MAC to
-
CTR-mode encryption; and
-
UH-PRF MAC, using poly-UHF as the underlying UHF.
Describe how to compute a single ciphertext and two keys such that , and neither decryption results in . Can you make the two resulting plaintexts meaningful?
-
-
Chapter Notes
Universal hash functions were introduced by Carter and Wegman [63], who used them to construct an authentication method that is similar to our UH-PRF. In their method, instead of applying the PRF to the UHF output, they encrypt the UHF output with a fresh one-time pad known to the sender and receiver. Brassard proposed a variant where the one-time pads are generated pseudorandomly from a short seed [53]. This paradigm is used in modern authenticated encryption schemes like GCM [158] and its antecedent CWC [137].
The variant of UHF called almost-xor-universal (AXU; exercise 11.5) was first defined by Krawczyk [138].
The paradigm composing a UHF with a PRF was analyzed by Black, Halevi, Krawczyk, Krovetz, and Rogaway [42]. Their main construction is a nonce-based MAC; the construction presented in construction 11.2.1 is a simpler deterministic variant. Our security proof for this variant follows the proofs given by Black and Rogaway [44,43] and by Bellare [12].
Lucks was the first to observe and prove that the first round of a Feistel cipher can use a UHF rather than a PRF, as in exercise 11.8 [150]. The result was later extended by Naor and Reingold [169].
The AEAD construction in exercise 11.11 is one of the general-purpose constructions from Rogaway's paper that introduces AEAD [190].
Petrank and Rackoff were the first to propose construction 11.3.2 as a secure variable-length PRF [181]. Black and Rogaway [44,43] named this construction ECBC and extended it to support non-block-aligned inputs, using the technique described in claim 11.2.3. In the same paper, they also described FCBC (construction 11.3.3) and CMAC (exercise 11.13), which they originally named XCBC. Our analysis of all of these CBC-MAC variants closely follows their approach, first proving that CBC-MAC is a UHF, then viewing the schemes as instances of UH-PRF.
Horner's method for polynomial evaluation is named after Horner, who described it in 1819 [124]. Horner attributes the method to Lagrange, and it was also known to ancient Chinese and Persian mathematicians. See Mikami [163] and Libbrecht [147] for a history of the method's Chinese origins.
den Boer [82] and Taylor [209] were the first to suggest polynomials as universal hash functions. Poly1305 is due to Bernstein, and the analysis in exercise 11.18 follows the Poly1305 design document [34].
Exercise 11.21 is inspired by an attack on Facebook's abuse reporting mechanism discovered by Dodis, Grubbs, Ristenpart, and Woodage [87].