Finding Collisions on a Public Road, or Do Secure Hash Functions Need Secret Coins?

  • Chun-Yuan Hsiao
  • Leonid Reyzin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3152)


Many cryptographic primitives begin with parameter generation, which picks a primitive from a family. Such generation can use public coins (e.g., in the discrete-logarithm-based case) or secret coins (e.g., in the factoring-based case). We study the relationship between public-coin and secret-coin collision-resistant hash function families (CRHFs). Specifically, we demonstrate that:

  • there is a lack of attention to the distinction between secret-coin and public-coin definitions in the literature, which has led to some problems in the case of CRHFs;

  • in some cases, public-coin CRHFs can be built out of secret-coin CRHFs;

  • the distinction between the two notions is meaningful, because in general secret-coin CRHFs are unlikely to imply public-coin CRHFs.

The last statement above is our main result, which states that there is no black-box reduction from public-coin CRHFs to secret-coin CRHFs. Our proof for this result, while employing oracle separations, uses a novel approach, which demonstrates that there is no black-box reduction without demonstrating that there is no relativizing reduction.
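As an added worked example (mine, not the paper's construction or code), the following Python contrasts the two kinds of parameter generation named in the abstract with two toy hash families: a Pedersen-style hash in a prime-order group, whose generation coins can be published, and a Rabin-style squaring hash modulo N = pq, whose coins (the factors) must be erased. It also carries through the reduction each family's security rests on: a collision in the first yields log_g h, a collision in the second yields a factor of N, which is exactly why holding the second family's coins breaks it. All function names, the tiny parameter ranges, the seed and the sample inputs are constructed for illustration; neither family is secure at these sizes.

```python
"""Toy demonstration of public-coin vs. secret-coin parameter generation for
collision-resistant hash families (constructed example, not the paper's code).
Parameter sizes are deliberately tiny; nothing here is secure."""
import math
import random


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def random_prime(rng, lo, hi, cond=lambda p: True):
    while True:
        p = rng.randrange(lo, hi)
        if is_prime(p) and cond(p):
            return p


# ---- Family A: Pedersen-style hash in a prime-order group (public coins) ----

def gen_dlog_family(seed):
    """Return (key, coins). Every random choice is in `coins`, and publishing
    them is harmless: g and h are squares of independent random elements, so
    nobody, the generator included, learns log_g h."""
    rng = random.Random(seed)
    q = random_prime(rng, 500, 2000, cond=lambda v: is_prime(2 * v + 1))
    p = 2 * q + 1                      # safe prime: squares form the order-q subgroup
    while True:
        y, z = rng.randrange(2, p - 1), rng.randrange(2, p - 1)
        g, h = pow(y, 2, p), pow(z, 2, p)
        if g != 1 and h not in (1, g):
            break
    return (p, q, g, h), (q, y, z)     # coins are safe to publish


def hash_dlog(key, a, b):
    """H(a, b) = g^a * h^b mod p: two Z_q elements compressed to one Z_p element."""
    p, q, g, h = key
    return pow(g, a % q, p) * pow(h, b % q, p) % p


def collision_to_dlog(key, x1, x2):
    """A collision (a,b) != (a',b') gives g^(a-a') = h^(b'-b), hence log_g h."""
    p, q, g, h = key
    (a, b), (a2, b2) = x1, x2
    assert hash_dlog(key, a, b) == hash_dlog(key, a2, b2), "not a collision"
    db = (b2 - b) % q
    assert db != 0, "b = b' would force a = a', so this is not a collision"
    return (a - a2) * pow(db, -1, q) % q


def brute_force_dlog(key):
    """Stand-in for a hypothetical collision-finding adversary (toy sizes only)."""
    p, q, g, h = key
    return next(r for r in range(q) if pow(g, r, p) == h)


# ---- Family B: Rabin-style squaring modulo N = p*q (secret coins) ----

def gen_factoring_family(seed):
    """Return (key, coins). The coins (p, q) must be erased after generation:
    whoever holds them can take square roots mod N and so find collisions."""
    rng = random.Random(seed)
    p = random_prime(rng, 100, 400, cond=lambda v: v % 4 == 3)
    q = random_prime(rng, 100, 400, cond=lambda v: v % 4 == 3 and v != p)
    return p * q, (p, q)


def hash_factoring(N, x):
    """x in [1, N/2) coprime to N -> x^2 mod N. A residue has roots +-r1, +-r2 and
    exactly two lie below N/2, so the map is 2-to-1 (one bit of compression)
    and the trivial pair x, N-x is excluded from the domain."""
    assert 1 <= x < N / 2 and math.gcd(x, N) == 1
    return pow(x, 2, N)


def collision_to_factor(N, x, y):
    """x != y below N/2 with x^2 = y^2 mod N means x != +-y, so gcd(x-y, N) splits N."""
    assert x != y and hash_factoring(N, x) == hash_factoring(N, y), "not a collision"
    f = math.gcd(x - y, N)
    assert 1 < f < N
    return f


def collide_with_coins(coins, N, x):
    """What leaked coins buy: the other root of x^2 below N/2.
    For p, q = 3 (mod 4), a root of residue r mod p is r^((p+1)/4)."""
    p, q = coins
    r = pow(x, 2, N)
    rp, rq = pow(r, (p + 1) // 4, p), pow(r, (q + 1) // 4, q)
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            root = (sp + p * ((sq - sp) * pow(p, -1, q) % q)) % N   # CRT
            if root != x and root < N / 2:
                return root
    raise AssertionError("unreachable: x is itself one of the four roots")


def demo(seed):
    """Run both reductions and return the checks a reader would want to see."""
    key, _public_coins = gen_dlog_family(seed)
    p, q, g, h = key
    r = brute_force_dlog(key)
    x1, x2 = (17, 5), ((17 - r) % q, 6)       # collide because h = g^r
    dlog_ok = pow(g, collision_to_dlog(key, x1, x2), p) == h
    N, secret_coins = gen_factoring_family(seed)
    y = collide_with_coins(secret_coins, N, 7)  # constructed sample input x = 7
    factor_ok = collision_to_factor(N, 7, y) in secret_coins
    return {"dlog_ok": dlog_ok, "factor_ok": factor_ok}
```

The contrast is in what each generator may reveal: `gen_dlog_family` can hand out `(q, y, z)` with the key, while `gen_factoring_family` must destroy `(p, q)`, since `collide_with_coins` turns them directly into collisions. The same Pedersen family becomes secret-coin if the generator instead sets h = g^r for a random r it knows, which is the well-known reason such parameters are derived from verifiably random seeds in practice.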





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Chun-Yuan Hsiao, Boston University Computer Science, Boston, USA
  • Leonid Reyzin, Boston University Computer Science, Boston, USA
