Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3958)


Universal One-Way Hash Functions (UOWHFs) may be used in place of collision-resistant functions in many public-key cryptographic applications. At Asiacrypt 2004, Hong, Preneel and Lee introduced the stronger security notion of higher order UOWHFs to allow construction of long-input UOWHFs using the Merkle-Damgård domain extender. However, they did not provide any provably secure constructions for higher order UOWHFs.

We show that the subset sum hash function is a kth order Universal One-Way Hash Function (hashing n bits to m < n bits) under the Subset Sum assumption for k = O(log m). Therefore we strengthen a previous result of Impagliazzo and Naor, who showed that the subset sum hash function is a UOWHF under the Subset Sum assumption. We believe our result is of theoretical interest; as far as we are aware, it is the first example of a natural and computationally efficient UOWHF which is also a provably secure higher order UOWHF under the same well-known cryptographic assumption, whereas this assumption does not seem sufficient to prove its collision-resistance. A consequence of our result is that one can apply the Merkle-Damgård extender to the subset sum compression function with ‘extension factor’ k+1, while losing (at most) about k bits of UOWHF security relative to the UOWHF security of the compression function. The method also leads to a saving of up to m log(k+1) bits in key length relative to the Shoup XOR-Mask domain extender applied to the subset sum compression function.
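The construction the abstract describes, as an added example (not code from the paper): a subset sum compression function hashing n bits to m < n bits, chained with the Merkle-Damgård extender under a single key, so that k+1 blocks give extension factor k+1. The modulus 2^m, the bit layout, the zero IV, the fixed block count without length padding, and all function names are assumptions made here; the toy parameters in the demo are far too small to be secure.

```python
import secrets


def keygen(n, m):
    """Key: n uniformly random m-bit integers a_0..a_{n-1} (n*m key bits)."""
    return [secrets.randbits(m) for _ in range(n)]


def compress(key, m, x):
    """Subset sum hash: sum the a_i selected by the set bits of x, mod 2^m."""
    n = len(key)
    if m >= n:
        raise ValueError("need m < n for a compressing function")
    if not 0 <= x < (1 << n):
        raise ValueError("input must fit in n bits")
    total = 0
    for i, a in enumerate(key):
        if (x >> i) & 1:
            total += a
    return total % (1 << m)


def md_hash(key, m, blocks, iv=0):
    """Merkle-Damgard chaining with the same key in every call.

    Each call takes an (n-m)-bit message block in the high bits and the
    m-bit chaining value in the low bits (assumed layout). With k+1 blocks
    the compression function runs k+1 times.
    """
    n = len(key)
    block_bits = n - m
    h = iv
    for blk in blocks:
        if not 0 <= blk < (1 << block_bits):
            raise ValueError("block must fit in n-m bits")
        h = compress(key, m, (blk << m) | h)
    return h


if __name__ == "__main__":
    n, m, k = 16, 8, 3                   # toy sizes, constructed for the demo
    key = keygen(n, m)
    msg = [secrets.randbits(n - m) for _ in range(k + 1)]
    print("key bits:", n * m, "message bits:", (k + 1) * (n - m))
    print("digest:", md_hash(key, m, msg))
```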


Keywords: hash function, provable security, subset sum


References

  1. Ajtai, M.: Generating Hard Instances of Lattice Problems. In: Proc. 28th STOC, pp. 99–108. ACM Press, New York (1996)
  2. Bellare, M., Micciancio, D.: A New Paradigm for Collision-free Hashing: Incrementality at Reduced Cost. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 163–192. Springer, Heidelberg (1997)
  3. Bellare, M., Rogaway, P.: Collision-Resistant hashing: Towards making UOWHFs Practical. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 470–484. Springer, Heidelberg (1997)
  4. Coster, M.J., LaMacchia, B.A., Odlyzko, A.M., Schnorr, C.P.: An improved low-density subset sum algorithm. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 54–67. Springer, Heidelberg (1991)
  5. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)
  6. Goldreich, O., Goldwasser, S., Halevi, S.: Collision-free hashing from lattice problems. Technical Report TR96-056, Electronic Colloquium on Computational Complexity, ECCC (1996)
  7. Hong, D., Preneel, B., Lee, S.: Higher Order Universal One-Way Hash Functions. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 201–213. Springer, Heidelberg (2004)
  8. Hsiao, C., Reyzin, L.: Finding Collisions on a Public Road, or Do Secure Hash Functions Need Secret Coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105. Springer, Heidelberg (2004)
  9. Impagliazzo, R., Naor, M.: Efficient Cryptographic Schemes Provably as Secure as Subset Sum. Journal of Cryptology 9, 199–216 (1996)
  10. Karp, R.M.: Reducibility among Combinatorial Problems. In: Miller, R.E., Thatcher, J.W. (eds.) Complexity of Computer Computation, Plenum, New York (1972)
  11. Merkle, R.: One Way Hash Functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)
  12. Merkle, R., Hellman, M.: Hiding Information and Signatures in Trapdoor Knapsacks. IEEE Trans. on Information Theory 24, 525–530 (1978)
  13. Micciancio, D., Regev, O.: Worst-Case to Average-Case Reductions based on Gaussian Measures. In: Proc. FOCS 2004, pp. 372–381. IEEE Computer Society Press, Los Alamitos (2004)
  14. Naor, M., Yung, M.: Universal One-Way Hash Functions and their Cryptographic Significance. In: Proc. 21st STOC, pp. 33–43. ACM Press, New York (1989)
  15. Shamir, A.: A Polynomial Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem. IEEE Trans. on Information Theory 30, 699–704 (1984)
  16. Shoup, V.: A Composition Theorem for Universal One-Way Hash Functions. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 445–452. Springer, Heidelberg (2000)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  1. Dept. of Computing, Macquarie University, North Ryde, Australia
