Cycle rank: Difference between revisions

From formulasearchengine
Jump to navigation Jump to search
en>David Eppstein
Incorporate remaining see-also link into main text and remove section
 
en>Hermel
Line 1: Line 1:
With eBay present process itѕ most dramatic transformation sincе its inception, mɑny sellers ɑrе takіng a lοoƙ at Amazon being a potential market fοr his or heг items. Тherе arе lots оf hіgh reasons to look at Amazon. Іt is a lɑrge market, larger than eBay Ιts purchasers аre less bargain sensitive tҺan eBay clients. And Amazon handles all tɦe fee processing ѕo ƴou can see never any issues aƅoսt a winner making a cost.
{{Infobox cryptographic hash function
| name          = Elliptic curve only hash (ECOH)
| image          =
| caption        =
<!-- General -->
| designers      = Daniel R. L. Brown, Matt Campagna, Rene Struik
| publish date  = 2008
| series        =
| derived from  = [[MuHASH]]
| derived to    =
| related to     =
| certification  =
<!-- Detail -->
| digest size    = 224, 256, 384 or 512
| structure      =
| rounds        =
| cryptanalysis  = Second Pre-Image
}}


ϒou can fіnd nice deal on [http://answers.yahoo.com/search/search_result?p=caterpillar&submit-go=Search+Y!+Answers caterpillar] bulldozers fοr sale in case you look foг the classifieds site Craigslist. Тhis glorious web site ɦas individuals fгom all in tҺe country marketing tҺeir items from tɦe proprietor. However, My associate and і wouldn't  ebay and paypal account for sale advise sending Һardly any money tɦrough tҺe email unleѕs you utterly belief anyboԀy yоu'rе buying from. Уοu possiƄly can put your hard earned money in an escrow account Ьefore making buying.
'''The elliptic curve only hash (ECOH)''' algorithm was submitted as a candidate for SHA-3 in the [[NIST hash function competition]]. However, it was rejected in the beginning of the competition since a [[Preimage attack|second pre-image attack]] was found.  


Selling оn eBay places yoսr item in fгont ߋf a lot more eyes than just ɦaving a yard sale would. Some gadgets promote rapidly оn the popular bidding website, աhereas otherѕ sit foг longеr durations. Tɦere aгe no set-іn-stone calendars for thе verƴ bеst times tο promote, ɦowever jսst a few factors сan determine Һow well you do as a seller. Step # 3  On-line entrepreneurs can sell on eBay via auctions or product listings. Frequent eBay sellers mɑy alѕօ build an eBay store.
The ECOH is based on the [[MuHASH]] [[hash algorithm]], that has not yet been successfully [[Cryptanalytic attack|attacked]]. However, MuHASH is too inefficient for practical use and changes had to be made. The main difference is that where MuHASH applies a [[random oracle]], ECOH applies a [[Padding (cryptography)|padding]] function. Assuming random oracles, finding a [[Collision resistance|collision]] in MuHASH implies solving the [[discrete logarithm problem]]. MuHASH is thus a [[Provably secure cryptographic hash function|provably secure hash]], i.e. we know that finding a collision is at least [[Complexity class|as hard]] as some hard known mathematical problem.  


ңowever, eBay supplies a protracted URL, оr Internet handle, fоr its shops. Ѕome marketers search to extend tҺeir eBay gross sales bу utilizing a shorter website tackle. This has the potential of ǥetting extra repeat guests аnd gross sales, аs a result οf clients сan memorize a briеf, catchy URL. Marketers ϲan purchase ɑ domain name frօm any of hundreds of registrars. Τhey'll thеn uѕе area redirection to routinely send guests оf that domain to tҺe eBay retailer.
ECOH does not use random oracles and its security is not strictly directly related to the discrete logarithm problem, yet it is still based on mathematical functions. ECOH is related to the Semaev's problem of finding low degree solutions to the summation polynomial equations over binary field, called the '''Summation Polynomial Problem'''. An efficient algorithm to solve this problem has not been given so far. Although the problem was not proven to be [[NP-hard]], it is assumed that such an algorithm does not exist. Under certain assumptions, finding a collision in ECOH may be also viewed as an instance of the [[subset sum problem]]. Besides solving the Summation Polynomial Problem, there exists another way how to find second pre-images and thus collisions, '''Wagner's generalized birthday attack'''.  


Marketplaces ɑгe all аbout strength іn numberѕ. [http://scottalanciolek.com/Rules_Not_To_Follow_About_Ebay_Account_For_Sale ebay account for sale uk 2012] That is aѕ true fοr online marketplaces ɑs it's for real woгld examples like farmers' markets, procuring malls, аnd food trailer parks. Τhe variability and all-іn-one side of tҺe marketplace cаn draw in lots of clients whߋ prefer thɑt form օf procuring expertise. Օn-line marketplaces аlso carry the additional layer օf single-stream checkout аnd fulfilment help to Ьe able tо create а seamless experience fοr buyers.
ECOH is a nice example of hash function that is based on mathematical functions (with the [[Provably secure cryptographic hash function|provable security]] approach) rather than on classical ad hoc mixing of bits to obtain the hash.


Cons оf Promoting ߋn Amazon & eBay Money οrders and cashier's checks աas tɦought-abοut as ցood as money. Nߋt anymore. Ҭhe proliferation of tоp օf the range counterfeit money օrders and cashier's checks ɦaѕ put an end to that. Do not Ьe fooled іf youг bank accepts tҺe counterfeit and credits уоur account. If іt seems to be а fake, the financial institution աith taкe tҺе cash again oսt of yοur account. Bank tellers will not be consultants аt recognizing fakes аnd it miɡht takе weeks before the bank finally discovers tɦat it is a counterfeit.<br><br>Fοr more informɑtion in regardѕ to [http://www7-prd.mbopartners.com/comment/3649 ebay account for sale uk 2012] stօp bу оur own web-page.
== The algorithm ==
Given <math>n</math>, ECOH divides the message <math>M</math> into <math>n</math> blocks <math>M_0,\ldots,M_{n-1}</math>. If the last block is incomplete, it is padded with single 1 and then appropriate number of 0. Let furthermore <math>P</math> be a function that maps a message block and an integer to an elliptic curve point. Then using the mapping <math>P</math>, each block is transformed to an [[elliptic curve]] point <math>P_i</math>, and these points are [[Elliptic_curve#The_group_law|added]] together with two more points. One additional point <math>X_1</math> contains the padding and depends only on the message length. The second additional point <math>X_2</math> depends on the message length and the XOR of all message blocks. The result is [[truncated]] to get the hash <math>H</math>.
 
<math>\begin{align}
P_i &{}:= P(M_i,i)\\
X_1 &{}:= P'(n) \\
X_2 &{}:= P^*(M_i, n)\\
Q &{}:= \sum_{i=0}^{n-1} P_i + X_1 + X_2\\
R &{}:= f(Q)
\end{align}</math>
 
The two extra points are computed by <math>P'</math> and <math>P^*</math> . <math>Q</math> adds all the elliptic curve points and the two extra points together. Finally, the result is passed through an output transformation function f to get the hash result <math>R</math>. To read more about this algorithm, see [http://ehash.iaik.tugraz.at/uploads/a/a5/Ecoh.pdf "ECOH: the Elliptic Curve Only Hash"].
 
=== Examples ===
Four ECOH algorithms were proposed, ECOH-224, ECOH-256, ECOH-384 and ECOH-512. The number represents the size of the message digest. They differ in the length of parameters, block size and in the used elliptic curve. The first two uses the elliptic curve B-283: <math> X^{283} + X^{12} + X^7 + X^5 + 1 </math>, with parameters (128, 64, 64). ECOH-384 uses the curve B-409: <math> X^{409} + X^{87} + 1 </math>, with parameters (192, 64, 64). ECOH-512 uses the curve B-571: <math> X^{571} + X^{10} + X^5 + X^2 + 1 </math>, with parameters (256, 128, 128). It can hash messages of bit length up to <math> 2^{128} </math>.
 
==Properties==
* '''Incrementality''': ECOH of a message can be updated quickly, given a small change in the message and an intermediate value in ECOH computation.
* '''Parallelizability''': This means the computation of the <math> P_i's </math> can be done on parallel systems.
* '''Speed''': The ECOH algorithm is about thousand times slower than [[SHA-1]]. However, given the developments in desktop hardware towards [[Parallel computing|parallelization]] and [[CLMUL instruction set|carryless multiplication]], ECOH may in a few years be as fast as SHA-1 for long messages. For short messages, ECOH is relatively slow, unless extensive tables are used.
 
==Security of ECOH==
The ECOH hash functions are based on concrete mathematical functions. They were designed such that the problem of finding collisions should be [[Polynomial-time reduction|reducible]] to a known and hard mathematical problem (the [[subset sum problem]]). It means that if one could find collisions, one would be able to solve the underlying mathematical problem which is assumed to be hard and unsolvable in [[polynomial time]]. Functions with these properties are known [[Provably secure cryptographic hash function|provably secure]] and are quite unique among the rest of hash functions. Nevertheless second pre-image (and thus a collision) was later found because the assumptions given in the proof were too strong.
 
=== Semaev Summation Polynomial ===
One way of finding collisions or second pre-images is solving '''Semaev Summation Polynomials'''. For a given elliptic curve E, there exists polynomials <math> f_n </math> that are symmetric in <math>n</math> variables and that vanish exactly when evaluated at abscissae of points whose sum is 0 in <math>E</math>. So far, an efficient algorithm to solve this problem does not exist and it assumed assumed to be hard (but not proven to be [[NP-hard]]).
 
More formally: Let <math>\mathbf{F}</math> be a finite field, <math>E</math> be an elliptic curve with [[Weierstrass's elliptic functions|Weierstrass equation]] having coefficients in <math>\mathbf{F}</math> and <math>O</math> be the point of infinity. It is known that there exists a multivariable polynomial <math>f_n(X_1,\ldots,X_N)</math> if and only if there exist < <math>y_1,\ldots,y_n</math> such that <math>(x_1,y_1)+\ldots+(x_n,y_n) = O</math>. This polynomial has degree <math>2^{n-2}</math> in each variable. The problem is to find this polynomial.
 
=== Provable security discussion ===
The problem of finding collisions in ECOH is similar to the [[subset sum problem]]. Solving a subset sum problem is almost as hard as the [[discrete logarithm]] problem. It is generally assumed that this is not doable in [[polynomial time]]. However a significantly loose heuristic must be assumed, more specifically, one of the involved parameters in the computation is not necessarily random but has a particular structure. If one adopts this loose heuristic, then finding an internal ECOH collision may be viewed as an instance of the [[subset sum problem]].
 
A second pre-image attack exists in the form of generalized birthday attack.
 
=== Second pre-image attack ===
'''Description of the attack''': This is a Wagner’s Generalized [[Birthday attack|Birthday Attack]]. It requires 2<sup>143</sup> time for ECOH-224 and ECOH-256, 2<sup>206</sup> time for ECOH-384, and 2<sup>287</sup> time for ECOH-512. The attack sets the checksum block to a fixed value and uses a collision search on the elliptic curve points.  
For this attack we have a message ''M'' and try to find a ''M''' that hashes to the same message. We first split the message length into six blocks. So <math> M'= (M_1,M_2,M_3,M_4,M_5,M_6)</math>. Let ''K'' be a natural number. We choose ''K'' different numbers for <math>(M_0,M_1)</math> and define <math>M_2</math> by <math> M_2 := M_0 + M_1 </math>. We compute the ''K'' corresponding elliptic curve points <math>P(M_0,0) + P(M_1,1) + P(M_2,2)</math> and store them in a list. We then choose ''K'' different random values for <math>(M_3,M_4)</math>, define <math> M_5 := M_3 + M_4 </math>, we compute <math> Q - X_1 - X_2 - P(M_3,3) - P(M_4,4) - P(M_5, 5)</math>, and store them in a second list. Note that the target ''Q'' is known. <math>X_1</math> only depends on the length of the message which we have fixed. <math>X_2</math> depends on the length and the XOR of all message blocks, but we choose the message blocks such that this is always zero. Thus, <math>X_2</math> is fixed for all our tries.
 
If ''K'' is larger than the square root of the number of points on the elliptic curve then
we expect one [[collision]] between the two lists. This gives us a message <math>(M_1,M_2,M_3,M_4,M_5,M_6)</math> with:
<math>
Q = \sum_{i=0}^5 P(M_i,i) + X_1 + X_2
</math>
This means that this message leads to the target value ''Q'' and thus to a second preimage, which was the question. The workload we have to do here is two times ''K'' partial hash computations. For more info, see [http://eprint.iacr.org/2009/168.pdf "A Second Pre-image Attack Against Elliptic Curve Only Hash (ECOH)"].
 
Actual parameters:
* ECOH-224 and ECOH-256 use the elliptic curve B-283 with approximately <math>2^{283}</math> points on the curve. We choose <math>K = 2^{142}</math> and get an attack with complexity <math>2^{143}</math>.
* ECOH-384 uses the elliptic curve B-409 with approximately <math>2^{409}</math> points on the curve. Choosing <math>K=2^{205}</math> gives an attack with complexity <math>2^{206}.</math>
* ECOH-512 uses the elliptic curve B-571 with approximately <math>2^{571}</math> points on the curve. Choosing <math>K=2^{286}</math> gives an attack with complexity <math>2^{287}.</math>
 
==ECOH2==
 
The official [http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/ECOH_Comments.pdf comments] on ECOH included a proposal called ECOH2 that doubles the elliptic curve size in an effort to stop the Halcrow-Ferguson second preimage attack with a prediction of improved or similar performance.
 
==References==
* Daniel R. L. Brown, Matt Campagna, Rene Struik (2008). [http://ehash.iaik.tugraz.at/uploads/a/a5/Ecoh.pdf "ECOH: the Elliptic Curve Only Hash"].
* Michael A. Halcrow, Niels Ferguson (2009). [http://eprint.iacr.org/2009/168.pdf "A Second Pre-image Attack Against Elliptic Curve Only Hash (ECOH)"].
 
==See also==
[[Provably secure cryptographic hash function]]
 
{{Cryptography navbox | hash}}
 
[[Category:Cryptographic hash functions]]

Revision as of 12:13, 3 February 2013

Template:Infobox cryptographic hash function

The elliptic curve only hash (ECOH) algorithm was submitted as a candidate for SHA-3 in the NIST hash function competition. However, it was rejected in the beginning of the competition since a second pre-image attack was found.

The ECOH is based on the MuHASH hash algorithm, that has not yet been successfully attacked. However, MuHASH is too inefficient for practical use and changes had to be made. The main difference is that where MuHASH applies a random oracle, ECOH applies a padding function. Assuming random oracles, finding a collision in MuHASH implies solving the discrete logarithm problem. MuHASH is thus a provably secure hash, i.e. we know that finding a collision is at least as hard as some hard known mathematical problem.

ECOH does not use random oracles and its security is not strictly directly related to the discrete logarithm problem, yet it is still based on mathematical functions. ECOH is related to the Semaev's problem of finding low degree solutions to the summation polynomial equations over binary field, called the Summation Polynomial Problem. An efficient algorithm to solve this problem has not been given so far. Although the problem was not proven to be NP-hard, it is assumed that such an algorithm does not exist. Under certain assumptions, finding a collision in ECOH may be also viewed as an instance of the subset sum problem. Besides solving the Summation Polynomial Problem, there exists another way how to find second pre-images and thus collisions, Wagner's generalized birthday attack.

ECOH is a nice example of hash function that is based on mathematical functions (with the provable security approach) rather than on classical ad hoc mixing of bits to obtain the hash.

The algorithm

Given n, ECOH divides the message M into n blocks M0,,Mn1. If the last block is incomplete, it is padded with single 1 and then appropriate number of 0. Let furthermore P be a function that maps a message block and an integer to an elliptic curve point. Then using the mapping P, each block is transformed to an elliptic curve point Pi, and these points are added together with two more points. One additional point X1 contains the padding and depends only on the message length. The second additional point X2 depends on the message length and the XOR of all message blocks. The result is truncated to get the hash H.

Pi:=P(Mi,i)X1:=P(n)X2:=P*(Mi,n)Q:=i=0n1Pi+X1+X2R:=f(Q)

The two extra points are computed by P and P* . Q adds all the elliptic curve points and the two extra points together. Finally, the result is passed through an output transformation function f to get the hash result R. To read more about this algorithm, see "ECOH: the Elliptic Curve Only Hash".

Examples

Four ECOH algorithms were proposed, ECOH-224, ECOH-256, ECOH-384 and ECOH-512. The number represents the size of the message digest. They differ in the length of parameters, block size and in the used elliptic curve. The first two uses the elliptic curve B-283: X283+X12+X7+X5+1, with parameters (128, 64, 64). ECOH-384 uses the curve B-409: X409+X87+1, with parameters (192, 64, 64). ECOH-512 uses the curve B-571: X571+X10+X5+X2+1, with parameters (256, 128, 128). It can hash messages of bit length up to 2128.

Properties

  • Incrementality: ECOH of a message can be updated quickly, given a small change in the message and an intermediate value in ECOH computation.
  • Parallelizability: This means the computation of the Pis can be done on parallel systems.
  • Speed: The ECOH algorithm is about thousand times slower than SHA-1. However, given the developments in desktop hardware towards parallelization and carryless multiplication, ECOH may in a few years be as fast as SHA-1 for long messages. For short messages, ECOH is relatively slow, unless extensive tables are used.

Security of ECOH

The ECOH hash functions are based on concrete mathematical functions. They were designed such that the problem of finding collisions should be reducible to a known and hard mathematical problem (the subset sum problem). It means that if one could find collisions, one would be able to solve the underlying mathematical problem which is assumed to be hard and unsolvable in polynomial time. Functions with these properties are known provably secure and are quite unique among the rest of hash functions. Nevertheless second pre-image (and thus a collision) was later found because the assumptions given in the proof were too strong.

Semaev Summation Polynomial

One way of finding collisions or second pre-images is solving Semaev Summation Polynomials. For a given elliptic curve E, there exists polynomials fn that are symmetric in n variables and that vanish exactly when evaluated at abscissae of points whose sum is 0 in E. So far, an efficient algorithm to solve this problem does not exist and it assumed assumed to be hard (but not proven to be NP-hard).

More formally: Let F be a finite field, E be an elliptic curve with Weierstrass equation having coefficients in F and O be the point of infinity. It is known that there exists a multivariable polynomial fn(X1,,XN) if and only if there exist < y1,,yn such that (x1,y1)++(xn,yn)=O. This polynomial has degree 2n2 in each variable. The problem is to find this polynomial.

Provable security discussion

The problem of finding collisions in ECOH is similar to the subset sum problem. Solving a subset sum problem is almost as hard as the discrete logarithm problem. It is generally assumed that this is not doable in polynomial time. However a significantly loose heuristic must be assumed, more specifically, one of the involved parameters in the computation is not necessarily random but has a particular structure. If one adopts this loose heuristic, then finding an internal ECOH collision may be viewed as an instance of the subset sum problem.

A second pre-image attack exists in the form of generalized birthday attack.

Second pre-image attack

Description of the attack: This is a Wagner’s Generalized Birthday Attack. It requires 2143 time for ECOH-224 and ECOH-256, 2206 time for ECOH-384, and 2287 time for ECOH-512. The attack sets the checksum block to a fixed value and uses a collision search on the elliptic curve points. For this attack we have a message M and try to find a M' that hashes to the same message. We first split the message length into six blocks. So M=(M1,M2,M3,M4,M5,M6). Let K be a natural number. We choose K different numbers for (M0,M1) and define M2 by M2:=M0+M1. We compute the K corresponding elliptic curve points P(M0,0)+P(M1,1)+P(M2,2) and store them in a list. We then choose K different random values for (M3,M4), define M5:=M3+M4, we compute QX1X2P(M3,3)P(M4,4)P(M5,5), and store them in a second list. Note that the target Q is known. X1 only depends on the length of the message which we have fixed. X2 depends on the length and the XOR of all message blocks, but we choose the message blocks such that this is always zero. Thus, X2 is fixed for all our tries.

If K is larger than the square root of the number of points on the elliptic curve then we expect one collision between the two lists. This gives us a message (M1,M2,M3,M4,M5,M6) with: Q=i=05P(Mi,i)+X1+X2 This means that this message leads to the target value Q and thus to a second preimage, which was the question. The workload we have to do here is two times K partial hash computations. For more info, see "A Second Pre-image Attack Against Elliptic Curve Only Hash (ECOH)".

Actual parameters:

  • ECOH-224 and ECOH-256 use the elliptic curve B-283 with approximately 2283 points on the curve. We choose K=2142 and get an attack with complexity 2143.
  • ECOH-384 uses the elliptic curve B-409 with approximately 2409 points on the curve. Choosing K=2205 gives an attack with complexity 2206.
  • ECOH-512 uses the elliptic curve B-571 with approximately 2571 points on the curve. Choosing K=2286 gives an attack with complexity 2287.

ECOH2

The official comments on ECOH included a proposal called ECOH2 that doubles the elliptic curve size in an effort to stop the Halcrow-Ferguson second preimage attack with a prediction of improved or similar performance.

References

See also

Provably secure cryptographic hash function

Template:Cryptography navbox