One-way function based pseudorandom generator and universal one-way hash function
Yu Yu, Li Xiangxue
Abstract:
This paper reviews the state of research on one-way function based pseudorandom generators and universal one-way hash functions, introduces the latest progress in related work, and gives a systematic exposition of design methods for universal one-way hash functions. That one-way functions imply pseudorandom generators is a fundamental problem in cryptography and a foundation of modern cryptography. One-way functions can be used to construct pseudorandom generators, which in turn yield stream ciphers, or, building on pseudorandom generators, to further construct pseudorandom functions and pseudorandom permutations for use as block ciphers. The randomized iterate technique, after being proposed and refined, can be used to design pseudorandom generators from regular one-way functions. That one-way functions imply universal one-way hash functions is one of the most central foundational results of modern cryptography. Universal one-way hash functions can be constructed from any one-way function. Applications of universal one-way hash functions include digital signatures under minimal assumptions, the Cramer-Shoup encryption scheme, and statistically hiding commitment schemes.
Keywords: cryptography; one-way function; pseudorandom generator; universal one-way hash function
Foundation: National Natural Science Foundation of China (61472249, 61572192, 61572149)
Author: Yu Yu, Li Xiangxue
DOI: 10.13682/j.issn.2095-6533.2016.02.001