cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or '' -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adv ...

, collision resistance is a property of

cryptographic hash functions A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography: * the probability of a particular n-bit output r ...

: a hash function ''H'' is collision-resistant if it is hard to find two inputs that hash to the same output; that is, two inputs ''a'' and ''b'' where ''a'' ≠ ''b'' but ''H''(''a'') = ''H''(''b''). Goldwasser, S. and Bellare, M.br>"Lecture Notes on Cryptography"
Summer course on cryptography, MIT, 1996-2001 The

pigeonhole principle In mathematics, the pigeonhole principle states that if items are put into containers, with , then at least one container must contain more than one item. For example, if one has three gloves (and none is ambidextrous/reversible), then there mu ...

means that any hash function with more inputs than outputs will necessarily have such collisions; the harder they are to find, the more cryptographically secure the hash function is. The "

birthday paradox In probability theory, the birthday problem asks for the probability that, in a set of randomly chosen people, at least two will share a birthday. The birthday paradox is that, counterintuitively, the probability of a shared birthday exceeds 5 ...

" places an upper bound on collision resistance: if a hash function produces ''N'' bits of output, an attacker who computes only 2^''N''/2 (or

\scriptstyle \sqrt

) hash operations on random input is likely to find two matching outputs. If there is an easier method than this

brute-force attack In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correc ...

, it is typically considered a flaw in the hash function.Pass, R
"Lecture 21: Collision-Resistant Hash Functions and General Digital Signature Scheme"
Course on Cryptography, Cornell University, 2009

Cryptographic hash function A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography: * the probability of a particular n-bit output ...

s are usually designed to be collision resistant. However, many hash functions that were once thought to be collision resistant were later broken. MD5 and

SHA-1 In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographically broken but still widely used hash function which takes an input and produces a 160- bit (20- byte) hash value known as a message digest – typically rendered as 40 hexa ...

in particular both have published techniques more efficient than brute force for finding collisions. However, some hash functions have a proof that finding collisions is at least as difficult as some hard mathematical problem (such as

integer factorization In number theory, integer factorization is the decomposition of a composite number into a product of smaller integers. If these factors are further restricted to prime numbers, the process is called prime factorization. When the numbers are s ...

discrete logarithm In mathematics, for given real numbers ''a'' and ''b'', the logarithm log''b'' ''a'' is a number ''x'' such that . Analogously, in any group ''G'', powers ''b'k'' can be defined for all integers ''k'', and the discrete logarithm log''b ...

). Those functions are called provably secure.

Definition

A family of functions generated by some algorithm ''G'' is a family of collision-resistant hash functions, if , ''m''(''k''), > , ''l''(''k''), for any ''k'', i.e., ''h''_''k'' compresses the input string, and every ''h''_''k'' can be computed within polynomial time given ''k'', but for any probabilistic polynomial algorithm ''A'', we have : Pr [''k'' ← ''G''(1^''n''), (''x''₁, ''x''₂) ← ''A''(''k'', 1^''n'') s.t. ''x''₁ ≠ ''x''₂ but ''h''_''k''(''x''₁) = ''h''_''k''(''x''₂)] < negl(''n''), where negl(·) denotes some negligible function, and ''n'' is the security parameter., def 1.

Rationale

Collision resistance is desirable for several reasons. * In some

digital signature A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...

systems, a party attests to a document by publishing a

public key Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic al ...

signature on a hash of the document. If it is possible to produce two documents with the same hash, an attacker could get a party to attest to one, and then claim that the party had attested to the other. * In some distributed content systems, parties compare cryptographic hashes of files in order to make sure they have the same version. An attacker who could produce two files with the same hash could trick users into believing they had the same version of a file when they in fact did not.

References

{{DEFAULTSORT:Collision Resistance Symmetric-key cryptography Theory of cryptography

Definition

Rationale

See also

References