SL2 homomorphic hash functions: Worst case to average case reduction and short collision search

TL;DR

This paper analyzes the security of homomorphic hash functions into SL(2,q), providing worst-case to average-case reductions and efficient collision search algorithms that outperform previous methods.

Contribution

It introduces a worst-case to average-case reduction for SL(2,q) hash functions under a number theoretic hypothesis and presents new algorithms for finding short collisions efficiently.

Findings

Collision length O(log(q)) can be found in time O(√q) for certain homomorphisms.

Heuristic algorithms find shorter collisions faster than previous methods.

The algorithms outperform earlier generic collision search algorithms in practice.

Abstract

We study homomorphic hash functions into SL(2,q), the 2x2 matrices with determinant 1 over the field with $q$ elements. Modulo a well supported number theoretic hypothesis, which holds in particular for concrete homomorphisms proposed thus far, we provide a worst case to average case reduction for these hash functions: upto a logarithmic factor, a random homomorphism is as secure as _any_ concrete homomorphism. For a family of homomorphisms containing several concrete proposals in the literature, we prove that collisions of length O(log(q)) can be found in running time O(sqrt(q)). For general homomorphisms we offer an algorithm that, heuristically and according to experiments, in running time O(sqrt(q)) finds collisions of length O(log(q)) for q even, and length O(log^2(q)/loglog(q))$ for arbitrary q. While exponetial time, our algorithms are faster in practice than all earlier generic algorithms, and produce much shorter collisions.