# EE-374

# Chapter 2
# Cryptographic Primitives

### 2.1 Hash functions
- We've seen that in the *gossip protocol* nodes exchange information objects, so it's essential to label each object with a unique identifier
    - Since there is no notion of ordering while the protocol is running, we discard counting, and we also discard random numbers because we want uniqueness
    - Instead we use hashes as unique identifiers: $H:\{0,1\}^\ast\rightarrow\{0,1\}^\kappa$, which takes a string of any size and outputs a $\kappa$-bit string
    - *Cryptographic hashes* are great *compression* functions that are also polynomially computable
- Next we'll define three key properties of resistance against an adversary $\mathcal{A}$: *collision, preimage & 2nd-preimage resistance*

<div style="background-color:rgba(0, 0, 0, 0.0470588); padding:10px 0;font-family:monospace; font-family:monospace">
<font color = "gray"># <strong>Algorithm 3</strong> collision-finding game for a hash function $H$</font><br>
<strong>function</strong> collision-game$_{H,\mathcal{A}}(\kappa)$<br>
&nbsp;&nbsp;$x_1,x_2\leftarrow\mathcal{A}(1^{\kappa})$<br>
&nbsp;&nbsp;<strong>return</strong> $H_\kappa(x_1)=H_\kappa(x_2)\wedge x_1\neq x_2$<br>
<strong>end function</strong>
<br>
<br>
<font color = "gray"># <strong>Algorithm 5</strong> preimage-finding game for a hash function $H$</font><br>
<strong>function</strong> preimage-game$_{H,\mathcal{A}}(\kappa)$<br>
&nbsp;&nbsp;$x\sim P_\text{uniform}\leftarrow^\$\{0,1\}^\kappa$<br>
&nbsp;&nbsp;$y\leftarrow H_\kappa(x)$<br>
&nbsp;&nbsp;$x^\prime\leftarrow\mathcal{A}(y)$<br>
&nbsp;&nbsp;<strong>return</strong> $H_\kappa(x^\prime)=y$<br>
<strong>end function</strong>
<br>
<br>
<font color = "gray"># <strong>Algorithm 6</strong> 2nd-preimage-finding game for a hash function $H$</font><br>
<strong>function</strong> 2nd-preimage-game$_{H,\mathcal{A}}(\kappa)$<br>
&nbsp;&nbsp;$x_1\sim P_\text{uniform}\leftarrow^\$\{0,1\}^{2\kappa+1}$<br>
&nbsp;&nbsp;$x_2\leftarrow\mathcal{A}(x_1)$<br>
&nbsp;&nbsp;<strong>return</strong> $H_\kappa(x_1)=H_\kappa(x_2)\wedge x_1\neq x_2$<br>
<strong>end function</strong>
</div>

#### Collision resistance
- In short, for $\mathcal{A}$ to break collision resistance she has to freely choose both inputs $x_1,x_2$ such that: $x_1\neq x_2\wedge H(x_1)=H(x_2)$
- By the Pigeonhole theorem, if the universe of preimages is larger than the hash image, then collisions must exist
    - **Theorem 2** (Pigeonhole). *Consider a function $f:A\rightarrow B$. If $|A|>|B|$, then there must exist some inputs $x_1, x_2$ such that $f(x_1)=f(x_2)$*
    - Thus, **collisions** are inevitable. Some algorithms to find the problematic inputs are:
        - Start feeding inputs to $H$, starting w/ $x=0$ and going up to $2^\kappa-1$; if there hasn't been a collision until then $\Rightarrow$ we are certain that the next input will yield a collision
        - Brute-force search, which runs in exponential time $2^{2\kappa}$: we use two for loops, one for $x_i$ and the other for $x_j$, aiming to find a pair $(i,j)$ with $x_i\neq x_j\wedge H(x_i)=H(x_j)$
        - *Collision-finding game* - initialize the adversary $x_1,x_2\leftarrow\mathcal{A}(1^\kappa)$ and let her produce two different inputs (she may have them hard-coded) that have the same $\kappa$-bit output hash $H_\kappa(x_1)=H_\kappa(x_2)\wedge x_1\neq x_2$
        
- From the last point, the adversary may have a list of hard-coded collisions, but for sufficiently large values of $\kappa$, i.e. a more secure hash function, these may not work
    - **Definition 5** (Collision Resistance). *A hash function $H:\{0,1\}^\ast\rightarrow\{0,1\}^\kappa$ is collision resistant if:* $\forall\text{PPT}\mathcal{A} : P[\text{collision-game}_{H,\mathcal{A}}(\kappa)=1]\leq\text{negl}(\kappa)$
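
The pigeonhole search and the collision-finding game above, as an added example that is not part of the original notes. It assumes a toy $H_\kappa$ built by truncating SHA-256 to $\kappa$ bits; the function names and the hard-coded pair are constructed for the demo.

```python
import hashlib

def H(x: bytes, kappa: int) -> int:
    """Toy H_kappa (assumption): SHA-256 truncated to its top kappa bits."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - kappa)

def encode(i: int) -> bytes:
    """Fixed-width encoding, so distinct counters are distinct inputs."""
    return i.to_bytes(8, "big")

def pigeonhole_search(kappa: int):
    """Feed x = 0, 1, 2, ... to H_kappa until two inputs share an image.

    Returns (x1, x2, evaluations). Only 2^kappa images exist, so input
    number 2^kappa + 1 collides at the latest.
    """
    seen = {}  # image -> first input that produced it
    for i in range(2**kappa + 1):
        x = encode(i)
        y = H(x, kappa)
        if y in seen:
            return seen[y], x, i + 1
        seen[y] = x
    raise AssertionError("unreachable: the pigeonhole bound was exceeded")

def collision_game(kappa: int, adversary) -> bool:
    """Algorithm 3: the adversary wins iff x1 != x2 and the images match."""
    x1, x2 = adversary(kappa)
    return H(x1, kappa) == H(x2, kappa) and x1 != x2

def searching_adversary(kappa: int):
    """Adversary that does the work: runs the search for the given kappa."""
    x1, x2, _ = pigeonhole_search(kappa)
    return x1, x2

def hardcoded_adversary(kappa: int):
    """Adversary with one stored pair, precomputed for kappa = 8 only."""
    return HARDCODED_PAIR

HARDCODED_PAIR = pigeonhole_search(8)[:2]

if __name__ == "__main__":
    for kappa in (8, 16, 24):
        _, _, evals = pigeonhole_search(kappa)
        print(f"kappa={kappa:2d} evaluations={evals} bound={2**kappa + 1}")
    for kappa in (8, 16, 24):
        print(f"hard-coded pair wins at kappa={kappa}:",
              collision_game(kappa, hardcoded_adversary))
```

The search adversary wins only because $\kappa$ is tiny here; the stored pair is guaranteed to win at $\kappa=8$ and has to be recomputed for every larger $\kappa$ it does not happen to fit.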


#### Preimage resistance
- In preimage resistance $\mathcal{A}$ is provided a hash output, and it should be infeasible for her to find a preimage $x$ that produces that hash
    - **Definition 6** (Preimage Resistance). *A hash function $H:\{0,1\}^\ast\rightarrow\{0,1\}^\kappa$ is preimage resistant if* $\forall\text{PPT}\mathcal{A}: P[\text{preimage-game}_{H,\mathcal{A}}(\kappa)=1]\leq\text{negl}(\kappa)$
    
#### Second preimage resistance
- In second preimage resistance $\mathcal{A}$ is handed a preimage $x_1$ and its image $H(x_1)$, and it should be infeasible for her to find another input $x_2$ that produces the same image
    - **Definition 7** (2nd-Preimage Resistance). *A hash function $H:\{0,1\}^\ast\rightarrow\{0,1\}^\kappa$ is 2nd-preimage resistant if* $\forall\text{PPT}\mathcal{A}: P[\text{2nd-preimage-game}_{H,\mathcal{A}}(\kappa)=1]\leq\text{negl}(\kappa)$

- As we can see, there is a deductive hierarchy in the strength of these properties:
    - **Theorem 3** (Collision Resistance $\Rightarrow$ 2nd Preimage Resistance). *If a hash function $H$ is collision resistant, then it is 2nd-preimage resistant*
    - **Theorem 4** (2nd Preimage Resistance $\Rightarrow$ Preimage Resistance). *If a hash function $H$ is 2nd-preimage resistant, then it is preimage resistant*
    
- *Soft intuitive proofs*:
    - Theorem 4 - suppose an adversary $\mathcal{A}$ that can break the 2nd-preimage resistance of $H$ and serves $\mathcal{A}^\prime$ in its mission to break collision resistance. First, $\mathcal{A}^\prime$ chooses $x_1\sim P_\text{uniform}$ from the message space and hands it to $\mathcal{A}$ who, by our assumption, wins the game of Definition 7, producing an $x_2$ such that $x_1\neq x_2 \wedge H(x_1)=H(x_2)$. $\mathcal{A}$ then returns this output to $\mathcal{A}^\prime$, who produces the final output $(x_1,x_2)$
    - Theorem 5 - a lot more complicated
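
The reduction in the first soft proof above (a 2nd-preimage adversary $\mathcal{A}$ used as a subroutine by a collision adversary $\mathcal{A}^\prime$), written out as an added example that is not part of the original notes. It assumes a toy $H_\kappa$ (SHA-256 truncated to $\kappa$ bits) and an exhaustive-search stand-in for $\mathcal{A}$ that is only feasible for tiny $\kappa$; all names are constructed for the demo.

```python
import hashlib
import secrets

def H(x: bytes, kappa: int) -> int:
    """Toy H_kappa (assumption): SHA-256 truncated to its top kappa bits."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - kappa)

def sample_message(kappa: int) -> bytes:
    """Uniform x1 of 2*kappa + 1 bits, rounded up to whole bytes here."""
    return secrets.token_bytes((2 * kappa + 1 + 7) // 8)

def second_preimage_game(kappa: int, adversary) -> bool:
    """Algorithm 6: the challenger picks x1, the adversary must answer x2."""
    x1 = sample_message(kappa)
    x2 = adversary(kappa, x1)
    return H(x1, kappa) == H(x2, kappa) and x1 != x2

def collision_game(kappa: int, adversary) -> bool:
    """Algorithm 3: the adversary picks both inputs itself."""
    x1, x2 = adversary(kappa)
    return H(x1, kappa) == H(x2, kappa) and x1 != x2

def exhaustive_A(kappa: int, x1: bytes) -> bytes:
    """Stand-in for A: exhaustive search, feasible only for tiny kappa."""
    target = H(x1, kappa)
    for i in range(2**64):
        x2 = i.to_bytes(8, "big")
        if x2 != x1 and H(x2, kappa) == target:
            return x2
    raise RuntimeError("no second preimage among 64-bit counters")

def reduce_to_collision(A):
    """Build A' from A: sample x1, ask A for x2, output the pair (x1, x2)."""
    def A_prime(kappa: int):
        x1 = sample_message(kappa)
        x2 = A(kappa, x1)
        return x1, x2
    return A_prime

if __name__ == "__main__":
    kappa = 12
    A_prime = reduce_to_collision(exhaustive_A)
    print("A wins the 2nd-preimage game:", second_preimage_game(kappa, exhaustive_A))
    print("A' wins the collision game:  ", collision_game(kappa, A_prime))
```

Whenever $\mathcal{A}$ wins its game, $\mathcal{A}^\prime$ wins the collision game with the same pair, so a collision-resistant $H$ cannot admit such an $\mathcal{A}$.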

    
#### Gossiping with hashes
- Collision resistance ensures that objects are uniquely *content-addressable*
- Hashes are so useful that they allow advertising unique objects without revealing their contents
- In the gossiping process, instead of sending the whole object to peers it is more efficient to advertise its hash (*objectid*)
    - If a peer is already aware of the object, then they can simply ignore it. If not, they can request the object through its *objectid* and verify its hash upon delivery
    - Moreover, gossiping w/ hashes allows anonymity, i.e. $B$ has no way of knowing whether object $O$ was generated at $A$'s IP address or simply relayed.
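
The advertise, request and verify exchange described above, as an added example that is not part of the original notes. SHA-256 as the *objectid* hash, the `Peer` class, its method names and the sample object are assumptions made for the demo.

```python
import hashlib

def objectid(obj: bytes) -> str:
    """Content address of an object (assumption: SHA-256, hex encoded)."""
    return hashlib.sha256(obj).hexdigest()

class Peer:
    def __init__(self, name: str):
        self.name = name
        self.store = {}  # objectid -> object bytes

    def create(self, obj: bytes) -> str:
        """Add a locally generated object and return its objectid."""
        oid = objectid(obj)
        self.store[oid] = obj
        return oid

    def serve(self, oid: str):
        """Answer a request for an objectid (None if unknown)."""
        return self.store.get(oid)

    def on_advertise(self, oid: str, sender: "Peer") -> str:
        """Handle an advertised objectid; only the id crosses the wire first."""
        if oid in self.store:
            return "ignored"          # already known: nothing to fetch
        obj = sender.serve(oid)       # request the object by its objectid
        if obj is None or objectid(obj) != oid:
            return "rejected"         # delivery does not match the advertised id
        self.store[oid] = obj
        return "accepted"

class TamperingPeer(Peer):
    """Constructed faulty peer: alters the bytes it delivers."""
    def serve(self, oid: str):
        obj = self.store.get(oid)
        return None if obj is None else obj + b" (modified)"

def demo():
    a, b, c, m = Peer("A"), Peer("B"), Peer("C"), TamperingPeer("M")
    oid = a.create(b"constructed sample object")
    results = [b.on_advertise(oid, a)]      # B fetches from A and verifies
    results.append(b.on_advertise(oid, a))  # B already has it
    m.store[oid] = a.store[oid]
    results.append(c.on_advertise(oid, m))  # M delivers altered bytes
    results.append(c.on_advertise(oid, b))  # B relays; same exchange as from A
    return oid, results

if __name__ == "__main__":
    print(demo())
```

From $C$'s side the exchange with $B$ is identical to the one $B$ had with $A$, so nothing in it says whether $B$ generated the object or relayed it.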

<img src="images/ch021-gossiping-hashes.png" width="60%">

