
Since most cryptographic hash functions are simple, compact constructions, does this simplicity impose a limit on the complexity and size of a function that can generate preimages? That is, given a cryptographic hash function H of some length and complexity, can we lower- or upper-bound the complexity/size of a function that finds preimages of H? If not, why not?

If the upper bound on the size of a function that efficiently finds a preimage of H is smaller than the output size of H, then this has implications for the strength of the hash function. How can we justify that such an efficient preimage-finding function must be larger than the output size?

Paŭlo Ebermann
Ethan Heilman

2 Answers


The general justification is several years of cryptographic research in trying to "break" hash functions. As far as I know there is no "proof" that finding pre-images of a hash is hard. It is just assumed to be hard based on the history of effort trying to invert it. A hash function considered secure today may well turn out to be weak tomorrow.

This paper (ONE-WAY FUNCTIONS AND CIRCUIT COMPLEXITY) might be of help in understanding the relationship between circuit complexity and one-way functions.

Jus12

Cryptographic hash functions (like everything else a traditional computer does) can be described as a set of binary operations, XOR, register rotate, and binary addition being very common. These translate directly to a classic computer science problem known as "binary satisfiability" or SAT.

The SAT problem has been proven NP-complete. To butcher the definition of this sublime mathematical concept, it means that there's no known algorithm which can solve the puzzle without the number of puzzle pieces ending up in an exponent somewhere describing the amount of work it will take. Crypto algorithms try to jack that exponent up into the tens of thousands or more.

There are, of course, any number of ways that any actual function might have weaknesses which cause it to not present such a worst-case problem for the attacker. But cryptographers have amassed a body of knowledge for assessing the security of algorithms beyond their outward number of bits. All but the most ancient crypto functions are out of reach of today's best SAT solvers.

But then P != NP hasn't really been proven now, has it? :-)

Marsh Ray
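As an added illustration of the SAT encoding described in the answer above (example code written for this page, not part of the original answer or of any real hash function): the 8-bit ARX "hash" `toy_hash`, the Tseitin encoder `CNF` and the minimal DPLL solver `dpll` are all constructed here. XOR, rotate and modular addition become a handful of CNF clauses each (a rotation costs none, it only renames wires), the output wires are pinned to the target value, and the solver searches for an input assignment. The state width of 8 bits is an assumption chosen so that the exhaustive part of the search (at most 2^8 input assignments) finishes in seconds; that exponent in the width is the cost the answer is talking about, and real solvers (CDCL, not this toy DPLL) still hit it for full-size functions.

```python
# Added example: toy ARX hash -> CNF (Tseitin) -> DPLL preimage search.
# Everything here is constructed for the illustration; W = 8 is deliberately tiny.

W = 8                      # state and input width in bits (toy assumption)
MASK = (1 << W) - 1
ROUND_KEYS = (0x5A, 0xC3)  # arbitrary round constants for the toy function


def rotl(v, r):
    """Rotate a W-bit integer left by r bits."""
    return ((v << r) | (v >> (W - r))) & MASK


def toy_hash(x):
    """Two ARX rounds starting from s = x: s = rotl(s ^ k, 3) + x (mod 2^W)."""
    s = x
    for k in ROUND_KEYS:
        s = (rotl(s ^ k, 3) + x) & MASK
    return s


class CNF:
    """Clause store plus Tseitin gate encoders. Literals are +/-var, vars >= 1."""

    def __init__(self):
        self.n, self.clauses = 0, []
        self.true = self.var()            # wire pinned to TRUE by a unit clause
        self.clauses.append([self.true])

    def var(self):
        self.n += 1
        return self.n

    def const(self, bit):
        return self.true if bit else -self.true

    def xor(self, a, b):                  # z <-> a XOR b
        z = self.var()
        self.clauses += [[-a, -b, -z], [a, b, -z], [a, -b, z], [-a, b, z]]
        return z

    def and_(self, a, b):                 # z <-> a AND b
        z = self.var()
        self.clauses += [[-z, a], [-z, b], [-a, -b, z]]
        return z

    def or_(self, a, b):                  # z <-> a OR b
        z = self.var()
        self.clauses += [[z, -a], [z, -b], [-z, a, b]]
        return z

    # Bit-vectors are lists of W literals, least significant bit first.
    def bv_const(self, v):
        return [self.const((v >> i) & 1) for i in range(W)]

    def bv_xor(self, xs, ys):
        return [self.xor(a, b) for a, b in zip(xs, ys)]

    def bv_add(self, xs, ys):
        """Ripple-carry adder; the final carry is dropped (addition mod 2^W)."""
        out, carry = [], self.const(0)
        for a, b in zip(xs, ys):
            t = self.xor(a, b)
            out.append(self.xor(t, carry))
            carry = self.or_(self.and_(a, b), self.and_(t, carry))
        return out


def bv_rotl(bits, r):
    """Rotation only renames wires, so it adds no clauses at all."""
    return bits[-r:] + bits[:-r]


def encode_preimage(target):
    """Build a CNF that is satisfiable iff some x has toy_hash(x) == target."""
    cnf = CNF()
    x = [cnf.var() for _ in range(W)]     # the unknown input bits
    s = x
    for k in ROUND_KEYS:                  # mirror toy_hash() gate for gate
        s = cnf.bv_add(bv_rotl(cnf.bv_xor(s, cnf.bv_const(k)), 3), x)
    for lit, want in zip(s, cnf.bv_const(target)):
        cnf.clauses.append([lit if want > 0 else -lit])  # pin the output bits
    return cnf, x


def _assign(clauses, lit):
    """Simplify the clause set under lit = TRUE; None if a clause becomes empty."""
    out = []
    for c in clauses:
        if lit in c:
            continue                      # satisfied clause, drop it
        if -lit in c:
            c = [l for l in c if l != -lit]
            if not c:
                return None               # conflict
        out.append(c)
    return out


def dpll(clauses, model=None):
    """Plain DPLL: unit propagation, then branch on the lowest unassigned var."""
    model = dict(model or {})
    while True:
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        model[abs(unit)] = unit > 0
        clauses = _assign(clauses, unit)
        if clauses is None:
            return None
    if not clauses:
        return model                      # every clause satisfied
    v = min(abs(l) for c in clauses for l in c)
    for lit in (-v, v):
        sub = _assign(clauses, lit)
        if sub is not None:
            res = dpll(sub, {**model, v: lit > 0})
            if res is not None:
                return res
    return None


def find_preimage(target):
    """Return some x with toy_hash(x) == target, or None if no such x exists."""
    cnf, x = encode_preimage(target)
    model = dpll(cnf.clauses)
    if model is None:
        return None
    return sum(model.get(v, False) << i for i, v in enumerate(x))  # free bits -> 0


if __name__ == "__main__":
    t = toy_hash(0xB7)
    cnf, _ = encode_preimage(t)
    x = find_preimage(t)
    print(f"{cnf.n} vars, {len(cnf.clauses)} clauses; preimage of {t:#04x} "
          f"is {x:#04x}, verified: {toy_hash(x) == t}")
```

The adder is where the clause count comes from: each bit of a modular addition costs two XOR gates, two AND gates and an OR gate, so widening the state and adding rounds grows the instance linearly while the search space grows as 2^W. Scaling `W` to 16 or 24 already makes this naive solver impractical, which is the same wall the answer describes, only a real design pushes it far beyond any solver.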