8

I am pondering creating a hash function (like md5 or sha1) using the RSA crypto algorithm. I am wondering if there are any obvious reasons that this algorithm wouldn't work:

  1. Generate RSA public/private keys.
  2. Discard private key, never store it at all.
  3. Begin with a hash with a length of the block size for the RSA encryption.
  4. Encrypt message using public key, one block at a time.
  5. For each encrypted block of the message, accumulate it to the hash using a specified algorithm (probably a combination of +, xor, etc.)

To verify a message has the same hash as a stored hash, use the saved public key and repeat the process.

Is this possible, secure, and practical?

Thanks for any comments.

Improve this question

5 Answers 5

Reset to default
7

RSA encryption is not deterministic: if you follow the RSA standard, you will see that some random bytes are injected. Therefore, if you encrypt with RSA the same message twice, chances are that you will not get twice the same output.

Also, your "unspecified step 5" is likely to be weak. For instance, if you define a way to hash a block, and then just XOR the blocks together, then A||B and B||A (for block-sized values A and B) will hash to the same value; that's collision bonanza.

Academically, building hash functions out of number-theoretic structures (i.e. not a raw RSA, but reusing the same kind of mathematical element) has been tried; see this presentation from Lars Knudsen for some details. Similarly, the ECOH hash function was submitted for the SHA-3 competition, using elliptic curves at its core (but it was "broken"). The underlying hope is that hash function security could somehow be linked to the underlying number-theoretic hard problem, thus providing provable security. However, in practice, such hash functions are either slow, weak, or both.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I understand that the standards based implementations of RSA are non-deterministic, but the core algorithm is deterministic. I should have been more clear about step 5, it will not be simple mathematical function, but would do extra blending so as to prevent collisions. I just mentioned add and xor because they have a special relationship to each other that makes them useful for hashes.
6

There are already hashes that do essentially this, except perhaps not with the RSA algorithm in particular. They're called cryptographic hashes, and their salient point is that they're cryptographically secure - meaning that the same strength and security-oriented thought that goes into public key cryptographic functions has gone into them as well.

The only difference is, they've been designed from the ground-up as hashes, so they also meet the individual requirements of hash functions, which can be considered as additional strong points that cryptographic functions need not have.

Moreover, there are factors which are completely at odds between the two, for instance, you want hash functions to be as fast as possible without compromising security whereas being slow is oftentimes seen as a feature of cryptographic functions as it limits brute force attacks considerably.

SHA-512 is a great cryptographic hash and probably worthy of your attention. Whirlpool, Tiger, and RipeMD are also excellent choices. You can't go wrong with any of these.

One more thing: if you actually want it to be slow, then you definitely DON'T want a hash function and are going about this completely wrong. If, as I'm assuming, what you want is a very, very secure hash function, then like I said, there are numerous options out there better suited than your example, while being just as or even more cryptographically secure.

BTW, I'm not absolutely convinced that there is no weakness with your mixing algorithm. While the output of each RSA block is intended to already be uniform with high avalanching, etc, etc, etc, I remain concerned that this could pose a problem for chosen plaintext or comparative analysis of similar messages.

Improve this answer

5 Comments

Thanks for your answer. It was more of an academic question than practical, I don't intend to develop it sufficiently well for real world use. You mentioned that if I want it slow, then I don't want a hash; what would I want instead?
Depends on your reason for wanting it slow. The only reason you want something to be slow is because you don't want to be able to recreate its contents. But the purpose of a hash isn't to prevent the recreation of content, so much as it is to provide a unique digest of the contents and cryptographically secure it against hash collisions. If you're trying to prevent brute-force recreations of the original, you're probably trying to do something akin to securing passwords in a database, for which there are specific algorithms such as bcrypt and scrypt, amongst others.
The reason for wanting it to be slow is to prevent brute force attacks against password hashes. The intent would be to create something comparable to bcrypt (which is my current choice for password hashing). The reason that I found RSA attractive is that it can guarantee that there will be no collisions for all inputs that are the same as the block size or smaller.
I have a concept doubt You want build a hash function or signature scheme?
no, he wants hash functions to be ´secure as possible´. The confusion of performance and security seems to be a wide spread decease, specially in the Crypto Community ;) Obviously the lack of performance decreases the expected success of a brute force attack.
1

Typically, it is best to use an algorithm that is publicly available and has gone through a review process. Even though there might be known weaknesses with such algorithms, that is probably better than the unknown weaknesses in a home-grown algorithm. Note that I'm not saying the proposed algorithm has flaws; it's just that even if a large number of answers are given here saying that it seems good, it doesn't guarantee that it doesn't. Of course, the same thing can be said about algorithms such as MD5, SHA, etc. But at least with those, a large number of people have put them through a rigorous analysis.

Aside from the previous "boilerplate" warnings against designing one's own cryptographic functions, it seems the proposed solution might be somewhat expensive in terms of processing time. RSA encryption on a large document could be prohibitive.

Improve this answer

Comments

0

Without thinking too much about it, it seems like that would be cryptographically secure.

However, you'd have to be careful of chosen plaintext attacks, and if your input is large you may run into speed issues (as asymmetric crypto is significantly slower than cryptographic hashes).

So, in short: yes, this seems like it could be possible and secure… But unless there is a really compelling reason, I would use a standard HMAC if you want a keyed hash.

Improve this answer

1 Comment

"Without thinking too much about it" sounds like the exactly wrong way to approach cryptography, particularly when rolling your own. security.stackexchange.com/questions/18197/…
0

As mentioned above step 4.) is to be done deterministic, i.e. with modulus and public key exponent, only. If the hash in step 3.) is private, the concept appears secure to me.

Concerning Step 5.): In known CBC mode of kernel algorithms the mix with previous result is done before encryption, Step 4.), might be better for avoiding collusions, e.g. with a lazy hash; XOR is fine.

Will apply this, as available implementations of known hash functions might have backdoors :)

Deterministic Java RSA is here.

EDIT Also one should mention, that RSA is scalable without any limits. Such hash function can immediately serve as Mask Generation Function.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.