
Will this algorithm make a cryptographically secure hash function? Can it be used to generate passwords? Is it secure enough for use as a MAC?

Divide the message into blocks.

The initial state is $h=314159265358979323846$.

For each message block $m$:

The new state is $h=(h+m)^2 \bmod pq$.

For a digest of size $n$ bits, repeat $n$ times:

The new state is $h=h^2 \bmod pq$.

Return parity bit of $h$.

Infinity
user43678
  • That is one expensive hash function... – Thomas Feb 04 '17 at 04:48
  • Why is it so expensive? How slow is a modular multiply-add? – user43678 Feb 04 '17 at 05:04
  • @user43678 For a 2048-bit+ modulus, you are talking about tens of thousands of word-sized multiplications/additions/divisions per output bit. That is atrociously slow (talking hundreds of microseconds, maybe even milliseconds here with even short messages on modern desktop CPUs). You would be lucky to get 1MB/s out of it. – Thomas Feb 04 '17 at 05:08
  • Ah, I understand, it's simple to do a fast hardware implementation but it is grossly impractical for speed in software, which is more important. – user43678 Feb 04 '17 at 05:25
  • But that isn't the point, the question is: is it cryptographically secure, can it be used for passwords, and can it be used for MACs? – user43678 Feb 04 '17 at 05:29
  • Trivial collision for any $x$: $m_\pm=-h \pm x \pmod n$ – CodesInChaos Feb 04 '17 at 09:38
  • Also fast multiplication is very expensive in hardware. – CodesInChaos Feb 04 '17 at 09:39
  • @Thomas I find it totally bewildering why these discussions always revert to speed/efficiency. These question(s) rarely focus on performance, and inefficiency of a function does not automatically invalidate it for all applications. The math is still valid, even if you're prejudiced against it. 1 MB/s is plenty for many applications and faster than I can do it by hand. BBS is one of the very few original, non-bit-mangling/shifty generators out there, and it is cryptographically secure. Rolls Royce cars are inefficient too... – Paul Uszak Feb 04 '17 at 11:44
  • @PaulUszak Except it actually has some issues with the math in real life too... there are reasons to be prejudiced against BBS, and they don't all involve performance (taking your example, would you still drive your Rolls Royce over an ordinary car if it were completely wrecked and barely worked?) – Thomas Feb 04 '17 at 11:47

1 Answer

The authors of the original algorithm (1) show that the security of the $x^2 \bmod N$ generator as a pseudorandom number generator (PRG) can be reduced to the quadratic residuosity problem.

The paper then shows that (all modulo the QRA):

Theorem 4: The generator is an unpredictable cryptographically secure pseudo-random sequence generator.

Theorem 5: The sequences produced by the generator pass every probabilistic polynomial time statistical test and that it has the property of unpredictability.

The basis for these properties is that a (probabilistic polynomial time, with advantage $\epsilon$) predictor for the generator can be converted efficiently into a predictor of parity for $x_{-1}$ (for arbitrary $x_0$). They then show that such a predictor can be efficiently converted into a procedure for guessing quadratic residuosity (with an amplified $\frac{1}{2}-\epsilon$ advantage).

The algorithm is a cryptographically secure PRG, provided that the quadratic residuosity problem remains a computationally hard problem under the assumptions made in the proof. According to this answer, the assumptions made are easily misinterpreted, and for the construction to be secure $N$ needs to be very, very large.

However, and in any case, secure PRGs do not inherently make secure cryptographic hash functions. A secure hash algorithm needs to be deterministic, collision resistant, and first and second pre-image resistant.

As stated in the comments, your algorithm would not make a secure hash function because it does not have the property of collision resistance:

$\forall x,h: \quad h' = -h - x \bmod N$

This also implicitly breaks second pre-image resistance.

Since the hash function is not cryptographically secure, it is not suitable for generating passwords or for authenticating messages.

Chris
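The following is an added example, not code from the question, the answer or the BBS paper. It implements the squaring hash exactly as the question specifies it (absorb each block with $(h+m)^2 \bmod pq$, then squeeze parity bits of repeated squarings, which is the $x^2 \bmod N$ generator the answer discusses), and then demonstrates the collision family CodesInChaos gives in the comments and the second pre-image the answer says follows from it. The toy primes $p=1019$, $q=1031$, the two-byte block encoding and the MSB-first digest bit order are assumptions made for the demonstration; a real modulus, as the comments note, would need thousands of bits, but the algebra that breaks the construction is independent of the modulus size.

```python
# Added example: the squaring hash from the question on a constructed toy
# modulus, with the collision and second-preimage constructions from the
# comments and the answer. Not code from the question, answer or BBS paper.

H0 = 314159265358979323846          # initial state given in the question

# Constructed toy modulus: two small Blum primes (p, q = 3 mod 4), chosen only
# so the demonstration runs instantly. The attacks below do not depend on size.
P, Q = 1019, 1031
N = P * Q


def absorb(blocks, n=N, h=H0):
    """Message-absorbing loop from the question: h <- (h + m)^2 mod n per block."""
    for m in blocks:
        h = (h + m) * (h + m) % n
    return h


def squeeze(h, digest_bits, n=N):
    """Digest extraction: repeat h <- h^2 mod n and emit the parity bit of h.
    This loop is the x^2 mod N (BBS) generator; bits are packed MSB first (assumed)."""
    out = 0
    for _ in range(digest_bits):
        h = h * h % n
        out = (out << 1) | (h & 1)
    return out


def squaring_hash(blocks, digest_bits=64, n=N):
    """Full hash: absorb all blocks, then squeeze digest_bits parity bits."""
    return squeeze(absorb(blocks, n), digest_bits, n)


def bytes_to_blocks(data, n=N):
    """Assumed encoding: fixed-width big-endian integer blocks, each smaller than n."""
    width = (n.bit_length() - 1) // 8 or 1    # bytes per block so every block < n
    return [int.from_bytes(data[i:i + width], "big") for i in range(0, len(data), width)]


def colliding_blocks(prefix, x, n=N):
    """Collision from the comments: after any prefix with state h, the final
    blocks -h+x and -h-x make (h + m) equal to +x and -x, which square to the
    same value x^2 mod n, so every x yields a distinct colliding pair."""
    h = absorb(prefix, n)
    return (-h + x) % n, (-h - x) % n


def second_preimage(blocks, n=N):
    """Second preimage: given a message, keep its prefix and replace the last
    block m by -2h - m, so that h + m' = -(h + m) and the squares agree."""
    if not blocks:
        return None
    prefix, last = blocks[:-1], blocks[-1]
    h = absorb(prefix, n)
    if (h + last) % n == 0:
        # Degenerate case: h + m = 0 is its own negation, so the substitute
        # block would equal the original and no new message is produced.
        return None
    return prefix + [(-2 * h - last) % n]


if __name__ == "__main__":
    msg = bytes_to_blocks(b"hello, world")        # constructed sample message
    forged = second_preimage(msg)
    print("original :", hex(squaring_hash(msg)))
    print("forged   :", hex(squaring_hash(forged)), "different blocks:", forged != msg)
    a, b = colliding_blocks([], 12345)
    print("collision:", hex(squaring_hash([a])), hex(squaring_hash([b])), a != b)
```

Because the squeeze phase is a deterministic function of the final absorbed state, any two messages that reach the same state share every digest length, which is why the unpredictability theorems quoted in the answer say nothing about collision resistance of the hash built on top of the generator.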