# Re: constructing a specified hash function

On Nov 1, 8:58 am, "bobic" <fblo...@xxxxxxxxxxx> wrote:
David Wagner wrote:
bobic wrote:
Hi, all. Recently, I want to construct a specified hash function, which
satisfies

y=h(x), x can be any string, and y must belong to [g^a mod p,g^{a+1}
mod p,...,g^b mod p], and no body knows the discrete logrithm of y
based on g. a,b are known.

How about h(x) = G * g^H(x), where G = g^a mod p and
H(x) = SHA256(x) mod (b-a)/ Does that do it? Note that you will
have to publish the values G and b-a, but you nobody needs to know
the discrete log of G to the base g, nor the discrete log of y to
the base x.

Out of curiousity, why do you want this hash function? Do you
have any particular security goals for it?No! :( It cannot catch the goal.

In your way, though nobody knows the discrete logrithm, everybody knows
that h(x) is the product of a constant and a number with a known
discrete logrithm.

But if your requirements are that y is in {g^a, g^{a+1}, ... g^b },
then it will always be the product of the constant g^a (which is known)
and another number. And the discrete logarithm of g^H(x) is not known
when x is not known.

Actually I think Davids solution is very reasonable; to make a hash h:
{0,1}* -> Y, you can use an existing hash function H: {0,1}* -> X, and
then use a deterministic map f: X->Y to construct h(x) = f(H(x)). Of
course you should make sure that X and Y are about the same size; if f
is an isomorphism it would be perfect.

Peter

.

## Relevant Pages

• Re: constructing a specified hash function
... the discrete log of G to the base g, nor the discrete log of y to ... have any particular security goals for it? ... In your way, though nobody knows the discrete logrithm, everybody knows ... If the constant changes to a variant, ...
(sci.crypt)
• Re: constructing a specified hash function
... have any particular security goals for it?No! ... In your way, though nobody knows the discrete logrithm, everybody knows ... How can we construct a hash function, ... If y is a product of a constant and a variant, ...
(sci.crypt)