4

I'm looking for a reversible hash function that would map any 64-bit integer to another, with 1-to-1 correspondence, i.e. one number in one set maps to only one number in another set, both ways.

It is also important that the mapping is random-looking in a sense that if the function is not known to the outside observer, it should be relatively difficult to guess. Which means that the function should probably have some sort of a "seed" or "salt" (a large enough number or a sequence) that would make the mapping unique.

mojuba
  • 183
  • 2
    How about permuting the binary digits and XORing with a random bitmask? – Karl Jan 04 '22 at 16:41
  • @Karl good solution but for an input sequence that increments starting from 0 (0, 1, 2, ...) the upper part of the mask would be easy to guess. Good hash functions can hide the fact that input is sequential (although good hash functions are also not reversible...) – mojuba Jan 04 '22 at 16:58
  • 1
    Encrypt with DES with a fixed key. DES is a permutation... though @Karl's solution is simpler than encryption. – kelalaka Jan 04 '22 at 17:03
  • @kelalaka doesn't DES make the data larger? I need 64-bit to 64-bit mapping – mojuba Jan 04 '22 at 17:07
  • DES is block cipher with 64-bit block size. – kelalaka Jan 04 '22 at 17:09
  • Are you hoping for a function that's hard to guess even if the observer knows your scheme, as long as they don't know the salt? – Karl Jan 04 '22 at 17:20
  • @Karl yes, that's the idea. Imagine I want to mask a trivial autoincrement variable on the server so that the outside observer can't enumerate the objects. – mojuba Jan 04 '22 at 17:59
  • 1
    Then, permutation by encryption is a good candidate, x-or mask can be easily recovered on CPA attack. There are other ciphers that have 64-bit like PRESENT SIMON, etc... – kelalaka Jan 04 '22 at 18:09
  • @kelalaka not familiar with these algorithms, is the output size the same as input? If so, then it's what I need. – mojuba Jan 04 '22 at 19:21
  • Not what you're asking for, but something to consider: when sending an id to the client (or any other data you don't want them to tamper with), instead of (or in addition to) obfuscating it, you could append a "checksum" based on a hash function with a secret salt, and then validate it when they send it back. – Karl Jan 04 '22 at 19:28

1 Answers1

4

You can use a block cipher with a 64-bit block size for your aim.

A block cipher is a family of permutations;

$$F:\{0,1\}^\ell\times\{0,1\}^b \to\{0,1\}^b$$

$\ell$ is the key size and $n$ is the block size. For DES $b=64$ as for PRESENT and SIMON can have it, too ( there are others in the lightweight cryptography). If one fixes a key $k$ then one selects one of the permutations from the family.

$$F_k:\{0,1\}^b \to\{0,1\}^b$$

If you use DES then we have

$$DES_k:\{0,1\}^{64} \to\{0,1\}^{64}$$

To map a value, encrypt it, to find the reverse, decrypt it always with the fixed key.

As long as the key is kept secret and the attacker cannot obtain input, the output will be unknown to the outsider. In the case of the input-output pairs are available to the attacker use SIMON with a 128-bit key. It is secure against Known-Plaintext Attack (KPA), that is one cannot find the key with given input and output pairs. DES key size is too short for today's standards, at least 112 bit is required from the lightweight ciphers.

This operation actually a single block ECB mode encryption where it can achieve CPA security, however, multiple block ECB mode encryption will fail CPA.

Under the unknown attack model, you may need integrity and/or authentication that can be supplied with a MAC like HMAC with another key or derive them from a single key.

kelalaka
  • 1,637