# CS 255 Lecture 6 Hash Functions Brent Waters

## Presentation transcript:

1 CS 255 Lecture 6 Hash Functions Brent Waters

2 Recap-Notions of Security

What attacker can do:
- Random plaintext attack
- Chosen plaintext attack
- Chosen ciphertext attack

Attacker’s Goal:
- Discover secret key
- Decrypt a ciphertext, $C^*$
- Distinguish two messages

3 Recap- Notions of Security

- 3x3=9 possible notions of security
- Strongest system = Semantic security against CCA
- weakest adversary goal + most adversary power

4 Recap- Semantic Security of Counter Mode

1) Defined notion of security for block cipher
- Indistinguishable from PRP
- Formal definition game
- Believe this is true for AES…

5 Recap-

2) Prove that if cipher is indist. from Random Permutation then counter mode is semantically secure against CPA attack
- Assume counter mode is not $\Rightarrow$ A breaks it
- Build algorithm B that uses algorithm A
- Want to show that A’s answer gives B information to play his game

6 Why do we do this?

- Aren’t we assuming AES, 3DES secure anyway?
- Why not just make same assumption for mode X?
- Reduce to simplest assumptions possible

7 Hash Functions

Hash function: $h: \{0,1\}^* \rightarrow \{0,1\}^n$, typically $n \approx 160$ bits (will see why soon)

[Figure: a long message ("Hi, I recently….. …should be used") is mapped by h(x) to a short digest 01100100…1]

8 Properties

- Compression
- Pre-image resistance: Given $y=h(x)$, difficult to determine $x'$ s.t. $h(x')=y$
- 2nd preimage resistance: Given $x$, find $x' \neq x$ s.t. $h(x) = h(x')$
- Collision resistance: Find $x' \neq x$ s.t. $h(x)=h(x')$

9 Relations

- If h is collision resistant then h is 2nd order pre-image resistant
- How do we show this?
- Reduction: simple here

10 Applications

- Show three applications and do one together
- For each one keep in mind what properties we need

11 Password protection

[Figure: a user with pword=jeitlse and a password file with entries U1=…, U2=…]

- What should we put in there?
- What if backup tape stolen?
- What property do we need?

12 Virus protection

- Worried virus might modify an application
- Small amount of trusted storage on USB token
- What properties do we need?
- Mirror sites distributing software

13 Digital Signatures

- One party can sign a message M, many parties can verify
- Contract signing, code signing
- Raw signature scheme only signs messages ~160 bits
- What properties do we need?

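14 Birthday Attack for Collisions

Let $r_1, \ldots, r_n \in [0, 1, \ldots, B]$. When $n = 1.2\sqrt{B}$ then $\Pr[\exists\, i \neq j : r_i = r_j]$:

$$
\begin{aligned}
\Pr[\exists\, i \neq j : r_i = r_j] &= 1 - \Pr[\forall\, i \neq j : r_i \neq r_j] \\
&= 1 - (1 - 1/B)(1 - 2/B) \cdots (1 - (n-1)/B) \\
&= 1 - \prod_{i=1}^{n-1} (1 - i/B) \\
&\approx 1 - \prod_{i=1}^{n-1} e^{-i/B} \\
&= 1 - e^{-\frac{1}{2} n^2 / B} \\
&= 1 - 1/e^{.7} \quad \text{for } n = 1.2\sqrt{B} \\
&= 1/2
\end{aligned}
$$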

15 Lesson

- 80 bit hash implies 40 bit security (for collisions)
- Need 160 bit hash output
- For n integers have $\approx n^2$ pairs, each is a possibility for a collision
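The bound from slides 14 and 15 can be checked numerically. The following is an added example, not part of the lecture: it evaluates the exact product from slide 14 and then runs a birthday search against SHA-256 truncated to a few bits, a constructed stand-in for a short hash, so the collision cost can be compared with $\sqrt{B}$.

```python
import hashlib
import math
from itertools import count

def birthday_probability(n, B):
    """Exact Pr[some pair collides] for n uniform draws from B values:
    1 - (1 - 1/B)(1 - 2/B)...(1 - (n-1)/B), the product on slide 14."""
    p_distinct = 1.0
    for i in range(1, n):
        p_distinct *= 1.0 - i / B
    return 1.0 - p_distinct

def truncated_hash(data, bits):
    """Constructed toy hash: the top `bits` bits of SHA-256."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits):
    """Hash distinct inputs until two share a digest. Returns both inputs
    and the number of hash evaluations that were needed."""
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        d = truncated_hash(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg

if __name__ == "__main__":
    B = 2 ** 16
    n = math.ceil(1.2 * math.sqrt(B))
    print(f"B=2^16, n={n}: exact {birthday_probability(n, B):.3f}, "
          f"approx {1 - math.exp(-n * n / (2 * B)):.3f}")
    for bits in (16, 24, 32):
        m1, m2, evals = find_collision(bits)
        print(f"{bits}-bit hash: collision after {evals} evaluations "
              f"(sqrt(B) = {2 ** (bits // 2)})")
```
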

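16 Iterated Construction (Merkle-Damgard)

[Figure: message blocks M1, M2, M3, M4 and pad are fed in turn through the compression function f, starting from IV, producing chaining variables H0, H1, H2, H3]

1. f – Compression function
2. $H_i$ – chaining variables
3. IV – Initial Value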

17 Iterated Construction (Merkle-Damgard)

[Figure: same diagram as the previous slide: M1, M2, M3, M4, pad; IV; f; H0, H1, H2, H3]

Padding: 100000 | length
- Pad out last message block
- Add one block with message length

18 Collision resistance

- If compression function resistant then so is iterated construction
- Way we prove this is to show if we have $M \neq M'$ and hash(M)=hash(M’) then we can find two different inputs to compression function (x,y) and (x’,y’) such that $f(x,y)=f(x',y')$
- Note $(x,y) \neq (x',y')$ if $x \neq x'$ or $y \neq y'$

19 Collision Resistance

Suppose $h(M)=h(M')$
- $IV = H_0, H_1, H_2, \ldots, H_t$
- $IV = H_0', H_1', H_2', \ldots, H_r'$
- Collision means $H_t = H_r'$

Case I: Suppose $t \neq r$, then $H_t = H_r' = f(H_{t-1}, t) = f(H_{r-1}', r)$ $\Rightarrow$ collision!

20 Collision Resistance

Suppose $h(M)=h(M')$
- $M = M_0, M_1, \ldots, M_{t-1}$ and $M' = M_0', M_1', \ldots, M_{r-1}'$
- $IV = H_0, H_1, H_2, \ldots, H_t$
- $IV = H_0', H_1', H_2', \ldots, H_r'$

Case 2: $t = r$ (Messages same # of blocks)
- Look at ith chaining variable
- Have $H_{i+1} = H_{i+1}'$, so $f(H_i, M_i) = f(H_i', M_i')$
- If $M_i \neq M_i'$ or if $H_i \neq H_i'$ then have a collision, otherwise repeat observation for i-1 chaining var.
- However, $\exists\, j : M_j \neq M_j'$, so must have a collision at some point
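The argument of slides 18 to 20 is constructive, and it can be run. This is an added example, not code from the lecture: the compression function is SHA-256 truncated to 16 bits and the 8-byte block size is a toy value, both chosen so that a collision in the iterated hash can actually be found and then turned into a collision in f.

```python
import hashlib
from itertools import count

BLOCK, N = 8, 2            # toy sizes: 8-byte blocks, 16-bit chaining value
IV = b"\x00" * N

def f(h, m):
    """Toy compression function (constructed): truncated SHA-256(h || m)."""
    return hashlib.sha256(h + m).digest()[:N]

def chain(msg):
    """Pad as on slide 17; return (blocks M_0..M_{t-1}, chaining H_0..H_t)."""
    p = msg + b"\x80"                           # the '1' bit
    p += b"\x00" * (-len(p) % BLOCK)            # zeros to fill the last block
    p += len(msg).to_bytes(BLOCK, "big")        # extra block: message length
    blocks = [p[i:i + BLOCK] for i in range(0, len(p), BLOCK)]
    hs = [IV]
    for m in blocks:
        hs.append(f(hs[-1], m))
    return blocks, hs

def md_hash(msg):
    return chain(msg)[1][-1]

def extract_f_collision(m1, m2):
    """Slides 18-20 as code: given m1 != m2 with md_hash(m1) == md_hash(m2),
    return inputs (x, y) != (x', y') with f(x, y) == f(x', y')."""
    (b1, h1), (b2, h2) = chain(m1), chain(m2)
    i, j = len(b1), len(b2)
    while i > 0 and j > 0:                      # invariant: h1[i] == h2[j]
        a, b = (h1[i - 1], b1[i - 1]), (h2[j - 1], b2[j - 1])
        if a != b:
            return a, b                         # same output, different input
        i, j = i - 1, j - 1                     # inputs equal: step back one
    raise AssertionError("unreachable for distinct colliding messages")

def find_hash_collision():
    """Birthday search over messages; feasible only because N is 16 bits."""
    seen = {}
    for k in count():
        m = b"A" * (k % 20) + str(k).encode()   # lengths vary: both cases occur
        d = md_hash(m)
        if d in seen:
            return seen[d], m
        seen[d] = m

if __name__ == "__main__":
    m1, m2 = find_hash_collision()
    print(m1, m2, md_hash(m1).hex(), extract_f_collision(m1, m2))
```

When the two messages differ in length, the walk stops at the very first step because the length blocks differ (Case I); when they have the same length it steps back until it reaches a differing block (Case 2).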

21 Block cipher construction

Matyas-Meyer: $f(M,H) = E(M, g(H)) \oplus M$

[Figure: block cipher E, keyed by $g(H_i)$, encrypts $M_i$; the output is XORed with $M_i$ to give $H_{i+1}$]

Thm: Suppose $E_k(x) = E(x,k)$ is a collection of random permutations. Then finding a collision takes $2^{n/2}$ evaluations of E. Best possible.

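22 Customized Hash functions

Merkle-Damgard types: compression function faster than block ciphers

| Function | Output (bits) | Speed | Status |
|---|---|---|---|
| MD4 | 128 | | Collisions found |
| MD5 | 128 | 28.5MB/s | Collisions found |
| SHA-1 | 160 | 15.2MB/s | |
| SHA-2 | 160,256 | | |
| RIPEMD | 160 | 12.6 | Collisions found |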

23 “Provable” hash functions

- Discrete log problem: Given $g^a \bmod p$, output $a$
- $f(a,b) = g^a h^b \bmod p$
- Slow
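What makes the function on slide 23 "provable" is that any collision in f hands over the discrete log of h to the base g. The following added example (not from the lecture) goes one step beyond the slide and carries out that reduction; the prime p = 2039, the generator g = 4 and the exponent 777 are constructed toy values, small enough that a collision can be found by search.

```python
import random

# Constructed toy parameters: p = 2q + 1 with q prime, so the squares mod p
# form a subgroup of prime order q, and g = 4 generates it.
P, Q = 2039, 1019
G = 4
SECRET = 777                       # log_g(h); used only to build h and to check
H = pow(G, SECRET, P)

def f(a, b):
    """Slide 23: f(a, b) = g^a * h^b mod p."""
    return pow(G, a, P) * pow(H, b, P) % P

def find_collision(rng):
    """Birthday search over exponent pairs; feasible only because q is tiny."""
    seen = {}
    while True:
        pair = (rng.randrange(Q), rng.randrange(Q))
        out = f(*pair)
        if out in seen and seen[out] != pair:
            return seen[out], pair
        seen[out] = pair

def dlog_from_collision(c1, c2):
    """g^a h^b = g^a' h^b'  =>  g^(a - a') = h^(b' - b)
    =>  log_g(h) = (a - a') / (b' - b) mod q.
    b' != b mod q always holds: equal b would force equal a, i.e. the same input."""
    (a, b), (a2, b2) = c1, c2
    return (a - a2) * pow(b2 - b, -1, Q) % Q

if __name__ == "__main__":
    c1, c2 = find_collision(random.Random(0))
    x = dlog_from_collision(c1, c2)
    print(f"collision {c1} / {c2} -> log_g(h) = {x}, correct: {pow(G, x, P) == H}")
```
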

24 Paper submission project

- Professors/grad students submit papers to conferences electronically
- Strict deadlines: 9pm Jan. 29th
- People always wait to last minute, get flood of papers at end
- Graphics people send in videos, potentially GBs of data; no way server can handle them all

25 Solutions? Attacks? Properties
