Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Presentation on theme: "Ryan Henry I 538 /B 609 : Introduction to Cryptography."— Presentation transcript:

1 Ryan Henry I 538 /B 609 : Introduction to Cryptography

2 Tuesday's lecture: Secure variants of CBC-MAC; Hash functions. Today's lecture: Constructing hash functions; HMAC; Birthday attacks

3 Assignment 3 is due on Tuesday, October 13 (that's one week from today!) Thursday, October 15. Please seek help before 2:30pm on Friday! (Assignment 4 will still be posted on Tuesday, October 13 and due on Tuesday, October 27!)

4 Recall: Collision resistance
Challenger (C): k ← Gen(1^s); sends k to the attacker. Attacker (A), on input 1^s and k, outputs (m_0, m_1).
Let E be the event that m_0 ≠ m_1 and H(k, m_0) = H(k, m_1). Define A's advantage to be Adv_collision(A) := Pr[E].

5 Recall: Second preimage resistance
Challenger (C): k ← Gen(1^s); sends k and the target message m_0 to the attacker. Attacker (A), on input 1^s, outputs m_1.
Let E be the event that m_0 ≠ m_1 and H(k, m_0) = H(k, m_1). Define A's advantage to be Adv_2-preimage(A) := Pr[E].

6 Recall: Preimage resistance
Challenger (C): k ← Gen(1^s); sends k and the target value y to the attacker. Attacker (A), on input 1^s, outputs m.
Let E be the event that H(k, m) = y. Define A's advantage to be Adv_preimage(A) := Pr[E].

7 (One-way) compression functions
▪ Intuitively, a (one-way) compression function is a keyed function h with three properties:
– Efficient: There exists a PPT algorithm that evaluates h
– Compression: h maps 2s-bit strings to s-bit strings
– One-way: Given an output of h, it is difficult to find any input that maps to that output
Q: On average, how many inputs map to each output?
A: About 2^s (This is the opposite of what you want from non-cryptographic compression functions)

8 Merkle-Damgård construction (diagram: message blocks m_1, ...)

9 Davies-Meyer compression function (diagram: z_i := F_{m_i}(z_{i-1}) ⊕ z_{i-1})
Thm: If F is a PRF, then the Davies-Meyer compression function is collision resistant. In particular, finding a collision requires O(2^{n/2}) evaluations of F on average.

10 Recall: Nested CBC-MAC (NMAC) (diagram: blocks m_1, ... chained with ⊕ under k_1; final block processed under k_2)
Compute the naïve CBC-MAC with the first key k_1; MAC the naïve CBC-MAC with the second key k_2.

11 Hash-based MAC (HMAC)
▪ The most widely used MAC algorithm in practice
▪ H_s is a collision-resistant (keyed) hash function
▪ k is the secret MAC key
▪ opad = 0x5c5c5c...5c (the "outer" pad)
▪ ipad = 0x363636...36 (the "inner" pad)
(diagram: 1 block for the key pad, n blocks for the message)

12 HMAC (diagram)
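The two slides above give HMAC's ingredients (a hash, the key, ipad and opad) but not the formula. The following is an added example, not part of the lecture: the textbook construction HMAC(k, m) = H((k ⊕ opad) ∥ H((k ⊕ ipad) ∥ m)) written out over SHA-256 and cross-checked against Python's standard `hmac` module. The key-handling rule (hash keys longer than one block, zero-pad every key to one block) is the one from RFC 2104; the sample key and message in the self-check are constructed.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks; ipad and opad are one block long
IPAD = bytes([0x36]) * BLOCK_SIZE
OPAD = bytes([0x5C]) * BLOCK_SIZE


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC(k, m) = H((k xor opad) || H((k xor ipad) || m)), as in RFC 2104.

    Keys longer than one block are hashed first; every key is then
    zero-padded to exactly one block so that the pads line up with it.
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    k = key.ljust(BLOCK_SIZE, b"\x00")
    inner = hashlib.sha256(_xor(k, IPAD) + msg).digest()   # inner hash over (k xor ipad) || m
    return hashlib.sha256(_xor(k, OPAD) + inner).digest()  # outer hash over (k xor opad) || inner


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the construction against Python's hmac module."""
    reference = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256(key, msg), reference)


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verifier side: recompute the tag and compare in constant time (never with ==)."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


if __name__ == "__main__":
    # Constructed sample key and message (these are RFC 4231 test case 2 inputs)
    key, msg = b"Jefe", b"what do ya want for nothing?"
    print(hmac_sha256(key, msg).hex())
    print("matches hmac module:", matches_stdlib(key, msg))
```

The constant-time comparison in `verify_tag` matters in practice: a byte-by-byte `==` on tags leaks how many leading bytes matched through timing.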

13 Simpler HMAC constructions?
Q: Is H(k ∥ m) a secure MAC?
A: No! (But why?)
– Suppose H is constructed using the Merkle-Damgård construction
– Given (m, H(k ∥ m)) it is easy to compute m' := m ∥ m'' and t' such that t' = H(k ∥ m')! (But how?)
– Just set t' = H(t ∥ m'')
Q: Is H(m ∥ k) a secure MAC?
A: Errr, well... sort of!? It's not as secure as HMAC! (But why?)
– If H(m_0) = H(m_1) then H(m_0 ∥ k) = H(m_1 ∥ k)
– Weakness in collision-resistance of H implies weakness in HMAC

14 Simpler HMAC constructions?
Q: Is H(k ∥ m ∥ k) a secure HMAC?
A: I don't know! Possibly?
– This is essentially HMAC without ipad and opad
– Proof of existential unforgeability for HMAC requires that ipad and opad differ in at least one bit!
– H(k ∥ m ∥ k) falls to "target prefix collision" attacks against H
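Slides 8, 9 and 13 describe the Merkle-Damgård chain, the Davies-Meyer compression function and why H(k ∥ m) fails as a MAC, all in pictures. The following is an added example, not code from the lecture: a toy Merkle-Damgård hash built from a Davies-Meyer compression function (the "PRF" F is a stand-in made from SHA-256, an assumption; the 8-byte state and 16-byte block are constructed toy sizes), the H(k ∥ m) prefix MAC and an HMAC over the same toy hash. It makes the "just set t' = H(t ∥ m'')" step concrete, including the padding glue that a real hash appends and that the slide glosses over, and shows that applying the same resume trick to an HMAC tag produces a tag the verifier rejects, because the outer hash never exposes the inner chaining state.

```python
import hashlib
import struct

# Toy parameters (constructed for the demo; real hashes use much larger sizes)
N_BYTES = 8    # chaining value / digest size
BLOCK = 16     # message block size
IV = b"\x00" * N_BYTES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def F(key: bytes, x: bytes) -> bytes:
    """Stand-in PRF F_key(x) built from SHA-256 (assumption: treated as a PRF)."""
    return hashlib.sha256(key + x).digest()[:N_BYTES]


def davies_meyer(z_prev: bytes, m_i: bytes) -> bytes:
    """Slide 9: z_i := F_{m_i}(z_{i-1}) xor z_{i-1}."""
    return _xor(F(m_i, z_prev), z_prev)


def md_pad(msg: bytes, total_len=None) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zeros, then the 64-bit length of all data hashed.
    `total_len` lets a caller pad a suffix as if `total_len` bytes had been hashed in total."""
    if total_len is None:
        total_len = len(msg)
    zeros = (BLOCK - 8 - (total_len + 1)) % BLOCK
    return msg + b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len)


def md_run(state: bytes, padded: bytes) -> bytes:
    """Chain the compression function over whole blocks, starting from `state`."""
    for i in range(0, len(padded), BLOCK):
        state = davies_meyer(state, padded[i:i + BLOCK])
    return state


def H(msg: bytes) -> bytes:
    """Slide 8: Merkle-Damgard hash of an arbitrary-length message."""
    return md_run(IV, md_pad(msg))


def prefix_mac(key: bytes, msg: bytes) -> bytes:
    """The construction slide 13 asks about: tag = H(k || m)."""
    return H(key + msg)


def hmac_toy(key: bytes, msg: bytes) -> bytes:
    """HMAC over the toy hash (key assumed at most one block long, zero-padded)."""
    k = key.ljust(BLOCK, b"\x00")
    inner = H(_xor(k, bytes([0x36]) * BLOCK) + msg)
    return H(_xor(k, bytes([0x5C]) * BLOCK) + inner)


def resume_from_tag(tag: bytes, key_len: int, msg: bytes, suffix: bytes):
    """Slide 13's observation with the padding made explicit: knowing only tag = H(k || msg)
    and len(k), continue the chain from `tag` to get a tag for msg || glue || suffix,
    where glue is the padding the honest hasher appended to k || msg. k itself is never used."""
    glue = md_pad(b"", key_len + len(msg))
    extended_msg = msg + glue + suffix
    total = key_len + len(extended_msg)
    extended_tag = md_run(tag, md_pad(suffix, total))
    return extended_msg, extended_tag


def prefix_mac_is_extendable(key: bytes, msg: bytes, suffix: bytes) -> bool:
    """True when the resumed tag verifies under the real key: the failure slide 13 describes."""
    ext_msg, ext_tag = resume_from_tag(prefix_mac(key, msg), len(key), msg, suffix)
    return prefix_mac(key, ext_msg) == ext_tag


def hmac_is_extendable(key: bytes, msg: bytes, suffix: bytes) -> bool:
    """Same resume trick applied to an HMAC tag; the outer hash hides the inner state, so it fails."""
    ext_msg, ext_tag = resume_from_tag(hmac_toy(key, msg), len(key), msg, suffix)
    return hmac_toy(key, ext_msg) == ext_tag


if __name__ == "__main__":
    key, msg, suffix = b"constructed-key", b"hello", b" world"   # constructed sample values
    print("H(k||m) extendable:", prefix_mac_is_extendable(key, msg, suffix))
    print("HMAC extendable:   ", hmac_is_extendable(key, msg, suffix))
```

The verifier-side lesson is the one slide 13 draws: a tag that is itself an exposed chaining value can be continued by anyone who knows the key length, so the MAC must end with a keyed step the tag does not reveal, which is exactly what HMAC's outer hash provides.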

15 Generic birthday attack
▪ Let H: {0,1}^* → {0,1}^s and consider the following algorithm:
– Choose N := (5/4)·2^{s/2} distinct messages, m_1, ..., m_N, each uniformly at random
– For i = 1, ..., N, compute y_i := H(m_i)
– If y_i = y_j for some i ≠ j, then output (m_i, m_j)

16 Generic birthday attack

$$\Pr[\text{collision}] = 1 - \frac{2^s-1}{2^s}\cdot\frac{2^s-2}{2^s}\cdots\frac{2^s-N+1}{2^s} = 1 - \prod_{i=1}^{N-1}\Bigl(1-\frac{i}{2^s}\Bigr) \ge 1 - e^{-\frac{1}{2^s}\sum_{i=1}^{N-1} i} \approx 1 - e^{-(N^2/2)/2^s} = 1 - e^{-\left(\frac{5}{4}\,2^{s/2}\right)^2/2\,/\,2^s} = 1 - e^{-25/32} \ge 0.54$$

17 Generic birthday attack
▪ Obs: An attacker A that uses the generic birthday attack can find collisions with advantage Adv_collision(A) > 1/2 in O(s·2^{s/2}) time (albeit with O(s·2^{s/2}) storage)
Q: Is this a problem?
A: No! (in theory); Possibly! (in practice)
– Real hash functions have fixed-length outputs
– Need to ensure that 2^{s/2} work is infeasible... or do we? Memory is scarcer than time
Q: Is it sufficient to ensure no real attacker can store s·2^{s/2} bits?
A: Perhaps surprisingly, no!

18 "Small-space" birthday attack
▪ Consider an attacker A that works as follows:
1. Choose a random initial value m_0
2. Set m := m_0 and m' := m_0
3. For i = 1, 2, 3, ..., do the following
– Compute m := H(m) and m' := H(H(m')) // now m = H^{(i)}(m_0) and m' = H^{(2i)}(m_0)
– If m == m', break from loop
4. Set m' := m and m := m_0
5. For j = 1, ..., i, do the following
– If H(m) == H(m'), return (m, m')
– Else, set m := H(m) and m' := H(m') // now m = H^{(j)}(m_0) and m' = H^{(i+j)}(m_0)
Thm: The above small-space birthday attack finds a collision with probability at least 1/2 in O(s·2^{s/2}) time using O(1) storage.
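Slides 15 through 18 state the two collision-finding algorithms and the probability bound without running them. The following is an added example, not code from the lecture: both attacks against a toy 24-bit hash (SHA-256 truncated to s = 24 bits, an assumption made so that 2^{s/2} = 4096 and the attacks finish instantly), plus slide 16's estimate as a function. The table-based attack here keeps hashing until a collision appears and reports the count, rather than stopping after exactly N messages, so the probability estimate is kept separate; the small-space attack is slide 18's procedure step for step, with the one edge case (m_0 already lying on the cycle, which makes the returned pair identical) handled by returning None. The seed value is constructed.

```python
import hashlib
import math

S_BITS = 24  # toy output length s; real hash functions use 256 bits or more


def H(m: bytes) -> bytes:
    """Toy s-bit hash: SHA-256 truncated to s bits (assumption for the demo)."""
    return hashlib.sha256(m).digest()[:S_BITS // 8]


def birthday_bound(s: int, n: int) -> float:
    """Slide 16's estimate Pr[collision] ~ 1 - exp(-(N^2/2)/2^s) for N distinct messages."""
    return 1.0 - math.exp(-(n * n / 2) / 2 ** s)


def generic_birthday():
    """Slide 15: hash distinct messages and store every output until one repeats.
    Memory grows with the number of messages. A counter guarantees distinctness."""
    seen = {}
    i = 0
    while True:
        m = i.to_bytes(8, "big")
        y = H(m)
        if y in seen:
            return seen[y], m, i + 1      # colliding pair and number of hash evaluations
        seen[y] = m
        i += 1


def small_space_birthday(m0: bytes):
    """Slide 18: cycle finding on m0, H(m0), H(H(m0)), ... with O(1) storage.
    Returns (m, m') with m != m' and H(m) == H(m'), or None if m0 itself lies on the cycle."""
    # Steps 2-3: m = H^(i)(m0), m' = H^(2i)(m0); stop when they meet
    m, mp, i = m0, m0, 0
    while True:
        i += 1
        m, mp = H(m), H(H(mp))
        if m == mp:
            break
    # Steps 4-5: restart m at m0, keep m' exactly i steps ahead; the first j with
    # H(m) == H(m') gives the collision (m = H^(j-1)(m0), m' = H^(i+j-1)(m0))
    mp, m = m, m0
    for _ in range(i):
        if H(m) == H(mp):
            return (m, mp) if m != mp else None   # m == mp only when m0 is already on the cycle
        m, mp = H(m), H(mp)
    return None


def is_collision(pair) -> bool:
    """Check a returned pair the way the challenger on slide 4 would."""
    m, mp = pair
    return m != mp and H(m) == H(mp)


if __name__ == "__main__":
    print("Pr[collision] at N = (5/4)*2^(s/2):", round(birthday_bound(S_BITS, int(1.25 * 2 ** (S_BITS / 2))), 3))
    m0, m1, count = generic_birthday()
    print("table attack:", m0.hex(), m1.hex(), "after", count, "hashes")
    pair = small_space_birthday(b"constructed seed value")
    print("small-space attack:", pair[0].hex(), pair[1].hex(), is_collision(pair))
```

The practical point of slide 17 follows directly: at s = 24 neither attack needs more than a few thousand hash evaluations, and the second one needs almost no memory, so limiting an adversary's storage does not raise the cost of finding collisions; only the output length s does.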

19 That's all for today, folks!

