Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 13.

Published byMelina Young Modified over 5 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 13."— Presentation transcript:

1 Cryptography Lecture 13

2 Hash functions

3 Hash functions (Cryptographic) hash function: deterministic function mapping arbitrary length inputs to a short, fixed-length output (sometimes called a digest) Hash functions can be keyed or unkeyed In practice, hash functions are unkeyed We will assume unkeyed hash functions for simplicity

4 Collision-resistance
Let H: {0,1}*  {0,1}l be a hash function A collision is a pair of distinct inputs x, x’ such that H(x) = H(x’) H is collision-resistant if it is infeasible to find a collision in H

5 Generic hash-function attacks
What is the best “generic” collision attack on a hash function H: {0,1}*  {0,1}l ? Note that collisions are guaranteed to exist… If we compute H(x1), …, H(x2l + 1), we are guaranteed to find a collision Can we do better?

6 “Birthday” attacks Compute H(x1), …, H(xk)
What is the probability of a collision? Related to the so-called birthday paradox How many people are needed to have a 50% chance that some two people share a birthday?

7 How many balls do we need to have a 50% chance of a collision?
Bins: days of the year (N=365) Balls: k people Bins: values in {0,1}l (N=2l ) Balls: k hash-function computations How many balls do we need to have a 50% chance of a collision? N

8 Theorem The collision probability is O(k2/N)
When k  N1/2, probability of a collision is  50% Birthdays: 23 people suffice! Hash functions: O(2l/2) hash-function evaluations Need l=2n-bit output length to get security against attackers running in time 2n Note: twice as long as symmetric keys (e.g., block-cipher keys or PRG seeds) for the same security

9 “Birthday bound” The birthday bound comes up in many other cryptographic contexts Example: IV reuse in CTR-mode encryption If k messages are encrypted, what are the chances that some IV is used twice? Note: this is much higher than the probability that a specific IV is used again

10 Hash functions in practice
MD5 Developed in 1991 128-bit output length Collisions found in 2004, should no longer be used SHA-1 Introduced in 1995 160-bit output length Theoretical analysis indicates some weaknesses Very common; current trend to migrate to SHA-2 Collision found by brute force in 2017!

11 Hash functions in practice
SHA-2 Supports 224, 256, 384, and 512-bit outputs No known weaknesses SHA-3/Keccak Result of a public competition from Very different design than SHA-1/SHA-2

12 Applications to message authentication

13 Recall… We showed how to construct a secure MAC for short, fixed-length messages based on any PRF/block cipher We want to extend this to a secure MAC for arbitrary-length messages Before: using CBC-MAC Here: using hash functions

14 Intuition… M h M h =? H(M) h = H(M)

15 Hash-and-MAC M k k h, t t M h = H(M) Vrfyk(h, t) = 1? h = H(M)
t = Mack(h)

16 Security? If the MAC is secure for fixed-length messages and H is collision-resistant, then the previous construction is a secure MAC for arbitrary-length messages

17 Proof sketch Say the sender authenticates M1, M2, …
Let mi = H(Mi) Attacker outputs forgery (M, t), MMi for all i Two cases: H(M) = H(Mi) for some i Collision in H! H(M)  mi for all i Forgery in the underlying, fixed-length MAC

18 Instantiation? Hash function + block-cipher-based MAC?
Block-length mismatch Need to implement two crypto primitives (block cipher and hash function)

19 HMAC Constructed entirely from (certain type of) hash functions
MD5, SHA-1, SHA-2 Not SHA-3 Can be viewed as following the hash-and-MAC paradigm With (part of the) hash function being used as a pseudorandom function

20 Other applications of hash functions

21 Hash functions are ubiquitous
Collision-resistance  “fingerprinting” Used as a one-way function Used as a “random oracle” Proofs of work

22 Fingerprinting E.g., virus scanning E.g., deduplication

Download ppt "Cryptography Lecture 13."

Similar presentations

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.

Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.

Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.

Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena.

Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena.
CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.

CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.

Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.

IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.

Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.

@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.
Chapter 12 – Hash Algorithms

Chapter 12 – Hash Algorithms
IT443 – Network Security Administration Instructor: Bo Sheng

IT443 – Network Security Administration Instructor: Bo Sheng
CSCE 715: Network Systems Security

CSCE 715: Network Systems Security
Computer Security CS 526 Topic 4

Computer Security CS 526 Topic 4

Similar presentations

Ads by Google