Lecture 3 Cryptographic Hash Functions


Presentation on theme: "Lecture 3 Cryptographic Hash Functions"— Presentation transcript:

1 Lecture 3 Cryptographic Hash Functions
Lecturer: Meysam Alishahi. Design by: Z. Faraji and H. Hajiabolhassan.
Title figure: a message M is fed to the hash function H, which produces the message digest D = H(M). 4 May 2019

2 Hash Functions – a Hot Topic
Hash functions take a variable-length message and reduce it to a shorter, fixed-length message digest.
Many applications; the "Swiss army knives" of cryptography:
- Digital signatures (with public-key algorithms)
- Random number generation
- Key update and derivation
- One-way functions
- Message authentication codes (with a secret key)
- Integrity protection
- Code recognition (lists of the hashes of known-good programs, or of malware)
- User authentication (with a secret key)
- Commitment schemes

3 Plan
Hash Functions and Data Integrity; Security of Hash Functions; Iterated Hash Functions; Message Authentication Codes; Unconditionally Secure MACs

4 Hashes, Message Digests
Signing the whole message with a public-key algorithm (encrypting all of it under the private key) is very expensive.

5 Hashes, Message Digests
A signed message digest (or hash) of the message is much more efficient.

6 Why Is It Efficient?
- Usually much shorter than the message.
- Much faster to encrypt and decrypt (sign and verify).
- Acts as a proxy for a lengthy message.
- Makes public-key cryptography practical for long messages.
- Like a digital fingerprint or checksum of the message.

7 Classification
Hash function
- Unkeyed
  - MDC (manipulation detection code)
    - OWHF (one-way hash function): preimage resistance and 2nd-preimage resistance
    - CRHF (collision-resistant hash function): additionally collision resistance
  - Other applications
- Keyed
  - MAC (message authentication code)
  - Other

8 Hash Functions: Main Idea
Figure: a hash function H maps messages x, x', x'' (bit strings of any length) to message digests y, y', ... (n-bit strings).
H is a lossy compression function.
Collisions: h(x) = h(x') for some inputs x ≠ x'.
The result of hashing should "look random" (made precise later). Intuition: half of the digest bits are "1"; any given digest bit is "1" half the time.
A cryptographic hash function needs a few more properties...

9 Cryptographic Hash Function
A cryptographic hash function h(x) must provide:
- Compression: the output length is small (and fixed).
- Efficiency: h(x) is easy to compute for any x.
- Preimage resistance: given a value y, it is infeasible to find an x such that h(x) = y.
- Second-preimage resistance: given x and h(x), it is infeasible to find y ≠ x such that h(y) = h(x).
- Collision resistance: it is infeasible to find any x and y with x ≠ y such that h(x) = h(y).
Many collisions exist, but none can be found.

10 Motivation: Integrity
Figure: the software manufacturer publishes hash(goodFile) in The Times; a virus replaces goodFile with badFile on its way to the user.
A software manufacturer wants to ensure that the executable file is received by users without modification. It sends out the file to users and publishes its hash in the NY Times. The goal is integrity, not secrecy.
Idea: given goodFile and hash(goodFile), it is very hard to find a badFile such that hash(badFile) = hash(goodFile) (second-preimage resistance).

11 Motivation: Authentication
Figure: Alice and Bob share KEY; Alice sends (msg, hash(KEY, msg)) to Bob.
Alice wants to make sure that nobody modifies the message in transit. This ensures both integrity and authentication (why?).
Idea: given msg, it is very hard to compute hash(KEY, msg) without KEY, and very easy with KEY.
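A worked version of the exchange on this slide, added here and not part of the lecture: Alice computes a tag over msg with the shared KEY, Bob recomputes it and compares. The slide's hash(KEY, msg) is instantiated as HMAC-SHA256, the standard keyed construction; the key, the sample message and the tampering attempts are constructed for the example.

```python
import hashlib
import hmac
import secrets


def make_tag(key: bytes, msg: bytes) -> bytes:
    """hash(KEY, msg) from the slide, instantiated as HMAC-SHA256 (assumption: the standard keyed construction)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_tag(key: bytes, msg: bytes, received: bytes) -> bool:
    """Bob recomputes the tag with KEY; compare_digest avoids a timing side channel on the comparison."""
    return hmac.compare_digest(make_tag(key, msg), received)


def demo() -> tuple:
    """Constructed scenario: one honest message, one modified in transit, one tag made without KEY."""
    key = secrets.token_bytes(32)                    # known to Alice and Bob only
    msg = b"pay 100 to bob"                          # constructed sample message
    tag = make_tag(key, msg)
    accepted = verify_tag(key, msg, tag)                         # unmodified: accepted
    tampered = verify_tag(key, b"pay 900 to bob", tag)           # msg changed, old tag reused: rejected
    forged = verify_tag(key, msg, make_tag(b"guess", msg))       # tag computed without KEY: rejected
    return accepted, tampered, forged
```

Without KEY an attacker can neither repair the tag after editing msg nor produce a tag for a new msg, which is why one shared-key tag gives both integrity and origin authentication (but no non-repudiation: Bob, holding KEY, could have produced it himself).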

12 Password Protection
Figure: a password file with entries U1 = ..., U2 = ...; a user logs in with Password = jeitlse6.
What should we put in there? What if the backup tape is stolen? What property do we need?
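One answer to the slide's questions, added here as an example (not part of the lecture): the file stores a per-user random salt and a slow, salted hash of the password, so a stolen backup tape yields only values whose preimages must be found one guess at a time, and equal passwords do not produce equal records. The record format, the iteration count and the test password are assumptions of the example; PBKDF2-HMAC-SHA256 is used because it ships with the standard library.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption: work factor; raise it until one check costs ~100 ms on the server


def make_record(password: str, salt: bytes = b"") -> str:
    """Password-file entry: algorithm, work factor, per-user random salt and the slow salted hash.
    Neither the password nor a plain fast hash of it is stored."""
    salt = salt or os.urandom(16)          # a fresh random salt unless one is supplied (for tests)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def check_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare of the digests."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)
```

The property needed from the hash is preimage resistance (slide 9); the salt and the work factor are what make that property hold against an attacker who has the whole file and can test guesses offline.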

13 Definition
A hash family is a four-tuple (X, Y, K, H), where the following conditions are satisfied:
1. X is a set of possible messages.
2. Y is a finite set of possible message digests or authentication tags.
3. K, the key space, is a finite set of possible keys.
4. For each k ∈ K, there is a hash function h_k ∈ H. Each h_k : X → Y.

14 Hash Functions
h is a compression function: X could be a finite or infinite set, Y is a finite set, and |X| ≥ |Y| or, stronger, |X| ≥ 2|Y|.
A pair (x, y) ∈ X × Y is said to be valid under the key K if h_K(x) = y.
Let F^{X,Y} denote the set of all functions from X to Y. If |X| = N and |Y| = M, then |F^{X,Y}| = M^N.
F ⊆ F^{X,Y} is termed an (N, M)-hash family.
An unkeyed hash function is a function h: X → Y.

15 Non-Crypto Hash (1)
Data X = (X0, X1, X2, ..., Xn-1), each Xi is a byte.
Suppose hash(X) = X0 + X1 + X2 + ... + Xn-1. Is this secure?
Example: X = ( , ). Hash is . But so is the hash of Y = ( , ): any reordering of the bytes of X has the same sum.
Easy to find collisions, so not secure...

16 Non-Crypto Hash (2)
Data X = (X0, X1, X2, ..., Xn-1). Suppose the hash is h(X) = nX0 + (n-1)X1 + (n-2)X2 + ... + 1Xn-1. Is this hash secure?
At least h( , ) = h( , ), so collisions are still easy to find.
Not secure, but it is used in the (non-crypto) application rsync. Imagine you have two files, A and B, and you wish to update B to be the same as A. The obvious method is to copy A onto B. Now imagine that the two files are on machines connected by a slow communications link. If A is large, copying A onto B will be slow; rsync instead sends only the blocks of A whose checksums do not already occur in B.
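An added example for slides 15 and 16 (not part of the lecture): both toy hashes, explicit second preimages for each, and the reason rsync tolerates the weighted sum: it is a rolling checksum that can be slid one byte along a file in constant time. The block length and the sample bytes are constructed for the example; the two halves are reduced modulo 2^16 as rsync's weak checksum does.

```python
MOD = 1 << 16   # rsync keeps both halves of its weak checksum modulo 2^16


def sum_hash(data: bytes) -> int:
    """Slide 15: h(X) = X0 + X1 + ... + X(n-1)."""
    return sum(data)


def weighted_hash(data: bytes) -> int:
    """Slide 16: h(X) = n*X0 + (n-1)*X1 + ... + 1*X(n-1)."""
    n = len(data)
    return sum((n - i) * b for i, b in enumerate(data))


def sum_second_preimage(data: bytes):
    """Any reordering keeps the plain sum: swap the first two adjacent bytes that differ."""
    for i in range(len(data) - 1):
        if data[i] != data[i + 1]:
            b = bytearray(data)
            b[i], b[i + 1] = b[i + 1], b[i]
            return bytes(b)
    return None     # all bytes equal: no reordering changes the string


def weighted_second_preimage(data: bytes):
    """X0 has weight n and X1 weight n-1, so adding n-1 to X0 and subtracting n from X1
    changes h by n(n-1) - (n-1)n = 0 (when the bytes stay in range)."""
    n = len(data)
    b = bytearray(data)
    if n >= 2 and b[0] + (n - 1) <= 255 and b[1] >= n:
        b[0] += n - 1
        b[1] -= n
        return bytes(b)
    return None


def rolling_init(block: bytes):
    """rsync's weak checksum of one block: a = plain sum, b = weighted sum (both mod 2^16)."""
    return sum_hash(block) % MOD, weighted_hash(block) % MOD


def rolling_step(a: int, b: int, out_byte: int, in_byte: int, blen: int):
    """Slide the window one byte to the right in O(1) instead of re-hashing blen bytes:
    the byte leaving had weight blen in b, every remaining byte's weight grows by one."""
    a = (a - out_byte + in_byte) % MOD
    b = (b - blen * out_byte + a) % MOD
    return a, b


def rolling_checksums(data: bytes, blen: int):
    """Checksums of every window data[i:i+blen], computed incrementally."""
    a, b = rolling_init(data[:blen])
    out = [(a, b)]
    for pos in range(blen, len(data)):
        a, b = rolling_step(a, b, data[pos - blen], data[pos], blen)
        out.append((a, b))
    return out
```

The rolling property is exactly what a cryptographic hash must not have: being able to update h(X) from h(X') in constant time when X and X' differ in a known way is the opposite of "looks random".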

17 A Short History of Practical Hash Function Constructions and Their Failures
MDx family, proposed by Ronald Rivest for RSA Labs:
- MD2: 1989, broken
- MD4: 1990, broken
- MD5: 1992, broken; 128-bit output
Inspired by the MDx family:
- RIPEMD: 1995, broken
- RIPEMD-160: 1996
- Haval: 1992, broken
SHA family (SHA: Secure Hash Algorithm), also inspired by the MDx family, developed by the NSA (National Security Agency):
- SHA-0: 1993, FIPS-180, US Gov., 160-bit output, broken
- SHA-1: 1995, FIPS-180-1, US Gov., theoretically broken in 2005 (a practical collision was published in 2017)
- SHA-2: 2002, FIPS-180-2, US Gov., SHA-224/256/384/512

18 Plan
Hash Functions and Data Integrity; Security of Hash Functions; Iterated Hash Functions; Message Authentication Codes; Unconditionally Secure MACs

19 We now define three problems; if a hash function is to be considered secure, it should be the case that these three problems are difficult to solve.

20 Security of Hash Functions
Preimage. Instance: a hash function h: X → Y and an element y ∈ Y. Find: x ∈ X such that h(x) = y.
Second Preimage. Instance: a hash function h: X → Y and an element x ∈ X. Find: x' ∈ X such that x' ≠ x and h(x') = h(x).
Collision. Instance: a hash function h: X → Y. Find: x, x' ∈ X such that x' ≠ x and h(x') = h(x).

21 Random Oracle Model
[Bellare, Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993]
Idea: model the hash function as a random oracle. Figure: on query x the oracle answers H(x), where H : {0,1}* → {0,1}^L is a completely random function.

22 Criticism of the Random Oracle Model
[Canetti, Goldreich, Halevi: The random oracle methodology, revisited. 1998]
There exists a signature scheme that is secure in the random oracle model but is not secure if the random oracle is replaced with any real hash function. This example is very artificial; no "realistic" example of this type is known.

23 Terminology
Plain model: in cryptography the plain model is the model of computation in which the adversary is only limited by the amount of time and computational power available. Other names used are bare model and standard model.
The Random Oracle Model is also called the "Random Oracle Heuristic". Common view: a ROM proof is better than nothing.

24 Other Uses of "Hash Functions"
Hash functions are used by practitioners to convert "non-uniform randomness" into uniform randomness.
Example: user-generated randomness X (key strokes, mouse movements, etc.) is fed to a hash function H : {0,1}* → {0,1}^L, and the shorter output H(X) is taken as "uniformly random". How to formalize this?

25 Pseudorandom Functions
Figure: a random function F: {0,1}^m → {0,1}^m answering the queries x, x', x'' with F(x), F(x'), F(x'').
Crucial difference: the adversary, too, can query the oracle.

26 Theorem
Suppose that h ∈ F^{X,Y} is chosen randomly and let X0 ⊆ X. Moreover, suppose the values h(x) have been determined for x ∈ X0. Then p(h(x) = y) = 1/|Y| (for all x ∈ X \ X0, y ∈ Y).

27 Algorithms
Randomized algorithms make random choices during their execution. A Las Vegas algorithm is a randomized algorithm which may fail to give an answer; if the algorithm does return an answer, then the answer must be correct. A randomized algorithm has average-case success probability ε if the probability that the algorithm returns a correct answer, averaged over all problem instances of a specified size, is at least ε (0 ≤ ε ≤ 1). We use the terminology (ε, Q)-algorithm to denote a Las Vegas algorithm with average-case success probability ε in which the number of oracle queries (evaluations of h) is at most Q.

28 Algorithm 1: Find-Preimage(h, y, Q)
Choose any X0 ⊆ X with |X0| = Q
for each x ∈ X0 do
  if h(x) = y then return (x)
return (failure)
Theorem. Let |Y| = M. For any X0 ⊆ X with |X0| = Q, the average-case success probability of Algorithm 1 is

29 Proof
Let y ∈ Y be fixed and X0 = {x1, x2, ..., xQ}. Let E_i := the event h(x_i) = y, 1 ≤ i ≤ Q. We know the E_i are independent events and p(E_i) = 1/M, 1 ≤ i ≤ Q (by the last theorem). Consequently,
The success probability of Algorithm 1 for any fixed y is constant; therefore the success probability averaged over all y ∈ Y is identical, too.

30 Algorithm 2: Find-Second-Preimage(h, x, Q)
y ← h(x)
Choose X0 ⊆ X \ {x} with |X0| = Q - 1
for each x' ∈ X0 do
  if h(x') = y then return (x')
return (failure)
Theorem. Let |Y| = M. For any X0 ⊆ X \ {x} with |X0| = Q - 1, the average-case success probability of Algorithm 2 is

31 Length of Hash Value? Birthday Paradox:
What should be the size k of a group of people such that, with probability 1/2, at least two persons in the group have their birthday on the same day?

32 Length of Hash Value?

33 Algorithm 3: Find-Collision(h, Q)
Choose X0 ⊆ X with |X0| = Q
for each x ∈ X0 do y_x ← h(x)
if y_x = y_x' for some x ≠ x' then return (x, x')
else return (failure)
Theorem. Let |Y| = M. For any X0 ⊆ X with |X0| = Q, the average-case success probability of Algorithm 3 is

34 Proof
Let X0 = {x1, x2, ..., xQ} and E_i := the event " ". Clearly p(E1) = 1, and for 2 ≤ i ≤ Q . So

35 Proof
The probability that there is not any collision: . Also, . Hence, , by ignoring the term Q.

36 Birthday Attacks
Any function H: {0,1}* → {0,1}^n must have infinitely many collisions. It requires O(2^(n/2)) evaluations of H to find two messages m and m' that collide, H(m) = H(m'). This means n must be reasonably large, otherwise H cannot be collision resistant.
This process is analogous to throwing k balls randomly into M bins and checking whether some bin contains at least two balls. For a better than even chance of finding at least two balls in one bin, k ≈ 1.17 M^(1/2). E.g. M = 365 → k ≈ 23; for an n-bit hash M = 2^n, so k ≈ 1.17 · 2^(n/2).
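An added example for slides 28 to 36 (not part of the lecture): the random-oracle success probabilities of Algorithms 1 and 3 computed exactly, the smallest Q that gives a collision with probability 1/2 (23 for M = 365), and Algorithm 3 run for real against an n-bit hash. The n-bit hash is an assumption of the example, SHA-256 truncated to n bits, standing in for any H : {0,1}* → {0,1}^n; the messages are counters.

```python
import hashlib
import math


def preimage_success(M: int, Q: int) -> float:
    """Algorithm 1 in the random-oracle model: Q distinct guesses at a fixed y, |Y| = M.
    Each guess hits with probability 1/M independently, so Pr[success] = 1 - (1 - 1/M)^Q."""
    return 1.0 - (1.0 - 1.0 / M) ** Q


def no_collision_prob(M: int, Q: int) -> float:
    """Pr[no collision among Q random digests] = prod_{i=1}^{Q-1} (1 - i/M)."""
    p = 1.0
    for i in range(1, Q):
        p *= 1.0 - i / M
    return p


def collision_success(M: int, Q: int) -> float:
    """Algorithm 3 in the random-oracle model."""
    return 1.0 - no_collision_prob(M, Q)


def queries_for_half(M: int) -> int:
    """Smallest Q with collision probability >= 1/2; the birthday paradox gives 23 for M = 365."""
    Q = 1
    while collision_success(M, Q) < 0.5:
        Q += 1
    return Q


def birthday_estimate(M: int) -> float:
    """Closed form from the e^(-Q^2 / 2M) approximation: Q ~ sqrt(2 ln 2 * M) ~ 1.17 sqrt(M)."""
    return math.sqrt(2.0 * math.log(2.0) * M)


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """An n-bit hash built by truncating SHA-256 (assumption: a stand-in for any n-bit H)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - n_bits)


def birthday_attack(n_bits: int):
    """Algorithm 3 with a dictionary: hash distinct messages until two digests coincide.
    Returns (m, m', number of H evaluations); expect about 1.17 * 2^(n/2) evaluations."""
    seen = {}
    q = 0
    while True:
        m = b"msg-" + str(q).encode()
        d = truncated_hash(m, n_bits)
        q += 1
        if d in seen:
            return seen[d], m, q
        seen[d] = m
```

With n = 32 the attack finishes after roughly 2^16 hash evaluations, which is why a 32-bit (or 64-bit) digest cannot be collision resistant no matter how good the function is; the exponent n/2, not n, sets the security level against collisions.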

37 Comparison of Security Criteria
In the random oracle model, we have seen that solving Collision is easier than solving Preimage or Second Preimage.

38 Question
A related question is whether there exist reductions among the three problems which could be applied to an arbitrary hash function.

39 Algorithm 4: Collision-To-Second-Preimage(h)
External Oracle-2nd-Preimage
Choose x ∈ X uniformly at random
If Oracle-2nd-Preimage(h, x) = x' then return (x, x')
Else return (failure)

40 Note
If there exists an (ε, Q)-algorithm for Second Preimage, then Collision-To-Second-Preimage is an (ε, Q+1)-algorithm for Collision.

41 Algorithm 5: Collision-To-Preimage(h)
External Oracle-Preimage
Choose x ∈ X uniformly at random
y ← h(x)
If Oracle-Preimage(h, y) = x' and x' ≠ x then return (x, x')
Else return (failure)

42 Theorem
Suppose h: X → Y is a hash function where |X| and |Y| are finite and |X| ≥ 2|Y|. Suppose Oracle-Preimage is a (1, Q)-algorithm for Preimage (for the fixed hash function h). Then Collision-To-Preimage is a (1/2, Q+1)-algorithm for Collision (for the fixed hash function h).

43 Proof
Clearly Collision-To-Preimage is a probabilistic algorithm (Las Vegas type), so we must compute its average-case probability of success. We define [x] = {x1 ∈ X : h(x) = h(x1)} (for any x ∈ X). Hence for each x there is a unique y ∈ Y (namely y = h(x)) such that [x] is the set of preimages of y.

44 Proof
On the other hand, we supposed Oracle-Preimage is a (1, Q)-algorithm, so (for any y ∈ Y) a preimage of y is found. Therefore every y ∈ Y has a preimage, and the number of classes [x] is |Y|. We denote the set of these |Y| classes by C. We now suppose x is the random element of X chosen by the algorithm Collision-To-Preimage.

45 Proof
For this x, there are |[x]| possible x1's that could be returned as the output of Oracle-Preimage. For x ∈ X, the probability of success is (|[x]| - 1)/|[x]|.

46 Proof
So, averaging over the |X| choices of x, the success probability is the sum over all classes [x] ∈ C of (|[x]| - 1), divided by |X|, which equals (|X| - |Y|)/|X| ≥ 1/2, because |X| ≥ 2|Y|.
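An added simulation of the two reductions on slides 39 to 46 (not part of the lecture): h is a random function on a small X with |X| = 2|Y| stored as a table, the oracles are ideal (they always succeed on solvable instances and return a uniformly random valid answer, an assumption of the example), and the observed success rate of Collision-To-Preimage is compared with the proof's exact value, the average of (|[x]| - 1)/|[x]|.

```python
import random


def random_hash(x_size: int, y_size: int, rng: random.Random) -> list:
    """A random function h: X -> Y as a lookup table; X = {0..x_size-1}, Y = {0..y_size-1}."""
    return [rng.randrange(y_size) for _ in range(x_size)]


class Oracles:
    """Ideal oracles for a fixed h, built from its table (assumption: always succeed on
    solvable instances and answer with a uniformly random valid solution)."""

    def __init__(self, h: list, rng: random.Random):
        self.h, self.rng = h, rng
        self.classes = {}                      # y -> [x]: the classes [x] of the proof
        for x, y in enumerate(h):
            self.classes.setdefault(y, []).append(x)

    def preimage(self, y: int) -> int:
        """Oracle-Preimage: a (1,Q)-algorithm on the image of h."""
        return self.rng.choice(self.classes[y])

    def second_preimage(self, x: int):
        """Oracle-2nd-Preimage: some x' != x with h(x') = h(x), or None if [x] = {x}."""
        others = [x2 for x2 in self.classes[self.h[x]] if x2 != x]
        return self.rng.choice(others) if others else None


def collision_to_second_preimage(h, oracles, rng):
    """Algorithm 4: random x, one oracle call; the reduction succeeds whenever the oracle does."""
    x = rng.randrange(len(h))
    x2 = oracles.second_preimage(x)
    return (x, x2) if x2 is not None else None


def collision_to_preimage(h, oracles, rng):
    """Algorithm 5: random x, y = h(x), ask for a preimage; success iff it is not x itself."""
    x = rng.randrange(len(h))
    x2 = oracles.preimage(h[x])
    return (x, x2) if x2 != x else None


def exact_success(h: list) -> float:
    """Average of (|[x]|-1)/|[x]| over x: equals (|X| - #nonempty classes)/|X| >= (|X|-|Y|)/|X|."""
    sizes = {}
    for y in h:
        sizes[y] = sizes.get(y, 0) + 1
    return sum(s - 1 for s in sizes.values()) / len(h)


def empirical_success(h, oracles, rng, trials: int, reduction) -> float:
    hits = 0
    for _ in range(trials):
        out = reduction(h, oracles, rng)
        if out is not None:
            x, x2 = out
            assert x != x2 and h[x] == h[x2]    # every returned pair is a genuine collision
            hits += 1
    return hits / trials


def run_experiment(seed: int, x_size: int, y_size: int, trials: int) -> dict:
    """Build a random h with |X| = x_size, |Y| = y_size and compare theory with observation."""
    rng = random.Random(seed)
    h = random_hash(x_size, y_size, rng)
    oracles = Oracles(h, rng)
    return {
        "exact": exact_success(h),
        "preimage_reduction": empirical_success(h, oracles, rng, trials, collision_to_preimage),
        "second_preimage_reduction": empirical_success(h, oracles, rng, trials, collision_to_second_preimage),
    }
```

With |X| = 2|Y| the theorem promises at least 1/2; a random h has empty classes, so the exact value is a little higher, and Algorithm 4 does better still because it only fails when x sits alone in its class.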

47 Plan
Hash Functions and Data Integrity; Security of Hash Functions; Iterated Hash Functions; Message Authentication Codes; Unconditionally Secure MACs

48 Detailed View
Figure: original input x → preprocessing (append padding bits, append length block) → formatted input x1, x2, ..., xt → iterated processing with the compression function f: Hi = f(Hi-1, xi), starting from H0 = IV → Ht → output transformation g → output h(x) = g(Ht).

49 Iterated Hash Function
Suppose that compress: {0,1}^(m+t) → {0,1}^m is a compression function, t ≥ 1. Our goal: construct an iterated hash function h, based on the compression function compress, that accepts inputs of arbitrary length.

50 Iterated Hash Function
Iterated hash function h: suppose that compress: {0,1}^(m+t) → {0,1}^m is a compression function (where t ≥ 1).
Preprocessing: given x (|x| ≥ m + t + 1), construct y(x) = x || pad(x) such that |y(x)| ≡ 0 (mod t), and write y(x) = y1 || y2 || ... || yr, where |yi| = t for 1 ≤ i ≤ r. pad(x) is constructed from x using a padding function. The mapping x → y(x) must be an injection (one-to-one).

51 Iterated Hash Function
Processing: for x, we construct the string y(x) = y1 || ... || yr with |yi| = t, 1 ≤ i ≤ r; then z0 ← IV and zi ← compress(zi-1 || yi) for 1 ≤ i ≤ r.
Output transformation: let g be a public function on {0,1}^m. Define h(x) = g(zr).

52 The Merkle-Damgård Construction
Here we present a particular method of constructing a hash function from a compression function.

53 Algorithm 6: Merkle-Damgård
External compress
Comment: compress: {0,1}^(m+t) → {0,1}^m with t ≥ 2; input x with |x| ≥ m + t + 1
n ← |x|
k ← ⌈n/(t-1)⌉
d ← k(t-1) - n
x = x1 || x2 || ... || xk, where |xi| = t-1 for 1 ≤ i ≤ k-1
for i ← 1 to k-1 do yi ← xi
yk ← xk || 0^d
yk+1 ← the binary representation of d, written as a (t-1)-bit string

54 Algorithm 6: Merkle-Damgård
z1 ← 0^(m+1) || y1
g1 ← compress(z1)
for i ← 1 to k do
  zi+1 ← gi || 1 || yi+1
  gi+1 ← compress(zi+1)
h(x) ← gk+1
return (h(x))

55 Theorem
Suppose compress: {0,1}^(m+t) → {0,1}^m is a collision resistant compression function, where t ≥ 2. Then the output of Algorithm 6 is a collision resistant hash function.

56 Proof
Suppose that we can find x ≠ x' such that h(x) = h(x'). Define y(x) = y1 || ... || yk+1 and y(x') = y'1 || ... || y'l+1, where x is padded with d 0's and x' with d' 0's. The g-values are g1, ..., gk+1 and g'1, ..., g'l+1.
Case 1: |x| ≢ |x'| (mod t-1). Then d ≠ d', so yk+1 ≠ y'l+1. We have compress(gk || 1 || yk+1) = gk+1 = h(x) = h(x') = g'l+1 = compress(g'l || 1 || y'l+1), which is a collision for compress because yk+1 ≠ y'l+1.

57 Proof
Case 2: |x| ≡ |x'| (mod t-1) and |x| = |x'|. Then k = l and yk+1 = y'k+1, with y(x) = y1 || ... || yk+1 and y(x') = y'1 || ... || y'k+1. We have compress(gk || 1 || yk+1) = gk+1 = h(x) = h(x') = g'k+1 = compress(g'k || 1 || y'k+1). If gk ≠ g'k, then we find a collision for compress. If gk = g'k, we have compress(gk-1 || 1 || yk) = gk = g'k = compress(g'k-1 || 1 || y'k).

58 Proof
compress(gk-1 || 1 || yk) = gk = g'k = compress(g'k-1 || 1 || y'k)
Either we find a collision for compress, or gk-1 = g'k-1 and yk = y'k. Assuming we do not find a collision, we continue working backwards, until finally we obtain compress(0^(m+1) || y1) = g1 = g'1 = compress(0^(m+1) || y'1). If y1 ≠ y'1, then we find a collision for compress, so we assume y1 = y'1. But then yi = y'i for 1 ≤ i ≤ k+1, so y(x) = y(x'), and since x → y(x) is an injection, x = x', a contradiction.

59 Proof
Case 3: |x| ≡ |x'| (mod t-1) and |x| ≠ |x'|. We assume that |x| < |x'|, so k < l. In a similar fashion to Case 2, working backwards without finding a collision, we obtain compress(0^(m+1) || y1) = g1 = g'l-k+1 = compress(g'l-k || 1 || y'l-k+1). But the (m+1)st bit of 0^(m+1) || y1 is 0, and the (m+1)st bit of g'l-k || 1 || y'l-k+1 is 1. Hence we find a collision for compress.

60 Algorithm 7: Merkle-Damgård 2
External compress
Comment: compress: {0,1}^(m+1) → {0,1}^m (the case t = 1); f(0) = 0, f(1) = 01
x = x1 || ... || xn, where each xi is a bit
y = y(x) = 11 || f(x1) || f(x2) || ... || f(xn); this encoding is postfix-free: y(x) is never a postfix of y(x') for x ≠ x'
Denote y = y1 || ... || yk, where yi ∈ {0,1}, 1 ≤ i ≤ k
g1 ← compress(0^m || y1)
for i ← 1 to k-1 do gi+1 ← compress(gi || yi+1)
h(x) ← gk
return (h(x))

61 Theorem
Suppose compress: {0,1}^(m+1) → {0,1}^m is a collision resistant compression function. Then the output of Algorithm 7 is a collision resistant hash function.

62 Proof
Suppose that we can find x ≠ x' such that h(x) = h(x'). Denote y(x) = y1 y2 ... yk and y(x') = y'1 y'2 ... y'l.
Case 1: k = l. As in the last theorem, either we find a collision for compress, or we obtain y = y'. Since x → y(x) is injective, x = x', a contradiction.
Case 2: k ≠ l, say l > k. Assuming we find no collision for compress, we have the following sequence of equalities: yk = y'l, yk-1 = y'l-1, ..., y1 = y'l-k+1. That is, y(x) is a postfix of y(x'), which contradicts the postfix-free property stated above.
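Both constructions implemented as an added example (not the lecture's own code): Algorithm 6 (slides 53 and 54) with its padding, and Algorithm 7 (slide 60) with the f(0) = 0, f(1) = 01 encoding, plus the two preprocessing properties the collision-resistance proofs depend on, injectivity of x → y(x) and postfix-freeness, checked by exhaustive enumeration over short inputs. Bit strings are Python str of "0"/"1"; the compression function is an assumption of the example, the first m bits of SHA-256 of the input, standing in for the collision-resistant compress the theorems suppose; the 11 marker in front of the Algorithm 7 encoding is also assumed.

```python
import hashlib
from itertools import product


def make_compress(m: int, t: int):
    """Toy compress: {0,1}^(m+t) -> {0,1}^m, the first m bits of SHA-256 of the bit string
    (assumption: stands in for the collision-resistant compress of the theorems)."""
    def compress(bits: str) -> str:
        assert len(bits) == m + t and set(bits) <= {"0", "1"}
        digest = int.from_bytes(hashlib.sha256(bits.encode("ascii")).digest(), "big")
        return format(digest >> (256 - m), "0%db" % m)
    return compress


def md_pad(x: str, t: int) -> list:
    """Algorithm 6 preprocessing (t >= 2): blocks y1..yk of t-1 bits, yk padded with d zeros,
    then y(k+1) = the (t-1)-bit binary representation of d (d <= t-2, so it fits)."""
    n = len(x)
    k = -(-n // (t - 1))                         # ceil(n / (t-1))
    d = k * (t - 1) - n
    blocks = [x[i * (t - 1):(i + 1) * (t - 1)] for i in range(k)]
    blocks[-1] += "0" * d
    blocks.append(format(d, "0%db" % (t - 1)))
    return blocks


def md_hash(x: str, m: int, t: int, compress) -> str:
    """Algorithm 6: g1 = compress(0^(m+1) || y1), g(i+1) = compress(gi || 1 || y(i+1)), output g(k+1)."""
    assert t >= 2 and len(x) >= m + t + 1
    y = md_pad(x, t)
    g = compress("0" * (m + 1) + y[0])
    for block in y[1:]:
        g = compress(g + "1" + block)
    return g


def pad_is_injective(t: int, max_len: int) -> bool:
    """Check that x -> y(x) is one-to-one over all bit strings of length 1..max_len."""
    seen = set()
    for n in range(1, max_len + 1):
        for bits in product("01", repeat=n):
            y = "".join(md_pad("".join(bits), t))
            if y in seen:
                return False
            seen.add(y)
    return True


def md2_encode(x: str) -> str:
    """Algorithm 7 preprocessing: f(0) = 0, f(1) = 01, preceded by the marker 11 (assumed);
    11 never occurs inside the f-codes, which is what makes x -> y(x) postfix-free."""
    return "11" + "".join("0" if bit == "0" else "01" for bit in x)


def md2_hash(x: str, m: int, compress) -> str:
    """Algorithm 7 (t = 1): g1 = compress(0^m || y1), g(i+1) = compress(gi || y(i+1)), output gk."""
    y = md2_encode(x)
    g = compress("0" * m + y[0])
    for bit in y[1:]:
        g = compress(g + bit)
    return g


def postfix_free(max_len: int) -> bool:
    """No y(x) is a postfix of a different y(x') for |x|, |x'| in 1..max_len."""
    codes = [md2_encode("".join(b)) for n in range(1, max_len + 1) for b in product("01", repeat=n)]
    return not any(a != b and a.endswith(b) for a in codes for b in codes)
```

Note what the checks catch: drop the length block y(k+1) and md_pad stops being injective (x and x || 0 pad to the same blocks); drop the 11 marker and md2_encode stops being postfix-free ("0" is a postfix of "010"), and in both cases the corresponding proof's final step, y(x) = y(x') implies x = x', no longer holds.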

63 The End

