1. Lecture 3 Cryptographic Hash Functions
H: Hash Function
Message: M
Lecturer: Meysam Alishahi Design By: Z. Faraji and H. Hajiabolhassan
Message Digest D
D = H(M)
4 May 2019

2. Hash Functions – a Hot Topic
Hash functions take a variable-length message and reduce it to a shorter fixed message digest
Many applications: “Swiss army knives” of cryptography:
Digital signatures (with public key algorithms)
Random number generation
Key update and derivation
One way function
Message authentication codes (with a secret key)
Integrity protection
code recognition (lists of the hashes of known good programs or malware)
User authentication (with a secret key)
Commitment schemes
4 May 2019

3. Plan Hash Functions and Data Integrity Security of Hash Functions
Interated Hash Functions
Message Autentication Codes
Unconditionally Secure MACs
4 May 2019

4. Hashes, Message Digests
Encrypting whole message is very expensive.
4 May 2019

5. Hashes, Message Digests
A signed message digest (or hash) of the message is much more efficient.
4 May 2019

6. Why Is It Efficient? Much faster to encrypt and decrypt.
Usually much shorter than the message.
Much faster to encrypt and decrypt.
Acts as a proxy for a lengthy message.
Make public-key cryptography more popular.
Like digital fingerprint or checksum of message.
4 May 2019

7. Classification Hash Function Unkeyed Keyed Other application Other
MDC
MAC
OWHF
CRHF
preimage res.
2nd-preimage
collision res.
4 May 2019

8. Hash Functions: Main Idea
hash function H .
message
“message
digest” x . y . . .
x’’ y’ x’
bit strings of any length
n-bit bit strings
H is a lossy compression function
Collisions: h(x)=h(x’) for some inputs x, x’
Result of hashing should “look random” (make this precise later)
Intuition: half of digest bits are “1”; any bit in digest is “1” half the time
Cryptographic hash function needs a few properties…
4 May 2019

9. Cryptographic Hash Function
Crypto hash function h(x) must provide
Compression  output length is small
Efficiency  h(x) easy to compute for any x
Preimage Resistant given a value y it is infeasible to find an x such that h(x) = y
Second Preimage Resistant  given x and h(x), infeasible to find y  x such that h(y) = h(x)
Collision Resistant  infeasible to find any x and y, with x  y such that h(x) = h(y)
Many collisions exist, but cannot find any
4 May 2019

10. Motivation: Integrity
VIRUS
badFile
goodFile
The Times
hash(goodFile)
User
Software manufacturer wants to ensure that the executable file
is received by users without modification.
It sends out the file to users and publishes its hash in NY Times.
The goal is integrity, not secrecy
Idea: given goodFile and hash(goodFile),
very hard to find badFile such that hash(goodFile)=hash(badFile)
4 May 2019

11. Motivation: Authentication
KEY
KEY
msg, hash(KEY,msg)
Alice
Bob
Alice wants to make sure that nobody modifies message in transit
Ensures both integrity and authentication (why?)
Idea: given msg, very hard to compute hash(KEY,msg) without KEY;
very easy with KEY
4 May 2019

12. Password Protection What should we put in there?
Password File
U1=…
U2=…
Password= jeitlse6
What should we put in there?
What if backup tape stolen?
What property do we need?
4 May 2019

13. Definition 4. For each kєK , there is a Hash function hk ЄH.
A Hash family is a four-tuple (X , Y ,K,H). Where the following conditions are satisfied: 1. X is a set of possible messages. 2. Y is a finite set of possible messages digests or autenication tags.
3. K, the key space, is a finite set of possible keys
4. For each kєK , there is a Hash function hk ЄH.
Each hk : X Y
4 May 2019

14. Hash Functions h is compress functions
X could be a finite or infinite set.
Y is a finite set.
|X |  |Y | or stronger, |X |  2|Y |.
A pair (x ,y) XY is said to be valid under the key K
hK(x) = y.
Let FX,Y denote the set of all function from X to Y.
|X| = N and |Y| = M.
|FX,Y| = MN.
F  FX,Y is termed an (N,M)-hash family.
An unkeyed hash function is a function
h: X  Y .
4 May 2019

15. Non-Crypto Hash (1) Data X = (X0,X1,X2,…,Xn-1), each Xi is a byte
Suppose hash(X) = X0+X1+X2+…+Xn-1
Is this secure?
Example: X = ( , )
Hash is
But so is hash of Y = ( , )
Easy to find collisions, so not secure…

16. Non-Crypto Hash Data X = (X0,X1,X2,…,Xn-1) Suppose hash is
h(X) = nX0+(n-1)X1+(n-2)X2+…+1Xn-1
Is this hash secure? At least
h( , )=h( , )
Not secure, but it is used in the (non-crypto) application rsync.
Imagine you have two files, A and B, and you wish to update B to be the same as A. The obvious method is to copy A onto B. Now imagine that the two files are on machines connected by a slow communications link. If A is large, copying A onto B will be slow.
4 May 2019

17. A Short History of Practical Hash Functions Constructions and Their Failures
MDx family
Proposed by Ronald Rivest for RSA Labs
MD2: 1989, Broken
MD4, 1990, Broken
MD5, 1992, Broken 128-bit output
Inspired by MDx family
RIPEMD: 1995, Broken
RIPEMD-160: 1996
Haval: 1992, Broken
SHA family, (SHA: Secure Hash Algorithm) – also inspired by MDx family
Developed by NSA (National Security Agency)
SHA-0, 1993, FIPS-180, US Gov., 160-bit output, Broken
SHA-1, 1995, FIPS-180-1, US Gov., Theoretically broken in 2005
SHA-2, 2002, FIPS-180-2, US Gov., SHA-224/256/384/512
4 May 2019

18. Plan Hash Functions and Data Integrity Security of Hash Functions
Interated Hash Functions
Message Autentication Codes
Unconditionally Secure MACs
4 May 2019

19. We now define three poblems;
if a hash function is to be considered secure, it should be the case that these three problems are difficult to solve.
4 May 2019

20. Security of Hash Functions
Instance: A hash function h: X Y and an element yєY. Preimage: Find : xє X such that h(x)=y. Second Preimage Find : x΄є X such that x΄≠x and h(x΄)=h(x). Collision Find : x,x΄є X such that x΄≠x and h(x΄)=h(x).
4 May 2019

21. a completely random function
Random Oracle Model
[Bellare, Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993] Idea: model the hash function as a random oracle. x
H(x)
a completely random function
H : {0,1}* → {0,1}L
4 May 2019

22. Criticism of the Random Oracle Model
[Canetti, Goldreich, Halevi: The random oracle methodology, revisited. 1998]
There exists a signature scheme that is
secure in Random oracle model
but
is not secure if the random oracle is replaced with any real hash function.
This example is very artificial. No “realistic” example of this type is know.
4 May 2019

23. Terminology
Plain model: In cryptography the plain model is the model of computation in which the adversary is only limited by the amount of time and computational power available. Other names used are bare model and standard model.
Random Oracle Model is also called:
the “Random Oracle Heuristic”.
Common View: ROM proof is better than nothing.
4 May 2019

24. Other Uses of “Hash Functions”
Hash functions are used by practitioners to convert “non-uniform randomness” into a uniform one.
Example:
shorter “uniformly random” H(m)
a hash function
H : {0,1}* → {0,1}L
user generated randomness X (key strokes, mouse movements, etc.)
How to formalize it?
4 May 2019

25. Pseudorandom Fnctionsx x’
F(x)
F(x’)
A random function
F: {0,1}m ---> {0,1}m
x’’
F(x’’)
Crucial difference:
Also the adversary can query the oracle
4 May 2019

26. Theorem
Suppose that is chosen randomly and let . Moreover, the values h(x) have been determined for xєX0. p(h(x)=y)=1/|Y| (for all xєX\X0 , yєY)
4 May 2019

27. Algorithm
Randomized algorithms make random choices during their execution.
A Las Vegas algorithm is a randomized algorithm which may fail to give an answer. If the algorithm does return an answer, then the answer must be correct.
A randomized algorithm has average-case success probability ε if the probability that the algorithm returns a correct answer, averaged over all problem instances of a specified size , is at least ε (0≤ε ≤ 1).
We use the terminology (ε,Q)-algorithm to denote a Las Vegas algorithm with average-case success probability ε. The number of oracle queries made by algorithms is at most Q.
4 May 2019

28. Algoithm 1: Find-Preimage(h,y,Q)
Choose any for each xє X0 do if h(x)=y then return (x) return (failure) Theorem. Let |Y|=M. For any with |X0|=Q, the average-case success probability of Algorithm1 is
4 May 2019

29. Proof
Let yєY is fixed , X0={x1 ,x2 ,…, xQ }. E i :=the event h(x i )=y, 1≤ i≤Q We know E i ‘s are indepent events and p(E i )=1/M 1≤ i≤Q (by the last theorem) Consequently, The success probability of Algorithm 1, for any fixed y, is constant. Therefore, the success probability averaged over all y Y is identical, too.
4 May 2019

30. Algoithm 2: Find-Secound-Preimage(h,x,Q)
Choose for each xє X0 do if h(x)=y then return (x) return (failure) Theorem. Let |Y|=M. For any with |X0|=Q-1, the average-case success probability of Algorithm2 is
4 May 2019

31. Length of Hash Value? Birthday Paradox:
What should be the size k of a group of people, such that with probability 1/2 at least two persons from the group will have birthday on the same day?
4 May 2019

32. Length of Hash Value?
4 May 2019

33. Algoithm 3: Find-Collision(h,Q)
Choose for each xє X0 do yx h(x) if yx=yx΄ for some x=x΄ then return (x,x΄) else return (failure) Theorem. Let |Y|=M. For any with |X0|=Q, the average-case success probability of Algorithm3 is
4 May 2019

34. Proof
Let X0={x1 ,x2 ,…, xQ } , E i :=the event “ ” Clearly p(E1 )=1, 2≤ i≤Q So
4 May 2019

35. Proof The probability that there is not any collision: Also, Hence,
By ignoring the term Q
4 May 2019

36. Birthday Attacks
Any function H: {0,1}* ->{0,1}n must have infinitely many collisions.
It requires O(2n/2) evaluations of H to find two messages m and m’ that have a collision,
H(m)=H(m’).
This means n must be reasonably large, otherwise it cannot be collision resistant.
This process is analogous to throwing k balls randomly into n bins and checking to see if some bin contains at least two balls.
For having more than half chance of finding at least two balls in one bin,
k  1.17 n1/2
E.g. n = 365  k  23
4 May 2019

37. Comparision of Securiy Criteria
In random oracle model, we have
seen that solving collision is easier than solving preimage or secound preimage.
4 May 2019

38. Question A related question is whether there exist
reductions among the three problems which
could be applied to arbitrary hash function?
4 May 2019

39. Algorithm4: Collision-To-Secound-Preimage
External Oracle-2ND-Preimage Choose xєX uniformly at random If Oracle-2ND-Preimage(h,x)=x΄ then return (x,x΄) Else return (failure)
4 May 2019

40. Notification
If there exists an (є,Q)-algorithm for second preimage, then
Collision-To-Secound Preimage is
an (є,Q+1)-algorithm.
4 May 2019

41. Algorithm5: Collision-To-Preimage(h)
External Oracle-Preimage Choose xєX uniformly at random y h(x) If Oracle-Preimage(h,y)=x΄ and then return (x,x΄) Else return (failure)
4 May 2019

42. Theorem
=hash function |X| ,|Y| are finite and |X|≥ 2|Y| Oracle-Preimage is a (1,Q)-algorithm for Preimage (for the fixed hash function h). Collision-To-Preimage is a (1/2,Q+1)-algorithm for collision (for the fixed hash function h).
4 May 2019

43. Proof
Clearly Collision-To-Preimage is a probabilistic Algorithm (Las Vegas type). So we must compute average-case probability of success. We define [x]={x1єX:h(x)=h(x1)} (for any xєX) Hence Э!yєY ; [x]=
4 May 2019

44. Proof
On the other hand; we supposed Oracle-Preimage is a (1,Q)-algorithm. So (for any y єY) Therefore |[x]|=|Y| We define |Y|:= classes by C. We now suppose x is random element X chosen by the algorithm Collision-To-Preimage.
4 May 2019

45. Proof
For this x, there are |[x]| possible x1’s that could be returned as the output of Oracle-Preimage. For xєX; the probability of success = (|[x]|-1)/ |[x]|
4 May 2019

46. Proof So
|X|≥2|Y|
4 May 2019

47. Plan Hash Functions and Data Integrity Security of Hash Functions
Interated Hash Functions
Message Autentication Codes
Unconditionally Secure MACs
4 May 2019

48. Detailed View original input x preprocessing append padding bits
append length block
formatted
input x1, x2... xt
iterated
processing
compression
function f xi  Hi
Hi-1
H0=IV Ht g
output h(x)=g(Ht)
4 May 2019

49. Iterated Hash Function
Suppose that is a compression function ;t≥1.
Our goal
We construct an iterated hash function
,based on the
compression function compress.
4 May 2019

50. Iterated Hash Function
Iterated hash function h:
Suppose that compress: {0,1}m+t  {0,1}m is a compression function ( where t  1).
Preprocessing
given x (|x|  m + t + 1)
construct y(x) = x || pad(x)
such that |y(x)|  0 (mod t)
y (x)= y1 || y2 ||…|| yr, where |yi| = t for 1  i  r
pad(x) is constructed from x using a padding function.
the mapping x -> y(x) must be an injection (1 to 1)
4 May 2019

51. Iterated Hash Function
For ,we construct a string y(x) such
that y(x)=y1||…||yr, |yi|=t, 1≤i≤r
Output transportation = let
be a public function. Define h(x)=g(zr)
4 May 2019

52. The Merkle-Damgard Construction
Here we present a particular method of constructing a hash function from a compression function.
4 May 2019

53. Algorithm 6: Merkle-Damgard
External compress Comment : s.t t≥2 x= x1 || x2 ||…|| xk, where |xi| =t-1 for 1  i  k-1
4 May 2019

54. Algorithm 6: Merkle-Damgard
do z i g i||1||y i+1
g i compress(z i+1)
h(x) g k+1
return (h(x))
4 May 2019

55. Theorem
Suppose is a collision resistant compression function,where t≥2. The output of algorithm 6 is a collision resistant hash function.
4 May 2019

56. Proof g-values : g1,.., gk+1 or g’1,.., g’l+1
Suppose that we can find s.t
Define y(x)=y1||…||yk+1 , y(x΄)= y΄1||…||y΄l+1
x is padded with d 0’s, x’ is padded with d’ 0’s
g-values : g1,.., gk+1 or g’1,.., g’l+1
Case1: |x|≠ |x΄| (mod t-1) d≠d΄, yk+1 ≠y΄l+1
We have
compress(g k||1||yk+1)=g k+1=h(x)=h(x΄)
=g΄l+1=compress(g΄l||1||y΄l+1)
Which is a collision for compress,
Because yk+1 ≠y΄l+1
4 May 2019

57. Proof
Case2:|x|=|x΄| (mod t-1) , |x|= |x΄|, k=l ,yk+1=y΄k+1 y(x)=y1||…||yk+1 , y(x΄)= y΄1||…||y΄k+1 We have compress(g k||1||yk+1)=g k+1=h(x)=h(x΄)=g΄k+1 =compress(g΄k||1||y΄k+1) If gk ≠g΄k ,then we find a collision for compress. If gk = g΄k We have compress(g k-1||1||yk)= gk = g΄k =compress(g΄k-1||1||y΄k)
4 May 2019

58. Proof = compress (g’k-1 || 1 || y’k)
compress(gk-1 || 1 ||yk) = gk = g’k
= compress (g’k-1 || 1 || y’k)
Either we find a collision for compress, or
gk-1 = g’k-1 and yk = y’k.
Assuming we do not find a collision, we continue work backwards, until finally we obtain
compress(0m+1 || y1) = g1 = g’1 =
compress (0m+1||y’1)
If y1  y’1, then we find a collision for compress, so we assume y1 = y’1.
But then yi = y’i for 1  i  k+1, so y(x) = y(x’).
4 May 2019

59. Proof
Case3:|x|= |x΄| (mod t-1) , |x|≠ |x΄| We assume that|x|<|x΄| . So k<l. In a similar fashion as Case 2 , we have But (m+1)st bit of And (m+1)st bit of Hence,we find a collision for compress.
4 May 2019

60. Algorithm 7: Merkle-Damgard2
External compress Comment: f(0)=0, f(1)=01, x= x1||…||xn Denote y= y1||…||yk , where yi є{0,1}, 1≤i ≤ k
4 May 2019

61. Theorem
Suppose is a collision resistant compression function. The output of Algorithm 7 is a collision resistant hash function.
4 May 2019

62. Proof
Suppose that we can find x=x΄ s.t h(x)=h(x΄). Denote y(x)= y1y 2…yk , y(x΄)= y΄1y΄2…y΄k Case1: k=l As in the last theorem, either we find a collision for compress, or we obtain y=y΄. So x=x΄. Case2: k≠l, l>k. Assuming we find no collision for compress, we have the following sequence of equalities: yk=yl΄, yk-1=yl-1΄ y1=yl-k+1΄ But this contradicts the postfix-free property stated above.
4 May 2019

63. The End
5/4/2019