Lecture 3: Cryptographic Hash Functions
Lecturer: Meysam Alishahi. Designed by: Z. Faraji and H. Hajiabolhassan. 4 May 2019
(Title figure: a hash function H takes a message M to a message digest D = H(M).)
Hash Functions – a Hot Topic
Hash functions take a variable-length message and reduce it to a shorter, fixed-length message digest. They have many applications and are the "Swiss army knives" of cryptography:
- Digital signatures (with public-key algorithms)
- Random number generation
- Key update and derivation
- One-way functions
- Message authentication codes (with a secret key)
- Integrity protection
- Code recognition (lists of the hashes of known good programs or of malware)
- User authentication (with a secret key)
- Commitment schemes
Plan
- Hash Functions and Data Integrity
- Security of Hash Functions
- Iterated Hash Functions
- Message Authentication Codes
- Unconditionally Secure MACs
Hashes, Message Digests
Encrypting the whole message is very expensive. A signed message digest (or hash) of the message is much more efficient.
Why Is It Efficient?
- The digest is usually much shorter than the message.
- It is much faster to encrypt and decrypt.
- It acts as a proxy for a lengthy message.
- It makes public-key cryptography more popular.
- It is like a digital fingerprint or checksum of the message.
Classification (figure)
Hash functions
- Unkeyed
  - MDC (modification detection codes)
    - OWHF (one-way hash functions): preimage resistant and 2nd-preimage resistant
    - CRHF (collision-resistant hash functions): 2nd-preimage resistant and collision resistant
  - Other applications
- Keyed
  - MAC (message authentication codes)
  - Other applications
Hash Functions: Main Idea
(Figure: a hash function H maps bit strings of any length, e.g. messages x, x', x'', to n-bit message digests y, y', ...)
- H is a lossy compression function.
- Collisions: h(x) = h(x') for some distinct inputs x, x'.
- The result of hashing should "look random" (we make this precise later).
- Intuition: half of the digest bits are "1", and any given digest bit is "1" half the time.
- A cryptographic hash function needs a few more properties...
Cryptographic Hash Function
A cryptographic hash function h(x) must provide:
- Compression: the output length is small.
- Efficiency: h(x) is easy to compute for any x.
- Preimage resistance: given a value y, it is infeasible to find an x such that h(x) = y.
- Second-preimage resistance: given x and h(x), it is infeasible to find y ≠ x such that h(y) = h(x).
- Collision resistance: it is infeasible to find any x and y with x ≠ y such that h(x) = h(y).
Many collisions exist, but none can be found.
Motivation: Integrity
(Figure: the software manufacturer sends goodFile to the user; a virus substitutes badFile; hash(goodFile) is published in The Times.)
A software manufacturer wants to ensure that users receive the executable file without modification. It sends the file to users and publishes its hash in the NY Times. The goal is integrity, not secrecy.
Idea: given goodFile and hash(goodFile), it is very hard to find a badFile such that hash(goodFile) = hash(badFile).
Motivation: Authentication
(Figure: Alice and Bob share KEY; Alice sends msg, hash(KEY, msg).)
Alice wants to make sure that nobody modifies the message in transit. This ensures both integrity and authentication (why?).
Idea: given msg, it is very hard to compute hash(KEY, msg) without KEY, but very easy with KEY.
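The keyed hash hash(KEY, msg) of this slide in Python, as an added example that is not part of the lecture: the tag is computed with HMAC-SHA256 (RFC 2104) rather than as a plain H(KEY || msg), and the receiver compares tags in constant time. The key and message are constructed for the demonstration.

```python
# Added example (not from the lecture slides): the keyed hash hash(KEY, msg)
# from the "Motivation: Authentication" slide, realised as HMAC-SHA256.
# The key and message below are constructed for the demonstration.
import hashlib
import hmac

KEY = bytes.fromhex("6b6579206b6579206b6579206b657920")  # constructed 16-byte demo key, not a real secret
MSG = b"transfer 100 to account 42"                      # constructed message


def make_tag(key: bytes, msg: bytes) -> bytes:
    """Alice's side: tag = HMAC(key, msg). Easy to compute with the key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Bob's side: recompute the tag and compare in constant time, so that the
    comparison itself does not leak how many leading bytes matched."""
    expected = make_tag(key, msg)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """A tag verifies only for the unmodified message under the right key."""
    tag = make_tag(KEY, MSG)
    return {
        "tag_len": len(tag),
        "genuine": verify_tag(KEY, MSG, tag),
        "tampered_msg": verify_tag(KEY, b"transfer 100 to account 43", tag),
        "wrong_key": verify_tag(b"not the key", MSG, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Bob's check answers the slide's "why?": a valid tag can only have been produced by someone holding KEY (authentication), and any change to msg changes the expected tag (integrity). HMAC is used instead of the literal H(KEY || msg) because, for iterated hash functions of the Merkle-Damgård type discussed later in the lecture, the plain concatenation allows a tag on msg to be turned into a tag on an extended message without the key; HMAC's nested construction does not have this weakness.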
Password Protection
(Figure: a password file with entries U1 = ..., U2 = ...; a user's password jeitlse6.)
What should we put in there? What if the backup tape is stolen? What property do we need?
Definition 4. A hash family is a four-tuple (X, Y, K, H) where the following conditions are satisfied:
1. X is a set of possible messages.
2. Y is a finite set of possible message digests or authentication tags.
3. K, the key space, is a finite set of possible keys.
4. For each k ∈ K, there is a hash function h_k ∈ H. Each h_k : X → Y.
Hash Functions
- X could be a finite or infinite set; Y is a finite set.
- |X| ≥ |Y|, or stronger, |X| ≥ 2|Y| (h is a compression function).
- A pair (x, y) ∈ X × Y is said to be valid under the key K if h_K(x) = y.
- Let F^{X,Y} denote the set of all functions from X to Y. If |X| = N and |Y| = M, then |F^{X,Y}| = M^N.
- F ⊆ F^{X,Y} is termed an (N, M)-hash family.
- An unkeyed hash function is a function h : X → Y.
Non-Crypto Hash (1)
Data X = (X_0, X_1, X_2, ..., X_{n-1}), where each X_i is a byte. Suppose hash(X) = X_0 + X_1 + X_2 + ... + X_{n-1}. Is this secure?
Example: X = ( , ) and Y = ( , ) have the same hash (the sample values were lost from the slide). It is easy to find collisions, so this is not secure...
Non-Crypto Hash (2)
Data X = (X_0, X_1, X_2, ..., X_{n-1}). Suppose the hash is h(X) = n·X_0 + (n-1)·X_1 + (n-2)·X_2 + ... + 1·X_{n-1}. Is this hash secure? At least h( , ) = h( , ) (values lost from the slide). Not secure, but it is used in the (non-crypto) application rsync.
Imagine you have two files, A and B, and you wish to update B to be the same as A. The obvious method is to copy A onto B. Now imagine that the two files are on machines connected by a slow communications link. If A is large, copying A onto B will be slow.
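Both slide hashes in Python, as an added example that is not part of the lecture: each function is paired with a routine that turns any input into a second preimage mechanically, which is what "easy to find collisions" means in practice. It goes a little beyond the slide in giving a general rule for the weighted sum instead of one pair of values. The sample inputs are constructed.

```python
# Added example (not from the lecture slides): the two byte-sum hashes of the
# "Non-Crypto Hash" slides, with second preimages constructed mechanically.
# The inputs used below are constructed for the demonstration.
from typing import Optional


def sum_hash(data: bytes) -> int:
    """hash(X) = X0 + X1 + ... + X(n-1)."""
    return sum(data)


def weighted_sum_hash(data: bytes) -> int:
    """h(X) = n*X0 + (n-1)*X1 + ... + 1*X(n-1), the position-weighted sum from the slide."""
    n = len(data)
    return sum((n - i) * b for i, b in enumerate(data))


def sum_collision(data: bytes) -> Optional[bytes]:
    """Second preimage for sum_hash: the sum ignores order, so swapping any two
    distinct adjacent bytes gives a different input with the same hash."""
    buf = bytearray(data)
    for i in range(len(buf) - 1):
        if buf[i] != buf[i + 1]:
            buf[i], buf[i + 1] = buf[i + 1], buf[i]
            return bytes(buf)
    return None  # all bytes equal: no reordering changes the input


def weighted_collision(data: bytes) -> Optional[bytes]:
    """Second preimage for weighted_sum_hash: the weights n-i fall by exactly 1 per
    position, so adding (+1, -2, +1) to three consecutive bytes changes the sum by
    (n-i) - 2(n-i-1) + (n-i-2) = 0. The three bytes only have to stay within 0..255."""
    buf = bytearray(data)
    for i in range(len(buf) - 2):
        if buf[i] <= 254 and buf[i + 1] >= 2 and buf[i + 2] <= 254:
            buf[i] += 1
            buf[i + 1] -= 2
            buf[i + 2] += 1
            return bytes(buf)
    return None


def demo() -> dict:
    x = b"abcd"  # constructed sample input
    return {
        "sum": sum_hash(x),
        "sum_twin": sum_collision(x),
        "weighted": weighted_sum_hash(x),
        "weighted_twin": weighted_collision(x),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Neither function is a cryptographic hash, and that is fine for rsync, which uses a cheap checksum of this kind only to locate candidate matching blocks and then confirms a match with a stronger hash; collision resistance is simply not the property that application needs.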
A Short History of Practical Hash Function Constructions and Their Failures
- MDx family, proposed by Ronald Rivest for RSA Labs:
  - MD2: 1989, broken
  - MD4: 1990, broken
  - MD5: 1992, broken; 128-bit output
- Inspired by the MDx family:
  - RIPEMD: 1995, broken
  - RIPEMD-160: 1996
  - HAVAL: 1992, broken
- SHA family (SHA: Secure Hash Algorithm), also inspired by the MDx family, developed by the NSA (National Security Agency):
  - SHA-0: 1993, FIPS-180, US Gov., 160-bit output, broken
  - SHA-1: 1995, FIPS-180-1, US Gov., theoretically broken in 2005
  - SHA-2: 2002, FIPS-180-2, US Gov., SHA-224/256/384/512
We now define three problems; if a hash function is to be considered secure, it should be the case that these three problems are difficult to solve.
Security of Hash Functions
Preimage. Instance: a hash function h : X → Y and an element y ∈ Y. Find: x ∈ X such that h(x) = y.
Second Preimage. Instance: a hash function h : X → Y and an element x ∈ X. Find: x' ∈ X such that x' ≠ x and h(x') = h(x).
Collision. Instance: a hash function h : X → Y. Find: x, x' ∈ X such that x' ≠ x and h(x') = h(x).
Random Oracle Model
[Bellare, Rogaway: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993]
Idea: model the hash function as a random oracle. On query x it returns H(x), where H : {0,1}* → {0,1}^L is a completely random function.
Criticism of the Random Oracle Model
[Canetti, Goldreich, Halevi: The Random Oracle Methodology, Revisited, 1998]
There exists a signature scheme that is secure in the random oracle model but is not secure if the random oracle is replaced with any real hash function. This example is very artificial; no "realistic" example of this type is known.
Terminology
Plain model: in cryptography, the plain model is the model of computation in which the adversary is limited only by the amount of time and computational power available. Other names used are the bare model and the standard model.
The random oracle model is also called the "random oracle heuristic".
Common view: a ROM proof is better than nothing.
Other Uses of "Hash Functions"
Hash functions are used by practitioners to convert "non-uniform randomness" into uniform randomness. Example: user-generated randomness X (key strokes, mouse movements, etc.) is fed into a hash function H : {0,1}* → {0,1}^L to obtain a shorter, "uniformly random" output H(m). How do we formalize this?
Pseudorandom Functions
(Figure: the adversary queries x, x', x'' and receives F(x), F(x'), F(x'') from a random function F : {0,1}^m → {0,1}^m.)
Crucial difference: the adversary can also query the oracle.
Theorem. Suppose that h ∈ F^{X,Y} is chosen randomly and let X_0 ⊆ X. Moreover, suppose the values h(x) have been determined for x ∈ X_0. Then Pr[h(x) = y] = 1/|Y| for all x ∈ X \ X_0 and y ∈ Y.
Algorithms
Randomized algorithms make random choices during their execution. A Las Vegas algorithm is a randomized algorithm which may fail to give an answer; if the algorithm does return an answer, then the answer must be correct. A randomized algorithm has average-case success probability ε if the probability that the algorithm returns a correct answer, averaged over all problem instances of a specified size, is at least ε (0 ≤ ε ≤ 1). We use the terminology (ε, Q)-algorithm to denote a Las Vegas algorithm with average-case success probability ε in which the number of oracle queries made by the algorithm is at most Q.
Algorithm 1: Find-Preimage(h, y, Q)
  Choose any X_0 ⊆ X with |X_0| = Q
  for each x ∈ X_0 do
    if h(x) = y then return (x)
  return (failure)
Theorem. Let |Y| = M. For any X_0 ⊆ X with |X_0| = Q, the average-case success probability of Algorithm 1 is [formula missing from slide].
Proof. Let y ∈ Y be fixed and X_0 = {x_1, x_2, ..., x_Q}. Let E_i be the event h(x_i) = y, 1 ≤ i ≤ Q. We know the E_i's are independent events and Pr(E_i) = 1/M for 1 ≤ i ≤ Q (by the last theorem). Consequently, [formula missing from slide]. The success probability of Algorithm 1 for any fixed y is thus a constant; therefore the success probability averaged over all y ∈ Y is the same value.
Algorithm 2: Find-Second-Preimage(h, x, Q)
  y ← h(x)
  Choose X_0 ⊆ X \ {x} with |X_0| = Q - 1
  for each x_0 ∈ X_0 do
    if h(x_0) = y then return (x_0)
  return (failure)
Theorem. Let |Y| = M. For any X_0 ⊆ X \ {x} with |X_0| = Q - 1, the average-case success probability of Algorithm 2 is [formula missing from slide].
Length of Hash Value? Birthday Paradox
What should the size k of a group of people be, such that with probability 1/2 at least two persons in the group have their birthday on the same day?
Algorithm 3: Find-Collision(h, Q)
  Choose X_0 ⊆ X with |X_0| = Q
  for each x ∈ X_0 do
    y_x ← h(x)
  if y_x = y_{x'} for some x ≠ x' then return (x, x')
  else return (failure)
Theorem. Let |Y| = M. For any X_0 ⊆ X with |X_0| = Q, the average-case success probability of Algorithm 3 is [formula missing from slide].
Proof. Let X_0 = {x_1, x_2, ..., x_Q} and let E_i be the event that h(x_i) ∉ {h(x_1), ..., h(x_{i-1})}. Clearly Pr(E_1) = 1, and for 2 ≤ i ≤ Q the conditional probability of E_i given E_1, ..., E_{i-1} follows from the last theorem [formula missing from slide]. The probability that there is no collision is the product of these conditional probabilities, and the success probability of Algorithm 3 is its complement [formulas missing from slide]. By ignoring the term Q, [approximation missing from slide].
Birthday Attacks
Any function H : {0,1}* → {0,1}^n must have infinitely many collisions. It requires O(2^{n/2}) evaluations of H to find two messages m and m' that collide, H(m) = H(m'). This means n must be reasonably large; otherwise H cannot be collision resistant.
This process is analogous to throwing k balls randomly into n bins and checking whether some bin contains at least two balls. To have a better than even chance of finding at least two balls in one bin, k ≈ 1.17·n^{1/2}. E.g., n = 365 gives k ≈ 23.
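As an added example that is not part of the lecture, the following Python runs Algorithm 3 against a deliberately truncated hash and compares the observed collision rate with the success probabilities the theorems give for a random function with |Y| = M. The formulas used are the standard ones for Algorithms 1 and 3 (the slide text lost its equations), and truncated SHA-256 standing in for a random function is an assumption of the example.

```python
# Added example (not from the lecture slides): Algorithms 1 and 3 against a
# truncated hash, next to the success probabilities for a random function with
# |Y| = M. The formulas are the standard ones (as in Stinson's text):
#   Find-Preimage:  1 - (1 - 1/M)^Q
#   Find-Collision: 1 - prod_{i=1}^{Q-1} (1 - i/M)  ~  1 - exp(-Q(Q-1)/(2M))
import hashlib
import math
import random
from typing import Optional, Tuple


def toy_hash(x: bytes, n_bits: int) -> int:
    """SHA-256 truncated to its first n_bits: a stand-in for a random function
    into {0,1}^n (an assumption of this example, not anything from the lecture)."""
    digest = hashlib.sha256(x).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def preimage_success(M: int, Q: int) -> float:
    """Average-case success probability of Find-Preimage with Q queries."""
    return 1.0 - (1.0 - 1.0 / M) ** Q


def collision_success(M: int, Q: int) -> float:
    """Exact success probability of Find-Collision with Q queries."""
    no_collision = 1.0
    for i in range(1, Q):
        no_collision *= 1.0 - i / M
    return 1.0 - no_collision


def collision_success_approx(M: int, Q: int) -> float:
    """Birthday approximation 1 - e^{-Q(Q-1)/(2M)}."""
    return 1.0 - math.exp(-Q * (Q - 1) / (2.0 * M))


def birthday_bound(M: int) -> int:
    """Smallest Q with collision_success(M, Q) >= 1/2, close to 1.17 * sqrt(M)."""
    Q = 1
    while collision_success(M, Q) < 0.5:
        Q += 1
    return Q


def find_collision(n_bits: int, Q: int, seed: int) -> Optional[Tuple[bytes, bytes]]:
    """Algorithm 3: hash Q random 8-byte inputs and report two with equal digests."""
    rng = random.Random(seed)
    seen = {}
    for _ in range(Q):
        x = rng.getrandbits(64).to_bytes(8, "big")
        y = toy_hash(x, n_bits)
        if y in seen and seen[y] != x:
            return seen[y], x
        seen[y] = x
    return None


def collision_rate(n_bits: int, Q: int, trials: int, seed: int = 0) -> float:
    """Fraction of independent runs in which Algorithm 3 succeeds; compare
    with collision_success(2**n_bits, Q)."""
    hits = sum(1 for t in range(trials) if find_collision(n_bits, Q, seed + t) is not None)
    return hits / trials


if __name__ == "__main__":
    print("people needed for a shared birthday:", birthday_bound(365))
    print("16-bit digest, Q=300: theory %.3f, observed %.3f"
          % (collision_success(2 ** 16, 300), collision_rate(16, 300, 200)))
```

birthday_bound(365) returns the slide's 23. For an n-bit digest the same bound is about 1.17·2^{n/2} evaluations, which is why a digest needs roughly twice as many bits as the collision-resistance level it is meant to offer (a 256-bit digest for 128-bit collision security).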
Comparison of Security Criteria
In the random oracle model, we have seen that solving Collision is easier than solving Preimage or Second Preimage.
Question
A related question is whether there exist reductions among the three problems which could be applied to an arbitrary hash function.
Algorithm 4: Collision-To-Second-Preimage(h)
  External Oracle-2nd-Preimage
  Choose x ∈ X uniformly at random
  if Oracle-2nd-Preimage(h, x) = x' then return (x, x')
  else return (failure)
Note: if there exists an (ε, Q)-algorithm for Second Preimage, then Collision-To-Second-Preimage is an (ε, Q+1)-algorithm for Collision.
Algorithm 5: Collision-To-Preimage(h)
  External Oracle-Preimage
  Choose x ∈ X uniformly at random
  y ← h(x)
  if Oracle-Preimage(h, y) = x' and x' ≠ x then return (x, x')
  else return (failure)
Theorem. Let h : X → Y be a hash function where |X| and |Y| are finite and |X| ≥ 2|Y|. Suppose Oracle-Preimage is a (1, Q)-algorithm for Preimage (for the fixed hash function h). Then Collision-To-Preimage is a (1/2, Q+1)-algorithm for Collision (for the fixed hash function h).
Proof. Clearly Collision-To-Preimage is a probabilistic algorithm (of Las Vegas type), so we must compute its average-case probability of success. For any x ∈ X we define [x] = {x_1 ∈ X : h(x) = h(x_1)}. Hence for each x there is a unique y ∈ Y with [x] = h^{-1}(y).
On the other hand, we supposed that Oracle-Preimage is a (1, Q)-algorithm, so it returns a preimage for every y ∈ Y; every class h^{-1}(y) is therefore non-empty, and the number of classes [x] is |Y|. We denote the set of these |Y| classes by C. Now suppose x is the random element of X chosen by the algorithm Collision-To-Preimage.
For this x, there are |[x]| possible x_1's that could be returned as the output of Oracle-Preimage. So for x ∈ X, the probability of success is (|[x]| - 1)/|[x]|.
Averaging over the uniformly chosen x ∈ X, the success probability is at least 1/2 because |X| ≥ 2|Y|.
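Algorithm 5 and its theorem in runnable form, as an added example that is not part of the lecture: a toy hash from an 8-bit domain onto a 4-bit range stands in for h (so |X| = 16|Y| ≥ 2|Y|), the preimage oracle is built by exhaustive search and always answers (a (1, Q)-algorithm), and the average-case success probability from the proof is computed exactly and then compared with a simulation. The toy hash and the oracle are assumptions of the example.

```python
# Added example (not from the lecture slides): Algorithm 5, Collision-To-Preimage,
# run against a toy hash small enough to enumerate, so that the 1/2 bound of the
# theorem can be checked exactly. The toy hash and oracle are assumptions of the
# example, not anything from the lecture.
import random
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

X: List[int] = list(range(256))  # |X| = 256


def toy_h(x: int) -> int:
    """h: X -> Y with Y = {0..15}: XOR of the two nibbles of x. |X| = 16|Y| >= 2|Y|."""
    return (x >> 4) ^ (x & 0xF)


def preimage_classes(h: Callable[[int], int], domain: List[int]) -> Dict[int, List[int]]:
    """The classes [x] = h^{-1}(h(x)) of the proof, keyed by digest."""
    classes: Dict[int, List[int]] = defaultdict(list)
    for x in domain:
        classes[h(x)].append(x)
    return dict(classes)


class PreimageOracle:
    """A (1, Q)-algorithm for Preimage on the toy hash: answers every y with one
    fixed preimage (the smallest). Built by exhaustive search, fine for |X| = 256."""

    def __init__(self, h: Callable[[int], int], domain: List[int]) -> None:
        self.table = {y: min(xs) for y, xs in preimage_classes(h, domain).items()}
        self.queries = 0

    def __call__(self, y: int) -> int:
        self.queries += 1
        return self.table[y]


def collision_to_preimage(h, domain, oracle, rng: random.Random) -> Optional[Tuple[int, int]]:
    """Algorithm 5: pick x uniformly, ask the oracle for a preimage of h(x),
    and succeed if the answer differs from x."""
    x = rng.choice(domain)
    x1 = oracle(h(x))
    return (x, x1) if x1 != x else None


def run_once(seed: int) -> Optional[Tuple[int, int]]:
    """One run of Algorithm 5 on the toy hash with a fresh oracle and seeded choice of x."""
    return collision_to_preimage(toy_h, X, PreimageOracle(toy_h, X), random.Random(seed))


def exact_success(h, domain) -> float:
    """Average over x of (|[x]| - 1)/|[x]|, as in the proof. Summing that quantity
    over the members of one class C gives |C| - 1, so the average is
    (|X| - number of classes)/|X|."""
    classes = preimage_classes(h, domain)
    return sum(len(c) - 1 for c in classes.values()) / len(domain)


def theorem_bound(domain_size: int, range_size: int) -> float:
    """The theorem's guarantee: success >= 1 - |Y|/|X|, which is >= 1/2 when |X| >= 2|Y|."""
    return 1.0 - range_size / domain_size


def observed_success(h, domain, trials: int, seed: int = 0) -> float:
    """Fraction of runs that return a valid collision; each run costs one oracle query."""
    oracle = PreimageOracle(h, domain)
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pair = collision_to_preimage(h, domain, oracle, rng)
        if pair is not None:
            assert pair[0] != pair[1] and h(pair[0]) == h(pair[1])
            hits += 1
    assert oracle.queries == trials
    return hits / trials


if __name__ == "__main__":
    print("exact:", exact_success(toy_h, X), "bound:", theorem_bound(256, 16))
    print("observed:", observed_success(toy_h, X, 1000))
```

The oracle here is deterministic, as the proof allows: the randomness the theorem relies on is the uniform choice of x, which lands on the oracle's fixed answer only with probability 1/|[x]|. With every class of size 16 the exact success probability is 15/16, above the guaranteed 1/2, and the simulation tracks it.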
Detailed View (figure)
Original input x → preprocessing (append padding bits, append length block) → formatted input x_1, x_2, ..., x_t → iterated processing with compression function f: H_i = f(x_i, H_{i-1}), starting from H_0 = IV → H_t → output transformation g → output h(x) = g(H_t).
Iterated Hash Function
Suppose that compress : {0,1}^{m+t} → {0,1}^m is a compression function (where t ≥ 1). Our goal: construct an iterated hash function h based on the compression function compress.
Preprocessing: given x (|x| ≥ m + t + 1), construct y(x) = x || pad(x) such that |y(x)| ≡ 0 (mod t), and write y(x) = y_1 || y_2 || ... || y_r, where |y_i| = t for 1 ≤ i ≤ r. pad(x) is constructed from x using a padding function, and the mapping x → y(x) must be an injection (one-to-one).
Processing: with a public initial value IV of m bits (H_0 = IV in the figure), set z_0 ← IV and z_i ← compress(z_{i-1} || y_i) for 1 ≤ i ≤ r.
Output transformation: let g be a public function. Define h(x) = g(z_r).
The Merkle-Damgård Construction
Here we present a particular method of constructing a hash function from a compression function.
Algorithm 6: Merkle-Damgård(x)
  External compress
  Comment: compress : {0,1}^{m+t} → {0,1}^m, where t ≥ 2
  n ← |x|
  k ← ⌈n/(t-1)⌉
  d ← k(t-1) - n
  for i ← 1 to k-1 do y_i ← x_i
  y_k ← x_k || 0^d
  y_{k+1} ← the binary representation of d, written in t-1 bits
  z_1 ← 0^{m+1} || y_1
  g_1 ← compress(z_1)
  for i ← 1 to k do
    z_{i+1} ← g_i || 1 || y_{i+1}
    g_{i+1} ← compress(z_{i+1})
  h(x) ← g_{k+1}
  return (h(x))
Here x = x_1 || x_2 || ... || x_k, where |x_i| = t-1 for 1 ≤ i ≤ k-1 and |x_k| = t-1-d with 0 ≤ d ≤ t-2; the last block is padded with d zeros, and the padding length d is recorded in the extra block y_{k+1}.
Theorem. Suppose compress : {0,1}^{m+t} → {0,1}^m is a collision-resistant compression function, where t ≥ 2. Then the output of Algorithm 6 is a collision-resistant hash function.
Proof. Suppose that we can find x ≠ x' such that h(x) = h(x'). Write y(x) = y_1 || ... || y_{k+1} and y(x') = y'_1 || ... || y'_{l+1}, where x is padded with d zeros and x' with d' zeros, and let the g-values be g_1, ..., g_{k+1} for x and g'_1, ..., g'_{l+1} for x'.
Case 1: |x| ≢ |x'| (mod t-1). Then d ≠ d', so y_{k+1} ≠ y'_{l+1}. We have
  compress(g_k || 1 || y_{k+1}) = g_{k+1} = h(x) = h(x') = g'_{l+1} = compress(g'_l || 1 || y'_{l+1}),
which is a collision for compress, because y_{k+1} ≠ y'_{l+1}.
Case 2: |x| ≡ |x'| (mod t-1) and |x| = |x'|. Then k = l and y_{k+1} = y'_{k+1}, with y(x) = y_1 || ... || y_{k+1} and y(x') = y'_1 || ... || y'_{k+1}. We have
  compress(g_k || 1 || y_{k+1}) = g_{k+1} = h(x) = h(x') = g'_{k+1} = compress(g'_k || 1 || y'_{k+1}).
If g_k ≠ g'_k, then we have found a collision for compress. If g_k = g'_k, we have
  compress(g_{k-1} || 1 || y_k) = g_k = g'_k = compress(g'_{k-1} || 1 || y'_k).
Either we find a collision for compress, or g_{k-1} = g'_{k-1} and y_k = y'_k. Assuming we do not find a collision, we continue working backwards until finally we obtain
  compress(0^{m+1} || y_1) = g_1 = g'_1 = compress(0^{m+1} || y'_1).
If y_1 ≠ y'_1, then we find a collision for compress, so we assume y_1 = y'_1. But then y_i = y'_i for 1 ≤ i ≤ k+1, so y(x) = y(x'), and since x → y(x) is an injection, x = x', a contradiction.
Case 3: |x| ≡ |x'| (mod t-1) but |x| ≠ |x'|. We assume |x| < |x'|, so k < l. In a similar fashion to Case 2, working backwards from g_{k+1} = g'_{l+1}, we either find a collision for compress or reach compress(0^{m+1} || y_1) = g_1 = g'_{l-k+1} = compress(g'_{l-k} || 1 || y'_{l-k+1}). But the (m+1)st bit of 0^{m+1} || y_1 is 0, while the (m+1)st bit of g'_{l-k} || 1 || y'_{l-k+1} is 1, so the two inputs differ. Hence we find a collision for compress.
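Algorithm 6 over bit strings, as an added example that is not part of the lecture: the preprocessing produces exactly the blocks y_1, ..., y_{k+1} the proof reasons about, and the chaining uses the 0^{m+1} prefix for the first block and the separator bit 1 afterwards. The parameters m and t and the toy compression function (truncated SHA-256) are assumptions of the example; the example also accepts any non-empty bit string, whereas the theorem's domain is strings of length at least m + t + 1.

```python
# Added example (not from the lecture slides): Algorithm 6 (Merkle-Damgard, t >= 2)
# over bit strings, with a toy compression function built from truncated SHA-256.
# The parameters m, t and the compression function are assumptions of the example.
import hashlib
from typing import List

M_BITS = 32   # m: length of chaining values and of the digest
T_BITS = 8    # t: the compression function absorbs t extra bits per step (t >= 2)


def compress(z: str) -> str:
    """Toy compress: {0,1}^(m+t) -> {0,1}^m. Any fixed function works for the
    construction; the hash inherits collision resistance from it."""
    assert len(z) == M_BITS + T_BITS and set(z) <= {"0", "1"}
    digest = hashlib.sha256(z.encode("ascii")).digest()
    return format(int.from_bytes(digest, "big") >> (256 - M_BITS), f"0{M_BITS}b")


def md_pad(x: str, t: int = T_BITS) -> List[str]:
    """Preprocessing of Algorithm 6: split x into k blocks of t-1 bits, pad the last
    block with d zeros, and append y_{k+1} = d written in t-1 bits.
    Because d is recorded, the map x -> y(x) is injective."""
    n = len(x)
    k = -(-n // (t - 1))            # ceil(n / (t-1))
    d = k * (t - 1) - n             # 0 <= d <= t-2
    blocks = [x[i * (t - 1):(i + 1) * (t - 1)] for i in range(k)]
    blocks[-1] = blocks[-1] + "0" * d
    blocks.append(format(d, f"0{t - 1}b"))
    return blocks


def merkle_damgard(x: str) -> str:
    """h(x) = g_{k+1}, where g_1 = compress(0^{m+1} || y_1) and
    g_{i+1} = compress(g_i || 1 || y_{i+1}) for 1 <= i <= k."""
    if not x or set(x) - {"0", "1"}:
        raise ValueError("x must be a non-empty bit string")
    y = md_pad(x)
    g = compress("0" * (M_BITS + 1) + y[0])
    for block in y[1:]:
        g = compress(g + "1" + block)
    return g


def bits(data: bytes) -> str:
    """Convenience: bytes -> bit string, so ordinary messages can be hashed."""
    return "".join(format(b, "08b") for b in data)


if __name__ == "__main__":
    for msg in (b"abc", b"abc\x00"):
        print(msg, merkle_damgard(bits(msg)))
```

The length block y_{k+1} is what the case analysis of the proof depends on: without it, a message and the same message with trailing zeros appended (up to t-2 of them) would pad to the same y(x), and the construction would have trivial collisions no matter how good compress is.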
Algorithm 7: Merkle-Damgård2(x)
  External compress
  Comment: compress : {0,1}^{m+1} → {0,1}^m (the case t = 1). Let f(0) = 0 and f(1) = 01.
  Write x = x_1 || ... || x_n and define y = 11 || f(x_1) || ... || f(x_n); denote y = y_1 || ... || y_k, where y_i ∈ {0,1}, 1 ≤ i ≤ k
  g_1 ← compress(0^m || y_1)
  for i ← 1 to k-1 do g_{i+1} ← compress(g_i || y_{i+1})
  h(x) ← g_k
  return (h(x))
Every encoding y(x) begins with 11 and contains no further occurrence of 11, so the encoding is postfix-free: y(x) cannot be a postfix of y(x') for x ≠ x'.
Theorem. Suppose compress : {0,1}^{m+1} → {0,1}^m is a collision-resistant compression function. Then the output of Algorithm 7 is a collision-resistant hash function.
Proof. Suppose that we can find x ≠ x' such that h(x) = h(x'). Denote y(x) = y_1 y_2 ... y_k and y(x') = y'_1 y'_2 ... y'_l.
Case 1: k = l. As in the last theorem, either we find a collision for compress, or we obtain y = y', so x = x'.
Case 2: k ≠ l; say l > k. Assuming we find no collision for compress, we have the following sequence of equalities: y_k = y'_l, y_{k-1} = y'_{l-1}, ..., y_1 = y'_{l-k+1}. But this contradicts the postfix-free property stated above.
63
The End 5/4/2019
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.