Presentation is loading. Please wait.

Presentation is loading. Please wait.

Announcements: Choosing presentation dates (at end) Choosing presentation dates (at end)Questions? This week: Hash functions, SHA Hash functions, SHA Birthday.

Published byHugo Huson Modified over 9 years ago

Similar presentations

Presentation on theme: "Announcements: Choosing presentation dates (at end) Choosing presentation dates (at end)Questions? This week: Hash functions, SHA Hash functions, SHA Birthday."— Presentation transcript:

1 Announcements: Choosing presentation dates (at end) Choosing presentation dates (at end)Questions? This week: Hash functions, SHA Hash functions, SHA Birthday attacks Birthday attacks Digital signatures (Monday) Digital signatures (Monday) DTTF/NB479: DszquphsbqizDay 28

2 Birthday paradox What’s the chances that two people in our class of 28 have the same birthday? Exact solution: use fractions Approximate solution: Where r = 28 people, and N = 365 choices 1-2

3 The birthday paradox doesn’t mean that there’s a high probability that someone else has my birthday What’s the chance that one of the other 27 students has your birthday? Note: the chance of someone matching me is low, but there are lots of ways to get pairs of matches in general. 3

4 Likewise, the birthday paradox doesn’t mean that finding a collision with a known digest is easy What’s the chance that one of the other 27 students has your birthday? Note: the chance of someone matching me is low, but there are lots of ways to get pairs of matches in general. 4 Strongly collision-free: Can’t find any pair m 1 ≠ m 2 such that h(m 1 )=h(m 2 ) easily (Sometimes we can settle for weakly collision-free: given m, can’t find m’ ≠ m with h(m) = h(m’).

5 We can calculate how many messages we need to hash to have a good chance of finding a collision How many people are needed to get the probability of having 2 with the same birthday to be above 50%? Derive for general N (not just days in a year) 5

6 Birthday attacks on SHA-1? How many digests are possible when h is an n-bit hash? This is N. The birthday paradox says I can choose r = sqrt(n) messages and there’s a good possibility that 2 will match. For a 60-bit hash, r = ??? For a 60-bit hash, r = ??? For a 160-bit hash, r = ??? For a 160-bit hash, r = ??? 6

7 Multicollisions are harder to find, but not as hard as expected. What if instead of finding a just pair of collisions, we need to find 8 collisions?

8 Multicollisions Recall: given r people and N (say, 365) birthdays. If, then there’s a good chance that 2 people will have the same birthday Generalization: given r people and N birthdays. If for some k, then there’s a good chance that k people will have the same birthday. So for 160-bit hashes, how many messages do we need to generate to get an 8-collision? That’s lots more than 2 80 ! However, there’s a big underlying assumption: the hash function is random! Is SHA-1 random? (answer on next slide) 7

9 No (It’s iterative…)

10 Recall this picture Consider the following attack: 1.Birthday attack the first block: x1 = h’(x0, m1) 1.Need to generate 2 n/2 messages 2.Result: found (m1, m1’) such that x1 = h’(x0, m1) = h’(x0, m1’) 2.Repeat for x2 and x3, finding pairs (m2, m2’) based on x1 and (m3, m3’) based on x2. 1.Need to generate total of 3 * 2 n/2 messages 2.Result: found 8 combinations (m1, m1’) x (m2, m2’) x (m3, m3’) with same x3. 3.3 x 2 80 is lots smaller than 2 140. m1m1 m2m2 X0X0 X1X1 X2X2 h’ m3m3 X3X3 mLmL XLXL =h(m) m1’m1’ m2’m2’ m3’m3’ 8

11 Birthday attacks on discrete logs Birthday attack Uses sqrt(n) modular exponentiations Uses sqrt(n) modular exponentiations Works probabilistically Works probabilistically Works with high probability. Works with high probability. Requires random modular exponentiations to be done Requires random modular exponentiations to be done BabyStep, GiantStep attack Uses sqrt(n) modular exponentiations Works deterministically. Guaranteed to work Does modular exponentiations in order, which is somewhat faster BabyStep, GiantStep attack Compare with BabyStep, GiantStep attack

12 The Future of SHA-1?

13 The best attack so far… On 17 August 2005, an improvement on the SHA-1 attack was announced on behalf of Xiaoyun Wang, Andrew Yao and Frances Yao at the CRYPTO 2005 rump session, lowering the complexity required for finding a collision in SHA-1 to 2 63.

14 SHA-3 Under evaluation by NIST Candidate submissions due Oct. 31, 2008 Received 64 (51 complete, currently down to 40) From US, Canada, China, Singapore, Japan, Korea, Argentina, India, Switzerland, Macedonia, Turkey, Israel, Belgium, France, Norway, Luxembourg and a number of “pan European” submissions From US, Canada, China, Singapore, Japan, Korea, Argentina, India, Switzerland, Macedonia, Turkey, Israel, Belgium, France, Norway, Luxembourg and a number of “pan European” submissions 199 cryptographers met in February 2009 at KU Leuven, Belgium Open discussion Open discussion Cryptanalysis is hard! Cryptanalysis is hard! Got it cut down to 5 finalists Got it cut down to 5 finalists Michael Pridal-LoPiccolo’s senior thesis is on Keccak Michael Pridal-LoPiccolo’s senior thesis is on Keccak www.ietf.org/proceedings/09mar/slides/saag-0.ppt http://csrc.nist.gov/groups/ST/hash/statement.html

15 For your pleasure… What’s the chance that 2 people in a family of 4 have a birthday in the same month? How big does our class need to be to have: a 99% chance that 2 have the same birthday? a 99% chance that 2 have the same birthday? a 100% probability (guaranteed) that 2 have the same birthday? a 100% probability (guaranteed) that 2 have the same birthday? Trivia: If a professor posts grades for his class by using the last 4 digits of each student’s SSN, what’s the probability that at least 2 students have same last 4 digits? …for a class at UIUC? (200 students) …for a class at Rose? (30 students) 9-12

Download ppt "Announcements: Choosing presentation dates (at end) Choosing presentation dates (at end)Questions? This week: Hash functions, SHA Hash functions, SHA Birthday."

Similar presentations

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 8: Hashing Note: only 3 people.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 8: Hashing Note: only 3 people.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
SHA-1 collision found Lukáš Miňo, Richard Bartuš.

SHA-1 collision found Lukáš Miňo, Richard Bartuš.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.

Announcements: 1. Term project groups and topics due tomorrow midnight Waiting for posts from most of you. Questions? This week: Primality testing, factoring.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,

Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.

Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Announcements: 1. Class cancelled tomorrow 2. HW7 due date moved to Thursday. Questions? This week: Birthday attacks, Digital signatures Birthday attacks,

Announcements: 1. Class cancelled tomorrow 2. HW7 due date moved to Thursday. Questions? This week: Birthday attacks, Digital signatures Birthday attacks,
Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O167 10 th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.

Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.

Announcements:Questions? This week: Birthday attacks, Digital signatures, DSA Birthday attacks, Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 30.
Foundations of Network and Computer Security J J ohn Black Lecture #8 Sep 15 th 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #8 Sep 15 th 2005 CSCI 6268/TLEN 5831, Fall 2005.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
Module 4 Hash Functions Highline Community College Seattle University University of Washington in conjunction with the National Science Foundation.

Module 4 Hash Functions Highline Community College Seattle University University of Washington in conjunction with the National Science Foundation.

Similar presentations

Ads by Google