 # Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

## Presentation on theme: "Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44."— Presentation transcript:

Session 5 Hash functions and digital signatures

Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44

Contents Digital signatures – Definition – Digital signatures – procedure – Digital signature with RSA – Signing enciphered messages – Signing and hashing 3/44

Hash functions - definition Let k, n be positive integers A function f with n bit output and k bit key is called a hash function if 1. f is a deterministic function 2. f takes 2 inputs, the first is of arbitrary length and the second is of length k 3. f outputs a binary string of length n Formally: 4/44

Hash functions - definition The key k is assumed to be known/fixed, unlike in cipher systems If k is known/fixed, the hash function is unkeyed If k is secret the hash function is keyed k is known/fixed in most of the applications (e.g. digital signature schemes) k is kept secret in Message Authentication Codes (MACs) 5/44

Hash functions – security requirements In order to be useful for cryptographic applications, any hash function must satisfy at least 3 properties (3 “levels of security”) (1) 1.One-wayness (or preimage resistance): a hash function f is one-way if, for a random key k and an n -bit output string w, it is difficult for the attacker presented with k and w to find x such that f k (x )=w. 6/44

Hash functions – security requirements Security requirements (2) 2.Second preimage resistance (or weak collision resistance): a hash function f is second preimage resistant if it is difficult for an attacker presented with a random key k and a random input string x to find y  x such that f k (x )=f k (y ). 7/44

Hash functions – security requirements Security requirements (3): 3.(Strong) collision resistance: a hash function f is collision resistant if it is difficult for an attacker presented with a random key k to find x and y  x such that f k (x )=f k (y ). 8/44

Hash functions – security requirements The collision resistance implies the second preimage resistance. The second preimage resistance and one- wayness are incomparable – The properties do not follow from one another – Still, a hash function that would be one-way but not second preimage resistant would be quite artificial 9/44

Hash functions – security requirements In practice, collision resistance is the strongest security requirement of all the three requirements – the most difficult to satisfy – the easiest to breach Breaking the collision resistance property is the goal of most attacks on hash functions. 10/44

Hash functions – other requirements Certificational weakness – A good hash function should possess avalanche property changing a bit of input would approximately change a half of the output bits – No input bits can be reliably guessed based on the hash function’s local output (local one- wayness) – Failure to satisfy these (and some other) properties is called certificational weakness. 11/44

Hash functions – other requirements It is also required that a hash function is feasible to compute, given x (and k ). This is the reason why some theoretically strong constructions of hash functions are not used extensively in practice. 12/44

Hash functions – other requirements Example: so called algebraic hash functions, based on the same difficult mathematical problems that are used in public key cryptography – Shamir’s function (factoring) – Chaum-vanHeijst-Pfitzmann’s function (discrete log) – Newer designs: VSH (factoring), LASH (lattice), Dakota (modular arithmetic and symmetric ciphers) 13/44

Hash functions - construction The Merkle-Damgård construction – A classical hash function design – Iterates a compression function – A compression function takes a fixed length input outputs a fixed length (shorter) output. 14/44

Hash functions - construction In practice, symmetric cipher systems are used as compression functions (usually block ciphers). Let g =(x,k ) be a block cipher, where x is the plaintext message, and k is the key. The length of the block x is n bits and the length of the key k is m bits, m >n. 15/44

Hash functions - construction The hash function f to be constructed – has the (theoretically) unlimited input length – has the output bit length n The input string to the hash function f is y. 16/44

Hash functions - construction Hash function iterations – Pad y such that the length of the padded input y ’ is the least possible multiple of m. – Let where y i  {0,1} m. – Let f 0 be a fixed initialization vector of length n (in bits). – Then, for i =1,..., r, f i =g (f i -1, ). – Finally, f =f r. 17/44

Hash functions - construction Remark: – The padding algorithm and f 0 depend on the particular hash function. Schematic of the Merkle-Damgård design 18/44

Hash functions - construction Advantages of using block ciphers as compression functions – Efficient, i.e. fast – Usually already implemented Disadvantage – Employing a strong block cipher in hash function design does not guarantee a good hash function. 19/44

Hash functions - construction Examples of Merkle-Damgård designs – The MD (Message Digest) family of hash functions (MD4, MD5), n =128. – The NIST SHA (Secure Hash Algorithm) family of hash functions (SHA-1 (n =160), SHA-2 (i.e. SHA-256, SHA-512)). They all use custom block cipher rounds. 20/44

Hash functions - construction The speed of such a design depends on the number of rounds of the block cipher involved. Example – MD4 – 3 rounds – MD5 – 4 rounds – more secure – But MD5 is  30% slower than MD4. 21/44

Hash functions - security Security of the most often used hash functions, MD5 and SHA-1 has been recently compromised – collisions were found. They are now considered insecure. Consequence: the SHA-3 contest, the proposals are due October 2008. 22/44

Hash functions - applications Data integrity protection – Digital signature schemes Authentication – Message authentication codes (MACs) – If MAC uses a hash function it is called HMAC – HMAC standard RFC2104 (Bellare-Canetti- Krawczyk, 1996). 23/44

Digital signatures - definition Digital signature – A number dependent on some secret known only to the signer and on the contents of the signed message – Must be verifiable in case of a signer repudiating a signature a fraudulent claimant 24/44

Digital signatures - definition Applications – Authentication – Data integrity protection and non-repudiation – Certification of public keys in large networks. 25/44

Digital signatures - procedure Basic elements (1) – M – the set of messages that can be signed – S – the set of signatures, e.g. binary strings of fixed length – S A – signing transformation for the entity A S A is kept secret by A Used to create signatures from M 26/44

Digital signatures - procedure Basic elements (2) – V A – verification transformation for the A’s signatures Publicly known Used by other entities to verify signatures created by A 27/44

Digital signatures - procedure Both S A and V A should be feasible to compute It should not be computationally feasible to forge a digital signature y on a message x – Given x, only A (i.e. Alice) should be able to compute the signature y such that V A (x,y )=true. 28/44

Digital signatures - procedure Signing a message x – Alice uses the algorithm S A to compute the signature over the message x – Alice publishes (or sends to some recipient) the message x, together with the signature y =S A (x ) 29/44

Digital signatures - procedure Verifying a signature of a message published/sent by Alice – Upon receiving the pair (x,y ), the verifier uses the algorithm V A (publicly known) to verify the integrity of the received message x – If V A (x,y )=true, the signature is verified. 30/44

Digital signatures - procedure It can be shown that asymmetric ciphers can be used for digital signature purposes To prevent forgery, it should be infeasible for an attacker to retrieve the secret information used for signing – the transformation S A. 31/44

Digital signature with RSA Alice signs the message x by using the deciphering transformation Alice is the only one that can sign, since d A is kept secret. 32/44

Digital signature with RSA Bob verifies the signature y received from Alice by employing encipherment of y using Alice’s public key (e A,n A ), i.e. If c =x, then the signature y is verified. 33/44

Digital signature with RSA - security Suppose Eve wants to sign her own message x ’ with Alice’s signature y (i.e. to forge Alice’s signature). Eve does not know d A, she only knows Alice’s public key (e A,n A ). 34/44

Digital signature with RSA - security Direct verification, if Eve’s signed document (x ’,y ) is to be verified – This will fail, since c ≠x ’. Thus, what Eve needs is another signature, y ’, such that Getting y ’ is a difficult problem. 35/44

Digital signature with RSA - security Another possibility for Eve – she can choose y ’ first and then generate the message y ’ will then be easily verified, i.e. such a forgery is successful. But then the probability that x ’ is meaningful is very small. 36/44

Signing enciphered messages Suppose Alice wants to send a signed enciphered message x to Bob. – Alice computes her signature y =S A (x ) – Then Alice enciphers both x and y by means of Bob’s public key – The ciphertext z is transmitted to Bob. 37/44

Signing enciphered messages Deciphering and verification – Bob deciphers z by means of his private key and thus obtains (x,y ) – Then Bob uses Alice’s public verification function V A to verify the Alice’s signature y. 38/44

Signing and hashing Usually, public key ciphers are used in digital signature schemes If the original message is signed, the signature is at least as long as the message – inefficient 39/44

Signing and hashing Another problem is that of Eve’s ability to generate the signature and then get the corresponding message that may be meaningful, although with small probability. Solution: sign hashed message. 40/44

Signing and hashing The hash function f is made public Starting with a message x, Alice first computes f (x ), which is significantly smaller than x Alice then computes y =S A (f (x )) Alice then sends (x,y ) to Bob. 41/44

Verification process – Bob computes f (x ) – Bob also computes V A (f (x ),y ) – If V A (f (x ),y ) =true, then Alice’s signature is verified. Signing and hashing 42/44

Suppose Eve has (x,y =S A (f (x )) Eve would like to sign her own message x ’ with Alice’s signature (i.e. to forge it) So she needs S A (f (x ’))=S A (f (x )), which means she needs f (x ’)=f (x ). This is difficult if f (x ) is second preimage resistant. Signing and hashing - security 43/44

Moreover, it is highly unlikely that Eve would be able to find two messages, x’ and x ’’ with the same hashes and consequently signatures, if f is collision resistant. So it is difficult for Eve to choose the signature first and then get the corresponding message. Signing and hashing - security 44/44

Download ppt "Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44."

Similar presentations