CS 255 Lecture 6 Hash Functions Brent Waters
Recap - Notions of Security
• What attacker can do
  • Random plaintext attack
  • Chosen ciphertext attack
• Attacker’s Goal
  • Discover secret key
  • Decrypt a ciphertext, C*
  • Distinguish two messages

Recap - Notions of Security
• 3 x 3 = 9 possible notions of security
• Strongest system = semantic security against CCA: weakest adversary goal + most adversary power

Recap - Semantic Security of Counter Mode
1) Defined notion of security for block cipher
  -- Indistinguishable from PRP
  -- Formal definition game
  -- Believe this is true for AES…

Recap
2) Prove that if cipher is indist. from Random Permutation then counter mode is semantically secure against CPA attack
  -- Assume counter mode is not ⇒ A breaks it
  -- Build algorithm B that uses algorithm A
  -- Want to show that A’s answer gives B information to play his game

Why do we do this?
• Aren’t we assuming AES, 3DES secure anyway?
• Why not just make same assumption for mode X?
• Reduce to simplest assumptions possible

Hash Functions
• Hash function: h: {0,1}* → {0,1}^n
• Typically n ≈ 160 bits (will see why soon)
[Figure: a long message (“Hi, I recently… …should be used”) is mapped by h(x) to a short bit string 01100100…1]

Properties
• Compression
• Pre-image resistance: Given y = h(x), difficult to determine x’ s.t. h(x’) = y
• 2nd preimage resistance: Given x, find x’ ≠ x s.t. h(x) = h(x’)
• Collision resistance: Find x’ ≠ x s.t. h(x) = h(x’)

Relations
• If h is collision resistant then h is 2nd order preimage resistant
• How do we show this?
• Reduction: simple here

Applications
• Show three applications and do one together
• For each one keep in mind what properties we need

Password protection
[Figure: user enters pword=jeitlse; password file with entries U1=…, U2=…]
• What should we put in there?
• What if backup tape stolen?
• What property do we need?

Virus protection
• Worried virus might modify an application
• Small amount of trusted storage on USB token
• What properties do we need?
• Mirror sites distributing software

Digital Signatures
• One party can sign a message M, many parties can verify
• Contract signing, code signing
• Raw signature scheme only signs messages ~160 bits
• What properties do we need?

Birthday Attack for Collisions
• Let r_1, …, r_n ∈ [0, 1, …, B]
• When n = 1.2 sqrt(B) then
  Pr[∃ i≠j: r_i = r_j]
    = 1 − Pr[∀ i≠j: r_i ≠ r_j]
    = 1 − (1 − 1/B)(1 − 2/B)…(1 − (n−1)/B)
    = 1 − ∏_{i=1}^{n−1} (1 − i/B)
    ≈ 1 − ∏_{i=1}^{n−1} e^{−i/B}
    = 1 − e^{−(1/2) n^2/B}
    = 1 − 1/e^{.7}   for n = 1.2 sqrt(B)
    = 1/2

Lesson
• 80 bit hash implies 40 bit security (for collisions)
• Need 160 bit hash output
• For n integers have ≈ n^2 pairs, each of which is a possibility for a collision

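The lesson above can be checked empirically on a deliberately small hash. The following is an added example, not part of the lecture slides: it truncates SHA-256 to a few bits as a stand-in for an n-bit hash (the function names and the sample message format are assumptions made for the illustration) and counts how many evaluations a birthday search needs, next to the slides' 1.2 sqrt(B) estimate and 1 − e^{−n^2/2B} approximation.

```python
import hashlib
import math

def truncated_hash(msg: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits: a stand-in for a small n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)

def birthday_collision(bits: int):
    """Hash distinct messages until two share a truncated digest.

    Returns (m1, m2, evaluations). The table of seen digests grows with the
    number of evaluations, so this is only practical for small `bits`.
    """
    seen = {}  # truncated digest -> message that produced it
    counter = 0
    while True:
        msg = b"constructed-sample-%d" % counter  # constructed inputs, all distinct
        counter += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter
        seen[h] = msg

def collision_probability(n: int, B: int) -> float:
    """The approximation from the birthday slide: 1 - e^(-n^2 / 2B)."""
    return 1.0 - math.exp(-(n * n) / (2.0 * B))

if __name__ == "__main__":
    for bits in (16, 24, 32):
        B = 2 ** bits
        m1, m2, evals = birthday_collision(bits)
        print(f"{bits}-bit hash: collision after {evals} evaluations "
              f"(1.2*sqrt(B) = {1.2 * math.sqrt(B):.0f}, B = {B})")
        print(f"   {m1!r} and {m2!r} both hash to {truncated_hash(m1, bits):#x}")
    B = 2 ** 32
    n = int(1.2 * math.sqrt(B))
    print(f"Pr[collision] at n = 1.2*sqrt(B): {collision_probability(n, B):.3f}")
```

The evaluation count tracks sqrt(B) rather than B, which is the reason a hash with k output bits gives only about k/2 bits of collision resistance.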
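Iterated Construction (Merkle-Damgard)
[Figure: message blocks M1, M2, M3, M4 (last block padded) are fed one at a time into f, starting from IV and producing chaining variables H0, H1, H2, H3]
1. f – Compression function
2. Hi – chaining variables
3. IV – Initial Value
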
Iterated Construction (Merkle-Damgard)
[Figure: same chain as on the previous slide: M1, M2, M3, M4 plus pad through f, from IV to H0, H1, H2, H3]
• Padding: 100000 | length
• Pad out last message block
• Add one block with message length

Collision resistance
• If compression function is collision resistant then so is iterated construction
• Way we prove this is to show that if we have M ≠ M’ and hash(M) = hash(M’) then we can find two different inputs to the compression function, (x, y) and (x’, y’), such that f(x, y) = f(x’, y’)
  - Note (x, y) ≠ (x’, y’) if x ≠ x’ or y ≠ y’

Collision Resistance
• Suppose h(M) = h(M’)
• IV = H0, H1, H2, …, Ht
• IV = H0’, H1’, H2’, …, Hr’
• Collision means Ht = Hr’
Case 1:
• Suppose t ≠ r, then Ht = Hr’ = f(Ht-1, t) = f(Hr-1’, r) ⇒ collision!

Collision Resistance
• Suppose h(M) = h(M’)
• M = M0, M1, …, Mt-1; M’ = M0’, M1’, …, Mr-1’
• IV = H0, H1, H2, …, Ht
• IV = H0’, H1’, H2’, …, Hr’
Case 2: t = r (messages have the same # of blocks)
• Look at ith chaining variable
• Have Hi = Hi’ so f(Hi, Mi) = f(Hi’, Mi’)
• If Mi ≠ Mi’ or if Hi ≠ Hi’ then have a collision; otherwise repeat observation for the (i-1)th chaining variable
• However, ∃ j: Mj ≠ Mj’, so must have a collision at some point

Block cipher construction
• Matyas-Meyer: f(M, H) = E(M, g(H)) ⊕ M
[Figure: Hi passes through g to key E, Mi is encrypted by E and XORed (⊕) with Mi to give Hi+1]
• Thm: Suppose Ek(x) = E(x, k) is a collection of random permutations. Then finding a collision takes 2^{n/2} evaluations of E. Best possible.

Customized Hash functions
• Merkle-Damgard types: compression function faster than block ciphers
• Output size (bits):
  • MD4: 128
  • MD5: 128
  • SHA-1: 160
  • SHA-2: 160, 256
  • RIPEMD: 160
• Speeds: 28.5 MB/s, 15.2 MB/s, 12.6
• Collisions found

“Provable” hash functions
• Discrete log problem: Given g^a mod p, output a
• f(a, b) = g^a h^b mod p
• Slow

Paper submission project
• Professors/grad students submit papers to conferences electronically
• Strict deadlines: 9 pm Jan. 29th
• People always wait until the last minute, so get a flood of papers at the end
• Graphics people send in videos, potentially GBs of data; no way server can handle them all

Solutions?
• Attacks?
• Properties