cryptographic hash functionsweb.cse.ohio-state.edu/~lai.1/5351/6.hash.pdfin practice, a fixed hash...
TRANSCRIPT
A function mapping from a larger domain to a smaller range
(thus not injective).
Applications:
Fast lookup (hash tables)
Error detection/co
rrection
Crypto
graphy
:
Hash function
Others
Different applications require differen
cryptographi
t properties
c hash functio
of hash
n
f
unc s.
s
tion
2
* *
: , | | | |.
E.g., :{0,1} {0,1} , :{0,1} ,
:{0,1} {0,1} , with .
In the last case, is also called
Hash func
com
(Informa
pre
tions
ssion
l)
a
:
u f
Cryptographic hash function
n
n
k l
h X Y X Y
h h Z
h k l
h
.
For cryptographic applications, ( ) is intended to be a
fingerprint or digest of .
(username, passwoA clas rd)sical application is to store a
username, (passwo
s
rd) to
nction
protect thh
h m
m
e secrecy of passwords.
For this application, what property is required of ?h
3
if ( ) , is a pre-image of .
Each hash value typically has multiple pre-images.
Collision: a pa
(Informal)
(Infor
ir ( , ), , s.t. ( ) ( ).
mal) A
Pre
-image:
Security requirements
h m y m y
m m m m h m h m
hash function is said to be:
given a hash value , it is
computationally infeasible to find a pre-ima
Pre-image resistant:
Second pre-image res
ge of .
given a mistan essaget , i:
h
y
y
m
t is
Collis
infeas
ion resistan
ible to find a second pre-image of ( ).
if it is infeasible to find a collision.t:
y h m
4
Loosely speaking,
Collision resistant Second pre-image resistant
Pre-image resistant
For cryptographic applications, a hash functio
n is required to
be collision resistant.
5
In practice, a fixed hash function is used.
However, there is a technical difficulty in defining
collision-resistance for a hash funcfixed t
Hard to define collision-resistant hash functions
h
*
( )
ion .
Try this "definition": A hash function :{0,1} {0,1} is
if for polynomial-time algorithm ,
Pr (1 ) successfully p
collision-re
roduces a co
every
llisi
sistant
on for
n
h n
h
h
A
A h neg
*
,
( ).
Problems with this definition:
For any , {0,1} , , let denote the algor
ithm
that simply prints , .
For any , an algorithm that outputs a collision wit
x x
l n
x x x x A
x x
h
h prob 1.
Thus, no hash function would be collision resistant. 6
A (with output length ( )) is a pair of PPT
al
hash function
gorithms ( , ) :
(1 ) outputs a key for some index set .
(Assume that 1
Hash function (formal definition)
n
n n
l n
Gen H
Gen s I I
*
( )
( )
is implicit in .)
takes as input a key and a string {0,1} and outputs
a string ( ) {0,1} .
If is defined only for {0,1} , where ( ) ( ),
then ( , ) is a
n
s l n
s l n
s
H s x
H x
H x l n l n
Gen H
fixed-length hash function
compression fun
(also called a
) for input of length ction ( ).l n
7
is a function with two inputs, and ( ) ( , ).
The is not necessarily a uniform string in {0,1} ,
and is inot a secre
k
t
ey
; t is more like an than a key.
To
ed
key
inde
emphas
x
i
Remarks
s
n
H H x H
s
s x
, , ,
s this, we write instead of .
An example compression function
For convenience, we often also refer to as a hash function.
(may skip) :
( , ) mod , ( , ) wh
,
s
s
p q g h
s
x y
q q
H H
H
H x y g h p x y Z
H
Z
*
ere
, , , : , primes, 2 1,
, generators of n
q
p q g h p q p q q nI
g h Z
8
,
Let ( , ) be a hash function.
Collision-finding experiment Hash-coll ( ) :
A key is generated, (1 ).
The adversary is given an outpd uts
Collision-resistant hash function
A
n
Gen H
n
s Gen
A s
*
( )( if is fixed-length).
The output of the experiment is 1 if and only if
an
, {0,1}
or , {0,1}
( ) ( )d . // finds a collision//
A hashDefinition: func
l n
s s
x x
x x
x x H x H x A
,
tion ( , ) is
if for all PPT adversaries , there is a ( ) such that
Pr H
collision
ash-coll (
-resistan
) 1 .
t
( )A
Gen H
A negl n
n negl n
9
, Pr Hash-coll ( ) 1
= Pr finds a collision for : (1 )
= Pr[ ] Pr finds a collision for
= the probability that finds a collision for a
rando l
m y
Remarks
n
A
s n
s
s I
n
A H s Gen
s A H
A
hash function .
For different , may succeed with different
pic
probabilities.
ked s
s
H
H A
10
*
Provably collision-resistant hash
:{0,1} {0,1} ?
claw-free pair
functions can be constructed
from s of one-way perm
How to construct a collision-resistant
hash function
s nH
.
(Section 10.2 of Delfs & Knebl)
In practice, hash functions are constructed from compression
functions
:{0,1} {0,1}
by a process called
utations
Merkle-Damgard'
s n r nh
s construction.
11
*
*
Construct a function :{0,1} {0,1}
from a function :{0,1} {0,1} . // ( ) //
hash
comp
1. For {0,1} of leng
ression
paddingth less than 2 , add a s
Merkle-Damgard constructions n
s n r n
r
H
h r r n
m
1 2
0
o that
the length of the result is a multiple of .
padding = 10...0 | |, where | | is the original length of .
2. Let padded , where | | .
3. Let 0 and
q i
n
i
r
m m m
m m m m m r
z z
1 0( ) for 1 . // is the IV //
4. The hash value is ( ) .
i i
s
s
q
z m i q z
H m z
h
… 12
1 2 3 qm m m m
shsh
shsh
1 2 1 q qz z z z
0z ( )sH m
not
Theor If ( , ) is collision resistant, then so is ( , ).
We will show that if is collision resistant, then is
collision resistant. Specifically, whenever the adversary
em:
Proof
.
ot cn
Gen h Gen H
H h
1 1
1
| | | |.
an
find a collision ( , ) for , then it can find a collision for .
Consider two cases:
In this case, , and so ( , ) ( , ). But
( , ) ( ) ( )
s s
q q q q q q
s s s
q q
m m H h
m m m z m z
h m z H m H m
m m
1
1 1 1 1
( , ), a collision for .
In this case, . Since ( ) ( ), there exists
an such that (
, ) ( , ) but ( , ) ( , ),
which is
| | | |.
s s
q q
s s
s s
i i i i i i i i
h m z h
q q H m H m
i m z m z h m z h m z
m m
a collision for .sh
13
14
If the adversary can find a collision , for ,
then it can find a collision for .
s
s
m m H
h
…
1 2 3padded : qm m m m m
shsh
shsh
1 2 1 q qz z z z
0z ( )sH m
…
1 2 3padded : qm m m m m
shsh
shsh
1 2 1 q qz z z z
0z ( )sH m
We have shown that for every key ,
Whenever can find a collision for , it can find a collision for .
So, for every key ,
Pr finds a collision for Pr finds a collision fo
s s
s
s
A H h
s
A h A
r
So,
Pr finds a collision for :
Pr finds a collision for
(1 )
(1 : )
s
s
ns
ns Gen
s Gen
H
A h
A H
15
*
Minimum requirement: must be large enough for to resist
the birthday a
Birthda
ttack.
randomly generate a sety attack of messages
:{0,1} {
:
0,1}
How large should be?
s
s
H
H
m
1 2
Birthday problem
, , , , and check if ( ) ( ) for some .
Why is it called a birthday attack?
In a group of people, what is the probability
that at least two of them have a s
:
am
s s
k i jm m H m H m i j
k
Having a same birthday
e bir
a col
thd
lis
ay?
ion.
16
If objects are each assigned a random value in 1, 2, ..., ,
the is
1 2 1
probability of a collisi
1 1 (i.e., 1 Pr no collision )
1
on
1
Birthday attack's success rate
p
k N
N N N k
N N N
i
N
1 1
1
1
1// ( 1)/2
1
Birthday paradox:
(note: 1 if 0 1)
1 1 1
with 365, 1 2 for as small
1 2 if
as 23
1. 1
.
7 .
i k
kx
i
ki Ni N k k N
i
x e x
e e e
N p k
p k N
17
1 2
1 2
Define Pr Pr object collides with some object .
The birthday attack's success probabili
ty satisfies:
Pr
Pr Pr Pr
0 1 2 1
( 1)
o
22
F r
i
k
k
C
k
i j i
p
p C C C
C C C
k
N N N N
k kpN
N
* a hash function :{0,1} {0,1} ,
To resist the birthday attack, should be large enough that
generating messages is practic
ally infeasible.
Currently, a minimu
2 .
2
m of is c1 8 r2 e
N
p
N
k N
H
50 29
ommended.
For 128, it will take 2 to have a successful rate of 2 . k p
18
64
an NIST standard.
using Merkle-Damgard construction.
input message is divided into blocks with padding.
padding = 10...0 | | , where | | {0,1} .
thus, mess
The Secure Hash Algorithm (SHA-1)
m
m m
64
0 15
0 4
age length is limited to | | 2 1.
block = 512 bits = 16 words = .
IV a constant of 160 bits = 5 words = .
resulting hash value: 160 bits.
underlying compression function
m
W W
H H
h
160 512 160:{0,1} {0,1} ,
a series (80 rounds) of , , , , +, and Rotate on
words ' & 's. i iW s H
19
160 is big enough to resist birthday attacks .
There is no mathematical proof for its collision resistance.
In 2004, a collision for a 58-round SHA-1 was found.
for
Newer
now
Is SHA-1 secure?
SHA's have been included in the standard:
SHA-256, SHA-384, SHA-512.
These are called the SHA-2 family.
SHA-3 is currently undergoing standardization.
On 2/23/2017, G
oogle
res
rche
ea
announced the first SHA-1 collisrs ion.
20
https://security.googleblog.com/2017/02/announcing-first-
sha1-collision.html?m=1
News article
*
*
( )
hash-then-MAC
A general MAC scheme with {0,1} can be constructed using the
paradigm. To compute a tag for
{0,1} ,
We first hash to a block {0,1}
Hash-then-MAC: basic idea
l n
M
t m
m m
, using a collision-resistant
hash function.
Then compute a tag from , using a secure ( )-bit
fixed-length MAC
scheme.
t m l n
22
( )-bit MAChash * ( )
{0,1} {0,1}
skl nH l nm m t
, : a hash function with output length ( ).
, , : a fixed-length MAC for messages of length ( ).
Construct a general
c
MAC s
ollision-resista n
c
t
Hash-then-MAC: Formal Definition
H
M
Gen H l n
Gen Mac Vrfy l n
*
heme ( , , ) :
: On input 1 , output a hash key (1 ) and
a MAC key {0,1} . The key is ( ,
)
: On input a key ( , ) and a message {0,1} ,
n n
H
n
u
Gen Mac Vrfy
Gen s Gen
k k k s
Mac k s m
*
output ( ) .
: On input a key ( , ), a message {0,1} , a tag ,
ou
tput
),
(
.
s
k
s
k
t Mac H m
Vrfy k s m t
Vrfy H m t
23
If , is a collision resistant and
, , is secure , then the MAC scheme
( ,
Theorem:
, ) constructed above is secure.
Remarks:
Hash-then-MAC: Security
H
M
Gen H
Gen Mac Vrfy
Gen Mac Vrfy
( )-bit MAChash * ( )
The MAC scheme is secure, even if the hash key
is known to the adversary.
The
{0,1}
MAC key must be kept
secret.
{0,1} s
kl nl nHm m t
s
k
24
( )-bit MAChash * ( )
(
In the hash-then-MAC paradigm, we need a collision-resistant
hash function fixed-length MAC/pseudorandom function
an a
{0,1} {0,1}
d .
MACs in practice
skl nl n
l
Hm m
)-bit
In practice, people like to use just a hash function
just a pseudorandom function:
HMAC (hash-based MAC)
CBC-MAC (pseudorandom function based M
or
A )
C
kn Ft
25
1 2
in 2 1
*
1 2
HMAC is based on the idea:
{0,1} ( ) : ( ) padding
Two keys are used as IVs: and , each of length .
Unfortunately, a standard ha
HMAC: basic idea
s sk k
k
H hs s
k k
sm H m t h H m
k k n
0 fixed
sh function (e.g., SHA-1) usually has a
IV, say , which cannot be changed by users.IV
26
…
1 2 3 qm m m m
shsh
shsh
1k pa d g) in( dsH m
sh tag
2k
ou
in out
t in
Then we have HMAC with keys ( , ) :
: ( )s s
k k
t H mk kH
27
…
1 2 3 qm m m m
shsh
shsh
ink
pa d g) in( dsH m
sh tag t
outk
sh
sh
0IV
0IV
out in
in out
A FIPS standard for constructing MAC from a hash
function . Conceptually,
HMAC ( ) ( )
where and are two keys generated from a main key .
Vari
HMAC
s
s s
k
H
m k k m
k k k
H H
ous hash functions (e.g., SHA-1, MD5) may be used for .
If we use , then HMAC is as follows:SHA-1
SHA-1 SHA HMAC ( ) ( )
where
is padded with 0's to 512 bit
-
1
s
k
H
m k opad k ipad m
k
s
3636 36 (x036 repeated 64 times)
5c5c 5c (x05c repeated 64 times)
ipad
opad
28
Loosely speaking, HMAC is secure if
the underlying compression function is collision-resistant
(and hence the hash function is collision-resitant)
and beh
Security of HMAC
s
h
H
h
aves like a pseudorandom function.
In the hash-then-MAC paradigm, the hash does not need a
secret key. In HMAC, the key is introduced to enhance the
security.
s
in
H
k
29
Problem: Alice and Bob want to toss a coin by email to decide
who is going to pay for dinner.
A proposed solution:
Use a collision resistant hash function .
Toss a coin by email
h
1 1 1
2 2 2
1 2 1 2
Alice chooses a string and compute : ( ).
Bob chooses a string and compute : ( ).
Alice and Bob exchange and . //commit but hide and //
Alice and Bob excha
x y h x
x y h x
y y x x
1 2 1 2
2 2 1 1
1 2
nge and . //reveal and //
Alice and Bob check if : ( ), : ( ), respectively.
Alice and Bob compute a boolean value from and
(e.g., take the XOR of the last
x x x x
y h x y h x
x x
bits).
Is the proposed scheme "secure/fair"?30