cryptographic hash functionsweb.cse.ohio-state.edu/~lai.1/5351/6.hash.pdfin practice, a fixed hash...

30
Cryptographic Hash Functions Reading: Chapter 5 of Katz & Lindell 1

Upload: vungoc

Post on 24-Apr-2018

233 views

Category:

Documents


7 download

TRANSCRIPT

Cryptographic Hash Functions

Reading: Chapter 5 of Katz & Lindell

1

A function mapping from a larger domain to a smaller range

(thus not injective).

Applications:

Fast lookup (hash tables)

Error detection/co

rrection

Crypto

graphy

:

Hash function

Others

Different applications require differen

cryptographi

t properties

c hash functio

of hash

n

f

unc s.

s

tion

2

* *

: , | | | |.

E.g., :{0,1} {0,1} , :{0,1} ,

:{0,1} {0,1} , with .

In the last case, is also called

Hash func

com

(Informa

pre

tions

ssion

l)

a

:

u f

Cryptographic hash function

n

n

k l

h X Y X Y

h h Z

h k l

h

.

For cryptographic applications, ( ) is intended to be a

fingerprint or digest of .

(username, passwoA clas rd)sical application is to store a

username, (passwo

s

rd) to

nction

protect thh

h m

m

e secrecy of passwords.

For this application, what property is required of ?h

3

if ( ) , is a pre-image of .

Each hash value typically has multiple pre-images.

Collision: a pa

(Informal)

(Infor

ir ( , ), , s.t. ( ) ( ).

mal) A

Pre

-image:

Security requirements

h m y m y

m m m m h m h m

hash function is said to be:

given a hash value , it is

computationally infeasible to find a pre-ima

Pre-image resistant:

Second pre-image res

ge of .

given a mistan essaget , i:

h

y

y

m

t is

Collis

infeas

ion resistan

ible to find a second pre-image of ( ).

if it is infeasible to find a collision.t:

y h m

4

Loosely speaking,

Collision resistant Second pre-image resistant

Pre-image resistant

For cryptographic applications, a hash functio

n is required to

be collision resistant.

5

In practice, a fixed hash function is used.

However, there is a technical difficulty in defining

collision-resistance for a hash funcfixed t

Hard to define collision-resistant hash functions

h

*

( )

ion .

Try this "definition": A hash function :{0,1} {0,1} is

if for polynomial-time algorithm ,

Pr (1 ) successfully p

collision-re

roduces a co

every

llisi

sistant

on for

n

h n

h

h

A

A h neg

*

,

( ).

Problems with this definition:

For any , {0,1} , , let denote the algor

ithm

that simply prints , .

For any , an algorithm that outputs a collision wit

x x

l n

x x x x A

x x

h

h prob 1.

Thus, no hash function would be collision resistant. 6

A (with output length ( )) is a pair of PPT

al

hash function

gorithms ( , ) :

(1 ) outputs a key for some index set .

(Assume that 1

Hash function (formal definition)

n

n n

l n

Gen H

Gen s I I

*

( )

( )

is implicit in .)

takes as input a key and a string {0,1} and outputs

a string ( ) {0,1} .

If is defined only for {0,1} , where ( ) ( ),

then ( , ) is a

n

s l n

s l n

s

H s x

H x

H x l n l n

Gen H

fixed-length hash function

compression fun

(also called a

) for input of length ction ( ).l n

7

is a function with two inputs, and ( ) ( , ).

The is not necessarily a uniform string in {0,1} ,

and is inot a secre

k

t

ey

; t is more like an than a key.

To

ed

key

inde

emphas

x

i

Remarks

s

n

H H x H

s

s x

, , ,

s this, we write instead of .

An example compression function

For convenience, we often also refer to as a hash function.

(may skip) :

( , ) mod , ( , ) wh

,

s

s

p q g h

s

x y

q q

H H

H

H x y g h p x y Z

H

Z

*

ere

, , , : , primes, 2 1,

, generators of n

q

p q g h p q p q q nI

g h Z

8

,

Let ( , ) be a hash function.

Collision-finding experiment Hash-coll ( ) :

A key is generated, (1 ).

The adversary is given an outpd uts

Collision-resistant hash function

A

n

Gen H

n

s Gen

A s

*

( )( if is fixed-length).

The output of the experiment is 1 if and only if

an

, {0,1}

or , {0,1}

( ) ( )d . // finds a collision//

A hashDefinition: func

l n

s s

x x

x x

x x H x H x A

,

tion ( , ) is

if for all PPT adversaries , there is a ( ) such that

Pr H

collision

ash-coll (

-resistan

) 1 .

t

( )A

Gen H

A negl n

n negl n

9

, Pr Hash-coll ( ) 1

= Pr finds a collision for : (1 )

= Pr[ ] Pr finds a collision for

= the probability that finds a collision for a

rando l

m y

Remarks

n

A

s n

s

s I

n

A H s Gen

s A H

A

hash function .

For different , may succeed with different

pic

probabilities.

ked s

s

H

H A

10

*

Provably collision-resistant hash

:{0,1} {0,1} ?

claw-free pair

functions can be constructed

from s of one-way perm

How to construct a collision-resistant

hash function

s nH

.

(Section 10.2 of Delfs & Knebl)

In practice, hash functions are constructed from compression

functions

:{0,1} {0,1}

by a process called

utations

Merkle-Damgard'

s n r nh

s construction.

11

*

*

Construct a function :{0,1} {0,1}

from a function :{0,1} {0,1} . // ( ) //

hash

comp

1. For {0,1} of leng

ression

paddingth less than 2 , add a s

Merkle-Damgard constructions n

s n r n

r

H

h r r n

m

1 2

0

o that

the length of the result is a multiple of .

padding = 10...0 | |, where | | is the original length of .

2. Let padded , where | | .

3. Let 0 and

q i

n

i

r

m m m

m m m m m r

z z

1 0( ) for 1 . // is the IV //

4. The hash value is ( ) .

i i

s

s

q

z m i q z

H m z

h

… 12

1 2 3 qm m m m

shsh

shsh

1 2 1 q qz z z z

0z ( )sH m

not

Theor If ( , ) is collision resistant, then so is ( , ).

We will show that if is collision resistant, then is

collision resistant. Specifically, whenever the adversary

em:

Proof

.

ot cn

Gen h Gen H

H h

1 1

1

| | | |.

an

find a collision ( , ) for , then it can find a collision for .

Consider two cases:

In this case, , and so ( , ) ( , ). But

( , ) ( ) ( )

s s

q q q q q q

s s s

q q

m m H h

m m m z m z

h m z H m H m

m m

1

1 1 1 1

( , ), a collision for .

In this case, . Since ( ) ( ), there exists

an such that (

, ) ( , ) but ( , ) ( , ),

which is

| | | |.

s s

q q

s s

s s

i i i i i i i i

h m z h

q q H m H m

i m z m z h m z h m z

m m

a collision for .sh

13

14

If the adversary can find a collision , for ,

then it can find a collision for .

s

s

m m H

h

1 2 3padded : qm m m m m

shsh

shsh

1 2 1 q qz z z z

0z ( )sH m

1 2 3padded : qm m m m m

shsh

shsh

1 2 1 q qz z z z

0z ( )sH m

We have shown that for every key ,

Whenever can find a collision for , it can find a collision for .

So, for every key ,

Pr finds a collision for Pr finds a collision fo

s s

s

s

A H h

s

A h A

r

So,

Pr finds a collision for :

Pr finds a collision for

(1 )

(1 : )

s

s

ns

ns Gen

s Gen

H

A h

A H

15

*

Minimum requirement: must be large enough for to resist

the birthday a

Birthda

ttack.

randomly generate a sety attack of messages

:{0,1} {

:

0,1}

How large should be?

s

s

H

H

m

1 2

Birthday problem

, , , , and check if ( ) ( ) for some .

Why is it called a birthday attack?

In a group of people, what is the probability

that at least two of them have a s

:

am

s s

k i jm m H m H m i j

k

Having a same birthday

e bir

a col

thd

lis

ay?

ion.

16

If objects are each assigned a random value in 1, 2, ..., ,

the is

1 2 1

probability of a collisi

1 1 (i.e., 1 Pr no collision )

1

on

1

Birthday attack's success rate

p

k N

N N N k

N N N

i

N

1 1

1

1

1// ( 1)/2

1

Birthday paradox:

(note: 1 if 0 1)

1 1 1

with 365, 1 2 for as small

1 2 if

as 23

1. 1

.

7 .

i k

kx

i

ki Ni N k k N

i

x e x

e e e

N p k

p k N

17

1 2

1 2

Define Pr Pr object collides with some object .

The birthday attack's success probabili

ty satisfies:

Pr

Pr Pr Pr

0 1 2 1

( 1)

o

22

F r

i

k

k

C

k

i j i

p

p C C C

C C C

k

N N N N

k kpN

N

* a hash function :{0,1} {0,1} ,

To resist the birthday attack, should be large enough that

generating messages is practic

ally infeasible.

Currently, a minimu

2 .

2

m of is c1 8 r2 e

N

p

N

k N

H

50 29

ommended.

For 128, it will take 2 to have a successful rate of 2 . k p

18

64

an NIST standard.

using Merkle-Damgard construction.

input message is divided into blocks with padding.

padding = 10...0 | | , where | | {0,1} .

thus, mess

The Secure Hash Algorithm (SHA-1)

m

m m

64

0 15

0 4

age length is limited to | | 2 1.

block = 512 bits = 16 words = .

IV a constant of 160 bits = 5 words = .

resulting hash value: 160 bits.

underlying compression function

m

W W

H H

h

160 512 160:{0,1} {0,1} ,

a series (80 rounds) of , , , , +, and Rotate on

words ' & 's. i iW s H

19

160 is big enough to resist birthday attacks .

There is no mathematical proof for its collision resistance.

In 2004, a collision for a 58-round SHA-1 was found.

for

Newer

now

Is SHA-1 secure?

SHA's have been included in the standard:

SHA-256, SHA-384, SHA-512.

These are called the SHA-2 family.

SHA-3 is currently undergoing standardization.

On 2/23/2017, G

oogle

res

rche

ea

announced the first SHA-1 collisrs ion.

20

https://security.googleblog.com/2017/02/announcing-first-

sha1-collision.html?m=1

News article

Application of hash functions

to MACs

K&L Section 5.3

21

*

*

( )

hash-then-MAC

A general MAC scheme with {0,1} can be constructed using the

paradigm. To compute a tag for

{0,1} ,

We first hash to a block {0,1}

Hash-then-MAC: basic idea

l n

M

t m

m m

, using a collision-resistant

hash function.

Then compute a tag from , using a secure ( )-bit

fixed-length MAC

scheme.

t m l n

22

( )-bit MAChash * ( )

{0,1} {0,1}

skl nH l nm m t

, : a hash function with output length ( ).

, , : a fixed-length MAC for messages of length ( ).

Construct a general

c

MAC s

ollision-resista n

c

t

Hash-then-MAC: Formal Definition

H

M

Gen H l n

Gen Mac Vrfy l n

*

heme ( , , ) :

: On input 1 , output a hash key (1 ) and

a MAC key {0,1} . The key is ( ,

)

: On input a key ( , ) and a message {0,1} ,

n n

H

n

u

Gen Mac Vrfy

Gen s Gen

k k k s

Mac k s m

*

output ( ) .

: On input a key ( , ), a message {0,1} , a tag ,

ou

tput

),

(

.

s

k

s

k

t Mac H m

Vrfy k s m t

Vrfy H m t

23

If , is a collision resistant and

, , is secure , then the MAC scheme

( ,

Theorem:

, ) constructed above is secure.

Remarks:

Hash-then-MAC: Security

H

M

Gen H

Gen Mac Vrfy

Gen Mac Vrfy

( )-bit MAChash * ( )

The MAC scheme is secure, even if the hash key

is known to the adversary.

The

{0,1}

MAC key must be kept

secret.

{0,1} s

kl nl nHm m t

s

k

24

( )-bit MAChash * ( )

(

In the hash-then-MAC paradigm, we need a collision-resistant

hash function fixed-length MAC/pseudorandom function

an a

{0,1} {0,1}

d .

MACs in practice

skl nl n

l

Hm m

)-bit

In practice, people like to use just a hash function

just a pseudorandom function:

HMAC (hash-based MAC)

CBC-MAC (pseudorandom function based M

or

A )

C

kn Ft

25

1 2

in 2 1

*

1 2

HMAC is based on the idea:

{0,1} ( ) : ( ) padding

Two keys are used as IVs: and , each of length .

Unfortunately, a standard ha

HMAC: basic idea

s sk k

k

H hs s

k k

sm H m t h H m

k k n

0 fixed

sh function (e.g., SHA-1) usually has a

IV, say , which cannot be changed by users.IV

26

1 2 3 qm m m m

shsh

shsh

1k pa d g) in( dsH m

sh tag

2k

ou

in out

t in

Then we have HMAC with keys ( , ) :

: ( )s s

k k

t H mk kH

27

1 2 3 qm m m m

shsh

shsh

ink

pa d g) in( dsH m

sh tag t

outk

sh

sh

0IV

0IV

out in

in out

A FIPS standard for constructing MAC from a hash

function . Conceptually,

HMAC ( ) ( )

where and are two keys generated from a main key .

Vari

HMAC

s

s s

k

H

m k k m

k k k

H H

ous hash functions (e.g., SHA-1, MD5) may be used for .

If we use , then HMAC is as follows:SHA-1

SHA-1 SHA HMAC ( ) ( )

where

is padded with 0's to 512 bit

-

1

s

k

H

m k opad k ipad m

k

s

3636 36 (x036 repeated 64 times)

5c5c 5c (x05c repeated 64 times)

ipad

opad

28

Loosely speaking, HMAC is secure if

the underlying compression function is collision-resistant

(and hence the hash function is collision-resitant)

and beh

Security of HMAC

s

h

H

h

aves like a pseudorandom function.

In the hash-then-MAC paradigm, the hash does not need a

secret key. In HMAC, the key is introduced to enhance the

security.

s

in

H

k

29

Problem: Alice and Bob want to toss a coin by email to decide

who is going to pay for dinner.

A proposed solution:

Use a collision resistant hash function .

Toss a coin by email

h

1 1 1

2 2 2

1 2 1 2

Alice chooses a string and compute : ( ).

Bob chooses a string and compute : ( ).

Alice and Bob exchange and . //commit but hide and //

Alice and Bob excha

x y h x

x y h x

y y x x

1 2 1 2

2 2 1 1

1 2

nge and . //reveal and //

Alice and Bob check if : ( ), : ( ), respectively.

Alice and Bob compute a boolean value from and

(e.g., take the XOR of the last

x x x x

y h x y h x

x x

bits).

Is the proposed scheme "secure/fair"?30