
06.1 Collision Resistance Introduction

This document is a summary of part of an online cryptography course by Dan Boneh. It discusses how message authentication codes (MACs) can be constructed from collision resistant hash functions. It shows that if I is a secure MAC and H is a collision resistant hash function, then the construction Ibig which applies I to the output of H maintains security. This allows building secure MACs for long messages. Collision resistance is necessary for security, as an adversary could otherwise forge messages. An example application to integrity of software packages is given which uses collision resistant hashes to detect unauthorized modifications.

Online Cryptography Course
Dan Boneh

Collision resistance: Introduction

Recap: message integrity
So far, four MAC constructions:
  PRFs:
    ECBC-MAC, CMAC: commonly used with AES (e.g. 802.11i)
    NMAC: basis of HMAC (this segment)
    PMAC: a parallel MAC
  Randomized MAC:
    Carter-Wegman MAC: built from a fast one-time MAC

This module: MACs from collision resistance.


Collision Resistance
Let H: M → T be a hash function ( |M| >> |T| )

A collision for H is a pair m0, m1 ∈ M such that:

    H(m0) = H(m1) and m0 ≠ m1

A function H is collision resistant if for all (explicit) efficient algorithms A:

    Adv_CR[A,H] = Pr[ A outputs collision for H ]   is negligible.

Example: SHA-256 (outputs 256 bits)


MACs from Collision Resistance
Let I = (S,V) be a MAC for short messages over (K,M,T) (e.g. AES)
Let H: Mbig → M

Def: Ibig = (Sbig, Vbig) over (K, Mbig, T) as:

    Sbig(k,m) = S(k,H(m)) ; Vbig(k,m,t) = V(k,H(m),t)

Thm: If I is a secure MAC and H is collision resistant, then Ibig is a secure MAC.

Example: S(k,m) = AES2-block-cbc(k, SHA-256(m)) is a secure MAC.


MACs from Collision Resistance
Sbig(k, m) = S(k, H(m)) ; Vbig(k, m, t) = V(k, H(m), t)

Collision resistance is necessary for security:

Suppose adversary can find m0 ≠ m1 s.t. H(m0) = H(m1).

Then: Sbig is insecure under a 1-chosen msg attack

    step 1: adversary asks for t ← S(k, m0)
    step 2: output (m1, t) as forgery

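An added example (not part of the original slides) of the Ibig construction and of why it needs a collision resistant H, in Python. Assumptions: HMAC-SHA256 stands in for the short-message MAC I = (S, V), and H_weak (SHA-256 truncated to 16 bits) is a constructed hash that is deliberately not collision resistant.

```python
import hashlib
import hmac
import os

def S(k, m):
    """Short-message MAC I = (S, V). Assumption: HMAC-SHA256 as a stand-in."""
    return hmac.new(k, m, hashlib.sha256).digest()

def V(k, m, t):
    return hmac.compare_digest(S(k, m), t)

def H_strong(m):
    return hashlib.sha256(m).digest()

def H_weak(m):
    """Constructed weak hash: only 16 output bits, so collisions are cheap."""
    return hashlib.sha256(m).digest()[:2]

def S_big(k, m, H):
    return S(k, H(m))          # Sbig(k, m) = S(k, H(m))

def V_big(k, m, t, H):
    return V(k, H(m), t)       # Vbig(k, m, t) = V(k, H(m), t)

def find_collision(H, limit=70000):
    """Birthday search over distinct constructed messages; None if none found."""
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i
        d = H(m)
        if d in seen:
            return seen[d], m  # m0 != m1 with H(m0) == H(m1)
        seen[d] = m
    return None

def one_chosen_message_forgery(k, H):
    """True if the tag for m0 also verifies on a different message m1."""
    pair = find_collision(H)
    if pair is None:
        return False
    m0, m1 = pair
    t = S_big(k, m0, H)                      # step 1: one chosen-message query
    return m0 != m1 and V_big(k, m1, t, H)   # step 2: (m1, t) as forgery

if __name__ == "__main__":
    key = os.urandom(16)
    print("weak H forgeable:  ", one_chosen_message_forgery(key, H_weak))
    print("SHA-256 forgeable: ", one_chosen_message_forgery(key, H_strong))
```

The 70000-message limit exceeds the 2^16 possible outputs of H_weak, so a collision is guaranteed there, while the same search against SHA-256 finds none.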
Protecting file integrity using C.R. hash
Software packages:
    package name F1, package name F2, ..., package name Fn
Read-only public space:
    H(F1), H(F2), ..., H(Fn)

When user downloads package, can verify that contents are valid.
H collision resistant ⇒ attacker cannot modify package without detection.
No key needed (public verifiability), but requires read-only space.

End of Segment
