0% found this document useful (0 votes)
88 views4 pages

Homework 6

This document contains 8 problems related to cryptography concepts such as hash functions, collision resistance, birthday paradox, and compression functions. The problems ask the student to analyze properties like collision resistance for derived hash functions, explain implications between security properties, and identify insecure compression function constructions from block ciphers. References for further reading on cryptography topics are also provided.

Uploaded by

Emamul Haque
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
88 views4 pages

Homework 6

This document contains 8 problems related to cryptography concepts such as hash functions, collision resistance, birthday paradox, and compression functions. The problems ask the student to analyze properties like collision resistance for derived hash functions, explain implications between security properties, and identify insecure compression function constructions from block ciphers. References for further reading on cryptography topics are also provided.

Uploaded by

Emamul Haque
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

Introduction to Cryptography

TEK 4500 (Fall 2020)


Problem Set 6

Problem 1.
Read Chapter 11 in [PP] and Chapter 6 in [BR] + Appendix A in [BR] (Birthday problem).

Problem 2.
Suppose we have three different hash functions producing output of lengths 64, 128 and
160 bits. How many random computations do you approximately need to find a collision
with probability p = 0.5? How many different random hash values do you approximately
need to find a collision with probability p = 0.1?

Hint: Use whatever formulation of the birthday paradox you want.

Problem 3.
Suppose H1 , H2 ; M → Y are two hash functions for which we know that at least one
is collision-resistant. Unfortunately, we don’t know which. Consider now the following
derived hash functions.
a) H : M → Y × Y, defined by H(X) = H1 (X)kH2 (X). Is H collision-resistant? Justify
your answer.
b) H : M → Y defined by H(X) = H2 (H1 (X)) (here we assume that Y ⊂ M). Is H
collision-resistant? What about H(X) = H1 (H2 (X))? Justify your answer.

Problem 4. [2nd-preimage-resistance]
The two main security properties for hash functions are collision-resistance and one-wayness.
However, there is also a third security property commonly defined for hash functions
called 2nd preimage-resistance. In a 2nd-preimage attack the adversary is given X ∈ M
and Y ← H(X), and then asked to find a different X 0 ∈ M that hash to the same value as
X. That is: given X and Y , find X 0 6= X such that H(X 0 ) = H(X) = Y . In other words,
the adversary is asked to find a second pre-image for Y , hence the name. See Fig.1 for
the formal definitions. Note that 2nd preimage-resistance is a weaker security requirement
than collision-resistance, i.e., we’re asking for more from the adversary. Indeed, for finite
M and Y, and assuming |M| >> |Y|, we have

1
ExpcrH (A): Exp2pre
H (A): Expow
H (A):
1: (X1 , X2 ) ← AH $ $
1: X←M 1: X←M
2: if X1 6= X2 ∧ H(X1 ) = H(X2 ):
2: Y ← H(X) 2: Y ← H(X)
3: return 1
3: X 0 ← AH (X, Y ) 3: X 0 ← AH (Y )
4: else
4: if X 0 6= X ∧ H(X 0 ) = Y : 4: if H(X 0 ) = Y :
5: return 0
5: return 1 5: return 1
6: else 6: else
7: return 0 7: return 0

Advcr cr
H (A) = Pr[ExpH (A) ⇒ 1]
Adv2pre 2pre
H (A) = Pr[ExpH (A) ⇒ 1]
Advow ow
H (A) = Pr[ExpH (A) ⇒ 1]

Figure 1: Security definitions for collision-resistance, 2nd preimage-resistance, and one-wayness


for a hash function H : M → Y.

collision-resistance =⇒ 2nd preimage-resistance =⇒ one-wayness.

a) Explain why the first implication above holds, i.e., why collision-resistance implies
2nd preimage-resistance.
b) Suppose {0, 1}200 ⊂ M and that H : M → Y is a collision-resistant hash function.
Now define H 0 : M → Y as follows:
(
0200 if X = 0200 or X = 1200
H 0 (X) =
H(X) otherwise

Show that H 0 is 2nd preimage-resistant, but not collision-resistant.

Problem 5.
Suppose that F : {0, 1}m → {0, 1}m is a one-way secure permutation. Define H : {0, 1}2m →
{0, 1}m as follows. Given X ∈ {0, 1}2m , write

X = X 0 ||X 00 ,

where X 0 , X 00 ∈ {0, 1}m . Then define

H(X) = F (X 0 ⊕ X 00 ).

Is H one-way? Is it 2nd preimage-resistant? Justify your answers.

2
Problem 6.
Suppose H1 : {0, 1}2m → {0, 1}m is a collision resistant hash function.

a) Define H2 : {0, 1}4m → {0, 1}m as follows:

• Write X ∈ {0, 1}4m as X = X1 ||X2 , where X1 , X2 ∈ {0, 1}2m


• Define H2 (X) = H1 (H1 (X1 )||H1 (X2 )).

Prove that H2 is collision resistant.


i
b) For an integer i ≥ 2, define a hash function Hi : {0, 1}2 m → {0, 1}m as follows:
i i−1 m
• Write X ∈ {0, 1}2 m as X = X1 ||X2 , where X1 , X2 ∈ {0, 1}2
• Define Hi (x) = H1 (Hi−1 (X1 )||Hi−1 (X2 )).

Prove that Hi is collision resistant.

Problem 7. [Problem 11.3 in [Ros]]


I’ve designed a hash function H : {0, 1}∗ → {0, 1}n . One of my ideas is to make H(X) = X
if X is an n-bit string (assume the behavior of H is much more complicated on inputs of
other lengths). That way, we know with certainty that there are no collisions among n-bit
strings. Have I made a good design decision?

Problem 8. [Davies-Meyer alternatives]


Recall that the Davies-Meyer construction is a way of turning a block cipher E : {0, 1}b ×
{0, 1}n → {0, 1}n into a collision-resistant compression function h : {0, 1}n+b → {0, 1}n as:

h(V kM ) = E(M, V ) ⊕ V.

Here we look at some alternative constructions to Davies-Meyer that all turn out to be
insecure. For b) and c) we assume that b = n.

a) h1 (V kM ) = E(M, V )

b) h2 (V kM ) = E(M, V ) ⊕ M

c) h3 (V kM ) = E(V, V ⊕ M ) ⊕ V

Show that none of the compression functions above are collision-resistant.

3
References
[BR] Mihir Bellare and Phillip Rogaway. Introduction to Modern Cryptography. https:
//web.cs.ucdavis.edu/~rogaway/classes/227/spring05/book/main.pdf.

[PP] Christof Paar and Jan Pelzl. Understanding Cryptography - A Textbook for Students and
Practitioners. Springer, 2010.

[Ros] Mike Rosulek. The Joy of Cryptography, (draft Feb 6, 2020). https://web.engr.
oregonstate.edu/~rosulekm/crypto/crypto.pdf.

You might also like