CSE446: Blockchain & Cryptocurrencies

Lecture – 2: Cryptography Review

Agenda
• Cryptography review
• Cryptographic hash functions
• Symmetric encryption
• Asymmetric encryption (Public-key encryption)
• Digital signature
• Merkle tree This lecture has been prepared from multiple sources:
• Textbook
• https://github.com/PratyushRT/blockchainsS21/wiki
• https://github.com/sebischair/bbse
Cryptographic hash function
• A hash function is a mathematical function with the following
three properties
• Its input can be any string of any size
• It produces a fixed size output
• It is efficiently computable
• computing the hash of an n-bit string should have a running time
of O(n)
Cryptographic hash function
Compression: H: {0,1}* à {0,1}n
101011001010101
010101010111101 acf13da379e12...
010101010101010

H(.)

Blockchain e41ade90cd94…
Cryptographic hash function
• A cryptographic hash function is a general hash function that
should satisfy these properties
• collision-resistance
• preimage resistance
• hiding
• puzzle-friendliness
Cryptographic hash function
• A cryptographic hash function is a general hash function that
should satisfy these three properties
• collision-resistance
Must-have
• preimage resistance
• hiding
Desirable for certain blockchain systems
• puzzle-friendliness
 We’ll look more closely at each of these properties to gain an understanding of why it’s useful to have
a function that behaves that way. The reader who has studied cryptography should be aware that the
treatment of hash functions in this book is a bit different from a standard cryptography textbook. The
puzzle‐friendliness property, in particular, is not a general requirement for cryptographic hash
functions, but one that will be useful for cryptocurrencies specifically.
Cryptographic hash
Property 1: Collision‐resistance. ​ The firstfunction:
property that we needcollision
from a cryptographic resistance
hash function is
that it’s collision‐resistant. A collision occurs when two distinct inputs produce the same output. A
hash function ​H(.) ​is collision‐resistant if nobody can find a collision. Formally:
• A hash function is said to be collision resistant if it is infeasible
Collision‐resistance: ​A hash function​ H​ is said to be collision resistant if it is infeasible to find​ ​two
to find two
values, ​x​ andvalues,
​y​, such that ​xx​≠​ ​yand
​, yet ​H(x)y, such
​=​H(y) ​. that x≠y,yet H(x)=H(y)

Figure 1.1 A hash collision. ​x ​and ​y​ are distinct values, yet when input into hash function ​H​, they
produce the same output.

Notice that we said ​nobody can find ​a collision, but we did not say that no collisions exist. Actually, we
know for a fact that collisions do exist, and we can prove this by a simple counting argument. The
input space to the hash function contains all strings of all lengths, yet the output space contains only
strings of a specific fixed length. Because the input space is larger than the output space (indeed, the
Cryptographic hash function: collision resistance
• A hash function is said to be collision resistant if
it is infeasible to find two values, x and y,such
that x≠y,yet H(x)=H(y)
• Infeasible-> hard to find a collision, but not,Figure
no1.2​ Because the number of inputs exceeds the number of outputs, we are guaranteed that
​

collisions exist there must be at least one output to which the hash function maps more than one input.

• The input space is > the output space (the input

Now, to make things even worse, we said that it has to be impossible to find a collision. Yet, there are

space is infinite, while the output space is finite)

methods that are guaranteed to find a collision. Consider the following simple method for finding a
256​
collision for a hash function with a 256‐bit output size: pick 2 + 1 distinct values, compute the ​
hashes of each of them, and check if there are any two outputs are equal. Since we picked more
• there must be input strings that map to the same
inputs than possible outputs, some pair of them must collide when you apply the hash function.

output string (the pigeonhole principle) The method above is guaranteed to find a collision. But if we pick random inputs and compute the
hash values, we’ll find a collision with high probability long before examining 2​ + 1 inputs. In fact, if 256​

130​
we randomly choose just 2​ + 1 inputs, it turns out there’s a 99.8% chance that at least two of them
• But it will be hard to find these are going to collide. The fact that we can find a collision by only examining roughly the square root of
the number of possible outputs results from a phenomenon in probability known as the ​birthday
paradox​. In the homework questions at the end of this chapter, we will examine this in more detail.
https://miro.medium.com/max/1178/1*rj_4nlE4Qw_ok0P7A7chHA.png
This collision‐detection algorithm works for every hash function. But, of course, the problem with it is
that this takes a very, very long time to do. For a hash function with a 256‐bit output, you would have
to compute the hash function 2256 ​ ​+ 1 times in the worst case, and about 2128
​ ​ times on average. That’s
Cryptographic hash function: collision resistance
• How to find a collision?
• Choose 2256 + 1 distinct Input for a hash function with 256 bit output
• Calculate hash for each input and check if the output matches with any
previous hash
• Since input sine > output size, there must be a match (collision)
• Try 2130 randomly chosen inputs, 99.8% chance that two of them will
collide
• Examining roughly the square root of the number of possible outputs (the
birthday paradox)
• The birthday paradox is that, counterintuitively, the probability of a shared
birthday exceeds 50% in a group of only 23 people
Cryptographic hash function: collision resistance

• Is finding collision computationally feasible?

• A 256-bit hash function
• worst case: 2256+ 1 times
• best case: 2128 times on average
• If a computer calculates 10,000 hashes per second, 1027 years
to generate 2128 hashes!
Cryptographic hash function: collision resistance
• The previous way was a brute-force method
• Is there any other optimised method available for finding
collisions?
• Yes, for some hash functions: H(x) = x mod 2256
• Generates a 256 bit output and easily computable
• But returns the last 256 bits of the input. One collision: 3 and 3 + 2256
• For others (e.g. SHA-256), we don’t know yet
Cryptographic hash function: collision resistance
• Real-world adversaries
• In practice, everyone has bounded resources
• Therefore, reasonable to model a real-world adversary as such an entity
• However, we do not make any assumptions about the adversarial strategy
• He can use its (bounded) resources in any possible way
• Cryptographic adversary: A probabilistic polynomial-time (PPT)
algorithm
• an algorithm that runs in polynomial time (running time grows as a
polynomial function of the input size) and may use (true) randomness to
produce (possibly) non-deterministic results
Cryptographic hash function: collision resistance

• Collision Resistance (informal):

• A hash function H is collision-resistant if for all PPT adversaries
A,
Pr[A outputs x,y s.t. x!=y and H(x)=H(y)] = “very small”
Collision resistance: application
• Message digest: a hash of any input, e.g. bits, random strings,
characters or even files
Data1 ? Data2

Server Upload Download

Data1 Delete Data2

PC

Hash1 Hash2 No manipulation, if

matched

=
Manipulation, if not
matched
Hash1
t
Cryptographic hash function: pre-image resistance

• H is a hash function
• For essentially all pre-specified outputs y, it is computationally
infeasible to find an x such that H(x) = y
• H is also called a one-way function

acf13da379e12... H-1(.) ???

Cryptographic hash function: pre-image resistance

• If x is drawn from a uniform distribution with a large number of

elements, then inverting H(x) is hard
• But what if x is drawn from a low min-entropy distribution?
• In information-theory, min-entropy is a measure of how
predictable an outcome is
• High min-entropy captures the intuitive idea that the
distribution (i.e., random variable) is very spread out
Cryptographic hash function: pre-image resistance

• But what if x is drawn from a low min-entropy distribution?

• Let the sample space is X = {h, t}
• H(x) = y
• Can an attacker find the value of x given y?
Cryptographic hash function: hiding
• A desirable property for a
cryptographic hash function is
hiding which also tackles x
picking up from a low min-
entropy distribution x ??

• A hash function H is hiding if Random

number, r
r || x H(r || x) a34cd87..

• when a secret value r is chosen

from a probability distribution
that has high min-entropy,
• then given H(r ǁ x) it is infeasible
to find x
Hiding: application
• Commitment scheme
• Want to “seal a value (who will win the world cup 22?) in an
envelope”, and publish it
• Commit to a value (Argentina J) -> this is commitment
• Reveal your commitment to anyone -> open the envelope and
verify your commitment
Hiding: commitment scheme
• com := commit(msg, key)
• msg is the message and key is the random number used once
• commit is essentially a hash function operating over the concatenation of
msg and key
• verification := verify(com, msg, key)
• Checks and returns whether msg and key produce the same result as com
• Security properties:
• Hiding: Given com, no PPT adversary can find msg
• Binding: No PPT adversary can find (msg, key) != (msg’,key’) such that
verify(commit(msg, key), key’,msg’) == true
Hiding: commitment scheme
Commitment

Selection x
(Argentina or Brasil)

Random
r || x H(r || x) a34cd87..
number, r
com

Argentina

Reveal
Question?

ANY QUESTION?