Hashfuncs 6up

The document provides an overview of hash functions, their properties, and applications in cryptography, emphasizing the importance of collision resistance and preimage resistance. It discusses various types of hash functions, including one-way hash functions and message authentication codes, as well as their limitations in ensuring data integrity and confidentiality. Additionally, it covers specific hash algorithms like MD5 and SHA-1, highlighting their construction and current status in cryptographic security.

Uploaded by

Rahnd Hassan

Cryptography II: Hash Functions
Computer Security Lecture 3

David Aspinall
School of Informatics
University of Edinburgh
23rd January 2012

Hash function basics

• A hash function is a computationally efficient function $h : \{0,1\}^* \to \{0,1\}^k$ which compresses any arbitrary length binary string to a fixed size k-length binary hash value (or hash for short).
• A good hash function distributes values uniformly: the probability that a randomly chosen string s gets mapped to a particular hash y is $1/2^k$.
• A cryptographic hash function must satisfy some further properties, e.g.:
  1. it should be difficult to invert;
  2. it should be difficult to find a second input that hashes to the same value as another input;
  3. it should be difficult to find any two inputs that hash to the same value.
  depending on the application.

Hash function uses and non-uses

• Integrity: Alice sends m, h(m) (or alternatively, $E_k(m \,\|\, h(m))$) to Bob.
  • Protects against malicious modification.
• Confidentiality: An Authentication Server stores a user’s password p as h(p).
• Other uses: confirming knowledge (e.g. password) without revealing, deriving keys, pseudo-random numbers. A piece of “cryptographic glue”.
• On their own, hash functions don’t protect against
  • Malicious repetition of data, e.g., repeating a £100 bank deposit. (Ex. how could you do that?)
  • Dishonest repudiation, e.g., denying sending a hashed email message with a correct hash.
• Nor do they support message recovery, i.e., recovering the original message after tampering

Properties of cryptographic hash functions

Preimage Resistance (One-way)
h is preimage resistant if given a hash value y, it is computationally infeasible to find an x such that $h(x) = y$.

2nd Preimage Resistance (Weak Collision Resistance)
h is 2nd preimage resistant if given a value $x_1$ and its hash $h(x_1)$, it is computationally infeasible to find another $x_2$ such that $h(x_2) = h(x_1)$.

(Strong) Collision Resistance
h is collision resistant if it is computationally infeasible to find any two inputs $x_1$ and $x_2$ such that $h(x_1) = h(x_2)$.

Hash function Classification [HAC]

[Figure]

Modification Detection Codes

• The main application of hash functions is as Modification Detection Codes to provide data integrity.
• A hash h(x) provides a short message digest, a “fingerprint” of some possibly large data x. If the data is altered, the digest should become invalid.
• This allows the data (but not the hash!) to be stored in an unsecured place.
• If x is altered to $x'$, we hope $h(x) \ne h(x')$, so it can be detected.
• This is useful especially where malicious alteration is a concern, e.g., software distribution.
• Ordinary hash functions such as CRC-checkers produce checksums which are not 2nd preimage resistant: an attacker could produce a hacked version of a software product and ensure the checksum remained the same.
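
Why a CRC fails as a Modification Detection Code, as an added example that is not part of the original lecture: CRC-32 is affine over XOR, so the effect of any change on the checksum can be predicted from public values alone, while SHA-256 has no such structure. The byte strings are constructed sample data.

```python
import hashlib
import zlib

def xor_bytes(*parts: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(parts[0]))
    for part in parts:
        if len(part) != len(out):
            raise ValueError("inputs must have equal length")
        for i, byte in enumerate(part):
            out[i] ^= byte
    return bytes(out)

def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal lengths, crc(a^b^c) == crc(a)^crc(b)^crc(c) always holds."""
    predicted = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)
    return zlib.crc32(xor_bytes(a, b, c)) == predicted

def sha256_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """The same relation tested on SHA-256 digests; it does not hold."""
    digests = [hashlib.sha256(x).digest() for x in (a, b, c)]
    return hashlib.sha256(xor_bytes(a, b, c)).digest() == xor_bytes(*digests)

# Constructed sample data: two equal-length file images and a filler block.
RELEASE = b"installer v1.0 build 0001"
ALTERED = b"installer v1.0 build 0666"
FILLER = b"-" * len(RELEASE)

if __name__ == "__main__":
    print("CRC-32 relation holds: ", crc32_is_affine(RELEASE, ALTERED, FILLER))
    print("SHA-256 relation holds:", sha256_is_affine(RELEASE, ALTERED, FILLER))
```

Because the checksum of a modified file is a known function of the modification, a CRC detects accidental corruption only; a release process should publish a cryptographic digest over an authenticated channel.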

Varieties of MDCs

• A one-way hash function (OWHF) is a hash function that satisfies preimage resistance and 2nd-preimage resistance.
• A collision resistant hash function (CRHF) is a hash function that satisfies 2nd-preimage resistance and collision resistance.
• In practice, CRHF usually satisfies preimage resistance.
• CRHFs are harder to construct than OWHFs and have longer length hash values.
• Choice between OWHF and CRHF depends on application:
  • If attacker can control input, CRHF required.
  • Otherwise OWHF suffices
• Ex: which is needed for password file security?

Message Authentication Codes

• Message Authentication Codes are keyed hash functions, indexed with a secret key.
• As well as data integrity, they provide data-origin authentication, because it is assumed that apart from the recipient, only the sender knows the secret key necessary to compute the MAC.
• A MAC is a key-indexed family of hash functions, $\{h_k \mid k \in K\}$. MACs must satisfy a computation resistance property.

Computation Resistance
Given a set of pairs $(x_i, h_k(x_i))$ it is computationally infeasible to find any other text-MAC pair $(x, h_k(x))$ for a new input $x \ne x_i$.

Relationships between properties

• Collision resistance implies 2nd-preimage resistance.
• Sketch proof [HAC]:
  • Let h be CR, but suppose it is not 2nd PI.
  • Fix some input x; compute h(x).
  • Since not 2nd PI, we can find an $x' \ne x$ with $h(x') = h(x)$.
  • But now $(x, x')$ is a collision, so h cannot be CR.
• This and similar arguments (e.g., see Smart) can be made precise using the Random Oracle Model.
• Collision resistance does not imply preimage resistance
• Contrived counterexample:

$$h(x) = \begin{cases} 1 \,\|\, x & \text{if } x \text{ has length } n \\ 0 \,\|\, g(x) & \text{otherwise} \end{cases}$$

Collision Resistance and Birthday Attacks

• To satisfy (strong) collision resistance, a hash function must be large enough to withstand a birthday attack (or square root attack).
• Drawing random elements with replacement from a set of k elements, a repeat is likely after about $\sqrt{k}$ selections.
• Mallory has two contracts, one for £1000, the other £100,000, to be signed with a 64-bit hash. He makes $2^{32}$ minor variations in each (e.g. spaces/control chars), and finds a pair with the same hash. Later claims second document was signed, not first.
• An n-bit unkeyed hash function has ideal security if producing a preimage or 2nd-preimage each requires $2^n$ operations, and producing a collision requires $2^{n/2}$ operations.

From one-way functions to MDCs

• Multiplication of large primes is a OWF
  • for appropriate choices of p and q, $f(p, q) = pq$ is a one-way function since integer factorization [FACTORING] is difficult.
  • Not feasible to turn into an MD function, though. (Ex: why?)
• Exponentiation in finite fields is a OWF
  • for appropriate primes p and numbers α, $f(x) = \alpha^x \bmod p$ is a one-way function, since the discrete logarithm problem [DLP] is difficult.
  • Main problem with turning this into a realistic MD function is that it’s too slow to calculate.

OWFs from block ciphers

• A block cipher is an encryption scheme which works on fixed length blocks of input text.
• We can construct a OWF from a block cipher such as DES, which is treated essentially as a random function:

$$h(x) = E_k(x) \oplus x$$

  for fixed key k. This can be turned into a MD function, by iteration...
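
The birthday bound from the "Collision Resistance and Birthday Attacks" slide, measured rather than stated, as an added example that is not part of the original lecture. It assumes SHA-256 truncated to n bits as a stand-in for an ideal n-bit hash; the messages are constructed counter strings.

```python
import hashlib
from itertools import count

def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for an ideal n-bit hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def find_collision(bits: int):
    """Hash distinct inputs until two share a value; return both and the count."""
    seen = {}
    for trials in count(1):
        msg = b"constructed-msg-%d" % trials
        value = truncated_hash(msg, bits)
        if value in seen:
            return seen[value], msg, trials
        seen[value] = msg

def survey(bit_sizes=(16, 24, 32)):
    """For each size n, report trials used and the ratio to 2^(n/2)."""
    rows = []
    for bits in bit_sizes:
        _, _, trials = find_collision(bits)
        rows.append((bits, trials, trials / 2 ** (bits / 2)))
    return rows

if __name__ == "__main__":
    for bits, trials, ratio in survey():
        print(f"n={bits:2d}: collision after {trials:6d} hashes "
              f"({ratio:.2f} x 2^(n/2), versus 2^{bits} for a preimage)")
```

The work grows with the square root of the output space, which is why a digest meant to resist collisions at a 2^128 work level needs at least 256 output bits.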

Iterated hash function construction [HAC]

[Figure]

Building up hash functions

• An iterated hash function is constructed using a compression function f which converts a t + n-bit input into an n-bit output.
• The input x is split into blocks $x_1 x_2 \ldots x_k$ of size t, appending padding bits and a length block indicating the original length.

$$H_0 = IV, \qquad H_i = f(H_{i-1}, x_i),\ 1 \le i \le k, \qquad h(x) = g(H_k).$$

• IV: an initialization vector; g: an output transformation (often identity).
• This is Merkle’s meta-method
• Fact: any CR compression function f can be extended to a CRHF by the above construction, and
  • padding: the last block with 0s, adding a final extra block $x_k$ which holds right-justified binary representation of length(x) (this padding is called MD strengthening).
  • Set $IV = 0^n$, $g = \mathrm{id}$, and compute $H_i = f(H_{i-1}, x_i)$.

MD5

• Improvement of MD4; MD4 and MD5 designed by Ron Rivest.
• Text processed in 512-bit blocks, as 16 32-bit sub-blocks. Output is four 32-bit blocks, giving a 128-bit hash. Message padded with 1 and then 0s until last block is 448 bits long, then a 64-bit length.
• Main loop has four rounds, chaining 4 variables a, b, c, d. Each round uses a different operation (with a similar structure) 16 times, which computes a new value of one of the four variables using a non-linear function of the other three, chosen to preserve randomness properties of the input.
• For example, the first round uses the operation:

$$a = (F(b, c, d) + x_i + t_j) \lll s$$
$$F(b, c, d) = (b \wedge c) \vee (\neg b \wedge d)$$

  where $\lll s$ is left-circular shift of s bits, $x_i$ is the ith sub-block of the message. Constants $t_j$ are the integer part of $2^{32} * \mathrm{abs}(\sin(i + 1))$ where $0 \le i \le 63$ is in radians (for the 4 * 16 steps).

SHA-1 (160)

• Secure Hash Algorithm (rev 1) is a NIST standard [FIPS 180] also based on MD4. Five 32-bit blocks are chained; output is 160 bits. Message blocks 512 bits. Padding like MD5.
• Main loop has four rounds of 20 operations, chaining 5 variables a, b, c, d, e. Five IVs and four constants are used:

    A = 0x67452301    K0 = 0x5A827999
    B = 0xEFCDAB89    K1 = 0x6ED9EBA1
    C = 0x98BADCFE    K2 = 0x8F1BBCDC
    D = 0x10325476    K3 = 0xCA62C1D6
    E = 0xC3D2E1F0

• The message block undergoes an expansion transformation from 16*32-bit words $x_i$ to 80*32-bit words $w_i$ by:

$$w_i = x_i, \quad \text{for } 0 \le i \le 15.$$
$$w_i = (w_{i-3} \oplus w_{i-8} \oplus w_{i-14} \oplus w_{i-16}) \lll 1, \quad \text{for } 16 \le i \le 79.$$

SHA-1 (160) continued

• 80 steps in main loop, changing Ks and Fs 4 times
• Where j = i/20 (integer division):

    for (i = 0; i < 80; i++) {
        tmp = (a <<< 5) + F_j(b, c, d) + e + w_i + K_j;
        /* shift the chain: each variable takes its predecessor's value */
        e = d;
        d = c;
        c = b <<< 30;
        b = a;
        a = tmp;
    }

• Each $F_j$ combines three of the five variables:

$$F_0(X, Y, Z) = (X \wedge Y) \vee (\neg X \wedge Z)$$
$$F_1(X, Y, Z) = X \oplus Y \oplus Z$$
$$F_2(X, Y, Z) = (X \wedge Y) \vee (X \wedge Z) \vee (Y \wedge Z)$$
$$F_3(X, Y, Z) = X \oplus Y \oplus Z$$

• Finally a, b, c, d, e are added to tmp (all addition is modulo $2^{32}$).
• Exercise: implement SHA-1 in your favourite language following this. Test against sha1sum.

Current Status

• Hash functions are a versatile and powerful primitive.
• However, difficult to construct and less researched than encryption schemes.
• ideal hash function is a “random mapping” where knowledge of previous results doesn’t give knowledge of another.
• practical fast iterative hash constructions fail this!
• MD4 (1998), MD5 (1993/2005), SHA-1 (2005) are now all considered broken.
• The US National Institute of Standards and Technology (NIST) has since developed a set of newer hash functions.
• Formerly called SHA-2, they are denoted by their output size: SHA-256, SHA-384, SHA-512.
• However, since they are based upon the same SHA construction, they are not long-term solutions
• NIST is currently running a SHA-3 competition to determine the successor.
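
One way to carry out the SHA-1 exercise, as an added example that is not part of the original lecture. It follows the IVs, constants, expansion and step function given on the SHA-1 slides; the big-endian word order and the final addition of the working variables to the chaining state follow FIPS 180.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
F = (
    lambda x, y, z: (x & y) | (~x & z),            # F0, steps 0..19
    lambda x, y, z: x ^ y ^ z,                     # F1, steps 20..39
    lambda x, y, z: (x & y) | (x & z) | (y & z),   # F2, steps 40..59
    lambda x, y, z: x ^ y ^ z,                     # F3, steps 60..79
)

def rotl(value: int, shift: int) -> int:
    """32-bit left-circular shift (the <<< operator on the slides)."""
    return ((value << shift) | (value >> (32 - shift))) & MASK

def pad(message: bytes) -> bytes:
    """A 1 bit, then 0s up to 448 mod 512 bits, then the 64-bit bit length."""
    zeros = (55 - len(message)) % 64
    return message + b"\x80" + b"\x00" * zeros + struct.pack(">Q", 8 * len(message))

def compress(state, block: bytes):
    """One application of the compression function to a 512-bit block."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):                        # message expansion
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        j = i // 20
        tmp = (rotl(a, 5) + F[j](b, c, d) + e + w[i] + K[j]) & MASK
        e, d, c, b, a = d, c, rotl(b, 30), a, tmp
    # Add the working variables back into the chaining state, modulo 2^32.
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))

def sha1(message: bytes) -> str:
    """Iterate the compression function over the padded message."""
    state = IV
    padded = pad(message)
    for offset in range(0, len(padded), 64):
        state = compress(state, padded[offset:offset + 64])
    return struct.pack(">5I", *state).hex()

if __name__ == "__main__":
    sample = b"abc"
    print(sha1(sample), sha1(sample) == hashlib.sha1(sample).hexdigest())
```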

References

A. J. Menezes, P. C. Van Oorschot, S. A. Vanstone, eds. Handbook of Applied Cryptography. CRC Press, 1997. Online: http://www.cacr.math.uwaterloo.ca/hac.

Niels Ferguson and Bruce Schneier. Practical Cryptography. John Wiley & Sons, 2003.

Douglas R Stinson. Cryptography Theory and Practice. CRC Press, second edition, 2002.

Nigel Smart. Cryptography: An Introduction. McGraw-Hill, 2003. Third edition online: http://www.cs.bris.ac.uk/~nigel/Crypto_Book/

Recommended Reading
One of: Ch 9 of HAC (9.1–9.2); Ch. 10 of Smart 3rd Ed; 11.1–11.3 of Gollmann.
