Hashfuncs 6up

Cryptography II: Hash Functions
Computer Security Lecture 3
David Aspinall
School of Informatics, University of Edinburgh
23rd January 2012

Hash functions

- A hash function is a computationally efficient function h : {0,1}* → {0,1}^k which compresses any arbitrary length binary string to a fixed size k-length binary hash value (or hash for short).
- A good hash function distributes values uniformly: the probability that a randomly chosen string s gets mapped to a particular hash y is 1/2^k.
- A cryptographic hash function must satisfy some further properties, e.g.:
  1. it should be difficult to invert;
  2. it should be difficult to find a second input that hashes to the same value as another input;
  3. it should be difficult to find any two inputs that hash to the same value.
  depending on the application.

Uses of hash functions

- Integrity: Alice sends m, h(m) (or alternatively, E_k(m||h(m))) to Bob.
  - Protects against malicious modification.
- Confidentiality: an Authentication Server stores a user's password p as h(p).
- Other uses: confirming knowledge (e.g. of a password) without revealing it, deriving keys, pseudo-random numbers. A piece of "cryptographic glue".
- On their own, hash functions don't protect against
  - malicious repetition of data, e.g., repeating a £100 bank deposit. (Ex. how could you do that?)
  - dishonest repudiation, e.g., denying sending a hashed email message with a correct hash.
- Nor do they support message recovery, i.e., recovering the original message after tampering.
Properties of cryptographic hash functions

Preimage Resistance (One-way)
h is preimage resistant if given a hash value y, it is computationally infeasible to find an x such that h(x) = y.

2nd Preimage Resistance (Weak Collision Resistance)
h is 2nd preimage resistant if given a value x1 and its hash h(x1), it is computationally infeasible to find another x2 such that h(x2) = h(x1).

(Strong) Collision Resistance
h is collision resistant if it is computationally infeasible to find any two inputs x1 and x2 such that h(x1) = h(x2).

Hash function Classification [HAC]

(classification diagram from [HAC]; the figure is not reproduced in the text)

Modification Detection Codes

- The main application of hash functions is as Modification Detection Codes to provide data integrity.
- A hash h(x) provides a short message digest, a "fingerprint" of some possibly large data x. If the data is altered, the digest should become invalid.
- This allows the data (but not the hash!) to be stored in an unsecured place.
- If x is altered to x', we hope h(x) ≠ h(x'), so it can be detected.
- This is useful especially where malicious alteration is a concern, e.g., software distribution.
- Ordinary hash functions such as CRC-checkers produce checksums which are not 2nd preimage resistant: an attacker could produce a hacked version of a software product and ensure the checksum remained the same.
Varieties of MDCs

- A one-way hash function (OWHF) is a hash function that satisfies preimage resistance and 2nd-preimage resistance.
- A collision resistant hash function (CRHF) is a hash function that satisfies 2nd-preimage resistance and collision resistance.
- In practice, a CRHF usually satisfies preimage resistance.
- CRHFs are harder to construct than OWHFs and have longer length hash values.
- Choice between OWHF and CRHF depends on the application:
  - If the attacker can control the input, a CRHF is required.
  - Otherwise an OWHF suffices.
- Ex: which is needed for password file security?

Message Authentication Codes

- Message Authentication Codes are keyed hash functions, indexed with a secret key.
- As well as data integrity, they provide data-origin authentication, because it is assumed that apart from the recipient, only the sender knows the secret key necessary to compute the MAC.
- A MAC is a key-indexed family of hash functions, {h_k | k ∈ K}. MACs must satisfy a computation resistance property.

Computation Resistance
Given a set of pairs (x_i, h_k(x_i)) it is computationally infeasible to find any other text-MAC pair (x, h_k(x)) for a new input x ≠ x_i.

Relationships between properties

- Collision resistance implies 2nd-preimage resistance.
- Sketch proof [HAC]:
  - Let h be CR, but suppose it is not 2nd PI.
  - Fix some input x; compute h(x).
  - Since h is not 2nd PI, we can find an x' ≠ x with h(x') = h(x).
  - But now (x, x') is a collision, so h cannot be CR.
- This and similar arguments (e.g., see Smart) can be made precise using the Random Oracle Model.
- Collision resistance does not imply preimage resistance.
- Contrived counterexample:
      h(x) = 1 || x      if x has length n
             0 || g(x)   otherwise
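The two arguments on the slide above, worked as an added example (not code from the lecture): the sketch proof is run as a reduction on a constructed toy hash (SHA-256 truncated to a few bits, so that a brute-force 2nd-preimage finder is feasible), and the contrived counterexample is implemented with g = SHA-256 standing in for a collision-resistant hash and n = 16 bytes; all of these parameter choices are assumptions for the demo.

```python
import hashlib

def trunc_hash(x: bytes, bits: int) -> int:
    # Toy n-bit hash: the top `bits` bits of SHA-256 (constructed so that n is tiny)
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - bits)

def second_preimage_by_search(x: bytes, bits: int, limit: int = 1 << 20):
    # Brute-force 2nd-preimage finder for the toy hash: only feasible because n is tiny.
    # Returns x' != x with h(x') = h(x), or None if the search budget runs out.
    target = trunc_hash(x, bits)
    for i in range(limit):
        cand = b"cand-%d" % i
        if cand != x and trunc_hash(cand, bits) == target:
            return cand
    return None

def collision_from_second_preimage(finder, x: bytes, bits: int):
    # The slide's reduction: fix x, ask any 2nd-preimage finder for x' != x with
    # h(x') = h(x); the pair (x, x') is a collision. So a hash that is not 2nd-PI
    # cannot be CR, i.e. collision resistance implies 2nd-preimage resistance.
    x2 = finder(x, bits)
    if x2 is None:
        return None
    if x2 == x or trunc_hash(x2, bits) != trunc_hash(x, bits):
        raise ValueError("finder returned an invalid 2nd preimage")
    return (x, x2)

N = 16  # constructed: the special input length n (in bytes) of the counterexample

def contrived_h(x: bytes) -> bytes:
    # h(x) = 1 || x if x has length n, else 0 || g(x), with g = SHA-256 (assumed CR).
    # A collision needs two tag-1 inputs (impossible, h is the identity there) or a
    # collision in g, so h inherits collision resistance from g.
    if len(x) == N:
        return b"\x01" + x
    return b"\x00" + hashlib.sha256(x).digest()

def invert_contrived(y: bytes):
    # Every tag-1 output is inverted by simply dropping the tag, so h is not
    # preimage resistant even though it is collision resistant.
    if y[:1] == b"\x01" and len(y) == N + 1:
        return y[1:]
    return None  # tag 0: no easier than inverting g
```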
Collision Resistance and Birthday Attacks

- To satisfy (strong) collision resistance, a hash function must be large enough to withstand a birthday attack (or square root attack).
- Drawing random elements with replacement from a set of k elements, a repeat is likely after about √k selections.
- Mallory has two contracts, one for £1000, the other for £100,000, to be signed with a 64-bit hash. He makes 2^32 minor variations in each (e.g. spaces/control chars), and finds a pair with the same hash. Later he claims the second document was signed, not the first.
- An n-bit unkeyed hash function has ideal security if producing a preimage or 2nd-preimage each requires 2^n operations, and producing a collision requires 2^(n/2) operations.

From one-way functions to MDCs

- Multiplication of large primes is an OWF
  - for appropriate choices of p and q, f(p, q) = pq is a one-way function since integer factorization [FACTORING] is difficult.
  - Not feasible to turn into an MD function, though. (Ex: why?)
- Exponentiation in finite fields is an OWF
  - for appropriate primes p and numbers α, f(x) = α^x mod p is a one-way function, since the discrete logarithm problem [DLP] is difficult.
  - The main problem with turning this into a realistic MD function is that it's too slow to calculate.

OWFs from block ciphers

- A block cipher is an encryption scheme which works on fixed length blocks of input text.
- We can construct an OWF from a block cipher such as DES, which is treated essentially as a random function:
      h(x) = E_k(x) ⊕ x
  for a fixed key k. This can be turned into an MD function, by iteration...
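An added example (not code from the lecture) that measures the birthday bound from the slide above on a constructed toy hash: SHA-256 truncated to n bits, hashed over distinct counter messages until a repeat appears. With n = 32 the repeat arrives after roughly 2^16 hashes, the 2^(n/2) collision cost of the ideal-security definition, which is why a digest must be twice as long as the preimage security level it is meant to provide. The message format and truncation are assumptions for the demo.

```python
import hashlib
import math

def trunc_hash(x: bytes, bits: int) -> int:
    # Toy n-bit hash: the top `bits` bits of SHA-256 (constructed so that n is small)
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - bits)

def birthday_collision(bits: int, limit: int = 0):
    # Draw digests of distinct messages until two coincide.
    # Returns (m1, m2, trials) for the first repeat, or None if `limit` is exhausted.
    # Default budget 2^(n/2) * 16: the chance of no repeat by then is about e^-128.
    limit = limit or (1 << (bits // 2 + 4))
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i          # constructed distinct inputs
        d = trunc_hash(m, bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m
    return None

def expected_trials(bits: int) -> float:
    # Mean number of draws until the first repeat among 2^n values: sqrt(pi/2 * 2^n),
    # i.e. about sqrt(k) for k = 2^n, as the slide states
    return math.sqrt(math.pi / 2 * (1 << bits))

def preimage_cost(bits: int) -> int:
    # Ideal preimage / 2nd-preimage cost for comparison: 2^n operations
    return 1 << bits
```

Comparing `trials` with `expected_trials(32)` and `preimage_cost(32)` shows the square-root gap in practice.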
Iterated hash function construction [HAC]

- An iterated hash function is constructed using a compression function f which converts a (t + n)-bit input into an n-bit output.
- The input x is split into blocks x_1, x_2, ..., x_k of size t, appending padding bits and a length block indicating the original length.
      H_0 = IV,   H_i = f(H_{i-1}, x_i) for 1 ≤ i ≤ k,   h(x) = g(H_k).
- IV: an initialization vector; g: an output transformation (often the identity).
- This is Merkle's meta-method.

Building up hash functions

- Fact: any CR compression function f can be extended to a CRHF by the above construction, and
  - padding: pad the last block with 0s, adding a final extra block x_k which holds the right-justified binary representation of length(x) (this padding is called MD strengthening).
  - Set IV = 0^n, g = id, and compute H_i = f(H_{i-1}, x_i).

MD5

- Improvement of MD4; MD4 and MD5 designed by Ron Rivest.
- Text processed in 512-bit blocks, as 16 32-bit sub-blocks. Output is four 32-bit blocks, giving a 128-bit hash. The message is padded with a 1 and then 0s until the last block is 448 bits long, then a 64-bit length is appended.
- Main loop has four rounds, chaining 4 variables a, b, c, d. Each round uses a different operation (with a similar structure) 16 times, which computes a new value of one of the four variables using a non-linear function of the other three, chosen to preserve randomness properties of the input.
- For example, the first round uses the operation:
      a = (F(b, c, d) + x_i + t_j) <<< s
      F(b, c, d) = (b ∧ c) ∨ (¬b ∧ d)
  where <<< s is a left-circular shift by s bits and x_i is the ith sub-block of the message. The constants t_j are the integer part of 2^32 * abs(sin(i + 1)), where 0 ≤ i ≤ 63 is in radians (for the 4 * 16 steps).
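Merkle's meta-method from the "Iterated hash function construction" and "Building up hash functions" slides, as an added example (not code from the lecture): IV = 0^n, g = id, zero-padding of the last block and an extra length block (MD strengthening). The compression function f is assumed to be SHA-256 truncated to n bytes, standing in for any CR compression function, and t = 8, n = 16 bytes are chosen small for illustration. The `strengthen` switch shows what the length block buys: without it, two inputs that zero-pad to the same final block collide.

```python
import hashlib

T = 8   # block size t in bytes (constructed, tiny for illustration)
N = 16  # chaining value / output size n in bytes

def f(h_prev: bytes, block: bytes) -> bytes:
    # Compression function f: (n + t)-byte input -> n-byte output.
    # Assumption: truncated SHA-256 stands in for a collision-resistant f.
    if len(h_prev) != N or len(block) != T:
        raise ValueError("f expects an n-byte chaining value and a t-byte block")
    return hashlib.sha256(h_prev + block).digest()[:N]

def split_and_pad(x: bytes, strengthen: bool) -> list:
    # Split x into t-byte blocks x_1..x_k and zero-pad the last one.
    # With MD strengthening, append an extra block holding the right-justified
    # binary representation of length(x) (in bits).
    blocks = [x[i:i + T] for i in range(0, len(x), T)] or [b""]
    blocks[-1] = blocks[-1].ljust(T, b"\x00")
    if strengthen:
        blocks.append((8 * len(x)).to_bytes(T, "big"))
    return blocks

def md_hash(x: bytes, strengthen: bool = True) -> bytes:
    # H_0 = IV = 0^n; H_i = f(H_{i-1}, x_i); h(x) = g(H_k) with g = id
    h = b"\x00" * N
    for block in split_and_pad(x, strengthen):
        h = f(h, block)
    return h
```

`md_hash(b"abc", strengthen=False)` equals `md_hash(b"abc\x00", strengthen=False)` because both pad to the same single block; with the length block they differ.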
Recommended Reading
One of: Ch 9 of HAC (9.1–9.2); Ch. 10 of Smart 3rd Ed;
11.1–11.3 of Gollmann.