SPCS Cryptography Homework 13

Transcription

1 1 1.1 PRP For this homework, use the ollowing PRP: E(k, m) : {0, 1} 3 {0, 1} 3 {0, 1} m k 1.2 Davies-Meyer Recall the Davies-Meyer compression unction: 1.3 Padding h(x, y) = E(x, y) y And recall our usual padding scheme pad(m): Add a 1 to the end o m. Add zeros until the result aligns with the block size. 1

2 2 SPCS Hash Recall SP CS-Hash(m) rom class: Let m = pad(m) Let L be the number o blocks in m 2.1 Calculate the ollowing using the PRP rom section 1.1 and Davies-Meyer as h: 2.2 SP CS-Hash(0) [SOLUTION: 111] SP CS-Hash(1) [SOLUTION: 100] SP CS-Hash(00) [SOLUTION: 001] SP CS-Hash(000) [SOLUTION: 001] SP CS-Hash( ) [SOLUTION: 110] SP CS-Hash( ) [SOLUTION: 001] Since the PRP is very small, can you produce any collisions? 2

3 3 Compression Functions 3.1 Collision Resistance In class we saw that Davies-Meyer is oten used to convert an ideal block cipher into a collision resistant compression unction rom 2 blocks to 1. Let E(k, m) be a block cipher where the message space is the same as the key space (e.g. 128-bit AES). Show that the ollowing methods do not work, by breaking the ollowing: Collision Resistance: it s hard to ind two dierent pairs o inputs (x, y) and (x, y ) such that h(x, y) = h(x, y ). First show how to do this in general (e.g. how you would do it or AES), then construct actual collisions using our block cipher. h 1 (x, y) = E(x, y) x h 2 (x, y) = E(y, x) y h 3 (x, y) = E(x, x y) h 4 (x, y) = E(x, x) x y (For the pair to be dierent, you need either x x, or y y. I both are dierent, that also works.) [SOLUTION: This is rom CS255 homeworks. z, x = anything, y = D(x, x z) z, y = anything, x = D(y, y z) z, x = anything, y = D(x, z) x z, x = anything, y = E(x, x) x For any o these: Choose two dierent values o anything to get a collision. ] 3

4 3.2 Preimage Resistance Suppose someone gives you a speciic target hash value z (say, z = ). For which o the previous compression unctions can you ind inputs (x, y) such that (x, y) = z? [SOLUTION: TOdO: Switch with previous question. ] 4

5 4 Breaking CBC-MAC as a Hash In class, we discussed how you can t convert CBC-MAC into a hash unction because it wouldn t have pre image resistance and collision resistance. Suppose we selected two values k 1, k 2 (permanently) and used the ollowing hash: H : {0, 1} {0, 1} n ( ) H(x) = CBC-MAC (k 1, k 2 ), pad(x) Show that it easy to break preimage resistance and collision resistance by inding expressions to calculate the ollowing (or any choice o keys): Given z, show that you can ind a message x such that H(x) = z Show that you can ind messages x, y such that H(x) = H(y) Apply your answers H(x) using our block cipher, with k 1 k 2 = 010 = 001 and 5

6 5 Merkle Hash Trees Back in the day, Merkle suggested a parallel method or constructing hash unctions out o compression unctions. Let be a compression unction that takes two n-bit blocks and outputs one n-bit block. To hash a message m we use the ollowing tree construction: Hash msg-len Message Block 1 Block 2 Block 3 Block 4 Block 15 Block 16 For simplicity, assume that the number o blocks in m is always a power o Evaluate H( ) using our PRP. [SOLUTION: 000 ] 5.2 Prove that i one can ind a collision or the resulting hash unction then one can ind collisions or the compression unction. Show that i the msg-len block is eliminated (e.g. the contents o that block is always set to 0) then the construction is not collision resistant. [SOLUTION: This is rom CS255 homeworks.] 6

7 5.3 Can you ind a way to extend this to handle messages o arbitrary length? You will need to: Handle padding. Prove that it is impossible to ind any hash collisions i without inding collisions in the compression unction. (This is actually tricky to get right, and it s it s easy to believe your proo is your correct even i it has a signiicant mistake. I suggest you leave this question or the end.) 6 Algorithm Substitution Attack Suppose we are having a secret communication using a key m, and want to allow someone with a certain master key mk to listen in. Consider the ollowing (authenticated) encryption algorithm E P RP (k, m) that uses a PRP E: Calculate IV = E P RP (mk, k) Send the usual (authenticated) encryption AE(k, m), using the IV rom the previous step. Answer: Show that anyone with the master key can decrypt the message. Show that the receiver (who also has k) can t tell the message apart rom a valid encryption that uses a random IV. Show that no one without either k or mk can decrypt the message. What happens i you send the encryption o two dierent messages? Can you ind a ix to the problem that comes up? 7