DTTF/NB479: Dszquphsbqiz Day 27

Transcription

1 DTTF/NB479: Dszquphsbqiz Day 27 Announceents: Questions? This week: Discrete Logs, Diffie-Hellan, ElGaal Hash Functions and SHA-1 Birthday attacks

2 Hash Functions Message (long) Cryptographic hash Function, h Message digest, y (Shorter fixed length) Shrinks data, so 2 essages can have the sae digest: 1!= 2, but H( 1 ) = h( 2 ) Goal: to provide a unique fingerprint of the essage. How? Must deonstrate 3 properties: 1. Fast to copute y fro. 2. One-way: given y = h(), can t find any satisfying h( ) = y easily. 3. Strongly collision-free: Can t find any 1!= 2 such that h( 1 )=h( 2 ) easily 4. (Soeties we can settle for weakly collision-free: given, can t find!= with h() = h( ).

3 EHA: Easy Hash Algorith Break into n-bit blocks, append zeros to get a ultiple of n. There are L of the, where L = /n Fast! But not very secure. Doing a left shift on the rows helps a little: y Define as leftshifting by y bits Then i = y i 1 2 =... l = l l 2 1n 2n ln [ c c... ] ll c n 1n 21 l, l+ 1 l, l 1 =h()

4 EHA: Easy Hash Algorith 3 properties: 1. Fast to copute 2. One-way: given y = h(), can t find any satisfying h( ) = y easily. 3. Strongly collisionfree: Can t find 1!= 2 such that h( 1 )=h( 2 ) 1 2 =... l = l [ c c... ] l 2 2 1n 2n ln c n =h() Exercise: 1. Show that the basic (unrotated) version doesn t satisfy properties 2 and Show that the rotated version doesn t satisfy properties 2 and 3 either. Conclusion: Need nonlinearity!

5 SHA-1: Secure Hash Algorith NSA NIST This standard specifies a Secure Hash Algorith (SHA), which is necessary to ensure the security of the Digital Signature Algorith (DSA). When a essage of any length < 2 64 bits is input, the SHA produces a 160- bit output called a essage digest. The essage digest is then input to the DSA, which coputes the signature for the essage. Signing the essage digest rather than the essage often iproves the efficiency of the process, because the essage digest is usually uch saller than the essage. The sae essage digest should be obtained by the verifier of the signature when the received version of the essage is used as input to SHA. The SHA is called secure because it is designed to be coputationally infeasible to recover a essage corresponding to the essage digest. Any change to the essage in transit will, with a very high probability, result in a different essage digest, and the signature will fail to verify. The SHA is based on principles siilar to those used by Professor Ronald L. Rivest of MIT when designing the MD4 essage digest algorith, and is closely odelled after that algorith. (Proposed Federal Inforation Processing Standard for Secure Hash Standard, Federal Register, v. 57, n. 177, 11 Sep 1992, p ) how?

6 1 SHA-1: Prepare the essage 1. Prepare the essage. Given, create xxxxx.x: Append a 1 and then enough zeros to ake the total congruent to 448 (od 512) bits (to leave roo for the length) Append the length of ( 2 64, so can be written in 64 bits) Break into L 512-bit chunks. Each will be used to copress into a 160- bit total essage digest. Exaple: Encode with length 5000 bits. What is L?

7 2 SHA-1: Notation + Bitwise AND Bitwise OR Bitwise XOR Bitwise NOT Left-shift, with wrap-around Addition, od 2 32

8 3 SHA-1: Iterative copression Idea: iterate over all of the L blocks, outputting a value that is a function of the previous output and the current block: L h h X 0 X 1 X 2 h X 3 h X L =h() (X 0 is constant) Now, the function h

9 4-5 SHA-1: Copression function: h Input: X 0 (160 bits), 1 (512 bits): Output: X 1 (160 bits) W t Expand 1 fro bits. 1 =(W 0..W 15 ) (32 bits each) ( W W W W ) 1 = t 3 t 8 t 14 t 16 Initialization X 4 rounds of 20 iterations each: Each round uses a different K and different nonlinear ixing function f 0 H H = H H H e d = c b a 1 W 0 W 1 W 15 e d c b a K =0x5A Round 1 W 16 W 19 K =6ED9EBA1 K =8F1BBCDC W 79 e d c + X 0 = X b a (20 iters) 1 Round 2 Round 3 Round 4 K =CA62C1D6

10 6 SHA-1: Iterative copression Repeat the algorith on the previous slide L ties until you ve copressed the whole essage into a single 160-bit vector L h h X 0 X 1 X 2 h X 3 h X L =h() Each can be ipleented in hardware.

11 7-9 Interesting trivia The NSA added the left shift in w after the fact. The change corrects a technical flaw that ade the standard less secure than have been thought. (Proposed Revision of Federal Inforation Processing Standard (FIPS) 180, for Secure Hash Standard, Federal Register, v. 59, n. 131, 11 Jul 1994, p )

12 Suary What s an attack on SHA-1 look like? In other words, how do we find collisions? Stay tuned Next tie we ll learn what birthdays have to do with collisions How long before SHA-1 will be broken?