Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
|
|
- Jasmine Harvey
- 6 years ago
- Views:
Transcription
1 Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO /26
2 WhatisaMACalgorithm? M Alice wants to send a message to Bob But Charlie has access to the communication channel Alice and Bob share a secret key k......and use a MAC algorithm. Bob rejects the message if MAC k (M) t 2/26
3 WhatisaMACalgorithm? M Alice wants to send a message to Bob But Charlie has access to the communication channel Alice and Bob share a secret key k......and use a MAC algorithm. Bob rejects the message if MAC k (M) t 2/26
4 WhatisaMACalgorithm? k M k Alice wants to send a message to Bob But Charlie has access to the communication channel Alice and Bob share a secret key k......and use a MAC algorithm. Bob rejects the message if MAC k (M) t 2/26
5 WhatisaMACalgorithm? M, t k t = MAC k (M) k Alice wants to send a message to Bob But Charlie has access to the communication channel Alice and Bob share a secret key k......and use a MAC algorithm. Bob rejects the message if MAC k (M) t 2/26
6 WhatisaMACalgorithm? M, t k t = MAC k (M) t k? = MAC k (M) Alice wants to send a message to Bob But Charlie has access to the communication channel Alice and Bob share a secret key k......and use a MAC algorithm. Bob rejects the message if MAC k (M) t 2/26
7 MAC security A MAC (Message Authentication Code) should provide authentication and integrity protection. MAC security notions: chosen message attacks The adversary has access to an oracle M MAC k (M). He must compute a new MAC for: One message of his choice: existential forgery. Any message: universal forgery. One very popular MAC (ANSI, IETF, ISO, NIST), HMAC is based on a hash function. Topicofthetalk 3/26 Can we use the attacks on or MD5 to break HMAC?
8 Known attacks on MD hash functions M 1 IV h M 2 Collision attacks: generate M 1, M 2 : H(M 1 ) = H(M 2 ) in 2 1, MD5 in 2 27, SHA-1 in 2 63 Colliding blocks look random Limited impact: commitment Add a prefix and a suffix, hide the randomness Partial freedom in the colliding blocks Chosen prefix collisions: given P 1, P 2 generate M 1, M 2 : H(P 1 M 1 ) = H(P 2 M 2 ) 4/26
9 Known attacks on MD hash functions M 1 M 2 Collision attacks: generate M 1, M 2 : H(M 1 ) = H(M 2 ) Add a prefix and a suffix, hide the randomness Include two documents, use the collision as a switch Signature by a third party Fraud is detectable Partial freedom in the colliding blocks Chosen prefix collisions: given P 1, P 2 generate M 1, M 2 : H(P 1 M 1 ) = H(P 2 M 2 ) 4/26
10 Known attacks on MD hash functions M 1 M 2 Collision attacks: generate M 1, M 2 : H(M 1 ) = H(M 2 ) Add a prefix and a suffix, hide the randomness Partial freedom in the colliding blocks Weak challenge-response authentication: APOP Chosen prefix collisions: given P 1, P 2 generate M 1, M 2 : H(P 1 M 1 ) = H(P 2 M 2 ) 4/26
11 Known attacks on MD hash functions P 1 M 1 P 2 M 2 Collision attacks: generate M 1, M 2 : H(M 1 ) = H(M 2 ) Add a prefix and a suffix, hide the randomness Partial freedom in the colliding blocks Chosen prefix collisions: given P 1, P 2 generate M 1, M 2 : H(P 1 M 1 ) = H(P 2 M 2 ) Colliding certificates with different names. 4/26
12 MD family status Current status Collision-resistance is seriously broken, but for most constructions, no real attacks are known: Key derivation Peer authentication HMAC... More in-depth study and improvement of are needed. Ourresultson We adapted to HMAC/NMAC. Universal forgery attack with 2 88 data and 2 95 CPU. 5/26
13 MD family status Current status Collision-resistance is seriously broken, but for most constructions, no real attacks are known: Key derivation Peer authentication HMAC... More in-depth study and improvement of are needed. Ourresultson We adapted to HMAC/NMAC. Universal forgery attack with 2 88 data and 2 95 CPU. 5/26
14 Outline The hash function HMAC and NMAC Contini-Yin NMAC attack IV-dependent differential path Efficient computation of message pairs Differential paths Extracting more key bits 6/26
15 The hash function General design Merkle-Damgård: H i = F(M i, H i 1 ) M M 0 M 1 M 2 M 3 F F F F IV H 0 H 1 H 2 H 3 D h(m) Davies-Meyer with a Feistel-like cipher. m i H i 1 C H i 7/26
16 The compression function Step update Q i 4 Q i 3 Q i 2 Q i 1 Φ i m i k i s i Q i 3 Q i 2 Q i 1 Q i Q i = (Q i 4 Φ i (Q i 1, Q i 2, Q i 3 ) m i k i ) s i In: Q 4 Q 1 Q 2 Q 3 Out: Q 4 Q 44 Q 1 Q 47 Q 2 Q 46 Q 3 Q 45 8/26
17 NMAC description M 0...M i... M k k 2 H k2 (M) k 1 MAC NMAC k1,k 2 (M) = H k1 (H k2 (M)) Keyed hash function H k : replace the IV by the key. Prevents offline collision search and extension attacks. 9/26
18 HMAC description HMAC k (M) = H( k opad H( k ipad M)) opad and ipad are 1-block constants k is k padded to one block No need to key the hash function. HMAC k NMAC H( k opad),h( k ipad) HMAC security is equivalent to NMAC security. HMAC/NMAC security proof If the compression function F is secure as a PRF then HMAC/NMAC is: secure against existential forgery up to 2 n/2 secure against universal forgery up to 2 n 10/26
19 Outline The hash function HMAC and NMAC Contini-Yin NMAC attack IV-dependent differential path Efficient computation of message pairs Differential paths Extracting more key bits 11/26
20 Collisions: 1 Precomputation: Choose a message difference. Compute a differential path. Derive a set of sufficient conditions. 2 Collision search: Main result Find a message that satisfies the set of conditions. We know a difference and a set of conditions on the internal state variables Q i s, such that: If all the conditions are satisfied by the internal state variable in the computation of H(M), then H(M) = H(M + ). 12/26
21 How to use collisions? M 0...M i... M k k 2 H k2 (M) k 1 MAC 13/26 We can detect hash collisions through NMAC collisions. Without the IV, we can t use message modifications. Try many pairs (M, M + ), and wait for a collision. The collision contains some key information, but we need a way to extract it...
22 Inner key recovery M M + k 2 H k2 (M) k 1 MAC 1 Find an inner collision. 2 Use M to modify the inner state. 3 Learn bits of Q i by observing collisions; compute k 2. 14/26
23 Inner key recovery M M + k 2 H k2 (M) k 1 MAC 1 Find an inner collision. 2 Use M to modify the inner state. 3 Learn bits of Q i by observing collisions; compute k 2. 14/26
24 Inner key recovery M M + k 2 H k2 (M) k 1 MAC 1 Find an inner collision. 2 Use M to modify the inner state. 3 Learn bits of Q i by observing collisions; compute k 2. 14/26
25 Inner key recovery M M + k 2 H k2 (M) k 1 MAC 1 Find an inner collision. 2 Use M to modify the inner state. 3 Learn bits of Q i by observing collisions; compute k 2. 14/26
26 Outer key recovery M k 2 H k2 (M) k 1 MAC Problems We can t choose H k2 (M). We can only have a difference in the first 128 bits. 15/26
27 Outer key recovery M k 2 H k2 (M) k 1 MAC Problems We can t choose H k2 (M). We can only have a difference in the first 128 bits. 15/26
28 Contini and Yin s attack(asiacrypt 2006) Recovers the inner key k 2 but not the outer key k 1. Best path: p = Complexity Not enough for universal forgery. Attacker still need 2 n computations. 16/26
29 Outline The hash function HMAC and NMAC Contini-Yin NMAC attack IV-dependent differential path Efficient computation of message pairs Differential paths Extracting more key bits 17/26
30 A New IV-recovery Attack We want to avoid the need for related messages. We look for paths where the existence of collision discloses information about the key. Advantage In Contini-Yin attack, you need to choose a lot of bits in H k2 (M) (related messages). We only need to choose the differences in H k2 (M). 18/26
31 Using IV-dependent paths Use a differential path with δm 0 0. The beginning of the path depends on a condition (X) of the IV: px = Pr M [H(M) = H(M + ) X] step δm i Φ i Q i conditions 0 [0] [3] 1 Q [3] 1 = Q[3] 2 (X) PrM [H(M) = H(M + ) X] p X. step δm i Φ i Q i conditions 0 [0] [3] 1 [3] [10] Q [3] 1 Q[3] 2 ( X) We try 2/p X pairs: If we have a collision then (X) is satisfied. Otherwise, (X) is not satisfied. 19/26
32 Efficient computation of message pairs To recover the outer key, we need 2/p X message pairs with H k2 (M 2 ) = H k2 (M 1 ) + k 2 δq = δh = δq = δq = 0 δh = R i M i We start with one message pair (R 1, R 2 ) such that H k2 (R 2 ) = H k2 (R 1 ) + (birthday paradox). We compute second blocks (N 1, N 2 ) such that H k2 (R 2 N 2 ) = H k2 (R 1 N 1 ) + This is essentially a collision search with the padding inside the block. 20/26
33 New outer key recovery M k 2 k 1 H k2 (M) MAC 1 Recover k 2. 2 Generate pairs with H k2 (M 2 ) = H k2 (M 1 ) +. 3 Learn bits of k 1 by observing collisions. 21/26
34 New outer key recovery M k 2 k 1 H k2 (M) MAC 1 Recover k 2. 2 Generate pairs with H k2 (M 2 ) = H k2 (M 1 ) +. 3 Learn bits of k 1 by observing collisions. 21/26
35 New outer key recovery M k 2 k 1 H k2 (M) MAC 1 Recover k 2. 2 Generate pairs with H k2 (M 2 ) = H k2 (M 1 ) +. 3 Learn bits of k 1 by observing collisions. 21/26
36 New outer key recovery M k 2 k 1 H k2 (M) MAC 1 Recover k 2. 2 Generate pairs with H k2 (M 2 ) = H k2 (M 1 ) +. 3 Learn bits of k 1 by observing collisions. 21/26
37 Differential paths We need very constrained paths: At least one difference in m 0. No difference in m 4...m 15. High probability. Many paths (each one gives only one bit of the key). Differential path algorithm We use an algorithm to find a differential path from the message difference. We found 22 paths with p X Attack complexity: 2 88 data, time. 22/26
38 Differential paths We need very constrained paths: At least one difference in m 0. No difference in m 4...m 15. High probability. Many paths (each one gives only one bit of the key). Differential path algorithm We use an algorithm to find a differential path from the message difference. We found 22 paths with p X Attack complexity: 2 88 data, time. 22/26
39 Extracting more key bits When we have a collision for one of the paths, we can recover some extra information on the key: step s i δm i Φ i Q i conditions 0 3 [0] [3] 1 7 Q [3] 1 = Q[3] 2 (X) 2 11 Q [3] 1 = 0 (Y) 3 19 Q [3] 2 = 1 (Z) 4 3 [6] Note: (Y) and (Z) are not key bits, they depend on the message. Use(Y)and(Z)toefficientlyreducethekeyentropy. On average we reduce the search space from to /26
40 Hash collisions can be detected through HMAC/NMAC Tailoring : IV-dependent collisions Full key recovery Attack complexity Generic Attacks NMAC- Data Time Mem Remark E-Forgery 2 n/2 - - Collision based U-Forgery 2n/2 2 n+1 - Collision based 1 2 2n/3 2 2n/3 TM tradeoff, 2 n precpu E-Forgery Partial-KR U-Forgery New result 24/26
41 Possible improvements Find better paths. Use the method of Contini and Yin for the inner key. Use near-collisions for the outer key. About MD5 Our NMAC-MD5 attack is in the related-key model. A real attack would require a differential path with less than one block of message... More NMAC-MD5 25/26
42 Any Questions? Thank you for your attention. 26/26
43 NMAC-MD5 attack M NMAC-MD5 Diff. paths k 2 H k2 (M) k 1 MAC 1 We don t have a path with a suitable. 2 We use a path with a difference in the IV 3 Filter H k2 (M) to modify the outer state 4 Learn bits of Q i by observing collisions; compute k 1. 27/26
44 NMAC-MD5 attack M NMAC-MD5 Diff. paths k 2 H k2 (M) k 1 MAC 1 We don t have a path with a suitable. 2 We use a path with a difference in the IV 3 Filter H k2 (M) to modify the outer state 4 Learn bits of Q i by observing collisions; compute k 1. 27/26
45 NMAC-MD5 attack M NMAC-MD5 Diff. paths k 2 H k2 (M) k 1 MAC 1 We don t have a path with a suitable. 2 We use a path with a difference in the IV 3 Filter H k2 (M) to modify the outer state 4 Learn bits of Q i by observing collisions; compute k 1. 27/26
46 NMAC-MD5 attack M NMAC-MD5 Diff. paths k 2 H k2 (M) k 1 MAC 1 We don t have a path with a suitable. 2 We use a path with a difference in the IV 3 Filter H k2 (M) to modify the outer state 4 Learn bits of Q i by observing collisions; compute k 1. 27/26
47 NMAC-MD5 Diff. paths NMAC-MD5 attack Small improvement of Contini & Yin s attack. Independently found by Rechberger & Rijmen (FC 2007). Related key model Generic Attacks NMAC-MD5 Related keys Data Time Mem Remark E-Forgery 2 n/2 - - Collision based U-Forgery 2n/2 2 n+1 - Collision based 1 2 2n/3 2 2n/3 TM tradeoff, 2 n precpu E-Forgery Partial-KR U-Forgery New result 28/26
48 Differential paths NMAC-MD5 Diff. paths The next slides show some examples of the differential paths used in the NMAC attack. For more information see: Automatic search of differential path in, by Pierre-Alain Fouque, Gaëtan Leurent and Phong Nguyen, Presented in the ECRYPT hash workshop, 2007, Cryptology eprint Archive, Report 2007/ /26
49 NMAC-MD5 Diff. paths 30/26 An IV-dependent path [29] step si δmi Φi Qi conditions 0 3 [0] [3] 1 7 Q [3] 1 = Q[3] Q [3] 1 = Q [3] 2 = [6,7] 5 7 Q [6] 3 Q[6] 2, Q[7] 3 = = Q[7] Q [6] 5 = 0, Q[7] 5 = [7] [26] Q [6] 6 = 1, Q[7] 6 = [26] [9], [29] Q [26] 5 = 1, Q [26] 6 = Q [9] 7 Q[9], Q[26] 6 8 = = 0, Q 7 = Q Q [9] = 0, Q[26] Q = 1, = [13] Q [9] 10 = 1, Q[29] 10 = [0], [12] Q [13] 10 = Q[13] Q [0] 11 = Q[0] 10, Q[12] 11 = Q[12] 10, Q[13] 12 = [0] [ ] Q [0] 13 = 1, Q[12] 13 = 0, Q[13] 13 = [13] Q [0] = 1, Q[11] = Q[11] 12, Q[12] 13 = 0, Q[13] 13 = 1, Q[13] 12 = [0] [12,13] Q [11] [ ] Q [11] 16 Q[11] 15, Q[12] 16 Q[12] 15, Q[13] 16 = = = Q[13] Q [20] 17 = Q[20] 16, Q[21] 17 = Q[21] 16, Q[22] 17 = Q[22] 16, Q[23] 17 = Q[23] [23] [26] Q [20] 19 = Q[20] 17, Q[21] 19 = Q[21] 17, Q[22] 19 = Q[22] 17, Q[23] 19 Q[23] Q [20] 20 = Q[20] 19, Q[21] 20 = Q[21] 19, Q[22] 20 = Q[22] 19, Q[23] 20 = Q[23] 19, Q[26] 19 = Q[26] [29] Q [26] 21 = Q[26] Q [26] 22 = Q[26] 21, Q[29] 21 = Q[29] [29,30] Q [29] 23 = Q[29] Q [30] 23 = Q[30] [29] Q [29] 25 Q[29] 23, Q[30] 25 = Q[30] Q [29] [0] Q[29] 25, Q[30] 26 = = Q[30] Q [0] 27 = Q[0] Q [0] 29 = Q[0] Q [0] 30 = Q[0] [0]
50 A path for the message pair generation step s i δm i Φ i Q i conditions 4 0 [4] [7] 1 7 [31] [6] Q [7] 1 = Q[7] [28], [31] [7], [10] Q [6] 0 = Q[6] 1, Q[7] 1 = Q [6] = 0, Q[7] = 0, Q[10] = Q [10] [6] [9...11] Q [6] = 0, Q[7] = 0, Q[10] = [13] Q [7] = 1, Q[9] = 4 3 Q[9], 2 Q[10] = 0, Q [11] = Q [11] [10,11] [18] Q [9] = 0, Q[10] = 1, Q [11] = 1, Q [13] = Q [13] Q [9] 6 = 1, Q[10] 6 = 1, Q [11] 6 = 1, Q [13] 6 = 0, Q [18] 5 = Q [18] [13] [12], [16] Q [13] 7 = 0, Q [18] 7 = [12] [19] Q [12] 7 = 1, Q [12] 6 = 0, Q [16] 7 = Q [16] 6, Q [18] 8 = [29] Q [12] 9 = 0, Q [16] 9 = 0, Q [19] 8 = Q [19] Q [12] 10 = 1, Q[16] 10 = 1, Q[19] 10 = 0, Q[29] 9 = Q [29] [16] [19] [15,16], [22] Q [19] 11 = 0, Q[29] 11 = [ ] Q [15] 11 = Q[15] 10, Q[16] 11 = Q[16] 10, Q[22] 11 = Q[22] 10, Q[29] 12 = [29] Q [15] 13 = 0, Q[16] 13 = 0, Q[22] 13 = 0, Q[26] 12 = Q[26] 11, Q[27] 12 = Q[27] 11, Q[28] 12 = Q[28] 11, Q[29] 12 = 1, Q[29] 11 = [28,29] [15] Q [15] = 1, Q[16] = 1, Q[22] = 1, Q[26] = 0, Q[27] = 0, Q[28] = 1, Q[29] = [15] [25] Q [15] 14 Q[15] 13, Q[26] 15 = Q[26], 14 Q[27] 15 = Q[27], 14 Q[28] 15 = Q[28], 14 Q[29] 15 = Q[29] [31] Q [15] 16 = Q[15], 14 Q[25] 15 = Q[25] Q [15] 17 = Q[15] 16, Q[25] 17 = Q[25] 15, Q[31] 16 = Q[31] [16] [28] Q [25] 18 = Q[25] 17, Q[31] 18 = Q[31] [31] [28], [31] [28], [31] Q [28] 18 Q[28] 17, Q[31] 19 Q[31] [31] Q [31] 19 Q[31] Q [31] 21 = Q[31] [28] Q [28] 22 Q[28] 21, Q[31] 22 = Q[31] [28], [31]
Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Author manuscript, published in "Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference 4622 (2007) 13-30" DOI : 10.1007/978-3-540-74143-5_2 Full Key-Recovery Attacks on
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Q. Nguyen École Normale Supérieure Département d Informatique, 45 rue d Ulm, 75230 Paris Cedex 05, France
More informationCryptanalysis on HMAC/NMAC-MD5 and MD5-MAC
Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Xiaoyun Wang 1,2, Hongbo Yu 1, Wei Wang 2, Haina Zhang 2, and Tao Zhan 3 1 Center for Advanced Study, Tsinghua University, Beijing 100084, China {xiaoyunwang,
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationBreaking H 2 -MAC Using Birthday Paradox
Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of
More informationGeneral Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity
General Distinguishing Attacks on MAC and HMAC with Birthday Attack Complexity Donghoon Chang 1 and Mridul andi 2 1 Center or Inormation Security Technologies(CIST), Korea University, Korea dhchang@cist.korea.ac.kr
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 10, 2008 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Jonathan Voris, Md. Borhan Uddin 1 Recap 1.1 MACs A message authentication code (MAC)
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationImproved Generic Attacks Against Hash-based MACs and HAIFA
Improved Generic Attacks Against Hash-based MACs and HAIFA Itai Dinur 1 and Gaëtan Leurent 2 1 Département d Informatique, École Normale Supérieure, Paris, France Itai.Dinur@ens.fr 2 Inria, EPI SECRET,
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationForgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions
Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions Scott Contini 1 and Yiqun Lisa Yin 2 1 Macquarie University, Centre for Advanced Computing ACAC, NSW 2109, Australia scontini@comp.mq.edu.au
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 13, 2011 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Anand Desai,Manav Singh Dahiya,Amol Bhavekar 1 Recap 1.1 MACs A Message Authentication
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationFunctional Graphs and Their Applications in Generic Attacks on Iterated Hash Constructions
Functional Graphs and Their Applications in Generic Attacks on Iterated Hash Constructions Zhenzhen Bao 1, Jian Guo 1 and Lei Wang 2,3 1 School of Physical and Mathematical Sciences, Nanyang Technological
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationPractical Free-Start Collision Attacks on full SHA-1
Practical Free-Start Collision Attacks on full SHA-1 Inria and École polytechnique, France Nanyang Technological University, Singapore Joint work with Thomas Peyrin and Marc Stevens Séminaire Cryptologie
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationOnline Cryptography Course. Collision resistance. Introduc3on. Dan Boneh
Online Cryptography Course Collision resistance Introduc3on Recap: message integrity So far, four MAC construc3ons: PRFs ECBC- MAC, CMAC : commonly used with AES (e.g. 802.11i) NMAC : basis of HMAC (this
More informationCryptography CS 555. Topic 13: HMACs and Generic Attacks
Cryptography CS 555 Topic 13: HMACs and Generic Attacks 1 Recap Cryptographic Hash Functions Merkle-Damgård Transform Today s Goals: HMACs (constructing MACs from collision-resistant hash functions) Generic
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationSecond Preimages for Iterated Hash Functions and their Implications on MACs
Second Preimages for Iterated Hash Functions and their Implications on MACs Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK)
More informationMessage Authentication Codes (MACs) and Hashes
Message Authentication Codes (MACs) and Hashes David Brumley dbrumley@cmu.edu Carnegie Mellon University Credits: Many slides from Dan Boneh s June 2012 Coursera crypto class, which is awesome! Recap so
More informationPractical Free-Start Collision Attacks on 76-step SHA-1
Practical Free-Start Collision Attacks on 76-step SHA-1 Inria and École polytechnique, France Nanyang Technological University, Singapore Joint work with Thomas Peyrin and Marc Stevens CWI, Amsterdam 2015
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More information3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function
3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function Praveen Gauravaram 1, William Millan 1, Juanma Gonzalez Neito 1, Edward
More informationSecurity without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationAttacks on hash functions: Cat 5 storm or a drizzle?
Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005 1 Outline Hash functions: Definitions Constructions Attacks What to do 2 Outline
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationGeneric Universal Forgery Attack on Iterative Hash-based MACs
Generic Universal Forgery Attack on Iterative Hash-based MACs Thomas Peyrin and Lei Wang Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University,
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationPerfectly-Crafted Swiss Army Knives in Theory
Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG) Hash Functions as a Universal Tool collision resistance
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationBeyond the MD5 Collisions
Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationAttacks on hash functions. Birthday attacks and Multicollisions
Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater
More informationMinimum Number of Multiplications of U Hash Functions
Minimum Number of Multiplications of U Hash Functions Indian Statistical Institute, Kolkata mridul@isical.ac.in March 4, FSE-2014, London Authentication: The Popular Story 1 Alice and Bob share a secret
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationCryptographic Hashes. Yan Huang. Credits: David Evans, CS588
Cryptographic Hashes Yan Huang Credits: David Evans, CS588 Recap: CPA 1. k KeyGen(1 n ). b {0,1}. Give Enc(k, ) to A. 2. A chooses as many plaintexts as he wants, and receives the corresponding ciphertexts
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
New Proofs for NMAC and HMAC: Security without Collision-Resistance Mihir Bellare Dept. of Computer Science & Engineering 0404, University of California San Diego 9500 Gilman Drive, La Jolla, CA 92093-0404,
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationAttacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512
Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512 Charles Bouillaguet 1, Orr Dunkelman 2, Gaëtan Leurent 1, and Pierre-Alain Fouque 1 1 Département
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationPreimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function
Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationGeneric Security of NMAC and HMAC with Input Whitening
Generic Security of NMAC and HMAC with Input Whitening Peter Gaži 1, Krzysztof Pietrzak 1, and Stefano Tessaro 2 1 IST Austria {peter.gazi,pietrzak}@ist.ac.at 2 UC Santa Barbara tessaro@cs.ucsb.edu Abstract.
More informationSecurity Analysis of the Compression Function of Lesamnta and its Impact
Security Analysis of the Compression Function of Lesamnta and its Impact Shoichi Hirose 1, Hidenori Kuwakado 2, Hirotaka Yoshida 3, 4 1 University of Fukui hrs shch@u-fukui.ac.jp 2 Kobe University kuwakado@kobe-u.ac.jp
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More informationSome Attacks on Merkle-Damgård Hashes
Overview Some Attacks on Merkle-Damgård Hashes John Kelsey, NIST and KU Leuven May 8, 2018 m 0 m 1 m 2 m 3 10*L h 0 h 1 h 2 h final Introduction 1 / 63 Overview Cryptographic Hash unctions Thinking About
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationOnline Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh
Online Cryptography Course Message integrity Message Auth. Codes Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages. Message
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationMessage Authentication. Adam O Neill Based on
Message Authentication Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Authenticity and Integrity - Message actually comes from. claimed Sender - Message was not modified in transit ' Electronic
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationH Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.
Definition - hash function Cryptographic Hash Functions - Introduction Lars R. Knudsen April 21, 2008 Located in the southernmost part of Europe with an artic climate, Hotel Finse 1222 provides the perfect
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationSPCS Cryptography Homework 13
1 1.1 PRP For this homework, use the ollowing PRP: E(k, m) : {0, 1} 3 {0, 1} 3 {0, 1} 3 000 001 010 011 100 101 110 111 m 000 011 001 111 010 000 101 110 100 001 101 110 010 000 111 100 001 011 010 001
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More information2 n 2 n 2 n/2. Bart Preneel Generic Constructions for Iterated Hash Functions. Generic Constructions for Iterated Hash Functions.
or Iterated Hash Functions or Iterated Hash Functions COSIC Kath. Univ. Leuven, Belgium & ABT Crypto bart.preneel(at)esat.kuleuven.be April 2007 Outline deinitions applications generic attacks attacks
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationContributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions
Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions By Przemys law Szczepan Soko lowski A thesis submitted to Macquarie University for the degree of Doctor of Philosophy
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationEtude d hypothèses algorithmiques et attaques de primitives cryptographiques
Etude d hypothèses algorithmiques et attaques de primitives cryptographiques Charles Bouillaguet École normale supérieure Paris, France Ph.D. Defense September 26, 2011 Introduction Modes of Operation
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationLecture 15: Message Authentication
CSE 599b: Cryptography (Winter 2006) Lecture 15: Message Authentication 22 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Message Authentication Recall that the goal of message authentication
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More information