Hash Functions. Adam O Neill Based on
|
|
- Ezra Williamson
- 6 years ago
- Views:
Transcription
1 Hash Functions Adam O Neill Based on
2 Where we are We ve seen a lower-level primitive (blockciphers) and a higher-level primitive (symmetric encryption)
3 Where we are We ve seen a lower-level primitive (blockciphers) and a higher-level primitive (symmetric encryption) Now let s see another lower-level primitive, hash functions
4 Where we are We ve seen a lower-level primitive (blockciphers) and a higher-level primitive (symmetric encryption) Now let s see another lower-level primitive, hash functions Their primary purpose is data compression, but they have many other uses as well
5 Where we are We ve seen a lower-level primitive (blockciphers) and a higher-level primitive (symmetric encryption) Now let s see another lower-level primitive, hash functions Their primary purpose is data compression, but they have many other uses as well They are treated a bit like a magic wand
6 Universal Hashing Attack Game 7.1 (universal hash function). For a keyed hash function H defined over (K, M, T ), and a given adversary A, the attack game runs as follows. The challenger picks a random k R H :KxM T HCK, A outputs two distinct messages m 0,m 1 2 M. K and keeps k to itself. We say that A wins the above game if H(k, m 0 )=H(k, m 1 ). We define A s advantage with respect to H, denoted UHFadv[A,H], as the probability that A wins the game. 2. )=HkC. 7
7 Universal Hashing Attack Game 7.1 (universal hash function). For a keyed hash function H defined over (K, M, T ), and a given adversary A, the attack game runs as follows. The challenger picks a random k R A outputs two distinct messages m 0,m 1 2 M. K and keeps k to itself. We say that A wins the above game if H(k, m 0 )=H(k, m 1 ). We define A s advantage with respect to H, denoted UHFadv[A,H], as the probability that A wins the game. 2 Definition 7.2. Let H be a keyed hash function defined over (K, M, T ), We say that H is an -bounded universal hash function, or -UHF, ifuhfadv[a,h] apple for all adversaries A (even ine cient ones). We say that H is a statistical UHF if it is an -UHF for some negligible. We say that H is a computational UHF if UHFadv[A,H] is negligible for all e adversaries A. cient
8 3. t t k + ai 2 Zp The challenge in constructing good universal hash functions (UHFs) is to construct a function that 4. Output t achieves a small collision probability using a short key. Preferably, the size of the key should not depend the length of the being hashed. Wethe give three constructions. first is an It is noton difficult to show thatmessage this algorithm produces same value as defined inthe (7.3). Observe elegant construction a statistical UHFone using modular arithmetic Our second that a long message ofcan be processed block at a time using and littlepolynomials. additional space. Every construction is based on the CBC and functions defined in Section 6.4. We show that both iteration takes one multiplication and cascade one addition. are On computational UHFs. thirdmultiplication construction is based onfour PMAC Section 0 from a machine that hasthe several units, say units, we can use a way parallel version of Horner s method to utilize all the available units and speed up the evaluation of Hpoly. to Coefficients are is input polynomial Construction using polynomials Assuming the length of m1: is auhfs multiple of 4,input simply replace lines (2) and (3) above with thethe following key, Constructions We start construction usingi polynomials a prime. Let ` be a (poly-bounded) 2. with Forai UHF 1 to v incrementing by 4 at everymodulo iteration: length3.parametert andt let function k 4 p+ be ai ak 3prime. + ai+1 We k 2 define + ai+2a khash + ai+3 2 Zp Hpoly that hashes a message m 2 Z ` p to a single element t 2 Zp. The key space is K := Zp OneLet canmprecompute the so values at every iteration we process four blocks of be a message, m =k(a,1k, a,2k,..in., azvp). 2Then Z ` p for some 0 v `. Let k 2 Zp be a key. the message using four can all be done in parallel. The hash function Hpolymultiplications (k, m) is definedthat as follows: v v 1 v 2 : H k, (a,..., a ) = k + a k + a k + + aifv p1 kis+super-poly, av 2 Zp this implies (7.3) 1 v 1 2 poly Security as a UHF. Next we show that Hpoly is an (`/p)-uhf. that `/p is negligible, which means that Hpoly is a statistical UHF. 247 Lemma 7.2. The function Hpoly over (Zp, (Zp ) `, Zp ) defined in (7.3) is an (`/p)-uhf. Proof. Consider two distinct messages m0 = (a1,..., au ) and m1 = (b1,..., bv ) in (Zp ) `. We show that Pr[Hpoly (k, m0 ) = is over the random choice of let Hpoly (k, m1 )] `/p, where the probability and ).az au Ca, Cai,, key k in Zp. Define the two polynomials: proo± distinct be ( a.,.az?..,aj)e7p... ai. u := X u + a1 Xthe f (X)Consider := )X + b1 XIt g(x) ai v,...,ar -. 1 v 1 +polynomial a2 X u au 1with X + au + b2has X v 2 +at + bv 1 X +l bv roots most in Zp [X]. Then, by definition of Hpoly weatneed to show that random probability His zelo coefficients a point is. E so Xp (7.4) the. Pr[f (k) = g(k)] `/p where k is uniform in Zp. In other words, we need to bound the number of points k 2 Zp for which f (k) g(k) = 0. Since the messages m0 and m1 are distinct we know that f (X) g(x) is a nonzero
9 i PRF as a computational way UHF let FskxM T be a PRF. Then F is a computational UHF. prooi Suppose A is an adversary against the UHF. we construct an adversary Adversary BMC ) B against the PRF Run A let ( m If Fncm, )=F( A,,mz ) be 's output mz ) ret I Elsegt
10 Collision Resistance Definition: A collision for a function h : D! {0, 1} n is a pair x 1, x 2 2 D of points such that h(x 1 )=h(x 2 )butx 1 6= x 2. If D > 2 n then the pigeonhole principle tells us that there must exist a collision for h.
11 The Formalism Key less means µ K e } The formalism considers a family H :Keys(H) D! R of functions, meaning for each K 2 Keys(H) wehaveamaph K : D! R defined by H K (x) =H(K, x). Let Game CR H procedure Initialize K $ Keys(H) Return co K procedure Finalize(x 1, x 2 ) If (x 1 = x 2 )thenreturnfalse If (x 1 62 D or x 2 62 D) thenreturnfalse Return (H K (x 1 )=H K (x 2 )) Adv cr H (A) =Pr h CR A H ) true i.
12 Keyless Hash Functions Practical cryptographic hash functions (SHA3 etc) are keyless
13 Keyless Hash Functions Practical cryptographic hash functions (SHA3 etc) are keyless However, no keyless hash function can be collision resistant
14 Keyless Hash Functions Practical cryptographic hash functions (SHA3 etc) are keyless However, no keyless hash function can be collision resistant This leads to the foundations-of-hashing dilemma (Rogaway)
15 Keyless Hash Functions Practical cryptographic hash functions (SHA3 etc) are keyless However, no keyless hash function can be collision resistant This leads to the foundations-of-hashing dilemma (Rogaway) The solution is to use keyless hash functions in reductions only (no definition)
16 Example Ek ( XII ) a xtr ] = Let E: {0, 1} k {0, 1} n! {0, 1} n be a blockcipher. Let H: {0, 1} k {0, 1} 2n! {0, 1} n be defined by EKCXED #x.ii Alg H(K, x[1]x[2]) y E K (E K (x[1]) x[2]); Return y Ek ( Ek ( x[ itotxtz ] ) = Ekttklx ' a ] ) Ex 't D) Adversary A ( k ) Choose XEI ] set YTH = EIXID, xci, XIDF 'Ll ] ) # XIH aek(x' Ii ) ) return ( xtihih ], x ' 'Ll ] x 'M )
17 Alg SHA1(M) // M < 2 64 Toe SHA1 V SHF1( 5A k 6ED9EBA1 k 8F1BBCDC k CA62C1D6, M ) return V Alg SHF1(K, M) // K = 128 and M < 2 64 y shapad(m) Parse y as M 1 k M 2 k k M n where M i = 512 (1 apple i apple n) V k EFCDAB89 k 98BADCFE k k C3D2E1F0 for i =1,...,n do V shf1(k, M i k V ) return V function M ' = shaped ( M ) 1 f t#dt an M MZ,. v -... Alg shapad(m) // M < 2 64 d (447 M ) mod 512 Let ` be the 64-bit binary representation of M y M k 1 k 0 d k ` // y is a multiple of 512 return y
18 shf1 Alg shf1(k, B k V ) // K = 128, B = 512 and V = 160 Parse B as W 0 k W 1 k k W 15 where W i = 32 (0 apple i apple 15) Parse V as V 0 k V 1 k k V 4 where V i = 32 (0 apple i apple 4) Parse K as K 0 k K 1 k K 2 k K 3 where K i = 32 (0 apple i apple 3) for t = 16 to 79 do W t ROTL 1 (W t 3 W t 8 W t 14 W t 16 ) A V 0 ; B V 1 ; C V 2 ; D V 3 ; E V 4 for t = 0 to 19 do L t K 0 ; L t+20 K 1 ; L t+40 K 2 ; L t+60 K 3 for t = 0 to 79 do if (0 apple t apple 19) then f (B ^ C) _ (( B) ^ D) if (20 apple t apple 39 OR 60 apple t apple 79) then f B C D if (40 apple t apple 59) then f (B ^ C) _ (B ^ D) _ (C ^ D) temp ROTL 5 (A)+f + E + W t + L t E D ; D C ; C ROTL 30 (B); B A ; A temp V 0 V 0 +A ; V 1 V 1 +B ; V 2 V 2 +C ; V 3 V 3 +D ; V 4 V 4 +E V V 0 k V 1 k V 2 k V 3 k V 4 ; return V
19 SHA3 Selected October 2012 as winner of NIST competition
20 SHA3 Selected October 2012 as winner of NIST competition NOT Merkle-Damgard, uses sponge construction
21 SHA3 Selected October 2012 as winner of NIST competition NOT Merkle-Damgard, uses sponge construction Natively supports variable-length output
22 Sponge Function 9 9 g q Figure 8.11: The sponge construction Input: M 2 {0, 1} applel and ` > 0 Output: a tag h 2 {0, 1} v // Absorbing stage Pad M and break into r-bit blocks m 1,...,m s h for i 0 n 1tos do m 0 i m i k 0 c 2 {0, 1} n h (h m 0 i ) // Squeezing stage z h[0.. r 1] for i 1todv/re do h (h) z z k (h[0.. r 1]) output z[0.. v 1]
23 Applications Killer app: Hash before sign
24 Applications Killer app: Hash before sign Used both in security and non-security applications
25 Applications Killer app: Hash before sign Used both in security and non-security applications Password verification
26 Applications Killer app: Hash before sign Used both in security and non-security applications Password verification Compare-by-Hash
27 Applications Killer app: Hash before sign Used both in security and non-security applications Password verification Compare-by-Hash Virus protection
28 Applications Killer app: Hash before sign Used both in security and non-security applications Password verification Compare-by-Hash Virus protection
29 Birthday Attack Let H : {0, 1} k D! {0, 1} n. adversary A(K) for i =1,...,q do x i $ D ; y i H K (x i ) if 9i, j (i 6= j and y i = y j and x i 6= x j ) then return x i, x j else return FAIL
30 Analysis Let H : {0, 1} k D! {0, 1} n. adversary A(K) for i =1,...,q do x i $ D ; y i H K (x i ) if 9i, j (i 6= j and y i = y j and x i 6= x j ) then return x i, x j else return FAIL What is the probability that this attack finds a collision? adversary A(K) for i =1,...,q do x i $ D ; y i H K (x i ) if 9i, j (i 6= j and y i = y j ) then COLL true We have dropped things that don t much a ect the advantage and focused on success probability. So we want to know what is Pr [COLL].
31 Choose points at random from range Birthday choose points at random from domain E Adversary A, hash them for i =1,...,q do for i =1,...,q do y $ i {0, 1} n x $ ttrvtfandon i D ; y i H K (x i ) if 9i, j (i 6= j and y i = y j ) then if 9i, j(i 6= j and y i = y j ) then COLL true COLL true Pr [COLL] = C(2 n, q) Pr [COLL] =? Are the two collision probabilities the same?
32 Regularity We say that H : {0, 1} k D! {0, 1} n is regular if every range point has the same number of pre-images under H K.Thatisifwelet then H is regular if H 1 K (y) ={x 2 D : H K (x) =y} H 1 D K (y) = 2 n for all K and y. In this case the following processes both result in a random output Process 1 y $ {0, 1} n return y Process 2 x $ D; y $ H K (x) return y
33 If H: {0, 1} k D! {0, 1} n is regular then the birthday attack finds a collision in about 2 n/2 trials. If H is not regular, the attack may succeed sooner. So we want functions to be close to regular. It seems MD4, MD5, SHA1, SHA2, SHA3,... have this property.
34 Birthday attack times Function n T B MD MD SHA SHA SHA SHA SHA Muff} deignedby 7990 's hash output is 128 bits. SHAI hash output is 160 bits T B is the number of trials to find collisions via a birthday attack. M 5I*s{ tp Ps*,., Y '
35 Compression Functions A compression function is a family h : {0, 1} k {0, 1} b+n! {0, 1} n of hash functions whose inputs are of a fixed size b + n, whereb is called the block size. E.g. b = 512 and n = 160, in which case h : {0, 1} k {0, 1} 672! {0, 1} 160 x v h K h K (x k v)
36 MD Transform Merkle - Damgoird Design principle: To build a CR hash function where D = {0, 1} apple264 : H : {0, 1} k D! {0, 1} n First build a CR compression function h : {0, 1} k {0, 1} b+n! {0, 1} n. Appropriately iterate h to get H, usingh to hash block-by-block.
37 Setup Assume for simplicity that M is a multiple of b. Let kmk b be the number of b-bit blocks in M, andwrite M = M[1]...M[`] where` = kmk b. hii denote the b-bit binary representation of i 2 {0,...,2 b 1}. D be the set of all strings of at most 2 b 1 blocks, so that kmk b 2 {0,...,2 b 1} for any M 2 D, andthuskmk b can be encoded as above.
38 The Transform Given: Compression function h : {0, 1} k {0, 1} b+n! {0, 1} n. Build: Hash function H : {0, 1} k D! {0, 1} n. Algorithm H K (M) m kmk b ; M[m + 1] hmi ; V [0] 0 n For i =1,...,m +1dov[i] h K (M[i] V [i 1]) Return V [m + 1] M M ' Hm#Hill ; M[1] M[2] o h2i iv. h 0 n K t A h K h K H K (M) chtainirgvaivbll If SHAI this is Not on
39 MD preserves CR Assume h is CR H is built from h using MD Then H is CR too! This means No need to attack H! You won t find a weakness in it unless h has one H is guaranteed to be secure assuming h is. For this reason, MD is the design used in many current hash functions. Newer hash functions use other iteration methods with analogous properties.
40 The Theorem Theorem: Let h : {0, 1} k {0, 1} b+n! {0, 1} n be a family of functions and let H : {0, 1} k D! {0, 1} n be obtained from h via the MD transform. Given a cr-adversary A H we can build a cr-adversary A h such that Adv cr 2 H (A H) apple Adv cr h (A h) + -. and the running time of A h is that of A H plus the time for computing h on the outputs of A H. Implication: h CR ) Adv cr h (A h)small ) Adv cr H (A H)small ) H CR
41 Proof
42 6 Case 1 k k k k Let x 1 = h2i V 1 [2] and x 2 = h1i V 2 [1]. Then h K (x 1 )=h K (x 2 )becauseh K (M 1 )=H K (M 2 ). But x 1 6= x 2 because h1i 6= h2i.
43 Case 2 k k k k a #. : x 1 h2i V 1 [2] ; x 2 h2i V 2 [2] If x 1 6= x 2 then return x 1, x 2 Else // V 1 [2] = V 2 [2] x 1 M 1 [2] V 1 [1] ; x 2 M 2 [2] V 2 [1] If x 1 6= x 2 then return x 1, x 2 Else // V 1 [1] = V 2 [1] x 1 M 1 [1] 0 n ; x 2 M 2 [1] 0 n Return x 1, x 2 Mihir Bellare UCSD
44 Joux s Attack
45 Joux s Attack random functions may lead to incorrect conclusions when applied to a Merkle-Damgård function. We say that an s-collision for a hash function H is a set of messages M 1,...,M s 2 M such that H(M 1 )=...= H(M s ). Joux showed how to find an s-collision for a Merkle-Damgård function in time O((log 2 s) X 1/2 ). Using Joux s method we can find a 2 n/2 -collision M 1,...,M 2 n/2 for H 1 in time O(n2 n/2 ). Then, by the birthday paradox it is likely that two of these messages, say M i,m j, are also a collision for H 2. This pair M i,m j is a collision for both H 1 and H 2 and therefore a collision for H 12. It was found in time O(n2 n/2 ), as promised.
46 v = ExitI Compression Function from Blockcipher: An Example Let E : {0, 1} b {0, 1} n! {0, 1} n be a block cipher. Let us design keyless compression function h : {0, 1} b+n! {0, 1} n by h(x v) =E x (v) Is H collision resistant? Ex Cu ) = Ex Cv ' ) Extil )
47 Davies-Meyer y := m i 2 K L t i := E(m i, t i 1 ) t i 1 2 X x := t i 1 E Figure 8.6: The Davies-Meyer compression function h ( xlly Ey = ) ( x ) # Eyfx ) ox = Ey, ( x ' ) ox ' Ey ( ) = = Eye ' Ey, ( x, ( x ' / ox fty ' ) ax ' ' A X 8 x )
48 Other Examples Davies-Meyer variants. The Davies-Meyer construction is not unique. Many other similar methods can convert a block cipher into a collision resistant compression function. For example, one could use Matyas-Meyer-Oseas: h 1 (x, y) := E(x, y) y Miyaguchi-Preneel: h 2 (x, y) := E(x, y) y x Or even: h 3 (x, y) := E(x y, y) y or many other such variants. Preneel et al. [89] give twelve di erent variants that can be shown to be collision resistant.
49 Davies-Meyer Security A Theorem 8.4 (Davies-Meyer). Let h DM be the Davies-Meyer hash function derived from a block cipher E =(E,D) defined over (K, X ), where X is large. Then h DM is collision resistant in the ideal cipher model. In particular, every collision finding adversary A that issues at most q ideal-cipher queries will satisfy CR ic adv[a,h DM ] apple (q + 1)(q + 2)/ X.
50 Proof
51 Cryptanalysis So far we have looked at attacks that do not attempt to exploit the structure of H. Can we do better than birthday if we do exploit the structure? Ideally not, but functions have fallen short!
52 MD5 Designed by Ron Rivest in the early 1990s and still widely used.
53 MD5 Designed by Ron Rivest in the early 1990s and still widely used. Collisions can be found in under a minute [WaFeLaYu,LeWadW,KI]
54 MD5 Designed by Ron Rivest in the early 1990s and still widely used. Collisions can be found in under a minute [WaFeLaYu,LeWadW,KI] Can find two Win32 executables whose MD5 hashes collide (break virus protection)
55 MD5 Designed by Ron Rivest in the early 1990s and still widely used. Collisions can be found in under a minute [WaFeLaYu,LeWadW,KI] Can find two Win32 executables whose MD5 hashes collide (break virus protection) Can break deployed cryptographic protocols
56 SHA1
57 SHA3 Theorem 8.6. Let H be the hash function obtained from a permutation : {0, 1} n! {0, 1} n,with capacity c, rater (so n = r + c), and output length v apple r. In the ideal permutation model, where is modeled as a random permutation, the hash function H is collision resistant, assuming 2 v and 2 c are super-poly. In particular, for every collision finding adversary A, if the number of ideal-permutation queries plus the number of r-bit blocks in the output messages of A is bounded by q, then CR ic adv[a,h] apple q(q 1) 2 v + q(q + 1) 2 c.
HASH FUNCTIONS. Mihir Bellare UCSD 1
HASH FUNCTIONS Mihir Bellare UCSD 1 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant
More informationHASH FUNCTIONS 1 /62
HASH FUNCTIONS 1 /62 What is a hash function? By a hash function we usually mean a map h : D {0,1} n that is compressing, meaning D > 2 n. E.g. D = {0,1} 264 is the set of all strings of length at most
More informationChapter 5. Hash Functions. 5.1 The hash function SHA1
Chapter 5 Hash Functions A hash function usually means a function that compresses, meaning the output is shorter than the input. Often, such a function takes an input of arbitrary or almost arbitrary length
More informationHash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.
Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationOnline Cryptography Course. Collision resistance. Introduc3on. Dan Boneh
Online Cryptography Course Collision resistance Introduc3on Recap: message integrity So far, four MAC construc3ons: PRFs ECBC- MAC, CMAC : commonly used with AES (e.g. 802.11i) NMAC : basis of HMAC (this
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationMessage Authentication. Adam O Neill Based on
Message Authentication Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Authenticity and Integrity - Message actually comes from. claimed Sender - Message was not modified in transit ' Electronic
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More information12 Hash Functions Defining Security
12 Hash Functions A hash function is any function that takes arbitrary-length input and has fixed-length output, so H : {0, 1} {0, 1} n. Think of H (m) as a fingerprint of m. Calling H (m) a fingerprint
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationSecurity of Permutation-based Compression Function lp231
Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 10, 2008 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Jonathan Voris, Md. Borhan Uddin 1 Recap 1.1 MACs A message authentication code (MAC)
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationAttacks on hash functions: Cat 5 storm or a drizzle?
Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005 1 Outline Hash functions: Definitions Constructions Attacks What to do 2 Outline
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationProvably Secure Double-Block-Length Hash Functions in a Black-Box Model
Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationSecurity without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationCPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions
CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary
More informationOnline Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh
Online Cryptography Course Message integrity Message Auth. Codes Message Integrity Goal: integrity, no confiden>ality. Examples: Protec>ng public binaries on disk. Protec>ng banner ads on web pages. Message
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationCryptography CS 555. Topic 13: HMACs and Generic Attacks
Cryptography CS 555 Topic 13: HMACs and Generic Attacks 1 Recap Cryptographic Hash Functions Merkle-Damgård Transform Today s Goals: HMACs (constructing MACs from collision-resistant hash functions) Generic
More informationCryptographic Hashes. Yan Huang. Credits: David Evans, CS588
Cryptographic Hashes Yan Huang Credits: David Evans, CS588 Recap: CPA 1. k KeyGen(1 n ). b {0,1}. Give Enc(k, ) to A. 2. A chooses as many plaintexts as he wants, and receives the corresponding ciphertexts
More informationBLOCK CIPHERS KEY-RECOVERY SECURITY
BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationLecture 10: NMAC, HMAC and Number Theory
CS 6903 Modern Cryptography April 13, 2011 Lecture 10: NMAC, HMAC and Number Theory Instructor: Nitesh Saxena Scribes: Anand Desai,Manav Singh Dahiya,Amol Bhavekar 1 Recap 1.1 MACs A Message Authentication
More informationProvable Seconde Preimage Resistance Revisited
Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationSymmetric Encryption. Adam O Neill based on
Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter - Correctness Pr [ NCK,
More informationCollapsing sponges: Post-quantum security of the sponge construction
Collapsing sponges: Post-quantum security of the sponge construction Dominique Unruh University of Tartu March 27, 2017 Abstract We investigate the post-quantum security of hash functions based on the
More informationMessage Authentication Codes (MACs) and Hashes
Message Authentication Codes (MACs) and Hashes David Brumley dbrumley@cmu.edu Carnegie Mellon University Credits: Many slides from Dan Boneh s June 2012 Coursera crypto class, which is awesome! Recap so
More informationLecture 24: MAC for Arbitrary Length Messages. MAC Long Messages
Lecture 24: MAC for Arbitrary Length Messages Recall Previous lecture, we constructed MACs for fixed length messages The GGM Pseudo-random Function (PRF) Construction Given. Pseudo-random Generator (PRG)
More informationSPCS Cryptography Homework 13
1 1.1 PRP For this homework, use the ollowing PRP: E(k, m) : {0, 1} 3 {0, 1} 3 {0, 1} 3 000 001 010 011 100 101 110 111 m 000 011 001 111 010 000 101 110 100 001 101 110 010 000 111 100 001 011 010 001
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationHigher Order Universal One-Way Hash Functions
Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr
More informationNetwork Security: Hashes
1 Network Security: Hashes Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 cfl1999-2000, Henning Schulzrinne Last modified October 5, 2000 2
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationGeneral Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity
General Distinguishing Attacks on MAC and HMAC with Birthday Attack Complexity Donghoon Chang 1 and Mridul andi 2 1 Center or Inormation Security Technologies(CIST), Korea University, Korea dhchang@cist.korea.ac.kr
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More information3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function
3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function Praveen Gauravaram 1, William Millan 1, Juanma Gonzalez Neito 1, Edward
More informationLinearization and Message Modification Techniques for Hash Function Cryptanalysis
Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationBounded Pre-Image Awareness and the Security of Hash-Tree Keyless Signatures
Bounded Pre-Image Awareness and the Security of Hash-Tree Keyless Signatures Ahto Buldas 1,,, Risto Laanoja 1,, Peeter Laud 3, and Ahto Truu 1 1 GuardTime AS, Tammsaare tee 60, 11316 Tallinn, Estonia.
More informationAttacks on hash functions. Birthday attacks and Multicollisions
Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
New Proofs for NMAC and HMAC: Security without Collision-Resistance Mihir Bellare Dept. of Computer Science & Engineering 0404, University of California San Diego 9500 Gilman Drive, La Jolla, CA 92093-0404,
More informationHash Function Balance and its Impact on Birthday Attacks
Hash Function Balance and its Impact on Birthday Attacks Mihir Bellare 1 and Tadayoshi Kohno 1 Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman Drive, La Jolla,
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationHow to Build a Hash Function from any Collision-Resistant Function
A preliminary version of this paper appears in Advances in Cryptology ASIACRYPT 07, Lecture Notes in Computer Science Vol. 4833, pp. 147 163, K. Kurosawa ed., Springer-Verlag, 2007. This is the full version.
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationHenning Schulzrinne Columbia University, New York Columbia University, Fall 2000
1 Network Security: Hashes Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 cfl1999-2000, Henning Schulzrinne Last modified October 5, 2000 Slide
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationThe Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function
The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function J. Black July 1, 2005 Abstract The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationProvable Chosen-Target-Forced-Midx Preimage Resistance
Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationAdaptive Preimage Resistance and Permutation-based Hash Functions
daptive Preimage Resistance and Permutation-based ash Functions Jooyoung Lee, Je ong Park The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More information