HASH FUNCTIONS. Mihir Bellare UCSD 1
|
|
- Joleen Marsh
- 6 years ago
- Views:
Transcription
1 HASH FUNCTIONS Mihir Bellare UCSD 1
2 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant data compression, but they have many other purposes and properties as well. A good hash function is often treated like a magic wand... Mihir Bellare UCSD 2
3 Collision resistance (CR) Definition: A collision for a function h : D {0, 1} n is a pair x 1, x 2 D of points such that h(x 1 ) = h(x 2 ) but x 1 x 2. If D > 2 n then the pigeonhole principle tells us that there must exist a collision for h. Mihir Bellare UCSD 3
4 Collision resistance (CR) Definition: A collision for a function h : D {0, 1} n is a pair x 1, x 2 D of points such that h(x 1 ) = h(x 2 ) but x 1 x 2. If D > 2 n then the pigeonhole principle tells us that there must exist a collision for h. Mihir Bellare UCSD 4
5 Collision resistance (CR) Definition: A collision for a function h : D {0, 1} n is a pair x 1, x 2 D of points such that h(x 1 ) = h(x 2 ) but x 1 x 2. If D > 2 n then the pigeonhole principle tells us that there must exist a collision for h. We want that even though collisions exist, they are hard to find. Mihir Bellare UCSD 5
6 Collision-resistance of a function family The formalism considers a family H : Keys(H) D R of functions, meaning for each K Keys(H) we have a map H K : D R defined by H K (x) = H(K, x). Game CR H procedure Initialize K $ Keys(H) Return K procedure Finalize(x 1, x 2 ) If (x 1 = x 2 ) then return false If (x 1 D or x 2 D) then return false Return (H K (x 1 ) = H K (x 2 )) Let Adv cr H (A) = Pr [ CR A H true ]. Mihir Bellare UCSD 6
7 Collision-resistance Game CR H procedure Initialize K $ Keys(H) Return K procedure Finalize(x 1, x 2 ) If (x 1 = x 2 ) then return false If (x 1 D or x 2 D) then return false Return (H K (x 1 ) = H K (x 2 )) The Return statement in Initialize means that the adversary A gets K as input. The key K here is not secret! Adversary A takes K and tries to output a collision x 1, x 2 for H K. A s output is the input to Finalize, and the game returns true if the collision is valid. Mihir Bellare UCSD 7
8 Example Let E: {0, 1} k {0, 1} n {0, 1} n be a blockcipher. Let H: {0, 1} k {0, 1} 2n {0, 1} n be defined by Alg H(K, x[1]x[2]) y E K (E K (x[1]) x[2]); Return y Let s show that H is not collision-resistant by giving an efficient adversary A such that Adv cr H (A) = 1. Mihir Bellare UCSD 8
9 Example Let E: {0, 1} k {0, 1} n {0, 1} n be a blockcipher. Let H: {0, 1} k {0, 1} 2n {0, 1} n be defined by Alg H(K, x[1]x[2]) y E K (E K (x[1]) x[2]); Return y Let s show that H is not collision-resistant by giving an efficient adversary A such that Adv cr H (A) = 1. Idea: Pick x 1 = x 1 [1]x 1 [2] and x 2 = x 2 [1]x 2 [2] so that E K (x 1 [1]) x 1 [2] = E K (x 2 [1]) x 2 [2] Mihir Bellare UCSD 9
10 Example Alg H(K, x[1]x[2]) y E K (E K (x[1]) x[2]); Return y Idea: Pick x 1 = x 1 [1]x 1 [2] and x 2 = x 2 [1]x 2 [2] so that adversary A(K) E K (x 1 [1]) x 1 [2] = E K (x 2 [1]) x 2 [2] x 1 0 n 1 n ; x 2 [2] 0 n ; x 2 [1] E 1 K (E K (x 1 [1]) x 1 [2] x 2 [2]) return x 1, x 2 Then Adv cr H (A) = 1 and A is efficient, so H is not CR. Note how we used the fact that A knows K and the fact that E is a blockcipher! Mihir Bellare UCSD 10
11 Exercise Let E: {0, 1} k {0, 1} l {0, 1} l be a blockcipher. Let D be the set of all strings whose length is a positive multiple of l. Define the hash function H: {0, 1} k D {0, 1} l as follows: Alg H(K, M) M[1]M[2]... M[n] M C[0] 0 l For i = 1,..., n do B[i] E(K, C[i 1] M[i]); C[i] E(K, B[i] M[i]) Return C[n] Show that H is not CR by giving an efficient adversary A such that (A) = 1. Adv cr H Mihir Bellare UCSD 11
12 Keyless hash functions We say that H: Keys(H) D R is keyless if Keys(H) = {ε} consists of just one key, the empty string. In this case we write H(x) in place of H(ε, x) or H ε (x). Practical hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are keyless. Mihir Bellare UCSD 12
13 SHA1 Alg SHA1(M) // M < 2 64 V SHF1( 5A ED9EBA1 8F1BBCDC CA62C1D6, M ) return V Alg SHF1(K, M) // K = 128 and M < 2 64 y shapad(m) Parse y as M 1 M 2 M n where M i = 512 (1 i n) V EFCDAB89 98BADCFE C3D2E1F0 for i = 1,..., n do V shf1(k, M i V ) return V Alg shapad(m) // M < 2 64 d (447 M ) mod 512 Let l be the 64-bit binary representation of M y M 1 0 d l // y is a multiple of 512 return y Mihir Bellare UCSD 13
14 shf1 Alg shf1(k, B V ) // K = 128, B = 512 and V = 160 Parse B as W 0 W 1 W 15 where W i = 32 (0 i 15) Parse V as V 0 V 1 V 4 where V i = 32 (0 i 4) Parse K as K 0 K 1 K 2 K 3 where K i = 32 (0 i 3) for t = 16 to 79 do W t ROTL 1 (W t 3 W t 8 W t 14 W t 16 ) A V 0 ; B V 1 ; C V 2 ; D V 3 ; E V 4 for t = 0 to 19 do L t K 0 ; L t+20 K 1 ; L t+40 K 2 ; L t+60 K 3 for t = 0 to 79 do if (0 t 19) then f (B C) (( B) D) if (20 t 39 OR 60 t 79) then f B C D if (40 t 59) then f (B C) (B D) (C D) temp ROTL 5 (A) + f + E + W t + L t E D ; D C ; C ROTL 30 (B) ; B A ; A temp V 0 V 0 +A ; V 1 V 1 +B ; V 2 V 2 +C ; V 3 V 3 +D ; V 4 V 4 +E V V 0 V 1 V 2 V 3 V 4 ; return V Mihir Bellare UCSD 14
15 SHA1 calculator Mihir Bellare UCSD 15
16 Applications of hash functions The killer-app is hashing before digitally signing, but we ll discuss a few others: primitive in cryptographic schemes tool for security applications tool for non-security applications Mihir Bellare UCSD 16
17 Password verification Client A has a password PW that is also held by server B A authenticates itself by sending PW to B over a secure channel (TLS) A PW PW B PW Problem: The password will be found by an attacker who compromises the server. Mihir Bellare UCSD 17
18 Password verification Client A has a password PW and server stores PW = H(PW ). A sends PW to B (over a secure channel) and B checks that H(PW ) = PW A PW PW B PW Server compromise results in attacker getting PW which should not reveal PW as long as H is one-way, which we will see is a consequence of collision-resistance. But we will revisit this when we consider dictionary attacks! Mihir Bellare UCSD 18
19 File comparision A has a large file F A and B has a large file F B. For example, music collections. They want to know whether F A = F B A sends F A to B and B checks whether F A = F B A F A F A B F B Problem: Transmission could be slow. Mihir Bellare UCSD 19
20 Compare-by-hash A has a large file F A and B has a large file F B and they want to know whether F A = F B A computes h A = H(F A ) and sends it to B, and B checks whether h A = H(F B ). A F A h A B F B Collision-resistance of H guarantees that B does not accept if F A F B! Mihir Bellare UCSD 20
21 Virus protection An executable may be available at lots of sites S 1, S 2,..., S N. Which one can you trust? Provide a safe way to get the hash h = H(X ) of the correct executable X. Download an executable from anywhere, and check hash. Mihir Bellare UCSD 21
22 Birthday attacks Let H : {0, 1} k D {0, 1} n be a family of functions with D > 2 n. The q-trial birthday attack finds a collision with probability about q 2 2 n+1. So a collision can be found in about q = 2 n+1 2 n/2 trials. Mihir Bellare UCSD 22
23 Recall Birthday Problem $ for i = 1,..., q do y i {0, 1} n if i, j (i j and y i = y j ) then COLL true Pr [COLL] = C(2 n, q) q2 2 n+1 Mihir Bellare UCSD 23
24 Birthday attack Let H : {0, 1} k D {0, 1} n. adversary A(K) $ for i = 1,..., q do x i D ; y i H K (x i ) if i, j (i j and y i = y j and x i x j ) then return x i, x j else return FAIL Mihir Bellare UCSD 24
25 Analysis of birthday attack Let H : {0, 1} k D {0, 1} n. adversary A(K) $ for i = 1,..., q do x i D ; y i H K (x i ) if i, j (i j and y i = y j and x i x j ) then return x i, x j else return FAIL What is the probability that this attack finds a collision? adversary A(K) $ for i = 1,..., q do x i D ; y i H K (x i ) if i, j (i j and y i = y j ) then COLL true We have dropped things that don t much affect the advantage and focused on success probability. So we want to know what is Pr [COLL]. Mihir Bellare UCSD 25
26 Analysis of birthday attack Birthday for i = 1,..., q do $ y i {0, 1} n if i, j (i j and y i = y j ) then COLL true Adversary A for i = 1,..., q do $ x i D ; y i H K (x i ) if i, j(i j and y i = y j ) then COLL true Pr [COLL] = C(2 n, q) Pr [COLL] =? Are the two collision probabilities the same? Mihir Bellare UCSD 26
27 Analysis of birthday attack Birthday for i = 1,..., q do $ y i {0, 1} n if i, j (i j and y i = y j ) then COLL true Adversary A for i = 1,..., q do $ x i D ; y i H K (x i ) if i, j(i j and y i = y j ) then COLL true Pr [COLL] = C(2 n, q) Pr [COLL] =? Are the two collision probabilities the same? Not necessarily, because $ on the left y i {0, 1} n $ on the right x i D ; y i H K (x i ) Mihir Bellare UCSD 27
28 Analysis of birthday attack We say that H : {0, 1} k D {0, 1} n is regular if every range point has the same number of pre-images under H K. That is if we let then H is regular if H 1 K (y) = {x D : H K (x) = y} H 1 D K (y) = 2 n for all K and y. In this case the following processes both result in a random output Process 1 y $ {0, 1} n return y Process 2 x $ D; y $ H K (x) return y Mihir Bellare UCSD 28
29 Analysis of birthday attack If H: {0, 1} k D {0, 1} n is regular then the birthday attack finds a collision in about 2 n/2 trials. Mihir Bellare UCSD 29
30 Analysis of birthday attack If H: {0, 1} k D {0, 1} n is regular then the birthday attack finds a collision in about 2 n/2 trials. If H is not regular, the attack may succeed sooner. So we want functions to be close to regular. It seems MD4, MD5, SHA1, SHA2, SHA3,... have this property. Mihir Bellare UCSD 30
31 Birthday attack times Function n T B MD MD SHA SHA SHA SHA SHA T B is the number of trials to find collisions via a birthday attack. Mihir Bellare UCSD 31
32 Compression functions A compression function is a family h : {0, 1} k {0, 1} b+n {0, 1} n of hash functions whose inputs are of a fixed size b + n, where b is called the block size. E.g. b = 512 and n = 160, in which case h : {0, 1} k {0, 1} 672 {0, 1} 160 x v h K h K (x v) Mihir Bellare UCSD 32
33 The MD transform Design principle: To build a CR hash function where D = {0, 1} 264 : H : {0, 1} k D {0, 1} n First build a CR compression function h : {0, 1} k {0, 1} b+n {0, 1} n. Appropriately iterate h to get H, using h to hash block-by-block. Mihir Bellare UCSD 33
34 MD setup Assume for simplicity that M is a multiple of b. Let M b be the number of b-bit blocks in M, and write M = M[1]... M[l] where l = M b. i denote the b-bit binary representation of i {0,..., 2 b 1}. D be the set of all strings of at most 2 b 1 blocks, so that M b {0,..., 2 b 1} for any M D, and thus M b can be encoded as above. Mihir Bellare UCSD 34
35 MD transform Given: Compression function h : {0, 1} k {0, 1} b+n {0, 1} n. Build: Hash function H : {0, 1} k D {0, 1} n. Algorithm H K (M) m M b ; M[m + 1] m ; V [0] 0 n For i = 1,..., m + 1 do v[i] h K (M[i] V [i 1]) Return V [m + 1] M[1] M[2] 2 0 n h K h K h K H K (M) Mihir Bellare UCSD 35
36 MD preserves CR Assume h is CR H is built from h using MD Then H is CR too! This means No need to attack H! You won t find a weakness in it unless h has one H is guaranteed to be secure assuming h is. For this reason, MD is the design used in many current hash functions. Newer hash functions use other iteration methods with analogous properties. Mihir Bellare UCSD 36
37 MD preserves CR Theorem: Let h : {0, 1} k {0, 1} b+n {0, 1} n be a family of functions and let H : {0, 1} k D {0, 1} n be obtained from h via the MD transform. Given a cr-adversary A H we can build a cr-adversary A h such that Adv cr H (A H) Adv cr h (A h) and the running time of A h is that of A H plus the time for computing h on the outputs of A H. Implication: h CR Adv cr h (A h) small Adv cr H (A H) small H CR Mihir Bellare UCSD 37
38 How A h works Let (M 1, M 2 ) be the H K -collision returned by A H. The A h will trace the chains backwards to find an h k -collision. Mihir Bellare UCSD 38
39 Case 1: M 1 b M 2 b Let x 1 = 2 V 1 [2] and x 2 = 1 V 2 [1]. Then h K (x 1 ) = h K (x 2 ) because H K (M 1 ) = H K (M 2 ). But x 1 x 2 because 1 2. Mihir Bellare UCSD 39
40 Case 2: M 1 b = M 2 b x 1 2 V 1 [2] ; x 2 2 V 2 [2] If x 1 x 2 then return x 1, x 2 Mihir Bellare UCSD 40
41 Case 2: M 1 b = M 2 b x 1 2 V 1 [2] ; x 2 2 V 2 [2] If x 1 x 2 then return x 1, x 2 Else // V 1 [2] = V 2 [2] Mihir Bellare UCSD 41
42 Case 2: M 1 b = M 2 b x 1 2 V 1 [2] ; x 2 2 V 2 [2] If x 1 x 2 then return x 1, x 2 Else // V 1 [2] = V 2 [2] x 1 M 1 [2] V 1 [1] ; x 2 M 2 [2] V 2 [1] If x 1 x 2 then return x 1, x 2 Mihir Bellare UCSD 42
43 Case 2: M 1 b = M 2 b x 1 2 V 1 [2] ; x 2 2 V 2 [2] If x 1 x 2 then return x 1, x 2 Else // V 1 [2] = V 2 [2] x 1 M 1 [2] V 1 [1] ; x 2 M 2 [2] V 2 [1] If x 1 x 2 then return x 1, x 2 Else // V 1 [1] = V 2 [1] Mihir Bellare UCSD 43
44 Case 2: M 1 b = M 2 b x 1 2 V 1 [2] ; x 2 2 V 2 [2] If x 1 x 2 then return x 1, x 2 Else // V 1 [2] = V 2 [2] x 1 M 1 [2] V 1 [1] ; x 2 M 2 [2] V 2 [1] If x 1 x 2 then return x 1, x 2 Else // V 1 [1] = V 2 [1] x 1 M 1 [1] 0 n ; x 2 M 2 [1] 0 n Return x 1, x 2 Mihir Bellare UCSD 44
45 Exercise Let h: K {0, 1} 2b {0, 1} b be a compression function. Define H: K {0, 1} 4b {0, 1} b as follows: Alg H(K, M) M 1 M 2 M V 1 h(k, M 1 ); V 2 h(k, M 2 ) V h(k, V 1 V 2 ) return V Above, by M 1 M 2 M, we mean that M 1 is the first 2b bits of M and M 2 is the rest, so that M 1 = M 2 = 2b. Show that if h is collision-resistant then so is H. Do this by stating and proving an analogue of the Theorem above. Mihir Bellare UCSD 45
46 How are compression functions designed? Let E : {0, 1} b {0, 1} n {0, 1} n be a block cipher. Let us define keyless compression function h : {0, 1} b+n {0, 1} n by Question: Is H collision resistant? h(x v) = E x (v). Mihir Bellare UCSD 46
47 How are compression functions designed? Let E : {0, 1} b {0, 1} n {0, 1} n be a block cipher. Let us define keyless compression function h : {0, 1} b+n {0, 1} n by Question: Is H collision resistant? h(x v) = E x (v). We seek an adversary that outputs distinct x 1 v 1, x 2 v 2 satisfying E x1 (v 1 ) = E x2 (v 2 ). Mihir Bellare UCSD 47
48 How are compression functions designed? Let E : {0, 1} b {0, 1} n {0, 1} n be a block cipher. Let us define keyless compression function h : {0, 1} b+n {0, 1} n by Question: Is H collision resistant? h(x v) = E x (v). We seek an adversary that outputs distinct x 1 v 1, x 2 v 2 satisfying E x1 (v 1 ) = E x2 (v 2 ). Answer: NO, h is NOT collision-resistant, because the following adversary A has Adv cr h (A) = 1: adversary A x 1 0 b ; x 2 1 b ; v 1 0 n ; y E x1 (v 1 ) ; v 2 Ex 1 2 (y) Return x 1 v 1, x 2 v 2 Mihir Bellare UCSD 48
49 How are compression functions designed? Let E : {0, 1} b {0, 1} n {0, 1} n be a block cipher. Let us define keyless compression function h : {0, 1} b+n {0, 1} n by h(x v) = E x (v) v. The compression function of SHA1 is underlain in this way by a block cipher E : {0, 1} 512 {0, 1} 160 {0, 1} 160. The compression function of SHA256 is underlain in this way by a block cipher E : {0, 1} 512 {0, 1} 256 {0, 1} 256. Mihir Bellare UCSD 49
50 Cryptanalytic attacks So far we have looked at attacks that do not attempt to exploit the structure of H. Can we do better than birthday if we do exploit the structure? Ideally not, but functions have fallen short! Mihir Bellare UCSD 50
51 Cryptanalytic attacks against hash functions 1993,1996 : collisions found in compression function md5 of MD5 in 2 16 time [dbbo,do]. But these did not yield collisions for MD , 2005 : collisions found in RIPEMD, SHA0 [WaFeLaYu]. 2005, 2006: collisions can be found in MD5 in 1 minute [WaFeLaYu, LeWadW, Kl] 2015: collisions found in compression function sha1 of SHA1 [SKP]. But these do not yield collisions for SHA : collisions found for SHA1 in time [SBKAM] : Google, Microsoft and Mozilla browsers stop accepting SHA1-based certificates. Mihir Bellare UCSD 51
52 SHA1 collision Mihir Bellare UCSD 52
53 SHA1 collision news Mihir Bellare UCSD 53
54 SHA2 The SHA256 and SHA512 hash functions are still viewed as secure, meaning the best known attack is the birthday attack. These are based on the MD paradigm we discussed above. Mihir Bellare UCSD 54
55 SHA3 National Institute for Standards and Technology (NIST) held a world-wide competition to develop a new hash function standard. Contest webpage: Requested parameters: Design: Family of functions with 224, 256, 384, 512 bit output sizes Security: CR, one-wayness, near-collision resistance, others... Efficiency: as fast or faster than SHA2-256 Mihir Bellare UCSD 55
56 SHA3 Submissions: 64 Round 1: 51 Round 2: 14: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grostl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, Skein. Finalists: 5: BLAKE, Grostl, JH, Keccak, Skein. SHA3: 1: Keccak Mihir Bellare UCSD 56
57 SHA3: The Sponge construction f : {0, 1} r+c {0, 1} r+c is a (public, invertible!) permutation. d is the number of output bits, and c = 2d. SHA3 does not use the MD paradigm used by SHA1 and SHA2. Shake(M, d) Extendable-output function, returning any given number d of bits. Mihir Bellare UCSD 57
HASH FUNCTIONS 1 /62
HASH FUNCTIONS 1 /62 What is a hash function? By a hash function we usually mean a map h : D {0,1} n that is compressing, meaning D > 2 n. E.g. D = {0,1} 264 is the set of all strings of length at most
More informationHash Functions. Adam O Neill Based on
Hash Functions Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Where we are We ve seen a lower-level primitive (blockciphers) and a higher-level primitive (symmetric encryption) Where we are
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationChapter 5. Hash Functions. 5.1 The hash function SHA1
Chapter 5 Hash Functions A hash function usually means a function that compresses, meaning the output is shorter than the input. Often, such a function takes an input of arbitrary or almost arbitrary length
More informationHash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.
Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1
More informationBLOCK CIPHERS KEY-RECOVERY SECURITY
BLOCK CIPHERS and KEY-RECOVERY SECURITY Mihir Bellare UCSD 1 Notation Mihir Bellare UCSD 2 Notation {0, 1} n is the set of n-bit strings and {0, 1} is the set of all strings of finite length. By ε we denote
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More information12 Hash Functions Defining Security
12 Hash Functions A hash function is any function that takes arbitrary-length input and has fixed-length output, so H : {0, 1} {0, 1} n. Think of H (m) as a fingerprint of m. Calling H (m) a fingerprint
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationSHA-1 Algorithm. Pre-process the message pad and end with size: One bit of '1' following message. Pad with 0's to within 64 bits of end of block
Hash Algorithms Hash Algorithms Driven by the slowness of RSA in signing a message. The idea was to create (relatively fast) a digest of a message and sign that. This was the origin of MD and MD2 algorithms
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationSecurity without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2010-2011 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 11th 2010 1 / 61 Last Time (I) Security
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationCLASSICAL ENCRYPTION. Mihir Bellare UCSD 1
CLASSICAL ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: (Adversary) Mihir Bellare UCSD 2 Correct decryption requirement For all K, M
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More information2: Iterated Cryptographic Hash Functions
2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationMessage Authentication. Adam O Neill Based on
Message Authentication Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Authenticity and Integrity - Message actually comes from. claimed Sender - Message was not modified in transit ' Electronic
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationSecurity Properties of Domain Extenders for Cryptographic Hash Functions
Security Properties of Domain Extenders for Cryptographic Hash Functions Elena Andreeva, Bart Mennink, and Bart Preneel Abstract Cryptographic hash functions reduce inputs of arbitrary or very large length
More informationQuantum Preimage and Collision Attacks on CubeHash
Quantum Preimage and Collision Attacks on CubeHash Gaëtan Leurent University of Luxembourg, Gaetan.Leurent@uni.lu Abstract. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationOnline Cryptography Course. Collision resistance. Introduc3on. Dan Boneh
Online Cryptography Course Collision resistance Introduc3on Recap: message integrity So far, four MAC construc3ons: PRFs ECBC- MAC, CMAC : commonly used with AES (e.g. 802.11i) NMAC : basis of HMAC (this
More informationIntroduction to Cryptography Lecture 4
Data Integrity, Message Authentication Introduction to Cryptography Lecture 4 Message authentication Hash functions Benny Pinas Ris: an active adversary might change messages exchanged between and M M
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationCryptanalysis of Luffa v2 Components
Cryptanalysis of Luffa v2 Components Dmitry Khovratovich 1, María Naya-Plasencia 2, Andrea Röck 3, and Martin Schläffer 4 1 University of Luxembourg, Luxembourg 2 FHNW, Windisch, Switzerland 3 Aalto University
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationHow to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland
How to Improve Rebound Attacks María Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationDesign Paradigms for Building Multi-Property Hash Functions
Design Paradigms or Building Multi-Property Hash Functions Thomas Ristenpart UCSD Security and Cryptography Lab Lorentz Workshop June, 2008 Multi-property hash unctions One hash unction with many security
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationCryptography CS 555. Topic 13: HMACs and Generic Attacks
Cryptography CS 555 Topic 13: HMACs and Generic Attacks 1 Recap Cryptographic Hash Functions Merkle-Damgård Transform Today s Goals: HMACs (constructing MACs from collision-resistant hash functions) Generic
More informationCryptographic Hashing
Innovation and Cryptoventures Cryptographic Hashing Campbell R. Harvey Duke University, NBER and Investment Strategy Advisor, Man Group, plc January 30, 2017 Campbell R. Harvey 2017 2 Overview Cryptographic
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationNetwork Security: Hashes
1 Network Security: Hashes Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 cfl1999-2000, Henning Schulzrinne Last modified October 5, 2000 2
More informationTitle of Presentation
The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition Title of Presentation Bart Preneel COSIC/Kath. Univ. Leuven (Belgium) Session ID: CRYP-202 Session Classification: Hash
More informationHash Function Balance and its Impact on Birthday Attacks
Hash Function Balance and its Impact on Birthday Attacks Mihir Bellare 1 and Tadayoshi Kohno 1 Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman Drive, La Jolla,
More informationDTTF/NB479: Dszquphsbqiz Day 27
DTTF/NB479: Dszquphsbqiz Day 27 Announceents: Questions? This week: Discrete Logs, Diffie-Hellan, ElGaal Hash Functions and SHA-1 Birthday attacks Hash Functions Message (long) Cryptographic hash Function,
More informationPublic-seed Pseudorandom Permutations EUROCRYPT 2017
Public-seed Pseudorandom Permutations Pratik Soni UC Santa Barbara Stefano Tessaro UC Santa Barbara EUROCRYPT 2017 Cryptographic schemes often built from generic building blocks Cryptographic schemes often
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationWhy not SHA-3? A glimpse at the heart of hash functions.
Why not SHA-3? A glimpse at the heart of hash functions. Alexis Breust, François Etcheverry June 18, 2013 Abstract. October 2012, the NIST (National Institute of Standards and Technology) hash function
More informationHash-based signatures & Hash-and-sign without collision-resistance
Hash-based signatures & Hash-and-sign without collision-resistance Andreas Hülsing 22.12.2016 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 22-12-2016
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationThe Hash Function Fugue
The Hash Function Fugue Shai Halevi William E. Hall Charanjit S. Jutla IBM T.J. Watson Research Center October 6, 2009 Abstract We describe Fugue, a hash function supporting inputs of length upto 2 64
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationImproved Zero-sum Distinguisher for Full Round Keccak-f Permutation
Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Ming Duan 12 and Xuejia Lai 1 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China. 2 Basic Courses
More informationFurther progress in hashing cryptanalysis
Further progress in hashing cryptanalysis Arjen K. Lenstra Lucent Technologies, Bell Laboratories February 26, 2005 Abstract Until further notice all new designs should use SHA-256. Existing systems using
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationDistinguishers for the Compression Function and Output Transformation of Hamsi-256
Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Jean-Philippe Aumasson Emilia Käsper Lars Ramkilde Knudsen Krystian Matusiewicz Rune Ødegård Thomas Peyrin Martin Schläffer
More informationLecture 24: MAC for Arbitrary Length Messages. MAC Long Messages
Lecture 24: MAC for Arbitrary Length Messages Recall Previous lecture, we constructed MACs for fixed length messages The GGM Pseudo-random Function (PRF) Construction Given. Pseudo-random Generator (PRG)
More informationHenning Schulzrinne Columbia University, New York Columbia University, Fall 2000
1 Network Security: Hashes Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 cfl1999-2000, Henning Schulzrinne Last modified October 5, 2000 Slide
More informationPractical consequences of the aberration of narrow-pipe hash designs from ideal random functions
Practical consequences of the aberration of narrow-pipe hash designs from ideal random functions Danilo Gligoroski 1 and Vlastimil Klima 2 1 Faculty of Information Technology, Mathematics and Electrical
More informationA Pseudo-Random Encryption Mode
A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationIntroduction to the Design and. Cryptanalysis of Cryptographic Hash Functions
Introduction to the Design and Bart Preneel KU Leuven - COSIC irstname.lastname@esat.kuleuven.be Title o Presentation Cryptanalysis o Cryptographic Hash Functions Design and Security o Cryptographic Functions,
More informationAttacks on hash functions. Birthday attacks and Multicollisions
Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater
More informationMessage-locked Encryption with File Update
Message-locked Encryption with File Update Suyash Kandele [ 2 5887 297] and Souradyuti Paul [ 1 544 9975] Indian Institute of Technology Bhilai, C.G., India {suyashk,souradyuti}@iitbhilai.ac.in Abstract.
More informationHash Function Balance and its Impact on Birthday Attacks
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 04, Lecture Notes in Computer Science Vol. 307, C. Cachin and J. Camenisch eds., Springer-Verlag, 004. This is the full version.
More informationMESSAGE AUTHENTICATION 1/ 103
MESSAGE AUTHENTICATION 1/ 103 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified in transit 2/ 103 Integrity and authenticity
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationSTRIBOB : Authenticated Encryption
1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationContributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions
Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions By Przemys law Szczepan Soko lowski A thesis submitted to Macquarie University for the degree of Doctor of Philosophy
More informationChapter 7: Signature Schemes. COMP Lih-Yuan Deng
Chapter 7: Signature Schemes COMP 7120-8120 Lih-Yuan Deng lihdeng@memphis.edu Overview Introduction Security requirements for signature schemes ElGamal signature scheme Variants of ElGamal signature scheme
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More information