Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Similar documents
Notes for Lecture 9. 1 Combining Encryption and Authentication

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Leftovers from Lecture 3

CPSC 467: Cryptography and Computer Security

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Week 12: Hash Functions and MAC

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Introduction to Information Security

Introduction to Cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Avoiding collisions Cryptographic hash functions. Table of contents

Exam Security January 19, :30 11:30

Foundations of Network and Computer Security

1 Number Theory Basics

Lecture 7: CPA Security, MACs, OWFs

5199/IOC5063 Theory of Cryptology, 2014 Fall

Authentication. Chapter Message Authentication

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Lecture 10 - MAC s continued, hash & MAC

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Katz, Lindell Introduction to Modern Cryptrography

Introduction to Cybersecurity Cryptography (Part 4)

Post-quantum security models for authenticated encryption

Introduction to Cybersecurity Cryptography (Part 4)

Avoiding collisions Cryptographic hash functions. Table of contents

Cryptographic Hash Functions

CPA-Security. Definition: A private-key encryption scheme

Lecture 1. Crypto Background

Foundations of Network and Computer Security

Question: Total Points: Score:

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

ASYMMETRIC ENCRYPTION

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Introduction to Cryptography Lecture 4

The Advanced Encryption Standard

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Foundations of Network and Computer Security

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Block Ciphers/Pseudorandom Permutations

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

ECS 189A Final Cryptography Spring 2011

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Message Authentication Codes (MACs) and Hashes

CPSC 467: Cryptography and Computer Security

Attacks on hash functions. Birthday attacks and Multicollisions

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Historical cryptography. cryptography encryption main applications: military and diplomacy

Lecture 5, CPA Secure Encryption from PRFs

Attacks on hash functions: Cat 5 storm or a drizzle?

Lecture 14: Cryptographic Hash Functions

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

CPSC 467: Cryptography and Computer Security

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

New Attacks on the Concatenation and XOR Hash Combiners

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Modern Cryptography Lecture 4

Lecture 18: Message Authentication Codes & Digital Signa

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

12 Hash Functions Defining Security

AURORA: A Cryptographic Hash Algorithm Family

Cryptography and Security Final Exam

Dan Boneh. Introduction. Course Overview

1 Cryptographic hash functions

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Cryptography and Security Final Exam

has the solution where M = Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q);

Known and Chosen Key Differential Distinguishers for Block Ciphers

Public-key Cryptography: Theory and Practice

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Symmetric Crypto Systems

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Lecture 10: NMAC, HMAC and Number Theory

Symmetric Crypto Systems

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

Scribe for Lecture #5

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Modern symmetric-key Encryption

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

BEYOND POST QUANTUM CRYPTOGRAPHY

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

SPCS Cryptography Homework 13

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

CTR mode of operation

Lecture 1: Introduction to Public key cryptography

On High-Rate Cryptographic Compression Functions

Solution of Exercise Sheet 7

1 Cryptographic hash functions

An introduction to Hash functions

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

Transcription:

Cryptographic Hashes Yan Huang Credits: David Evans, CS588

Recap: CPA 1. k KeyGen(1 n ). b {0,1}. Give Enc(k, ) to A. 2. A chooses as many plaintexts as he wants, and receives the corresponding ciphertexts via Enc(k, ). 3. A picks two plaintexts M 0 and M 1. (Picking plaintexts for which A previously learned ciphertexts is allowed!) 4. A receives the ciphertext of M b, and continues to have accesses to Enc(k, ). 5. A outputs b. A wins if b =b. 2

Recap: CPA Challenger. Adversary A k K, b {0,1} for i=1,,q, CPA query: m i,0, m i,1 M : m i,0 = m i,1 c i E(k, m i,b ) m 0, m 1 M : m 0 = m 1 c E(k, m b ) m i,0, m i,1 M : m i,0 = m i,1 c i E(k, m i,b ) For all efficient adversary A, Pr[ b=b ] - 1/2 is negligible. b {0,1}

Recap: Message Integrity Game 1. k Gen(1 n ). 2. A is given polynomial time and an oracle access to query Mac(k, ). Let t i =Mac(k, m i ) and Q={(m 1, t 1 ),, (m q, t q )}. 3. A outputs (m, t). A wins the game if Vrfy(m, t)=1 and (m,t) Q.

Recap: Message Integrity (Gen, Mac, Vrfy) --- a message authentication code scheme. Chal. k Gen(1 n ) m 1 M t 1 Mac(k,m 1 ) m 2 t 2,, m q,, t q Adversary A (m,t) b b=1 if Vrfy(k,m,t) = 1 and (m,t) { (m 1, t 1 ),, (m q, t q ) } b=0 otherwise Def: (Gen, Mac, Vrfy) is a Secure Message Authentication Code if for all efficient A: Adv Mac [A ] = Pr[Chal. outputs 1] is negligible.

Normal CS Hashing 0 1 2 3 4 5 6 7 8 9 dog horse neanderthal H (char s[]) = (s[0] a ) mod 10 6

Magic Function f One Way: For every integer x, easy to compute f (x) Given f (x), hard to find any information about x Collision Resistant: Impossible to find pair (x, y) where x y and f (x) = f (y) 7

Regular Hash Functions 1. Many-to-one: maps a large number of values to a small number of hash values 2. Evenly distributed: for typical data sets, Pr (H(x) = n) = 1/N where N is the number of hash values and n = 0.. N 1. 3. Efficient: H(x) is easy to compute. How well does H (char s[]) = (s[0] a ) mod 10 satisfy these properties? 8

Cryptographic Hash Functions Collision resistance (even for malicious adversary): Preimage resistance: for a uniformly chosen v, it is hard to find x such that H(x) = v. Second-preimage resistance: given x, it is hard to find y x such that H(y) = H(x). Collision resistance: it is hard to find any x and y such that y x and H(x) = H(y). 9

Merkle-Damgård Transform m=(m 1, m 2, m 3 ) m 1 m 2 m 3 IV h h h H (m) Compressing by a single bit is as easy (or as hard) as compressing by an arbitrary amount.

Example Real World Hash Functions MD5 is broken SHA-1 is phasing out SHA-256 M-D Transform 256-bit output 512-bit block size 64 rounds a combination of AND, OR, XOR, ADD, RotR, ShR 128 bit security

Authentication through Hash and Mac If (Gen, Mac, Vrfy ) is a MAC for fixed length messages, Gen: Gen Mac: t = Mac (k, H(m)) Vrfy: outputs 1 if and only if Vrfy (k, H(m), t) = 1

Other Applications of Hashing Fingerprinting Authenticated Data Structures Coin tossing

IOU Request Protocol m Alice Mac K [H(m)] Bob K m Mac K [H(m)] Judge can subpoena for K 14

Attacking IOU Request Protocol m 1 Alice Mac K [H(m 1 )] Bob K m 2 Mac K [H(m 1 )] Judge can subpoena for K Bob picks m 1 and m 2 such that H(m 1 ) = H(m 2 ). 15

Finding m 1 and m 2 Bob generates different agreeable m 1 messages: I, { Alice Alice Hacker Alice P. Hacker Ms. A. Hacker }, { owe agree to pay } Bob { the sum of the amount of } { $2 $2.00 2 dollars two dollars } { by before } { January 1 st 1 Jan 1/1 1-1 } { 2016 2016 AD}. How many different-text messages are there? 16

Finding m 1 and m 2 Bob generates 2 10 different agreeable m 2 messages: I, { Alice Alice Hacker Alice P. Hacker Ms. A. Hacker }, { owe agree to pay } Bob { the sum of the amount of } { $2 quadrillion $2000000000000000 2 quadrillion dollars two quadrillion dollars } { by before } { January 1 st 1 Jan 1/1 1-1 } { 2016 2016 AD}. 17

Bob s Quadrillionaire Plan For each message m 1,i and m 2,i, Bob computes H(m 1,i ) and H(m 2,i ). If H(m 1,i ) = H(m ) for some i and j, Bob 2,j sends Alice m 1,i, gets Mac [H(m K 1,i )] back. Bob sends the judge m 2,j and Mac K [H(m 1,i )]. 18

Chances of Success Assume the Hash function H is good (uniform randomly distributed outcome) What is the probability that H(m 1,i ) = H(m 2,j ) for some i and j? 19

Birthday Paradox What is the probability that two people in this room have the same birthday? 20

Birthday Paradox Ways to assign k different birthdays without duplicates: N = 365 * 364 *... * (365 k + 1) = 365! / (365 k)! Ways to assign k different birthdays with possible duplicates: D = 365 * 365 *... * 365 = 365 k 21

Birthday Paradox Assuming real birthdays assigned randomly: N/D = probability there are no duplicates 1 - N/D = probability there is a duplicate = 1 365! / ((365 k)!(365) k ) 22

Generalizing Birthdays P(n, k) = 1 n! (n k)! n k Given k random selections from n possible values, P(n, k) gives the probability that there is at least 1 duplicate. 23

Applying to Birthdays For n = 365, k = 20: P(365, 20).4114 For n = 365, k = 40: P (365, 40).8912 24

Is 128 bits enough for hash output? For n = 2 128, k = 2 40 : P (2 128, 2 40 ) > 1.77 x 10-15 For n = 2 128, k = 2 60 : P (2 128, 2 60 ) > 1.95 x 10-3 For n = 2 128, k = 2 65 : P (2 128, 2 60 ) > 0.86 A 10 thousand core machine can brute-force 2 65 hashes in about 50 days (assuming 10 9 hashes per second on each core). Assumes you hash function is perfect (e.g., MD5 was not broken merely as a result of bruteforce). 25

A Most Disturbing Program! #!/usr/bin/perl -w use strict; use Digest::MD5 qw(md5_hex); # Create a stream of bytes from hex. my @bytes1 = map {chr(hex($_))} qw(d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c 2f ca b5 87 12 46 7e ab 40 04 58 3e b8 fb 7f 89 55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 71 41 5a 08 51 25 e8 f7 cd c9 9f d9 1d bd f2 80 37 3c 5b d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6 dd 53 e2 b4 87 da 03 fd 02 39 63 06 d2 48 cd a0 e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 a8 0d 1e c6 98 21 bc b6 a8 83 93 96 f9 65 2b 6f f7 2a 70); my @bytes2 = map {chr(hex($_))} qw(d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c 2f ca b5 07 12 46 7e ab 40 04 58 3e b8 fb 7f 89 55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 f1 41 5a 08 51 25 e8 f7 cd c9 9f d9 1d bd 72 80 37 3c 5b d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6 dd 53 e2 34 87 da 03 fd 02 39 63 06 d2 48 cd a0 e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 28 0d 1e c6 98 21 bc b6 a8 83 93 96 f9 65 ab 6f f7 2a 70); # Print MD5 hashes print md5_hex(@bytes1), "\n", md5_hex(@bytes2), "\n"; From https://freedom-to-tinker.com/blog/felten/report-crypto-2004/ 79054025255fb1a26e4bc422aef54eb4 79054025255fb1a26e4bc422aef54eb4 26

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback