Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.


Understanding Cryptography: A Textbook for Students and Practitioners
by Christof Paar and Jan Pelzl
www.crypto-textbook.com
Chapter 11: Hash Functions
ver. October 29, 2009
These slides were prepared by Stefan Heyse and Christof Paar and Jan Pelzl

Some legal stuff (sorry): Terms of Use
- The slides can be used free of charge. All copyrights for the slides remain with Christof Paar and Jan Pelzl.
- The title of the accompanying book "Understanding Cryptography" by Springer and the authors' names must remain on each slide.
- If the slides are modified, appropriate credits to the book authors and the book title must remain within the slides.
- It is not permitted to reproduce parts or all of the slides in printed form whatsoever without written consent by the authors.
Chapter 11 of Understanding Cryptography by Christof Paar and Jan Pelzl

Content of this Chapter
- Why we need hash functions
- How does it work
- Security properties
- Algorithms
- Example: The Secure Hash Algorithm SHA-1


Motivation
Problem: Naive signing of long messages generates a signature of the same length. This causes three problems:
- Computational overhead
- Message overhead
- Security limitations
For more info see Section 11.1 in Understanding Cryptography.
Solution: Instead of signing the whole message, sign only a digest (= hash). This is also secure, but much faster.
Needed: Hash functions

Digital Signature with a Hash Function
Figure: $x \rightarrow x_i \rightarrow z_i = h(x_i \,\|\, z_{i-1}) \rightarrow z \rightarrow \mathrm{sig}_{k_{pr}} \rightarrow y = \mathrm{sig}_{k_{pr}}(z)$
Notes:
- x has fixed length
- z, y have fixed length
- z, x do not have equal length in general
- h(x) does not require a key.
- h(x) is public.

Basic Protocol for Digital Signatures with a Hash Function
1. Bob → Alice: $K_{pub}$
2. Bob: $z = h(x)$, $s = \mathrm{sig}_{K_{pr}}(z)$
3. Bob → Alice: $(x, s)$
4. Alice: $z' = h(x)$, $\mathrm{ver}_{K_{pub}}(s, z') = \text{true/false}$
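
The protocol above, with both sides written out, as an added example that is not part of the original slides. It assumes unpadded textbook RSA as the signature scheme and SHA-256 as h; the key is a toy value built from two Mersenne primes and must not be reused anywhere.

```python
import hashlib

# Toy key material constructed for this example: two Mersenne primes.
# A modulus of this special form is not secure; it only keeps the demo short.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                              # part of Bob's public key K_pub
E = 65537                              # public exponent, part of K_pub
D = pow(E, -1, (P - 1) * (Q - 1))      # Bob's private key K_pr


def h(x: bytes) -> int:
    """z = h(x): keyless and public, 256-bit output for any input length."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big")


def sign(x: bytes) -> int:
    """Bob: z = h(x), then s = sig_Kpr(z). Only the digest is signed."""
    return pow(h(x), D, N)


def verify(x: bytes, s: int) -> bool:
    """Alice: z' = h(x), then ver_Kpub(s, z') returns true or false."""
    return pow(s, E, N) == h(x)


def demo() -> dict:
    """Sign a short and a 1 MB message (both constructed) and check them."""
    short, long_msg = b"pay 10 EUR", b"A" * 1_000_000
    s_short, s_long = sign(short), sign(long_msg)
    return {
        "short_ok": verify(short, s_short),
        "long_ok": verify(long_msg, s_long),
        # The signature never exceeds the modulus, whatever the message size.
        "long_sig_fits_modulus": s_long < N,
        # A modified message hashes to a different z', so verification fails.
        "tampered_ok": verify(b"pay 99 EUR", s_short),
    }


if __name__ == "__main__":
    print(demo())
```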

Figure: Principal input-output behavior of hash functions


Figure: The three security properties of hash functions

Hash Functions: Security Properties
- Preimage resistance: For a given output z, it is impossible to find any input x such that h(x) = z, i.e., h(x) is one-way.
- Second preimage resistance: Given $x_1$, and thus $h(x_1)$, it is computationally infeasible to find any $x_2$ such that $h(x_1) = h(x_2)$.
- Collision resistance: It is computationally infeasible to find any pairs $x_1 \neq x_2$ such that $h(x_1) = h(x_2)$.

Hash Functions: Security
It turns out that collision resistance causes the most problems.
How hard is it to find a collision with a probability of 0.5?
Related problem: How many people are needed such that two of them have the same birthday with a probability of 0.5?
No! Not 365/2 = 183. 23 are enough!
This is called the birthday paradox (search takes $\approx \sqrt{2^n}$ steps).
For more info see Chapter 11.2.3 in Understanding Cryptography.
To deal with this paradox, hash functions need an output size of at least 160 bits.
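
The birthday numbers above, checked in code, as an added example that is not part of the original slides. The n-bit "toy hash" (the top n bits of SHA-256) and the counter messages are constructed for the demonstration.

```python
import hashlib
from itertools import count


def birthday_threshold(days: int = 365, target: float = 0.5) -> int:
    """Smallest group size whose probability of a shared birthday reaches target."""
    p_no_collision, people = 1.0, 0
    while 1.0 - p_no_collision < target:
        p_no_collision *= (days - people) / days
        people += 1
    return people


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Toy n-bit hash: the top n bits of SHA-256 (constructed for this demo)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int):
    """Hash distinct counter messages until two of them share a digest.

    Returns (x1, x2, number_of_hashes). The expected work is on the order
    of sqrt(2**n_bits), not 2**n_bits.
    """
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        z = truncated_hash(msg, n_bits)
        if z in seen:
            return seen[z], msg, i + 1
        seen[z] = msg


if __name__ == "__main__":
    print("people needed:", birthday_threshold())
    for n in (16, 24, 32):
        x1, x2, tries = find_collision(n)
        print(f"n={n}: {tries} hashes, sqrt(2^n)={2 ** (n // 2)}")
```

Each extra output bit adds only half a bit of collision resistance, which is why the slide asks for 160 bits to reach an 80-bit work factor.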


Hash Functions: Algorithms
Hash algorithms:
- Special algorithms, e.g. MD5 family
- Based on block ciphers
MD5 family:
- SHA-1: output: 160 bits; input: 512-bit chunks of message x; operations: bitwise AND, OR, XOR, complement and cyclic shifts.
- RIPE-MD 160: output: 160 bits; input: 512-bit chunks of message x; operations: like in SHA-1, but two in parallel and combinations of them after each round.


SHA-1
- Part of the MD-4 family.
- Based on a Merkle-Damgård construction.
- 160-bit output from a message of maximum length $2^{64}$ bits.
- Widely used (even though some weaknesses are known)

SHA-1: High-Level Diagram
The compression function consists of 80 rounds, which are divided into four stages of 20 rounds each.

SHA-1: Padding
Message x has to be padded to fit a size of a multiple of 512 bits.
$k \equiv 512 - 64 - 1 - l = 448 - (l + 1) \bmod 512$

SHA-1: Hash Computation
Each message block $x_i$ is processed in four stages with 20 rounds each.
SHA-1 uses:
- A message schedule which computes a 32-bit word $W_0, W_1, \ldots, W_{79}$ for each of the 80 rounds
- Five working registers of size of 32 bits: A, B, C, D, E
- A hash value $H_i$ consisting of five 32-bit words $H_i^{(0)}, H_i^{(1)}, H_i^{(2)}, H_i^{(3)}, H_i^{(4)}$
In the beginning, the hash value holds the initial value $H_0$, which is replaced by a new hash value after the processing of each single message block. The final hash value $H_n$ is equal to the output h(x) of SHA-1.

Figure: SHA-1: All four stages

SHA-1: Internals of a Round

| Stage t | Round j | Constant $K_t$ | Function $f_t$ |
|---|---|---|---|
| 1 | 00 ... 19 | K = 5A827999 | $f(B,C,D) = (B \wedge C) \vee (\bar{B} \wedge D)$ |
| 2 | 20 ... 39 | K = 6ED9EBA1 | $f(B,C,D) = B \oplus C \oplus D$ |
| 3 | 40 ... 59 | K = 8F1BBCDC | $f(B,C,D) = (B \wedge C) \vee (B \wedge D) \vee (C \wedge D)$ |
| 4 | 60 ... 79 | K = CA62C1D6 | $f(B,C,D) = B \oplus C \oplus D$ |
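
The padding rule, the hash computation and the round table above, combined into a working SHA-1, as an added example that is not part of the original slides. The initial value $H_0$, the message schedule recurrence and the rotation amounts do not appear on the slides and are taken from the SHA-1 standard (FIPS 180); here l is the message length in bits and k the number of zero bits appended.

```python
import struct

# Stage constants K_t from the round table (stages 1..4 are indexed 0..3 here).
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
# Initial hash value H_0: from the SHA-1 standard (FIPS 180), not from the slides.
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF

def rotl(x: int, n: int) -> int:
    """Cyclic left shift of a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK

def pad(x: bytes) -> bytes:
    """Append a single 1 bit, k zero bits and the 64-bit length l."""
    l = 8 * len(x)
    k = (448 - (l + 1)) % 512
    # 0x80 is the 1 bit plus 7 of the k zero bits (k = 7 mod 8 for byte input).
    return x + b"\x80" + b"\x00" * ((k - 7) // 8) + struct.pack(">Q", l)

def f(t: int, b: int, c: int, d: int) -> int:
    """Stage function f_t from the round table."""
    if t == 0:
        return (b & c) | (~b & d)
    if t == 2:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d

def compress(h: tuple, block: bytes) -> tuple:
    """Process one 512-bit block x_i: 80 rounds in four stages of 20."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 80):  # message schedule W_16..W_79 (recurrence from FIPS 180)
        w.append(rotl(w[j - 3] ^ w[j - 8] ^ w[j - 14] ^ w[j - 16], 1))
    a, b, c, d, e = h
    for j in range(80):
        t = j // 20
        tmp = (rotl(a, 5) + f(t, b, c, d) + e + K[t] + w[j]) & MASK
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    return tuple((u + v) & MASK for u, v in zip(h, (a, b, c, d, e)))

def sha1(x: bytes) -> str:
    """H_0 is replaced after every block; the final H_n is the output h(x)."""
    h = H0
    data = pad(x)
    for i in range(0, len(data), 64):
        h = compress(h, data[i:i + 64])
    return "".join("%08x" % word for word in h)
```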

Lessons Learned: Hash Functions
- Hash functions are keyless. The two most important applications of hash functions are their use in digital signatures and in message authentication codes such as HMAC.
- The three security requirements for hash functions are one-wayness, second preimage resistance and collision resistance.
- Hash functions should have at least 160-bit output length in order to withstand collision attacks; 256 bits or more is desirable for long-term security.
- MD5, which was widely used, is insecure. Serious security weaknesses have been found in SHA-1, and the hash function should be phased out. The SHA-2 algorithms all appear to be secure.
- The ongoing SHA-3 competition will result in new standardized hash functions in a few years.