Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Similar documents
Attacks on hash functions. Birthday attacks and Multicollisions

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Cryptographic Hash Functions

DTTF/NB479: Dszquphsbqiz Day 27

Week 12: Hash Functions and MAC

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Improved Collision Attack on MD5

Chapter 5. Hash Functions. 5.1 The hash function SHA1

Asymmetric Encryption

Hashes and Message Digests Alex X. Liu & Haipeng Dai

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Network Security: Hashes

Beyond the MD5 Collisions

Introduction to Information Security

CPSC 467: Cryptography and Computer Security

Henning Schulzrinne Columbia University, New York Columbia University, Fall 2000

HASH FUNCTIONS. Mihir Bellare UCSD 1

Public-key Cryptography: Theory and Practice

HASH FUNCTIONS 1 /62

Leftovers from Lecture 3

Lecture 14: Cryptographic Hash Functions

has the solution where M = Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q);

Cryptographic Hashing

Introduction Description of MD5. Message Modification Generate Messages Summary

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Further progress in hashing cryptanalysis

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Foundations of Network and Computer Security

4. Hash Functions Contents. 4. Hash Functions Message Digest

New Attacks on the Concatenation and XOR Hash Combiners

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Domain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration

Foundations of Network and Computer Security

Linearization and Message Modification Techniques for Hash Function Cryptanalysis

Hash Functions. Adam O Neill Based on

An introduction to Hash functions

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Chapter 8 Public-key Cryptography and Digital Signatures

5199/IOC5063 Theory of Cryptology, 2014 Fall

The Hash Function JH 1

Finding good differential patterns for attacks on SHA-1

Cryptographic Hash Functions Part II

Attacks on hash functions: Cat 5 storm or a drizzle?

Analysis of SHA-1 in Encryption Mode

A New Paradigm for Collision-free Hashing: Incrementality at Reduced Cost

Digital signature schemes

SOME OBSERVATIONS ON THE CRYPTOGRAPHIC HASH FUNCTIONS

Pseudo-random Number Generation. Qiuliang Tang

Cryptographic Hash Function. Norwegian University of Science and Technology. Trondheim, Norway

STORY of SQUARE ROOTS. and QUADRATIC RESIDUES. Part I. Public-key cryptosystems II. Other cryptosystems and cryptographic primitives

Lecture 1. Crypto Background

SMASH - A Cryptographic Hash Function

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

On the Big Gap Between p and q in DSA

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Avoiding collisions Cryptographic hash functions. Table of contents

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Integers and Division

Digital Signature Algorithm

Martin Cochran. August 24, 2008

Collision Attack on Boole

Cryptanalysis of the Hash Functions MD4 and RIPEMD

Digital Signatures. p1.

Lecture 10 - MAC s continued, hash & MAC

Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Information Security

Number theory (Chapter 4)

Introduction to Elliptic Curve Cryptography

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Notes for Lecture 9. 1 Combining Encryption and Authentication

Lecture 1: Introduction to Public key cryptography

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Finding collisions for MD4 hash algorithm using hybrid algorithm

Breaking H 2 -MAC Using Birthday Paradox

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

One-way Hash Function Based on Neural Network

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

2: Iterated Cryptographic Hash Functions

1 Probability Review. CS 124 Section #8 Hashing, Skip Lists 3/20/17. Expectation (weighted average): the expectation of a random quantity X is:

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Hash Function Balance and its Impact on Birthday Attacks

Applications of Expander Graphs in Cryptography. Aleksander Maricq

A Composition Theorem for Universal One-Way Hash Functions

SMASH - A Cryptographic Hash Function

Improved Collision Search for SHA-0

Introduction to Cryptography

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

SPCS Cryptography Homework 13

4.5 Applications of Congruences

CPSC 467: Cryptography and Computer Security

CIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

The Security of Abreast-DM in the Ideal Cipher Model

Introduction to Cryptography Lecture 4

Transcription:

Hash Functions 1

Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1 0 160-Bit Message Digest 2

Hash Functions Certain properties should be satisfied: 1. Given a message m, the message digest h(m) can be calculated very quickly. 2. Given a y, it is computationally infeasible to find an m with h(m )=y (in other words, h is a one-way, or preimage resistant, function). 3. It is computationally infeasible to find messages m 1 and m 2 with h(m 1 ) = h(m 2 ) (in this case, the function h is said to be strongly collision-free, or collision resistant). 3

Hash Functions Remarks: A hash function h is weakly collision-free (or second preimage resistant): For given x, it is computational infeasible to find x x with h(x ) = h(x) A hash h is strongly collision-free => h is weakly collision-free => h is one-way. 4

Hash Functions (Example) Discrete log hash function Let p and q=(p-1)/2 be primes. Let α, β be two primitive roots for p. Then, there is a such that α a β (mod p). The hash h maps integers mod q 2 to integers mod p. Let m = x 0 +x 1 q with 0 x 0, x 1 q-1. Define h(m) = α x 0 β x 1 (mod p) 5

Hash Functions The following shows that the function h is probably strongly collision-free. (Proposition) If we know messages m m with h(m)=h(m ), then we can determine the discrete logarithm a=log α β. (The discrete log problem is assumed hard.) <Proof> m = x 0 +x 1 q, m' = x 0 +x 1 q h(m) = h(m ) α x 0 β x 1 α x 0β x 1(mod p) α a(x 1-x 1 )-(x 0 -x 0 ) 1 (mod p) a(x 1 -x 1 ) x 0 -x 0 (mod p-1) 6

Hash Functions Let d = gcd(x 1 -x 1, p-1). There are exactly d solutions for a. But the only factors of p-1 are 1, 2, q, p-1. Since 0 x 1, x 1 q-1, it follows that -(q-1) x 1 -x 1 q-1. Therefore if x 1 -x 1 is not zero, then d is not q or p-1, so d=1 or 2. Therefore there are at most two possibilities for a. On the other hand, if if x 1 -x 1 is zero then m=m, contrary to our assumption. # 7

Simple Hash Simple hash Discrete log hash is too slow. Start with a message m of arbitrary length L. We may break it into n-bit blocks. We shall denote these n-bit blocks as m=[m 1, m 2, m 3,, m k ], and the last block m k is padded with zeros to ensure that it has n bits. h(m) = m 1 m 2 m 3 m k But it is easy to find two messages that hash to the same value. (so it is not collision resistant) 8

The Secure Hash Algorithm MD4 proposed by Rivest in 1990 MD5 modified in 1992 SHA proposed as a standard by NIST in 1993, and was adopted as FIPS 180 SHA-1 minor variation, published in 1995 as FIPS 180-1 FIPS 180-2, adopted in 2002, includes SHA1, SHA-256, SHA-384, and SHA-512 A collision for SHA was found by Joux in 2004 Collisions for MD5 and several other popular hash functions were presented in 2004, 2005, by Wang, Feng, Lai and Yu. 9

The Secure Hash Algorithm SHA-1(Secure Hash Algorithm) iterated hash function 160-bit message digest word-oriented (32 bit) operation on bitstrings Padding scheme extends the input x by at most one extra 512-bit block The compression function maps 160+512 bits to 160 bits Make each input affect as many output bits as possible 10

The Secure Hash Algorithm SHA-1-PAD(x) comment: x 2 64-1 d (447- x ) mod 512 l the binary representation of x, where l = 64 y x 1 0 d l ( y is multiple of 512) 11

The Secure Hash Algorithm Operations used in SHA-1 X Y bitwise and of X and Y X Y bitwise or of X and Y X Y bitwise xor of X and Y X bitwise complement of X X + Y integer addition modulo 2 32 ROTL s (X) circular left shift of X by s position (0 s 31) In textbook, X s, instead. 12

The Secure Hash Algorithm f t (B,C,D) = (B C) (( B) D) if 0 t 19 B C D if 20 t 39 (B C) (B D) (C D) if 40 t 59 B C D if 60 t 79 13

The Secure Hash Algorithm K t = 5A827999 if 0 t 19 6ED9EBA1 if 20 t 39 8F1BBCDC if 40 t 59 CA62C1D6 if 60 t 79 14

The Secure Hash Algorithm Algorithm SHA-1(x) extern SHA-1-PAD global K 0,,K 79 y SHA-1-PAD(x) denote y = M 1 M 2.. M n, where each M i is a 512 block H 0 67452301, H 1 EFCDAB89, H 2 98BADCFE, H 3 10325476, H 4 C3D2E1F0 15

The Secure Hash Algorithm for i 1 to n denote M i = W 0 W 1.. W 15, where each W i is a word for t 16 to 79 do W t ROTL 1 (W t-3 W t-8 W t-14 W t-16 ) A H 0,,B H 1, C H 2, D H 3, E H 4 for t 0 to 79 temp ROTL 5 (A) + f t (B,C,D) + E +W t + K t E D, D C, C ROTL 30 (B), B A, A temp H 0 H 0 + A, H 1 H 1 + B, H 2 H 2 + C, H 3 H 3 + D, H 4 H 4 + E Return (H 0 H 1 H 2 H 3 H 4 ) 16

Birthday Attacks Birthday paradox In a group of 23 randomly chosen people, at least two will share a birthday with probability at least 50%. If there are 30, the probability is around 70%. Finding two people with the same birthday is the same thing as finding a collision for this particular hash function. 17

Birthday Attacks The probability that all 23 people have different birthdays is 1 2 22 1 (1 )(1 )...(1 ) 0.493 365 365 365 Therefore, the probability of at least two having the same birthday is 1-0.493=0.507 More generally, suppose we have N objects, where N is large. There are r people, and each chooses an object. Then P(there is a match) 1 e r 2 / 2N 18

Birthday Attacks Choosing r 2 /2N = ln2, we find that if r 1.177 N, then the probability is 50% that at least two people choose the same object. If there are N possibilities and we have a list of length N, then there is a good chance of a match. If we want to increase the chance of a match, we can make a list of length of a constant times N. 19

Birthday Attacks (Example) We have 40 license plates, each ending in a 3-digit number. What is the probability that two of the license plates end in the same 3 digits? (Solution) N=1000, r=40 1. Approximation: 1 e 2. The exact answer: 40 2 / 21000 0.551 1 2 39 1 (1 )(1 )...(1 ) 1000 1000 1000 0.546 20

Birthday Attacks What is the probability that none of these 40 license plates ends in the same 3 digits as yours? 1 (1 ) 40 0.961 1000 The reason the birthday paradox works is that we are not just looking for matches between one fixed plate and the other plates. We are looking for matches between any two plates in the set, so there are more opportunities for matches. 21

Birthday Attacks The birthday attack can be used to find collisions for hash functions if the output of the hash function is not sufficiently large. Suppose h is an n-bit hash function. Then there are N = 2 n possible outputs. We have the situation of list of length r N people with N possible birthdays, so there is a good chance of having two values with the same hash value. If the hash function outputs 128-bit values, then the lists have length around 2 64 10 19, which is too large, both in time and in memory. 22

Birthday Attacks Suppose there are N objects and there are two groups of r people. Each person from each group selects an object. What is the probability that someone from the first group choose the same object as someone from the second group? P(there is a 1 e r 2 / N match between two groups) Eg. If we take N=365 and r=30, then P(there is a match between two groups) 1 e 30 2 /365 0.915 23

Birthday Attacks A birthday attack on discrete logarithm We want to solve α x β (mod p). Make two lists, both of length around 1 st list: α k (mod p) for random k. 2 nd list: βα -h (mod p) for random h. There is a good chance that there is a match α k βα -h (mod p), hence x=k+h. Compared with BSGS: BSGS algorithm is deterministic while the birthday attack algorithm is probabilistic. p 24

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback