Lecture 1. Crypto Background

Similar documents
CPSC 467: Cryptography and Computer Security

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Lecture 18: Message Authentication Codes & Digital Signa

1 Cryptographic hash functions

Lecture 14: Cryptographic Hash Functions

1 Cryptographic hash functions

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Foundations of Network and Computer Security

CPSC 467: Cryptography and Computer Security

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

An introduction to Hash functions

5199/IOC5063 Theory of Cryptology, 2014 Fall

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Authentication. Chapter Message Authentication

Avoiding collisions Cryptographic hash functions. Table of contents

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Foundations of Network and Computer Security

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Limits on the Efficiency of One-Way Permutation-Based Hash Functions

Avoiding collisions Cryptographic hash functions. Table of contents

Notes for Lecture 9. 1 Combining Encryption and Authentication

2: Iterated Cryptographic Hash Functions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

12 Hash Functions Defining Security

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Introduction to Information Security

Week 12: Hash Functions and MAC

On High-Rate Cryptographic Compression Functions

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Cryptographical Security in the Quantum Random Oracle Model

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Known and Chosen Key Differential Distinguishers for Block Ciphers

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Digital signature schemes

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Lecture 7: CPA Security, MACs, OWFs

Some Attacks on Merkle-Damgård Hashes

Cryptographic Hash Functions

Provable Chosen-Target-Forced-Midx Preimage Resistance

Hash-based signatures & Hash-and-sign without collision-resistance

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Topics. Probability Theory. Perfect Secrecy. Information Theory

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Domain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration

CPSC 467: Cryptography and Computer Security

Lecture 3: Interactive Proofs and Zero-Knowledge

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

CPSC 467: Cryptography and Computer Security

A Composition Theorem for Universal One-Way Hash Functions

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 15: Message Authentication

On the Security of Hash Functions Employing Blockcipher Post-processing

Katz, Lindell Introduction to Modern Cryptrography

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Introduction to Cybersecurity Cryptography (Part 4)

SPCS Cryptography Homework 13

March 19: Zero-Knowledge (cont.) and Signatures

Non-Conversation-Based Zero Knowledge

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family

Higher Order Universal One-Way Hash Functions

From Secure MPC to Efficient Zero-Knowledge

Breaking H 2 -MAC Using Birthday Paradox

Construction of universal one-way hash functions: Tree hashing revisited

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

New Attacks on the Concatenation and XOR Hash Combiners

Cryptography and Security Final Exam

Attacks on hash functions: Cat 5 storm or a drizzle?

Beyond the MD5 Collisions

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions

New Preimage Attack on MDC-4

CTR mode of operation

Provable Seconde Preimage Resistance Revisited

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption

10 Concrete candidates for public key crypto

Foundations of Network and Computer Security

Foundations of Network and Computer Security

Collapsing sponges: Post-quantum security of the sponge construction

Comparing With RSA. 1 ucl Crypto Group

Introduction to Cryptography Lecture 4

John Hancock enters the 21th century Digital signature schemes. Table of contents

Random Oracles in a Quantum World

Lecture Notes 20: Zero-Knowledge Proofs

Digital Signatures. Adam O Neill based on

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

ECS 189A Final Cryptography Spring 2011

Lecture 10 - MAC s continued, hash & MAC

Lecture 1: Introduction to Public key cryptography

BEYOND POST QUANTUM CRYPTOGRAPHY

Statistically Hiding Commitments and Statistical Zero-Knowledge Arguments from Any One-Way Function

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Transcription:

Lecture 1 Crypto Background

This lecture Crypto background hash functions random oracle model digital signatures and applications

Cryptographic Hash Functions

Hash function takes a string of arbitrary length as input fixed-size output (i.e., hash function compresses the input) efficiently computable Security properties: Collision resistance Preimage resistance (one-way)

Property 1: Collision resistance No efficient adversary can find x and y such that x!= y and H(x)=H(y) x y H(x) = H(y)

Collisions do exist... possible outputs possible inputs but can a real-world adversary find them?

How to find a collision (for 256 bit output) try 2 130 randomly chosen inputs 99.8% chance that two of them will collide This works no matter what H is, but it takes too long to matter If a computer calculates 10,000 hashes/sec, it would take 10 27 years to compute 2 128 hashes

Is there a faster way to find collisions? For some possible H s, yes. For others (like SHA-256), we don t know of one. Provably secure collision-resistant hash functions can be constructed based on hard number-theoretic problems.

Defining Collision Resistance Modeling real-world adversaries In practice, everyone has bounded resources Therefore, reasonable to model adversary as such an entity However, we do not make any assumptions about the adversarial strategy. He can use its (bounded) resources however We will model adversary as a probabilistic polynomial-time (PPT) algorithm

Defining Collision Resistance Collision Resistance (informal): A hash function H is collision-resistant if for all uniform PPT adversaries A, Pr[A outputs x,x s.t. x!=x and H(x)=H(x )] = small

Negligible functions Want to model success probability of adversary as a function of some input parameter k. Want that adversary s success probability quickly decreases as k increases (e.g., 1/2^k) Suppose adversary takes as input a parameter k, runs in time polynomial in k, and finds a collision with probability 1/k However, 1/k decays very slowly. To make 1/k very small, we would need to use a very large k. However, this would mean that all algorithms (even honest ones) run in very long time. Negligible function: Function that decays faster than any inverse poly Definition: A function n(k) is negligible if for every polynomial p(k), there exists k 0 s.t. for all k > k 0, n(k) < p(k) Note: Negligible probability cannot be amplified by polynomial number of trials

Defining Collision Resistance Collision Resistance: A hash function H is collision-resistant if for all uniform PPT adversaries A, there exists a negligible function n(k), where k denotes the security parameter, s.t. Pr[A(1 k ) outputs x,x s.t. x!=x and H(x)=H(x )] = n(k)

Application: Hash as message digest If we know H(x) = H(y), it s safe to assume that x = y. To recognize a file that we saw before, just remember its hash. Useful because the hash is small.

Property 2: Pre-image Resistance Intuition: Given H(x), no efficient adversary can find x (except with negligible probability) Problem: What if input space of x is very small, or some inputs are much more likely than others? H( heads ) H( tails ) easy to find x!

Defining Preimage Resistance Preimage Resistance: A hash function H is preimage-resistant if for all PPT adversaries A, there exists a negligible function n(k), where k denotes the security parameter, s.t. Pr[xß{0,1} poly(k), A(1 k,h(x)) outputs x s.t. H(x )=H(x)] = n(k) x is drawn from uniform distribution

Preimage Resistance (contd.) If x is drawn from the uniform distribution, then inverting H(x) is hard But what if x is drawn from low-entropy distribution? Can append a random string r to x and then compute H(r x) to prevent enumeration attacks Theorem: Collision resistance implies preimage resistance (if the hash function is sufficiently compressing)

Application: Commitment Want to seal a value in an envelope, and open the envelope later. Commit to a value, reveal it later.

Commitment Schemes (com, key) := commit(msg) match := verify(com, key, msg) To seal msg in envelope: (com, key) := commit(msg) -- then publish com To open envelope: publish key, msg anyone can use verify() to check validity

Commitment Schemes (com, key) ß commit(msg) match ß verify(com, key, msg) Security properties: Weak Hiding: Given com, no PPT adversary can find* msg. Weak Binding: No PPT adversary can find* msg!= msg such that verify(commit(msg), msg ) == true * Except with negligible probability

Commitment Schemes commit(msg) à ( H(key msg), key ) where key is a random 256-bit value verify(com, key, msg) à ( H(key msg) == com ) Security properties: Hiding: If H is a random oracle, given H(key msg), hard to find msg. Binding: Collision-reistance à Hard to find msg!= msg such that H(key msg) == H(key msg )

Random Oracle (RO) Imagine an elf in a box with an infinite writing scroll Upon receiving an input x, the elf checks the scroll if there is an entry y corresponding to x. If yes, it returns y. Otherwise, elf chooses a random value y (from the output space) and returns it. It adds an entry (x,y) to the scroll.

Random Oracle (RO) In practice-oriented provable security, hash functions are often modeled as a random oracle Each party (including adversary) is given black-box access to the random oracle. They can query the random oracle any polynomial number of times By definition, the answers of random oracle answers are unpredictable Random oracle captures many security properties such as one-wayness, collision-resistance.

SHA-256 hash function Suppose msg is of length L s.t. L is a multiple of 512 (pad with 0s otherwise) 512 bits msg (block 1) msg (block 2) msg (block n) L 256 bits 256 bits IV c c c c Hash Theorem [Merkle-Damgard]: If c is collision-resistant, then SHA-256 is collision-resistant.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback