CS 255 Lecture 6: Hash Functions
Brent Waters

Recap: Notions of Security
• What attacker can do
  • Random plaintext attack
  • Chosen plaintext attack
  • Chosen ciphertext attack
• Attacker's goal
  • Discover secret key
  • Decrypt a ciphertext, C*
  • Distinguish two messages

Recap: Notions of Security
• 3x3=9 possible notions of security
• Strongest system = semantic security against CCA
  (weakest adversary goal + most adversary power)

Recap: Semantic Security of Counter Mode
1) Defined notion of security for block cipher
  -- Indistinguishable from PRP
  -- Formal definition game
  -- Believe this is true for AES…

Recap
2) Prove that if cipher is indist. from Random Permutation then counter mode is semantically secure against CPA attack
  -- Assume counter mode is not $\Rightarrow$ A breaks it
  -- Build algorithm B that uses algorithm A
  -- Want to show that A's answer gives B information to play his game

Why do we do this?
• Aren’t we assuming AES, 3DES secure anyway?
• Why not just make same assumption for mode X?
• Reduce to simplest assumptions possible

Hash Functions
Hash function: $h: \{0,1\}^* \rightarrow \{0,1\}^n$
typically $n \approx 160$ bits (will see why soon)
[Figure: a message ("Hi, I recently….. …should be used") is mapped by h(x) to the bit string 01100100…1]

Properties
• Compression
• Pre-image resistance: Given $y = h(x)$, difficult to determine $x'$ s.t. $h(x') = y$
• 2nd preimage resistance: Given $x$, find $x' \ne x$ s.t. $h(x) = h(x')$
• Collision resistance: Find $x' \ne x$ s.t. $h(x) = h(x')$

Relations
• If h is collision resistant then h is 2nd order pre-image resistant
• How do we show this?
  • Reduction: simple here

Applications
• Show three applications and do one together
• For each one keep in mind what properties we need

Password protection
pword=jeitlse
Password file:
U1=…
U2=…
• What should we put in there?
• What if backup tape stolen?
• What property do we need?

Virus protection
• Worried virus might modify an application
• Small amount of trusted storage on USB token
• What properties do we need?
• Mirror sites distributing software

Digital Signatures
• One party can sign a message M, many parties can verify
• Contract signing, code signing
• Raw signature scheme only signs messages ~160 bits
• What properties do we need?
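
Birthday Attack for Collisions
• Let $r_1, \ldots, r_n \in [0, 1, \ldots, B]$
• When $n = 1.2\sqrt{B}$ then $\Pr[\exists\, i \ne j : r_i = r_j]$

$\Pr[\exists\, i \ne j : r_i = r_j]$
$= 1 - \Pr[\forall\, i \ne j : r_i \ne r_j]$
$= 1 - (1 - 1/B)(1 - 2/B) \cdots (1 - (n-1)/B)$
$= 1 - \prod_{i=1}^{n-1} (1 - i/B) \approx 1 - \prod_{i=1}^{n-1} e^{-i/B}$
$= 1 - e^{-\frac{1}{2} n^2 / B}$
$= 1 - 1/e^{.7} = 1/2$ for $n = 1.2\sqrt{B}$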

Lesson
• 80 bit hash implies 40 bit security (for collisions)
• Need 160 bit hash output
• For $n$ integers have $\approx n^2$ pairs; each is a possibility for a collision
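
The birthday bound above can be checked numerically. The following is an added example, not part of the original lecture: it evaluates the exact product and the slide's exponential approximation, then finds a real collision on a hash truncated to 24 bits. Using truncated SHA-256 as the short hash, and the function names, are assumptions made for illustration.

```python
import hashlib
import math
import random

def exact_collision_prob(n, B):
    """1 - prod_{i=1}^{n-1} (1 - i/B): chance that n uniform draws from B values collide."""
    p_distinct = 1.0
    for i in range(1, n):
        p_distinct *= 1.0 - i / B
    return 1.0 - p_distinct

def approx_collision_prob(n, B):
    """The slide's approximation 1 - e^{-n^2 / (2B)}."""
    return 1.0 - math.exp(-n * n / (2.0 * B))

def truncated_hash(data, bits):
    """First `bits` bits of SHA-256, standing in for a short-output hash (assumption)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits, seed=0):
    """Hash random 16-byte messages until two distinct ones share a truncated digest.
    Returns (m1, m2, number_of_hashes)."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible inputs
    seen = {}
    count = 0
    while True:
        msg = rng.getrandbits(128).to_bytes(16, "big")
        count += 1
        tag = truncated_hash(msg, bits)
        if tag in seen and seen[tag] != msg:
            return seen[tag], msg, count
        seen[tag] = msg

if __name__ == "__main__":
    B = 2 ** 24
    n = int(1.2 * math.sqrt(B))
    print(f"B=2^24, n={n}: exact={exact_collision_prob(n, B):.3f}, "
          f"approx={approx_collision_prob(n, B):.3f}")
    m1, m2, tries = find_collision(24)
    print(f"24-bit collision after {tries} hashes (sqrt(B)={int(math.sqrt(B))})")
    print(m1.hex(), m2.hex(), hex(truncated_hash(m1, 24)))
```

The number of hashes needed stays on the order of $\sqrt{B} = 2^{12}$, not $B = 2^{24}$, which is the same halving of the exponent that turns an 80 bit hash into 40 bit collision security.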
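
Iterated Construction (Merkle-Damgard)
[Diagram: message blocks M1, M2, M3, M4 | pad are fed one at a time into f; chaining values IV, H0, H1, H2, H3 link the successive applications of f]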
1. f – Compression function
2. Hi – chaining variables
3. IV – Initial Value

Iterated Construction (Merkle-Damgard)
Padding: 100000 | length
Pad out last message block
Add one block with message length

Collision resistance
• If compression function is collision resistant then so is iterated construction
• Way we prove this is to show that if we have $M \ne M'$ and hash(M) = hash(M') then we can find two different inputs to the compression function, $(x,y)$ and $(x',y')$, such that $f(x,y) = f(x',y')$
  - Note $(x,y) \ne (x',y')$ if $x \ne x'$ or $y \ne y'$

Collision Resistance
• Suppose $h(M) = h(M')$
• $IV = H_0, H_1, H_2, \ldots, H_t$
• $IV = H'_0, H'_1, H'_2, \ldots, H'_r$
Collision means $H_t = H'_r$
Case I:
• Suppose $t \ne r$; then $H_t = H'_r = f(H_{t-1}, t) = f(H'_{r-1}, r) \Rightarrow$ collision!

Collision Resistance
• Suppose $h(M) = h(M')$
• $M = M_0, M_1, \ldots, M_{t-1}$, $M' = M'_0, M'_1, \ldots, M'_{r-1}$
• $IV = H_0, H_1, H_2, \ldots, H_t$
• $IV = H'_0, H'_1, H'_2, \ldots, H'_r$
Case 2: $t = r$ (Messages same # of blocks)
Look at ith chaining variable
Have $H_i = H'_i$ so $f(H_i, M_i) = f(H'_i, M'_i)$
if $M_i \ne M'_i$ or if $H_i \ne H'_i$ then have a collision
otherwise repeat observation for i-1 chaining var.
However, $\exists\, j : M_j \ne M'_j$ so must have a collision at some point

Block cipher construction
Matyas-Meyer
$f(M,H) = E(M, g(H)) \oplus M$
[Diagram labels: $E$, $H_i$, $g$, $M_i$, $\oplus$, $H_{i+1}$]
Thm: Suppose $E_k(x) = E(x, k)$ is a collection of random permutations. Then finding a collision takes $2^{n/2}$ evaluations of E. Best possible.

Customized Hash functions
• Merkle-Damgard types: compression function faster than block ciphers
• MD4: 128, collisions found
• MD5: 128, 28.5 MB/s, collisions found
• SHA-1: 160, 15.2 MB/s
• SHA-2: 160, 256
• RIPEMD: 160, 12.6, collisions found

“Provable” hash functions
• Discrete log problem: Given $g^a \bmod p$, output $a$
• $f(a,b) = g^a h^b \bmod p$
• Slow

Paper submission project
• Professors/grad students submit papers to conferences electronically
• Strict deadlines: 9pm Jan. 29th
• People always wait to last minute – get flood of papers at end
• Graphics people send in videos – potentially GBs of data – no way server can handle them all

Solutions?
• Attacks?
• Properties