Cryptographic Hash Functions and their many applications
Shai Halevi, IBM Research
USENIX Security, August 2009
(PowerPoint PPT Presentation)


  1. Cryptographic Hash Functions and their many applications
     Shai Halevi – IBM Research
     USENIX Security – August 2009
     Thanks to Charanjit Jutla and Hugo Krawczyk

  2. What are hash functions?
      Just a method of compressing strings
       – E.g., H : {0,1}* → {0,1}^160
       – Input is called "message", output is "digest"
      Why would you want to do this?
       – Short, fixed-size better than long, variable-size
          True also for non-crypto hash functions
       – Digest can be added for redundancy
       – Digest hides possible structure in message

  3. How are they built?
     Typically using Merkle-Damgård iteration (but not always…):
     1. Start from a "compression function"
        – h: {0,1}^(b+n) → {0,1}^n
        – |M_i| = b = 512 bits, n = 160 bits
     2. Iterate it
        IV = d_0 → h(d_0, M_1) = d_1 → h(d_1, M_2) = d_2 → … → h(d_(L-1), M_L) = d_L = H(M)
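Worked example of the Merkle-Damgård iteration on this slide, added here and not part of the deck: the compression function h is a stand-in built from SHA-256 truncated to n = 160 bits (an assumption; a real hash uses a dedicated h), the block size b = 512 bits is the slide's, and the padding rule with the 64-bit length field is the standard strengthening that makes the padded message a whole number of blocks.

```python
import hashlib
import hmac
import struct

N_BYTES = 20  # digest size n = 160 bits (as on the slide)
B_BYTES = 64  # block size b = 512 bits (as on the slide)
IV = b"\x00" * N_BYTES  # d_0; a real design fixes a public constant here


def compress(chain: bytes, block: bytes) -> bytes:
    """Stand-in for h: {0,1}^(b+n) -> {0,1}^n.

    Assumption: SHA-256 truncated to n bits. A real hash (e.g. SHA-1) uses a
    dedicated compression function; this is only a black box of the right shape.
    """
    assert len(chain) == N_BYTES and len(block) == B_BYTES
    return hashlib.sha256(chain + block).digest()[:N_BYTES]


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: append 0x80, zeros, then the 64-bit
    message length in bits, so the padded message is a whole number of blocks."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((B_BYTES - 8 - len(padded)) % B_BYTES)
    return padded + struct.pack(">Q", 8 * len(msg))


def md_hash(msg: bytes) -> bytes:
    """d_i = h(d_{i-1}, M_i) for i = 1..L; the digest is the last chaining value."""
    padded = md_pad(msg)
    d = IV
    for i in range(0, len(padded), B_BYTES):
        d = compress(d, padded[i:i + B_BYTES])
    return d  # d_L = H(M)


def num_blocks(msg: bytes) -> int:
    """How many compression calls (L) a message costs after padding."""
    return len(md_pad(msg)) // B_BYTES


def integrity_ok(msg: bytes, digest: bytes) -> bool:
    """Digest used as redundancy (slide 2): recompute and compare."""
    return hmac.compare_digest(md_hash(msg), digest)


if __name__ == "__main__":
    m = b"The quick brown fox jumps over the lazy dog"
    print(num_blocks(m), md_hash(m).hex())
```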

  4. What are they good for?
     "Modern, collision resistant hash functions were designed to create small, fixed size message digests so that a digest could act as a proxy for a possibly very large variable length message in a digital signature algorithm, such as RSA or DSA. These hash functions have since been widely used for many other "ancillary" applications, including hash-based message authentication codes, pseudo random number generators, and key derivation functions."
     -- NIST, "Request for Candidate Algorithm Nominations", November 2007

  5. Some examples
      Signatures: sign(M) = RSA^-1(H(M))
      Message-authentication: tag = H(key, M)
      Commitment: commit(M) = H(M, …)
      Key derivation: AES-key = H(DH-value)
      Removing interaction [Fiat-Shamir, 1987]
       – Take interactive identification protocol:
            A → B: smthng
            B → A: challenge
            A → B: response
       – Replace one side by a hash function:
            Challenge = H(smthng, context)
       – Get non-interactive signature scheme: (smthng, response)
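The Fiat-Shamir step from this slide carried through on a Schnorr-style identification protocol, as an added example that is not from the deck: the toy group parameters P, Q, G are assumed and far too small for any real use, the challenge is computed as H(smthng, context) with context = (public key, message), and the signature is the pair (smthng, response) the slide names.

```python
import hashlib
import secrets

# Toy Schnorr-group parameters (assumption, chosen for readability only;
# they give no security; real deployments use 256-bit q or an elliptic curve).
P = 2039  # safe prime, P = 2*Q + 1
Q = 1019  # prime order of the subgroup generated by G
G = 4     # a square mod P, hence of order Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1  # secret key in [1, Q-1]
    return x, pow(G, x, P)            # (x, y = g^x mod p)


def prove(x, get_challenge):
    """One run of the three-move identification protocol from the slide.
    get_challenge stands for the verifier B in the interactive version."""
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)          # "smthng": A -> B
    c = get_challenge(t)      # challenge: B -> A
    s = (r + c * x) % Q       # response: A -> B
    return t, c, s


def check(y, t, c, s):
    """Verifier's equation: g^s == smthng * y^challenge (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def fs_challenge(t, context):
    """Challenge = H(smthng, context): replaces B's random coins by a hash."""
    h = hashlib.sha256(t.to_bytes(2, "big") + context).digest()
    return int.from_bytes(h, "big") % Q


def sign(x, y, msg):
    """Non-interactive: the signer computes its own challenge from the hash."""
    context = y.to_bytes(2, "big") + msg  # bind public key and message
    t, _, s = prove(x, lambda t: fs_challenge(t, context))
    return t, s  # (smthng, response)


def verify(y, msg, sig):
    t, s = sig
    context = y.to_bytes(2, "big") + msg
    return check(y, t, fs_challenge(t, context), s)
```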

  6. Part I: Random functions vs. hash functions

  7. Random functions
      What we really want is H that behaves "just like a random function":
       – Digest d = H(M) chosen uniformly for each M
       – Digest d = H(M) has no correlation with M
       – For distinct M_1, M_2, …, digests d_i = H(M_i) are completely uncorrelated to each other
       – Cannot find collisions, or even near-collisions
       – Cannot find M to "hit" a specific d
       – Cannot find fixed-points (d = H(d))
       – etc.

  8-10. The "Random-Oracle paradigm" [Bellare-Rogaway, 1993] (built up over three slides)
     1. Pretend hash function is really this good
     2. Design a secure cryptosystem using it
         Prove security relative to a "random oracle"
     3. Replace oracle with a hash function
         Hope that it remains secure
      Very successful paradigm, many schemes
       – E.g., OAEP encryption, FDH, PSS signatures
       – Also all the examples from before…
       – Schemes seem to "withstand test of time"

  11. Random oracles: rationale
       Suppose some crypto scheme (e.g., signatures) uses a hash function H
       The scheme is proven secure when H is a random function
       Any attack on the real-world scheme must use some "nonrandom property" of H
       We should have chosen a better H
        – without that "nonrandom property"
       Caveat: how do we know what "nonrandom properties" are important?

  12. This rationale isn't sound [Canetti-Goldreich-Halevi 1997]
       Exist signature schemes that are:
        1. Provably secure wrt a random function
        2. Easily broken for EVERY hash function
       Idea: hash functions are computable
        – This is a "nonrandom property" by itself
       Exhibit a scheme which is secure only for "non-computable H's"
        – Scheme is (very) "contrived"

  13. Contrived example
       Start from any secure signature scheme
        – Denote signature algorithm by SIG1^H(key,msg)
       Change SIG1 to SIG2 as follows (some technicalities omitted):
        – SIG2^H(key,msg): interpret msg as code Π
        – If Π(i) = H(i) for i = 1,2,3,…,|msg|, then output key
        – Else output the same as SIG1^H(key,msg)
       If H is random, always the "Else" case
       If H is a hash function, attempting to sign the code of H outputs the secret key
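A runnable sketch of the contrived SIG2 from this slide, added here and not from the slides or the paper: SIG1 is stood in by HMAC-SHA256 and H(i) by SHA-256 of i (both assumptions), "interpret msg as code" is modelled by running msg as Python that must define a function pi, |msg| is taken in bytes, and the slide's "some technicalities" (running-time bounds, the exact code encoding) are left out.

```python
import hashlib
import hmac


def H(i: int) -> bytes:
    """The hash function in use (assumption: SHA-256 of i as a 4-byte value)."""
    return hashlib.sha256(i.to_bytes(4, "big")).digest()


def sig1(key: bytes, msg: bytes) -> bytes:
    """Any secure signing algorithm; stand-in: HMAC-SHA256 (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def sig2(key: bytes, msg: bytes) -> bytes:
    """SIG2^H: interpret msg as code pi; if pi(i) == H(i) for i = 1..|msg|,
    output the key, else behave exactly like SIG1^H (the slide's scheme)."""
    try:
        scope = {}
        # "interpret msg as code": run it as Python with only hashlib in scope
        exec(msg.decode(), {"__builtins__": {}, "hashlib": hashlib}, scope)
        pi = scope["pi"]
        if all(pi(i) == H(i) for i in range(1, len(msg) + 1)):
            return key  # the "then output key" branch
    except Exception:
        pass  # not valid code, or pi does not agree with H on 1..|msg|
    return sig1(key, msg)  # the "Else" branch


# Constructed sample message: the Python source of H itself.
CODE_OF_H = b"def pi(i):\n    return hashlib.sha256(i.to_bytes(4, 'big')).digest()\n"


def leaks_key(key: bytes) -> bool:
    """True iff signing the code of H with SIG2 returns the secret key."""
    return sig2(key, CODE_OF_H) == key
```

With a random oracle no finite program agrees with H on every i, so the first branch is never taken; with any concrete H, the message CODE_OF_H triggers it.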

  14. Cautionary note
       ROM proofs may not mean what you think…
        – Still they give valuable assurance, rule out "almost all realistic attacks"
       What "nonrandom properties" are important for OAEP / FDH / PSS / …?
       How would these schemes be affected by a weakness in the hash function in use?
       ROM may lead to careless implementation
