Cryptographic Hash Functions and their many applications
Shai Halevi, IBM Research
USENIX Security, August 2009
Thanks to Charanjit Jutla and Hugo Krawczyk
What are hash functions?

Just a method of compressing strings
– E.g., H : {0,1}* → {0,1}^160
– Input is called “message”, output is “digest”

Why would you want to do this?
– Short, fixed-size better than long, variable-size
– True also for non-crypto hash functions
– Digest can be added for redundancy
– Digest hides possible structure in message
How are they built?

Typically using Merkle-Damgård iteration (but not always…):
1. Start from a “compression function” h : {0,1}^{b+n} → {0,1}^n
   (e.g., b = 512 bits, n = 160 bits)
2. Iterate it: split M into blocks M_1, M_2, …, M_L with |M_i| = b, set d_0 = IV, and compute
   d_i = h(d_{i-1}, M_i) for i = 1, …, L; the digest is d = H(M) = d_L
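As an added worked example (not code from the slides), the iteration above written out in Python: SHA-1's compression function h, re-implemented from the public specification with b = 512 and n = 160 as on the slide, plugged into a generic Merkle-Damgård loop together with the length padding (“MD strengthening”) that the slide's picture leaves implicit. The function names (sha1_compress, md_pad, merkle_damgard, matches_hashlib) are this example's own, and the result is cross-checked against hashlib on constructed inputs around the padding boundaries.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
# SHA-1's initial chaining value d_0 = IV: five 32-bit words, n = 160 bits.
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(state, block):
    """SHA-1's compression function h: {0,1}^(512+160) -> {0,1}^160,
    written here from the public specification (FIPS 180-4); not code from the slides."""
    assert len(block) == 64                          # b = 512 bits per message block
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):                          # message schedule expansion
        w.append(rotl32(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | ((~b & MASK32) & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl32(a, 5) + f + e + k + w[i]) & MASK32, a, rotl32(b, 30), c, d
    # Feed-forward: the next chaining value is the old one plus the round output.
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def md_pad(msg, block_size=64):
    """Merkle-Damgard strengthening: append 0x80, zeros, then the 64-bit big-endian bit
    length, so the padded message is a whole number of b-bit blocks."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((block_size - 8 - len(padded)) % block_size)
    return padded + struct.pack(">Q", len(msg) * 8)


def merkle_damgard(compress, iv, msg, block_size=64):
    """d_0 = IV; d_i = h(d_{i-1}, M_i) for i = 1..L; the digest is d_L."""
    d = iv
    padded = md_pad(msg, block_size)
    for off in range(0, len(padded), block_size):
        d = compress(d, padded[off:off + block_size])
    return d


def sha1(msg):
    """H(M) = d_L, serialized as 20 big-endian bytes."""
    return b"".join(struct.pack(">I", v) for v in merkle_damgard(sha1_compress, SHA1_IV, msg))


def matches_hashlib(lengths=(0, 1, 55, 56, 63, 64, 65, 119, 120, 200)):
    """Cross-check against hashlib.sha1 on constructed inputs chosen to hit every padding case
    (just under, exactly at, and just over the 56- and 64-byte boundaries)."""
    for n in lengths:
        m = bytes(i % 256 for i in range(n))         # constructed sample input
        if sha1(m) != hashlib.sha1(m).digest():
            return False
    return True
```

Swapping sha1_compress and SHA1_IV for another compression function and IV gives the other MD hashes of the same shape; the padding and the loop do not change.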
What are they good for?

“Modern, collision resistant hash functions were designed to create small, fixed size message digests so that a digest could act as a proxy for a possibly very large variable length message in a digital signature algorithm, such as RSA or DSA. These hash functions have since been widely used for many other “ancillary” applications, including hash-based message authentication codes, pseudo random number generators, and key derivation functions.”
-- NIST, “Request for Candidate Algorithm Nominations”, November 2007
Some examples

Signatures: sign(M) = RSA^{-1}( H(M) )
Message-authentication: tag = H(key, M)
Commitment: commit(M) = H(M, …)
Key derivation: AES-key = H(DH-value)

Removing interaction [Fiat-Shamir, 1987]
– Take interactive identification protocol:
    A → B: smthng
    B → A: challenge
    A → B: response
– Replace one side by a hash function: Challenge = H(smthng, context)
– Get non-interactive signature scheme: signature = (smthng, response)
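An added example (not from the slides) of the Fiat-Shamir step, instantiated with the Schnorr identification protocol, which the slide does not name but which has exactly the three-message shape drawn above: A sends t = g^r (the “smthng”), B returns a random challenge c, and A answers s = r + c·x. Replacing B's challenge by H(t, message) turns the transcript into the signature (t, s), and the verifier recomputes the same challenge. The group is a deterministic 64-bit safe-prime group built at import time for demonstration only (a real deployment uses a prime-order group with q around 256 bits); all function names and parameters are this example's own.

```python
import hashlib
import secrets

# Miller-Rabin with the first twelve primes as bases: a witness set that is proven
# deterministic far beyond the 65-bit numbers used here.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=64):
    """p = 2q + 1 with p and q prime; g = 4 is a quadratic residue, so its order is exactly q.
    The search starts from a fixed point so every run uses the same demo-sized group."""
    q = (1 << (bits - 1)) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group()


def keygen():
    x = secrets.randbelow(Q - 1) + 1      # secret key x in [1, q-1]
    return x, pow(G, x, P)                # (x, y = g^x mod p)


def commit():
    r = secrets.randbelow(Q - 1) + 1      # fresh nonce; reuse under the same key leaks x
    return r, pow(G, r, P)                # (r, t = g^r): t is the "smthng" A sends first


def respond(x, r, c):
    return (r + c * x) % Q                # the response s


def check(y, t, c, s):
    return pow(G, s, P) == t * pow(y, c, P) % P   # g^s == t * y^c ?


def interactive_identification(x, y):
    r, t = commit()                       # A -> B: smthng
    c = secrets.randbelow(Q)              # B -> A: challenge, chosen at random by B
    s = respond(x, r, c)                  # A -> B: response
    return check(y, t, c, s)


def fs_challenge(t, context):
    """Challenge = H(smthng, context): the hash replaces B's coin flips. The context
    (here, the message) is what ties the transcript to what is being signed."""
    width = (P.bit_length() + 7) // 8
    h = hashlib.sha256(t.to_bytes(width, "big") + context).digest()
    return int.from_bytes(h, "big") % Q   # 256-bit hash reduced mod a 64-bit q: negligible bias


def sign(x, msg):
    r, t = commit()
    c = fs_challenge(t, msg)              # context = the message
    return t, respond(x, r, c)            # signature = (smthng, response)


def verify(y, msg, sig):
    t, s = sig
    return check(y, t, fs_challenge(t, msg), s)
```

The interactive protocol and the signature share commit, respond and check; the only difference is who produces c. Without the context argument the transcript would verify for every message, which is why the slide writes H(smthng, context) rather than H(smthng).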
Part I: Random functions vs. hash functions
Random functions

What we really want is H that behaves “just like a random function”:
– Digest d = H(M) chosen uniformly for each M
– Digest d = H(M) has no correlation with M
– For distinct M_1, M_2, …, digests d_i = H(M_i) are completely uncorrelated to each other
– Cannot find collisions, or even near-collisions
– Cannot find M to “hit” a specific d
– Cannot find fixed-points (d = H(d))
– etc.
The “Random-Oracle paradigm” [Bellare-Rogaway, 1993]

1. Pretend hash function is really this good
2. Design a secure cryptosystem using it
   – Prove security relative to a “random oracle”
3. Replace oracle with a hash function
   – Hope that it remains secure

Very successful paradigm, many schemes
– E.g., OAEP encryption, FDH, PSS signatures
– Also all the examples from before…
– Schemes seem to “withstand test of time”
Random oracles: rationale

Some crypto scheme (e.g., signatures) uses a hash function H, and is proven secure when H is a random function.
Any attack on the real-world scheme must use some “nonrandom property” of H
– We should have chosen a better H, one without that “nonrandom property”
Caveat: how do we know what “nonrandom properties” are important?
This rationale isn’t sound [Canetti-Goldreich-Halevi, 1997]

Exist signature schemes that are:
1. Provably secure wrt a random function
2. Easily broken for EVERY hash function

Idea: hash functions are computable
– This is a “nonrandom property” by itself
– Exhibit a scheme which is secure only for “non-computable H’s”
– Scheme is (very) “contrived”
Contrived example

Start from any secure signature scheme
– Denote signature algorithm by SIG1^H(key, msg)

Change SIG1 to SIG2 as follows (some technicalities glossed over):
SIG2^H(key, msg): interpret msg as code Π
– If Π(i) = H(i) for i = 1, 2, 3, …, |msg|, then output key
– Else output the same as SIG1^H(key, msg)

If H is random, always the “Else” case
If H is a hash function, attempting to sign the code of H outputs the secret key
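An added Python rendering of the contrived SIG2 above (not code from the paper or the slides), to make the separation concrete. SIG1 is a placeholder: an HMAC tag from the standard library, which is not a signature scheme but fills the role of “any secure scheme” here. H is SHA-256 truncated to 64 bits, and the random oracle is simulated by a lazily sampled table of fresh random values. Executing a message as code is the slide's deliberately contrived construction and not a pattern to imitate; every name below is this example's own.

```python
import hashlib
import hmac
import secrets


def H(i):
    """The concrete, computable hash function: SHA-256 truncated to 64 bits (a choice made here)."""
    return int.from_bytes(hashlib.sha256(i.to_bytes(8, "big")).digest()[:8], "big")


class RandomOracle:
    """The idealized H of the ROM: a random function, sampled lazily so each new input gets
    an independent 64-bit value. Its code cannot be handed to the signer, because there is none."""
    def __init__(self):
        self.table = {}

    def __call__(self, i):
        if i not in self.table:
            self.table[i] = secrets.randbits(64)
        return self.table[i]


def sig1(key, msg):
    """Placeholder for 'any secure signature scheme' (an HMAC tag; not a real signature)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def sig2(H_fn, key, msg):
    """SIG2^H(key, msg) from the slide: interpret msg as code PI; if PI(i) == H(i) for
    i = 1, ..., |msg|, output the key; otherwise behave exactly like SIG1^H."""
    try:
        scope = {}
        exec(msg.decode("utf-8"), scope)       # interpret msg as code (contrived by design)
        pi = scope["PI"]
        if all(pi(i) == H_fn(i) for i in range(1, len(msg) + 1)):
            return key                         # the secret key is output
    except Exception:
        pass                                   # not valid code, or no PI: the "Else" case
    return sig1(key, msg)


# A message that is the code of H itself (constructed for this demo; it must define PI).
CODE_OF_H = b"""import hashlib
def PI(i):
    return int.from_bytes(hashlib.sha256(i.to_bytes(8, 'big')).digest()[:8], 'big')
"""


def demo():
    """Returns (key leaked with the real H, key leaked with a random oracle, ordinary
    messages still signed as SIG1 would)."""
    key = secrets.token_bytes(16)
    leaked = sig2(H, key, CODE_OF_H) == key                 # concrete H: the signer hands out its key
    leaked_ro = sig2(RandomOracle(), key, CODE_OF_H) == key  # random oracle: always the Else branch
    ordinary = b"an ordinary message"
    unchanged = sig2(H, key, ordinary) == sig1(key, ordinary)
    return leaked, leaked_ro, unchanged
```

With the random oracle the first comparison PI(1) == H(1) fails with overwhelming probability, so SIG2 is exactly as secure as SIG1 in the proof; with the real, computable H the same code path is a key-recovery oracle for anyone who can submit the code of H for signing.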
Cautionary note

ROM proofs may not mean what you think…
– Still they give valuable assurance, rule out “almost all realistic attacks”

What “nonrandom properties” are important for OAEP / FDH / PSS / …?
How would these schemes be affected by a weakness in the hash function in use?

ROM may lead to careless implementation