Hash Functions in Action: Lecture 11 (PowerPoint PPT Presentation)

Hash Functions. Main syntactic feature: variable input length to fixed length output.


  1–5. CRHF

    CRHF from the discrete log assumption: suppose G is a group of prime order q where DL is considered hard (e.g. $\mathrm{QR}_p^*$ for $p = 2q+1$ a safe prime).
    $h_{g_1,g_2}(x_1, x_2) = g_1^{x_1} g_2^{x_2}$ (in G), where $g_1, g_2 \neq 1$ (hence generators).
    A collision: $(x_1, x_2) \neq (y_1, y_2)$ s.t. $h_{g_1,g_2}(x_1, x_2) = h_{g_1,g_2}(y_1, y_2)$.
    Then $(x_1, x_2) \neq (y_1, y_2) \Rightarrow x_1 \neq y_1$ and $x_2 \neq y_2$ [Why?]
    Then $g_2 = g_1^{(x_1 - y_1)/(x_2 - y_2)}$ (exponents in $\mathbb{Z}_q^*$),
    i.e., for some base $g_1$, can compute the DL of $g_2$ (a random non-unit element). Breaks DL!
    Hash halves the size of the input.
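A toy instance of this construction and of the collision-to-DL reduction, added here as an example (not from the lecture slides); the safe prime p = 23, q = 11 is a constructed value small enough that collisions can be found by brute force:

```python
import itertools

# Toy instance of the slide's CRHF h_{g1,g2}(x1, x2) = g1^x1 * g2^x2 in G = QR_p,
# p = 2q + 1 a safe prime, and the reduction: any collision reveals log_{g1}(g2).
P = 23   # safe prime (constructed toy value): 23 = 2*11 + 1
Q = 11   # prime order of the subgroup QR_23

def qr_generators(p=P):
    """Non-identity quadratic residues mod p; each generates QR_p because |QR_p| = q is prime."""
    return sorted({pow(a, 2, p) for a in range(1, p)} - {1})

def h(g1, g2, x1, x2, p=P):
    """The two-generator hash Z_q x Z_q -> QR_p (2 log q bits in, log q bits out)."""
    return (pow(g1, x1, p) * pow(g2, x2, p)) % p

def dlog_from_collision(g1, g2, x, y, p=P, q=Q):
    """Given (x1,x2) != (y1,y2) with h(x) == h(y), return e with g1^e == g2 in G.
    g1^{x1} g2^{x2} = g1^{y1} g2^{y2}  =>  g1^{x1-y1} = g2^{y2-x2}, so
    e = (x1 - y1) / (y2 - x2) computed in Z_q (the inverse exists since x2 != y2)."""
    (x1, x2), (y1, y2) = x, y
    assert x != y and h(g1, g2, x1, x2, p) == h(g1, g2, y1, y2, p)
    # Both coordinates must differ: if x1 == y1 then g2^{x2} = g2^{y2}, forcing x2 == y2 (mod q).
    assert x1 != y1 and x2 != y2
    e = ((x1 - y1) * pow((y2 - x2) % q, -1, q)) % q
    assert pow(g1, e, p) == g2, "reduction must recover the discrete log"
    return e

def find_collision(g1, g2, p=P, q=Q):
    """Brute-force a collision; only feasible because |G| = 11. In a group where DL is hard,
    the reduction above is exactly why no efficient algorithm can do this."""
    seen = {}
    for x1, x2 in itertools.product(range(q), repeat=2):
        v = h(g1, g2, x1, x2, p)
        if v in seen:
            return seen[v], (x1, x2)
        seen[v] = (x1, x2)
    return None
```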

  6–13. Domain Extension

    Full-domain hash: hash arbitrarily long strings to a single hash value.
    So far, UOWHF/CRHF which have a fixed domain.
    Idea 1: by repeated application.
    If one-bit compression, to hash an n-bit string, O(n) (independent) invocations of the basic hash function.
    Independent invocations: hash description depends on n (linearly).
    [Figure: chain of basic hashes $h_1, \dots, h_{t-2}, h_{t-1}, h_t$ applied in sequence.]

  14–22. Domain Extension

    Can compose hash functions more efficiently, using a “Merkle tree”.
    Suppose the basic hash is from $\{0,1\}^k$ to $\{0,1\}^{k/2}$. A hash function from $\{0,1\}^{4k}$ to $\{0,1\}^{k/2}$ using a tree of depth 3.
    If the basic hash is from $\{0,1\}^k$ to $\{0,1\}^{k-1}$, first construct a new basic hash from $\{0,1\}^k$ to $\{0,1\}^{k/2}$ by repeated hashing.
    Any tree can be used, with consistent I/O sizes.
    Independent hashes or same hash? Depends!

  23–38. Domain Extension for CRHF

    For CRHF, the same basic hash is used throughout the Merkle tree. Hash description is the same as for a single basic hash.
    If a collision $((x_1 \dots x_n), (y_1 \dots y_n))$ overall, then some collision $(x', y')$ for the basic hash.
    Consider moving a “frontline” from bottom to top.
    Collision at some step (different values on the i-th front, same on the (i+1)-st); gives a collision for the basic hash.
    $A^*(h)$: run $A(h)$ to get $(x_1 \dots x_n), (y_1 \dots y_n)$. Move the frontline to find $(x', y')$.
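The depth-3 tree from the Merkle-tree slides (8 chunks, basic hash from {0,1}^k to {0,1}^{k/2} with k = 16 bits) together with the frontline argument of $A^*$, as an added example that is not from the slides; the basic hash f is a constructed toy (SHA-256 truncated to one byte) so that tree collisions can be found by a birthday search:

```python
import hashlib
import os

def f(block: bytes) -> bytes:
    """Toy basic hash {0,1}^16 -> {0,1}^8: SHA-256 truncated to one byte (constructed for the
    demo; only its tiny range is unrealistic, the tree code is generic over f)."""
    assert len(block) == 2
    return hashlib.sha256(block).digest()[:1]

def merkle_levels(f, chunks):
    """All frontlines of the tree: level 0 = the input chunks, last level = [root]."""
    n = len(chunks)
    assert n > 0 and n & (n - 1) == 0, "number of chunks must be a power of two"
    levels = [list(chunks)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([f(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def merkle_hash(f, chunks):
    """Depth log2(len(chunks)) Merkle-tree hash using the same f at every node."""
    return merkle_levels(f, chunks)[-1][0]

def frontline_collision(f, xs, ys):
    """A* from the slide: given xs != ys with the same root, move the frontline upwards to the
    first level where the two frontlines agree; the level below differs, so some node there
    is a collision (x', y') for the basic hash f."""
    lx, ly = merkle_levels(f, xs), merkle_levels(f, ys)
    assert xs != ys and lx[-1] == ly[-1]
    for i in range(1, len(lx)):
        if lx[i] == ly[i]:                      # frontlines agree here, differed at level i-1
            for j in range(len(lx[i])):
                a = lx[i - 1][2 * j] + lx[i - 1][2 * j + 1]
                b = ly[i - 1][2 * j] + ly[i - 1][2 * j + 1]
                if a != b:
                    return a, b                 # f(a) == lx[i][j] == ly[i][j] == f(b)
    raise AssertionError("unreachable: leaves differ but roots agree")

def find_tree_collision(f, n_chunks=8):
    """Birthday search over random 8-chunk inputs; feasible only because the toy f has 8-bit output."""
    seen = {}
    while True:
        xs = [os.urandom(1) for _ in range(n_chunks)]
        root = merkle_hash(f, xs)
        if root in seen and seen[root] != xs:
            return seen[root], xs
        seen.setdefault(root, xs)
```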

  39–48. Domain Extension for UOWHF

    For UOWHF, can't use the same basic hash throughout!
    $A^*$ has to output an $x'$ on getting $(x_1 \dots x_n)$ from A, before getting h.
    Can guess a random node (i.e., a random pair of frontlines) where the collision occurs, but if it is not a leaf, can't compute $x'$ until h is fixed!
    Solution: a different h for each level of the tree (i.e., no ancestor/successor has the same h).
    To compute $x'$: pick a random node (say at level i), pick $h_j$ for the levels below i, give it to A, get back $(x_1 \dots x_n)$, and compute the input to the node; this is $x'$.
    On getting h, plug it in as $h_i$, pick $h_j$ for the remaining levels; get $(y_1 \dots y_n)$ and compute $y'$.
    [Figure: depth-3 tree with $h_1$ at the four leaf-level nodes, $h_2$ at the two middle nodes and $h_3$ at the root.]

  49–55. UOWHF vs. CRHF

    UOWHF has a weaker guarantee than CRHF.
    UOWHF can be built based on OWF (we saw based on OWP), whereas CRHF “needs stronger assumptions”.
    But “usual” OWF candidates suffice for CRHF too (we saw the construction based on discrete-log).
    Domain extension of CRHF is simpler, with no blow-up in the description size. For UOWHF the description increases logarithmically in the input size.
    UOWHF is theoretically important (based on simpler assumptions, good if paranoid), but CRHF can substitute for it.
    Current practice: much less paranoid; faith in efficient, ad hoc (and unkeyed) constructions (though increasingly under attack).

  56–62. Hash Functions in Practice

    A single function, not a family (e.g. SHA-3, SHA-256, MD4, MD5).
    Often built from a fixed input-length compression function.
    Merkle-Damgård iterated hash function:
    [Figure: chain IV → f(·, $m_1$) → f(·, $m_2$) → ... → f(·, $m_t$) → f(·, |m|) → T, annotated “Collision resistance even with variable-length input”.]
    If f is collision resistant (not as a “keyed” hash, but “concretely”), then so is the Merkle-Damgård iterated hash function (for any IV).
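The Merkle-Damgård iteration with the length block and the argument behind the last claim (an MD collision yields a collision in f, for any IV), as an added example that is not from the slides; the compression function f is a constructed toy (SHA-256 truncated to one byte) so that colliding messages can be found by a birthday search:

```python
import hashlib
import os

IV = b'\x00'   # any fixed IV; the collision-resistance argument does not depend on its value

def f(chain: bytes, block: bytes) -> bytes:
    """Toy compression function {0,1}^8 x {0,1}^8 -> {0,1}^8 (SHA-256 truncated to one byte).
    Constructed for the demo: the 8-bit range lets us find collisions by brute force."""
    assert len(chain) == 1 and len(block) == 1
    return hashlib.sha256(chain + block).digest()[:1]

def md_blocks(msg: bytes) -> list:
    """One-byte message blocks m_1..m_t, followed by the length block |m| (MD strengthening)."""
    assert len(msg) < 256, "toy: |m| must fit in one block"
    return [bytes([b]) for b in msg] + [bytes([len(msg)])]

def md_chain(msg: bytes, iv: bytes = IV) -> list:
    """Chaining values h_0 = IV, h_i = f(h_{i-1}, m_i); the last one is the tag T."""
    chain = [iv]
    for blk in md_blocks(msg):
        chain.append(f(chain[-1], blk))
    return chain

def md_hash(msg: bytes, iv: bytes = IV) -> bytes:
    return md_chain(msg, iv)[-1]

def f_collision_from_md_collision(m1: bytes, m2: bytes, iv: bytes = IV):
    """Given m1 != m2 with equal MD hash, return two distinct f-inputs (chain, block) with
    equal f-output. Walk back from T: while the inputs to the current step are identical,
    the step before must already collide; the length block guarantees the walk stops."""
    assert m1 != m2 and md_hash(m1, iv) == md_hash(m2, iv)
    b1, b2 = md_blocks(m1), md_blocks(m2)
    c1, c2 = md_chain(m1, iv), md_chain(m2, iv)
    i, j = len(b1), len(b2)          # step i consumes b[i-1] with chaining value c[i-1]
    while (c1[i - 1], b1[i - 1]) == (c2[j - 1], b2[j - 1]):
        i, j = i - 1, j - 1          # messages of different length differ in the last block,
                                     # so this only runs for equal lengths, which differ earlier
    return (c1[i - 1], b1[i - 1]), (c2[j - 1], b2[j - 1])

def find_md_collision(iv: bytes = IV):
    """Birthday search over short random messages; feasible only for the 8-bit toy f."""
    seen = {}
    while True:
        m = os.urandom(1 + os.urandom(1)[0] % 4)
        t = md_hash(m, iv)
        if t in seen and seen[t] != m:
            return seen[t], m
        seen.setdefault(t, m)
```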

  63. MAC
