Hash Functions — Much Ado about Something, Orr Dunkelman (PowerPoint PPT presentation)

[navigation bar: Introduction · MD · New Results I · New Results II · Future]
Hash Functions — Much Ado about Something
Orr Dunkelman, Département d'Informatique, École Normale Supérieure; France Télécom Chaire
22nd of September 2008


Slide 11/69: Collision Resistance of Hash Functions (cont.)
[navigation bar: Definition · CR · Sec/Pre · PRO/PRF · UOWHF]
◮ Practical solution — $a$ and $b$ are unknown. For any specific function finding them takes $O(1)$ anyway. So who cares?
◮ Theoretical solution (I) — let us define a family of hash functions, and bundle the collision resistance of one of them to the collision resistance of the family.
◮ But how?
Orr Dunkelman, Hash Functions — Much Ado about Something (footer on every slide)

Slide 12/69: The Collision Resistance Game [RS04]
◮ Define a family of hash functions $H = \{h_1, h_2, \ldots\}$.
◮ The adversary is given a random $k$, and has to produce a collision for $h_k$.
◮ If $|H|$ is exponential, and the adversary has polynomial memory, this prevents him from storing $(a_i, b_i)$ for all $h_i$.
◮ The adversary's advantage is then:
$$\mathrm{Adv}^{\mathrm{Coll}}_H = \Pr\big[\,K \xleftarrow{\$} \mathcal{K};\ (M, M') \xleftarrow{\$} A(K) \;:\; M \neq M' \wedge h_K(M) = h_K(M')\,\big]$$

Slide 13/69: Collision Resistance of Hash Functions (cont.)
◮ Theoretical solution (II) — we do not know the values of $a$, $b$ for a specific hash function. Thus, let us define a protocol Π, which uses a hash function $h(\cdot)$, such that we can show that every attacker $A$ against Π yields an attack on $h(\cdot)$ [R05].
◮ But how can we construct Π? We should agree in advance on such a Π which is secure assuming $h(\cdot)$ is collision resistant.
◮ See the paper for details on which constructions we all assume to be OK if the underlying hash function is collision resistant.

Slide 14/69: Other Security Properties
◮ Second preimage — when the hash function is keyed the game is:
  ◮ Choose $K$ at random, choose $M$ at random.
  ◮ Give the adversary $K$, $M$, and ask for a second preimage $M'$.
The formal advantage is
$$\mathrm{Adv}^{\mathrm{Sec}[m]}_H = \Pr\big[\,K \xleftarrow{\$} \mathcal{K};\ M \xleftarrow{\$} \{0,1\}^m;\ M' \xleftarrow{\$} A(K, M) \;:\; M \neq M' \wedge h_K(M) = h_K(M')\,\big]$$
◮ Note that the length of the message is embedded into the definition to ensure that we are not biased towards (too) long messages, and to avoid problems arising from (too) small message spaces.

Slide 15/69: Other Security Properties (cont.)
◮ Maybe there are weak “keys”?
◮ Always second preimage — the key is chosen to be the “worst” from a security point of view (rather than randomly). The advantage:
$$\mathrm{Adv}^{\mathrm{aSec}[m]}_H = \max_{K \in \mathcal{K}} \Pr\big[\,M \xleftarrow{\$} \{0,1\}^m;\ M' \xleftarrow{\$} A(K, M) \;:\; M \neq M' \wedge h_K(M) = h_K(M')\,\big]$$
◮ Everywhere second preimage — the message is chosen to be the “worst”. The advantage:
$$\mathrm{Adv}^{\mathrm{eSec}[m]}_H = \max_{M \in \{0,1\}^m} \Pr\big[\,K \xleftarrow{\$} \mathcal{K};\ M' \xleftarrow{\$} A(K, M) \;:\; M \neq M' \wedge h_K(M) = h_K(M')\,\big]$$

Slide 16/69: Other Security Properties (cont.)
◮ Preimage resistance — pick $K$ at random, a message $M$ at random, give the adversary $h_K(M)$ and ask for a preimage.
◮ Always preimage resistance — take the worst $K$, repeat.
◮ Everywhere preimage resistance — take the worst possible hash value, repeat.
◮ When discussing preimage resistance, people might wish to take a random digest. This may lead to a “secure” case becoming insecure (i.e., changing Pre to be ePre).

Slide 17/69: Even More Security Definitions
◮ Pseudorandom function — if the primitive is keyed, then any adversary cannot distinguish between an instance chosen by a random key, and a random function with the same parameters (input/output size). The advantage:
$$\mathrm{Adv}^{\mathrm{prf}}_H = \Pr\big[\,K \xleftarrow{\$} \mathcal{K} \;:\; A^{H(K,\cdot)} = 1\,\big] - \Pr\big[\,A^{h(\cdot)} = 1\,\big],$$
where $h$ is a random function with the same input/output size.
The main issue with hash functions is the way to key them (and the compression function). A good mode of iteration would preserve the “PRFness” of its compression function.

Slide 18/69: Even More Security Definitions (cont.)
◮ Pseudorandom oracle — is the hash function indistinguishable from a random oracle?
◮ Of course it is easy to distinguish any hash function from a random oracle.
◮ But let us assume that we are given a random oracle as a compression function (FIL-RO). Is the hash function now indistinguishable from a random oracle?
◮ The security game is very different.

Slide 19/69: Indistinguishability from a Random Oracle
◮ There is the hash function which has access to a FIL-RO.
◮ There is a simulator which has access to a VIL-RO.
◮ The adversary can query either the hash and the FIL-RO, or the simulator and the VIL-RO.
◮ The advantage is the success of the adversary in distinguishing between the two cases.
[figure: the adversary $A$ talks either to $(H(\cdot), RO_F)$ or to $(S, RO_V)$]

Slide 20/69: Universal One-Way Hash Functions
◮ Introduced by Naor & Yung in 1989 to overcome the collision-resistance “problem”.
◮ Let $H$ be a family of hash functions $H = \{h_1, h_2, \ldots, h_k\}$.
◮ $H$ is a UOWHF if for all $x$ the probability
$$\Pr_{k \xleftarrow{\$} \mathcal{K}}\big[\,A(h_k, x) = y \;\big|\; h_k(x) = h_k(y) \wedge x \neq y\,\big]$$
is negligible.
◮ This property is Target Collision Resistance, which is the same as eSec.
◮ This means that for a specific $h_i$ it might be easy to find collisions, but not for all functions in $H$.

Slide 21/69: Outline
1. Introducing Hash Functions
   The Definition War; Collision Resistance; (Second) Preimage Security; Other Security Properties; Universal One-Way Hash Functions
2. The Merkle-Damgård Construction
3. Why Merkle-Damgård Does Not Offer $2^n$ Second Preimage Resistance
   Using Fix Points; Expandable Messages; Herding Second Preimage Attacks
4. And then Came Prof. Wang
5. New Directions in Cryptographic Hash Functions
   Alternative Modes of Iteration; New Design Methodologies; Permutation-Based Hashing; Proving the Security of the Hash Function; SHA-3 — the AHS Competition

Slide 22/69: The Merkle-Damgård Construction
◮ Presented by Merkle and Damgård independently as an answer to the following problem:
◮ Given a compression function $f : \{0,1\}^{m_c} \times \{0,1\}^n \to \{0,1\}^{m_c}$, how would you generate a hash function $H^f : \{0,1\}^* \to \{0,1\}^m$?
◮ The solution is as follows:
  1. Pad the message $M$ to a multiple of $b$ (with a 1, as many 0's as needed, and the length of the message).
  2. Divide the padded message into $l$ blocks $m_1 m_2 \ldots m_l$.
  3. Set $h_0 = IV$.
  4. For $i = 1$ to $l$, do $h_i = f(h_{i-1}, m_i)$.
  5. Output $h_l$ (or some function of it).

Slide 23/69: The Security of the Merkle-Damgård Construction
◮ Finding a collision in $H^f$ means finding a collision in $f$.
◮ Thus, if $f$ is collision-resistant, so is $H^f$.
◮ Also, finding a second preimage in $H^f$ means finding a collision in $f$.
◮ The same is true for finding a preimage (because you can use it to find a second preimage).
To conclude, if $f$ is collision resistant (i.e., it takes $O(2^{m_c/2})$ invocations to find a collision), then $H^f$ is collision resistant and (second) preimage resistant with security level of $O(2^{m_c/2})$.
But we want better security guarantees (of $O(2^{m_c})$) for (second) preimage!
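The five construction steps of slide 22 and the reduction on this slide can be checked on a toy instance. The following Python is an added example for this page, not code from the talk: it builds the Merkle-Damgård mode over a constructed 16-bit compression function (SHA-256 truncated to 2 bytes is an assumption standing in for a real $f$), and implements the argument "a collision in $H^f$ is a collision in $f$" as a procedure that walks two colliding chains backwards until the inputs to $f$ differ. The padding layout, block size and IV are the example's own choices.

```python
import hashlib

# Toy parameters, constructed for this example: a 16-bit chaining value m_c and
# 16-bit message blocks, small enough that the security argument can be checked
# by brute force. None of this is a real hash function.
MC_BYTES = 2
BLOCK_BYTES = 2
IV = b"\x00\x00"

def f(h: bytes, m: bytes) -> bytes:
    """Fixed-input-length compression function f: {0,1}^16 x {0,1}^16 -> {0,1}^16.
    Assumption: SHA-256 truncated to 2 bytes behaves like a random function."""
    assert len(h) == MC_BYTES and len(m) == BLOCK_BYTES
    return hashlib.sha256(h + m).digest()[:MC_BYTES]

def md_pad(msg: bytes) -> bytes:
    """Step 1: append a 1 bit (0x80), then 0 bits, then the message length, so the
    result is a multiple of the block size (Merkle-Damgard strengthening)."""
    assert len(msg) < 1 << 16
    padded = msg + b"\x80"
    while (len(padded) + 2) % BLOCK_BYTES:
        padded += b"\x00"
    return padded + len(msg).to_bytes(2, "big")   # the length field fills the last block

def md_blocks(msg: bytes) -> list:
    """Step 2: split the padded message into blocks m_1 ... m_l."""
    p = md_pad(msg)
    return [p[i:i + BLOCK_BYTES] for i in range(0, len(p), BLOCK_BYTES)]

def md_chain(msg: bytes) -> list:
    """Steps 3-4: h_0 = IV, h_i = f(h_{i-1}, m_i); returns [h_0, ..., h_l]."""
    chain = [IV]
    for block in md_blocks(msg):
        chain.append(f(chain[-1], block))
    return chain

def md_hash(msg: bytes) -> bytes:
    """Step 5: output h_l."""
    return md_chain(msg)[-1]

def extract_f_collision(m1: bytes, m2: bytes):
    """The reduction behind 'a collision in H^f is a collision in f': walk both
    chains backwards from the equal outputs until the inputs to f differ.
    Returns ((h, x), (h', x')) with (h, x) != (h', x') and f(h, x) == f(h', x')."""
    assert m1 != m2 and md_hash(m1) == md_hash(m2)
    b1, b2 = md_blocks(m1), md_blocks(m2)
    c1, c2 = md_chain(m1), md_chain(m2)
    for j in range(1, min(len(b1), len(b2)) + 1):
        i1, i2 = len(b1) - j, len(b2) - j          # the j-th block from the end
        in1, in2 = (c1[i1], b1[i1]), (c2[i2], b2[i2])
        if in1 != in2:                             # f(in1) == f(in2) holds by the loop invariant
            return in1, in2
    # Unreachable: the length field makes the last blocks differ when the message
    # lengths differ, and equal-length messages with all blocks equal are equal.
    raise AssertionError("no differing block found")

def find_md_collision():
    """Birthday search on the 16-bit toy hash: about 2^(m_c/2) = 256 evaluations."""
    seen = {}
    i = 0
    while True:
        m = i.to_bytes(4, "big")
        d = md_hash(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
        i += 1

if __name__ == "__main__":
    a, b = find_md_collision()
    (h, x), (h2, x2) = extract_f_collision(a, b)
    print("H^f collision:", a.hex(), b.hex())
    print("f collision:  ", (h + x).hex(), (h2 + x2).hex(), "->", f(h, x).hex())
```

The loop invariant in `extract_f_collision` is the whole proof: at every step the two `f` inputs under inspection have equal outputs, so the first step at which the inputs differ is a collision in `f`; the length field in the last block guarantees that messages of different length diverge immediately.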

Section 3 outline slide (24/69), repeating the outline of slide 21/69: the talk now enters “Why Merkle-Damgård Does Not Offer $2^n$ Second Preimage Resistance”.

Slide 25/69: Second Preimage Attack on Merkle-Damgård
[navigation bar: Fix · Expandable · Herding]
◮ If a fix-point can be easily found, a second preimage attack on a $2^l$-block message takes $\min\{O(2^{m_c - l}), O(2^{m_c/2})\}$ [D99].
◮ Find $O(2^{m_c/2})$ fix-points, denoted by $A = (h, m)$.
◮ Select $O(2^{m_c/2})$ single blocks and compute $B = (C_{MD}(IV, \tilde{m}), \tilde{m})$.
◮ Find a collision between $A$ and $B$.
◮ Voilà — an expandable message: $\tilde{m} \| m^t$ for all $t$ leads to the same chaining value $h$.
[figure: compression function built from a block cipher $E$ keyed by a message block $m_i$ picked at random; a fix-point is reached when $h_{i+1} = h_i$]

Slide 26/69: Second Preimage Attack on Merkle-Damgård (cont.)
◮ If a fix-point can be easily found, a second preimage attack on a $2^l$-block message takes $\min\{O(2^{m_c - l}), O(2^{m_c/2})\}$ [D99].
◮ Take the message $M$.
◮ Starting from $h$, try to find a message block $x$ s.t. $f(h, x) = h_i$, for one of the chaining values of $M$.
◮ If succeeded, pad the message to the right length and obtain a second preimage.
[figure: the same fix-point compression function, $h_{i+1} = h_i$]

Slide 27/69: Multi-collision Attacks on Iterative Hashing
◮ Finding $2^t$ collisions in an iterative hash function with chaining value length $m_c$ takes $O(t \cdot 2^{m_c/2})$ [J04].
[figure: chain $h_0 \to h_1 \to h_2 \to h_3 \to h_4$ with two colliding block choices $m^1_i$ and $m^2_i$ at every step $i = 1, \ldots, 4$]
In an ideal hash function the time complexity should be $O\big(2^{\frac{2^t - 1}{2^t} \cdot m_c}\big)$.

Slide 28/69: Another Way to Generate Expandable Messages
◮ In [KS05] the expandable message is constructed as a multi-collision: in the first block between a message of one block and a message of two blocks, then between one block and three blocks, one and five, etc.
[figure: chain $h_0 \to h_1 \to h_2 \to h_3 \to h_4$; at each step the single block $m_i$ collides with the longer alternative $m'_1 \| m'_2$, then $m'_3 \| m'_4 \| m'_5$, then $m'_6 \| \ldots \| m'_{10}$, then $m'_{11} \| \ldots \| m'_{19}$]

Slide 29/69: Expandable Message → a Second Preimage Attack
◮ Generate an expandable message that covers lengths from $l$ to $2^l + l - 1$, whose output chaining value is $h$.
◮ Try to find $x$, such that $f(h, x) = h_i$ (one of the chaining values computed for the original message).
◮ Once the “connection” step succeeds, fix the length using the precomputed expandable message.
◮ Time complexity: offline $O(l \cdot 2^{m_c/2} + 2^l)$. Online $O(2^{m_c - l})$.
[figure: original chain $IV \to h_1 \to h_2 \to h_3 \to \cdots \to h_i \to \cdots \to h_{L-1} \to h_L$; the second preimage runs $IV \to$ (expandable message of length $i - 1$) $\to h \xrightarrow{x} h_i$ and then follows the original chain]
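As an added example (written for this page, not code from the talk or from [J04], [KS05] or [D99]), the following Python implements on a constructed 16-bit toy hash the three ingredients of slides 27 to 29: the Joux multi-collision, the Kelsey-Schneier expandable message built from collisions between a 1-block and a $(2^i + 1)$-block message, and the connection step that turns the expandable message into a second preimage of a long message of the same block count. The compression function (SHA-256 truncated to 2 bytes), the block layout, the length encoding and the message sizes are assumptions of the example; with $m_c = 16$ every birthday search costs a few hundred evaluations, so the $O(t \cdot 2^{m_c/2})$ and $O(2^{m_c - l})$ figures can be observed directly through the `CALLS` counter.

```python
import hashlib

# Toy iterated hash constructed for this example (not the talk's code): 16-bit
# chaining value m_c, 16-bit message blocks, SHA-256 truncated to 2 bytes as f.
IV = b"\x00\x00"
CALLS = 0   # number of compression-function evaluations so far

def f(h: bytes, m: bytes) -> bytes:
    global CALLS
    CALLS += 1
    return hashlib.sha256(h + m).digest()[:2]

def chain_values(blocks, iv=IV):
    """[h_0, h_1, ..., h_L] for a message given as a list of 2-byte blocks."""
    hs = [iv]
    for b in blocks:
        hs.append(f(hs[-1], b))
    return hs

def md_hash(blocks):
    """MD strengthening: the block count is fed in as the final block."""
    return f(chain_values(blocks)[-1], len(blocks).to_bytes(2, "big"))

def block_collision(h):
    """x != y with f(h, x) == f(h, y): one birthday search, about 2^(m_c/2) calls."""
    seen = {}
    for i in range(1 << 16):
        x = i.to_bytes(2, "big")
        d = f(h, x)
        if d in seen:
            return seen[d], x, d
        seen[d] = x
    raise RuntimeError("no collision found")

def joux_multicollision(t):
    """[J04]: t chained single-block collisions give 2^t messages with one
    chaining value for the price of t birthday searches."""
    h, pairs = IV, []
    for _ in range(t):
        x, y, h = block_collision(h)
        pairs.append((x, y))
    return pairs, h

def expand_multicollision(pairs):
    """Enumerate all 2^t colliding messages encoded by the pairs."""
    msgs = [[]]
    for x, y in pairs:
        msgs = [m + [x] for m in msgs] + [m + [y] for m in msgs]
    return msgs

def cross_collision(h1, h2):
    """x, y with f(h1, x) == f(h2, y) for two different starting chaining values."""
    table = {}
    for i in range(1 << 9):
        x = i.to_bytes(2, "big")
        table.setdefault(f(h1, x), x)
    for j in range(1 << 16):
        y = j.to_bytes(2, "big")
        d = f(h2, y)
        if d in table:
            return table[d], y, d
    raise RuntimeError("no collision found")

def expandable_message(h, k):
    """[KS05]: step i collides a 1-block message with a (2^i + 1)-block message,
    i = 0..k-1, so every length from k to k + 2^k - 1 ends in the same value."""
    choices = []
    for i in range(k):
        filler = [j.to_bytes(2, "big") for j in range(1 << i)]   # 2^i arbitrary blocks
        h_long = chain_values(filler, h)[-1]
        x, y, h = cross_collision(h, h_long)
        choices.append(([x], filler + [y]))
    return choices, h

def expand_to(choices, length):
    """Assemble the expandable message with exactly `length` blocks."""
    k = len(choices)
    extra = length - k
    assert 0 <= extra < (1 << k)
    msg = []
    for i, (short, long_) in enumerate(choices):
        msg += long_ if (extra >> i) & 1 else short   # bit i of `extra` adds 2^i blocks
    return msg

def second_preimage(target, k):
    """[D99]/[KS05]: expandable message plus one 'connection' block x with
    f(h, x) == h_i for some chaining value h_i of the target message."""
    L = len(target)
    hs = chain_values(target)
    # Connecting at h_i needs an expandable part of i - 1 blocks: k <= i - 1 <= k + 2^k - 1.
    index = {hs[i]: i for i in range(k + 1, min(L, k + (1 << k)) + 1)}
    choices, h_exp = expandable_message(IV, k)
    for j in range(1 << 16):                       # online phase, about 2^(m_c - l) tries
        x = j.to_bytes(2, "big")
        i = index.get(f(h_exp, x))
        if i is not None:
            forged = expand_to(choices, i - 1) + [x] + target[i:]
            if forged != target:                   # same block count, so same final block
                return forged
    raise RuntimeError("connection step failed")
```

Run `joux_multicollision(8)` and compare `CALLS` with $8 \cdot 2^8$ to see the linear-in-$t$ cost; then hash a 512-block target and call `second_preimage(target, 9)`: the connection succeeds after roughly $2^{16 - 9}$ tries because every intermediate chaining value of the target is an acceptable landing point, which is exactly the structural weakness the slides attribute to plain Merkle-Damgård.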

Slide 30/69: The Herding Attack — Targeted Preimage Attack
◮ Presented in [KK06] – the attacker fixes $h_T$, and given a challenge $P$, generates a message $m = P \| S$, such that $h(m) = h_T$ in time $O(2^{m_c - t} + 2^{(m_c + t)/2})$.
Precomputation — generation of a diamond structure.
[figure: diamond structure with $2^t$ leaves $h_1, h_2, h_3, h_4, \ldots, h_i, \ldots, h_{2^t}$ merged pairwise by message blocks $m_1, m_2, m_3, m_4, \ldots, m_i, \ldots, m_j$ down to the root $h_\diamond$]

Slide 31/69: The Herding Attack — Targeted Preimage Attack
◮ The attacker tries $2^{m_c - t}$ possible $x$'s until $H(P \| x)$ is one of the precomputed $h_i$'s in the diamond structure.
◮ Then, by concatenating the path in the diamond structure to $P \| x$ it is possible to find a preimage of $h_\diamond$.
[figure: $P \xrightarrow{x}$ one of the leaves $h_1, h_2, h_3, h_4, \ldots, h_i, \ldots, h_{2^t}$, then the diamond path to $h_\diamond$]

Slide 32/69: Second Preimage Attack Based on Herding
◮ Using the herding attack to allow short “patches” to messages: $O(2^{m_c - t} + 2^{(m_c + t)/2} + 2^{m_c - l})$ [A+08].
◮ Generate a diamond structure.
◮ Try random $m_{link2}$, until $f(h_\diamond, m_{link2}) = h_i$, for some $h_i$ obtained during the computation of $h(M)$.
◮ So starting from $h_{i-t-2}$, try random $m_{link1}$ until one of the entry points of the diamond structure is found.
[figure: original chain $IV \to h_1 \to h_2 \to h_3 \to \cdots \to h_i \to \cdots \to h_{L-1} \to h_L$; the patch leaves the chain at $h_{i-t-2}$ via $m_{link1}$, passes through the diamond to $h_\diamond$, and rejoins at $h_i$ via $m_{link2}$]
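The diamond structure of [KK06] and the two-link patch of [A+08] from slides 30 to 32, as an added example on a constructed 16-bit toy hash (Python written for this page, not code from the talk or the cited papers). Assumptions of the example: SHA-256 truncated to 2 bytes stands in for $f$; the leaf values are arbitrary constructed chaining values; and for the herding part the attacker commits to a message of a fixed total block count, so that a filler absorbs the unknown length of the challenge prefix (the papers handle that with expandable messages instead). The diamond is built by searching all nodes of a level at once, which is what gives the $2^{(m_c + t)/2}$ precomputation cost rather than $2^t$ separate birthday searches.

```python
import hashlib

# Toy iterated hash constructed for this example: 16-bit chaining values and
# blocks, with SHA-256 truncated to 2 bytes standing in for the compression function f.
IV = b"\x00\x00"

def f(h: bytes, m: bytes) -> bytes:
    return hashlib.sha256(h + m).digest()[:2]

def chain_values(blocks, iv=IV):
    hs = [iv]
    for b in blocks:
        hs.append(f(hs[-1], b))
    return hs

def md_hash(blocks):
    """MD strengthening: the block count is hashed in as the final block."""
    return f(chain_values(blocks)[-1], len(blocks).to_bytes(2, "big"))

def diamond_level(nodes, hops):
    """Merge 2^j chaining values into 2^(j-1): all nodes try blocks in lockstep and
    any two nodes whose outputs coincide are paired. hops[node] = (block, parent)."""
    unmatched, table, parents, j = set(nodes), {}, [], 0
    while unmatched:
        x = j.to_bytes(2, "big")
        j += 1
        for a in list(unmatched):
            if a not in unmatched:                    # paired earlier in this round
                continue
            d = f(a, x)
            b, xb = table.get(d, (None, None))
            if b is not None and b != a and b in unmatched:
                hops[a], hops[b] = (x, d), (xb, d)    # both edges lead to the parent d
                unmatched -= {a, b}
                parents.append(d)
            elif b is None or b not in unmatched:     # store, or replace a stale entry
                table[d] = (a, x)
    return parents

def build_diamond(t):
    """2^t constructed leaf values funnelled through t levels into the root h_diamond."""
    leaves = [(0x1000 + i).to_bytes(2, "big") for i in range(1 << t)]
    hops, level = {}, leaves
    while len(level) > 1:
        level = diamond_level(level, hops)
    return leaves, hops, level[0], t

def diamond_path(leaf, hops, root):
    """The t blocks that walk from `leaf` up to `root`."""
    path, h = [], leaf
    while h != root:
        blk, h = hops[h]
        path.append(blk)
    return path

def herd(prefix, diamond, total_blocks):
    """[KK06]: having committed to h_T = md_hash of a total_blocks-block message that
    ends in the diamond, answer challenge P with S such that md_hash(P || S) == h_T.
    Example assumption: the total length was fixed at commit time, so a filler of
    arbitrary blocks absorbs the unknown length of P."""
    leaves, hops, root, t = diamond
    filler = [b"\x00\x00"] * (total_blocks - len(prefix) - 1 - t)
    h_p = chain_values(prefix + filler)[-1]
    leafset = set(leaves)
    for j in range(1 << 16):                          # about 2^(m_c - t) tries
        x = j.to_bytes(2, "big")
        d = f(h_p, x)
        if d in leafset:
            return filler + [x] + diamond_path(d, hops, root)
    raise RuntimeError("no block reaches a leaf")

def second_preimage_herding(target, diamond):
    """[A+08]: patch a long target by leaving its chain at h_{i-t-2} via m_link1
    into a leaf, crossing the diamond, and rejoining at h_i via m_link2."""
    leaves, hops, root, t = diamond
    hs = chain_values(target)
    index = {hs[i]: i for i in range(t + 2, len(target) + 1)}
    for j in range(1 << 16):                          # m_link2: root -> some h_i
        x2 = j.to_bytes(2, "big")
        i = index.get(f(root, x2))
        if i is not None:
            break
    else:
        raise RuntimeError("m_link2 not found")
    leafset = set(leaves)
    for j in range(1 << 16):                          # m_link1: h_{i-t-2} -> a leaf
        x1 = j.to_bytes(2, "big")
        d = f(hs[i - t - 2], x1)
        if d in leafset:
            break
    else:
        raise RuntimeError("m_link1 not found")
    forged = target[:i - t - 2] + [x1] + diamond_path(d, hops, root) + [x2] + target[i:]
    assert forged != target and len(forged) == len(target)
    return forged
```

With `diamond = build_diamond(4)` the commitment is `f(root, (32).to_bytes(2, "big"))` for a 32-block message; `herd` then answers any 5-block prefix with a 27-block suffix whose hash equals that commitment, and `second_preimage_herding` patches a 256-block target with a $t + 2 = 6$ block detour through the same diamond.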

Section 4 outline slide (33/69), repeating the outline of slide 21/69: the talk now enters “And then Came Prof. Wang”.

Slide 34/69: The MD/SHA-Family
The MD/SHA family is composed of many hash functions with similar design criteria:
◮ Davies-Meyer transformation of a block cipher into a compression function.
◮ Merkle-Damgård hash function.
◮ Simple round functions (with little nonlinearity).
◮ The nonlinearity is “introduced” bit-by-bit (AND, MAJ operations) and using addition modulo $2^{32}$.
◮ The message expansion (key schedule) is linear (either repetition, or through an LFSR).
◮ Very software-friendly (not so bad on hardware as well).
◮ Message block: 512-bit; Digest size: 128-bit (MD4/5), 160-bit (SHA).

Slide 35/69: History of the World (part I)
◮ MD4 introduced in 1990 by Rivest. Collision attack — Dobbertin (1996) (attack on the last two steps — den Boer & Bosselaers, 1991).
◮ MD5 introduced in 1991 by Rivest. Some non-randomness problems by Berson (1992) and a free-start collision by den Boer & Bosselaers (1993).
◮ SHA-0 introduced in 1995 by NIST. Larger digest size, message is expanded using an LFSR. A collision attack by Chabaud & Joux (1998).
◮ SHA-1 followed immediately after SHA-0.
◮ And the land had rest eight years . . .

Slide 36/69: History of the World (part II)
◮ Crypto 2004: Near collisions of SHA-0 (Biham & Chen).
◮ Rump session: Wang presents collision attacks against MD4.
◮ Eurocrypt 2005: Wang et al. publish the MD4 paper, finding collisions in MD4, RIPEMD, MD5. Biham et al. find collisions in SHA-0, reduced round SHA-1.
◮ Crypto 2005: Wang, Yu, Yin: Better SHA-0 collisions, SHA-1 collision attack.
◮ NIST 2005: Wang announces better collision attack on SHA-1.
◮ Asiacrypt 2006: De Cannière & Rechberger, improved collision attack on SHA-1.
◮ August 2007: Graz people start their SHA-1 BOINC project.
◮ FSE 2008: Preimage attack on MD4 (Leurent).
◮ Crypto 2008: Preimage attacks on reduced SHA-0 and SHA-1 (De Cannière & Rechberger).

Slide 37/69: History of the World (part III)
◮ MD4/MD5 collisions start to be applied to NMAC/HMAC.
◮ In the related-key model NMAC-MD4/-MD5 (Contini & Yin 2006, Fouque, Leurent & Nguyen 2007, . . . ) can be attacked.
◮ HMAC-MD4 is also broken (Wang, Ohta, & Kunihiro 2008).
◮ Things start to get complicated. . .

Slide 38/69: History of the World (part IV)
◮ Random collisions can be a source of trouble for some file formats (Daum & Lucks 2005, later extended by Gebhardt, Illies, & Schindler 2005).
◮ Colliding X.509 certificates with the same name, different keys (Lenstra & de Weger 2005).
◮ The technique was improved to generate colliding X.509 certificates for different names (Stevens, Lenstra & de Weger 2007).

Section 5 outline slide (39/69), repeating the outline of slide 21/69: the talk now enters “New Directions in Cryptographic Hash Functions”.

Slide 40/69: So What's Next?
[navigation bar: Alternatives · Design · Permutation · Proofs · SHA3]
Open issues:
◮ Mode of iteration that preserves second preimage resistance.
◮ Better compression functions.
◮ Information theoretic approach?
◮ Proofs! We want proofs!
◮ The next generation hash function — SHA-3.

61. Randomized Hashing
◮ Introduced by Halevi & Krawczyk to solve the issue of a random collision collapsing the entire security of the hash function.
◮ The main idea: instead of hashing m, one chooses a random value r and hashes h(m ⊕ (r || r || ... || r)) or h_r(m ⊕ (r || r || ... || r)).
◮ The security notion is enhanced Target Collision Resistance (eTCR), which defines the advantage in the following game:
  1 The adversary commits to a message M.
  2 The adversary is given a key k (chosen at random).
  3 The adversary has to find M′, k′ such that h_k(M) = h_{k′}(M′).

62. Dithering Sequences
◮ Suggested by Rivest as a solution to the expandable message issues.
◮ The compression function is called every time with a value taken from a dither sequence.
◮ One proposal uses a dither sequence over 4 characters which has very nice properties.
◮ Practical proposal: take the nice sequence and embed it into a more efficient sequence. Use a 16-bit dither value:
  ◮ The first bit is 0, except for the last block (1).
  ◮ The next two bits encode the current character of the "nice sequence".
  ◮ The next thirteen bits are a counter. Once the counter overflows, change the character of the "nice sequence".

63. Dithering Sequences (cont.)
◮ While the security of the dithered hash is indeed better than that of plain Merkle-Damgård, it is not optimal.
◮ The second preimage attack based on herding is still applicable (even though there is an "added" security factor of 2^15).

64. Enveloped Merkle-Damgård
◮ The Enveloped Merkle-Damgård construction [BR06] is a transformation of a "good" compression function into a hash function which preserves the following three properties:
  1 Collision resistance.
  2 Pseudo-random oracle behavior.
  3 Pseudo-random function behavior.
◮ The mode is similar to Merkle-Damgård up to the last block, where:
  1 The chaining value is fixed to a second IV value.
  2 The previous chaining value (the output of the one-before-last compression function call) is concatenated to the message block (the last message block is shorter than the previous ones).

65. ROX
◮ The ROX transformation [A+07] is a way to preserve the compression function's properties (Coll, (a/e)Sec, (a/e)Pre) in the hash function.
◮ The proposal follows Shoup's hash (a UOWHF [S01]):
  ◮ Before each compression function call, the chaining value is XORed with a mask µ_{ν(i)} when hashing the i'th block, where ν(i) = max{ j : 2^j | i }.
  ◮ The padding is derived using a random oracle query.
  ◮ The masks are also derived using random oracle queries.
  ◮ The random oracle queries are "keyed" by a prefix of the message.

66. Widepipe [L05]
◮ We know how to prove that (second) preimage resistance is as secure as collision resistance.
◮ Internal collisions cause many problems.
◮ Solution: increase the chaining value.
◮ For example, use a chaining value of length twice the digest size.
◮ If the compression function is good (as well as the last-block function, which compresses the double-size chaining value), then we have a secure hash function.

67. Sponges
[Figure: the sponge construction. Absorbing: starting from IV, each message block m_1, m_2, m_3, ..., m_l is XORed into the state and f is applied, reaching state x. Blank rounds: all-zero blocks are XORed in and f is applied, reaching state y. Squeezing: outputs O_1, O_2, O_3, ..., O_l are read from the state with f applied between them.]
◮ A theoretical framework for constructions like PANAMA.
◮ The internal state is relatively large (e.g., 59 l-bit words in PANAMA's successor, RadioGatún).
◮ During message processing, in each round a small message block is processed and the new internal state is computed.
◮ After all the message blocks affect the internal state, some blank rounds are run (i.e., processing an all-zero block).
◮ For output, the sponge is squeezed: in each round some of its internal state leaks as output.
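The absorb, blank-round and squeeze phases described above, as an added Python example that is not part of the talk and not the code of PANAMA or RadioGatún. Everything concrete here is an assumption chosen for illustration: the 32-byte state split into an 8-byte rate and a 24-byte capacity, the toy update function f (a 4-round Feistel network whose round function is SHA-256, so f is a genuine permutation and its inverse can be written down), the 10* padding and the number of blank rounds. The capacity part of the state is never XORed with input nor read as output; that is the part the sponge's security rests on.

```python
import hashlib

# Toy parameters (assumed, not RadioGatún's): 32-byte state, 8 bytes absorbed
# or squeezed per round, 24 bytes of capacity that are never directly exposed.
RATE = 8
CAPACITY = 24
STATE = RATE + CAPACITY
HALF = STATE // 2
ROUNDS = 4
BLANK_ROUNDS = 4


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(rnd: int, right: bytes) -> bytes:
    # Feistel round function: SHA-256 over (round index || right half), truncated.
    return hashlib.sha256(bytes([rnd]) + right).digest()[:HALF]


def f(state: bytes) -> bytes:
    """Toy update function: a Feistel network, hence a permutation of the state."""
    left, right = state[:HALF], state[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, xor_bytes(left, _round_fn(rnd, right))
    return left + right


def f_inverse(state: bytes) -> bytes:
    """Inverse of f; it exists only because f is a permutation."""
    left, right = state[:HALF], state[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor_bytes(right, _round_fn(rnd, left)), left
    return left + right


def pad(msg: bytes) -> bytes:
    # Simple 10* padding (assumed): a 0x80 byte, then zeros up to a block boundary.
    padded = msg + b"\x80"
    return padded + bytes((-len(padded)) % RATE)


def sponge(msg: bytes, out_len: int) -> bytes:
    """Absorb msg, run the blank rounds, then squeeze out_len bytes."""
    state = bytes(STATE)  # IV: the all-zero state
    padded = pad(msg)
    # Absorbing: XOR each block m_i into the rate part of the state, then apply f.
    for i in range(0, len(padded), RATE):
        block = padded[i:i + RATE]
        state = f(xor_bytes(state[:RATE], block) + state[RATE:])
    # Blank rounds: absorbing an all-zero block is just another application of f.
    for _ in range(BLANK_ROUNDS):
        state = f(state)
    # Squeezing: the rate part leaks as output O_i, with f applied between outputs.
    out = b""
    while len(out) < out_len:
        out += state[:RATE]
        state = f(state)
    return out[:out_len]


if __name__ == "__main__":
    print(sponge(b"hello", 32).hex())
```

Because the squeezing phase simply keeps applying f, a shorter output is always a prefix of a longer one for the same message; this is how a sponge supports variable output length without changing the absorbing phase.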

72. Sponges (cont.)
◮ If the update function is random (a random permutation or a random function), then the sponge is indifferentiable from a random oracle [B+08].
◮ This requires a "strong" f which diffuses and confuses the entire (large) internal state.
◮ Such functions are very resource consuming, and the actual designs have a relatively "light" f.
◮ PANAMA [DC98] was broken using attacks which exploit the slow "diffusion" & "confusion" [R01, DvA07].
◮ Grindahl [KRT07] was broken using the quick diffusion and the weak confusion [P07].
◮ Only "surviving" candidate: RadioGatún (and to some extent Grindahl 2).

73. HAsh Iterative FrAmework (HAIFA)
◮ Major features:
  ◮ Supports salts (defines families of hash functions).
  ◮ Supports variable output size.
  ◮ Offers as good security properties as can be.
  ◮ Strong backward compatibility.
  ◮ All suggested modes can be realized as HAIFA.
(This is joint work with Eli Biham.)

74. The HAIFA Compression Function
◮ Accepts as inputs:
  ◮ A chaining value (of size m_c)
  ◮ A message block (of size n)
  ◮ A bit counter (of size b)
  ◮ A salt (of size s)
f : {0,1}^{m_c} × {0,1}^n × {0,1}^b × {0,1}^s → {0,1}^{m_c}.

75. The HAIFA Initialization
◮ Let m be the target digest size.
◮ Let IV be a general initial value.
◮ IV_m = C(IV, m, 0, 0).

76. The HAIFA Computation
◮ Take M, the message, and pad it:
  ◮ Pad a single 1 bit.
  ◮ Pad as many 0 bits as needed such that the length of the padded message (with the 1 bit and the 0's) is congruent modulo n to n − (t + r).
  ◮ Pad the message length encoded in t bits.
  ◮ Pad the digest size encoded in r bits.
◮ Set h_0 = IV_m.
◮ For i = 1, 2, ..., l compute h_i = C(h_{i−1}, M_i, #bits, salt).
◮ Truncate h_l to m bits.
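The three HAIFA slides (compression function interface, initialization, computation) taken together, as an added Python example that is not the talk's own code and not a real HAIFA instance. The compression function C is a toy built on SHA-256 over its four inputs; the sizes m_c, n, b, s, t and r are assumed; padding is done on byte boundaries (the 1 bit is the 0x80 byte); and the convention that a block holding only padding bits is compressed with counter 0 is an assumption of this example, as is the all-zero IV.

```python
import hashlib

# Toy parameters (assumed for this example, not a standardized HAIFA instance).
MC = 32        # chaining value size m_c = 256 bits
N = 64         # message block size n = 512 bits
B = 8          # bit counter size b = 64 bits
S = 8          # salt size s = 64 bits
T = 8          # message length field, t = 64 bits
R = 4          # digest size field, r = 32 bits
IV = bytes(MC) # general initial value (toy choice)


def C(h: bytes, block: bytes, bit_counter: int, salt: bytes) -> bytes:
    """Toy HAIFA compression function: SHA-256 over (h, M_i, #bits, salt)."""
    assert len(h) == MC and len(block) == N and len(salt) == S
    data = h + block + bit_counter.to_bytes(B, "big") + salt
    return hashlib.sha256(data).digest()[:MC]


def haifa_pad(msg: bytes, m: int) -> bytes:
    """Byte-aligned HAIFA padding: 1 bit, zeros, length in t bits, digest size in r bits."""
    padded = msg + b"\x80"                              # the single 1 bit (plus seven 0s)
    padded += bytes((N - (T + R) - len(padded)) % N)    # zeros up to n - (t + r) mod n
    padded += (len(msg) * 8).to_bytes(T, "big")         # message length, t bits
    padded += m.to_bytes(R, "big")                      # digest size, r bits
    assert len(padded) % N == 0
    return padded


def haifa(msg: bytes, m: int, salt: bytes = bytes(S)) -> bytes:
    """Hash msg to an m-bit digest under the given salt."""
    assert m % 8 == 0 and 0 < m <= MC * 8
    # IV_m = C(IV, m, 0, 0): the digest size (encoded as one block) is folded into the IV.
    h = C(IV, m.to_bytes(N, "big"), 0, bytes(S))
    total_bits = len(msg) * 8
    bits_so_far = 0
    padded = haifa_pad(msg, m)
    for i in range(0, len(padded), N):
        block = padded[i:i + N]
        # #bits = number of message bits hashed so far, through this block.
        # A block that contains only padding is compressed with counter 0 (assumed).
        in_block = min(N * 8, total_bits - bits_so_far)
        bits_so_far += in_block
        counter = bits_so_far if in_block > 0 else 0
        h = C(h, block, counter, salt)
    return h[: m // 8]


if __name__ == "__main__":
    print(haifa(b"abc", 256).hex())
    print(haifa(b"abc", 128, salt=b"\x01" * S).hex())
```

Note what the test below checks: the 128-bit digest of a message is not a prefix of its 256-bit digest, because the digest size enters both IV_m and the padding, so truncating a longer digest never yields a valid shorter one. The salt gives an independent family member for the same message.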

77. Permutation-Based Hashing
◮ Standard compression functions are a transformation of a block cipher into a hash function (following the PGV "approved" list).
◮ In all of them, there is a need to re-key the block cipher.
◮ But block ciphers are efficient when the key is fixed.

78. Permutation-Based Hashing
◮ A compression function from mn bits to rn bits, using k calls to permutations from n bits to n bits, has a maximal information theoretic security of 2^{n[1 − (m − 0.5r)/k]} queries for collision resistance and 2^{n[1 − (m − r)/k]} queries for preimage resistance [BR08].
◮ Note that these results count the number of queries to the permutation.
◮ This means that if the compression function uses 8-bit S-boxes and compresses 768 bits to 256 bits, it has security of 2^{8(1 − 80/k)} or 2^{8(1 − 64/k)} queries.
◮ Finding the actual collisions/preimages is very time consuming.

81. Proving the Security of the Compression Function
◮ Very Smooth Hash [CLS06] is a provably secure hash function.
◮ Provable collision resistance, that is.
◮ Finding a collision means factoring a large number (following prior works [D87]).
◮ The construction:
  1 Let n be a large number (whose factorization is unknown).
  2 Let p_i be the i-th prime number, and let k be the maximal value for which ∏_{i=1}^{k} p_i < n.
  3 To compress a message block x_i (of length k bits, with bits x_{i,1}, ..., x_{i,k}) and a chaining value h_i, compute
    h_{i+1} = h_i^2 × ∏_{j=1}^{k} p_j^{x_{i,j}} (mod n).
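The VSH compression step of the slide above, as an added Python example that is not the authors' code. The toy modulus n is the product of two primes just above 10^6 so that n and the prime list p_1, ..., p_k can be computed on the spot (a real n would be far larger, so the product of many more primes fits below it); h_0 = 1 and the final block holding the message length follow the VSH paper rather than this slide, and the least-significant-bit-first ordering of that length block is an assumption of this example. Messages are given as lists of bits and zero-padded to a multiple of k.

```python
def is_prime(x: int) -> bool:
    """Trial division; adequate for the small numbers used in this example."""
    if x < 2:
        return False
    d = 2
    while d * d <= x:
        if x % d == 0:
            return False
        d += 1
    return True


def next_prime(x: int) -> int:
    while not is_prime(x):
        x += 1
    return x


def small_primes_for(n: int) -> list:
    """p_1, ..., p_k: the first k primes such that p_1 * ... * p_k < n, with k maximal."""
    primes, product, cand = [], 1, 2
    while product * cand < n:
        primes.append(cand)
        product *= cand
        cand = next_prime(cand + 1)
    return primes


def vsh_compress(h: int, bits, primes: list, n: int) -> int:
    """One VSH step: h_{i+1} = h_i^2 * prod_j p_j^{x_{i,j}} mod n."""
    assert len(bits) == len(primes)
    acc = h * h % n
    for p, x in zip(primes, bits):
        if x:
            acc = acc * p % n
    return acc


def vsh(message_bits, n: int) -> int:
    """Hash a bit sequence: k-bit blocks (zero-padded), then a block encoding the length."""
    primes = small_primes_for(n)
    k = len(primes)
    bits = list(message_bits)
    length = len(bits)
    assert length < 2 ** k, "length must fit in one k-bit block"
    bits += [0] * ((-length) % k)
    h = 1  # h_0 = 1 as in VSH
    for i in range(0, len(bits), k):
        h = vsh_compress(h, bits[i:i + k], primes, n)
    # Final block: the message length, least significant bit first (assumed ordering).
    length_block = [(length >> j) & 1 for j in range(k)]
    return vsh_compress(h, length_block, primes, n)


# Toy modulus: product of two primes near 10^6 (constructed for this example only).
P = 1000003
Q = next_prime(P + 1)
N_TOY = P * Q

if __name__ == "__main__":
    print("k =", len(small_primes_for(N_TOY)), "primes fit below n =", N_TOY)
    print("vsh([1,0,1,1]) =", vsh([1, 0, 1, 1], N_TOY))
```

The step itself is only a squaring and at most k modular multiplications by tiny primes, which is why VSH is fast relative to earlier factoring-based designs yet, as the next slide notes, still far slower than dedicated hash functions: every k message bits cost a full-size modular squaring.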

82. Some More on VSH
◮ VSH is very slow (even though it is way faster than previous similar constructions): about 8.8 Mbit/sec on a 1 GHz machine (about 910 cpb).
