Hash Functions

Nathanael Paul

Oct. 9, 2002

- Cryptographic hash functions
- Input – any length
- Output – fixed length
- H(x) – easy
- H(x) – one way
- “hard to invert”

- H(x) collision free

- Data Integrity
- Ex: Tripwire
- Message digest
- y = h(x). y is called the message digest.
- 160 bits in size – “birthday attack”

- Message Source
- Digital Signatures
- Message Authentication Codes (MAC)

- Suppose Alice and Bob share a secret key k which determines hash function hk
- Alice sends (x, y) to Bob where y = hk(x)
- Bob receives (x,y) and verifies with y = hk(x). If condition holds, neither x nor y was modified in transit.

- (X,Y,K,H)
- For each k in K, there exists an h in H, such that hk(x) y

- Assume |X| >= |Y| (even better, 2|X| >= |Y|)
- Unkeyed hash function
- |K| = 1
- Ex. SHA-1 (successor of MD4)

- Preimage
- Find x such that h(x) = y, given y and the function h().
- one-way

- Second Preimage
- Find x’ != x, such that h(x) = h(x’), given x and the function h().
- weak collision resistance

- Collision
- Find x and x’ with x != x’ such that h(x) = h(x’), given function h()
- strong collision resistance

- compression function
- Given input of length m, produce output of length n
- inputs to compression function:
- message block, m_i
- output of previous blocks of text
- h_i = f(m_i, h_{i-1})

- MD-strengthening (Merkle-Damgard)
- pre-image contains length of entire message
- initialization vector (padding function)

- Modes of operation
- ECB, CBC, CFB, OFB
- different characteristics:
- error propagation
- efficiency
- increase in data size

- NIST document on modes of operation
- http://csrc.nist.gov/encryption/tkmodes.html

- Next slide shows CBC mode of operation...

- Oscar’s (adversary) goal:
- produce a pair (x,y) that is valid, but the key k is not known

- Oscar knows
- valid pairs: Pairs = {(x1,y1),(x2,y2),...,(xq,yq)}

- forgery
- Oscar outputs an (x,y) where x is not in Pairs

- Ciphertext-only
- Oscar possesses a string of ciphertext, y

- Known plaintext
- has ciphertext, y, corresponding to a message, x

- Chosen plaintext
- access to encryption. choose x, get y

- Chosen ciphertext
- choose y, get x

- Base MAC on block cipher
- block cipher already implemented, so part of implementation is done

- MAC from an unkeyed hash
- just add a key to output of unkeyed hash
- requires careful analysis

- Create a customized MAC

- use block cipher in CBC mode with fixed IV
- best general attack is birthday attack

- Nested MAC
- composition of 2 keyed hash families
- G o H = {g o h : g is in G, h is in H} where (g o h)(k,l)(x) = hl(gk(x))

- Secure if the following holds (given unknown key):
- G is collision-resistant
- H is secure as a MAC

- forger for nested MAC
- forger for the little MAC
- attack on component MAC H

- unknown-key collision attack

- pair of keys (k,l) are kept secret
- Oscar:
- chooses an x
- oracle – “magic box”
- given x, oracle computes z = hl(gk(x))
- tries to find (x’, z) where x’ was not any x given to oracle

- key l is chosen and kept secret (l is in keyspace of H family of hashes)
- Oscar:
- chooses y
- given y, oracle computes z = hl(y)
- tries to output (y’,z) where y’ was not in one of its previous queries to oracle

- key k in K is kept secret
- Oscar:
- chooses an x
- given x, oracle computes gk(x)
- tries to find x’ and x’’ where x’ != x’’ and gk(x’) = gk(x’’)

- nested MAC algorithm (proposed standard)
- based on SHA-1
- uses 512-bit key k
- 2 512-bit constants, ipad and opad

- 160-bit MAC
- HMACk(x) = SHA-1((k ⊕ opad) || SHA-1((k ⊕ ipad) || x))
- ipad component resistant against unknown-key collision attack
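
The HMAC formula above, written out as an added Python example (not part of the original slides) and checked against the standard library, together with Bob's verification step from the MAC slide. The key preparation (hash long keys, zero-pad to 512 bits) follows RFC 2104; the key, message and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64                    # SHA-1 block size in bytes (512 bits)
IPAD = bytes([0x36]) * BLOCK  # inner pad constant
OPAD = bytes([0x5C]) * BLOCK  # outer pad constant


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(p ^ q for p, q in zip(a, b))


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC_k(x) = SHA-1((k xor opad) || SHA-1((k xor ipad) || x))."""
    # RFC 2104 key preparation: hash keys longer than one block,
    # then zero-pad to exactly 512 bits.
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha1(xor(key, IPAD) + msg).digest()   # inner keyed hash
    return hashlib.sha1(xor(key, OPAD) + inner).digest()  # outer keyed hash


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Bob's check: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)


# Constructed sample values, not from the slides.
KEY = b"shared secret between Alice and Bob"
MSG = b"transfer 100 to account 42"
TAG = hmac_sha1(KEY, MSG)  # Alice sends (MSG, TAG)

if __name__ == "__main__":
    print("tag:", TAG.hex())
    print("matches stdlib hmac:",
          TAG == hmac.new(KEY, MSG, hashlib.sha1).digest())
    print("genuine pair accepted:", verify(KEY, MSG, TAG))
    print("modified x rejected:",
          not verify(KEY, MSG.replace(b"100", b"900"), TAG))
```
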
