- 96 Views
- Uploaded on

Download Presentation
## Session 5

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Session 5

Hash functions and digital signatures

Contents

- Hash functions
- Definition
- Requirements
- Construction
- Security
- Applications

Contents

- Digital signatures
- Definition
- Digital signatures – procedure
- Digital signature with RSA
- Signing enciphered messages
- Signing and hashing

Hash functions - definition

- Let k, n be positive integers
- A function f with n bit output and k bit key is called a hash function if
- f is a deterministic function
- f takes 2 inputs, the first is of arbitrary length and the second is of length k
- f outputs a binary string of length n
- Formally:

Hash functions - definition

- The key k is assumed to be known/fixed, unlike in cipher systems
- If k is known/fixed, the hash function is unkeyed
- If k is secret the hash function is keyed
- k is known/fixed in most of the applications (e.g. digital signature schemes)
- k is kept secret in Message Authentication Codes (MACs)

Hash functions – security requirements

- In order to be useful for cryptographic applications, any hash function must satisfy at least 3 properties (3 “levels of security”) (1)
- One-wayness (or preimage resistance): a hash function f is one-way if, for a random key k and an n -bit output string w, it is difficult for the attacker presented with k and w to find x such that fk(x )=w.

Hash functions – security requirements

- Security requirements (2)
- Second preimage resistance (or weak collision resistance): a hash function f is second preimage resistant if it is difficult for an attacker presented with a random key k and a random input string x to find y x such that fk(x )=fk(y ).

Hash functions – security requirements

- Security requirements (3):
- (Strong) collision resistance: a hash function f is collision resistant if it is difficult for an attacker presented with a random key k to find x and y x such thatfk(x )=fk(y ).

Hash functions – security requirements

- The collision resistance implies the second preimage resistance.
- The second preimage resistance and one-wayness are incomparable
- The properties do not follow from one another
- Still, a hash function that would be one-way but not second preimage resistant would be quite artificial

Hash functions – security requirements

- In practice, collision resistance is the strongest security requirement of all the three requirements
- the most difficult to satisfy
- the easiest to breach
- Breaking the collision resistance property is the goal of most attacks on hash functions.

Hash functions – other requirements

- Certificational weakness
- A good hash function should possess avalanche property
- changing a bit of input would approximately change a half of the output bits
- No input bits can be reliably guessed based on the hash function’s local output (local one-wayness)
- Failure to satisfy these (and some other) properties is called certificational weakness.

Hash functions – other requirements

- It is also required that a hash function is feasible to compute, given x (and k ).
- This is the reason why some theoretically strong constructions of hash functions are not used extensively in practice.

Hash functions – other requirements

- Example: so called algebraic hash functions, based on the same difficult mathematical problems that are used in public key cryptography
- Shamir’s function (factoring)
- Chaum-vanHeijst-Pfitzmann’s function (discrete log)
- Newer designs: VSH (factoring), LASH (lattice), Dakota (modular arithmetic and symmetric ciphers)

Hash functions - construction

- The Merkle-Damgård construction
- A classical hash function design
- Iterates a compression function
- A compression function
- takes a fixed length input
- outputs a fixed length (shorter) output.

Hash functions - construction

- In practice, symmetric cipher systems are used as compression functions (usually block ciphers).
- Let g =(x,k) be a block cipher, where x is the plaintext message, and k is the key.
- The length of the block x is n bits and the length of the key k is m bits, m >n.

Hash functions - construction

- The hash function f to be constructed
- has the (theoretically) unlimited input length
- has the output bit length n
- The input string to the hash function f is y.

Hash functions - construction

- Hash function iterations
- Pad y such that the length of the padded input y ’ is the least possible multiple of m.
- Let where yi{0,1}m .
- Let f0 be a fixed initialization vector of length n (in bits).
- Then, for i=1,..., r, fi=g (fi-1, ).
- Finally, f =fr.

Hash functions - construction

- Remark:
- The padding algorithm and f0 depend on the particular hash function.
- Schematic of the Merkle-Damgård design

Hash functions - construction

- Advantages of using block ciphers as compression functions
- Efficient, i.e. fast
- Usually already implemented
- Disadvantage
- Employing a strong block cipher in hash function design does not guarantee a good hash function.

Hash functions - construction

- Examples of Merkle-Damgård designs
- The MD (Message Digest) family of hash functions (MD4, MD5), n =128.
- The NIST SHA (Secure Hash Algorithm) family of hash functions (SHA-1 (n =160), SHA-2 (i.e. SHA-256, SHA-512)).
- They all use custom block cipher rounds.

Hash functions - construction

- The speed of such a design depends on the number of rounds of the block cipher involved.
- Example
- MD4 – 3 rounds
- MD5 – 4 rounds – more secure
- But MD5 is 30% slower than MD4.

Hash functions - security

- Security of the most often used hash functions, MD5 and SHA-1 has been recently compromised – collisions were found.
- They are now considered insecure.
- Consequence: the SHA-3 contest, the proposals are due October 2008.

Hash functions - applications

- Data integrity protection
- Digital signature schemes
- Authentication
- Message authentication codes (MACs)
- If MAC uses a hash function it is called HMAC
- HMAC standard RFC2104 (Bellare-Canetti-Krawczyk, 1996).

Digital signatures - definition

- Digital signature
- A number dependent on some secret known only to the signer and on the contents of the signed message
- Must be verifiable in case of
- a signer repudiating a signature
- a fraudulent claimant

Digital signatures - definition

- Applications
- Authentication
- Data integrity protection and non-repudiation
- Certification of public keys in large networks.

Digital signatures - procedure

- Basic elements (1)
- M – the set of messages that can be signed
- S – the set of signatures, e.g. binary strings of fixed length
- SA – signing transformation for the entity A
- SA is kept secret by A
- Used to create signatures from M

Digital signatures - procedure

- Basic elements (2)
- VA – verification transformation for the A’s signatures
- Publicly known
- Used by other entities to verify signatures created by A

Digital signatures - procedure

- Both SA and VA should be feasible to compute
- It should not be computationally feasible to forge a digital signature y on a message x
- Given x, only A (i.e. Alice) should be able to compute the signature y such that VA(x,y)=true.

Digital signatures - procedure

- Signing a message x
- Alice uses the algorithm SA to compute the signature over the message x
- Alice publishes (or sends to some recipient) the message x, together with the signature y =SA(x )

Digital signatures - procedure

- Verifying a signature of a message published/sent by Alice
- Upon receiving the pair (x,y), the verifier uses the algorithm VA (publicly known) to verify the integrity of the received message x
- If VA (x,y)=true, the signature is verified.

Digital signatures - procedure

- It can be shown that asymmetric ciphers can be used for digital signature purposes
- To prevent forgery, it should be infeasible for an attacker to retrieve the secret information used for signing – the transformation SA.

Digital signature with RSA

- Alice signs the message x by using the deciphering transformation
- Alice is the only one that can sign, since dA is kept secret.

Digital signature with RSA

- Bob verifies the signature y received from Alice by employing encipherment of y using Alice’s public key (eA,nA), i.e.
- If c =x, then the signature y is verified.

Digital signature with RSA - security

- Suppose Eve wants to sign her own message x ’ with Alice’s signature y (i.e. to forge Alice’s signature).
- Eve does not know dA, she only knows Alice’s public key (eA,nA).

Digital signature with RSA - security

- Direct verification, if Eve’s signed document (x ’,y ) is to be verified
- This will fail, since c ≠x ’.
- Thus, what Eve needs is another signature, y ’, such that
- Getting y ’ is a difficult problem.

Digital signature with RSA - security

- Another possibility for Eve – she can choose y ’ first and then generate the message
- y ’ will then be easily verified, i.e. such a forgery is successful.
- But then the probability that x ’ is meaningful is very small.

Signing enciphered messages

- Suppose Alice wants to send a signed enciphered message x to Bob.
- Alice computes her signature y =SA (x )
- Then Alice enciphers both x and y by means of Bob’s public key
- The ciphertext z is transmitted to Bob.

Signing enciphered messages

- Deciphering and verification
- Bob deciphers z by means of his private key and thus obtains (x,y)
- Then Bob uses Alice’s public verification function VA to verify the Alice’s signature y.

Signing and hashing

- Usually, public key ciphers are used in digital signature schemes
- If the original message is signed, the signature is at least as long as the message – inefficient

Signing and hashing

- Another problem is that of Eve’s ability to generate the signature and then get the corresponding message that may be meaningful, although with small probability.
- Solution: sign hashed message.

Signing and hashing

- The hash function f is made public
- Starting with a message x, Alice first computes f (x ), which is significantly smaller than x
- Alice then computes y =SA(f (x ))
- Alice then sends (x,y) to Bob.

Signing and hashing

- Verification process
- Bob computes f (x )
- Bob also computes VA (f (x ),y )
- If VA (f (x ),y ) =true, then Alice’s signature is verified.

Signing and hashing - security

- Suppose Eve has (x,y=SA(f (x ))
- Eve would like to sign her own message x ’ with Alice’s signature (i.e. to forge it)
- So she needs SA(f (x ’))=SA(f (x )), which means she needs f (x ’)=f (x ). This is difficult iff (x ) is second preimage resistant.

Signing and hashing - security

- Moreover, it is highly unlikely that Eve would be able to find two messages, x’ and x ’’ with the same hashes and consequently signatures, if f is collision resistant.
- So it is difficult for Eve to choose the signature first and then get the corresponding message.

Download Presentation

Connecting to Server..