## Session 5


**Session 5**

Hash functions and digital signatures

**Contents**

• Hash functions
• Definition
• Requirements
• Construction
• Security
• Applications

**Contents**

• Digital signatures
• Definition
• Digital signatures – procedure
• Digital signature with RSA
• Signing enciphered messages
• Signing and hashing

**Hash functions - definition**

• Let k, n be positive integers
• A function f with n bit output and k bit key is called a hash function if
• f is a deterministic function
• f takes 2 inputs, the first is of arbitrary length and the second is of length k
• f outputs a binary string of length n
• Formally:

**Hash functions - definition**

• The key k is assumed to be known/fixed, unlike in cipher systems
• If k is known/fixed, the hash function is unkeyed
• If k is secret, the hash function is keyed
• k is known/fixed in most of the applications (e.g. digital signature schemes)
• k is kept secret in Message Authentication Codes (MACs)

**Hash functions – security requirements**

• In order to be useful for cryptographic applications, any hash function must satisfy at least 3 properties (3 “levels of security”) (1)
• One-wayness (or preimage resistance): a hash function f is one-way if, for a random key k and an n-bit output string w, it is difficult for the attacker presented with k and w to find x such that $f_k(x) = w$.

**Hash functions – security requirements**

• Security requirements (2)
• Second preimage resistance (or weak collision resistance): a hash function f is second preimage resistant if it is difficult for an attacker presented with a random key k and a random input string x to find $y \neq x$ such that $f_k(x) = f_k(y)$.

**Hash functions – security requirements**

• Security requirements (3):
• (Strong) collision resistance: a hash function f is collision resistant if it is difficult for an attacker presented with a random key k to find x and $y \neq x$ such that $f_k(x) = f_k(y)$.

**Hash functions – security requirements**

• The collision resistance implies the second preimage resistance.
• The second preimage resistance and one-wayness are incomparable
• The properties do not follow from one another
• Still, a hash function that would be one-way but not second preimage resistant would be quite artificial

**Hash functions – security requirements**

• In practice, collision resistance is the strongest security requirement of all the three requirements
• the most difficult to satisfy
• the easiest to breach
• Breaking the collision resistance property is the goal of most attacks on hash functions.

**Hash functions – other requirements**

• Certificational weakness
• A good hash function should possess the avalanche property
• changing one bit of the input changes approximately half of the output bits
• No input bits can be reliably guessed based on the hash function’s local output (local one-wayness)
• Failure to satisfy these (and some other) properties is called certificational weakness.

**Hash functions – other requirements**

• It is also required that a hash function is feasible to compute, given x (and k).
• This is the reason why some theoretically strong constructions of hash functions are not used extensively in practice.

**Hash functions – other requirements**

• Example: so-called algebraic hash functions, based on the same difficult mathematical problems that are used in public key cryptography
• Shamir’s function (factoring)
• Chaum-van Heijst-Pfitzmann’s function (discrete log)
• Newer designs: VSH (factoring), LASH (lattice), Dakota (modular arithmetic and symmetric ciphers)

**Hash functions - construction**

• The Merkle-Damgård construction
• A classical hash function design
• Iterates a compression function
• A compression function
• takes a fixed length input
• outputs a fixed length (shorter) output.

**Hash functions - construction**

• In practice, symmetric cipher systems are used as compression functions (usually block ciphers).
• Let g =(x,k) be a block cipher, where x is the plaintext message, and k is the key.
• The length of the block x is n bits and the length of the key k is m bits, m > n.

**Hash functions - construction**

• The hash function f to be constructed
• has the (theoretically) unlimited input length
• has the output bit length n
• The input string to the hash function f is y.

**Hash functions - construction**

• Hash function iterations
• Pad y such that the length of the padded input $y'$ is the least possible multiple of m.
• Let where $y_i \in \{0,1\}^m$.
• Let $f_0$ be a fixed initialization vector of length n (in bits).
• Then, for $i = 1, \ldots, r$, $f_i = g(f_{i-1},\ )$.
• Finally, $f = f_r$.

**Hash functions - construction**

• Remark:
• The padding algorithm and $f_0$ depend on the particular hash function.
• Schematic of the Merkle-Damgård design

**Hash functions - construction**

• Advantages of using block ciphers as compression functions
• Efficient, i.e. fast
• Usually already implemented
• Disadvantage
• Employing a strong block cipher in hash function design does not guarantee a good hash function.

**Hash functions - construction**

• Examples of Merkle-Damgård designs
• The MD (Message Digest) family of hash functions (MD4, MD5), n = 128.
• The NIST SHA (Secure Hash Algorithm) family of hash functions (SHA-1 (n = 160), SHA-2 (i.e. SHA-256, SHA-512)).
• They all use custom block cipher rounds.

**Hash functions - construction**

• The speed of such a design depends on the number of rounds of the block cipher involved.
• Example
• MD4 – 3 rounds
• MD5 – 4 rounds – more secure
• But MD5 is 30% slower than MD4.

**Hash functions - security**

• Security of the most often used hash functions, MD5 and SHA-1, has been recently compromised – collisions were found.
• They are now considered insecure.
• Consequence: the SHA-3 contest; the proposals are due October 2008.

**Hash functions - applications**

• Data integrity protection
• Digital signature schemes
• Authentication
• Message authentication codes (MACs)
• If a MAC uses a hash function, it is called HMAC
• HMAC standard RFC 2104 (Bellare-Canetti-Krawczyk, 1996).

**Digital signatures - definition**

• Digital signature
• A number dependent on some secret known only to the signer and on the contents of the signed message
• Must be verifiable in case of
• a signer repudiating a signature
• a fraudulent claimant

**Digital signatures - definition**

• Applications
• Authentication
• Data integrity protection and non-repudiation
• Certification of public keys in large networks.

**Digital signatures - procedure**

• Basic elements (1)
• M – the set of messages that can be signed
• S – the set of signatures, e.g. binary strings of fixed length
• $S_A$ – signing transformation for the entity A
• $S_A$ is kept secret by A
• Used to create signatures from M

**Digital signatures - procedure**

• Basic elements (2)
• $V_A$ – verification transformation for A’s signatures
• Publicly known
• Used by other entities to verify signatures created by A

**Digital signatures - procedure**

• Both $S_A$ and $V_A$ should be feasible to compute
• It should not be computationally feasible to forge a digital signature y on a message x
• Given x, only A (i.e. Alice) should be able to compute the signature y such that $V_A(x, y) = \text{true}$.

**Digital signatures - procedure**

• Signing a message x
• Alice uses the algorithm $S_A$ to compute the signature over the message x
• Alice publishes (or sends to some recipient) the message x, together with the signature $y = S_A(x)$

**Digital signatures - procedure**

• Verifying a signature of a message published/sent by Alice
• Upon receiving the pair (x, y), the verifier uses the algorithm $V_A$ (publicly known) to verify the integrity of the received message x
• If $V_A(x, y) = \text{true}$, the signature is verified.

**Digital signatures - procedure**

• It can be shown that asymmetric ciphers can be used for digital signature purposes
• To prevent forgery, it should be infeasible for an attacker to retrieve the secret information used for signing – the transformation $S_A$.

**Digital signature with RSA**

• Alice signs the message x by using the deciphering transformation
• Alice is the only one that can sign, since $d_A$ is kept secret.

**Digital signature with RSA**

• Bob verifies the signature y received from Alice by employing encipherment of y using Alice’s public key $(e_A, n_A)$, i.e.
• If c = x, then the signature y is verified.

**Digital signature with RSA - security**

• Suppose Eve wants to sign her own message $x'$ with Alice’s signature y (i.e. to forge Alice’s signature).
• Eve does not know $d_A$, she only knows Alice’s public key $(e_A, n_A)$.

**Digital signature with RSA - security**

• Direct verification, if Eve’s signed document $(x', y)$ is to be verified
• This will fail, since $c \neq x'$.
• Thus, what Eve needs is another signature, $y'$, such that
• Getting $y'$ is a difficult problem.

**Digital signature with RSA - security**

• Another possibility for Eve – she can choose $y'$ first and then generate the message
• $y'$ will then be easily verified, i.e. such a forgery is successful.
• But then the probability that $x'$ is meaningful is very small.

**Signing enciphered messages**

• Suppose Alice wants to send a signed enciphered message x to Bob.
• Alice computes her signature $y = S_A(x)$
• Then Alice enciphers both x and y by means of Bob’s public key
• The ciphertext z is transmitted to Bob.

**Signing enciphered messages**

• Deciphering and verification
• Bob deciphers z by means of his private key and thus obtains (x, y)
• Then Bob uses Alice’s public verification function $V_A$ to verify Alice’s signature y.

**Signing and hashing**

• Usually, public key ciphers are used in digital signature schemes
• If the original message is signed, the signature is at least as long as the message – inefficient

**Signing and hashing**

• Another problem is that of Eve’s ability to generate the signature and then get the corresponding message that may be meaningful, although with small probability.
• Solution: sign hashed message.

**Signing and hashing**

• The hash function f is made public
• Starting with a message x, Alice first computes f(x), which is significantly smaller than x
• Alice then computes $y = S_A(f(x))$
• Alice then sends (x, y) to Bob.

**Signing and hashing**

• Verification process
• Bob computes f(x)
• Bob also computes $V_A(f(x), y)$
• If $V_A(f(x), y) = \text{true}$, then Alice’s signature is verified.

**Signing and hashing - security**

• Suppose Eve has $(x, y = S_A(f(x)))$
• Eve would like to sign her own message $x'$ with Alice’s signature (i.e. to forge it)
• So she needs $S_A(f(x')) = S_A(f(x))$, which means she needs $f(x') = f(x)$. This is difficult if $f(x)$ is second preimage resistant.

**Signing and hashing - security**

• Moreover, it is highly unlikely that Eve would be able to find two messages, $x'$ and $x''$, with the same hashes and consequently signatures, if f is collision resistant.
• So it is difficult for Eve to choose the signature first and then get the corresponding message.
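
The Merkle-Damgård iteration from the construction slides, as an added example that is not part of the original presentation. It assumes the message block $y_i$ is the key input of g, and picks XTEA (n = 64, m = 128) as g, an all-zero $f_0$ and length padding for illustration; all function names are hypothetical. `step_back` shows that this plain iteration can be undone block by block, one concrete reason a strong cipher alone does not give a good hash and why practical designs feed the previous chaining value forward.

```python
import struct

MASK, DELTA = 0xFFFFFFFF, 0x9E3779B9   # 32-bit mask, XTEA round constant
M, IV = 16, bytes(8)                   # m = 128-bit blocks y_i; f_0 assumed all-zero

def _mix(v, s, k):
    return (((v << 4) ^ (v >> 5)) + v) ^ (s + k)

def g(x: bytes, key: bytes, rounds: int = 32) -> bytes:
    """Block cipher g(x, k): XTEA encryption of the 64-bit block x under key k."""
    v0, v1 = struct.unpack(">2I", x)
    k, s = struct.unpack(">4I", key), 0
    for _ in range(rounds):
        v0 = (v0 + _mix(v1, s, k[s & 3])) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + _mix(v0, s, k[(s >> 11) & 3])) & MASK
    return struct.pack(">2I", v0, v1)

def g_inv(c: bytes, key: bytes, rounds: int = 32) -> bytes:
    """XTEA decryption: undoes g for anyone who knows the key block."""
    v0, v1 = struct.unpack(">2I", c)
    k, s = struct.unpack(">4I", key), (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - _mix(v0, s, k[(s >> 11) & 3])) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - _mix(v1, s, k[s & 3])) & MASK
    return struct.pack(">2I", v0, v1)

def pad(y: bytes) -> bytes:
    """Assumed padding: 0x80, zero bytes, then the 64-bit message bit length."""
    return y + b"\x80" + bytes(-(len(y) + 9) % M) + struct.pack(">Q", 8 * len(y))

def md_states(y: bytes) -> list:
    """Chaining values f_0 .. f_r, with f_i = g(f_{i-1}, y_i)."""
    padded, states = pad(y), [IV]
    for i in range(0, len(padded), M):
        states.append(g(states[-1], padded[i:i + M]))
    return states

def md_hash(y: bytes) -> bytes:
    """f(y) = f_r, an n = 64-bit digest."""
    return md_states(y)[-1]

def step_back(f_i: bytes, y_i: bytes) -> bytes:
    """Recover f_{i-1} from f_i and the block y_i: the step is invertible."""
    return g_inv(f_i, y_i)
```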
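
The RSA signing slides and the signing-and-hashing slides, as an added worked example that is not part of the original presentation: textbook RSA in which Eve's "choose $y'$ first" forgery verifies on raw messages and stops verifying once f(x) is signed instead. The toy key built from two Mersenne primes, SHA-256 standing in for the public hash f, the sample messages and all function names are assumptions made for this illustration.

```python
import hashlib

# Toy key from two known Mersenne primes: too small and too structured for real use.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537                    # Alice's public key (e_A, n_A)
D = pow(E, -1, (P - 1) * (Q - 1))      # Alice's secret exponent d_A

def sign_raw(x: int) -> int:
    """S_A applied to the message itself: y = x^d_A mod n_A."""
    return pow(x, D, N)

def verify_raw(x: int, y: int) -> bool:
    """V_A: encipher y with the public key and compare the result c with x."""
    return pow(y, E, N) == x

def f(msg: bytes) -> int:
    """Public hash f, reduced into the range of the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_hashed(msg: bytes) -> int:
    return pow(f(msg), D, N)

def verify_hashed(msg: bytes, y: int) -> bool:
    return pow(y, E, N) == f(msg)

def forge_raw(y_prime: int) -> int:
    """Eve picks y' first; x' = y'^e_A mod n_A needs only the public key."""
    return pow(y_prime, E, N)

def demo() -> dict:
    msg = b"pay Bob 10"                        # constructed sample message
    x = int.from_bytes(msg, "big")
    y, sig = sign_raw(x), sign_hashed(msg)
    y_prime = 0x1234567890ABCDEF               # arbitrary value chosen by Eve
    x_prime = forge_raw(y_prime)               # almost surely meaningless bytes
    forged = x_prime.to_bytes((N.bit_length() + 7) // 8, "big")
    return {
        "raw_ok": verify_raw(x, y),
        "raw_reuse_on_other_message": verify_raw(x + 1, y),
        "raw_forgery_verifies": verify_raw(x_prime, y_prime),
        "hashed_ok": verify_hashed(msg, sig),
        "hashed_reuse_on_other_message": verify_hashed(b"pay Eve 10", sig),
        "hashed_forgery_verifies": verify_hashed(forged, y_prime),
    }
```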