 Download Download Presentation Session 5

Session 5

Download Presentation Session 5

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

1. Session 5 Hash functions and digital signatures

2. Contents • Hash functions • Definition • Requirements • Construction • Security • Applications

3. Contents • Digital signatures • Definition • Digital signatures – procedure • Digital signature with RSA • Signing enciphered messages • Signing and hashing

4. Hash functions - definition • Let k, n be positive integers • A function f with n bit output and k bit key is called a hash function if • f is a deterministic function • f takes 2 inputs, the first is of arbitrary length and the second is of length k • f outputs a binary string of length n • Formally:

5. Hash functions - definition • The key k is assumed to be known/fixed, unlike in cipher systems • If k is known/fixed, the hash function is unkeyed • If k is secret the hash function is keyed • k is known/fixed in most of the applications (e.g. digital signature schemes) • k is kept secret in Message Authentication Codes (MACs)

6. Hash functions – security requirements • In order to be useful for cryptographic applications, any hash function must satisfy at least 3 properties (3 “levels of security”) (1) • One-wayness (or preimage resistance): a hash function f is one-way if, for a random key k and an n -bit output string w, it is difficult for the attacker presented with k and w to find x such that fk(x )=w.

7. Hash functions – security requirements • Security requirements (2) • Second preimage resistance (or weak collision resistance): a hash function f is second preimage resistant if it is difficult for an attacker presented with a random key k and a random input string x to find y x such that fk(x )=fk(y ).

8. Hash functions – security requirements • Security requirements (3): • (Strong) collision resistance: a hash function f is collision resistant if it is difficult for an attacker presented with a random key k to find x and y x such thatfk(x )=fk(y ).

9. Hash functions – security requirements • The collision resistance implies the second preimage resistance. • The second preimage resistance and one-wayness are incomparable • The properties do not follow from one another • Still, a hash function that would be one-way but not second preimage resistant would be quite artificial

10. Hash functions – security requirements • In practice, collision resistance is the strongest security requirement of all the three requirements • the most difficult to satisfy • the easiest to breach • Breaking the collision resistance property is the goal of most attacks on hash functions.

11. Hash functions – other requirements • Certificational weakness • A good hash function should possess avalanche property • changing a bit of input would approximately change a half of the output bits • No input bits can be reliably guessed based on the hash function’s local output (local one-wayness) • Failure to satisfy these (and some other) properties is called certificational weakness.

12. Hash functions – other requirements • It is also required that a hash function is feasible to compute, given x (and k ). • This is the reason why some theoretically strong constructions of hash functions are not used extensively in practice.

13. Hash functions – other requirements • Example: so called algebraic hash functions, based on the same difficult mathematical problems that are used in public key cryptography • Shamir’s function (factoring) • Chaum-vanHeijst-Pfitzmann’s function (discrete log) • Newer designs: VSH (factoring), LASH (lattice), Dakota (modular arithmetic and symmetric ciphers)

14. Hash functions - construction • The Merkle-Damgård construction • A classical hash function design • Iterates a compression function • A compression function • takes a fixed length input • outputs a fixed length (shorter) output.

15. Hash functions - construction • In practice, symmetric cipher systems are used as compression functions (usually block ciphers). • Let g =(x,k) be a block cipher, where x is the plaintext message, and k is the key. • The length of the block x is n bits and the length of the key k is m bits, m >n.

16. Hash functions - construction • The hash function f to be constructed • has the (theoretically) unlimited input length • has the output bit length n • The input string to the hash function f is y.

17. Hash functions - construction • Hash function iterations • Pad y such that the length of the padded input y ’ is the least possible multiple of m. • Let where yi{0,1}m . • Let f0 be a fixed initialization vector of length n (in bits). • Then, for i=1,..., r, fi=g (fi-1, ). • Finally, f =fr.

18. Hash functions - construction • Remark: • The padding algorithm and f0 depend on the particular hash function. • Schematic of the Merkle-Damgård design

19. Hash functions - construction • Advantages of using block ciphers as compression functions • Efficient, i.e. fast • Usually already implemented • Disadvantage • Employing a strong block cipher in hash function design does not guarantee a good hash function.

20. Hash functions - construction • Examples of Merkle-Damgård designs • The MD (Message Digest) family of hash functions (MD4, MD5), n =128. • The NIST SHA (Secure Hash Algorithm) family of hash functions (SHA-1 (n =160), SHA-2 (i.e. SHA-256, SHA-512)). • They all use custom block cipher rounds.

21. Hash functions - construction • The speed of such a design depends on the number of rounds of the block cipher involved. • Example • MD4 – 3 rounds • MD5 – 4 rounds – more secure • But MD5 is 30% slower than MD4.

22. Hash functions - security • Security of the most often used hash functions, MD5 and SHA-1 has been recently compromised – collisions were found. • They are now considered insecure. • Consequence: the SHA-3 contest, the proposals are due October 2008.

23. Hash functions - applications • Data integrity protection • Digital signature schemes • Authentication • Message authentication codes (MACs) • If MAC uses a hash function it is called HMAC • HMAC standard RFC2104 (Bellare-Canetti-Krawczyk, 1996).

24. Digital signatures - definition • Digital signature • A number dependent on some secret known only to the signer and on the contents of the signed message • Must be verifiable in case of • a signer repudiating a signature • a fraudulent claimant

25. Digital signatures - definition • Applications • Authentication • Data integrity protection and non-repudiation • Certification of public keys in large networks.

26. Digital signatures - procedure • Basic elements (1) • M – the set of messages that can be signed • S – the set of signatures, e.g. binary strings of fixed length • SA – signing transformation for the entity A • SA is kept secret by A • Used to create signatures from M

27. Digital signatures - procedure • Basic elements (2) • VA – verification transformation for the A’s signatures • Publicly known • Used by other entities to verify signatures created by A

28. Digital signatures - procedure • Both SA and VA should be feasible to compute • It should not be computationally feasible to forge a digital signature y on a message x • Given x, only A (i.e. Alice) should be able to compute the signature y such that VA(x,y)=true.

29. Digital signatures - procedure • Signing a message x • Alice uses the algorithm SA to compute the signature over the message x • Alice publishes (or sends to some recipient) the message x, together with the signature y =SA(x )

30. Digital signatures - procedure • Verifying a signature of a message published/sent by Alice • Upon receiving the pair (x,y), the verifier uses the algorithm VA (publicly known) to verify the integrity of the received message x • If VA (x,y)=true, the signature is verified.

31. Digital signatures - procedure • It can be shown that asymmetric ciphers can be used for digital signature purposes • To prevent forgery, it should be infeasible for an attacker to retrieve the secret information used for signing – the transformation SA.

32. Digital signature with RSA • Alice signs the message x by using the deciphering transformation • Alice is the only one that can sign, since dA is kept secret.

33. Digital signature with RSA • Bob verifies the signature y received from Alice by employing encipherment of y using Alice’s public key (eA,nA), i.e. • If c =x, then the signature y is verified.

34. Digital signature with RSA - security • Suppose Eve wants to sign her own message x ’ with Alice’s signature y (i.e. to forge Alice’s signature). • Eve does not know dA, she only knows Alice’s public key (eA,nA).

35. Digital signature with RSA - security • Direct verification, if Eve’s signed document (x ’,y ) is to be verified • This will fail, since c ≠x ’. • Thus, what Eve needs is another signature, y ’, such that • Getting y ’ is a difficult problem.

36. Digital signature with RSA - security • Another possibility for Eve – she can choose y ’ first and then generate the message • y ’ will then be easily verified, i.e. such a forgery is successful. • But then the probability that x ’ is meaningful is very small.

37. Signing enciphered messages • Suppose Alice wants to send a signed enciphered message x to Bob. • Alice computes her signature y =SA (x ) • Then Alice enciphers both x and y by means of Bob’s public key • The ciphertext z is transmitted to Bob.

38. Signing enciphered messages • Deciphering and verification • Bob deciphers z by means of his private key and thus obtains (x,y) • Then Bob uses Alice’s public verification function VA to verify the Alice’s signature y.

39. Signing and hashing • Usually, public key ciphers are used in digital signature schemes • If the original message is signed, the signature is at least as long as the message – inefficient

40. Signing and hashing • Another problem is that of Eve’s ability to generate the signature and then get the corresponding message that may be meaningful, although with small probability. • Solution: sign hashed message.

41. Signing and hashing • The hash function f is made public • Starting with a message x, Alice first computes f (x ), which is significantly smaller than x • Alice then computes y =SA(f (x )) • Alice then sends (x,y) to Bob.

42. Signing and hashing • Verification process • Bob computes f (x ) • Bob also computes VA (f (x ),y ) • If VA (f (x ),y ) =true, then Alice’s signature is verified.

43. Signing and hashing - security • Suppose Eve has (x,y=SA(f (x )) • Eve would like to sign her own message x ’ with Alice’s signature (i.e. to forge it) • So she needs SA(f (x ’))=SA(f (x )), which means she needs f (x ’)=f (x ). This is difficult iff (x ) is second preimage resistant.

44. Signing and hashing - security • Moreover, it is highly unlikely that Eve would be able to find two messages, x’ and x ’’ with the same hashes and consequently signatures, if f is collision resistant. • So it is difficult for Eve to choose the signature first and then get the corresponding message.