
CIS 5371 Cryptography

CIS 5371 Cryptography. 4. Collision Resistant Hash Functions. Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography. Collision Resistance. A collision in a function H is a pair of distinct inputs x, x’


Presentation Transcript


  1. CIS 5371 Cryptography 4. Collision Resistant Hash Functions Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography

  2. Collision Resistance A collision in a function H is a pair of distinct inputs x, x’ Collision resistance is trivial to achieve if compression is not required (take for example the identity function). We shall be dealing with a family of hash functions indexed by a key s. That is, H will take as input a key s and a string x and output a string:

  3. Definition 4.11, Hash Function A hash function is a pair of probabilistic polynomial-time algorithms such that: • takes as input the security parameter and outputs a key . • There is a polynomial such that takes as input a key and a string and .

  4. A collision finding experiment -(A,)

  5. Definition 4.12 Collision Resistant Hash Function A hash function is collision resistant, if for all probabilistic polynomial-time adversaries there is a function such that: -

  6. Weaker notions of security for Hash Functions • Collision resistance. The strongest notion, as defined earlier. • Second pre-image resistance. Informally, given a key and a string it is infeasible for a probabilistic polynomial-time adversary to find such that • Pre-image resistance. Informally, given a key and a string (but not) for a randomly chosen it is infeasible for a probabilistic polynomial-time adversary to find such that

  7. Weaker notions of security for Hash Functions • Collision resistance Second pre-image resistance If given the adversary can find such that pair with • Second pre-image resistance Pre-image resistance If it were possible to invert and find an such that , then it would be possible to take a given input, compute, and then invert to find such that

  8. Generic birthday attack Birthday problem Let be a hash function . • Assume that the values are uniformly distributed in and independent . • Assume that arbitrary inputs are selected. Then the probability that there is a collision using hash evaluations is greater than ½. The time taken is . (One has to sort outputs---assume that one can evaluate a hash function in constant time.)

  9. Improved birthday attack Memory is a scarcer resource than time: storing hash evaluations is costly.

  10. Improved birthday attack Let be a hash function. Select. For • Compute and . • If there is a collision; else continue. It can be shown that we get a collision with probability roughly ½ in steps.

  11. Construction 4.12 The Merkle-Damgård transform is a fixed-length collision-resistant hash function with inputs of length and outputs . A variable-length hash function is constructed as follows. • : on input , output key . • H : on input and, do: • Set , pad so that it can be parsed into blocks of length . Set ( bits). • Set . • For , compute ). • Output

  12. The Merkle-Damgård transform [Figure: the Merkle-Damgård transform, with initial value IV]

  13. Theorem 4.14 If is a fixed-length collision-resistant hash function then is a collision-resistant hash function.

  14. HMAC – A keyed MAC - Notation Assume that: • are fixed non-secret keys of length • is a secret key of length • is a compression function that compresses its input by half. • Reminder: is a family of functions indexed by a non-secret key that on input outputs a string ). • the hash function constructed by using the Merkle-Damgård transform applied to . • is the length of the output of .

  15. HMAC – A keyed MAC - Notation Define: • , and • to be the corresponding Merkle-Damgård transform.

  16. Construction 4.17 HMAC Let be a fixed-length collision-resistant hash function, and let be the result of applying the Merkle-Damgård transformation to . Let , and be fixed constants of length . HMAC defines a MAC as follows: • : on input , run to get key . Also choose at random. Output the key (). • Mac: on input a key and message of length output the tag: • Vrfy: on input a key, a message , and tag output 1 if and only if

  17. HMAC [Figure: the HMAC construction; each pad is a single byte repeated]

  18. Theorem 4.14 If is collision-resistant and G is a pseudorandom generator then HMAC is existentially unforgeable under adaptive chosen message attacks (for arbitrary length messages).
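The constant-memory birthday attack of slides 9 and 10, as an added example that is not part of the original slides. It assumes a toy hash (SHA-256 truncated to 24 bits, named `toy_hash` here) so the search completes quickly; the two-phase cycle-finding walk stores only two values at a time instead of a table of outputs.

```python
import hashlib

N_BYTES = 3  # assumption: toy 24-bit output so a collision takes ~2^12 steps

def toy_hash(x: bytes) -> bytes:
    """SHA-256 truncated to N_BYTES: a deliberately small stand-in for H."""
    return hashlib.sha256(x).digest()[:N_BYTES]

def floyd_collision(x0: bytes):
    """Return (a, b, evaluations) with a != b and toy_hash(a) == toy_hash(b),
    or None if x0 already lies on the cycle (no tail, hence no collision)."""
    # Phase 1: x_i advances one step, x_2i two steps, until x_i == x_2i.
    tortoise, hare = toy_hash(x0), toy_hash(toy_hash(x0))
    evals = 3
    while tortoise != hare:
        tortoise = toy_hash(tortoise)
        hare = toy_hash(toy_hash(hare))
        evals += 3
    # Phase 2: restart one walker at x0 and move both one step at a time.
    # They merge at the cycle entry; the two values just before the merge
    # are distinct (one on the tail, one on the cycle) and hash to the same point.
    tortoise = x0
    if tortoise == hare:
        return None
    while True:
        nt, nh = toy_hash(tortoise), toy_hash(hare)
        evals += 2
        if nt == nh:
            return tortoise, hare, evals
        tortoise, hare = nt, nh

def find_collision(seed: bytes = b"constructed-seed"):
    """Try successive starting points (derived from a constructed seed)."""
    counter = 0
    while True:
        x0 = toy_hash(seed + counter.to_bytes(4, "big"))
        result = floyd_collision(x0)
        if result is not None:
            return result
        counter += 1
```
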
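Construction 4.12 and the reduction behind the theorem on slide 13, as an added example that is not code from the slides or the textbook. Assumptions: the compression function `h` is SHA-256 truncated to a toy 16 bits, it maps 2L bytes to L bytes, the IV is all zeros, and the message length is encoded in bytes rather than bits. Because the toy `h` is weak, a collision in `H` can be found and then traced back to a collision in `h`, which is exactly what the theorem says must exist.

```python
import hashlib

L = 2  # assumption: toy block/output length in bytes, so collisions are findable

def h(s: bytes, block: bytes) -> bytes:
    """Stand-in fixed-length compression function: 2L bytes in, L bytes out."""
    assert len(block) == 2 * L
    return hashlib.sha256(s + block).digest()[:L]

def md_inputs(s: bytes, x: bytes):
    """Return every 2L-byte input passed to h while hashing x."""
    assert len(x) < 2 ** (8 * L)
    padded = x + b"\x00" * (-len(x) % L)            # zero-pad to a block multiple
    blocks = [padded[i:i + L] for i in range(0, len(padded), L)]
    blocks.append(len(x).to_bytes(L, "big"))        # final block encodes the length
    z, inputs = b"\x00" * L, []                     # z_0 := IV
    for blk in blocks:
        inputs.append(z + blk)
        z = h(s, z + blk)                           # z_i := h(z_{i-1} || x_i)
    return inputs

def H(s: bytes, x: bytes) -> bytes:
    """Variable-length hash: the output of the last compression call."""
    return h(s, md_inputs(s, x)[-1])

def extract_h_collision(s: bytes, x: bytes, y: bytes):
    """Given x != y with H(x) == H(y), return distinct u, v with h(u) == h(v)."""
    a, b = md_inputs(s, x), md_inputs(s, y)
    while a and b:
        u, v = a.pop(), b.pop()      # walk both chains backwards from the end
        if u != v:
            return u, v              # outputs are equal here, inputs differ
    raise ValueError("x and y are identical")

def birthday_collision(s: bytes):
    """Table-based birthday search over constructed messages '0', '1', '2', ..."""
    seen, i = {}, 0
    while True:
        m = str(i).encode()
        d = H(s, m)
        if d in seen:
            return seen[d], m
        seen[d] = m
        i += 1
```
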
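The Mac and Vrfy algorithms of Construction 4.17, as an added example that is not part of the original slides. It uses the standardized instantiation (RFC 2104 with SHA-256, pad bytes 0x36 and 0x5C) rather than the slides' keyed-family notation; the function names `mac` and `vrfy` are chosen here for illustration.

```python
import hashlib
import hmac

BLOCK = 64                 # SHA-256 input block size in bytes
IPAD, OPAD = 0x36, 0x5C    # RFC 2104 pad bytes, each repeated BLOCK times

def _pad_key(key: bytes) -> bytes:
    """Keys longer than a block are hashed first; all keys are zero-padded."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    return key.ljust(BLOCK, b"\x00")

def mac(key: bytes, msg: bytes) -> bytes:
    """tag = H((k xor opad) || H((k xor ipad) || m))."""
    k = _pad_key(key)
    inner = hashlib.sha256(bytes(b ^ IPAD for b in k) + msg).digest()
    return hashlib.sha256(bytes(b ^ OPAD for b in k) + inner).digest()

def vrfy(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac(key, msg), tag)
```
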
