1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen.

1

CS 255 Lecture 6Hash Functions

Brent Waters

2

Recap-Notions of Security

• What attacker can do•Random plaintext attack•Chosen plaintext attack•Chosen ciphertext attack

• Attacker’s Goal•Discover secret key•Decrypt a ciphertext, C*

•Distinguish two messages

3

Recap- Notions of Security

• 3x3=9 possible notions of security

• Strongest system =Semantic security against CCAweakest adversary goal + most adversary power

4

Recap- Semantic Securityof Counter Mode

1) Defined notion of security for block cipher --Indistinguishable from PRP --Formal definition game --Believe this is true for AES…

5

Recap-

2) Prove that if cipher is indist. from Random Permutation then counter mode is semantically secure against CPA attack--Assume counter mode is not ) A breaks it

--Build algorithm B that uses algorithm A

--Want to show that A’s answer gives B information to play his game

6

Why do we do this?

• Aren’t we assuming AES, 3DES secure anyway?

• Why not just make same assumption for mode X?

• Reduce to simplest assumptions possible

7

Hash Functions

Hash function- h: {0,1} * \rightarrow {0,1}n

typically n ¼ 160 bits (will see why soon)

Hi, I recently….. …should be used

h(x)

01100100…1

8

Properties

• Compression

• Pre-image resistanc: Given y=h(x) difficult to determine x’ s.t. h(x’)=y

• 2nd preimage resistance: Given x find x’ x s.t. h(x) = h(x’)

• Collision resistance: Find x’ x s.t. h(x)=h(x’)

9

Relations

• If h is collision resistant then h is 2nd order pre-image resistant

• How do we show this?•Reduction—simple here

10

Applications

• Show three applications and do one together

• For each one keep in mind what properties we need

11

Password protection

pword=jeitlsePassword file

U1=…

U2=…

•What should we put in there?

•What if backup tape stolen?

•What property do we need

12

Virus protection

• Worried virus might modify an application

• Small amount of trusted storage on USB token

• What properties do we need?

• Mirror sites distributing software

13

Digital Signatures

• One party can sign a message M, many parties can verify

• Contract signing, code signing

• Raw signature scheme only signs messages ~160 bits

• What properties do we need?

14

Birthday Attack for Collisions

• Let r1, … rj 2 [0,1…B]

• When n=1.2 sqrt(B) then Pr[9 i j: ri=rj]

Pr[9 i j: ri=rj]

=1-Pr[8 i j:ri rj] =1-(1-1/B)(1-2/B)...(1-(n-1)/B) =1-n-1 (1-i/B) ¼ 1- n-1e-i/B

=1-e1/2n2/B

=1-1/e.7 for n=1.2 sqrt(B)=1/2

15

Lesson

• 80 bit hash implies 40 bit security (for collisions)

• Need 160 bit hash output

• For n integers have ¼ n^2 pairs each is a possibility for a collision

16

Iterated Construction(Merkle-Damgard)

M1 M2 M3 M4 pad

IV f f f fH0 H1 H2 H3

1. f – Compression function

2. Hi – chaining variables

3. IV – Initial Value

17

Iterated Construction(Merkle-Damgard)

M1 M2 M3 M4 pad

IV f f f fH0 H1 H2 H3

Padding: 100000 | length

Pad out last message block

Add one block with message length

18

Collision resistance

• If compression function resistant then so is iterated construction

• Way we prove this is to show if we have M M’ and hash(M)=hash(M’) then we can find two

different inputs to compression function (x,y) and (x’,y’) such that f(x,y)=f(x,y)

-Note (x,y) (x’,y’) if x x’ or y y’

19

Collision Resistance

• Suppose h(M)=h(M’)

• IV=H0, H1,H2....Ht

• IV=H0’, H1’, H2’...Hr’

Collision means Ht = Hr’

Case I:

• Suppose t r thenHt=Hr’ =f(Ht-1, t)=f(Hr-1’, r) ) collision!

20

Collision Resistance

• Suppose h(M)=h(M’)

• M=M0, M1...Mt-1, M’=M0, M1,... Mr-1

• IV=H0, H1, H2....Ht

• IV=H0’, H1’, H2’...Hr’

Case 2: t r (Messages same # of blocks)Look at ith chaining variableHave Hi=Hi’ so f(Hi,Mi)=f(Hi’,Mi’)

if Mi Mi’ or if Hi Hi’ then have a collision

otherwise repeat observation for i-1 chaining var.However, 9 j: Mj Mj’ so must have a collision at

some point

21

Block cipher construction

Matyas-Meyer

f(M,H)=E(M,g(h)) © M

EHi g

Mi

© Hi+1...

Thm: Suppose Ek(x) =E(X,K) is a collection of random permutations. Then finding a collision take 2n/2 evaluations of E. Best possible.

22

Customized Hash functions

• Merkle-Damgard types—compression functionfaster than block ciphers

• MD4 128 Collisions found

• MD5 128 28.5MB/s Collisons found

• SHA-1 160 15.2MB/s

• SHA-2 160,256

• RIPEMD 160 12.6 Collisions found

23

“Provable” hash functions

• Discrete log problem:Given ga mod p Output a

• f(a,b)=ga hb mod p

• Slow

24

Paper submission project

• Professors/grad students submit papers to conferences electronically

• Strict deadlines: 9pm Jan. 29th

• People always wait to last minute – get flood of papers at end

• Graphics people send in videos – potentially GBs of data– no way server can handle them all

25

Solutions?

• Attacks?

• Properties