Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5

Hash functions and digital signatures

Contents

• Hash functions– Definition– Requirements– Construction– Security– Applications

2/44

Contents

• Digital signatures– Definition– Digital signatures – procedure– Digital signature with RSA– Signing enciphered messages– Signing and hashing

3/44

Hash functions - definition

• Let k, n be positive integers• A function f with n bit output and k

bit key is called a hash function if1. f is a deterministic function2. f takes 2 inputs, the first is of arbitrary

length and the second is of length k3. f outputs a binary string of length n

• Formally:

4/44

nk* ,,,:f 101010

Hash functions - definition

• The key k is assumed to be known/fixed, unlike in cipher systems

• If k is known/fixed, the hash function is unkeyed

• If k is secret the hash function is keyed• k is known/fixed in most of the

applications (e.g. digital signature schemes)

• k is kept secret in Message Authentication Codes (MACs)

5/44

Hash functions – security requirements• In order to be useful for

cryptographic applications, any hash function must satisfy at least 3 properties (3 “levels of security”) (1)1. One-wayness (or preimage resistance):

a hash function f is one-way if, for a random key k and an n -bit output string w, it is difficult for the attacker presented with k and w to find x such that fk (x )=w.

6/44

Hash functions – security requirements• Security requirements (2)

2. Second preimage resistance (or weak collision resistance): a hash function f is second preimage resistant if it is difficult for an attacker presented with a random key k and a random input string x to find y x such that fk (x )=fk

(y ).

7/44

Hash functions – security requirements• Security requirements (3):

3. (Strong) collision resistance: a hash function f is collision resistant if it is difficult for an attacker presented with a random key k to find x and y x such that fk (x )=fk (y ).

8/44

Hash functions – security requirements• The collision resistance implies the

second preimage resistance.• The second preimage resistance and

one-wayness are incomparable– The properties do not follow from one

another– Still, a hash function that would be one-

way but not second preimage resistant would be quite artificial

9/44

Hash functions – security requirements• In practice, collision resistance is the

strongest security requirement of all the three requirements– the most difficult to satisfy– the easiest to breach

• Breaking the collision resistance property is the goal of most attacks on hash functions.

10/44

Hash functions – other requirements• Certificational weakness– A good hash function should possess

avalanche property• changing a bit of input would approximately

change a half of the output bits

– No input bits can be reliably guessed based on the hash function’s local output (local one-wayness)

– Failure to satisfy these (and some other) properties is called certificational weakness.

11/44

Hash functions – other requirements• It is also required that a hash

function is feasible to compute, given x (and k ).

• This is the reason why some theoretically strong constructions of hash functions are not used extensively in practice.

12/44

Hash functions – other requirements• Example: so called algebraic hash

functions, based on the same difficult mathematical problems that are used in public key cryptography– Shamir’s function (factoring)– Chaum-vanHeijst-Pfitzmann’s function

(discrete log)– Newer designs: VSH (factoring), LASH

(lattice), Dakota (modular arithmetic and symmetric ciphers)

13/44

Hash functions - construction

• The Merkle-Damgård construction

– A classical hash function design

– Iterates a compression function

– A compression function

• takes a fixed length input

• outputs a fixed length (shorter) output.

14/44

Hash functions - construction

• In practice, symmetric cipher systems

are used as compression functions

(usually block ciphers).

• Let g =(x,k ) be a block cipher, where x is

the plaintext message, and k is the key.

• The length of the block x is n bits and the

length of the key k is m bits, m >n.

15/44

Hash functions - construction

• The hash function f to be

constructed

– has the (theoretically) unlimited input

length

– has the output bit length n

• The input string to the hash function

f is y.

16/44

Hash functions - construction

• Hash function iterations

– Pad y such that the length of the padded

input y ’ is the least possible multiple of

m.

– Let where yi {0,1}m .

– Let f0 be a fixed initialization vector of

length n (in bits).

– Then, for i =1,..., r, fi =g (fi -1, ).

– Finally, f =fr .17/44

'r

''' y||||y||yy 21

'iy

Hash functions - construction

• Remark:

– The padding algorithm and f0 depend on

the particular hash function.

• Schematic of the Merkle-Damgård

design

18/44

Hash functions - construction

• Advantages of using block ciphers as

compression functions

– Efficient, i.e. fast

– Usually already implemented

• Disadvantage

– Employing a strong block cipher in hash

function design does not guarantee a

good hash function.19/44

Hash functions - construction

• Examples of Merkle-Damgård

designs

– The MD (Message Digest) family of hash

functions (MD4, MD5), n =128.

– The NIST SHA (Secure Hash Algorithm)

family of hash functions (SHA-1 (n

=160), SHA-2 (i.e. SHA-256, SHA-512)).

• They all use custom block cipher

rounds.20/44

Hash functions - construction

• The speed of such a design depends

on the number of rounds of the block

cipher involved.

• Example

–MD4 – 3 rounds

–MD5 – 4 rounds – more secure

– But MD5 is 30% slower than MD4.

21/44

Hash functions - security

• Security of the most often used hash

functions, MD5 and SHA-1 has been

recently compromised – collisions

were found.

• They are now considered insecure.

• Consequence: the SHA-3 contest, the

proposals are due October 2008.22/44

Hash functions - applications

• Data integrity protection

– Digital signature schemes

• Authentication

–Message authentication codes (MACs)

– If MAC uses a hash function it is called

HMAC

– HMAC standard RFC2104 (Bellare-

Canetti-Krawczyk, 1996).23/44

Digital signatures - definition

• Digital signature

– A number dependent on some secret

known only to the signer and on the

contents of the signed message

–Must be verifiable in case of

• a signer repudiating a signature

• a fraudulent claimant

24/44

Digital signatures - definition

• Applications

– Authentication

– Data integrity protection and non-

repudiation

– Certification of public keys in large

networks.

25/44

Digital signatures - procedure

• Basic elements (1)

–M – the set of messages that can be

signed

– S – the set of signatures, e.g. binary

strings of fixed length

– SA – signing transformation for the entity

A

• SA is kept secret by A

• Used to create signatures from M

26/44

SM:S A

Digital signatures - procedure

• Basic elements (2)

– VA – verification transformation for the

A’s signatures

• Publicly known

• Used by other entities to verify signatures

created by A

27/44

false,trueSM:VA

Digital signatures - procedure

• Both SA and VA should be feasible to

compute

• It should not be computationally

feasible to forge a digital signature y

on a message x

– Given x, only A (i.e. Alice) should be

able to compute the signature y such

that VA(x,y )=true. 28/44

Digital signatures - procedure

• Signing a message x

– Alice uses the algorithm SA to compute

the signature over the message x

– Alice publishes (or sends to some

recipient) the message x, together with

the signature y =SA(x )

29/44

Digital signatures - procedure

• Verifying a signature of a message

published/sent by Alice

– Upon receiving the pair (x,y ), the verifier

uses the algorithm VA (publicly known) to

verify the integrity of the received

message x

– If VA (x,y )=true, the signature is verified.

30/44

Digital signatures - procedure

• It can be shown that asymmetric

ciphers can be used for digital

signature purposes

• To prevent forgery, it should be

infeasible for an attacker to retrieve

the secret information used for

signing – the transformation SA.31/44

Digital signature with RSA

• Alice signs the message x by using

the deciphering transformation

• Alice is the only one that can sign,

since dA is kept secret.

32/44

Ad nxy A mod

Digital signature with RSA

• Bob verifies the signature y received

from Alice by employing

encipherment of y using Alice’s

public key (eA,nA), i.e.

• If c =x, then the signature y is

verified.33/44

Ae nyc A mod

Digital signature with RSA - security

• Suppose Eve wants to sign her own

message x ’ with Alice’s signature y

(i.e. to forge Alice’s signature).

• Eve does not know dA, she only

knows Alice’s public key (eA,nA ).

34/44

Digital signature with RSA - security

• Direct verification, if Eve’s signed

document (x ’,y ) is to be verified

– This will fail, since c ≠x ’.

• Thus, what Eve needs is another

signature, y ’, such that

• Getting y ’ is a difficult problem.35/44

Ae nyc A mod

'mod' xny AeA

Digital signature with RSA - security

• Another possibility for Eve – she can

choose y ’ first and then generate

the message

• y ’ will then be easily verified, i.e.

such a forgery is successful.

• But then the probability that x ’ is

meaningful is very small.36/44

Ae nyx A mod''

Signing enciphered messages

• Suppose Alice wants to send a signed

enciphered message x to Bob.

– Alice computes her signature y =SA (x )

– Then Alice enciphers both x and y by

means of Bob’s public key

– The ciphertext z is transmitted to Bob.

37/44

Signing enciphered messages

• Deciphering and verification

– Bob deciphers z by means of his private

key and thus obtains (x,y )

– Then Bob uses Alice’s public verification

function VA to verify the Alice’s signature

y.

38/44

Signing and hashing

• Usually, public key ciphers are used

in digital signature schemes

• If the original message is signed, the

signature is at least as long as the

message – inefficient

39/44

Signing and hashing

• Another problem is that of Eve’s

ability to generate the signature and

then get the corresponding message

that may be meaningful, although

with small probability.

• Solution: sign hashed message.

40/44

Signing and hashing

• The hash function f is made public

• Starting with a message x, Alice first

computes f (x ), which is significantly

smaller than x

• Alice then computes y =SA(f (x ))

• Alice then sends (x,y ) to Bob.

41/44

• Verification process

– Bob computes f (x )

– Bob also computes VA (f (x ),y )

– If VA (f (x ),y ) =true, then Alice’s

signature is verified.

Signing and hashing

42/44

• Suppose Eve has (x,y =SA(f (x ))

• Eve would like to sign her own message

x ’ with Alice’s signature (i.e. to forge it)

• So she needs SA(f (x ’))=SA(f (x )), which

means she needs f (x ’)=f (x ). This is

difficult if f (x ) is second preimage

resistant.

Signing and hashing - security

43/44

• Moreover, it is highly unlikely that Eve

would be able to find two messages, x’

and x ’’ with the same hashes and

consequently signatures, if f is collision

resistant.

• So it is difficult for Eve to choose the

signature first and then get the

corresponding message.

Signing and hashing - security

44/44