Cryptography. Summer Term 2010
|
|
- Pamela Hampton
- 6 years ago
- Views:
Transcription
1 Summer Term 2010 Chapter 2: Hash Functions
2 Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 2
3 Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 3
4 Definition and applications A hash function h is a function with two properties: Compression: h : {0,1}* {0,1}n Ease of computation: The computation of h(m) is 'fast'. For use in cryptography, we have to impose further conditions (see next slide). Notation: m is a 'document', h(m) its hash value or digest Sample applications: Storage of passwords Electronic signatures (MAC, asymmetric signatures) Forensics 4
5 Basic properties for use in cryptography Preimage Resistance: Second Preimage Resistance: Given a document m, it is infeasible in practice to find a second document m' with m m' and h(m) = h(m'). Collision Resistance: Given a hash value H, it is infeasible in practice to find an input (a document m) with H = h(m). It is infeasible in practice to find any two documents m, m' with m m' and h(m) = h(m'). Relation to birthday problems A and B? 5
6 Hardness of basic properties Assumptions: Hash values behave randomly. Security threshold is 2^{100} hash value computations. Expected number of trials of a brute-force-attack: Preimage computation: Second preimage computation: Collision: Lower bound of n to avoid each attack A today's hash function SHALL satisfy n 6
7 Relationship of basic properties Our proofs make use of the following logical rule: Let A and B be two assertions. Then: Example: ( A => B ) <=> ( B => A ) A: n = 2 B: n is an even integer Preimage resistance vs. Collision resistance Second preimage resistance vs. Collision resistance Preimage resistance vs. Second preimage resistance 7
8 OWHF and CRHF Let h be a hash function as defined above. One-way hash function (OWHF): If h additionally is preimage resistant and second preimage resistant, then it is called a OWHF. Collision resistant hash function (CRHF): If h additionally is collision resistant, it is called a CRHF. Relationship between OWHF and CRHF as described above. Digital signature schemes like RSA, DSA or ECDSA require a CRHF. 8
9 MDC and MAC Modification detection code (MDC): A OWHF or a CRHF, which shall provide integrity or authenticity in conjunction with additional mechanisms (e.g. writing the MDC down on a paper). An MDC has only one input: A document. An MDC is unkeyed. Message authentication code (MAC): A OWHF or a CRHF, which shall provide integrity or authenticity without additional mechanisms. A MAC requires two inputs: A document and a secret key (i.e. a MAC is keyed). 9
10 Classification of cryptographic hash functions Source: Handbook of Applied 10
11 Avalanche effect Let m and h(m) be given. If m is replaced by m', h(m') behaves pseudo randomly. One has no control over the output, if the input is changed. Hash functions are assumed to be surjective. Example: If only one bit in m is changed to get m', the two outputs h(m) and h(m') look 'very' different. Every bit in h(m') changes with probability 50%, independent of the number of different bits in m'. 11
12 Sample hash functions MD5: n = 128 SHA-1: n = 160 SHA-2 family: RIPEMD family: RIPEMD-160, RIPEMD-256, RIPEMD-320 Demo: SHA-256, SHA-384, SHA-512 Computation of hash values using openssl Avalanche effect Performance 12
13 Improving security for given hash functions Two well-known methods: Cascading hash functions HMAC (only for MACs) Cascading hash functions: Let two hash functions h1 and h2 be given Set h(m) = h1(m) h2 (m) The hash function h is collision resistant, if only one of the hash functions h1 or h2 remains collision resistant 13
14 Extending a MAC to HMAC Idea: Iteratively hash a document Due to Bellare, Canetti, Krawczyk Description: Let h be a hash function There are two fixed padding sequences: Outer padding: Inner padding: opad= ipad=5c5c...5c Set HMAC = h ( (k XOR opad) h ( (k XOR ipad) m) ) Security: Harder to find a collision for an HMAC than for the underlying hash function 14
15 Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 15
16 Merkle-Damgard construction: Idea The MD-construction requires a compression function: f : {0,1}s {0,1}n with s > n. Remark: The input size (in bits) is fixed. Merkle-Damgard set s = r + n Basic idea to extend f to h (padding is left out): Split up the input m of h to blocks of length r bits: m = m1m2...mt Iteratively apply f to each block, where the current input is: n bits of the previously computed output of f. r bits of the current processed block of m. 16
17 Merkle-Damgard construction: Overview Notation remarks: Document is referred to as x IV = Initialisation Vector Often g is the identity map Source: Handbook of Applied 17
18 Merkle-Damgard construction: Formal algorithm 18
19 Merkle-Damgard construction: Security Fundamental fact: If the compression function f is collision resistant, then the MD-extended hash function h is collision resistant, too. Remark: We have to fix an initial hash block H0: IV. We have to apply an appropriate padding including the length of the input. Almost all current hash functions implement the MD-design: MD4, MD5 RIPEMD-family SHA-family (SHA-1, SHA-2) 19
20 SHA-1 Standardised in FIPS PUB from 2002: Secure Hash Standard (SHS) SHA-1 is based on the same design principles as MD4: Unary operators: Logical NOT, cyclic SHIFT Binary operators: Bitwise AND, bitwise OR, XOR Addition modulo a word of length 32 bit (i.e. mod 2^{32}) SHA-1 is based on four compression functions (see later): Each has n = 160 and r = 512: s = r + n = 672 Each one is applied in one part for 20 rounds SHA-1 comprises 4 parts and 80 rounds in total 20
21 SHA-1 overview We make use of the notation from SHS For example, a message block is denoted by M ( i ) Three steps (according to Merkle-Damgard): Padding: Expand message length to a multiple of 512 bits. Splitting: Iterative compression: Split message in N blocks of 512 bits These blocks are denoted as M (1) to M ( N ) Apply iteratively the compression function on M (1) to M ( N ) The intermediate hash values are H (1) to H ( N ) The hash value of the message is H ( N ). 21
22 SHA-1 padding (1/2) Let L be the bit length of the message m. Padding comprises three steps: Append a single '1' to the end of the message. Append minimal number of '0's until length is of the form 512k 64. Write binary encoded L at the end (with least significant bit right). The input to SHA-1 is m L 22
23 SHA-1 padding (2/2) Example from SHS: We want to compute SHA-1 ( abc ). abc is the ASCII string of 'a', 'b', 'c' (of bit length 24). Thus we append a '1' and 423 '0's. Finally, we append the length 24. Remarks: The maximum length of a SHA-1 input is This is equivalent to TBytes. 23
24 Overview of a SHA-1 round Source: en.wikipedia.org 24
25 SHA-1 round functions SHA-1 consists of 4 parts of 20 rounds, respectively. Each part has its round function: Input of a round function: Three 32 bit words. Output of a round function: A single 32 bit word. Source: Secure Hash Standard 25
26 SHA-1 constants Each of the 4 SHA-1 parts has its own constant It is a 32 bit word, written in hexadecimal Source: Secure Hash Standard 26
27 Initial hash value The initial hash value is denoted by H ( 0 ). Used as starting IV to apply the first round function on M (1) H ( 0 ) = H0( 0 ) H1( 0 ) H2( 0 ) H3( 0 ) H4( 0 ) with Source: Secure Hash Standard 27
28 Message contribution Each message block M ( i ) is 512 bits long. Write M ( i ) as a concatenation of 16 words of bit length 32: M ( i ) = M0( i ) M1( i ) M2( i )... M 15 ( i ) Each of the 80 SHA-1 requires a 32 bit word Wt : Set Wt = Mt(i) for t = 0 to 15 Rounds t = 16 to 79 require a left-shifted and XORed combination of previously computed input words Wt Source: SHS 28
29 SHA-1 round function to compute H ( i ) SHA-1 makes use of 5 registers of 32 bits initialised as: a = H0 ( i 1), b = H1 ( i 1), c = H2 ( i 1), d = H3( i 1), e = H4( i 1) The registers are manipulated within 80 rounds as: Source: Secure Hash Standard 29
30 SHA-1 computation of intermediate and final hash Computation of intermediate hash H ( i ) : H0( i ) = a + H0( i 1), H1( i ) = b + H1( i 1), H2( i ) = c + H2( i 1), H3( i ) = d + H3( i 1), H4( i ) = e + H4( i 1) The final SHA-1 hash is the final intermediate hash: h(m) = H0( N ) H1( N ) H2( N ) H3( N ) H4( N ) Source: Secure Hash Standard 30
31 Overview of different hash functions Source: Handbook of Applied Wording: Handbook Round Step vs. Lecture vs. vs. Part Round 31
32 Source: Handbook of Applied Test vectors and subtleties $ echo abc sha1sum 03cfd743661f07975fa2f1220c5194cbaff
33 Security remarks on SHA-1 Birthday attack = Brute force attack: 2^{80} trials X. Wang et al. (February 2005): 2^{69} trials X. Wang et al. (August 2005): 2^{63} trials C. McDonald et al. (May 2009): 2^{52} trials (however, they withdraw their estimation later) General observations: Finding collisions for SHA-1 is much easier than using brute force We need a new long-term hash function: SHA-3 33
34 Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 34
35 Overview The SHA-3 competition started on November 2, 2007 Publication by NIST in the Federal Register: Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) family General requirements: Output hash values of 224, 256, 384, 512 bits Replacement of SHA-2 (although SHA-2 is not withdrawn) No 160 bit output allowed (this fits to the security threshold of 100 bits) Similar process as the AES competition 35
36 NIST expectations Security strength is at least as good as SHA-2 Attacks on SHA-2 are unlikely to work on SHA-3 More efficient than SHA-2 Maximum message length at least 2^{64} 1 bits Interoperability: Implementable in a wide range of hardware and software platforms A single hash family is preferred Worldwide availability and royalty free use 36
37 Time schedule NIST hash workshop: Initial publication: Submission deadline for first round: First candidate conference (KU Leuven): 2009, Feb. Second candidate conference: 2010, 2Q Candidate conference of finalists: 2012, 1Q Publication: 2012, 4Q 37
38 Round 1 64 submissions Announcement of 51 first round candidates on First SHA-3 candidate conference: Feb , 2009 at KU Leuven, Belgium All submitters of 51 first round candidates were invited to defend their proposals Preneel's statement at CASED distinguished lecture (May 14, 2009): From 30 candidates 50 % follow MD-design 25 % sponge design 25 % Haifa July 24, 2009: 14 candidates were selected for round 2 38
39 Round 2 Sample candidates: by N. Ferguson, S. Lucks, B. Schneier, D. Whiting, M. Bellare, T. Kohno, J. Callas and J. Walker CubeHash by Dan Bernstein Keccak by G. Bertoni, J. Daemen, M. Peeters, G. Van Assche Second SHA-3 candidate conference: August 23-24, 2010 at Santa Barbara in the scope of Crypto 39
Cryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 34 Cryptographic Hash Functions A hash function provides message integrity and authentication
More informationCryptographic Hash Functions. William R. Speirs
Cryptographic Hash Functions William R. Speirs What is a hash function? Compression: A function that maps arbitrarily long binary strings to fixed length binary strings Ease of Computation: Given a hash
More informationJaap van Ginkel Security of Systems and Networks
Jaap van Ginkel Security of Systems and Networks November 17, 2016 Part 3 Modern Crypto SSN Modern Cryptography Hashes MD5 SHA Secret key cryptography AES Public key cryptography DES Presentations Minimum
More informationLecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS
Lecture 5 Cryptographic Hash Functions Read: Chapter 5 in KPS 1 Purpose CHF one of the most important tools in modern cryptography and security CHF-s are used for many authentication, integrity, digital
More informationCryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015
Cryptographic Hash Functions Rocky K. C. Chang, February 5, 2015 1 This set of slides addresses 2 Outline Cryptographic hash functions Unkeyed and keyed hash functions Security of cryptographic hash functions
More informationECE 646 Lecture 11. Hash functions & MACs. Digital Signature. message. hash. function. Alice. Bob. Alice s public key. Alice s private key
ECE 646 Lecture 11 Hash functions & MACs Digital Signature Alice Message Signature Message Signature Bob Hash function Hash function Hash value Public key algorithm yes Hash value 1 Hash value 2 no Public
More informationOverview. CSC 580 Cryptography and Computer Security. Hash Function Basics and Terminology. March 28, Cryptographic Hash Functions (Chapter 11)
CSC 580 Cryptography and Computer Security Cryptographic Hash Functions (Chapter 11) March 28, 2017 Overview Today: Review Homework 8 solutions Discuss cryptographic hash functions Next: Study for quiz
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran
More informationA hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 8 Hash Functions 8.1 Hash Functions Hash Functions A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed
More informationCSC 580 Cryptography and Computer Security
CSC 580 Cryptography and Computer Security Cryptographic Hash Functions (Chapter 11) March 22 and 27, 2018 Overview Today: Quiz (based on HW 6) Graded HW 2 due Grad/honors students: Project topic selection
More informationHash functions & MACs
ECE 646 Lecture 11 Hash functions & MACs Required Reading W. Stallings, "Cryptography and Network-Security, Chapter 11 Cryptographic Hash Functions Appendix 11A Mathematical Basis of Birthday Attack Chapter
More informationECE 646 Lecture 12. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value.
ECE 646 Lecture 12 Required Reading W. Stallings, "Cryptography and Network-Security, Chapter 11 Cryptographic Hash Functions & MACs Appendix 11A Mathematical Basis of Birthday Attack Chapter 12 Message
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lecture 18: Cryptographic hash functions, Message authentication codes Functions Definition Given two sets, X and Y, a function f : X Y (from set X to set Y), is
More informationCS-E4320 Cryptography and Data Security Lecture 5: Hash Functions
Lecture 5: Hash Functions Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Hash Functions Birthday Paradox Design of Hash Functions SHA-3
More informationHashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5
Hashes, MACs & Passwords Tom Chothia Computer Security Lecture 5 Today s Lecture Hashes and Message Authentication Codes Properties of Hashes and MACs CBC-MAC, MAC -> HASH (slow), SHA1, SHA2, SHA3 HASH
More informationKeccak discussion. Soham Sadhu. January 9, 2012
Keccak discussion Soham Sadhu January 9, 2012 Keccak (pronounced like Ketchak ) is a cryptographic hash function designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. Keccak is
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Next Topic in Cryptographic Tools Symmetric key encryption Asymmetric key encryption Hash functions and
More informationHash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18
Hash Function Guido Bertoni Luca Breveglieri Fundations of Cryptography - hash function pp. 1 / 18 Definition a hash function H is defined as follows: H : msg space digest space the msg space is the set
More informationData Integrity. Modified by: Dr. Ramzi Saifan
Data Integrity Modified by: Dr. Ramzi Saifan Encryption/Decryption Provides message confidentiality. Does it provide message authentication? 2 Message Authentication Bob receives a message m from Alice,
More informationNetwork Security. Cryptographic Hash Functions Add-on. Benjamin s slides are authoritative. Chair for Network Architectures and Services
Chair for Network Architectures and Services Technische Universität München Network Security Cryptographic Hash Functions Add-on Benjamin s slides are authoritative Motivation (1) Common practice in data
More informationIntroduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms
Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationHOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)
AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,
More informationH must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)
What is a hash function? mapping of: {0, 1} {0, 1} n H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls) The Merkle-Damgård algorithm
More informationThe SHA-3 Process. Keccak & SHA-3 day Brussels, 27 March 2013
The SHA-3 Process Keccak & SHA-3 day Brussels, 27 March 2013 Timeline 05 06 07 08 09 10 11 12 13 Summer 2005: Attacks on MD5, RIPEMD, SHA-0, SHA-1 The Wang effect Before 2005 MD4 (Dobbertin) MD5 (Boss.,
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationCryptography and Network Security
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 12 Hash Algorithms Each of the messages, like each one he had ever read of Stern's commands,
More informationCSCI 454/554 Computer and Network Security. Topic 4. Cryptographic Hash Functions
CSCI 454/554 Computer and Network Security Topic 4. Cryptographic Hash Functions Hash function lengths Outline Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication Code
More informationOutline. Hash Function. Length of Hash Image. AIT 682: Network and Systems Security. Hash Function Properties. Question
Hash function lengths Outline AIT 682: Network and Systems Security Topic 4. Cryptographic Hash Functions Instructor: Dr. Kun Sun Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication
More informationOutline. AIT 682: Network and Systems Security. Hash Function Properties. Topic 4. Cryptographic Hash Functions. Instructor: Dr.
AIT 682: Network and Systems Security Topic 4. Cryptographic Hash Functions Instructor: Dr. Kun Sun Hash function lengths Outline Hash function applications MD5 standard SHA-1 standard Hashed Message Authentication
More informationCryptographic Hash Functions
ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and
More informationA hash function is strongly collision-free if it is computationally infeasible to find different messages M and M such that H(M) = H(M ).
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 5 5.1 A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed length (e.g. 128 bits), called the hash-value
More informationIntegrity of messages
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 106 Integrity of messages Goal: Ensure change of message by attacker can be detected Key tool: Cryptographic hash function Definition
More informationMessage Authentication and Hash function 2
Message Authentication and Hash function 2 Concept and Example 1 SHA : Secure Hash Algorithm Four secure hash algorithms, SHA-11, SHA-256, SHA-384, and SHA-512. All four of the algorithms are iterative,
More informationData Integrity & Authentication. Message Authentication Codes (MACs)
Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran
More informationMessage Authentication Codes and Cryptographic Hash Functions
Message Authentication Codes and Cryptographic Hash Functions Readings Sections 2.6, 4.3, 5.1, 5.2, 5.4, 5.6, 5.7 1 Secret Key Cryptography: Insecure Channels and Media Confidentiality Using a secret key
More informationarxiv: v1 [cs.cr] 5 Feb 2016
A replay-attack resistant message authentication scheme using time-based keying hash functions and unique message identifiers arxiv:1602.02148v1 [cs.cr] 5 Feb 2016 Boudhayan Gupta Department of Computer
More informatione-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text
e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text Cryptography and Network Security Module 28- Hash Algorithms
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security MAC, HMAC, Hash functions and DSA Vinod Ganapathy Lecture 6 Message Authentication message authentication is concerned with: protecting the integrity of a message validating
More informationECE 646 Lecture 11. Hash functions & MACs. Digital Signature. Vocabulary. hash value message digest hash total. m message.
ECE 646 Lecture 11 Alice Message Digital Signature Signature Message Signature Bob & s Has Has Has value 1 Has value yes no Public key algoritm Has value 2 Public key algoritm Alice s private key Alice
More informationPermutation-based symmetric cryptography
Permutation-based symmetric cryptography Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Keccak & SHA-3 Day Université Libre de Bruxelles March
More informationECE 646 Lecture 11. Hash functions & MACs. Digital Signature. Required Reading. Recommended Reading. m message. hash function hash value
ECE 646 Lecture 11 Required Reading W. Stallings, "Cryptograpy and Network-Security, Capter 11 Cryptograpic Has Functions & s Appendix 11A Matematical Basis of Birtday Attack Capter 12 Autentication Codes
More informationA j-lanes tree hashing mode and j-lanes SHA-256
A j-lanes tree hashing mode and j-lanes SHA-5 Shay Gueron 1, 1 Department of Mathematics, University of Haifa, Israel Intel Corporation, Israel Development Center, Haifa, Israel August 1, Abstract. j-lanes
More informationJaap van Ginkel Security of Systems and Networks
Jaap van Ginkel Security of Systems and Networks November 5, 2012 Part 3 Modern Crypto SSN Week 2 Hashes MD5 SHA Secret key cryptography AES Public key cryptography DES Book Chapter 1 in full Chapter 2
More informationObservations and Attacks On The SHA-3 Candidate Blender
Observations and Attacks On The SHA-3 Candidate Blender Craig Newbold cjnewbold@googlemail.com Abstract 51 candidates have been accepted as first round candidates in NIST s SHA-3 competition, to decide
More informationSecurity Analysis of Extended Sponge Functions. Thomas Peyrin
Security Analysis of Extended Sponge Functions Hash functions in cryptology: theory and practice Leiden, Netherlands Orange Labs University of Versailles June 4, 2008 Outline 1 The Extended Sponge Functions
More informationMessage authentication codes
Message authentication codes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction security of MAC Constructions block cipher
More informationGeneric collision attacks on hash-functions and HMAC
Generic collision attacks on hash-functions and HMAC Chris Mitchell Royal Holloway, University of London 1 Agenda 1. Hash-functions and collision attacks 2. Memoryless strategy for finding collisions 3.
More informationCOMP4109 : Applied Cryptography
COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University Applied Cryptography Day 2 information security cryptographic primitives unkeyed primitives NSA... one-way functions hash functions
More informationENEE 459-C Computer Security. Message authentication
ENEE 459-C Computer Security Message authentication Data Integrity and Source Authentication Encryption does not protect data from modification by another party. Why? Need a way to ensure that data arrives
More informationLecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS
Lecture 5 Cryptographic Hash Functions Read: Chapter 5 in KPS 1 Purpose CHF one of the most important tools in modern cryptography and security In crypto, CHF instantiates a Random Oracle paradigm In security,
More informationCryptographic Hash Functions
Cryptographic Hash Functions Cryptographic Hash Functions A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length. Iterated Hash Function A (compression)
More informationCS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012
CS 645 : Lecture 6 Hashes, HMAC, and Authentication Rachel Greenstadt May 16, 2012 Reminders Graded midterm, available on bbvista Project 3 out (crypto) Hash Functions MAC HMAC Authenticating SSL Man-in-the-middle
More informationEnhancing the Security Level of SHA-1 by Replacing the MD Paradigm
Journal of Computing and Information Technology - CIT 21, 2013, 4, 223 233 doi:10.2498/cit.1002181 223 Enhancing the Security Level of SHA-1 by Replacing the MD Paradigm Harshvardhan Tiwari and Krishna
More informationAppendix K SHA-3. William Stallings
Appendix K SHA-3 William Stallings K.1 THE ORIGINS OF SHA-3... 2 K.2 EVALUATION CRITERIA FOR SHA-3... 4 K.3 THE SPONGE CONSTRUCTION... 6 K.4 THE SHA-3 ITERATION FUNCTION f... 13 Structure of f... 14 Theta
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationLecture 4: Authentication and Hashing
Lecture 4: Authentication and Hashing Introduction to Modern Cryptography 1 Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 1 These slides are based on Benny Chor s slides. Some Changes in Grading
More informationMultiple forgery attacks against Message Authentication Codes
Multiple forgery attacks against Message Authentication Codes David A. McGrew and Scott R. Fluhrer Cisco Systems, Inc. {mcgrew,sfluhrer}@cisco.com May 31, 2005 Abstract Some message authentication codes
More informationChapter 11 Message Integrity and Message Authentication
Chapter 11 Message Integrity and Message Authentication Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 11.1 Chapter 11 Objectives To define message integrity
More informationSkein. John Kevin Hicks
Skein John Kevin Hicks 2 Outline Introduction Skein Overview Threefish Block Cipher Unique Block Iteration Optional Argument System Skein Performance Security Claims and Current Cryptanalysis Conclusions
More informationMessage Authentication with MD5 *
Message Authentication with MD5 * Burt Kaliski and Matt Robshaw RSA Laboratories 100 Marine Parkway, Suite 500 Redwood City, CA 94065 USA burt@rsa.com matt@rsa.com Message authentication is playing an
More informationComputer Security: Hashing
Computer Security: Hashing B. Jacobs and J. Daemen Institute for Computing and Information Sciences Digital Security Radboud University Nijmegen Version: fall 2016 Page 1 of 52 Jacobs and Daemen Version:
More informationCSC 5930/9010 Modern Cryptography: Cryptographic Hashing
CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that
More informationCIT 480: Securing Computer Systems. Hashes and Random Numbers
CIT 480: Securing Computer Systems Hashes and Random Numbers Topics 1. Hash Functions 2. Applications of Hash Functions 3. Secure Hash Functions 4. Collision Attacks 5. Pre-Image Attacks 6. Current Hash
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationInternet Engineering Task Force (IETF) Request for Comments: Category: Informational ISSN: March 2011
Internet Engineering Task Force (IETF) S. Turner Request for Comments: 6149 IECA Obsoletes: 1319 L. Chen Category: Informational NIST ISSN: 2070-1721 March 2011 Abstract MD2 to Historic Status This document
More informationLecture 1: Course Introduction
Lecture 1: Course Introduction Thomas Johansson T. Johansson (Lund University) 1 / 37 Chapter 9: Symmetric Key Distribution To understand the problems associated with managing and distributing secret keys.
More informationNetwork and System Security
Network and System Security Lecture 5 2/12/2013 Hashes and Message Digests Mohammad Almalag 1 Overview 1. What is a cryptographic hash? 2. How are hashes used? 3. One-Way Functions 4. Birthday Problem
More informationSponge-based pseudo-random number generators
Sponge-based pseudo-random number generators Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. This paper proposes a new construction
More informationNetwork Working Group. Category: Standards Track NIST November 1998
Network Working Group Request for Comments: 2404 Category: Standards Track C. Madson Cisco Systems Inc. R. Glenn NIST November 1998 Status of this Memo The Use of HMAC-SHA-1-96 within ESP and AH This document
More informationBuilding a 256-bit hash function on a stronger MD variant
Cent. Eur. J. Comp. Sci. 4(2) 2014 67-85 DOI: 10.2478/s13537-014-0204-7 Central European Journal of Computer Science Building a 256-bit hash function on a stronger MD variant Research Article Harshvardhan
More informationThe Customizeable Shake Function (Cshake)
NIST Special Publication 800-XXX The Customizeable Shake Function (Cshake) John Kelsey Computer Security Division Information Technology Laboratory http://dx.doi.org/10.6028/nist.sp.xxx Month and Year
More informationFEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
FIPS PUB 202 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions CATEGORY: COMPUTER SECURITY SUBCATEGORY: CRYPTOGRAPHY Information
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationNIST Cryptographic Toolkit
Cryptographic Toolkit Elaine Barker ebarker@nist.gov National InformationSystem Security Conference October 16, 2000 Toolkit Purpose The Cryptographic Toolkit will provide Federal agencies, and others
More informationKeccak specifications
Keccak specifications Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2 and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors http://keccak.noekeon.org/ Version 2 September 10, 2009 Keccak
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationP2_L8 - Hashes Page 1
P2_L8 - Hashes Page 1 Reference: Computer Security by Stallings and Brown, Chapter 21 In this lesson, we will first introduce the birthday paradox and apply it to decide the length of hash, in order to
More informationCourse Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here
Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,
More information9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis
More informationNetwork Working Group Request for Comments: 2085 Category: Standards Track NIST February HMAC-MD5 IP Authentication with Replay Prevention
Network Working Group Request for Comments: 2085 Category: Standards Track M. Oehler NSA R. Glenn NIST February 1997 Status of This Memo HMAC-MD5 IP Authentication with Replay Prevention This document
More informationVortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication
Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less ultiplication Shay Gueron 2, 3, 4 and ichael E. Kounavis 1 1 Corresponding author, Corporate Technology Group, Intel Corporation,
More informationCryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng
Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption
More informationCryptography Trends: A US-Based Perspective. Burt Kaliski, RSA Laboratories IPA/TAO Cryptography Symposium October 20, 2000
Cryptography Trends: A US-Based Perspective Burt Kaliski, RSA Laboratories IPA/TAO Cryptography Symposium October 20, 2000 Outline Advanced Encryption Standard Dominant design Thoughts on key size Advanced
More informationPower Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18
Power Analysis of MAC-Keccak: A Side Channel Attack Advanced Cryptography Kyle McGlynn 4/12/18 Contents Side-Channel Attack Power Analysis Simple Power Analysis (SPA) Differential Power Analysis (DPA)
More informationBetriebssysteme und Sicherheit. Stefan Köpsell, Thorsten Strufe. Modul 5: Mechanismen Integrität
Betriebssysteme und Sicherheit Stefan Köpsell, Thorsten Strufe Modul 5: Mechanismen Integrität Disclaimer: large parts from Mark Manulis, Dan Boneh, Stefan Katzenbeisser Dresden, WS 17/18 Reprise from
More informationSecurity Analysis of a Design Variant of Randomized Hashing
Security Analysis of a Design Variant of Randomized ashing Praveen Gauravaram 1, Shoichi irose 2, Douglas Stebila 3 1 Tata Consultancy Services, Australia 2 University of Fukui, Japan 3 McMaster University,
More informationCollision and Preimage Resistance of the Centera Content Address
Collision and Preimage Resistance of the Centera Content Address Robert Primmer, Carl D Halluin Abstract Centera uses cryptographic hash functions as a means of addressing stored objects, thus creating
More informationMasterMath Cryptology /2 - Cryptanalysis
MasterMath Cryptology 2015 2/2 Cryptanalysis Friday, 17 April, 2015 09:59 10. Hash Function Cryptanalysis (v3) Cryptographic hash functions map messages of arbitrary size to a fixed size hash, e.g. a bitstring
More informationS. Erfani, ECE Dept., University of Windsor Network Security. All hash functions operate using the following general principles:
4.14 Simple Hash Functions All hash functions operate using the following general principles: a) The input string is viewed as a sequence of n-byte blocks. b) The input is processed one block at a time
More informationThe road from Panama to Keccak via RadioGatún
The road from Panama to Keccak via RadioGatún Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2 and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. In this paper, we explain the
More informationPushing the Limits of SHA-3 Hardware Implementations to Fit on RFID
Motivation Keccak Our Designs Results Comparison Conclusions 1 / 24 Pushing the Limits of SHA-3 Hardware Implementations to Fit on RFID Peter Pessl and Michael Hutter Motivation Keccak Our Designs Results
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationStatistical Analysis of the SHA-1 and SHA-2 Hash Functions
Statistical Analysis of the SHA-1 and SHA-2 Hash Functions Will Smith Department of Computer Science Rochester Institute of Technology wjs3641@rit.edu Abstract - The SHA-1 and SHA-2 hash functions are
More informationSecurity Requirements of FIPS PUB 140 & Reconfigurable Hardware. G. Bertoni Politecnico di Milano
Security Requirements of FIPS PUB 140 & Reconfigurable Hardware G. Bertoni Politecnico di Milano What is FIPS PUB 140? It is a standard, issued by NIST and CSE, to define different levels of security requirements
More informationNEW COMPRESSION FUNCTION TO SHA-256 BASED ON THE TECHNIQUES OF DES.
NEW COMPRESSION FUNCTION TO SHA-256 BASED ON THE TECHNIQUES OF DES. 1 ZAKARIA KADDOURI, 2 FOUZIA OMARY, 3 ABDOLLAH ABOUCHOUAR, 4 MOHSSIN DAARI, 5 KHADIJA ACHKOUN. LRI Laboratory (Ex: Networks and Data
More informationCryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption
Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 12 Message Authentication Codes At cats' green on the Sunday he took the message from
More informationCryptographic hash functions and MACs
Cryptographic hash functions and MACs Myrto Arapinis School of Informatics University of Edinburgh October 05, 2017 1 / 21 Introduction Encryption confidentiality against eavesdropping 2 / 21 Introduction
More informationDemise of MD5 and SHA-1. Designing the New Hash. Stanis law Pawe l Radziszowski Department of Computer Science Rochester Institute of Technology
Demise of MD5 and SHA-1 Designing the New Hash Stanis law Pawe l Radziszowski Department of Computer Science Rochester Institute of Technology August 2008 1 Abstract A hash function H : {0,1} {0,1} m produces
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More information