CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

Transcription

1 CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018

2 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that an adversary can't forge a tag We can construct efficient (and inefficient) MACs using PRFs More efficient constructions will be build in the next chapter Combined secrecy and integrity provides authenticated encryption This is possible but problematic if the underlying components are not used correctly!

3 Identification In the real world, we use unique identifiers for a variety of applications SSN address Fingerprints In cryptography, we often need unique and unpredictable identifiers Cryptographic hashes provide a tool to achieve this Hash functions will be used in many constructions, both symmetric key and public key

4 Hash functions In general, a function that reduces an arbitrary-length input to a fixed-length output is a hash function Hash functions have many uses outside of cryptography Can anyone name one? For this class, we want hashes that can provide guarantees against active adversaries

5 Cryptographic Guarantees Collision-resistant Hard to find two inputs that hash to the same output Preimage-resistant Given a hash, hard to find the input (preimage) that generated it Unpredictable source of randomness, or "Random oracle" More on this later

6 A simple (insecure) example For building a hash table of length N, arithmetic modulo N works as a hash function Is it collision-resistant? Is it preimage-resistant?

7 Defining Security The definitions of collision-resistant and preimageresistant are actually related We focus on the strongest definition, collisionresistance Like previous constructions, we define security based on an adversarial game

8 Hash function definition Gen: takes an input 1 n and outputs a key s H: takes an input of a key s and a string x {0,1}* and outputs a string H s (x) {0,1} l (n), where l is the fixed output length If H only accepts inputs of a fixed-length that is greater than l, we call H a compression function

9 <latexit sha1_base64="1yaer8ebovf7t5wkf1cuw6utso8=">aaadehicbvjlb9naelybocw8wjhygrgjjfiaxbmakjakhmgxsh1eqtnqvr7bq67xxruueln5bfwofgbxuhni1o2qpguks9/o85vpexzsadma/xr3wg8eptrde9x+8vtz8xf7by9pdv6vhe94lvnyfjknuig8mcjinbulsiyuebzefbhxs2sstcjvsvkwom9yokqsodpkujxwz8cpavwhweq4jiwkheoafwwwiknlwjswnr7alms6yjhjozp1p9uagqly9vtf+9aoqkyeqlfvgzbm4kodcimzfexvvihbfs7b0x5u2rb3knlzl6h4neltdpzaaejenaqmgqki8souldhglqaw6hpdinya4zrjcjvkltyqiggqcorrwa9wf3waukkx+nl+mrham6vfbo9ylda6lkgskw7xbkwmg0vfdvrtduydivd43q5vchmtc91b9oejnkbrf0evbuhwud8zduenwx3gr0hhwduu/svueow8svo5zfqf+6pczgtwgsgl1btswdb+xri8j6hyhnpenzewgrfkisdos/qif+pdrkhzpvuycyntkq3vxqzzf7hzystv57vqjacqfjmorisyhoxbqsrk5eyuctbecuikpgul44bobqutyu2v0kiyyskxzcbbs93sion8u0ldb6fjou/427hz9hkt4p7z2nnj9bzfeeccornn6pw43p3h/nj/u392/rag1w31b1j33hxnk2flwun/4kewsq==</latexit> <latexit sha1_base64="1yaer8ebovf7t5wkf1cuw6utso8=">aaadehicbvjlb9naelybocw8wjhygrgjjfiaxbmakjakhmgxsh1eqtnqvr7bq67xxruueln5bfwofgbxuhni1o2qpguks9/o85vpexzsadma/xr3wg8eptrde9x+8vtz8xf7by9pdv6vhe94lvnyfjknuig8mcjinbulsiyuebzefbhxs2sstcjvsvkwom9yokqsodpkujxwz8cpavwhweq4jiwkheoafwwwiknlwjswnr7alms6yjhjozp1p9uagqly9vtf+9aoqkyeqlfvgzbm4kodcimzfexvvihbfs7b0x5u2rb3knlzl6h4neltdpzaaejenaqmgqki8souldhglqaw6hpdinya4zrjcjvkltyqiggqcorrwa9wf3waukkx+nl+mrham6vfbo9ylda6lkgskw7xbkwmg0vfdvrtduydivd43q5vchmtc91b9oejnkbrf0evbuhwud8zduenwx3gr0hhwduu/svueow8svo5zfqf+6pczgtwgsgl1btswdb+xri8j6hyhnpenzewgrfkisdos/qif+pdrkhzpvuycyntkq3vxqzzf7hzystv57vqjacqfjmorisyhoxbqsrk5eyuctbecuikpgul44bobqutyu2v0kiyyskxzcbbs93sion8u0ldb6fjou/427hz9hkt4p7z2nnj9bzfeeccornn6pw43p3h/nj/u392/rag1w31b1j33hxnk2flwun/4kewsq==</latexit> <latexit sha1_base64="1yaer8ebovf7t5wkf1cuw6utso8=">aaadehicbvjlb9naelybocw8wjhygrgjjfiaxbmakjakhmgxsh1eqtnqvr7bq67xxruueln5bfwofgbxuhni1o2qpguks9/o85vpexzsadma/xr3wg8eptrde9x+8vtz8xf7by9pdv6vhe94lvnyfjknuig8mcjinbulsiyuebzefbhxs2sstcjvsvkwom9yokqsodpkujxwz8cpavwhweq4jiwkheoafwwwiknlwjswnr7alms6yjhjozp1p9uagqly9vtf+9aoqkyeqlfvgzbm4kodcimzfexvvihbfs7b0x5u2rb3knlzl6h4neltdpzaaejenaqmgqki8souldhglqaw6hpdinya4zrjcjvkltyqiggqcorrwa9wf3waukkx+nl+mrham6vfbo9ylda6lkgskw7xbkwmg0vfdvrtduydivd43q5vchmtc91b9oejnkbrf0evbuhwud8zduenwx3gr0hhwduu/svueow8svo5zfqf+6pczgtwgsgl1btswdb+xri8j6hyhnpenzewgrfkisdos/qif+pdrkhzpvuycyntkq3vxqzzf7hzystv57vqjacqfjmorisyhoxbqsrk5eyuctbecuikpgul44bobqutyu2v0kiyyskxzcbbs93sion8u0ldb6fjou/427hz9hkt4p7z2nnj9bzfeeccornn6pw43p3h/nj/u392/rag1w31b1j33hxnk2flwun/4kewsq==</latexit> <latexit sha1_base64="1yaer8ebovf7t5wkf1cuw6utso8=">aaadehicbvjlb9naelybocw8wjhygrgjjfiaxbmakjakhmgxsh1eqtnqvr7bq67xxruueln5bfwofgbxuhni1o2qpguks9/o85vpexzsadma/xr3wg8eptrde9x+8vtz8xf7by9pdv6vhe94lvnyfjknuig8mcjinbulsiyuebzefbhxs2sstcjvsvkwom9yokqsodpkujxwz8cpavwhweq4jiwkheoafwwwiknlwjswnr7alms6yjhjozp1p9uagqly9vtf+9aoqkyeqlfvgzbm4kodcimzfexvvihbfs7b0x5u2rb3knlzl6h4neltdpzaaejenaqmgqki8souldhglqaw6hpdinya4zrjcjvkltyqiggqcorrwa9wf3waukkx+nl+mrham6vfbo9ylda6lkgskw7xbkwmg0vfdvrtduydivd43q5vchmtc91b9oejnkbrf0evbuhwud8zduenwx3gr0hhwduu/svueow8svo5zfqf+6pczgtwgsgl1btswdb+xri8j6hyhnpenzewgrfkisdos/qif+pdrkhzpvuycyntkq3vxqzzf7hzystv57vqjacqfjmorisyhoxbqsrk5eyuctbecuikpgul44bobqutyu2v0kiyyskxzcbbs93sion8u0ldb6fjou/427hz9hkt4p7z2nnj9bzfeeccornn6pw43p3h/nj/u392/rag1w31b1j33hxnk2flwun/4kewsq==</latexit> <latexit sha1_base64="i+qx+ndcqrqgomi7jgwcftylk24=">aaadahicbvjnb9naef2bj5bwlckry4gekuwlsnobc1ilh+zopkatfefrejo2v12vze66kljy4ddwq1z5jxz5j4ztgjkwot29mz33zmatsknrgucx59+5e+/+zu6dzsnhj5887e49o7nlbqsoralkc5fwi0pqhdvpff5ubnmrkdxplj+2+fmrnfaw+tqtkpwwpnmylyi7ombd38eqc5tdwmvrmtcpiwnvyxcc+gbg+32qfkigrlrzg5y8ce1appcwbrhseewnwoetcjcslbuoumsfv83xsg8ur4ntfw4amyuzsd429fqyd7ywozvy14ktzkruofxq18tozcyjmvim9tbrnjofadlddvq+uq2necv8vbigphojnv/tmov2gsngfxabhgvqy+uiznvetjwvrv2gdkjxaydhullpw42tqugye9cwky4ueyytgpoxakfn6hzleexmflwatkq1rdjnfw0vrf0ucvw2s9ibuzb8x25su/tdtjg6qh1qcs2u1gpcce1hys4ncqcwblgwkrycylnhwtfhtjrpsv0tnjdksirmi+h2up9s0orcm4u6dc6ghyhht8pe0yf1enfzc/asdvji3rijnmirgzphnxifd+v98b/63/zv/o/rut9bv3notsl/+qeonfae</latexit> <latexit sha1_base64="i+qx+ndcqrqgomi7jgwcftylk24=">aaadahicbvjnb9naef2bj5bwlckry4gekuwlsnobc1ilh+zopkatfefrejo2v12vze66kljy4ddwq1z5jxz5j4ztgjkwot29mz33zmatsknrgucx59+5e+/+zu6dzsnhj5887e49o7nlbqsoralkc5fwi0pqhdvpff5ubnmrkdxplj+2+fmrnfaw+tqtkpwwpnmylyi7ombd38eqc5tdwmvrmtcpiwnvyxcc+gbg+32qfkigrlrzg5y8ce1appcwbrhseewnwoetcjcslbuoumsfv83xsg8ur4ntfw4amyuzsd429fqyd7ywozvy14ktzkruofxq18tozcyjmvim9tbrnjofadlddvq+uq2necv8vbigphojnv/tmov2gsngfxabhgvqy+uiznvetjwvrv2gdkjxaydhullpw42tqugye9cwky4ueyytgpoxakfn6hzleexmflwatkq1rdjnfw0vrf0ucvw2s9ibuzb8x25su/tdtjg6qh1qcs2u1gpcce1hys4ncqcwblgwkrycylnhwtfhtjrpsv0tnjdksirmi+h2up9s0orcm4u6dc6ghyhht8pe0yf1enfzc/asdvji3rijnmirgzphnxifd+v98b/63/zv/o/rut9bv3notsl/+qeonfae</latexit> <latexit sha1_base64="i+qx+ndcqrqgomi7jgwcftylk24=">aaadahicbvjnb9naef2bj5bwlckry4gekuwlsnobc1ilh+zopkatfefrejo2v12vze66kljy4ddwq1z5jxz5j4ztgjkwot29mz33zmatsknrgucx59+5e+/+zu6dzsnhj5887e49o7nlbqsoralkc5fwi0pqhdvpff5ubnmrkdxplj+2+fmrnfaw+tqtkpwwpnmylyi7ombd38eqc5tdwmvrmtcpiwnvyxcc+gbg+32qfkigrlrzg5y8ce1appcwbrhseewnwoetcjcslbuoumsfv83xsg8ur4ntfw4amyuzsd429fqyd7ywozvy14ktzkruofxq18tozcyjmvim9tbrnjofadlddvq+uq2necv8vbigphojnv/tmov2gsngfxabhgvqy+uiznvetjwvrv2gdkjxaydhullpw42tqugye9cwky4ueyytgpoxakfn6hzleexmflwatkq1rdjnfw0vrf0ucvw2s9ibuzb8x25su/tdtjg6qh1qcs2u1gpcce1hys4ncqcwblgwkrycylnhwtfhtjrpsv0tnjdksirmi+h2up9s0orcm4u6dc6ghyhht8pe0yf1enfzc/asdvji3rijnmirgzphnxifd+v98b/63/zv/o/rut9bv3notsl/+qeonfae</latexit> <latexit sha1_base64="i+qx+ndcqrqgomi7jgwcftylk24=">aaadahicbvjnb9naef2bj5bwlckry4gekuwlsnobc1ilh+zopkatfefrejo2v12vze66kljy4ddwq1z5jxz5j4ztgjkwot29mz33zmatsknrgucx59+5e+/+zu6dzsnhj5887e49o7nlbqsoralkc5fwi0pqhdvpff5ubnmrkdxplj+2+fmrnfaw+tqtkpwwpnmylyi7ombd38eqc5tdwmvrmtcpiwnvyxcc+gbg+32qfkigrlrzg5y8ce1appcwbrhseewnwoetcjcslbuoumsfv83xsg8ur4ntfw4amyuzsd429fqyd7ywozvy14ktzkruofxq18tozcyjmvim9tbrnjofadlddvq+uq2necv8vbigphojnv/tmov2gsngfxabhgvqy+uiznvetjwvrv2gdkjxaydhullpw42tqugye9cwky4ueyytgpoxakfn6hzleexmflwatkq1rdjnfw0vrf0ucvw2s9ibuzb8x25su/tdtjg6qh1qcs2u1gpcce1hys4ncqcwblgwkrycylnhwtfhtjrpsv0tnjdksirmi+h2up9s0orcm4u6dc6ghyhht8pe0yf1enfzc/asdvji3rijnmirgzphnxifd+v98b/63/zv/o/rut9bv3notsl/+qeonfae</latexit> Hash-coll experiment The collision-finding experiment Hash coll A, (n): 1. Generate a key s using Gen(1 n ) 2. A is given s and outputs x, x 0. These values must be in {0, 1}`0(n) if the hash is fixed-length. 3. The experiment outputs 1 i x 6= x 0 and H s (x) =H s (x 0 ) A hash function =(Gen, H) is collision resistant if for all PPT adversaries A there is a negligible function negl such that Pr[Hash coll A, (n) = 1] apple negl(n) Without compression, this is trivial to achieve

10 Keys in hashes? In reality, hash functions are usually unkeyed In theory, this is an issue since an arbitrary adversary can hard-code a collision and output it against any Hashcoll challenge In reality, as long as no collisions are found in the unkeyed hash, the theory still holds

11 Weaker Definitions In addition to collision-resistance, we also consider two other security definitions: Target collision-resistance Preimage-resistance (one-way) It can be shown that collision-resistance implies both of these weaker notions Fewer restrictions on the adversary == stronger definition In practice, we generally look for collision-resistance

12 Constructing Hash Functions As with block ciphers and modes of operations, hash functions are generally built from compression functions Domain extension techniques allow the compression function to be chained together for longer inputs The Merkle-Damgård transform is by far the most common domain extension technique

13 Merkle-Damgård

14 Applications Hash functions are useful in a plethora of cryptographic applications We will study more in the second half of the semester They are primarily useful in the symmetric-key setting for building MACs We can construct a more efficient MAC than CBC-Mac using hash functions

15 <latexit sha1_base64="k13fgrgg9soel88yaku0rsjhade=">aaaefxichvnntxsxef1cwij9gvbyy6gsslituzylfriqlyfmucqq8swxifi63qwvrx3z3qj0lx/xp9g/0gt7b8ebjskavj9g45n33ryx47hgxny6p5dqy/vhj1dwn6w9ffb8xcv1jvdnruwasloqhnixmtfmcmlolbecxyw1i1ks2hk8ont359+ynlzjezszs15ghpinnbklqf5grfefwfcjyw770dwiniaznuxapsqmcbx9pireaciymwtidkgebjndm2ipe6ipw34ara5kih7xgxxmst8nohudkrktqpjl6hjhmmovyu04t/eq2ncople6p7bidqincrqraoprzaq2en0jizrmvhm92a7a5kqj2vulyjbksucwzfw7m65flglfgfl7ggq4ddr88er6qfoljboco0fkzzbie/bhehejudejwmjqytywopclsr/bxfauyhwo2bks9a2oascpk9u5qyqg7o1djigccswgycjdxv6nhjfwgp6himcuzwty3qh5lze+rqqwwkk1unzg9ufn7pvpzq3wnkc07n9eawtosb2fhprak2twfopaagfncyjjcr1pjoop02j/cifymtmyo95f3+y0o+wb+0fybztedy77g0sr0udrpgpsukgmuqw7y9srilaccrfc3laxcukolzgubbfek8qpmiutzazkd5eoaahm3u4osgbmjiuxmim2nxfvxpkhu8vcju97rwkak3rglotc7d39khhwzagvewwi1ry14nmimlclf28bssr3vxegmvrymgy7i0pnzab14v2j7gdno+0q4687mwefkhnxvtfew6/phd6ud+b1vwpv1ko1h7vftd+1p8t/61v1on6eldawqp7x3skp7/4dhx9jew==</latexit> <latexit sha1_base64="k13fgrgg9soel88yaku0rsjhade=">aaaefxichvnntxsxef1cwij9gvbyy6gsslituzylfriqlyfmucqq8swxifi63qwvrx3z3qj0lx/xp9g/0gt7b8ebjskavj9g45n33ryx47hgxny6p5dqy/vhj1dwn6w9ffb8xcv1jvdnruwasloqhnixmtfmcmlolbecxyw1i1ks2hk8ont359+ynlzjezszs15ghpinnbklqf5grfefwfcjyw770dwiniaznuxapsqmcbx9pireaciymwtidkgebjndm2ipe6ipw34ara5kih7xgxxmst8nohudkrktqpjl6hjhmmovyu04t/eq2ncople6p7bidqincrqraoprzaq2en0jizrmvhm92a7a5kqj2vulyjbksucwzfw7m65flglfgfl7ggq4ddr88er6qfoljboco0fkzzbie/bhehejudejwmjqytywopclsr/bxfauyhwo2bks9a2oascpk9u5qyqg7o1djigccswgycjdxv6nhjfwgp6himcuzwty3qh5lze+rqqwwkk1unzg9ufn7pvpzq3wnkc07n9eawtosb2fhprak2twfopaagfncyjjcr1pjoop02j/cifymtmyo95f3+y0o+wb+0fybztedy77g0sr0udrpgpsukgmuqw7y9srilaccrfc3laxcukolzgubbfek8qpmiutzazkd5eoaahm3u4osgbmjiuxmim2nxfvxpkhu8vcju97rwkak3rglotc7d39khhwzagvewwi1ry14nmimlclf28bssr3vxegmvrymgy7i0pnzab14v2j7gdno+0q4687mwefkhnxvtfew6/phd6ud+b1vwpv1ko1h7vftd+1p8t/61v1on6eldawqp7x3skp7/4dhx9jew==</latexit> <latexit sha1_base64="k13fgrgg9soel88yaku0rsjhade=">aaaefxichvnntxsxef1cwij9gvbyy6gsslituzylfriqlyfmucqq8swxifi63qwvrx3z3qj0lx/xp9g/0gt7b8ebjskavj9g45n33ryx47hgxny6p5dqy/vhj1dwn6w9ffb8xcv1jvdnruwasloqhnixmtfmcmlolbecxyw1i1ks2hk8ont359+ynlzjezszs15ghpinnbklqf5grfefwfcjyw770dwiniaznuxapsqmcbx9pireaciymwtidkgebjndm2ipe6ipw34ara5kih7xgxxmst8nohudkrktqpjl6hjhmmovyu04t/eq2ncople6p7bidqincrqraoprzaq2en0jizrmvhm92a7a5kqj2vulyjbksucwzfw7m65flglfgfl7ggq4ddr88er6qfoljboco0fkzzbie/bhehejudejwmjqytywopclsr/bxfauyhwo2bks9a2oascpk9u5qyqg7o1djigccswgycjdxv6nhjfwgp6himcuzwty3qh5lze+rqqwwkk1unzg9ufn7pvpzq3wnkc07n9eawtosb2fhprak2twfopaagfncyjjcr1pjoop02j/cifymtmyo95f3+y0o+wb+0fybztedy77g0sr0udrpgpsukgmuqw7y9srilaccrfc3laxcukolzgubbfek8qpmiutzazkd5eoaahm3u4osgbmjiuxmim2nxfvxpkhu8vcju97rwkak3rglotc7d39khhwzagvewwi1ry14nmimlclf28bssr3vxegmvrymgy7i0pnzab14v2j7gdno+0q4687mwefkhnxvtfew6/phd6ud+b1vwpv1ko1h7vftd+1p8t/61v1on6eldawqp7x3skp7/4dhx9jew==</latexit> <latexit sha1_base64="k13fgrgg9soel88yaku0rsjhade=">aaaefxichvnntxsxef1cwij9gvbyy6gsslituzylfriqlyfmucqq8swxifi63qwvrx3z3qj0lx/xp9g/0gt7b8ebjskavj9g45n33ryx47hgxny6p5dqy/vhj1dwn6w9ffb8xcv1jvdnruwasloqhnixmtfmcmlolbecxyw1i1ks2hk8ont359+ynlzjezszs15ghpinnbklqf5grfefwfcjyw770dwiniaznuxapsqmcbx9pireaciymwtidkgebjndm2ipe6ipw34ara5kih7xgxxmst8nohudkrktqpjl6hjhmmovyu04t/eq2ncople6p7bidqincrqraoprzaq2en0jizrmvhm92a7a5kqj2vulyjbksucwzfw7m65flglfgfl7ggq4ddr88er6qfoljboco0fkzzbie/bhehejudejwmjqytywopclsr/bxfauyhwo2bks9a2oascpk9u5qyqg7o1djigccswgycjdxv6nhjfwgp6himcuzwty3qh5lze+rqqwwkk1unzg9ufn7pvpzq3wnkc07n9eawtosb2fhprak2twfopaagfncyjjcr1pjoop02j/cifymtmyo95f3+y0o+wb+0fybztedy77g0sr0udrpgpsukgmuqw7y9srilaccrfc3laxcukolzgubbfek8qpmiutzazkd5eoaahm3u4osgbmjiuxmim2nxfvxpkhu8vcju97rwkak3rglotc7d39khhwzagvewwi1ry14nmimlclf28bssr3vxegmvrymgy7i0pnzab14v2j7gdno+0q4687mwefkhnxvtfew6/phd6ud+b1vwpv1ko1h7vftd+1p8t/61v1on6eldawqp7x3skp7/4dhx9jew==</latexit> First example: Hash-and-MAC Let =(Mac,Vrfy) be a MAC for messages of length `(n), and H = (Gen H,H) be a hash function with output length `(n). Construct a MAC 0 =(Gen 0,Mac 0,Vrfy 0 ) for arbitrary-length messages as: Gen 0 : on input 1 n choose a uniform key k 2 {0, 1} n and run Gen H (1 n )to obtain s. Thekeyisk 0 := hk, si Mac 0 : on input hk, si and m 2 {0, 1}, output t Mac k (H s (m)) Vrfy 0 : on input hk, si,m 0,t, output 1 i Vrfy k (H s (m 0 ),t)? =1

16 Proof Intuitively, if an attacker can develop a message/tag pair that has not been queried before, either: The attacker found a colliding message with a previouslyseen tag The attacker forged a new tag on a new message

17 Proof Collision found

18 Proof Tag forged

19 Second example: hashing with a key The previous construction still requires another secure MAC in addition to a hash It is possible (and more efficient) to build a MAC directly from a hash function Could we introduce a key into the message and hash?

20 Hashing a key and a message Construction: Gen : generate a uniformly random k {0,1} n and s using Gen H (1 n ) Mac : generate t H s (k m) Vrfy : output 1 iff H s (k m ) = t Is it secure? Consider a Merkle-Damgård hash. How can we break this MAC?

21 A secure version: HMAC An industry standard, HMAC, is built on this concept HMAC hashes the output of the previous hash Incorporates additional values to reduce the assumptions required of the hash function

22 HMAC

23 Security Informally, HMAC can be seen as a "hash-then-mac" construction where the second MAC is for fixed-length messages Note this solves the issues with using Merkle-Damgård hashes as a MAC The use of two pads on the inner and outer hash emulates the creation of two separate keys Assuming the hash function behaves like a PRG Theorem statement Proof is relatively involved, so we skip

24 Hashing in practice: MD5 128-bit output hash based on Merkle-Damgård Developed in 1991 and used widely Multiple collisions have been found, as well as techniques for generating collisions

25 Hashing in practice: SHA-X A family of hash functions developed starting in the early 90's Output lengths of 160, 256, and 512 bits SHA-0,1,2 all composed of special-purpose block ciphers using the Davies-Meyer compression function and the Merkle-Damgård domain extension transform SHA-3 developed through a NIST bake-off, does not use standard D-M compression functions or the M-D transform Further study in progress

26 Attacks on hash functions Given these handy constructions, how difficult is "finding a collision"? There may be attacks that are specific to different compression functions A brute-force attack tries 2L + 1 inputs, guaranteeing a collision There are probabilistic attacks that are more effective than you might think

27 The Birthday Problem Given a group of people, we consider birthdays as "hashes of people" A collision happens when two people share the same birthday How many people are needed for the collision probability to be over 1/2? Let's try it!

28 The Birthday Bound Appendix A proves that you need roughly n people to get the collision probability to 1/2 How many queries does this imply for our hash functions? How can we relate hash length to security achieved?

29 Additional Applications Hashes are also commonly used to fingerprint files Examples include malware signatures, cloud deduplication, and peer-to-peer file search For large numbers of files, the stored fingerprints can be combined into a Merkle tree An alternative to the Merkle-Damgård construction for domain extension

30 Additional Applications Storing hashed passwords is a common way to thwart attackers who have breached a server's repository of credentials Password salting ensures that an adversary must brute force each password hash instead of maintaining a lookup table A hash chain uses preimage-resistance to create a chain of authentication values that can be used and discarded over time E.g., RSA authentication tokens

31 Additional Applications Assuming high-entropy input, hash functions can be used to generate secret keys Commitment schemes provide a cryptographic protocol for having a party "commit" to a value that remains hidden until the commitment is "opened" Must be both "hiding" and "binding" More (public-key) applications in the coming weeks!

32 Recap Hash functions map arbitrary-length strings to fixedlength outputs Cryptographic hashes should be collision-resistant Implying preimage-resistance In the symmetric-key setting, hash functions are useful for building efficient MACs The birthday bound provides a rule of thumb for the expected concrete security of any hash function

33 Next Time... Fall break Midterm exam Covers chapters 1-5 Open book/note Please be tidy Bring a calculator 33

34 Review: Introduction What is the difference between modern and ancient cryptography? Example schemes Rotation (shift) cipher Vigenere cipher Monoalphabetic substitution Lessons learned?

35 Review: Perfect Secrecy Probability concepts Definitions of perfect secrecy There are four The one-time pad Helpful rule for swapping conditional probabilities? What are the limitations?

36 Review: Symmetric Encryption Definitions What assumptions make them computationally secure? Security levels We discussed three definitions for encryption security Basic primitives PRG PRF PRP

37 Review: Symmetric Encryption Constructions Stream ciphers Block ciphers Block cipher modes of operation Pitfalls Generating randomness (e.g., IVs) Requirement for ALL CPA-secure schemes?

38 Review: Message Integrity Definitions Mac-forge and Mac-sforge Security desired Proves who created the message Proves the message wasn t modified Not guaranteed What were some attacks that we had to be concerned with?

39 Review: Message Integrity Constructions with PRFs Basic construction Extending the input size Necessary addition to prevent tampering? Authenticated encryption Two definitions required Three approaches Which one meets both definitions?

40 Review: Hashing Definitions Collision-resistance Target collision-resistance Preimage-resistance (one-way) Domain extension MAC construction(s) Brute-force attacks