Hash Functions

Lecture 6 – Hash functions
1
Basic goals of cryptography
AEAD: AES-GCM
Message integrity /
Message privacy
authentication
Message authentication
Symmetric keys Symmetric encryption
codes (MAC)
Asymmetric encryption
Asymmetric keys (a.k.a. public-key Digital signatures
encryption)
Unkeyed Hash functions
2
Hash function applications
• File storage verification
• Data authentication (MACs and digital signatures)
• Certificates
• Randomness extraction and key derivation (PRFs)
• Password hashing
• Quantum-resistant signatures
• Hash chains (Bitcoin)
3
Hash functions
𝐻∶ℳ→𝒴 ℳ >
≫ 𝒴 ℳ
𝐻
Pre-image
𝒴
Keyless function Compressing

Collision!
Examples: Possible security goals:

• MD5 ∶ 0,1 ∗ → 0,1 128 • Hard to find pre-images
• SHA1 ∶ 0,1 ∗ → 0,1 160 • Hard to find collisions
• SHA2˗256 ∶ 0,1 ∗ → 0,1 256
• SHA2˗512 ∶ 0,1 ∗ → 0,1 512
4
Collision resistance
𝐄𝐱𝐩cr
𝐻 𝐴
1. 𝑋, 𝑋′ ← 𝐴
? ?
2. return 𝐻 𝑋 = 𝐻 𝑋 ′ and 𝑋 ≠ 𝑋′
Wanted intuitive idea:

𝐻 is collision resistant if
𝐀𝐝𝐯𝐻cr 𝐴 is “small” for all
“practical” 𝐴
Definition: The CR-advantage of an adversary 𝐴 against 𝐻 is
𝐀𝐝𝐯𝐻cr 𝐴 = Pr 𝐄𝐱𝐩cr
𝐻 𝐴 ⇒1
5
Collision resistance
𝐄𝐱𝐩cr Since ℳ ≫ 𝒴 , there exists 𝑋 ≠ 𝑋′ s.t. 𝐻 𝑋 = 𝐻 𝑋′

𝐻 𝐴
1. 𝑋, 𝑋′ ← 𝐴
𝑨
?
? ′
2. return 𝐻 𝑋 = 𝐻 𝑋 and 𝑋 ≠ 𝑋′ 𝐀𝐝𝐯𝐻cr 𝐴 = 1
1. Output 𝑋 ≠ 𝑋′
…but how do we actually find 𝑋, 𝑋′?

Wanted intuitive idea: Doesn't work!
𝐻 is collision resistant if
𝐀𝐝𝐯𝐻cr 𝐴 is “small” for all
“practical” 𝐴 There always exists a very efficient 𝐴 with 𝐀𝐝𝐯𝐻cr 𝐴 = 1!
Definition: The CR-advantage of an adversary 𝐴 against 𝐻 is
𝐀𝐝𝐯𝐻cr 𝐴 = Pr 𝐄𝐱𝐩cr
𝐻 𝐴 ⇒1
6
One-way / pre-image security
𝐄𝐱𝐩ow
ℳ
𝐻 𝐴
$
1. 𝑋 ← ℳ
2. 𝑌 ← 𝐻(𝑋) 𝒴
3. 𝑋′ ← 𝐴 𝑌
?
𝐻
4. return 𝐻(𝑋 ′ ) = 𝑌
𝑋 𝑌
𝑋′
Definition: The OW-advantage of an adversary 𝐴 against 𝐻 is
𝐀𝐝𝐯𝐻ow 𝐴 = Pr 𝐄𝐱𝐩cr
𝐻 𝐴 ⇒1
7
Collision resistance vs. one-wayness
𝐄𝐱𝐩cr
𝐻 𝐴 𝐄𝐱𝐩ow
𝐻 𝐴
$
1. 𝑋 ← ℳ
1. 𝑋, 𝑋′ ← 𝐴 2. 𝑌 ← 𝐻(𝑋)
? ?
2. return 𝐻 𝑋 = 𝐻 𝑋 ′ and 𝑋 ≠ 𝑋′ 3. 𝑋′ ← 𝐴 𝑌
?
Theorem: Collision-resistance ⟹ One-wayness
Proof idea: suppose 𝐴ow is an algorithm that breaks one-wayness

$
1. Pick 𝑋 ← ℳ and give 𝑌 ← 𝐻 𝑋 to 𝐴ow
2. 𝐴ow outputs 𝑋′ s.t. 𝐻 𝑋 ′ = 𝑌
3. output (𝑋, 𝑋 ′ ) as a collision
Problem: what if 𝑋 ′ = 𝑋? Very unlikely assuming ℳ ≫ 𝒴
8
Collision resistance vs. one-wayness
𝐄𝐱𝐩cr
𝐻 𝐴 𝐄𝐱𝐩ow
𝐻 𝐴
$
1. 𝑋 ← ℳ
1. 𝑋, 𝑋′ ← 𝐴 2. 𝑌 ← 𝐻(𝑋)
? ?
2. return 𝐻 𝑋 = 𝐻 𝑋 ′ and 𝑋 ≠ 𝑋′ 3. 𝑋′ ← 𝐴 𝑌
?
Theorem: Collision-resistance ⟹ One-wayness
Theorem: Collision-resistance ⟸ One-wayness
256
Suppose 𝐻 ∶ ℳ → 0,1 is one-way. Define
𝐻′ is one-way (if ℳ is large)

′ 0256 if 𝑋 ∈ {0,1}
𝐻 𝑋 =
𝐻 𝑋 otherwise 𝐻′ is not collision-resistant
9
Hash function applications – password storage
Username Password
Alice cat1234
Bob dog
Charlie password1234
Dave batman
… …
DB
10
Username Password
Alice H(cat1234)
Bob H(dog)
Charlie H(password1234)
Dave H(batman)
… …
DB
11
Username Password
Alice 0x1b383a798bc2c5
Bob 0x512df2a1e63860
Charlie 0x26c540082d18cd
Dave 0xe33805da40919f
… …
DB
12
Hash function applications – MAC domain extension
𝑛
MAC ∶ 𝒦 × 0,1 →𝒯
∗ 𝑛
𝐻 ∶ 0,1 → 0,1
∗
MAC′ ∶ 𝒦 × 0,1 →𝒯
MAC ′ 𝐾, 𝑀 = MAC 𝐾, 𝐻 𝑀 Hash-then-MAC paradigm
Theorem: If 𝐻 is collision-resistant and MAC is UF-CMA secure, then MAC′ is UF-CMA secure
Example: Collision-resistance is necessary:

∗ 256
SHA2˗256 ∶ 0,1 → 0,1
Suppose you can find a collision 𝑋, 𝑋′ for 𝐻
2×128 128
AES˗CBC˗MAC ∶ 𝒦 × 0,1 → 0,1
1. Ask for MAC tag on 𝑋 (receive back 𝑇)
MAC′ 𝐾, 𝑀 = AES˗CBC˗MAC 𝐾, SHA2˗256 𝑀 2. Output 𝑋′, 𝑇 as forgery
13
The birthday paradox
Attacks on hash functions
• Specific attacks: exploit internal design of hash function
∗ 𝑛
• Generic attacks: work for all hash functions 𝐻 ∶ 0,1 → 0,1
• Brute-force: hash 𝟏, 𝟐, 𝟑, … , 𝟐𝒏 + 𝟏
• Output must be long enough
𝑛 = 10 requires only 210 + 1 = 1025 values
• 𝑛 = 100 enough?
• Attacker 𝐵
1. pick distinct values 𝑋1 , 𝑋2 , … , 𝑋𝑞 𝑞 ≪ 2𝑛
2. hash every value
3. look for collisions
What's 𝐀𝐝𝐯𝐻cr 𝐵 ?
15
Birthday attack
0 1 ⋯ 𝑁
𝑌3 𝑌1 𝑌6 𝑌2 𝑌𝑞 𝑌5 𝑌4
𝑌1 ← 𝐻(𝑋1 )
𝑌2 ← 𝐻(𝑋2 )
𝑌3 ← 𝐻(𝑋3 )
𝑌4 ← 𝐻(𝑋4 )
𝑌5 ← 𝐻(𝑋5 )
𝑌6 ← 𝐻(𝑋6 )
𝑌𝑞 ← 𝐻(𝑋𝑞 )
16
Birthday attack
0 1 ⋯ 𝑁
𝑌3 𝑌1 𝑌𝑌6𝑖 𝑌2 𝑌𝑞 𝑌5 𝑌4
𝑌1 ← 𝐻(𝑋1 )
𝑌2 ← 𝐻(𝑋2 )
𝐀𝐝𝐯𝐻cr 𝐵 = Pr coll = Pr ∃𝑖 ≠ 𝑗 ∶ 𝐻 𝑋𝑖 = 𝐻(𝑋𝑗 )
𝑌3 ← 𝐻(𝑋3 )
𝑌4 ← 𝐻(𝑋4 )
𝑌5 ← 𝐻(𝑋5 )
𝑌6 ← 𝐻(𝑋6 )
𝑌𝑖 ← 𝐻(𝑋𝑖 )
𝑌𝑞 ← 𝐻(𝑋𝑞 )
17
Birthday attack
0 1 ⋯ 𝑁
𝑌1 ← 𝜌(𝑋1 )
𝑌2 ← 𝜌(𝑋2 )
𝐀𝐝𝐯𝐻cr 𝐵 = Pr coll = Pr ∃𝑖 ≠ 𝑗 ∶ 𝜌 𝑋𝑖 = 𝜌(𝑋𝑗 )
𝑌3 ← 𝜌(𝑋3 )
𝑌4 ← 𝜌(𝑋4 )
𝑌5 ← 𝜌(𝑋5 )
𝑌6 ← 𝜌(𝑋6 )
𝑋1 , 𝑋2 , … , 𝑋𝑞 are distinct
𝑌𝑖 ← 𝜌(𝑋𝑖 )
𝑌𝑞 ← 𝜌(𝑋𝑞 )
18
Birthday attack
0 1 ⋯ 𝑁
𝑌1 ←$ 𝒴
𝑌2 ←$ 𝒴
𝐀𝐝𝐯𝐻cr 𝐵 = Pr coll = Pr ∃𝑖 ≠ 𝑗 ∶ 𝑌𝑖 = 𝑌𝑗
𝑌3 ←$ 𝒴
𝑌4 ←$ 𝒴
𝑌5 ←$ 𝒴
𝑌6 ←$ 𝒴
𝑋1 , 𝑋2 , … , 𝑋𝑞 are distinct
𝑌𝑖 ←$ 𝒴
$
𝑌𝑞 ← 𝒴
19
Birthday attack
0 1 ⋯ 𝑁
Pr coll = 1 − Pr no˗coll ≥ 1 − 𝑒 −𝑞(𝑞−1)/2𝑁
𝑁−1 𝑁−2 𝑁−3 𝑁− 𝑞−1

Pr no˗coll = 1 × × × ⋯ × 1 − 𝑥 ≤ 𝑒 −𝑥 𝑥≥0
𝑁 𝑁 𝑁 𝑁
1 2 3 𝑞−1 𝑖
=1× 1− × 1− × 1− ⋯ × 1− (1 − 𝑥) = 1 −
𝑁 𝑁 𝑁 𝑁 𝑁
𝑥 𝑥2 𝑥3 𝑥4
𝑞−1 𝑒 −𝑥 =1− + − + +⋯
1! 2! 3! 4!
𝑖
= 1−
𝑁
𝑖=1
𝑞−1
≤ 𝑒 −𝑖/𝑁 = 𝑒 − 1+2+⋯+𝑞−1 /𝑁 = 𝑒 −𝑞(𝑞−1)/2𝑁

𝑖=1
20
Birthday attack
0 1 ⋯ 𝑁
𝑞(𝑞 − 1)
Pr coll = 1 − Pr no˗coll ≥ 1 − 𝑒 −𝑞(𝑞−1)/2𝑁 ≥ 0.6 ×
2𝑁
1 − 𝑒 −𝑥
𝑞 < 2𝑁
21
Birthday attack
0 1 ⋯ 𝑁
𝑞 𝑞−1
0.6 × ≤ Pr coll = Pr[𝑌1 ∨ 𝑌2 ∨ ⋯ ∨ 𝑌𝑞 ]
2𝑁
≤ Pr 𝑌1 + Pr 𝑌2 + ⋯ + Pr 𝑌𝑞
0 1 𝑞−1
≤ + + ⋯+
𝑁 𝑁 𝑁
𝑞 𝑞−1
=
2𝑁
22
Birthday attack
0 1 ⋯ 𝑁
Pr coll = 0.5:
𝑞 𝑞−1 𝑞 𝑞−1 𝑞≈ 𝑁
0.6 × ≤ Pr coll ≤
2𝑁 2𝑁
𝑁 𝑞
365 23
106 1000
264 232
280 240
Birthday bound:
2
2256 2128
𝑞
Pr coll ≈ (𝑞 ≤ 2𝑁) 2512 2256
2𝑁
23
𝑁 = 106
24
Attacks on hash functions
• Specific attacks: exploit internal design of hash function
∗ 𝑛
• Generic attacks: work for all hash functions 𝐻 ∶ 0,1 → 0,1
• Brute-force: hash 𝟏, 𝟐, 𝟑, … , 𝟐𝒏 + 𝟏
• Output must be long enough
𝑛 = 10 requires only 210 + 1 = 1025 values
• 𝑛 = 100 enough? No! Must take birthday attack into account: 𝑛 / 2 must be large enough
• Attacker 𝐵
1. pick distinct values 𝑋1 , 𝑋2 , … , 𝑋𝑞 𝑞 ≪ 2𝑛
2. hash every value
3. look for collisions
What's 𝐀𝐝𝐯𝐻cr 𝐵 ?
25
Designing hash functions
Merkle-Damgård
𝑛+𝑏 𝑛
• Suppose we have a compression function ℎ ∶ 0,1 → 0,1 which is collision-resistant
∗ 𝑛
• Want to create a hash function 𝐻 ∶ 0,1 → 0,1
• Solution: iterate ℎ
27
Merkle-Damgård
∗ 𝑛
𝐻 ∶ 0,1 → 0,1
𝐻 𝑀 = ℎ ℎ ⋯ ℎ ℎ 𝐼𝑉||𝑀1 || 𝑀2 ⋯ || 𝑀𝑛−1 || 𝑀𝑛
𝑀1 𝑀2 𝑀3 𝑀4
𝐼𝑉
𝑛+𝑏 𝑛
ℎ ∶ 0,1 → 0,1
28
Merkle-Damgård
∗ 𝑛
𝐻 ∶ 0,1 → 0,1
𝐻 𝑀 = ℎ ℎ ⋯ ℎ ℎ 𝐼𝑉||𝑀1 || 𝑀2 ⋯ || 𝑀𝑛−1 || 𝑀𝑛
𝑀1 𝑀2 𝑀3 𝑀4 || pad 𝑀
𝐼𝑉
𝑛+𝑏 𝑛
ℎ ∶ 0,1 → 0,1
29
Merkle-Damgård
∗ 𝑛
𝐻 ∶ 0,1 → 0,1
𝐻 𝑀 = ℎ ℎ ⋯ ℎ ℎ 𝐼𝑉||𝑀1 || 𝑀2 ⋯ || 𝑀𝑛−1 || 𝑀𝑛
𝑀1 𝑀2 𝑀3 𝑀4 || 𝑀
𝐼𝑉
𝑛+𝑏 𝑛
ℎ ∶ 0,1 → 0,1
30
Merkle-Damgård – security
𝑛+𝑏 𝑛 ∗ 𝑛
Theorem: If ℎ ∶ 0,1 → 0,1 is collistion resistant then 𝐻 ∶ 0,1 → 0,1 is collisition resistant
Proof idea:
Collison on 𝐻 ⟹ collision on ℎ
If 𝐻 𝑋 = 𝐻(𝑌) then we can construct 𝑋 ′ , 𝑌′ such that ℎ 𝑋 ′ = ℎ 𝑌 ′
31
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝑋1 𝑋2 𝑋18 𝑋19 𝑋20
𝐼𝑉 ⋯ 𝑍
𝑌1 𝑌2 𝑌3
𝐼𝑉 𝑍
32
𝑋1 𝑋2 𝑋18 𝑋19 … || 𝑋
𝐼𝑉 ⋯ 𝑍
𝑌1 𝑌2 … || 𝑌
𝐼𝑉 𝑍
33
𝑋1 𝑋2 𝑋18 𝑋19 𝑋20
𝐼𝑉 ⋯ 𝑍
𝑌1 𝑌2 𝑌18 𝑌19 𝑌20
𝐼𝑉 ⋯ 𝑍
34
𝑋1 𝑋2 𝑋18 𝑋19 𝑋20
𝐼𝑉 ⋯ 𝑉20
𝑍
𝑌1 𝑌2 𝑌18 𝑌19 𝑌20
𝐼𝑉 ⋯ ′
𝑉20
𝑍
35
𝑋1 𝑋2 𝑋18 𝑋19 𝑋20
Case 1: 𝑋20 ≠ 𝑌20

𝐼𝑉 ⋯ 𝑉20
𝑍
′
Case 2: 𝑉20 ≠ 𝑉20
𝑌1 𝑌2 𝑌18 𝑌19 𝑌20
𝐼𝑉 ⋯ ′
𝑉20
𝑍
36
𝑋1 𝑋2 𝑋18 𝑋19
Case 1: 𝑋20 ≠ 𝑌20

𝐼𝑉 ⋯ 𝑉20
𝑍
′
Case 2: 𝑉20 ≠ 𝑉20
′
𝑌1 𝑌Case 3: 𝑋20 = 𝑌20 and 𝑉20 = 𝑉20 ⟹𝑌 no collision 𝑌19
2 18
𝐼𝑉 ⋯ 𝑉20
𝑍
37
𝑋1 𝑋2 𝑋18 𝑋19
𝐼𝑉 Case 1: 𝑋19 ≠ 𝑌19

⋯ 𝑉19 𝑉20
𝑍
′
Case 2: 𝑉19 ≠ 𝑉19
𝑌1 𝑌 ′ 𝑌 𝑌19
Case 3:2 𝑋19 = 𝑌19 and 𝑉19 = 𝑉19 18
⟹ no collision
𝐼𝑉 ⋯ ′
𝑉19 𝑉20
𝑍
38
𝑋1 𝑋2 𝑋18
𝐼𝑉 Case 1: 𝑋19 ≠ 𝑌19

⋯ 𝑉19 𝑉20
𝑍
′
Case 2: 𝑉19 ≠ 𝑉19
𝑌1 𝑌 ′ 𝑌
Case 3:2 𝑋19 = 𝑌19 and 𝑉19 = 𝑉19 18
⟹ no collision
𝐼𝑉 ⋯ 𝑉19 𝑉20
𝑍
39
𝑋1 𝑋2 𝑋18
𝐼𝑉 ⋯ 𝑉19
𝑍
𝑌1 𝑌2 𝑌18
𝐼𝑉 ⋯ 𝑉19
𝑍
40
𝑋1 𝑋2 𝑋18
𝐼𝑉 ⋯ 𝑍
𝑌1 𝑌2 𝑌18
𝐼𝑉 ⋯ 𝑍
41
𝑋1
𝐼𝑉
𝑉1 𝑉2
⋯
Case 1: 𝑋1 ≠ 𝑌1 𝑍
Case 2: 𝑉1 ≠ 𝑉1′
𝑌1
Case 3: 𝑋1 = 𝑌1 and 𝑉1 = 𝑉1′ ⟹ no collision
𝐼𝑉
𝑉1 𝑉2
⋯ 𝑍
42
Compression function designs
∗ 𝑛 𝑏+𝑛 𝑛
• Merkle-Damgård creates collision resistant 𝐻 ∶ 0,1 → 0,1 from collision resistant ℎ ∶ 0,1 → 0,1
𝐻 ∶ 0,1 ∗ → 0,1 𝑛
• Need only focus on compression function

𝑀1 𝑀2 𝑀3 𝑀4 || 𝑀
𝑏+𝑛 𝑛
ℎ ∶ 0,1 → 0,1
𝐼𝑉
• Many design options for ℎ

• Ad-hoc
• Structured
43
Compression functions from block ciphers – Davies-Meyer
𝑘 + 𝑛 bits
𝑀 = 𝑀1 || 𝑀2
𝑀1
𝑀2 𝐸 𝑍
44
Compression functions from block ciphers – Davies-Meyer
𝑘 + 𝑛 bits
𝑀 = 𝑀1 || 𝑀2
𝑀1
𝑀2 𝐸 𝑍 DM 𝑀 = 𝐸𝑀1 𝑀2 ⊕ 𝑀2
𝑘+𝑛 𝑛
Theorem: DM ∶ 0,1 → 0,1 is a collision resistance compression function in the ideal cipher model
45
Alternatives…
Davies-Mayer
Black, Rogaway & Shrimpton: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV; CRYPTO'02
46
SHA – Secure Hash Algorithm
• Family of hash functions published by NIST
• SHA1 in 1995
• SHA2-256 and SHA2-512 in 2001
• Also truncated versions: SHA2-224, SHA2-384
• SHA3-256 and SHA3-512 in 2015
• SHA1 and SHA2 designed by NSA

• Merkle-Damgård + Davies-Meyer designs
• SHA3 designed by Belgian cryptographers

• Sponge design
47
SHA1
𝐸(𝑀𝑖 , 𝑉𝑖 )
Merkle-Damgård 𝐴1 ← 𝑉𝑖,1 for 𝑗 = 1 … 16 do
𝐵1 ← 𝑉𝑖,2 𝑊𝑗 ← 𝑀𝑖,𝑗
𝐶1 ← 𝑉𝑖,3 for 𝑗 = 17 … 80 do
𝐷1 ← 𝑉𝑖,4 𝑊𝑗 ← 𝑊𝑗−16 ⊕ 𝑊𝑗−14 ⊕ 𝑊𝑗−8 ⊕ 𝑊𝑗−3
𝐸1 ← 𝑉𝑖,5 ⋘1
𝑀1 𝑀2 𝑀𝑛 ||pad
𝐼𝑉 𝐸 𝐸 ⋯ 𝐸 𝑇
Davies-Mayer Repeat
80 times
frac32 2
512 160 160
𝐸 ∶ 0,1 × 0,1 → 0,1
frac32 3
𝒋 𝑲𝒋 𝑭𝒋 𝑩, 𝑪, 𝑫
1 … 20 5A827999 𝐵∧𝐶 ∨ 𝐵∧𝐷
frac32 5
21 … 40 6ED9EBA1 𝐵⊕𝐶⊕𝐷
IV = 67452301 || EFCDAB89 ||98BADCFE || 10325476 ||C3D2E1F0
41 … 60 8F1BBCDC 𝐵∧𝐶 ∨ 𝐵∧𝐷 ∨ 𝐶∧𝐷
frac32 10 61 … 80 CA62C1D6 𝐵⊕𝐶⊕𝐷
48
SHA0
𝐴1 ← 𝑉𝑖,1 for 𝑗 = 1 … 16 do
𝐵1 ← 𝑉𝑖,2 𝑊𝑗 ← 𝑀𝑖,𝑗
𝐶1 ← 𝑉𝑖,3 for 𝑗 = 17 … 80 do
𝐷1 ← 𝑉𝑖,4 𝑊𝑗 ← 𝑊𝑗−16 ⊕ 𝑊𝑗−14 ⊕ 𝑊𝑗−8 ⊕ 𝑊𝑗−3
𝐸1 ← 𝑉𝑖,5 ⋘1
𝑀1 𝑀2 𝑀𝑛 ||pad
𝐼𝑉 𝐸 𝐸 ⋯ 𝐸 𝑇 SHA1
Repeat
80 times
512 160 160

𝐸 ∶ 0,1 × 0,1 → 0,1
𝒋 𝑲𝒋 𝑭𝒋 𝑩, 𝑪, 𝑫
1 … 20 5A827999 𝐵∧𝐶 ∨ 𝐵∧𝐷
21 … 40 6ED9EBA1 𝐵⊕𝐶⊕𝐷
IV = 67452301 || EFCDAB89 ||98BADCFE || 10325476 ||C3D2E1F0
41 … 60 8F1BBCDC 𝐵∧𝐶 ∨ 𝐵∧𝐷 ∨ 𝐶∧𝐷
61 … 80 CA62C1D6 𝐵⊕𝐶⊕𝐷
49
Attacks against SHA1
• 2004: First SHA0 collision found (Wang et al.)
• 2005: Theoretical attack on SHA1 (269 ops.)
• 2017: First SHA1 collision found (263.1 ops.)

(Stevens & Karpman + Google 2017)
SHA2
𝐴1 ← 𝑉𝑖,1
𝐵1 ← 𝑉𝑖,2 for 𝑗 = 1 … 16 do
𝐶1 ← 𝑉𝑖,3 𝑊𝑗 ← 𝑀𝑖,𝑗
𝐷1 ← 𝑉𝑖,4 for 𝑗 = 17 … 64 do
𝐸1 ← 𝑉𝑖,5 𝜎0 ← ROTR7 (𝑊𝑗−15 ) ⊕ ROTR18 (𝑊𝑗−15 ) ⊕ SHR3 (𝑊𝑗−15 )
𝑀1 𝑀2 𝑀𝑛 ||pad 𝐹1 ← 𝑉𝑖,6 𝜎1 ← ROTR17 (𝑊𝑗−2 ) ⊕ ROTR19 (𝑊𝑗−2 ) ⊕ SHR10 (𝑊𝑗−2 )
𝐺1 ← 𝑉𝑖,7 𝑊𝑗 ← 𝑊𝑗−16 + 𝜎0 + 𝑊𝑖−7 + 𝜎1
𝐻1 ← 𝑉𝑖,8
𝐼𝑉 𝐸 𝐸 ⋯ 𝐸 𝑇
𝑗
512 256 256
𝐸 ∶ 0,1 × 0,1 → 0,1
Repeat
64 times
1024 512 512
𝐸 ∶ 0,1 × 0,1 → 0,1
51
MACs from hash functions – 𝑯(𝑲 || 𝑴)
• Doesn't work in general
• Length-extension attacks on Merkle-Damgård hash functions
𝐻 𝐾||𝑀
𝐾 𝑀 pad 𝐾|𝑀
𝐼𝑉
𝑇
𝐻 𝐾||𝑀 𝐻 𝐾||𝑀||pad 𝐾|𝑀
𝐾 𝑀 pad 𝐾|𝑀 pad 𝐾|𝑀|pad 𝐾|𝑀
𝐼𝑉
𝑇 𝑇′
𝐻 𝐾||𝑀 𝐻 𝐾||𝑀||pad 𝐾|𝑀 ||𝑋1 ||𝑋2 || ⋯ ||𝑋𝑡
𝐾 𝑀 pad 𝐾|𝑀 𝑋1 𝑋2 𝑋𝑡 pad …
𝐼𝑉 ⋯
𝑇 𝑇′
NMAC
𝑀1 𝑀2 𝑀𝑡 ||pad
𝐾1′ ⋯
𝑇 ′ ||pad
𝐾2′ 𝑇
Theorem (Gaži, Pietrzak, Rybár ‘2014):

𝑛 𝑏 𝑛 𝑛 ∗ 𝑛
If ℎ ∶ 0,1 × 0,1 → 0,1 is a secure PRF then NMAC ∶ 0,1 × 0,1 → 0,1 is a secure PRF.
55
HMAC
𝐻 𝐾 ⊕ ipad || 𝑀
𝐾1 𝑀1 𝑀2 𝑀𝑡 ||pad
𝐼𝑉
𝐾1′
⋯
𝐾2 𝑇 ′ ||pad 𝐻 𝐾 ⊕ opad || …
𝐾1 = 𝐾 ⊕ ipad
𝐼𝑉 𝑇
𝐾2 = 𝐾 ⊕ opad 𝐾2′
HMAC 𝐾, 𝑀 = 𝐻 𝐾 ⊕ opad || 𝐻 𝐾 ⊕ ipad || 𝑀
56
HMAC
𝐾 ⊕ ipad
• Very widely used 𝐾1 𝑀1 𝑀2 𝑀𝑡 ||pad
• TLS
𝐼𝑉 ⋯
• IPsec
𝐾 ⊕ opad
• SSH 𝐾2 𝑇 ′ ||pad
• LTE
• … 𝐼𝑉 𝑇
• Standardized by NIST and IETF (RFC 2104) HMAC 𝐾, 𝑀 = 𝐻 𝐾 ⊕ opad || 𝐻 𝐾 ⊕ ipad || 𝑀
• Security proof for NMAC can be lifted to HMAC:

• + assume ℎ is a secure dual PRF (ℎ keyed through the message is also a secure PRF)
• + assume ℎ is secure against related-key attacks (since 𝐾1 , 𝐾2 are derived from 𝐾)
• very tricky proof; controversies
SHA3
1600 1600
𝑓 ∶ 0,1 → 0,1
Absorption phase Squeezing phase

Hash Functions

Uploaded by

Copyright:

Available Formats

You might also like

Hash Functions

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Hash Functions

Uploaded by

Copyright:

Available Formats

Lecture 6 – Hash functions

Unkeyed Hash functions

• Data authentication (MACs and digital signatures)

• Randomness extraction and key derivation (PRFs)

• Hash chains (Bitcoin)

Keyless function Compressing

Examples: Possible security goals:

• SHA2˗512 ∶ 0,1 ∗ → 0,1 512

Wanted intuitive idea:

Definition: The CR-advantage of an adversary 𝐴 against 𝐻 is

𝐄𝐱𝐩cr Since ℳ ≫ 𝒴 , there exists 𝑋 ≠ 𝑋′ s.t. 𝐻 𝑋 = 𝐻 𝑋′

…but how do we actually find 𝑋, 𝑋′?

Definition: The CR-advantage of an adversary 𝐴 against 𝐻 is

Definition: The OW-advantage of an adversary 𝐴 against 𝐻 is

Theorem: Collision-resistance ⟹ One-wayness

Proof idea: suppose 𝐴ow is an algorithm that breaks one-wayness

Problem: what if 𝑋 ′ = 𝑋? Very unlikely assuming ℳ ≫ 𝒴

Theorem: Collision-resistance ⟹ One-wayness

Theorem: Collision-resistance ⟸ One-wayness

𝐻′ is one-way (if ℳ is large)

MAC ′ 𝐾, 𝑀 = MAC 𝐾, 𝐻 𝑀 Hash-then-MAC paradigm

Example: Collision-resistance is necessary:

• Specific attacks: exploit internal design of hash function

Pr coll = 1 − Pr no˗coll ≥ 1 − 𝑒 −𝑞(𝑞−1)/2𝑁

𝑁−1 𝑁−2 𝑁−3 𝑁− 𝑞−1

≤ 𝑒 −𝑖/𝑁 = 𝑒 − 1+2+⋯+𝑞−1 /𝑁 = 𝑒 −𝑞(𝑞−1)/2𝑁

• Specific attacks: exploit internal design of hash function

If 𝐻 𝑋 = 𝐻(𝑌) then we can construct 𝑋 ′ , 𝑌′ such that ℎ 𝑋 ′ = ℎ 𝑌 ′

𝑋1 𝑋2 𝑋18 𝑋19 𝑋20

𝑋1 𝑋2 𝑋18 𝑋19 𝑋20

𝑌1 𝑌2 𝑌18 𝑌19 𝑌20

𝑋1 𝑋2 𝑋18 𝑋19 𝑋20

𝑌1 𝑌2 𝑌18 𝑌19 𝑌20

𝑋1 𝑋2 𝑋18 𝑋19 𝑋20

Case 1: 𝑋20 ≠ 𝑌20

𝑌1 𝑌2 𝑌18 𝑌19 𝑌20

Case 1: 𝑋20 ≠ 𝑌20

𝐼𝑉 Case 1: 𝑋19 ≠ 𝑌19

𝐼𝑉 Case 1: 𝑋19 ≠ 𝑌19

• Need only focus on compression function

• Many design options for ℎ

• SHA1 and SHA2 designed by NSA

• SHA3 designed by Belgian cryptographers

512 160 160

• 2004: First SHA0 collision found (Wang et al.)

• 2005: Theoretical attack on SHA1 (269 ops.)

• 2017: First SHA1 collision found (263.1 ops.)

• Doesn't work in general

• Length-extension attacks on Merkle-Damgård hash functions

• Doesn't work in general

• Length-extension attacks on Merkle-Damgård hash functions

𝐻 𝐾||𝑀 𝐻 𝐾||𝑀||pad 𝐾|𝑀

𝐾 𝑀 pad 𝐾|𝑀 pad 𝐾|𝑀|pad 𝐾|𝑀

• Doesn't work in general

• Length-extension attacks on Merkle-Damgård hash functions

𝐻 𝐾||𝑀 𝐻 𝐾||𝑀||pad 𝐾|𝑀 ||𝑋1 ||𝑋2 || ⋯ ||𝑋𝑡

𝐾 𝑀 pad 𝐾|𝑀 𝑋1 𝑋2 𝑋𝑡 pad …