Professional Documents
Culture Documents
Hash Functions
Hash Functions
Hash Functions
1
Basic goals of cryptography
AEAD: AES-GCM
Message integrity /
Message privacy
authentication
Message authentication
Symmetric keys Symmetric encryption
codes (MAC)
Asymmetric encryption
Asymmetric keys (a.k.a. public-key Digital signatures
encryption)
2
Hash function applications
• File storage verification
• Certificates
• Password hashing
• Quantum-resistant signatures
3
Hash functions
𝐻∶ℳ→𝒴 ℳ >
≫ 𝒴 ℳ
𝐻
Pre-image
𝒴
4
Collision resistance
𝐄𝐱𝐩cr
𝐻 𝐴
1. 𝑋, 𝑋′ ← 𝐴
? ?
2. return 𝐻 𝑋 = 𝐻 𝑋 ′ and 𝑋 ≠ 𝑋′
𝐀𝐝𝐯𝐻cr 𝐴 = Pr 𝐄𝐱𝐩cr
𝐻 𝐴 ⇒1
5
Collision resistance
1. 𝑋, 𝑋′ ← 𝐴
𝑨
?
? ′
2. return 𝐻 𝑋 = 𝐻 𝑋 and 𝑋 ≠ 𝑋′ 𝐀𝐝𝐯𝐻cr 𝐴 = 1
1. Output 𝑋 ≠ 𝑋′
𝐀𝐝𝐯𝐻cr 𝐴 = Pr 𝐄𝐱𝐩cr
𝐻 𝐴 ⇒1
6
One-way / pre-image security
𝐄𝐱𝐩ow
ℳ
𝐻 𝐴
$
1. 𝑋 ← ℳ
2. 𝑌 ← 𝐻(𝑋) 𝒴
3. 𝑋′ ← 𝐴 𝑌
?
𝐻
4. return 𝐻(𝑋 ′ ) = 𝑌
𝑋 𝑌
𝑋′
𝐀𝐝𝐯𝐻ow 𝐴 = Pr 𝐄𝐱𝐩cr
𝐻 𝐴 ⇒1
7
Collision resistance vs. one-wayness
𝐄𝐱𝐩cr
𝐻 𝐴 𝐄𝐱𝐩ow
𝐻 𝐴
$
1. 𝑋 ← ℳ
1. 𝑋, 𝑋′ ← 𝐴 2. 𝑌 ← 𝐻(𝑋)
? ?
2. return 𝐻 𝑋 = 𝐻 𝑋 ′ and 𝑋 ≠ 𝑋′ 3. 𝑋′ ← 𝐴 𝑌
?
4. return 𝐻(𝑋 ′ ) = 𝑌
8
Collision resistance vs. one-wayness
𝐄𝐱𝐩cr
𝐻 𝐴 𝐄𝐱𝐩ow
𝐻 𝐴
$
1. 𝑋 ← ℳ
1. 𝑋, 𝑋′ ← 𝐴 2. 𝑌 ← 𝐻(𝑋)
? ?
2. return 𝐻 𝑋 = 𝐻 𝑋 ′ and 𝑋 ≠ 𝑋′ 3. 𝑋′ ← 𝐴 𝑌
?
4. return 𝐻(𝑋 ′ ) = 𝑌
256
Suppose 𝐻 ∶ ℳ → 0,1 is one-way. Define
9
Hash function applications – password storage
Username Password
Alice cat1234
Bob dog
Charlie password1234
Dave batman
… …
DB
10
Hash function applications – password storage
Username Password
Alice H(cat1234)
Bob H(dog)
Charlie H(password1234)
Dave H(batman)
… …
DB
11
Hash function applications – password storage
Username Password
Alice 0x1b383a798bc2c5
Bob 0x512df2a1e63860
Charlie 0x26c540082d18cd
Dave 0xe33805da40919f
… …
DB
12
Hash function applications – MAC domain extension
𝑛
MAC ∶ 𝒦 × 0,1 →𝒯
∗ 𝑛
𝐻 ∶ 0,1 → 0,1
∗
MAC′ ∶ 𝒦 × 0,1 →𝒯
Theorem: If 𝐻 is collision-resistant and MAC is UF-CMA secure, then MAC′ is UF-CMA secure
13
The birthday paradox
Attacks on hash functions
∗ 𝑛
• Generic attacks: work for all hash functions 𝐻 ∶ 0,1 → 0,1
• Brute-force: hash 𝟏, 𝟐, 𝟑, … , 𝟐𝒏 + 𝟏
• Output must be long enough
𝑛 = 10 requires only 210 + 1 = 1025 values
• 𝑛 = 100 enough?
• Attacker 𝐵
1. pick distinct values 𝑋1 , 𝑋2 , … , 𝑋𝑞 𝑞 ≪ 2𝑛
2. hash every value
3. look for collisions
What's 𝐀𝐝𝐯𝐻cr 𝐵 ?
15
Birthday attack
0 1 ⋯ 𝑁
𝑌3 𝑌1 𝑌6 𝑌2 𝑌𝑞 𝑌5 𝑌4
𝑌1 ← 𝐻(𝑋1 )
𝑌2 ← 𝐻(𝑋2 )
𝑌3 ← 𝐻(𝑋3 )
𝑌4 ← 𝐻(𝑋4 )
𝑌5 ← 𝐻(𝑋5 )
𝑌6 ← 𝐻(𝑋6 )
𝑌𝑞 ← 𝐻(𝑋𝑞 )
16
Birthday attack
0 1 ⋯ 𝑁
𝑌3 𝑌1 𝑌𝑌6𝑖 𝑌2 𝑌𝑞 𝑌5 𝑌4
𝑌1 ← 𝐻(𝑋1 )
𝑌2 ← 𝐻(𝑋2 )
𝐀𝐝𝐯𝐻cr 𝐵 = Pr coll = Pr ∃𝑖 ≠ 𝑗 ∶ 𝐻 𝑋𝑖 = 𝐻(𝑋𝑗 )
𝑌3 ← 𝐻(𝑋3 )
𝑌4 ← 𝐻(𝑋4 )
𝑌5 ← 𝐻(𝑋5 )
𝑌6 ← 𝐻(𝑋6 )
𝑌𝑖 ← 𝐻(𝑋𝑖 )
𝑌𝑞 ← 𝐻(𝑋𝑞 )
17
Birthday attack
0 1 ⋯ 𝑁
𝑌3 𝑌1 𝑌𝑌6𝑖 𝑌2 𝑌𝑞 𝑌5 𝑌4
𝑌1 ← 𝜌(𝑋1 )
𝑌2 ← 𝜌(𝑋2 )
𝐀𝐝𝐯𝐻cr 𝐵 = Pr coll = Pr ∃𝑖 ≠ 𝑗 ∶ 𝜌 𝑋𝑖 = 𝜌(𝑋𝑗 )
𝑌3 ← 𝜌(𝑋3 )
𝑌4 ← 𝜌(𝑋4 )
𝑌5 ← 𝜌(𝑋5 )
𝑌6 ← 𝜌(𝑋6 )
𝑋1 , 𝑋2 , … , 𝑋𝑞 are distinct
𝑌𝑖 ← 𝜌(𝑋𝑖 )
𝑌𝑞 ← 𝜌(𝑋𝑞 )
18
Birthday attack
0 1 ⋯ 𝑁
𝑌3 𝑌1 𝑌𝑌6𝑖 𝑌2 𝑌𝑞 𝑌5 𝑌4
𝑌1 ←$ 𝒴
𝑌2 ←$ 𝒴
𝐀𝐝𝐯𝐻cr 𝐵 = Pr coll = Pr ∃𝑖 ≠ 𝑗 ∶ 𝑌𝑖 = 𝑌𝑗
𝑌3 ←$ 𝒴
𝑌4 ←$ 𝒴
𝑌5 ←$ 𝒴
𝑌6 ←$ 𝒴
𝑋1 , 𝑋2 , … , 𝑋𝑞 are distinct
𝑌𝑖 ←$ 𝒴
$
𝑌𝑞 ← 𝒴
19
Birthday attack
0 1 ⋯ 𝑁
𝑌3 𝑌1 𝑌𝑌6𝑖 𝑌2 𝑌𝑞 𝑌5 𝑌4
1 2 3 𝑞−1 𝑖
=1× 1− × 1− × 1− ⋯ × 1− (1 − 𝑥) = 1 −
𝑁 𝑁 𝑁 𝑁 𝑁
𝑥 𝑥2 𝑥3 𝑥4
𝑞−1 𝑒 −𝑥 =1− + − + +⋯
1! 2! 3! 4!
𝑖
= 1−
𝑁
𝑖=1
𝑞−1
20
Birthday attack
0 1 ⋯ 𝑁
𝑌3 𝑌1 𝑌𝑌6𝑖 𝑌2 𝑌𝑞 𝑌5 𝑌4
𝑞(𝑞 − 1)
Pr coll = 1 − Pr no˗coll ≥ 1 − 𝑒 −𝑞(𝑞−1)/2𝑁 ≥ 0.6 ×
2𝑁
1 − 𝑒 −𝑥
𝑞 < 2𝑁
21
Birthday attack
0 1 ⋯ 𝑁
𝑌3 𝑌1 𝑌𝑌6𝑖 𝑌2 𝑌𝑞 𝑌5 𝑌4
𝑞 𝑞−1
0.6 × ≤ Pr coll = Pr[𝑌1 ∨ 𝑌2 ∨ ⋯ ∨ 𝑌𝑞 ]
2𝑁
≤ Pr 𝑌1 + Pr 𝑌2 + ⋯ + Pr 𝑌𝑞
0 1 𝑞−1
≤ + + ⋯+
𝑁 𝑁 𝑁
𝑞 𝑞−1
=
2𝑁
22
Birthday attack
0 1 ⋯ 𝑁
𝑌3 𝑌1 𝑌𝑌6𝑖 𝑌2 𝑌𝑞 𝑌5 𝑌4
Pr coll = 0.5:
𝑞 𝑞−1 𝑞 𝑞−1 𝑞≈ 𝑁
0.6 × ≤ Pr coll ≤
2𝑁 2𝑁
𝑁 𝑞
365 23
106 1000
264 232
280 240
Birthday bound:
2
2256 2128
𝑞
Pr coll ≈ (𝑞 ≤ 2𝑁) 2512 2256
2𝑁
23
𝑁 = 106
24
Attacks on hash functions
∗ 𝑛
• Generic attacks: work for all hash functions 𝐻 ∶ 0,1 → 0,1
• Brute-force: hash 𝟏, 𝟐, 𝟑, … , 𝟐𝒏 + 𝟏
• Output must be long enough
𝑛 = 10 requires only 210 + 1 = 1025 values
• 𝑛 = 100 enough? No! Must take birthday attack into account: 𝑛 / 2 must be large enough
• Attacker 𝐵
1. pick distinct values 𝑋1 , 𝑋2 , … , 𝑋𝑞 𝑞 ≪ 2𝑛
2. hash every value
3. look for collisions
What's 𝐀𝐝𝐯𝐻cr 𝐵 ?
25
Designing hash functions
Merkle-Damgård
𝑛+𝑏 𝑛
• Suppose we have a compression function ℎ ∶ 0,1 → 0,1 which is collision-resistant
∗ 𝑛
• Want to create a hash function 𝐻 ∶ 0,1 → 0,1
• Solution: iterate ℎ
27
Merkle-Damgård
∗ 𝑛
𝐻 ∶ 0,1 → 0,1
𝐻 𝑀 = ℎ ℎ ⋯ ℎ ℎ 𝐼𝑉||𝑀1 || 𝑀2 ⋯ || 𝑀𝑛−1 || 𝑀𝑛
𝑀1 𝑀2 𝑀3 𝑀4
𝐼𝑉
𝑛+𝑏 𝑛
ℎ ∶ 0,1 → 0,1
28
Merkle-Damgård
∗ 𝑛
𝐻 ∶ 0,1 → 0,1
𝐻 𝑀 = ℎ ℎ ⋯ ℎ ℎ 𝐼𝑉||𝑀1 || 𝑀2 ⋯ || 𝑀𝑛−1 || 𝑀𝑛
𝑀1 𝑀2 𝑀3 𝑀4 || pad 𝑀
𝐼𝑉
𝑛+𝑏 𝑛
ℎ ∶ 0,1 → 0,1
29
Merkle-Damgård
∗ 𝑛
𝐻 ∶ 0,1 → 0,1
𝐻 𝑀 = ℎ ℎ ⋯ ℎ ℎ 𝐼𝑉||𝑀1 || 𝑀2 ⋯ || 𝑀𝑛−1 || 𝑀𝑛
𝑀1 𝑀2 𝑀3 𝑀4 || 𝑀
𝐼𝑉
𝑛+𝑏 𝑛
ℎ ∶ 0,1 → 0,1
30
Merkle-Damgård – security
𝑛+𝑏 𝑛 ∗ 𝑛
Theorem: If ℎ ∶ 0,1 → 0,1 is collistion resistant then 𝐻 ∶ 0,1 → 0,1 is collisition resistant
Proof idea:
Collison on 𝐻 ⟹ collision on ℎ
31
Merkle-Damgård – security
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝐼𝑉 ⋯ 𝑍
𝑌1 𝑌2 𝑌3
𝐼𝑉 𝑍
32
Merkle-Damgård – security
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝑋1 𝑋2 𝑋18 𝑋19 … || 𝑋
𝐼𝑉 ⋯ 𝑍
𝑌1 𝑌2 … || 𝑌
𝐼𝑉 𝑍
33
Merkle-Damgård – security
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝐼𝑉 ⋯ 𝑍
𝐼𝑉 ⋯ 𝑍
34
Merkle-Damgård – security
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝐼𝑉 ⋯ 𝑉20
𝑍
𝐼𝑉 ⋯ ′
𝑉20
𝑍
35
Merkle-Damgård – security
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝐼𝑉 ⋯ ′
𝑉20
𝑍
36
Merkle-Damgård – security
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝑋1 𝑋2 𝑋18 𝑋19
′
𝑌1 𝑌Case 3: 𝑋20 = 𝑌20 and 𝑉20 = 𝑉20 ⟹𝑌 no collision 𝑌19
2 18
𝐼𝑉 ⋯ 𝑉20
𝑍
37
Merkle-Damgård – security
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝑋1 𝑋2 𝑋18 𝑋19
′
Case 2: 𝑉19 ≠ 𝑉19
𝑌1 𝑌 ′ 𝑌 𝑌19
Case 3:2 𝑋19 = 𝑌19 and 𝑉19 = 𝑉19 18
⟹ no collision
𝐼𝑉 ⋯ ′
𝑉19 𝑉20
𝑍
38
Merkle-Damgård – security
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝑋1 𝑋2 𝑋18
′
Case 2: 𝑉19 ≠ 𝑉19
𝑌1 𝑌 ′ 𝑌
Case 3:2 𝑋19 = 𝑌19 and 𝑉19 = 𝑉19 18
⟹ no collision
𝐼𝑉 ⋯ 𝑉19 𝑉20
𝑍
39
Merkle-Damgård – security
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝑋1 𝑋2 𝑋18
𝐼𝑉 ⋯ 𝑉19
𝑍
𝑌1 𝑌2 𝑌18
𝐼𝑉 ⋯ 𝑉19
𝑍
40
Merkle-Damgård – security
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝑋1 𝑋2 𝑋18
𝐼𝑉 ⋯ 𝑍
𝑌1 𝑌2 𝑌18
𝐼𝑉 ⋯ 𝑍
41
Merkle-Damgård – security
Assumption: 𝐻 𝑋 = 𝐻 𝑌 = 𝑍
𝑋1
𝐼𝑉
𝑉1 𝑉2
⋯
Case 1: 𝑋1 ≠ 𝑌1 𝑍
Case 2: 𝑉1 ≠ 𝑉1′
𝑌1
Case 3: 𝑋1 = 𝑌1 and 𝑉1 = 𝑉1′ ⟹ no collision
𝐼𝑉
𝑉1 𝑉2
⋯ 𝑍
42
Compression function designs
∗ 𝑛 𝑏+𝑛 𝑛
• Merkle-Damgård creates collision resistant 𝐻 ∶ 0,1 → 0,1 from collision resistant ℎ ∶ 0,1 → 0,1
𝐻 ∶ 0,1 ∗ → 0,1 𝑛
𝑏+𝑛 𝑛
ℎ ∶ 0,1 → 0,1
𝐼𝑉
43
Compression functions from block ciphers – Davies-Meyer
𝑘 + 𝑛 bits
𝑀 = 𝑀1 || 𝑀2
𝑀1
𝑀2 𝐸 𝑍
44
Compression functions from block ciphers – Davies-Meyer
𝑘 + 𝑛 bits
𝑀 = 𝑀1 || 𝑀2
𝑀1
𝑀2 𝐸 𝑍 DM 𝑀 = 𝐸𝑀1 𝑀2 ⊕ 𝑀2
𝑘+𝑛 𝑛
Theorem: DM ∶ 0,1 → 0,1 is a collision resistance compression function in the ideal cipher model
45
Alternatives…
Davies-Mayer
Black, Rogaway & Shrimpton: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV; CRYPTO'02
46
SHA – Secure Hash Algorithm
• Family of hash functions published by NIST
• SHA1 in 1995
• SHA2-256 and SHA2-512 in 2001
• Also truncated versions: SHA2-224, SHA2-384
• SHA3-256 and SHA3-512 in 2015
47
SHA1
𝐸(𝑀𝑖 , 𝑉𝑖 )
Merkle-Damgård 𝐴1 ← 𝑉𝑖,1 for 𝑗 = 1 … 16 do
𝐵1 ← 𝑉𝑖,2 𝑊𝑗 ← 𝑀𝑖,𝑗
𝐶1 ← 𝑉𝑖,3 for 𝑗 = 17 … 80 do
𝐷1 ← 𝑉𝑖,4 𝑊𝑗 ← 𝑊𝑗−16 ⊕ 𝑊𝑗−14 ⊕ 𝑊𝑗−8 ⊕ 𝑊𝑗−3
𝐸1 ← 𝑉𝑖,5 ⋘1
𝑀1 𝑀2 𝑀𝑛 ||pad
𝐼𝑉 𝐸 𝐸 ⋯ 𝐸 𝑇
Davies-Mayer Repeat
80 times
frac32 2
512 160 160
𝐸 ∶ 0,1 × 0,1 → 0,1
frac32 3
𝒋 𝑲𝒋 𝑭𝒋 𝑩, 𝑪, 𝑫
1 … 20 5A827999 𝐵∧𝐶 ∨ 𝐵∧𝐷
frac32 5
21 … 40 6ED9EBA1 𝐵⊕𝐶⊕𝐷
IV = 67452301 || EFCDAB89 ||98BADCFE || 10325476 ||C3D2E1F0
41 … 60 8F1BBCDC 𝐵∧𝐶 ∨ 𝐵∧𝐷 ∨ 𝐶∧𝐷
frac32 10 61 … 80 CA62C1D6 𝐵⊕𝐶⊕𝐷
48
SHA0
𝐸(𝑀𝑖 , 𝑉𝑖 )
𝐴1 ← 𝑉𝑖,1 for 𝑗 = 1 … 16 do
𝐵1 ← 𝑉𝑖,2 𝑊𝑗 ← 𝑀𝑖,𝑗
𝐶1 ← 𝑉𝑖,3 for 𝑗 = 17 … 80 do
𝐷1 ← 𝑉𝑖,4 𝑊𝑗 ← 𝑊𝑗−16 ⊕ 𝑊𝑗−14 ⊕ 𝑊𝑗−8 ⊕ 𝑊𝑗−3
𝐸1 ← 𝑉𝑖,5 ⋘1
𝑀1 𝑀2 𝑀𝑛 ||pad
𝐼𝑉 𝐸 𝐸 ⋯ 𝐸 𝑇 SHA1
Repeat
80 times
𝒋 𝑲𝒋 𝑭𝒋 𝑩, 𝑪, 𝑫
1 … 20 5A827999 𝐵∧𝐶 ∨ 𝐵∧𝐷
21 … 40 6ED9EBA1 𝐵⊕𝐶⊕𝐷
IV = 67452301 || EFCDAB89 ||98BADCFE || 10325476 ||C3D2E1F0
41 … 60 8F1BBCDC 𝐵∧𝐶 ∨ 𝐵∧𝐷 ∨ 𝐶∧𝐷
61 … 80 CA62C1D6 𝐵⊕𝐶⊕𝐷
49
Attacks against SHA1
𝐴1 ← 𝑉𝑖,1
𝐵1 ← 𝑉𝑖,2 for 𝑗 = 1 … 16 do
𝐶1 ← 𝑉𝑖,3 𝑊𝑗 ← 𝑀𝑖,𝑗
𝐷1 ← 𝑉𝑖,4 for 𝑗 = 17 … 64 do
𝐸1 ← 𝑉𝑖,5 𝜎0 ← ROTR7 (𝑊𝑗−15 ) ⊕ ROTR18 (𝑊𝑗−15 ) ⊕ SHR3 (𝑊𝑗−15 )
𝑀1 𝑀2 𝑀𝑛 ||pad 𝐹1 ← 𝑉𝑖,6 𝜎1 ← ROTR17 (𝑊𝑗−2 ) ⊕ ROTR19 (𝑊𝑗−2 ) ⊕ SHR10 (𝑊𝑗−2 )
𝐺1 ← 𝑉𝑖,7 𝑊𝑗 ← 𝑊𝑗−16 + 𝜎0 + 𝑊𝑖−7 + 𝜎1
𝐻1 ← 𝑉𝑖,8
𝐼𝑉 𝐸 𝐸 ⋯ 𝐸 𝑇
𝑗
512 256 256
𝐸 ∶ 0,1 × 0,1 → 0,1
Repeat
64 times
1024 512 512
𝐸 ∶ 0,1 × 0,1 → 0,1
51
MACs from hash functions – 𝑯(𝑲 || 𝑴)
𝐻 𝐾||𝑀
𝐾 𝑀 pad 𝐾|𝑀
𝐼𝑉
𝑇
MACs from hash functions – 𝑯(𝑲 || 𝑴)
𝐼𝑉
𝑇 𝑇′
MACs from hash functions – 𝑯(𝑲 || 𝑴)
𝐼𝑉 ⋯
𝑇 𝑇′
NMAC
𝑀1 𝑀2 𝑀𝑡 ||pad
𝐾1′ ⋯
𝑇 ′ ||pad
𝐾2′ 𝑇
55
HMAC
𝐻 𝐾 ⊕ ipad || 𝑀
𝐾1 𝑀1 𝑀2 𝑀𝑡 ||pad
𝐼𝑉
𝐾1′
⋯
𝐾2 𝑇 ′ ||pad 𝐻 𝐾 ⊕ opad || …
𝐾1 = 𝐾 ⊕ ipad
𝐼𝑉 𝑇
𝐾2 = 𝐾 ⊕ opad 𝐾2′
56
HMAC
𝐾 ⊕ ipad
• TLS
𝐼𝑉 ⋯
• IPsec
𝐾 ⊕ opad
• SSH 𝐾2 𝑇 ′ ||pad
• LTE
• … 𝐼𝑉 𝑇
1600 1600
𝑓 ∶ 0,1 → 0,1