6.857: Computer and Network Security – September 16, 2004
LECTURE 3 NOTES

[Figure labels: OW, WCR, CR; x, x’ → y]

HASH FUNCTION

h: $\{0,1\}^* \to \{0,1\}^n$ ≈ “random” (recall random oracle)

h(x) = y
h(x’) = y
“collision”: h(x) = h(x’)

COMPUTATIONAL DIFFICULTY

asymptotic complexity (“rates of growth of difficulty”, $\Theta(2^n)$)
concrete complexity (constants matter)

PROPERTIES

① “One-Way” – OW, “preimage resistance”

Infeasible, given randomly chosen $y \in \{0,1\}^n$, to find any x s.t. h(x) = y

Given y:
  Pick $x_1$, check if $h(x_1) = y$
  ⋮
  $\mathrm{Prob}(x_i : h(x_i) = y) = 1/2^n$
  time (# trials) is $2^n$ (avg)

Back of Envelope Calculation:
  $2^{30}$ chips
  $2^{34}$ trials/sec
  $\pi \times 10^7$ sec/yr = $2^{25}$ sec/yr
  $2^{64}$ trials/sec
  $2^{80}$ trials / half day
  $2^{89}$ trials/yr
  SHA-1 has 160-bit output → $2^{71}$ yrs to break OW of SHA-1

② “Collision Resistance” – CR, “strong collision resistance”

Infeasible to find two distinct values x, x’ s.t. h(x) = h(x’)
difficulty = $2^{n/2}$

Birthday Problem:
  t values $x_1, x_2, \ldots, x_t$ (people)
  each mapped by h (random function) to $y_1, y_2, \ldots, y_t$ (b-days)
  $\mathrm{Prob}(y_i = y_j) = 1/2^n$

  # pairs = $\binom{t}{2} = \frac{t(t-1)}{2} = \Theta(t^2)$
  E[# pairs w/ same b-day] = $\binom{t}{2} \cdot 2^{-n}$
  when $\binom{t}{2} \cdot 2^{-n} \approx 1$, expect collision → $t \approx 2^{n/2}$ → $t \approx 2^{80}$

③ “Weak Collision Resistance” – WCR

Infeasible, given randomly chosen x, to come up with x’ s.t. h(x’) = h(x)
$2^n$ time to break “random” hash function

“Thm”: CR ⇒ WCR
  contrapositive: ¬WCR ⇒ ¬CR

Thm: OW ⇏ CR
Proof: Want h that is OW but not CR
  Let g be OW
  y = h(x) = g(z) = g applied to all of x except for last bit, where x = zb
  h(z0) = h(z1) → collision!
  inverting h ⇒ inverting g

Thm: CR ⇏ OW
Proof: Want h that is CR but not OW
  Let g be CR
  Let h(x) = 0x if |x| = n   ← no collisions
             1g(x) else      ← g is CR
  ⇒ h is CR

Thm: WCR ⇏ CR
Proof: Want h that is WCR but not CR
  Let $g^{(i)}(x)$ mean g(g(g(⋯g(x)))) – g is iteratively applied i times; g is OW and CR
  Inputs: (x, x’) – pairs of strings w/ arbitrary length
  h(x, x’):
    $x = x_0 \to_g x_1 \to_g \cdots \to_g x_i$, least i s.t. $x_i$ ends in 4 zeros, or until we take 100 steps (i = 100)
    $x' = x_0' \to_g x_1' \to_g \cdots \to_g x_j'$, until $x_j'$ ends in 4 zeros or j = 100
  Output: $(g^{(i)}(x), g^{(j)}(x'), i+j)$ as bit string
  h(x, g(x’)) = h(g(x), x’) often

APPLICATIONS

① Password storage: store h(pw) on disk – Need OW

② Detecting file modification: store h(F) for each file in system offline on secure CD – Need WCR

③ Secure URL: <a href = “http://...” sha1=”AC47…09”> – Need WCR

④ Commitments:
  Alice has some bid $x
  Alice can compute C(x)
  Alice submits C(x) as her “sealed bid”
  Later on, she can “open” C(x) to reveal x in only one way (binding)
  Properties:
    Secrecy – Anyone who uses C(x) should learn nothing about x
    “Non-malleable” – Not possible to come up with commitment to a related value x’ (e.g. x’ = x + 1)
  Need OW,
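
The three separation constructions from the proofs above, as an added example that is not part of the original notes. Assumptions: g is instantiated with SHA-256 as a stand-in for the notes' OW and CR function, lengths are counted in bytes rather than bits, and all function names and sample inputs are hypothetical.

```python
import hashlib

N = 32  # length of g's output in bytes; plays the role of the notes' n

def g(x: bytes) -> bytes:
    """Stand-in for g (assumption: SHA-256 is treated as OW and CR)."""
    return hashlib.sha256(x).digest()

# OW but not CR: x = z||b, and h(x) = g(z) ignores the last bit b.
def h_ow_not_cr(bits: str) -> bytes:
    """bits is a string of '0'/'1' characters, e.g. '10110'."""
    return g(bits[:-1].encode())

# CR but not OW: h(x) = 0||x if |x| = n, else 1||g(x).
def h_cr_not_ow(x: bytes) -> bytes:
    return b"\x00" + x if len(x) == N else b"\x01" + g(x)

def invert_h_cr_not_ow(y: bytes):
    """An image tagged 0 carries its own preimage; tag 1 would need to invert g."""
    return y[1:] if y[:1] == b"\x00" else None

# WCR but not CR: iterate g until the value ends in 4 zero bits or 100 steps.
def walk(x: bytes):
    i = 0
    while i < 100 and not (x and (x[-1] & 0x0F) == 0):
        x, i = g(x), i + 1
    return x, i

def h_wcr_not_cr(x: bytes, xp: bytes):
    (xi, i), (xj, j) = walk(x), walk(xp)
    return xi, xj, i + j

def find_wcr_collision():
    """Return two distinct input pairs (x, g(x')) and (g(x), x') with equal hash."""
    for k in range(1000):  # constructed inputs; '!' ends in bits 0001, so x needs >= 1 step
        x, xp = b"x-%d!" % k, b"y-%d!" % k
        a, b = (x, g(xp)), (g(x), xp)
        if a != b and h_wcr_not_cr(*a) == h_wcr_not_cr(*b):
            return a, b
    return None  # reached only if every candidate walk hit the 100-step cap

if __name__ == "__main__":
    print(h_ow_not_cr("10110") == h_ow_not_cr("10111"))  # z0 and z1 collide
    x = bytes(range(N))
    print(invert_h_cr_not_ow(h_cr_not_ow(x)) == x)       # inverted by slicing
    a, b = find_wcr_collision()
    print(a != b, h_wcr_not_cr(*a) == h_wcr_not_cr(*b))
```

The search loop in `find_wcr_collision` reflects the "often" in the notes: the identity fails only when a walk stops at the 100-step cap instead of at a value ending in 4 zero bits.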


MIT 6 857 - LECTURE 3 NOTES
