Hash functions & MACs
ECE 646 Lecture 11

Digital Signature
[Figure: Alice passes the Message through a Hash function to obtain a Hash value, then applies the Public key algorithm with Alice's private key to produce the Signature. Bob passes the Message through the Hash function (Hash value 1), applies the Public key algorithm with Alice's public key to the Signature (Hash value 2), and compares the two: yes / no.]

Hash function
arbitrary length message $m$ → hash function $h$ → hash value $h(m)$, fixed length

Vocabulary
• hash function
• message digest
• hash value
• hash total
• fingerprint
• imprint
• cryptographic checksum
• compressed encoding
• MDC, Message Digest Code
• message digest

Hash functions: Basic requirements
1. Public description, NO key
2. Compression: arbitrary length input → fixed length output
3. Ease of computation

Hash functions: Security requirements
It is computationally infeasible:
1. Preimage resistance
   Given: $y$
   To find: $x$, such that $h(x) = y$
2. 2nd preimage resistance
   Given: $x$ and $y = h(x)$
   To find: $x' \neq x$, such that $h(x') = h(x) = y$
3. Collision resistance
   To find: $x' \neq x$, such that $h(x') = h(x)$

Hash functions: Dependence between requirements
collision resistant ⇒ 2nd preimage resistant

Hash functions (unkeyed)
• OWHF, One-Way Hash Functions: preimage resistance, 2nd preimage resistance
• CRHF, Collision-Resistant Hash Functions: 2nd preimage resistance, collision resistance

Brute force attack against One-Way Hash Function
Given $y$ ($n$ bits).
$2^n$ messages $m_i'$, $i = 1..2^n$, with the contents required by the forger → $h$ → is $h(m_i') = y$?

Creating multiple versions of the required message
I {state | confirm} {thereby | -} that I {borrowed | received} {$10,000 | ten thousand dollars} from {Mr. | Dr.} {Kris | Krzysztof} Gaj on {November 19, | 11 / 19 /} 2008. This {money | sum of money} {should | is required to} be {returned | given back} to {Mr. | Dr.} Gaj by the {27th | 28th} day of {November | Nov.} 2006.

Brute force attack against Collision Resistant Hash Function (Yuval)
• $r$ messages acceptable for the signer: $m_i$ → $h$ → $h(m_i)$ ($n$ bits), $i = 1..r$
• $r$ messages required by the forger: $m_j'$ → $h$ → $h(m_j')$ ($n$ bits), $j = 1..r$
• The forger looks for a pair with $h(m_i) = h(m_j')$.

Message required by the forger
I {state | confirm} {thereby | -} that I {borrowed | received} {$10,000 | ten thousand dollars} from {Mr. | Dr.} {Kris | Krzysztof} Gaj on {November 19, | 11 / 19 /} 2008. This {money | sum of money} {should | is required to} be {returned | given back} to {Mr. | Dr.} Gaj by the {27th | 28th} day of {November | Nov.} 2006.

Message acceptable for the signer
I {state | confirm} {thereby | -} that I {borrowed | received} a {book | manuscript} on {implementing hash functions. | factoring using Number Field Sieve.} from {Mr. | Dr.} {Kris | Krzysztof} on {November 19, | 11 / 19 /} 2008. This {text | item} {should | is required to} be {returned | given back} to {Mr. | Dr.} Gaj by the {27th | 28th} day of {November | Nov.} 2008.

Birthday paradox
How many students must be in a class so that there is a greater than 50% chance that
1. one of the students shares the teacher's birthday (up to the day and month)?
2. any two of the students share the same birthday (up to the day and month)?

Birthday paradox
How many students must be in a class so that there is a greater than 50% chance that
1. one of the students shares the teacher's birthday (day and month)?
   ~ 366/2 = 188
2. any two of the students share the same birthday (day and month)?
   $\sim \sqrt{366} \approx 19$

Brute force attack against Collision Resistant Hash Function
Probability $p$ that two different messages have the same hash value:
$p = 1 - \exp\left(-\frac{r^2}{2^n}\right)$
For $r = 2^{n/2}$, $p = 63\%$.

Brute force attack against Collision Resistant Hash Function: Storage requirements
J.J. Quisquater collision search algorithm
• Number of operations: $2\sqrt{\pi/2} \cdot 2^{n/2} \approx 2.5 \cdot 2^{n/2}$
• Storage: Negligible

Hash value size
Older algorithms:
• One-Way: $n \geq 64$ (8 bytes)
• Collision-Resistant: $n \geq 128$ (16 bytes)
Current algorithms:
• One-Way: $n \geq 80$ (10 bytes)
• Collision-Resistant: $n \geq 160$ (20 bytes)
Newly proposed algorithms:
• One-Way: $n = 128, 192, 256$ (16, 24, 32 bytes)
• Collision-Resistant: $n = 256, 384, 512$ (32, 48, 64 bytes)

Hash function algorithms
Customized (dedicated):
• MD2: Rivest 1988
• MD4: Rivest 1990
• MD5: Rivest 1990
• SHA-0: NSA, 1992
• SHA-1: NSA, 1995
• RIPEMD: European RACE Integrity Primitives Evaluation Project, 1992
• RIPEMD-160
• SHA-256, SHA-384, SHA-512: NSA, 2000
Based on block ciphers:
• MDC-2, MDC-4: IBM, Brachtl, Meyer, Schilling, 1988
Based on modular arithmetic:
• MASH-1: 1988-1996

Attacks against dedicated hash functions known by 2004
• MD2: partially broken
• MD4: broken, H. Dobbertin, 1995 (one hour on PC, 20 free bytes at the start of the message)
• MD5: partially broken, collisions for the compression function, Dobbertin, 1996 (10 hours on PC)
• SHA-0: weakness discovered, 1995 NSA, 1998 France
• SHA-1
• RIPEMD: reduced round version broken, Dobbertin 1995
• RIPEMD-160
• SHA-256, SHA-384, SHA-512

What was discovered in 2004-2005?
• MD4: broken; Wang, Feng, Lai, Yu, Crypto 2004 (manually, without using a computer)
• MD5: broken; Wang, Feng, Lai, Yu, Crypto 2004 (1 hr on a PC)
• SHA-0: attack with $2^{40}$ operations, Crypto 2004
• SHA-1: attack with $2^{63}$ operations; Wang, Yin, Yu, Aug 2005
• RIPEMD: broken; Wang, Feng, Lai, Yu, Crypto 2004 (manually, without using a computer)
• RIPEMD-160
• SHA-256, SHA-384, SHA-512

$2^{63}$ operations
Schneier, 2005
In hardware: machine similar to the one used to break DES:
• Cost = $50,000-$70,000, Time: 18 days
or
• Cost = $0.9-$1.26M, Time: 24 hours
In software: computer network similar to distributed.net used to break DES (~331,252 computers):
• Cost = ~ $0, Time: 7 months

Recommendations of NIST (1)
NIST Brief Comments on Recent Cryptanalytic Attacks on SHA-1, Feb 2005
• The new attack is applicable primarily to the use of hash functions in digital signatures.
• In many cases applications of digital signatures introduce additional context information, which may make attacks impractical.
• Other applications of hash functions, such as Message Authentication Codes (MACs), are not threatened by the new attacks.

Recommendations of NIST (2)
• NIST was already earlier planning to withdraw SHA-1 in favor of SHA-224, SHA-256, SHA-384 & SHA-512 by 2010.
• New implementations should use new hash functions.
• NIST encourages government agencies to develop plans for gradually moving towards new hash functions, taking into account the sensitivity of the systems when setting the timetables.

SHA-3 Contest Timeline
2007
• publication of requirements
• 29.X.2007: request for candidates
2008
• 31.X.2008: deadline for submitting candidates
2009
• 2 Q: first workshop devoted to the presentation of candidates
2010
• 2 Q: second workshop devoted to the analysis of candidates
• 3 Q: selection of finalists
2012
• 1 Q: last workshop
• 2 Q: selection of the winner
• 3 Q: draft version of the standard published
• 4 Q: final version of the standard published

Hash functions: Applications (1)
1. Digital Signatures
Advantages:
1. Shorter signature
2. Much faster computations
3. Larger resistance to manipulation (one block instead of several blocks of signature)
4. Resistance to the multiplicative attacks
5. Avoids problems with different sizes of the sender and the receiver moduli

Hash functions: Applications (2)
2. Fingerprint of a program or a document (e.g., to detect a modification by a virus or an
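The brute-force collision search (Yuval) and the formula $p = 1 - \exp(-r^2/2^n)$ from the slides, as an added example that is not part of the lecture: it shows why the collision-resistant sizes on the "Hash value size" slide are twice the one-way sizes. Assumptions: SHA-256 truncated to n bits stands in for a short hash, and both message templates are constructed, modelled on the slide's wording; with $2^{12}$ variants per side against a 16-bit hash (far more than $2^{n/2}$) a match is effectively certain.

```python
import hashlib
import itertools
import math

# Constructed templates modelled on the slide: ";" separates slots, "|" the two
# interchangeable wordings of a slot. 12 slots give 2**12 variants per template.
BENIGN = ("I state|I confirm;that I borrowed|that I received;a book|a manuscript;"
          "from Mr.|from Dr.;Kris|Krzysztof;Gaj on November 19,|Gaj on 11/19/;"
          "2008. This text|2008. This item;should|is required to;"
          "be returned|be given back;to Mr.|to Dr.;Gaj by the 27th|Gaj by the 28th;"
          "day of November 2008.|day of Nov. 2008.")
FORGED = (BENIGN.replace("a book|a manuscript", "$10,000|ten thousand dollars")
          .replace("This text|2008. This item", "This money|2008. This sum of money"))

def variants(template):
    """Yield every message built by choosing one wording per slot."""
    slots = [slot.split("|") for slot in template.split(";")]
    for choice in itertools.product(*slots):
        yield " ".join(choice)

def truncated_hash(message, n_bits):
    """Top n_bits of SHA-256, standing in for a short n-bit hash (assumption)."""
    digest = hashlib.sha256(message.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)

def collision_probability(r, n_bits):
    """Slide formula: p = 1 - exp(-r^2 / 2^n)."""
    return 1.0 - math.exp(-(r * r) / 2 ** n_bits)

def find_cross_collision(benign_template, forged_template, n_bits):
    """Return (benign, forged, hash) with equal n-bit hashes, or None."""
    seen = {}  # hash -> first benign variant with that hash
    for message in variants(benign_template):
        seen.setdefault(truncated_hash(message, n_bits), message)
    for message in variants(forged_template):
        h = truncated_hash(message, n_bits)
        if h in seen:
            return seen[h], message, h
    return None

if __name__ == "__main__":
    print(find_cross_collision(BENIGN, FORGED, 16))
    for n in (64, 128, 160, 256):  # sizes from the "Hash value size" slide
        print(f"n={n}: p={collision_probability(2 ** (n // 2), n):.2f} at r=2^{n // 2}")
```

The work needed for a 63% chance grows as $2^{n/2}$, so a digest used under signatures needs twice the bit length that preimage resistance alone would call for.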