CIS 5371 Cryptography
4. Collision Resistant Hash Functions
Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Collision Resistance
A collision in a function H is a pair of distinct inputs x, x' such that H(x) = H(x').
Collision resistance is trivial to achieve if compression is not required (take for example the identity function).
We shall be dealing with a family of hash functions indexed by a key s. That is, H will take as input a key s and a string x and output a string.
Definition 4.11, Hash Function
A hash function is a pair of probabilistic polynomial-time algorithms such that:
• takes as input the security parameter and outputs a key .
• There is a polynomial such that takes as input a key and a string and .
A collision finding experiment -(A,)
Definition 4.12 Collision Resistant Hash Function
A hash function is collision resistant if for all probabilistic polynomial-time adversaries there is a function such that:
Weaker notions of security for Hash Functions
1. Collision resistance. The strongest notion, as defined earlier.
2. Second pre-image resistance. Informally, given a key and a string it is infeasible for a probabilistic polynomial-time adversary to find such that .
3. Pre-image resistance. Informally, given a key and a string (but not ) for a randomly chosen it is infeasible for a probabilistic polynomial-time adversary to find such that .
Weaker notions of security for Hash Functions
1. Collision resistance implies second pre-image resistance. If, given , the adversary can find such that , then the pair with is a collision.
2. Second pre-image resistance implies pre-image resistance. If it were possible to invert and find an such that , then it would be possible to take a given input , compute , and then invert to find such that .
Generic birthday attack
Birthday problem
Let be a hash function. Assume that the values are uniformly distributed in and independent. Assume that arbitrary inputs are selected. Then the probability that there is a collision using hash evaluations is greater than ½. The time taken is . (One has to sort the outputs; assume that one can evaluate a hash function in constant time.)
Improved birthday attack
Memory is a scarcer resource than time: storing hash evaluations is costly.
Improved birthday attack
Let be a hash function. Select . For , compute and . If , there is a collision; else continue. It can be shown that we get a collision with probability roughly ½ in steps.
Construction 4.12 The Merkle-Damgård transform
is a fixed-length collision-resistant hash function with inputs of length and outputs . A variable-length hash function is constructed as follows.
• : on input , output key .
• H: on input and , do:
1. Set , pad so that it can be parsed into blocks of length . Set ( bits).
2. Set .
3. For , compute .
4. Output .
The Merkle-Damgård transform
[Figure: the Merkle-Damgård transform. The blocks x1, x2, ..., xB, xB+1 = L are fed in turn to the compression function hs; the chaining value starts at IV, passes through z1, ..., zB, and the output is zB+1.]
Theorem 4.14
If is a fixed-length collision-resistant hash function then is a collision-resistant hash function.
HMAC – A keyed MAC - Notation
Assume that:
• are fixed non-secret keys of length .
• is a secret key of length .
• is a compression function that compresses its input by half.
• Reminder: is a family of functions indexed by a non-secret key that on input outputs a string .
• is the hash function constructed by using the Merkle-Damgård transform applied to .
• is the length of the output of .
HMAC – A keyed MAC - Notation
Define:
• , and
• to be the corresponding Merkle-Damgård transform.
Construction 4.17 HMAC
Let be a fixed-length collision-resistant hash function, and let be the result of applying the Merkle-Damgård transform to . Let , and be fixed constants of length . HMAC defines a MAC as follows:
• : on input , run to get key . Also choose at random. Output the key.
• Mac: on input a key and a message of length , output the tag .
• Vrfy: on input a key , a message , and a tag , output 1 if and only if .
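Construction 4.17 written out in Python, as an added example that is not part of the original slides: the Merkle-Damgård hash is instantiated with SHA-256 (64-byte blocks), the fixed constants ipad and opad are assumed to be the bytes 0x36 and 0x5c repeated as standardised in RFC 2104, and a key shorter than one block is zero-padded, as RFC 2104 does. The comparison against Python's hmac module confirms that the textbook formula is exactly the deployed algorithm.

```python
import hashlib
import hmac
import os

BLOCK_LEN = 64  # byte length of one SHA-256 input block (the compression-function input)
IPAD = bytes([0x36]) * BLOCK_LEN  # fixed non-secret constant "ipad" (value from RFC 2104)
OPAD = bytes([0x5C]) * BLOCK_LEN  # fixed non-secret constant "opad" (value from RFC 2104)


def H(x: bytes) -> bytes:
    """Stand-in for the Merkle-Damgård hash H^s: SHA-256 with its fixed IV."""
    return hashlib.sha256(x).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    return bytes(p ^ q for p, q in zip(a, b))


def gen(n: int = 32) -> bytes:
    """Gen: choose the secret key k uniformly at random (n bytes, at most one block)."""
    return os.urandom(n)


def mac(k: bytes, m: bytes) -> bytes:
    """Mac: t = H((k xor opad) || H((k xor ipad) || m)), with k zero-padded to one block."""
    if len(k) > BLOCK_LEN:
        raise ValueError("Construction 4.17 takes a key of at most one block")
    k_block = k.ljust(BLOCK_LEN, b"\x00")
    inner = H(xor(k_block, IPAD) + m)      # inner hash over the message
    return H(xor(k_block, OPAD) + inner)   # outer hash over the inner result


def vrfy(k: bytes, m: bytes, t: bytes) -> bool:
    """Vrfy: recompute the tag and compare in constant time (no early-exit timing leak)."""
    return hmac.compare_digest(mac(k, m), t)


def matches_stdlib(k: bytes, m: bytes) -> bool:
    """Check the textbook construction against Python's RFC 2104 implementation."""
    return mac(k, m) == hmac.new(k, m, hashlib.sha256).digest()


if __name__ == "__main__":
    key = gen()
    msg = b"constructed sample message"          # constructed input, not from the slides
    tag = mac(key, msg)
    print(tag.hex())
    print(vrfy(key, msg, tag), vrfy(key, msg + b"!", tag), matches_stdlib(key, msg))
```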
HMAC
[Figure: HMAC. The inner hash starts from IV and processes k1 = k ⊕ ipad followed by the message blocks m1, ..., mB and the length L = |m|; the outer hash starts from IV and processes k2 = k ⊕ opad followed by the inner result, producing the tag t. ipad and opad are each a single byte repeated.]
Theorem 4.14
If is collision-resistant and G is a pseudorandom generator then HMAC is existentially unforgeable under adaptive chosen message attacks (for arbitrary length messages).