Session 5
description
Transcript of Session 5
Session 5
Hash functions and digital signatures
Contents
• Hash functions– Definition– Requirements– Construction– Security– Applications
2/44
Contents
• Digital signatures– Definition– Digital signatures – procedure– Digital signature with RSA– Signing enciphered messages– Signing and hashing
3/44
Hash functions - definition• Let k, n be positive integers• A function f with n bit output and k
bit key is called a hash function if1. f is a deterministic function2. f takes 2 inputs, the first is of arbitrary
length and the second is of length k3. f outputs a binary string of length n
• Formally:
4/44
nk* ,,,:f 101010
Hash functions - definition• The key k is assumed to be known/fixed,
unlike in cipher systems• If k is known/fixed, the hash function is
unkeyed• If k is secret the hash function is keyed• k is known/fixed in most of the
applications (e.g. digital signature schemes)
• k is kept secret in Message Authentication Codes (MACs)
5/44
Hash functions – security requirements• In order to be useful for
cryptographic applications, any hash function must satisfy at least 3 properties (3 “levels of security”) (1)1. One-wayness (or preimage resistance):
a hash function f is one-way if, for a random key k and an n -bit output string w, it is difficult for the attacker presented with k and w to find x such that fk (x )=w.
6/44
Hash functions – security requirements• Security requirements (2)
2. Second preimage resistance (or weak collision resistance): a hash function f is second preimage resistant if it is difficult for an attacker presented with a random key k and a random input string x to find y x such that fk
(x )=fk (y ).
7/44
Hash functions – security requirements• Security requirements (3):
3. (Strong) collision resistance: a hash function f is collision resistant if it is difficult for an attacker presented with a random key k to find x and y x such that fk (x )=fk (y ).
8/44
Hash functions – security requirements• The collision resistance implies the
second preimage resistance.• The second preimage resistance and
one-wayness are incomparable– The properties do not follow from one
another– Still, a hash function that would be one-
way but not second preimage resistant would be quite artificial
9/44
Hash functions – security requirements• In practice, collision resistance is the
strongest security requirement of all the three requirements– the most difficult to satisfy– the easiest to breach
• Breaking the collision resistance property is the goal of most attacks on hash functions.
10/44
Hash functions – other requirements• Certificational weakness– A good hash function should possess
avalanche property• changing a bit of input would approximately
change a half of the output bits– No input bits can be reliably guessed
based on the hash function’s local output (local one-wayness)
– Failure to satisfy these (and some other) properties is called certificational weakness.
11/44
Hash functions – other requirements• It is also required that a hash
function is feasible to compute, given x (and k ).
• This is the reason why some theoretically strong constructions of hash functions are not used extensively in practice.
12/44
Hash functions – other requirements• Example: so called algebraic hash
functions, based on the same difficult mathematical problems that are used in public key cryptography– Shamir’s function (factoring)– Chaum-vanHeijst-Pfitzmann’s function
(discrete log)– Newer designs: VSH (factoring), LASH
(lattice), Dakota (modular arithmetic and symmetric ciphers)
13/44
Hash functions - construction
• The Merkle-Damgård construction– A classical hash function design– Iterates a compression function– A compression function• takes a fixed length input• outputs a fixed length (shorter) output.
14/44
Hash functions - construction
• In practice, symmetric cipher systems are used as compression functions (usually block ciphers).
• Let g =(x,k ) be a block cipher, where x is the plaintext message, and k is the key.
• The length of the block x is n bits and the length of the key k is m bits, m >n.
15/44
Hash functions - construction
• The hash function f to be constructed– has the (theoretically) unlimited input
length– has the output bit length n
• The input string to the hash function f is y.
16/44
Hash functions - construction
• Hash function iterations– Pad y such that the length of the padded
input y ’ is the least possible multiple of m.
– Let where yi {0,1}m .– Let f0 be a fixed initialization vector of
length n (in bits).– Then, for i =1,..., r, fi =g (fi -1, ).
– Finally, f =fr .17/44
'r
''' y||||y||yy 21
'iy
Hash functions - construction
• Remark:– The padding algorithm and f0 depend on
the particular hash function.• Schematic of the Merkle-Damgård
design
18/44
Hash functions - construction• Advantages of using block ciphers as
compression functions– Efficient, i.e. fast– Usually already implemented
• Disadvantage– Employing a strong block cipher in hash
function design does not guarantee a good hash function.
19/44
Hash functions - construction
• Examples of Merkle-Damgård designs– The MD (Message Digest) family of hash
functions (MD4, MD5), n =128.– The NIST SHA (Secure Hash Algorithm)
family of hash functions (SHA-1 (n =160), SHA-2 (i.e. SHA-256, SHA-512)).
• They all use custom block cipher rounds.
20/44
Hash functions - construction
• The speed of such a design depends on the number of rounds of the block cipher involved.
• Example–MD4 – 3 rounds–MD5 – 4 rounds – more secure– But MD5 is 30% slower than MD4.
21/44
Hash functions - security
• Security of the most often used hash functions, MD5 and SHA-1 has been recently compromised – collisions were found.
• They are now considered insecure.• Consequence: the SHA-3 contest, the
proposals are due October 2008.22/44
Hash functions - applications
• Data integrity protection– Digital signature schemes
• Authentication–Message authentication codes (MACs)– If MAC uses a hash function it is called
HMAC– HMAC standard RFC2104 (Bellare-
Canetti-Krawczyk, 1996).23/44
Digital signatures - definition
• Digital signature– A number dependent on some secret
known only to the signer and on the contents of the signed message
–Must be verifiable in case of• a signer repudiating a signature• a fraudulent claimant
24/44
Digital signatures - definition
• Applications– Authentication– Data integrity protection and non-
repudiation– Certification of public keys in large
networks.
25/44
Digital signatures - procedure
• Basic elements (1)–M – the set of messages that can be
signed– S – the set of signatures, e.g. binary
strings of fixed length– SA – signing transformation for the entity
A
• SA is kept secret by A• Used to create signatures from M
26/44
SM:SA
Digital signatures - procedure
• Basic elements (2)– VA – verification transformation for the
A’s signatures
• Publicly known• Used by other entities to verify signatures
created by A
27/44
false,trueSM:VA
Digital signatures - procedure
• Both SA and VA should be feasible to compute
• It should not be computationally feasible to forge a digital signature y on a message x– Given x, only A (i.e. Alice) should be
able to compute the signature y such that VA(x,y )=true. 28/44
Digital signatures - procedure
• Signing a message x– Alice uses the algorithm SA to compute
the signature over the message x– Alice publishes (or sends to some
recipient) the message x, together with the signature y =SA(x )
29/44
Digital signatures - procedure
• Verifying a signature of a message published/sent by Alice– Upon receiving the pair (x,y ), the verifier
uses the algorithm VA (publicly known) to verify the integrity of the received message x
– If VA (x,y )=true, the signature is verified.
30/44
Digital signatures - procedure
• It can be shown that asymmetric ciphers can be used for digital signature purposes
• To prevent forgery, it should be infeasible for an attacker to retrieve the secret information used for signing – the transformation SA.
31/44
Digital signature with RSA
• Alice signs the message x by using the deciphering transformation
• Alice is the only one that can sign, since dA is kept secret.
32/44
Ad nxy A mod
Digital signature with RSA
• Bob verifies the signature y received from Alice by employing encipherment of y using Alice’s public key (eA,nA), i.e.
• If c =x, then the signature y is verified.
33/44
Ae nyc A mod
Digital signature with RSA - security
• Suppose Eve wants to sign her own message x ’ with Alice’s signature y (i.e. to forge Alice’s signature).
• Eve does not know dA, she only knows Alice’s public key (eA,nA ).
34/44
Digital signature with RSA - security
• Direct verification, if Eve’s signed document (x ’,y ) is to be verified
– This will fail, since c ≠x ’.• Thus, what Eve needs is another
signature, y ’, such that• Getting y ’ is a difficult problem.
35/44
Ae nyc A mod
'mod' xny AeA
Digital signature with RSA - security
• Another possibility for Eve – she can choose y ’ first and then generate the message
• y ’ will then be easily verified, i.e. such a forgery is successful.
• But then the probability that x ’ is meaningful is very small.
36/44
Ae nyx A mod''
Signing enciphered messages
• Suppose Alice wants to send a signed enciphered message x to Bob.– Alice computes her signature y =SA (x )– Then Alice enciphers both x and y by
means of Bob’s public key– The ciphertext z is transmitted to Bob.
37/44
Signing enciphered messages
• Deciphering and verification– Bob deciphers z by means of his private
key and thus obtains (x,y )– Then Bob uses Alice’s public verification
function VA to verify the Alice’s signature y.
38/44
Signing and hashing
• Usually, public key ciphers are used in digital signature schemes
• If the original message is signed, the signature is at least as long as the message – inefficient
39/44
Signing and hashing
• Another problem is that of Eve’s ability to generate the signature and then get the corresponding message that may be meaningful, although with small probability.
• Solution: sign hashed message.
40/44
Signing and hashing
• The hash function f is made public• Starting with a message x, Alice first
computes f (x ), which is significantly smaller than x
• Alice then computes y =SA(f (x ))• Alice then sends (x,y ) to Bob.
41/44
• Verification process– Bob computes f (x )– Bob also computes VA (f (x ),y )– If VA (f (x ),y ) =true, then Alice’s
signature is verified.
Signing and hashing
42/44
• Suppose Eve has (x,y =SA(f (x ))• Eve would like to sign her own message
x ’ with Alice’s signature (i.e. to forge it)• So she needs SA(f (x ’))=SA(f (x )), which
means she needs f (x ’)=f (x ). This is difficult if f (x ) is second preimage resistant.
Signing and hashing - security
43/44
• Moreover, it is highly unlikely that Eve would be able to find two messages, x’ and x ’’ with the same hashes and consequently signatures, if f is collision resistant.
• So it is difficult for Eve to choose the signature first and then get the corresponding message.
Signing and hashing - security
44/44