CPSC 418/MATH 318 Introduction to Cryptography Hash Functions - PowerPoint PPT Presentation

CPSC 418/MATH 318 Introduction to Cryptography Hash Functions Randy Yee Department of Computer Science University of Calgary February 28, 2020

Outline Hash functions 1 Properties Some applications Examples Design Strategies 2 Other 3

Hash functions Hash functions Hash function are often called the ‘workhorse’ of cryptography as they are used to accomplish many goals You can also find them in some non cryptographic applications as well What comes to mind (if anything) when you think of hash functions? Visit www.menti.com

Hash functions Definition A function H : { 0 , 1 } ∗ → { 0 , 1 } n for some n ∈ N . The above is referred to as an n -bit hash function since its output is n -bits long. The image x = H ( M ) is called a hash or a digest . Hash function are thus compression functions (taking arbitrary length inputs to a fixed-length output). In most settings, one assumes that the hash function is fast and easy to compute, and that small changes to the input create large changes in the digest.

Hash functions Definition A function H : { 0 , 1 } ∗ → { 0 , 1 } n for some n ∈ N . The above is referred to as an n -bit hash function since its output is n -bits long. The image x = H ( M ) is called a hash or a digest . Hash function are thus compression functions (taking arbitrary length inputs to a fixed-length output). In most settings, one assumes that the hash function is fast and easy to compute, and that small changes to the input create large changes in the digest.

Hash functions Definition A function H : { 0 , 1 } ∗ → { 0 , 1 } n for some n ∈ N . The above is referred to as an n -bit hash function since its output is n -bits long. The image x = H ( M ) is called a hash or a digest . Hash function are thus compression functions (taking arbitrary length inputs to a fixed-length output). In most settings, one assumes that the hash function is fast and easy to compute, and that small changes to the input create large changes in the digest.

Hash functions Definition A function H : { 0 , 1 } ∗ → { 0 , 1 } n for some n ∈ N . The above is referred to as an n -bit hash function since its output is n -bits long. The image x = H ( M ) is called a hash or a digest . Hash function are thus compression functions (taking arbitrary length inputs to a fixed-length output). In most settings, one assumes that the hash function is fast and easy to compute, and that small changes to the input create large changes in the digest.

Hash functions Properties Desirable properties Preimage resistance: For almost all hash values x , it is computationally infeasible to find an element M with H ( M ) = x . 2nd Preimage resistance (weak collision resistance): For almost all M , it is computationally infeasible to find a second M ′ � = M such that H ( M ′ ) = H ( M ) . Collision resistance (strong collision resistance): It is computationally infeasible to find two distinct inputs M, M ′ with H ( M ′ ) = H ( M ) .

Hash functions Properties Desirable properties Preimage resistance: For almost all hash values x , it is computationally infeasible to find an element M with H ( M ) = x . 2nd Preimage resistance (weak collision resistance): For almost all M , it is computationally infeasible to find a second M ′ � = M such that H ( M ′ ) = H ( M ) . Collision resistance (strong collision resistance): It is computationally infeasible to find two distinct inputs M, M ′ with H ( M ′ ) = H ( M ) .

Hash functions Properties Desirable properties Preimage resistance: For almost all hash values x , it is computationally infeasible to find an element M with H ( M ) = x . 2nd Preimage resistance (weak collision resistance): For almost all M , it is computationally infeasible to find a second M ′ � = M such that H ( M ′ ) = H ( M ) . Collision resistance (strong collision resistance): It is computationally infeasible to find two distinct inputs M, M ′ with H ( M ′ ) = H ( M ) .

Hash functions Properties Relationships Show that if H is a collision resistant hash function, then it is also 2nd-preimage resistant. In assignment 3, you’ll construct examples that illustrate the other relationships do not hold.

Hash functions Properties Relationships Show that if H is a collision resistant hash function, then it is also 2nd-preimage resistant. Contrapositive: If H is not second pre-image resistant (2PR), then it is not collision-resistant. In assignment 3, you’ll construct examples that illustrate the other relationships do not hold.

Hash functions Properties Relationships Show that if H is a collision resistant hash function, then it is also 2nd-preimage resistant. Contrapositive: If H is not second pre-image resistant (2PR), then it is not collision-resistant. Suppose we are given some x . If H is not 2PR, then we can find another x ′ such that H ( x ) = H ( x ′ ) . This is a collision. In assignment 3, you’ll construct examples that illustrate the other relationships do not hold.

Hash functions Properties Relationships Show that if H is a collision resistant hash function, then it is also 2nd-preimage resistant. Contrapositive: If H is not second pre-image resistant (2PR), then it is not collision-resistant. Suppose we are given some x . If H is not 2PR, then we can find another x ′ such that H ( x ) = H ( x ′ ) . This is a collision. In assignment 3, you’ll construct examples that illustrate the other relationships do not hold.

Hash functions Properties Notes Despite the theory, collision resistance usually ensures preimage resistance in practice. There is some inconsistency in the literature on hash functions regarding these terms. We have followed the definitions of Menezes, van Oorschot and Vanstone. For a very formal treatment, see Rogaway and Shrimpton’s Cryptographic Hash-Function Basics (available online). A helpful video, but with some different terminology.

Hash functions Properties Notes Despite the theory, collision resistance usually ensures preimage resistance in practice. There is some inconsistency in the literature on hash functions regarding these terms. We have followed the definitions of Menezes, van Oorschot and Vanstone. For a very formal treatment, see Rogaway and Shrimpton’s Cryptographic Hash-Function Basics (available online). A helpful video, but with some different terminology.

Hash functions Properties Notes Despite the theory, collision resistance usually ensures preimage resistance in practice. There is some inconsistency in the literature on hash functions regarding these terms. We have followed the definitions of Menezes, van Oorschot and Vanstone. For a very formal treatment, see Rogaway and Shrimpton’s Cryptographic Hash-Function Basics (available online). A helpful video, but with some different terminology.

Hash functions Properties Notes Despite the theory, collision resistance usually ensures preimage resistance in practice. There is some inconsistency in the literature on hash functions regarding these terms. We have followed the definitions of Menezes, van Oorschot and Vanstone. For a very formal treatment, see Rogaway and Shrimpton’s Cryptographic Hash-Function Basics (available online). A helpful video, but with some different terminology.

Hash functions Some applications Cryptographic hash functions Hash functions that satisfy both preimage resistance and (strong) collision resistance are called cryptographic hash functions . These can allow us to accomplish many security feats: Data integrity (downloading large files and comparing to a checksum) Data integrity with secrecy (see below) Password protection Key derivation functions Randomness ( dev/random , OAEP(later)) More!

Hash functions Some applications Cryptographic hash functions Hash functions that satisfy both preimage resistance and (strong) collision resistance are called cryptographic hash functions . These can allow us to accomplish many security feats: Data integrity (downloading large files and comparing to a checksum) Data integrity with secrecy (see below) Password protection Key derivation functions Randomness ( dev/random , OAEP(later)) More!

Hash functions Some applications Data Integrity + Secrecy Hashing combined with encryption: A sender wanting to transmit a message M can first compute x = H ( M ) , then construct M || x . Sending C = E K ( M || x ) , a receiver can theoretically check that their message has not been tampered. Verify the decrypted value M ′ || x ′ satisfies H ( M ′ ) = x ′ . See Bob’s protocol from Assignment 1. The idea is that an adversary cannot manipulate the ciphertext without disrupting the check equation.

Hash functions Some applications Data Integrity + Secrecy Hashing combined with encryption: A sender wanting to transmit a message M can first compute x = H ( M ) , then construct M || x . Sending C = E K ( M || x ) , a receiver can theoretically check that their message has not been tampered. Verify the decrypted value M ′ || x ′ satisfies H ( M ′ ) = x ′ . See Bob’s protocol from Assignment 1. The idea is that an adversary cannot manipulate the ciphertext without disrupting the check equation.