CPSC 418/MATH 318 Introduction to Cryptography: Hash Functions



slide-1
SLIDE 1

CPSC 418/MATH 318 Introduction to Cryptography

Hash Functions Randy Yee

Department of Computer Science University of Calgary

February 28, 2020

slide-2
SLIDE 2

Outline

1. Hash functions: Properties, Some applications, Examples

2. Design Strategies

3. Other

slide-3
SLIDE 3

Hash functions

Hash functions

Hash functions are often called the ‘workhorse’ of cryptography, as they are used to accomplish many goals.

You can also find them in some non-cryptographic applications.

What comes to mind (if anything) when you think of hash functions? Visit www.menti.com

slide-4
SLIDE 4

Hash functions

Definition

A function $H : \{0,1\}^* \to \{0,1\}^n$ for some $n \in \mathbb{N}$.

The above is referred to as an n-bit hash function since its output is n bits long. The image x = H(M) is called a hash or a digest.

Hash functions are thus compression functions (taking arbitrary-length inputs to a fixed-length output).

In most settings, one assumes that the hash function is fast and easy to compute, and that small changes to the input create large changes in the digest.

slide-8
SLIDE 8

Hash functions Properties

Desirable properties

Preimage resistance: For almost all hash values x, it is computationally infeasible to find an element M with H(M) = x.

2nd Preimage resistance (weak collision resistance): For almost all M, it is computationally infeasible to find a second $M' \neq M$ such that $H(M') = H(M)$.

Collision resistance (strong collision resistance): It is computationally infeasible to find two distinct inputs $M, M'$ with $H(M') = H(M)$.

slide-13
SLIDE 13

Hash functions Properties

Relationships

Show that if H is a collision resistant hash function, then it is also 2nd-preimage resistant.

Contrapositive: If H is not second pre-image resistant (2PR), then it is not collision-resistant.

Suppose we are given some x. If H is not 2PR, then we can find another x′ such that H(x) = H(x′). This is a collision.

In assignment 3, you’ll construct examples that illustrate that the other relationships do not hold.

slide-15
SLIDE 15

Hash functions Properties

Notes

Despite the theory, collision resistance usually ensures preimage resistance in practice. There is some inconsistency in the literature on hash functions regarding these terms. We have followed the definitions of Menezes, van Oorschot and Vanstone. For a very formal treatment, see Rogaway and Shrimpton’s Cryptographic Hash-Function Basics (available online). A helpful video, but with some different terminology.

slide-19
SLIDE 19

Hash functions Some applications

Cryptographic hash functions

Hash functions that satisfy both preimage resistance and (strong) collision resistance are called cryptographic hash functions. These can allow us to accomplish many security feats:

Data integrity (downloading large files and comparing to a checksum)

Data integrity with secrecy (see below)

Password protection

Key derivation functions

Randomness (/dev/random, OAEP (later))

More!

slide-21
SLIDE 21

Hash functions Some applications

Data Integrity + Secrecy

Hashing combined with encryption: A sender wanting to transmit a message M can first compute x = H(M), then construct M||x. When the sender transmits $C = E_K(M \| x)$, the receiver can theoretically check that the message has not been tampered with.

Verify the decrypted value M′||x′ satisfies H(M′) = x′. See Bob’s protocol from Assignment 1.

The idea is that an adversary cannot manipulate the ciphertext without disrupting the check equation.

slide-25
SLIDE 25

Hash functions Examples

Example hash functions

SHA-1 (NIST/NSA, 1995) – broken!

SHA-2 (NIST/NSA, 2001): A family of functions offering various bit lengths, including SHA-224, SHA-256, etc.

SHA-3 (Bertoni, Daemen, Peeters, Van Assche, 2012): Winner of the NIST competition (2007-2012). Comes as a family: SHA3-224, SHA3-256, etc.

MD5 – broken!

BLAKE (Aumasson, Henzen, Meier, Phan, 2008): A NIST finalist. New variants BLAKE2 (2012) and BLAKE3 (2020).

slide-27
SLIDE 27

Hash functions Examples

SHA-1: Secure Hash Algorithm 1

Iterated hash function with hash length of 160 bits.

Collisions can be found in $2^{57}$ hash operations (Stevens, Karpman, Peyrin, 2015).

Chosen-prefix attacks demonstrated (Leurent, Peyrin, 2020) using $\approx 2^{63}$ hash ops; measly cost of 45K USD!

This type of attack is devastating since it means you can start with any two different files, and append values until their hash is the same.

Subject to crypto-puns such as the “SHAttered” attack (2017), and article titles like “SHA-1 is in Shambles” (2020).

slide-30
SLIDE 30

Design Strategies

Iterated Hash functions

How can we get a function to take in arbitrary inputs? Merkle and Damgard showed one way in which this can be done. Let f be a compression function which takes in an m-bit input from the previous step (chaining) and an n-bit block from M.

Think of the input as being of length n + r, obtained simply from concatenation of the previous output and a piece of M.

We also require an n-bit IV.

slide-34
SLIDE 34

Design Strategies

Figure: Obtained from https://www.slideshare.net/pakmuzammil/network-security-lec5

slide-35
SLIDE 35

Design Strategies

Formal description

If M is some message, divide it into r-bit blocks $M_1, M_2, \ldots, M_L$, padding if necessary.

$H_0 = IV$, $H_i = f(H_{i-1}, M_i)$, $1 \le i \le L$.

The final output is $H(M) = H_L$.

Merkle and Damgard independently showed that as long as f is collision resistant, then so is H.

Question: If we found a collision in the compression function f, describe how we can find arbitrarily many collisions in H.
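
The iteration above as runnable Python, an added example that is not part of the original slides. The compression function f is a toy with a deliberately planted collision (it ignores one bit of every block), and the 32-bit chaining value, 64-bit blocks, all-zero IV and padding rule are assumptions chosen for illustration; it shows how a single collision in f carries through to H for any block-aligned prefix and any suffix.

```python
import hashlib
import struct

N_BYTES = 4          # chaining value / digest size n = 32 bits (assumed)
R_BYTES = 8          # message block size r = 64 bits (assumed)
IV = bytes(N_BYTES)  # all-zero IV (assumed)


def f(h, block):
    """Toy compression function f(H_{i-1}, M_i).

    Planted flaw: the top bit of the first block byte is masked off, so two
    blocks that differ only in that bit collide for every chaining value.
    """
    masked = bytes([block[0] & 0x7F]) + block[1:]
    return hashlib.sha256(h + masked).digest()[:N_BYTES]


def pad(msg):
    """Append 0x80, zero bytes up to a block boundary, then the bit length."""
    zeros = -(len(msg) + 1) % R_BYTES
    return msg + b"\x80" + bytes(zeros) + struct.pack(">Q", 8 * len(msg))


def md_hash(msg):
    """H_0 = IV, H_i = f(H_{i-1}, M_i); the output is H_L."""
    h = IV
    data = pad(msg)
    for i in range(0, len(data), R_BYTES):
        h = f(h, data[i:i + R_BYTES])
    return h


# The collision in f (constructed): one block, differing only in the ignored bit.
BLOCK_A = b"\x01PAY-100"
BLOCK_B = b"\x81PAY-100"


def extend_collision(prefix, suffix):
    """Turn the f-collision into two distinct messages with equal H.

    The prefix must be block-aligned so the colliding blocks reach f whole.
    After them the chaining values are equal and stay equal, and because
    both messages have the same length the length padding is identical too.
    """
    if len(prefix) % R_BYTES:
        raise ValueError("prefix must be a whole number of blocks")
    return prefix + BLOCK_A + suffix, prefix + BLOCK_B + suffix


def collisions(count):
    """Produce `count` different colliding pairs by varying the suffix."""
    return [extend_collision(b"HEADER__", b"suffix-%d" % i) for i in range(count)]


if __name__ == "__main__":
    for m1, m2 in collisions(3):
        print(m1, m2, md_hash(m1).hex(), md_hash(m2).hex())
```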

slide-38
SLIDE 38

Design Strategies

Sponge Construction

Following earlier signs of SHA-1 being insecure, NIST held a competition for a new hash function to standardize. The eventual winner Keccak, now known as SHA-3, used a different construction than Merkle-Damgard. We’ll discuss this construction next time.

slide-39
SLIDE 39

Other

Proof-of-work systems

Used as a consensus mechanism. Deters DoS attacks and spam on networks by requiring some work from the service requester. A popular mechanism is to use partial-hash inversion. The system Hashcash asks that in order to prove you’ve done work, you must provide a novel M such that H(M) has a certain number of preceding ‘0’s. Bitcoin employs a version of Hashcash using double SHA-256.
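
A partial-hash-inversion stamp of the kind described above, as an added example that is not code from the original slides, from Hashcash or from Bitcoin. The stamp layout bits:resource:counter, the resource name and the 12-bit difficulty are assumptions; the hash is double SHA-256 as the slide mentions for Bitcoin, and the verifier's record of seen stamps enforces the "novel M" requirement.

```python
import hashlib


def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest):
    """Count the zero bits at the front of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(resource, bits):
    """Requester side: search counters until the stamp hash has `bits` zeros.

    Expected work is about 2**bits hash evaluations.
    """
    counter = 0
    while True:
        stamp = "%d:%s:%d" % (bits, resource, counter)
        if leading_zero_bits(double_sha256(stamp.encode())) >= bits:
            return stamp
        counter += 1


class Verifier:
    """Service side: one hash evaluation per stamp, plus a replay check."""

    def __init__(self, resource, bits):
        self.resource = resource
        self.bits = bits
        self.seen = set()

    def accept(self, stamp):
        parts = stamp.split(":")
        if len(parts) != 3:
            return False
        claimed_bits, resource, _counter = parts
        if claimed_bits != str(self.bits) or resource != self.resource:
            return False                      # minted for someone else
        if stamp in self.seen:
            return False                      # not novel: replayed stamp
        if leading_zero_bits(double_sha256(stamp.encode())) < self.bits:
            return False                      # not enough work
        self.seen.add(stamp)
        return True


if __name__ == "__main__":
    s = mint("alice@example.org", 12)         # constructed resource name
    v = Verifier("alice@example.org", 12)
    print(s, v.accept(s), v.accept(s))
```

Raising the difficulty by one bit doubles the requester's expected work while the verifier's cost stays at a single double hash.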

slide-40
SLIDE 40

Other

The Random Oracle Model (ROM)

The ROM was introduced to analyze the security of certain protocols (Bellare and Rogaway, 1993). Informally, one regards the hash function H as a random oracle – i.e. a black box that takes in a bitstring M and outputs a random value.

The oracle keeps a record of which M have been input, and repeats that response if M is provided again.

This is a very strong assumption which has sparked some controversy: Another Look

slide-43
SLIDE 43

Other

Generic attacks on hash functions (under ROM)

Two possible goals when attacking cryptographic hash functions: find a preimage or find a collision.

Generically, finding a preimage costs an expected $O(2^n)$ operations for an n-bit hash function.

Given a particular hash x, an arbitrary element M has probability $1/2^n$ of satisfying H(M) = x (under certain randomness hypotheses). Hence one would expect to have to try an average of $2^n$ messages before succeeding.

slide-47
SLIDE 47

Other

Generic attacks on hash functions cont.

To find a collision, the expected cost is $O(2^{n/2})$.

Since we are looking for any collision, the birthday paradox gives us a roughly square root improvement.

Question: What is the expected time of a generic attack to find a second preimage?
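
The random-oracle view and the two generic costs (preimage and collision), measured empirically in an added example that is not part of the original slides. The lazily sampled table, the toy output size n = 12 and the seeded generators (used only so runs repeat) are assumptions; at n = 12 the preimage search averages on the order of 2^12 queries and the collision search on the order of 2^6.

```python
import random


class RandomOracle:
    """Lazily sampled random function from byte strings to n-bit values."""

    def __init__(self, n_bits, seed):
        self.n_bits = n_bits
        self.rng = random.Random(seed)   # seeded so runs repeat (assumption)
        self.table = {}                  # record of every M queried so far
        self.queries = 0

    def query(self, m):
        self.queries += 1
        if m not in self.table:          # fresh input: draw a random output
            self.table[m] = self.rng.getrandbits(self.n_bits)
        return self.table[m]             # repeated input: repeat the answer


def preimage_cost(n_bits, seed):
    """Number of queries until some M hits one fixed target digest x."""
    oracle = RandomOracle(n_bits, seed)
    target = random.Random("target-%d" % seed).getrandbits(n_bits)
    i = 0
    while oracle.query(i.to_bytes(8, "big")) != target:
        i += 1
    return oracle.queries


def collision_cost(n_bits, seed):
    """Number of queries until any two distinct inputs share a digest."""
    oracle = RandomOracle(n_bits, seed)
    seen = set()
    i = 0
    while True:
        digest = oracle.query(i.to_bytes(8, "big"))
        if digest in seen:
            return oracle.queries
        seen.add(digest)
        i += 1


def average_cost(cost_fn, n_bits, trials):
    """Mean query count over `trials` independently seeded oracles."""
    return sum(cost_fn(n_bits, seed) for seed in range(trials)) / trials


if __name__ == "__main__":
    n = 12
    print("preimage :", average_cost(preimage_cost, n, 20), "vs 2^n =", 2 ** n)
    print("collision:", average_cost(collision_cost, n, 20), "vs 2^(n/2) =", 2 ** (n // 2))
```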

slide-50
SLIDE 50

Other

Controversy with ROM

Another look at "provable security" – Koblitz, Menezes

Post-Modern Cryptography – Oded Goldreich

ROM: Twenty Year Retrospective – Koblitz, Menezes

slide-51
SLIDE 51

Other

Hash-based cryptography

There is interest in constructing cryptographic primitives based solely on the security of hash functions.

Currently limited to only signature schemes.

One candidate in the ongoing NIST competition: SPHINCS+.
