References Cryptographic Hash Functions Hash Functions, Chapter 11 - - PowerPoint PPT Presentation




Cryptographic Hash Functions & Signature Schemes

Jim Royer

Introduction to Cryptography

October 4, 2018

Crypto Hash Functions

References

  • "Hash Functions," Chapter 11 of Understanding Cryptography by Paar & Pelzl.
  • Mathematical Cryptography, by Keijo Ruohonen, http://math.tut.fi/~ruohonen/MC.pdf, pages 98–99.
  • "Digital Signatures," Chapter 10 of Understanding Cryptography by Paar & Pelzl. (Ignore §10.5 for the time being.)
  • A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup, https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_4.pdf, see Chapters 13 and 14 and ignore the wilder stuff.
  • Cryptography: An Introduction, 3/e by Nigel Smart, https://www.cs.bris.ac.uk/~nigel/Crypto_Book/, Chapter 14.

Current Contents of Our Cryptographic Toolbox

Modern Symmetric Cryptosystems
  • Block ciphers: 3DES, AES, etc.
  • Stream ciphers: the one-time pad and its descendants
  ✔ Good for fast encryption of bulk data
  ✖ Requires that all parties start with the same secret key

Asymmetric Cryptosystems
  • RSA, Diffie-Hellman, ElGamal, ...
  ✔ Good for key exchanges
  ✔ Does not require the parties to share any secret to start
  ✖ Relatively slow

The Next New Tool: Cryptographic Hash Functions
  • These are used for lots of things.
  • In particular, we will see how they are used in signature schemes.

The Data-Structures/Algorithms View of Hashing

  • U = universe of keys, N = Card(U) (N big!)
  • K = actual keys, n = Card(K) (n small!)
  • T[0..m − 1] = a table (m also small)
  • A hash function: an h: U → { 0, ..., m − 1 }
  • A collision: when k ≠ k′, but h(k) = h(k′).
  • What we want of h: fast to compute, deterministic, scatters data around.

Cryptographic Hash Functions

h: strings → { 0, 1 }^k, where typically k = 160 or 256. We want h to be:

  • 1. fast to compute.
  • 2. one-way (a.k.a. preimage resistant), i.e., given y, finding an x with h(x) = y is hard.
  • 3. collision resistant (a.k.a. strongly collision-free∗), i.e., it is hard to find distinct m1 & m2 ∋ h(m1) = h(m2).
  • 3′. second preimage resistant (a.k.a. weakly collision-free∗), i.e., given m1, it is hard to find an m2 ≠ m1 ∋ h(m1) = h(m2).

Many crypto-hash functions have problems with 3 and 3′. E.g., MD4, MD5, HAVAL-128, and especially SHA-1.

  • Crypto hash functions are a central part of the crypto toolkit — used in signature schemes, etc.

∗ A silly name since there are lots of collisions, but spread very thin.

Hashing & Signing

    m  --h-->  h(m)  --sigA-->  sigA(h(m))
               (message digest)

Alice: Computes y = sigA(h(m)). (sigA = Alice's signature function.) Sends (m, y) to Bob.
Bob: Receives (m, y). Checks verA(h(m), y). (verA = Alice's signature verification function.)
Eve: Given (m, sigA(h(m))), Eve wants to forge Alice's signature on some m′. So Eve needs y′ = sigA(h(m′)) = sigA(h(m)), i.e., an m′ with h(m′) = h(m). But if h is collision resistant, Eve is out of luck.

Why not sign m directly? We will see some specific signature schemes shortly.

Hashing, Continued

A bad hash function: h(m) = m (mod n). Fast to compute, but not 1-way and not collision resistant. (Why?)

A better one (but slow): CvHP (Chaum, van Heijst, & Pfitzmann)

Setup: Find a prime p such that q = (p − 1)/2 is also prime, and find two primitive elements of Z_p^*, α and β ∋ β = α^a (mod p), for some a. (Take a with gcd(a, p − 1) = 1.) [Copy on board]

Function: h(m) =def α^{x0} β^{x1} (mod p), where m ∈ Z_{q²}, m = x0 + x1 · q, and x0, x1 ∈ Z_{q−1}. [Copy on board]

Theorem 1. Given distinct m, m′ with h(m) = h(m′), we can compute a = dlog_α(β). [Copy on board]

∴ ¬[computing dlog_α is easy] ⇒ ¬[finding collisions is easy]

Proof of the CvHP Theorem

Proof. Suppose
  ■ m = x0 + x1 · q
  ■ m′ = x′0 + x′1 · q
  ■ x0, x′0, x1, x′1 ∈ Z_{q−1}
  ■ m ≠ m′
  ■ α^{x0} β^{x1} = α^{x′0} β^{x′1} (mod p).

Since β = α^a (mod p), we have: α^{a(x1 − x′1) − (x′0 − x0)} ≡ 1 (mod p).

Thus:
    a(x1 − x′1) ≡ (x′0 − x0) mod (p − 1)    (1)
(Why?)

Goal: Solve (1) for a. Let d =def gcd(x1 − x′1, p − 1). Since p − 1 = 2 · q, d ∈ { 1, 2, q, p − 1 }. Since 0 ≤ x1, x′1 < q, |x1 − x′1| < q. Since m ≠ m′, by (1), x1 ≠ x′1. So, d ∈ { 1, 2 }.

CASE: d = 1. Then: a = (x1 − x′1)^{−1} (x′0 − x0) (mod p − 1).

CASE: d = 2. Then there are two possibilities for a and they are easy to find. (How?) Try them both. One yields α^a = β.

In either case you've got a. QED


Notes: Proof of the CvHP Theorem

How to find a when d = 2: We are looking for values of a ∈ Z_{p−1}^* such that, for some k,
    a(x1 − x′1) − (x′0 − x0) = k · (p − 1).    (2)
Since both x1 − x′1 and p − 1 are even, by (2), so is x′0 − x0. Divide through (2) by 2 and obtain
    a((x1 − x′1)/2) − ((x′0 − x0)/2) = k · ((p − 1)/2).    (3)
But q = (p − 1)/2 is prime and gcd((x1 − x′1)/2, q) = 1. (next page)


Notes: Proof of the CvHP Theorem (continued)

How to find a when d = 2 (continued): So we can solve for a in (3) and obtain:
    a0 = ((x′0 − x0)/2) · ((x1 − x′1)/2)^{−1} (mod (p − 1)/2)
Since a0 solves (3), it also solves (2) — just multiply (3) through by 2. However:
  Claim 1: a0 + q also solves (2).
  Claim 2: If a, a′ ∈ Z_{p−1}^* are two solutions to (2), then a ≡ a′ (mod q).
(Exercise: Prove these.) So, by Claims 1 and 2, a0 and a0 + q are the only solutions to (2). QED
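Theorem 1 and its two-case proof carried out on a toy instance, as an added example (not code from the slides): p = 23, q = 11, α = 5 and the secret a = 3 are constructed parameters, far too small for real use, but small enough to brute-force a collision and then recover a exactly the way the proof does, including the d = 2 branch with its two candidates.

```python
from math import gcd

# Toy CvHP parameters (constructed for this example; a real instance needs a large p):
# p = 2q + 1 with q = 11 prime, alpha = 5 a primitive element of Z_23^*,
# and beta = alpha^a mod p for the secret exponent a = 3 (gcd(3, p - 1) = 1).
p, q = 23, 11
alpha = 5
secret_a = 3
beta = pow(alpha, secret_a, p)   # 10, also primitive since gcd(a, 22) = 1

def cvhp_hash(m: int) -> int:
    """h(m) = alpha^x0 * beta^x1 mod p, where m = x0 + x1*q with 0 <= x0, x1 < q."""
    if not 0 <= m < q * q:
        raise ValueError("m must lie in Z_{q^2}")
    x0, x1 = m % q, m // q
    return (pow(alpha, x0, p) * pow(beta, x1, p)) % p

def find_collision():
    """Brute-force a collision h(m) = h(m') with m != m' (feasible only because p is tiny)."""
    seen = {}
    for m in range(q * q):
        y = cvhp_hash(m)
        if y in seen:
            return seen[y], m
        seen[y] = m
    return None

def dlog_from_collision(m: int, m2: int) -> int:
    """Theorem 1: recover a = dlog_alpha(beta) from a collision, following the proof's two cases."""
    if m == m2 or cvhp_hash(m) != cvhp_hash(m2):
        raise ValueError("not a collision")
    x0, x1 = m % q, m // q
    y0, y1 = m2 % q, m2 // q
    # Equation (1): a*(x1 - y1) ≡ (y0 - x0) (mod p - 1); x1 != y1 because m != m'.
    lhs, rhs = x1 - y1, y0 - x0
    d = gcd(lhs, p - 1)            # in {1, 2}: |x1 - y1| < q rules out q and p - 1
    if d == 1:
        return (pow(lhs, -1, p - 1) * rhs) % (p - 1)
    # d == 2: rhs is even too; divide (2) through by 2 and solve modulo q = (p - 1)/2 ...
    a0 = ((rhs // 2) * pow(lhs // 2, -1, q)) % q
    # ... then a0 and a0 + q are the only solutions of (2); exactly one gives alpha^a = beta.
    for cand in (a0, a0 + q):
        if pow(alpha, cand, p) == beta:
            return cand
    raise ValueError("no candidate matched; the parameters are not as assumed")
```

With these parameters h(3) = h(11) = 10 is the first collision found, and it falls in the d = 1 case; h(6) = h(22) exercises the d = 2 case.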

CvHP: Collision-resistant ⇒ 1-way

By Theorem 1: If discrete log is hard, then h is collision-resistant. But what about 1-way? Suppose h is fast to invert, i.e., there is a fast-to-compute g such that (∀y)[h(g(y)) = y].

    Repeat forever:
        Choose m ∈_R Z_{q²}^*
        Compute y = h(m)
        Compute m_y = g(y)
        If m ≠ m_y, then return (m, m_y)

With high probability the search halts after only a few iterations, and (m, m_y) is then a collision. So, by Theorem 1, we can quickly find discrete logs.

∴ If discrete log is hard, then h is one-way.

A Simple-Minded Hash Function

CvHP has nice properties, but it is SLOW. Here is a fast, but insecure hash function.

Suppose m is a message of length ℓ · n bits. (Pad if needed.) Break m into ℓ-many n-bit blocks m0, ..., m_{ℓ−1}. Notation: m_j =def [m_{j,0}, ..., m_{j,n−1}]. ⊕ = exclusive-or.

    h(m) = c0 ... c_{n−1}, where c_i =def m_{0,i} ⊕ m_{1,i} ⊕ ··· ⊕ m_{ℓ−1,i}.    (Draw the picture!)

To make this more secure, we add more operations. E.g., bit rotations:

    h′(m) = c0 ... c_{n−1}, where c_i = ⊕_{j=0}^{ℓ−1} m_{j,((j+i) mod n)}


Notes: A Simple-Minded Hash Function. The picture for h(m): write the blocks as an ℓ × n array of bits, row j being m_{j,0} m_{j,1} ... m_{j,n−1}; XOR each column downward (⇓ ⊕ ⇓) to obtain the digest bits c0 c1 ... c_{n−1}.
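The block-XOR hash h and its rotated variant h′ from the slide, as an added example (not the slide's own code): n = 8 so that each block is one byte, and the sample message is constructed. It shows concretely why h is insecure: any reordering of the blocks leaves h unchanged, and since rotation amounts repeat every n blocks, even h′ cannot tell apart a swap of blocks j and j + n.

```python
def blocks(m: bytes, n: int = 8):
    """Split m into l-many n-bit blocks (zero-padded, as the slide allows); n = 8 makes a block one byte."""
    bits = "".join(f"{b:08b}" for b in m)
    if len(bits) % n:
        bits += "0" * (n - len(bits) % n)
    return [[int(c) for c in bits[i:i + n]] for i in range(0, len(bits), n)]

def h(m: bytes, n: int = 8) -> str:
    """h(m) = c_0 ... c_{n-1} with c_i = m_{0,i} xor m_{1,i} xor ... xor m_{l-1,i}."""
    rows = blocks(m, n)
    return "".join(str(sum(row[i] for row in rows) % 2) for i in range(n))

def h_rot(m: bytes, n: int = 8) -> str:
    """h'(m): block j contributes bit (j + i) mod n to c_i, i.e. block j is rotated by j first."""
    rows = blocks(m, n)
    return "".join(str(sum(row[(j + i) % n] for j, row in enumerate(rows)) % 2) for i in range(n))

def swap_blocks(m: bytes, j1: int, j2: int) -> bytes:
    """A 'slight change' to the message: exchange two one-byte blocks (n = 8)."""
    out = bytearray(m)
    out[j1], out[j2] = out[j2], out[j1]
    return bytes(out)

SAMPLE = b"transfer 1000 to account 42"   # constructed sample message (27 blocks of 8 bits)

def reorder_collides_under_h(m: bytes, j1: int, j2: int) -> bool:
    """h ignores block order, so swapping two different blocks is always a collision."""
    m2 = swap_blocks(m, j1, j2)
    return m2 != m and h(m2) == h(m)

def reorder_collides_under_h_rot(m: bytes, j1: int, j2: int) -> bool:
    """h' notices the swap unless j1 ≡ j2 (mod n), because the rotation amount is j mod n."""
    m2 = swap_blocks(m, j1, j2)
    return m2 != m and h_rot(m2) == h_rot(m)
```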

SHA-1, part I

  • Designed by the NSA. A NIST standard since 1995.
  • Takes messages of size k · 512 − 64 bits (k > 0) to message digests of 160 bits.
  • Was very widely used.
  • Before 2001, finding collisions was thought to need > 2^80 bit ops. By the summer of 2005, this was down to 2^63. In February 2017 CWI Amsterdam and Google announced they had performed a collision attack against SHA-1.

See: http://en.wikipedia.org/wiki/SHA-1 and http://www.ams.org/notices/200603/fea-landau.pdf

SHA-1, example

small changes in input → large changes in output


SHA-1, part II

The SHA-1 Algorithm, see §11.4 in Paar & Pelzl. 80 rounds, t = 0, ..., 79. For each of the (32-bit) subregisters, we have the computation given by the diagram on the right, where

    f_t(B, C, D) = (B ∧ C) ∨ ((¬B) ∧ D),          if 0 ≤ t < 20;
                 = (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D),   if 40 ≤ t < 50;
                 = B ⊕ C ⊕ D,                     otherwise.

Diagram from http://en.wikipedia.org/wiki/SHA-1

  • W_t is the expanded message word of round t
  • K_t is the round constant of round t
  • ⊞ denotes addition modulo 2^32
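A from-scratch SHA-1 that follows the diagram (W_t expansion, K_t, f_t and the ⊞ additions mod 2^32), added here as an example and not taken from the slides; it uses the FIPS 180-4 round ranges for f_t (Ch for 0 ≤ t < 20, Maj for 40 ≤ t < 60, parity otherwise) so that its digests match hashlib, and differing_bits illustrates the earlier slide's point that a one-character change flips roughly half of the 160 digest bits.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def rotl(x: int, n: int) -> int:
    """32-bit left rotation (the <<< boxes in the diagram)."""
    return ((x << n) | (x >> (32 - n))) & MASK

def f(t: int, b: int, c: int, d: int) -> int:
    """Round function f_t with the FIPS 180-4 ranges: Ch, parity, Maj, parity."""
    if t < 20:
        return (b & c) | (~b & d)
    if 40 <= t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d

def k(t: int) -> int:
    """Round constant K_t (one constant per group of 20 rounds)."""
    return (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)[t // 20]

def sha1(msg: bytes) -> bytes:
    # Padding: a 1 bit, zeros, then the 64-bit big-endian bit length; total is a multiple of 512 bits.
    bitlen = 8 * len(msg)
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bitlen)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    for off in range(0, len(msg), 64):              # one 512-bit block per iteration
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for t in range(16, 80):                     # message expansion: W_t for t >= 16
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):                         # the 80 rounds of the diagram
            tmp = (rotl(a, 5) + f(t, b, c, d) + e + k(t) + w[t]) & MASK
            a, b, c, d, e = tmp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]   # feed-forward, mod 2^32
    return struct.pack(">5I", *h)

def matches_hashlib(msg: bytes) -> bool:
    """Cross-check against the library implementation."""
    return sha1(msg) == hashlib.sha1(msg).digest()

def differing_bits(x: bytes, y: bytes) -> int:
    """Hamming distance between two digests (about 80 of 160 for unrelated inputs)."""
    return sum(bin(p ^ q).count("1") for p, q in zip(x, y))
```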


SHA-2 and SHA-3

SHA-2 (i.e., the family SHA-224, SHA-256, SHA-384, SHA-512) are, very roughly, more elaborate versions of SHA-1. SHA-3 was introduced in 2015 and is built along very different lines. For details, see:

  • http://en.wikipedia.org/wiki/SHA-2
  • http://en.wikipedia.org/wiki/SHA-3
  • On the Understanding Cryptography homepage http://www.crypto-textbook.com, look under Sample Chapters; between Chapters 11 and 12 is an "extension chapter" on SHA-3.

Birthday Attacks

Probability Puzzle
  • Given 23 people, Prob[two have the same b-day] ≥ 0.5
  • Given 30 people, Prob[two have the same b-day] ≥ 0.7
  • Given 40 people, Prob[two have the same b-day] ≥ 0.89

Calculation: Probability that 23 people all have different birthdays
    = 1 · ((365 − 1)/365) · ((365 − 2)/365) · ··· · ((365 − 22)/365) ≈ 0.493
Thus, prob. two have the same birthday ≈ 1 − 0.493 = 0.507.

What is the connection with hashing? h : People → (Days of the year), h(x) = x's birthday; a collision ≡ finding two people with the same birthday.

Probability of a Match in the Birthday Paradox

(Figure: the slide shows only a plot of the match probability against the number of people.)

Birthday attacks, continued

A generalization: We have n objects and two groups of r people each; each person selects an object. (Picture on board.)

Q: What is the prob. that some object is selected by a person from each group?
A: If λ = r²/n, then
    probability of one match ≈ 1 − e^{−λ}
    probability of k matches ≈ λ^k e^{−λ} / k!

For details see: https://en.wikipedia.org/wiki/Birthday_problem#Generalizations


Birthday attacks, continued

Suppose h: messages → Z_2^{50}.

Eve
  • has a message m she knows Alice will sign & has a message m′ she knows Alice would never sign.
  • Computes (possibly in parallel): For i = 1, ..., 2^30 (2^30 = 1,073,741,824):
        m_i ← (a slight change of m)  &  m′_i ← (a slight change of m′)
  • Checks for a collision: h(m_i) = h(m′_j).
  • If she finds one, then: Eve has Alice sign m_i, obtaining sigA(h(m_i)). Eve constructs (m′_j, sigA(h(m_i))) = (m′_j, sigA(h(m′_j))). Alice has trouble!

Q: How likely is such a collision? n = 2^50, r = 2^30, λ = 2^10, 1 − e^{−1024} ≈ 1 = certainty!

Possible Fixes

Fix 1: 50 is too small in h: messages → Z_2^{50}. Pick a bigger number.
Fix 2: Alice makes the last move by randomly changing m before signing.
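The birthday numbers, Eve's two-list search and Fix 2 from the preceding slides, as an added example (not from the slides). The digest is SHA-256 truncated to 20 bits, a stand-in for the slide's too-short 50-bit h so that the search finishes instantly; the "slight changes" are space-versus-tab choices between words; the two messages are constructed.

```python
import hashlib
import math
import secrets

def prob_all_distinct(k: int, n: int = 365) -> float:
    """Exact P[k people all have different birthdays] = prod_{i<k} (n - i)/n."""
    p = 1.0
    for i in range(k):
        p *= (n - i) / n
    return p

def prob_one_match(r: int, n: int) -> float:
    """Two groups of r people each pick one of n objects: P[some object picked by both] ≈ 1 - e^(-λ), λ = r²/n."""
    return 1 - math.exp(-(r * r) / n)

def toy_hash(msg: bytes, bits: int = 20) -> int:
    """Deliberately weak digest for the demo: SHA-256 truncated to `bits` bits, so n = 2^bits."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def variants(msg: bytes, count: int):
    """'Slight changes': gap g between words is a space or a tab according to bit g of i."""
    words = msg.split(b" ")
    if count > 2 ** (len(words) - 1):
        raise ValueError("not enough word gaps for that many variants")
    for i in range(count):
        seps = [b"\t" if (i >> g) & 1 else b" " for g in range(len(words) - 1)]
        yield b"".join(w + s for w, s in zip(words, seps)) + words[-1]

def birthday_collision(m: bytes, m2: bytes, r: int, bits: int = 20):
    """Eve's search: r variants of each message; return (m_i, m'_j) with equal digests, or None."""
    table = {toy_hash(v, bits): v for v in variants(m, r)}
    for v2 in variants(m2, r):
        y = toy_hash(v2, bits)
        if y in table:
            return table[y], v2
    return None

def randomized_digest(msg: bytes, nonce=None, bits: int = 20):
    """Fix 2: Alice appends fresh randomness before hashing, so a collision Eve prepared no longer lines up."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    return toy_hash(msg + nonce, bits), nonce

# Constructed sample messages: one Alice would sign, one she never would.
M_GOOD = b"Alice agrees to pay Bob the sum of ten dollars for the bicycle described in this note"
M_BAD = b"Alice agrees to pay Eve her entire savings account balance and the deed to her house"
```

With r = 2^12 variants per message and n = 2^20, λ = 2^24/2^20 = 16, so a cross-list match is found with probability about 1 − e^{−16}.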


Recall: Hashing & Signing

    m  --h-->  h(m)  --sigA-->  sigA(h(m))
               (message digest)

Alice: Computes y = sigA(h(m)). (sigA = Alice's signature function.) Sends (m, y) to Bob.
Bob: Receives (m, y). Checks verA(h(m), y). (verA = Alice's signature verification function.)
Eve: Given (m, sigA(h(m))), Eve wants to forge Alice's signature on some m′. So Eve needs y′ = sigA(h(m′)) = sigA(h(m)), i.e., an m′ with h(m′) = h(m). But if h is collision-resistant, Eve is out of luck.

The Digital Signature Algorithm (DSA)

h : messages → Z_2^{160}

Setup for Alice
  • Finds a prime q ∋ q is 160 bits & there is another prime p with q | (p − 1).
  • Finds g, a primitive element of Z_p^*. (So {g^1, g^2, ..., g^{p−1}} = Z_p^*.)
  • Lets α =def g^{(p−1)/q} mod p. (So α^q ≡ 1 (mod p).)
  • Chooses a ∈ Z_q^* and lets β =def α^a mod p.

Public: p, q, α, β    Private: a

DSA, Continued

DSA parameters
  • p and q primes with q | (p − 1).
  • g, a primitive element of Z_p^*.
  • α = g^{(p−1)/q} (mod p).
  • β = α^a (mod p) with a ∈ Z_q^*.

Alice wants to sign m
  • Chooses k ∈_R Z_q^*. (Private.)
  • Computes r = (α^k mod p) mod q & s = (k^{−1}(m + ar)) mod q.
  • Sends (m, r, s).

Bob wants to verify (m, r, s) (Check on board)
  • Checks v ?= r, where: u1 = s^{−1} m (mod q), u2 = s^{−1} r (mod q), v = (α^{u1} β^{u2} mod p) mod q.

This is a bit faster than ElGamal (covered later). ElGamal: 3 mod-exps. DSA: 2 mod-exps.


Notes: DSA, Continued. Recall: r = (α^k mod p) mod q and s = (k^{−1}(m + ar)) mod q. Why should v = r? By the definition of s: m ≡ (−ar + ks) (mod q). Hence, u1 ≡ s^{−1} m ≡ (−ars^{−1} + k) (mod q). Thus, k ≡ (s^{−1} m + ars^{−1}) ≡ (u1 + au2) (mod q). That is, k = u1 + au2 + jq for some integer j. ∴ α^k = α^{u1} (α^a)^{u2} α^{jq} = α^{u1} β^{u2} (α^q)^j ≡ α^{u1} β^{u2} (mod p) (since α^q ≡ 1 (mod p)). So, r = (α^k mod p) mod q = (α^{u1} β^{u2} mod p) mod q = v.
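DSA signing and verification on a toy group, as an added example (not the slides' code): p = 23, q = 11, g = 5 and the private a = 7 are constructed parameters, the slide's 160-bit h is SHA-1 reduced mod q so that it fits the toy group, and k_identity_holds checks the note's key step k ≡ u1 + a·u2 (mod q) directly.

```python
import hashlib
import secrets

# Toy DSA parameters (constructed; real DSA needs q of at least 160 bits and a much larger p):
# q = 11 divides p - 1 = 22, g = 5 is a primitive element of Z_23^*,
# alpha = g^((p-1)/q) mod p has order q, and beta = alpha^a mod p for the private a.
p, q, g = 23, 11, 5
alpha = pow(g, (p - 1) // q, p)      # = 2, and alpha^q ≡ 1 (mod p)
private_a = 7
beta = pow(alpha, private_a, p)      # = 13

def digest_mod_q(message: bytes) -> int:
    """h: messages -> Z_q. SHA-1 (the slide's 160-bit h) reduced mod q to fit the toy group."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q

def sign_digest(m: int, a: int, k: int):
    """Alice: r = (alpha^k mod p) mod q and s = k^(-1)(m + a*r) mod q, for k in Z_q^*."""
    r = pow(alpha, k, p) % q
    s = (pow(k, -1, q) * (m + a * r)) % q
    return r, s

def verify_digest(m: int, r: int, s: int) -> bool:
    """Bob: v = (alpha^u1 * beta^u2 mod p) mod q must equal r."""
    if not (0 < r < q and 0 < s < q):    # FIPS 186 rejects r = 0 or s = 0
        return False
    w = pow(s, -1, q)
    u1, u2 = (w * m) % q, (w * r) % q
    v = (pow(alpha, u1, p) * pow(beta, u2, p) % p) % q
    return v == r

def sign(message: bytes, a: int):
    """Hash-then-sign with a fresh random k, retrying until r and s are both nonzero."""
    m = digest_mod_q(message)
    while True:
        k = secrets.randbelow(q - 1) + 1  # k in Z_q^*, kept secret and never reused
        r, s = sign_digest(m, a, k)
        if r and s:
            return r, s

def verify(message: bytes, r: int, s: int) -> bool:
    return verify_digest(digest_mod_q(message), r, s)

def k_identity_holds(m: int, a: int, k: int) -> bool:
    """The note's key step: k ≡ u1 + a*u2 (mod q), which is why v = r."""
    r, s = sign_digest(m, a, k)
    w = pow(s, -1, q)
    u1, u2 = (w * m) % q, (w * r) % q
    return (u1 + a * u2) % q == k % q
```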

Digital Signatures

(Picture: a message with a signature attached.)

  1. How do we bind a signature to a message?
  2. How do we verify a signature is valid?
  3. How do we prevent reuse of a signature?

RSA Signatures

Setup, for each user: n = p · q, where p and q are distinct, big primes; e, d ∈ Z_{ϕ(n)}^* such that e · d ≡ 1 (mod ϕ(n)). n and e public; p, q, and d private.

    sigA(m) =def m^{dA} (mod n)             or, alternatively, sigA(m) =def (h(m))^{dA} (mod n)
    verA(m, y) =def [m ?= y^{eA} (mod n)]   or, alternatively, verA(m, y) =def [h(m) ?= y^{eA} (mod n)]

Binding? The sig combines private key + message. Verifying? (Calculation on board.) Making reuse hard? What is Eve's problem?


Blind Signatures

Used for sealed bids, etc. Bob wants Alice's signature on a message, but he does not want her to know the message.

Bob: Chooses k ∈_R Z_n^*. Computes t = (k^{eA} · m) mod n & sends t to Alice.
Alice: Computes s = t^{dA} mod n & sends s to Bob.
Bob: Computes s · k^{−1} ≡ sigA(m) (mod n).

Note: s ≡ t^{dA} ≡ (k^{eA} · m)^{dA} ≡ k^{eA·dA} · m^{dA} ≡ k · m^{dA} ≡ k · sigA(m) (mod n)

Encryption and signatures

Scheme 1
Alice: Given x, computes y = sigA(x), computes z = encryptB(x||y), sends z to Bob.
Bob: Computes (x||y) = decryptB(z). Checks verA(x, y).

Definition 2. || =def string concatenation. E.g.: "abc" || "xyz" = "abcxyz"

Encryption and signatures

Scheme 2
Alice: Given x, computes z = encryptB(x) & y = sigA(z). Sends (z, y) to Bob.
Bob: Checks verA(z, y) and computes x = decryptB(z).

BUT, Binding Trouble!!
Eve: Obtains (z, y). Computes y′ = sigE(z). Sends Bob (z, y′).
Bob: Checks verE(z, y′) and computes x = decryptB(z).
x = "The treasure is under the rock by the oak tree. Send me 50%."

Recall: The ElGamal Cryptosystem

Setup: Each user picks a key (p, α, a, b):
  • p, a prime such that Z_p^*'s discrete log problem is hard.
  • α, a primitive element of Z_p^*.
  • a and b such that b ≡ α^a (mod p).
plaintexts = Z_p^*; ciphertexts = Z_p^* × Z_p^*; public: p, α, b; private: a.

Alice's key = (p, α, a, b).
Bob: Wants to send m ∈ Z_p^* to Alice. Chooses k ∈_R { 1, ..., p − 1 }. Computes r ≡ α^k (mod p) and t ≡ b^k m (mod p). Sends (r, t) to Alice.
Alice: Computes m′ = t · r^{−a} (mod p). Claim: m = m′. [PoB]


Notes: Recall: The ElGamal Cryptosystem. Key Observation: By Fermat's Little Lemma, x^a ≡ x^{a mod (p−1)} (mod p). Proof: First note that r ≡ α^k, b ≡ α^a, t ≡ b^k m (mod p). So: t · r^{−a} ≡ b^k m α^{−a·k} ≡ (α^a)^k m (α^{−ak}) ≡ m (mod p).

The ElGamal Signature Scheme

Setup for each user
  • p, a prime with hard discrete log problem for Z_p^*
  • α ∈ Z_p^*, a primitive element of Z_p^*
  • Plaintext: Z_p^*
  • Ciphertext: Z_p^* × Z_{p−1}
  • a ∈ Z_{p−1}^* & β = α^a (mod p)
  • p, α, β : public; a : private

Alice wants to sign m, where (p, α, β) = A's public key
Alice: Chooses k ∈_R Z_{p−1}^*. Computes: r = α^k (mod p), s = k^{−1}(m − a · r) mod (p − 1). Sends (m, r, s) to Bob.
Bob: Checks that [β^r r^s ≡ α^m (mod p)].

Check: β^r r^s ≡ (α^a)^r (α^k)^s ≡ α^{a·r + k·s} ≡ α^{a·r + k·(k^{−1}(m − a·r))} ≡ α^m (mod p).
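ElGamal encryption and the ElGamal signature scheme on one toy group, as an added example (not the slides' code): p = 23, α = 5 and the private a = 7 are constructed parameters. decrypt implements Alice's m′ = t · r^{−a}, and verify is exactly the check β^r r^s ≡ α^m (mod p) derived above; the fixed k values in the test only make the intermediate numbers reproducible.

```python
import secrets
from math import gcd

# Toy ElGamal key (constructed; a real p must make the discrete log problem hard):
# p = 23 prime, alpha = 5 a primitive element of Z_23^*, private a = 7.
p, alpha = 23, 5
private_a = 7
beta = pow(alpha, private_a, p)      # = 17; the slides call it b (encryption) or beta (signatures)

def encrypt(m: int, k=None):
    """Bob: r = alpha^k, t = b^k * m (mod p), for a random k in {1, ..., p-1}."""
    if not 0 < m < p:
        raise ValueError("plaintext must lie in Z_p^*")
    k = secrets.randbelow(p - 1) + 1 if k is None else k
    return pow(alpha, k, p), (pow(beta, k, p) * m) % p

def decrypt(r: int, t: int, a: int) -> int:
    """Alice: m' = t * r^(-a) mod p, with r^(-a) computed as (r^(-1))^a."""
    return (t * pow(pow(r, -1, p), a, p)) % p

def sign(m: int, a: int, k=None):
    """Alice: r = alpha^k mod p, s = k^(-1)(m - a*r) mod (p-1), with k in Z_{p-1}^*."""
    while k is None or gcd(k, p - 1) != 1:
        k = secrets.randbelow(p - 1) + 1     # fresh per signature and invertible mod p-1
    r = pow(alpha, k, p)
    s = (pow(k, -1, p - 1) * (m - a * r)) % (p - 1)
    return r, s

def verify(m: int, r: int, s: int) -> bool:
    """Bob: accept iff beta^r * r^s ≡ alpha^m (mod p)."""
    if not 0 < r < p:
        return False
    return (pow(beta, r, p) * pow(r, s, p)) % p == pow(alpha, m, p)
```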


Security Requirements for Signature Schemes

Possible attacks
  • Key only attack: Eve has Alice's public key — only!
  • Known message attack: Eve has (m1, s1), ..., (mk, sk), messages signed by Alice.
  • Chosen message attack: Eve chooses m1, ..., mk and has Alice sign all of them: si = sigA(mi), i = 1, ..., k.

Eve's possible goals
  • Total break: Find Alice's private key.
  • Selective forgery: Given m, Eve creates a valid signature of Alice for m — with reasonable probability.
  • Existential forgery: Eve is able to create a valid sigA for at least one message (likely junk).

Examples of Security Problems (via RSA Sigs)

∃ forgery / key only: Given s, compute m = eA(s). Recall: verA(m, y) =def [m ?= y^{eA} (mod n)].

∃ forgery / known messages: Alice sends (m1, s1), (m2, s2). Eve computes (m1 · m2 mod n, s1 · s2 mod n). So what? Recall: sigA(m) = decryptA(m) = m^{dA} mod n.

Claim
  (a) (encryptU(x1) · encryptU(x2)) mod n = encryptU(x1 · x2) mod n
  (b) (decryptU(x1) · decryptU(x2)) mod n = decryptU(x1 · x2) mod n

Corollary 3. (s1 · s2) mod n is a valid signature for (m1 · m2) mod n.


More Forgery Examples

Eve wants to forge Alice's signature on m.
  • Eve finds x1 and x2 such that m = (x1 · x2) mod n, and asks Alice to sign x1 and x2.
  • Alice produces y1 = sigA(x1) and y2 = sigA(x2).
  • !! Then (y1 · y2) mod n is a valid signature for m!

How can we guard against stuff like this? Randomize!
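Textbook RSA signatures on a toy key, as one added example (not the slides' code) serving the RSA Signatures, Blind Signatures and forgery slides above: the key is built from the constructed textbook primes p = 61, q = 53 with e = 17; blind_signature_protocol plays out the Bob/Alice/Bob exchange; multiplicative_forgery is Corollary 3; and randomized_sig/randomized_ver give one concrete form of the "Randomize!" answer (an assumption about what the slide intends), with Alice signing h(m || salt) for a salt she picks, so that what she signs is no longer a number of Eve's choosing.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key (constructed from the textbook primes 61 and 53; far too small for real use).
p, q = 61, 53
n, phi = p * q, (p - 1) * (q - 1)     # n = 3233, phi(n) = 3120
e = 17
d = pow(e, -1, phi)                   # 2753, since e*d ≡ 1 (mod phi(n))

def sig(m: int) -> int:
    """Textbook RSA signature on the number m itself: sig_A(m) = m^d mod n."""
    return pow(m, d, n)

def ver(m: int, y: int) -> bool:
    """ver_A(m, y) = [m ?= y^e mod n]."""
    return m % n == pow(y, e, n)

def blind_signature_protocol(m: int) -> int:
    """Bob obtains sig_A(m) without Alice ever seeing m (the three-message exchange)."""
    while True:
        k = secrets.randbelow(n - 1) + 1          # Bob: random k in Z_n^*
        if gcd(k, n) == 1:
            break
    t = (pow(k, e, n) * m) % n                    # Bob -> Alice: t = k^e * m mod n
    s = sig(t)                                    # Alice -> Bob: s = t^d ≡ k * m^d (mod n)
    return (s * pow(k, -1, n)) % n                # Bob: s * k^{-1} ≡ sig_A(m) (mod n)

def multiplicative_forgery(m1: int, y1: int, m2: int, y2: int):
    """Corollary 3: from (m1, y1) and (m2, y2), (y1*y2) mod n verifies as a signature on (m1*m2) mod n."""
    return (m1 * m2) % n, (y1 * y2) % n

def digest(data: bytes) -> int:
    """h: bytes -> Z_n (SHA-256 reduced mod n, only because n is tiny in this toy)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def randomized_sig(message: bytes, salt=None):
    """'Randomize!': Alice signs h(message || salt) for a salt she chooses, and sends (salt, y)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, sig(digest(message + salt))

def randomized_ver(message: bytes, salt: bytes, y: int) -> bool:
    return ver(digest(message + salt), y)
```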
