References Cryptographic Hash Functions Hash Functions, Chapter 11 - PowerPoint PPT Presentation

References Cryptographic Hash Functions ”Hash Functions,” Chapter 11 of Understanding Cryptography by Paar & Pelzl. & Mathematical Cryptography , by Keijo Ruohonen, http://math.tut.fi/~ruohonen/MC.pdf , pages 98–99. Signature Schemes ”Digital Signatures,” Chapter 10 of Understanding Cryptography by Paar & Pelzl. (Ignore § 10.5 for the time being.) Jim Royer A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup, https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_4.pdf , see Chapters 13 and 14 and ignore the wilder stuff. Introduction to Cryptography Cryptography: An Introduction, 3/e by Nigel Smart, October 4, 2018 https://www.cs.bris.ac.uk/~nigel/Crypto_Book/ , Chapter 14. Crypto Hash Functions Crypto Hash Functions Current Contents of Our Cryptographic Toolbox The Data-Structures/Algorithms View of Hashing Modern Symmetric Cryptosystems U = universe of keys, N = Card ( U ) (N big!) Block ciphers : 3DES, AES, etc. K = actual keys, n = Card ( K ) (n small!) Stream ciphers : the one-time pad and its descendants ✔ Good for fast encryption of bulk data T [ 0.. m − 1 ] = a table (m also small) ✖ Requires all parties have start with the same secret key a hash function: an h : U → { 0, . . . , m − 1 } Asymmetric Cryptosystems A collision: when k � = k ′ , but h ( k ) = h ( k ′ ) . RSA, Diffie-Hellman, ElGamal, ... ✔ Good for key exchanges What we want of h : ✔ Does not require parties to have any shared secret to state ✖ Relatively slow fast to compute deterministic The Next New Tool: Cryptographic Hash Functions scatters data around These are used for lots of things In particular, we will see how they are used in signature schemes Crypto Hash Functions Crypto Hash Functions

Cryptographic Hash Functions Hashing & Signing h : strings → { 0, 1 } k where typically k = 160 or 256 m sig A h − → h ( m ) − → sig A ( h ( m )) m sig A ( h ( m )) We want h to be: ���� message digest 1. fast to compute. 2. one-way (a.k.a., preimage resistant) , i.e., h ( y ) �→ y is hard. Alice Computes y = sig A ( h ( m )) . (sig A = Alice’s sig. fnctn.) (a.k.a. strongly collision-free ∗ ) Sends ( m , y ) to Bob. 3. collision resistant i.e., it is hard to find distinct m 1 & m 2 ∋ h ( m 1 ) = h ( m 2 ) . Bob Receives ( m , y ) (a.k.a., weakly collision-free ∗ ) Checks ver A ( h ( m )) , y ) . (ver A = Alice’s sig. ver. fnctn.) 3 ′ . second preimage resistant Eve Given ( m , sig A ( h ( m ))) , i.e., given m 1 , hard to find an m 2 � = m 1 ∋ h ( m 1 ) = h ( m 2 ) . Eve wants to forge Alice’s signature on m ′ . So, Eve needs y ′ = sig A ( h ( m ′ )) = sig A ( h ( m )) . Many crypto-hash functions have problems with 3 and 3 ′ . E.g., MD4, MD5, HAVAL-128, and especially SHA-1 . But if h is collision resistant, Eve is out of luck. Crypto. hash functions are a central part of the crypto toolkit — used in Why not sign m directly? signature schemes, etc. ∗ A silly name since there are lots of collisions, but spread very thin We will see some specific signature schemes shortly. Crypto Hash Functions Crypto Hash Functions Hashing, Continued Proof of the CvHP Theorem Proof. A bad hash function: h ( m ) = m ( mod n ) Goal: Solve (1) for a . Suppose Let d = def gcd ( x 1 − x ′ Fast to compute, but not 1-way and not collision resistant. (Why?) 1 , p − 1 ) . ■ m = x 0 + x 1 · q Since p − 1 = 2 · q , d ∈ { 1, 2, q , p − 1 } . ■ m ′ = x ′ 0 + x ′ 1 · q A better one (but slow): CvHP (Chaum, van Heijst, & Pfitzmann) Since 0 ≤ x 1 , x ′ 1 < q , | x 1 − x ′ 1 | < q . ■ x 0 , x ′ 0 , x 1 , x ′ 1 ∈ Z q − 1 Setup: Find a prime p such that q = p − 1 is also prime, and ■ m � = m ′ Since m � = m ′ , by (1), x 1 � = x ′ 2 1 . p , α and β ∋ β = α a ( mod p ) , find two prim. elements of Z ∗ ■ α x 0 β x 1 = α x ′ 0 β x ′ So, d ∈ { 1, 2 } . 1 ( mod p ) . (Take a with gcd ( a , p − 1 ) = 1.) for some a . [Copy on board] Since β = α a ( mod p ) , we have: Function: h ( m ) = def α x 0 β x 1 ( mod p ) , where C ASE : d = 1. Then: 0 − x 0 ) ≡ 1 ( mod p ) . α a ( x 1 − x ′ 1 ) − ( x ′ a = ( x 1 − x ′ 1 ) − 1 ( x ′ 0 − x 0 ) ( mod p − 1 ) . m ∈ Z q 2 , m = x 0 + x 1 · q , and x 0 , x 1 ∈ Z q − 1 [Copy on board] Thus:  a ( x 1 − x ′ 1 ) C ASE : d = 2. Then there are two possibilities  Theorem 1. ≡ (1) for a and they are easy to find. (How?) ( x ′ Try them both. One yields α a = β .  0 − x 0 ) mod ( p − 1 ) Given distinct m , m ′ with h ( m ) = h ( m ′ ) , we can compute a = dlog α ( β ) . [Copy on board] (Why?) In either case you’ve got a . QED ∴ ¬ [computing dlog α is easy] = ⇒ ¬ [finding collisions is easy] Crypto Hash Functions Crypto Hash Functions

Proof of the CvHP Theorem Proof of the CvHP Theorem Hash Functions Hash Functions Proof. Goal: Solve (1) for a . Proof. Goal: Solve (1) for a . Suppose Suppose Let d = def gcd ( x 1 − x ′ Let d = def gcd ( x 1 − x ′ 1 , p − 1 ) . 1 , p − 1 ) . 2018-10-04 ■ m = x 0 + x 1 · q 2018-10-04 ■ m = x 0 + x 1 · q Since p − 1 = 2 · q , d ∈ { 1, 2, q , p − 1 } . Since p − 1 = 2 · q , d ∈ { 1, 2, q , p − 1 } . ■ m ′ = x ′ 0 + x ′ 1 · q ■ m ′ = x ′ 0 + x ′ 1 · q Since 0 ≤ x 1 , x ′ 1 < q , | x 1 − x ′ Since 0 ≤ x 1 , x ′ 1 < q , | x 1 − x ′ ■ x 0 , x ′ 0 , x 1 , x ′ 1 ∈ Z q − 1 1 | < q . ■ x 0 , x ′ 0 , x 1 , x ′ 1 ∈ Z q − 1 1 | < q . ■ m � = m ′ Since m � = m ′ , by (1), x 1 � = x ′ ■ m � = m ′ Since m � = m ′ , by (1), x 1 � = x ′ 1 . 1 . ■ α x 0 β x 1 = α x ′ 0 β x ′ 1 ( mod p ) . So, d ∈ { 1, 2 } . ■ α x 0 β x 1 = α x ′ 0 β x ′ 1 ( mod p ) . So, d ∈ { 1, 2 } . Since β = α a ( mod p ) , we have: Since β = α a ( mod p ) , we have: C ASE : d = 1. Then: C ASE : d = 1. Then: α a ( x 1 − x ′ 1 ) − ( x ′ 0 − x 0 ) ≡ 1 ( mod p ) . α a ( x 1 − x ′ 1 ) − ( x ′ 0 − x 0 ) ≡ 1 ( mod p ) . a = ( x 1 − x ′ 1 ) − 1 ( x ′ 0 − x 0 ) ( mod p − 1 ) . a = ( x 1 − x ′ 1 ) − 1 ( x ′ 0 − x 0 ) ( mod p − 1 ) . Proof of the CvHP Theorem Proof of the CvHP Theorem Thus: a ( x 1 − x ′  Thus: a ( x 1 − x ′  1 ) C ASE : d = 2. Then there are two possibilities 1 ) C ASE : d = 2. Then there are two possibilities   ≡ (1) ≡ (1) for a and they are easy to find. (How?) for a and they are easy to find. (How?) ( x ′ 0 − x 0 ) mod ( p − 1 )  Try them both. One yields α a = β . ( x ′ 0 − x 0 ) mod ( p − 1 )  Try them both. One yields α a = β . (Why?) (Why?) In either case you’ve got a . QED In either case you’ve got a . QED How to find a when d = 2 : How to find a when d = 2 (continued) We are looking for values of a ∈ Z ∗ p − 1 such that, for some k , So we can solve for a in (3) and obtain: a 0 = ( x ′ ) · ( x 1 − x ′ 0 − x 0 ( mod p − 1 a ( x 1 − x ′ 1 ) − ( x ′ 0 − x 0 ) = k · ( p − 1 ) . (2) 1 ) − 1 ) 2 2 2 Since both x 1 − x ′ 1 and p − 1 are even, by (2), so is x ′ 0 − x 0 . Since a 0 solves (3), it also solves (2) — just multiply (3) through by 2. Divide through (2) by 2 and obtain However: a ( x 1 − x ′ ) − ( x ′ 0 − x 0 ) = k · ( p − 1 Claim 1: a 0 + q also solves (2). 1 ) . (3) 2 2 2 Claim 2: If a , a ′ ∈ Z ∗ p − 1 are two solutions to (2), then a ≡ a ′ ( mod q ) . But q = ( p − 1 ) /2 is prime and gcd ( x 1 − x ′ 1 , q ) = 1. (Exercise: Prove these.) 2 So, by Claims 1 and 2 that a 0 and a 0 + q are the only solutions to (2). (next page) QED CvHP: Collision-resistant = ⇒ 1-way A Simple-Minded Hash Function By Theorem 1: If discrete log is hard, then h is collision-resistant. CvHP has nice properties, but it is SLOW. But what about 1-way? Here is a fast, but insecure hash function. Suppose h is fast to invert. Suppose m is a message of length ℓ · n bits. (Pad if needed.) I.e., there is a fast to compute g such that ( ∀ y )[ h ( g ( y )) = y ] . Break m into ℓ -many n -bit blocks � m 0 , . . . , � m ℓ − 1 . m j = def [ m j ,0 , . . . , m j , n − 1 ] . ⊕ = exclusive-or Notation: � The search prob. halts after not many Repeat forever h ( m ) = c 0 . . . c n − 1 , where c i = def m 0, i ⊕ m 1, i ⊕ · · · ⊕ m ℓ − 1, i . ran ∈ Z ∗ iterations. Choose m (Draw the picture!) q 2 Compute y = h ( m ) So, by Theorem 1, we can quickly find To make this more secure, we add more operations. Compute m y = g ( y ) discrete logs. E.g., bit rotations. if m � = m y , ∴ If discrete log is hard, h ′ ( m ) = c 0 . . . c n − 1 , where c i = � ℓ j = 1 m j , (( j + i ) mod n ) then return ( m , m y ) then h is one-way. Crypto Hash Functions Crypto Hash Functions