Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
19 views12 pages

08 Hash Functions

Alice and Bob want to compare large files over an unreliable internet connection. A hash function allows them to fingerprint their files and compare the hashes to determine if the files are identical without transferring the full files. The lecture discusses hash functions, defining their security properties like collision and preimage resistance, and constructions like Merkle-Damgård that build hash functions from compression functions to provide these security properties.

Uploaded by

Rares Vasile
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
19 views12 pages

08 Hash Functions

Alice and Bob want to compare large files over an unreliable internet connection. A hash function allows them to fingerprint their files and compare the hashes to determine if the files are identical without transferring the full files. The lecture discusses hash functions, defining their security properties like collision and preimage resistance, and constructions like Merkle-Damgård that build hash functions from compression functions to provide these security properties.

Uploaded by

Rares Vasile
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 12

01426 Cryptology 2

Lecture 8 — Hash functions

Luisa Siniscalchi & Tyge Tiessen


Fall 2023
DTU Compute, Technical University of Denmark
A faithful data fingerprint

Problem
Alice and Bob live far apart, each having a very large file. They would like to determine
whether the two files are identical but have a terrible internet connection, so they
cannot just send the files to compare them. How can they be sure whether the files are
identical?

1
An informal definition of hash functions

A hash function is a function 𝐻 ∶ {0 , 1 }∗ → {0 , 1 }𝑛 . It is expected to behave like a


“random” function. In particular it should be difficult

• to find a preimage 𝑥 given an image 𝑦 such that 𝐻 (𝑥) = 𝑦,


(preimage resistant)
• to find a second preimage 𝑥2 given another preimage 𝑥1 such that 𝐻 (𝑥2 ) = 𝐻 (𝑥1 ),
(2nd preimage resistant)
• to find two different preimages 𝑥1 and 𝑥2 such that 𝐻 (𝑥2 ) = 𝐻 (𝑥1 ).
(collision resistant)

2
Generic attacks on a hash function

Collision brute force


2nd preimage brute force
𝒜𝑐𝑟 ():
𝒜2𝑝𝑖 (𝑥):
for 𝑖 = 1, …:
while true:
𝑥𝑖 ← {0 , 1 }𝑚
𝑥 ′ ← {0 , 1 }𝑚
𝑦𝑖 ∶= 𝐻 (𝑥𝑖 )
𝑦 ′ ∶= 𝐻 (𝑥 ′ )
if there is some 𝑗 < 𝑖 with 𝑥𝑖 ≠ 𝑥𝑗 but 𝑦𝑖 = 𝑦𝑗 :
if 𝑦 ′ = 𝐻 (𝑥): return 𝑥 ′
return (𝑥𝑖 , 𝑥𝑗 )

How many steps do these attacks take on average?

3
An attempt at defining collision resistance

We expect a hash function 𝐻 to be secure if the following holds:

TEST(𝑥, 𝑥 ′ ):
TEST(𝑥, 𝑥 ′ ):
if 𝑥 ≠ 𝑥 ′ and 𝐻 (𝑥) = 𝐻 (𝑥 ′ ): return true ∼
∼ return false
else: return false

4
A better definition

We need to introduce an additional input to the hash function called salt.


Definition
A hash function 𝐻 is collision-resistant if L𝐻
cr-real
∼ L𝐻
cr-fake , where

L𝐻
cr-real L𝐻
cr-fake
𝜆
𝑠 ← {0 , 1 }
𝑠 ← {0 , 1 }𝜆
getsalt():
getsalt():
return 𝑠
return 𝑠
test(𝑥, 𝑥 ′ ∈ {0 , 1 }∗ ):
test(𝑥, 𝑥 ′ ∈ {0 , 1 }∗ ):
if 𝑥 ≠ 𝑥 ′ and 𝐻 (𝑠, 𝑥) = 𝐻 (𝑠, 𝑥 ′ ): return true
return false
else: return false

5
Building a hash function

A compression function is a function ℎ ∶ {0 , 1 }𝑛+𝑡 → {0 , 1 }𝑛 , where 𝑡 > 0.


We want to use this as a building block for a hash function.

6
The Merkle-Damgård construction

MDℎ (𝑥):
mdpad𝑡 (𝑥):
𝑥1 ‖ ⋯ ‖𝑥𝑘+1 ∶= mdpad𝑡 (𝑥)
ℓ ∶= |𝑥|, as length-𝑡 binary number
𝑦0 ∶= 0 𝑛
while |𝑥| not a multiple of 𝑡:
for 𝑖 = 1 to 𝑘 + 1:
𝑥 ∶= 𝑥‖0
𝑦𝑖 ∶= ℎ(𝑦𝑖−1 ‖𝑥𝑖 )
return 𝑥‖ℓ
return 𝑦𝑘+1

mdpad(𝑥) = 𝑥1 𝑥2 𝑥3 𝑥4

𝑦0 ℎ ℎ ℎ ℎ ⋯
𝑦1 𝑦2 ℎ𝑦3
7
Example

On the blackboard.

8
Security of the Merkle-Damgård construction

Claim
Suppose ℎ is a compression function and MDℎ is the Merkle-Damgård construction
applied to ℎ. Given a collision 𝑥, 𝑥 ′ in MDℎ , it is easy to find a collision in ℎ.

Proof.
On the blackboard.

9
Creating a MAC from a hash function

Can we create a MAC from a hash function by keeping the salt secret?
The answer is “No” in general.
For the Merkle-Damgård construction there exists a length-extension attack: knowing
𝐻 (𝑥) allows you to predict the hash of any string that starts with mdpad(𝑥).
Demonstrate on blackboard.

10
What is the issue here?

• This is not breaking collision resistance of the MD construction.


• The problem is that the final output is also a valid intermediate state.

We can fix this issue in two ways:

• Not leaking all of the internal state at the end.


• Doing a specific final step that is different from any internal steps.

11

You might also like