Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
9 views45 pages

Hash Functions

The document discusses cryptographic hash functions, their definitions, security properties, and the concept of hash families. It outlines the importance of preimage resistance, second-preimage resistance, and collision resistance in ensuring data integrity. Additionally, it introduces the Merkle-Damgård construction for creating collision-resistant hash functions and provides examples to illustrate these concepts.

Uploaded by

dr.kalpanakulkarni
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
9 views45 pages

Hash Functions

The document discusses cryptographic hash functions, their definitions, security properties, and the concept of hash families. It outlines the importance of preimage resistance, second-preimage resistance, and collision resistance in ensuring data integrity. Additionally, it introduces the Merkle-Damgård construction for creating collision-resistant hash functions and provides examples to illustrate these concepts.

Uploaded by

dr.kalpanakulkarni
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 45

Information and

Network Security
Sugata Gangopadhyay
Cryptographic Hash
Functions
Definitions and Notation
• Cryptographic hash functions
• Hash families
Cryptographic Hash Functions
• A hash function can be thought of as a function from a (possibly
infinite) set to a finite set, typically a set of all -bit words . That is
.
• Suppose is some data and is the hash value of .
• If the hash function is secure then given the pair it should be
computationally infeasible to obtain , such that

• Thus, a hash function provides assurance of data integrity.


Hash Family
• Instead of a single hash function it is possible to consider a family of hash
functions whose elements are individual hash functions determined by
keys belonging to a predetermined key space.

• Formal Definition: A hash family is a four-tuple where the following


conditions are satisfied:
• is a set of possible messages.
• is a finite set of possible message digests or authentication tags.
• , the key-space, is a finite set of possible keys.
• For each , there is a hash function . Each
Some notations and terminologies
• can be finite or infinite. is always finite.

• If is finite then a hash function is also called a compression function.

• Elements of are called message digests or authentication tags.

• The number of elements in is always greater than the number of elements in ,


that is, .

• A pair is said to be a valid pair under the key if .


Some notations and terminologies
• Let denote the set of all functions from to .

• Suppose and .

•.

• Any hash family is called an -hash family.


Security of Hash Functions
• Preimage
• Second-Preimage
• Collision
Security of Hash Functions
• If a hash function is to be considered secure, the following problems
must be difficult to solve assuming that we have access to .

• Preimage: Given , find such that .

• Second Preimage: Given an element , find such that and .

• Collision: Find such that and .


Security of Hash Functions
• For a hash function

• If Preimage cannot be efficiently solved, then it is said to be a preimage


resistant function or a one-way function.

• If Second-Preimage cannot be efficiently solved, then it is said to be a second


preimage resistant function.

• If Collision cannot be efficiently solved, then it is said to be a collision


resistant function.
Random Oracle Model and
Randomized Algorithms
• Bellare-Rogaway random oracle model
• Example of a hash function not satisfying the random oracle model
• Randomized algorithms of Las Vegas type
• -algorithms
Random Oracle Model
• A mathematical model of an ideal hash function is provided by the Random
Oracle model which was introduced by Bellare and Rogaway.
• We say that a hash function satisfies the random oracle model if given any
as input to (i.e., given any query ) the image is equivalent to a random
response chosen uniformly from the set .
• We also say that the hash function behaves as a random oracle.
• We say that we have oracle access to a hash function if we can only query
and get a correct answer but we do not know any formula or algorithm to
compute the functional values of .
Example of not Random Oracle
Model
• is defined by , where and .

• Suppose that and .

• For any
A Consequence of the Random
Oracle Model

• Suppose that is chosen randomly, and let . Suppose that the values
have been determined (by querying the oracle for ) if and only if .

• Then for all and all .


Randomized Algorithms
• Randomized algorithms are algorithms that can make random choices
during their execution.

• A Las Vegas algorithm is a randomized algorithm which may fail to give an


answer but if it gives one then that answer must be correct.

• A randomized algorithm has worst-case success probability if it always


returns a correct answer with probability at least .

• It has an average-case success probability if the success probability when


averaged over all problem instances is at least .
Randomized Algorithms

• By an -algorithm we mean a Las Vegas algorithm with the average-


case success probability when the number of oracle queries are
upper bounded by .
Randomized Algorithms
and the Security of Hash
Functions
• Find preimage; find second-preimage; find collision
• Average case success probabilities
• Collision to second preimage; collision to preimage
Preimage
FIND-PREIMAGE
choose any ,

for each
do
return(failure)
Second Preimage
FIND-SECOND-PREIMAGE

choose any ,

for each
do
return(failure)
Collision
FIND-COLLISION
choose any ,

for each
do
if for some
then return()
else return(failure)
Success Probability of FIND-
PREIMAGE
• For any with , the average-case success
probability of FIND-PREIMAGE is .
• Outline of the proof:
• Let be fixed and
• is the event that .
• and So
• .
Success Probability of
FIND-SECOND-PREIMAGE
• For any with , the average-case success
probability of FIND-SECOND-PREIMAGE is .
• Outline of the proof:
• Let be fixed and
• is the event that .
• and
• So
• .
Collision
FIND-COLLISION
choose any ,

for each
do
if for some
then return()
else return(failure)
Success Probability of Collision

• For any with , the success probability of FIND-


COLLISION algorithm is
Outline of the proof
•.
• is the event that for all .
• We have the following probabilities:

• , for .

(since for small real number , )


Outline of the proof

If , then .
Collision to Second Preimage
• Suppose that we have an algorithm to
compute second preimage. Then we can
use it to find collision.
COLLISION-TO-SECOND-PREIMAGE
external ORACLE-2ND-PREIMAGE
choose uniformly at random
if ORACLE-2ND -PREIMAGE
then return
else return
Collision to Preimage
COLLISION-TO-PREIMAGE
external ORACLE-PREIMAGE,
Choose uniformly at random

if (ORACLE-PREIMAGE) and
then return
else return
Collision to Preimage
• -algorithm for preimage implies

-algorithm for collision.


• Define if .

• is the set of all such equivalence classes. Assume


.

• Given an element , the probability that we will


successfully obtain collision with is
Collision to Preimage
• Averaging out over all possible choices
of
Iterated Construction of
Hash Functions
• Compression functions
• Iterated construction
• Merkle-Damgard iterated construction
Iterated Construction of Hash
Functions
• Our starting point is a compression function
where

• Our intention is to construct a hash function


Preprocessing Step
• Given an input string with , construct a string , using a padding
algorithm such that

•.

• Write as a concatenation of substrings of length


Processing Step
(Publicly available initial vector)

….
Output Transformation

• We might use a output transformation on to obtain the final result


Merkle-Damgård Construction
• is a collision resistant compression function, where .

• Our goal is to construct a collision resistant hash function where


Algorithm 1: Merkle-Damgård
Construction for
external

for to

do
Where || for and
for to
return
do

NOTE: , .
Algorithm 2: Merkle-Damgård
Construction
external NOTE:

where

for to
do
return
Collision resistance of Merkle-
Damgård
Theorem: Suppose compress: is a collision resistant compression
function, where . Then the function

as constructed by Algorithm 1 is a collision resistant hash function.


Collision resistance of Merkle-
Damgård
Suppose compress: is a collisions resistant compression functions.
Then the function

as constructed in Algorithm 2, is a collision resistant hash function.


Example 1
Suppose that is a preimage resistant bijection. Define as follows. Given ,
write

where Then define

Prove that is not second preimage resistant.


Example 2

Suppose is a collision resistant hash function. Define as follows:


• Write as , where .
• Define
.
Prove that is collision resistant.
Example 3
Let the input data be of the form where each is a byte. Consider the
following hash function:

Where stands for bitwise modulo addition. Is this a secure hashing


method in the sense that collisions are hard to find?
Solution for Example 3
• Compute
and
Example 4
Suppose that defined by
.
Is this function second preimage resistant? Is this function collision
resistant?
Solution for Example 4
• Suppose that is a valid pair.
•.
• Thus the function is neither second preimage resistant nor collision
resistant.

You might also like