Cryptographic Hashing - PowerPoint PPT Presentation

Slides: 50
Provided by: toms156
Transcript and Presenter's Notes

1
Cryptographic Hashing
(A lecture in lieu of Chapter 6)

Feb 13, 2007
2
What are cryptographic hash functions?
File: string in {0,1}*
Publicly computable hash function (e.g., md5sum, SHA-1)
Cryptographic fingerprint: string in {0,1}^n (e.g., n = 160)
3
SHA-1 (NIST)
Input blocks M_1, M_2, ..., M_m of 512 bits each
for i = 1 to m do
    W_t = t-th word of M_i,                                    0 ≤ t ≤ 15
    W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) << 1,      16 ≤ t ≤ 79
    A ← H0^{i-1}; B ← H1^{i-1}; C ← H2^{i-1}; D ← H3^{i-1}; E ← H4^{i-1}
    for t = 0 to 79 do
        T ← (A << 5) + g_t(B, C, D) + E + K_t + W_t
        E ← D; D ← C; C ← B >> 2; B ← A; A ← T
    end
    H0^i ← A + H0^{i-1}; H1^i ← B + H1^{i-1}; H2^i ← C + H2^{i-1}; H3^i ← D + H3^{i-1}; H4^i ← E + H4^{i-1}
end
return H0^m H1^m H2^m H3^m H4^m (160 bits)
4
Real-world applications
Hash functions are pervasive
  • File comparison (compare-by-hash, e.g. RSYNC)
  • Digital signatures (hash-and-sign)
  • Message authentication codes (HMAC)
  • Micropayment schemes
  • Commitment protocols
  • Key exchange
  • ID establishment
  • ...

5
Hash function breaks 2004-2006
  • Near-collisions in SHA-0 [Biham, CRYPTO'04]
  • Collisions in SHA-0 [Joux, rump session, CRYPTO'04]
  • Collisions in reduced-round SHA-1 [Biham, rump session]
  • Collisions in MD4, MD5, RIPEMD, HAVAL-128 [Wang et al., rump session]
  • Collisions in SHA-1 (2^62 work) [Wang et al.]
  • MD5 collisions in 1 minute [Klimov]
  • Colliding Postscript Documents [Lucks, Daum]
  • Colliding X.509 Certificates [Lenstra, Wang, Weger]
  • Colliding C programs [Black, Cochran, Highland]

6
Today
  • ✓ What are these objects?
  • What cryptographic properties do we like for them to have?
  • How do we build them
      • from blockciphers
  • Moving Theory to Practice
      • Go Faster!
      • Be Harder!

7
Standard cryptographic properties
1. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output
2. Second-preimage resistance: given a hash function and given a first input, it is hard to find a second input that collides with the first
3. Collision resistance: given a hash function, it is hard to find two colliding inputs
8
Generic attacks
View Hash as a black box or oracle
  • Preimage attack: hash about 2^n domain points
  • 2nd-preimage attack: same
  • Collision-finding attack: hash about 2^{n/2} domain points

Birthday paradox/attack/bound
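
The generic costs on this slide can be measured directly on a deliberately short hash. The following is an added example, not part of the original slides; it assumes a toy n-bit hash made by truncating SHA-256, and the function names are chosen here for illustration.

```python
import hashlib
from itertools import count

def h(msg: bytes, n_bits: int) -> int:
    """Toy n-bit hash (assumption): the top n_bits of SHA-256, treated as a black box."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)

def encode(i: int) -> bytes:
    """Distinct 8-byte domain points 0, 1, 2, ..."""
    return i.to_bytes(8, "big")

def collision(n_bits: int):
    """Birthday search: hash distinct inputs until two outputs coincide."""
    seen = {}
    for i in count():
        y = h(encode(i), n_bits)
        if y in seen:
            return seen[y], encode(i), i + 1   # colliding pair, number of hash calls
        seen[y] = encode(i)

def second_preimage(first: bytes, n_bits: int):
    """Generic search for a second input that collides with one fixed first input."""
    target = h(first, n_bits)
    for i in count():
        m = b"x" + encode(i)                   # 9 bytes, so never equal to an 8-byte input
        if h(m, n_bits) == target:
            return m, i + 1                    # second input, number of hash calls

def measure(n_bits: int) -> dict:
    """Observed work next to the 2^(n/2) and 2^n estimates from the slide."""
    _, _, coll_calls = collision(n_bits)
    _, sec_calls = second_preimage(encode(0), n_bits)
    return {"n": n_bits,
            "collision_calls": coll_calls, "2^(n/2)": 2 ** (n_bits // 2),
            "second_preimage_calls": sec_calls, "2^n": 2 ** n_bits}

if __name__ == "__main__":
    for n in (8, 12, 16):
        print(measure(n))
```

The collision counts track 2^(n/2) while the second-preimage counts track 2^n, which is why output length has to be chosen against the birthday bound rather than the preimage bound.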
9
[Diagram: names for hash-function security notions, joined by "?" marks]
  • 2nd-preimage resistance
  • universal one-way hash function
  • weak collision resistance
  • inversion resistance
  • collision-intractable
  • strong hash
  • one-way function
  • strong collision resistance
  • collision resistance
  • target collision resistance
  • preimage resistance
  • collision-free
10
A motivating quote, and a fact
2nd-preimage resistance: it is computationally infeasible to find any second-input which has the same output as any specified input, i.e., given x, to find a 2nd-preimage x' ≠ x such that h(x) = h(x'). [MOV]
How are inputs specified?
How is h selected?
Fact: Collision resistance implies 2nd-preimage resistance of hash functions [MOV]
This fact depends on how you answer the above questions!
11
A cryptographic property
(quite informal)
Collision resistance: given a hash function, it is hard to find two colliding inputs
BAD: H(M) = M mod 701
12
Collision resistance
(intuition, but slightly more formal)
[Diagram: M and M' in Strings, each mapped by h into {0,1}^128]
This should be hard for all reasonable adversaries
13
Hash function families
[Da89]
To reason about all adversaries, we formalize hash functions as families
a finite, nonempty set (key name, not secret!)
Strings ⊆ {0,1}*: set of strings
n: the hash length
14
Collision resistance
(almost there)
H: K × Strings → {0,1}^n
[Diagram: M and M' in Strings, each mapped by H_K to Y in {0,1}^160]
This should be hard for all reasonable adversaries
15
Collision resistance: a definition
(formal)
probabilistic game
  - random key
  - A runs, returns two domain points
name of game
event: did A win (find collision)?
16
More cryptographic properties
1. ✓ Collision resistance: given a hash function, it is hard to find two colliding inputs
2. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output
3. Second-preimage resistance: given a hash function and given a first input, it is hard to find a second input that collides with the first
17
Second Preimage
Preimage
fixed range point
fixed domain point
random range point
random domain point
aPre
fixed key
fixed key
Pre
ePre
random key
random key
Collision
fixed key
(Much more about this topic in [Rogaway, Shrimpton 04])
random key
18
How the notions relate
[RS04]
[Diagram: implications and separations among Coll, aSec, eSec, Sec, aPre, ePre, Pre. Legend: Conventional, Provisional, Separation (no arrow)]
19
What about near-collisions?
M
HK
Y
Such that Y Y
HK
Y
{0,1}^n
M
This should be hard for any reasonable adversary
(Hmm.. what does this mean now?)
Strings
20
Research project 1
Continue definitional work
What's the right definition for the task?
How do we make it formal?
21
Today
  • ✓ What are these objects?
  • ✓ What cryptographic properties do we like for them to have?
  • How do we build them
      • from blockciphers
  • Moving Theory to Practice
      • Go Faster!
      • Be Harder!
22
Building a hash function
arbitrary length string
n-bit string
23
Merkle-Damgard construction
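[Me89, Da89]
[Diagram: the compression function is iterated over message blocks M1, M2, M3, starting from the fixed initial value IV and passing chaining values h1, h2, to output h3 = H(M); wire widths labelled n and k]
MD Theorem: if f is CR, then so is H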
24
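Message blocks M_1, M_2, ..., M_m; each M_i is 512 bits; the chaining value H0..4^{i-1} is 160 bits
for i = 1 to m do
    W_t = t-th word of M_i,                                    0 ≤ t ≤ 15
    W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) << 1,      16 ≤ t ≤ 79
    A ← H0^{i-1}; B ← H1^{i-1}; C ← H2^{i-1}; D ← H3^{i-1}; E ← H4^{i-1}
    for t = 0 to 79 do
        T ← (A << 5) + g_t(B, C, D) + E + K_t + W_t
        E ← D; D ← C; C ← B >> 2; B ← A; A ← T
    end
    H0^i ← A + H0^{i-1}; H1^i ← B + H1^{i-1}; H2^i ← C + H2^{i-1}; H3^i ← D + H3^{i-1}; H4^i ← E + H4^{i-1}
end
return H0^m H1^m H2^m H3^m H4^m (160 bits)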
25
Building hash function from blockciphers
First of all, what's a blockcipher?
A blockcipher is a set of permutations over strings of some fixed size (the blocksize), where each permutation is named by a key.
Y = E_K(X)
AES: 128-bit blocksize, 128-bit key
2^128 permutations on {0,1}^128
26
Why build hash function from blockciphers?
In the beginning, there was DES
  • weak keys cause design difficulties
  • small blocksize ⇒ easier wins for adversary

(late 70s-early 90s) DES
  • no known weak keys
  • bigger blocksize ⇒ harder wins for adversary

(now) AES has changed the playing field
People have some sort of trust in blockciphers!
27
Blockcipher-based designs
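  • Rabin's Hash [R78]

[Diagram: starting from h0 (64 bits), DES is applied once per message block, with M1 and M2 (56 bits each) as the DES keys, to produce H(M) (64 bits)]
(Unpopular due to MITM preimage attack)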
28
Let's build a compression function!
[Akl83]
(cipher-block-chaining hash)
  • Is this collision-resistant?

No.
[Diagram: blockcipher E with key K applied twice; labelled values: IV, 0, 0, E_K(IV) ⊕ E_K(0), IV, E_K(E_K(0)), E_K(E_K(0))]
29
Let's try again
[PGV93]
  • How about this?

[Diagram: two blockcipher calls E over message blocks M1, M2 starting from IV; labelled values: IV ⊕ 1, E_1(1) ⊕ IV, E_0(0) ⊕ IV]
30
12 provably-secure compression functions
DM
MMO
31
Davies-Meyer compression function
[PGV93, BRS02]
[Diagram: blockcipher E keyed by M_i (512 bits) maps h_{i-1} to h_i (160 bits)]
Let's say I label the inputs this way: look familiar?
32
SHA-1 is a blockcipher-based hash function!
Blockcipher: 512-bit key (M_i), 160-bit block (H0..4^{i-1})
for i = 1 to m do
    W_t = t-th word of M_i,                                    0 ≤ t ≤ 15
    W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) << 1,      16 ≤ t ≤ 79
    A ← H0^{i-1}; B ← H1^{i-1}; C ← H2^{i-1}; D ← H3^{i-1}; E ← H4^{i-1}
    for t = 0 to 79 do
        T ← (A << 5) + g_t(B, C, D) + E + K_t + W_t
        E ← D; D ← C; C ← B >> 2; B ← A; A ← T
    end
    H0^i ← A + H0^{i-1}; H1^i ← B + H1^{i-1}; H2^i ← C + H2^{i-1}; H3^i ← D + H3^{i-1}; H4^i ← E + H4^{i-1}    (Davies-Meyer feedforward)
33
Collision-resistance requires a key
[Diagram: H_K(M) computed over message blocks M1, M2 starting from IV = 0^128]
Question: what's the key to the hash function?
(remember it's the thing you need to compute the hash)
the blockcipher IS the key!
34
Collision Resistance in the Ideal Cipher Model
Pick the blockcipher from the set of all blockciphers having k-bit keys and n-bit blocksize
Alternatively, for each of the 2^k keys K let E_K be a random, independent permutation
[Diagram: adversary A queries oracle E with (K, x) and receives E_K(x), queries oracle E^{-1} with (K, y) and receives E_K^{-1}(y), and outputs M, M']
All security proofs for blockcipher-based hash functions are done in this model
35
Why such a strong model?
Pseudorandom permutations accepted, but too weak
Effectively, a good PRP is computationally indistinguishable from a truly random permutation
Security depends on a random, secret key
Fundamentally the wrong definition for a publicly computable object!
36
Research project 2
Find new models and/or assumptions
What properties does a blockcipher need for
hashing?
How can we abstract them to models/assumptions?
Can we prove things?
37
Today
  • ✓ What are these objects?
  • ✓ What cryptographic properties do we like for them to have?
  • ✓ How do we build them
      • from blockciphers
  • Moving Theory to Practice
      • Go Faster!
      • Be Harder!
38
Moving theory towards practice
(Go Faster!)
[Diagram: one blockcipher call E per message block, taking M_i and h_{i-1} to h_i, then M_{i+1} to h_{i+1}]
Expensive operations
39
A generalized compression function
f1 and f2 are any deterministic functions
EK is a blockcipher with a fixed key
Iterating produces a highly-efficient hash
function
40
Main result of [BCS05]
  • If you
      • Limit the blockcipher keys to some small set
      • Design a rate-1 compression function using any f1 and f2 you like
      • Iterate this compression function to get hash function H
      • Use the strongest known model of a blockcipher (the ICM)
  • Then
      • There exists an information-theoretic adversary that finds a collision in H using at most n lg(n) oracle queries

41
What this doesn't Say
  • We don't say what happens when
      • Rate ≠ 1
          • Rate ½ means two blockcipher calls per compression function
      • Non-MD constructions are used
          • Wires going all over the place?
      • Computational limits are placed on the adversary
          • i.e., use a different computational model BSM?
  • In particular, we don't say that every highly-efficient construction has a practical attack
  • Instead we just show that you cannot find a security proof, if you stick to the normal model

42
Research project 3
Find secure, fixed-key, rate < 1, iterated constructions
(some progress being made)
43
Moving Theory to Practice
(Be Harder!)
Short hashes vulnerable to birthday attacks
Fix-up?
H_K1(M) (n bits) || H_K2(M) (n bits) = G_(K1,K2)(M) (2n bits)
n/2 bits of CR, n/2 bits of CR ⇒ n bits of CR?
Nope. [Joux04]
44
Multicollisions
[Diagram: Merkle-Damgard chain over M1, M2, ..., Mm with n-bit chaining values IV, h1, h2, ..., h_{m-1}, ending in h_m = H(M)]
For m·(2^{n/2}) work, we can make 2^m messages that collide
45
Collisions in cascaded constructions
For G_(K1,K2)(M) = H_K1(M) || H_K2(M), with 160 bits from each hash:
1. Create 2^81-way multicollision under H_K1
2. Hash these messages under H_K2
Collision in G for work O(2^80) << O(2^160)
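
The multicollision slide and the cascade slide above can be reproduced at toy scale to see why concatenating two iterated hashes does not double the collision resistance. This is an added example, not code from the slides; it assumes a 16-bit chaining value and a compression function built from truncated SHA-256, and all names (`compress`, `md_hash`, the keys `K1`/`K2`) are chosen here for illustration.

```python
import hashlib
from itertools import product

N_BYTES = 2                      # toy chaining value, n = 16 bits (assumption)
IV = b"\x00" * N_BYTES           # fixed initial value

def compress(key: bytes, h: bytes, block: bytes) -> bytes:
    """Toy keyed compression function (stand-in): truncated SHA-256 of key, chaining value, block."""
    return hashlib.sha256(key + h + block).digest()[:N_BYTES]

def md_hash(key: bytes, blocks) -> bytes:
    """Merkle-Damgard iteration; length padding omitted because all messages here have equal length."""
    h = IV
    for b in blocks:
        h = compress(key, h, b)
    return h

def block_collision(key: bytes, h: bytes):
    """Birthday search for two blocks that collide from chaining value h: about 2^(n/2) work."""
    seen, i = {}, 0
    while True:
        b = i.to_bytes(4, "big")
        out = compress(key, h, b)
        if out in seen:
            return seen[out], b, out
        seen[out] = b
        i += 1

def multicollision(key: bytes, m: int):
    """m chained block collisions give 2^m equal-hash messages for m * 2^(n/2) work."""
    h, pairs = IV, []
    for _ in range(m):
        b0, b1, h = block_collision(key, h)
        pairs.append((b0, b1))
    return pairs, h              # pick one block from each pair to form a message

def cascade_collision(k1: bytes, k2: bytes, m: int = 12):
    """Collide G(M) = H_K1(M) || H_K2(M): birthday search under H_K2 inside the H_K1 multicollision."""
    pairs, _ = multicollision(k1, m)
    seen = {}
    for msg in product(*pairs):  # all 2^m messages already collide under H_K1
        out = md_hash(k2, msg)
        if out in seen:
            return list(seen[out]), list(msg)
        seen[out] = msg
    return None

if __name__ == "__main__":
    a, b = cascade_collision(b"K1", b"K2")
    print(a != b, md_hash(b"K1", a) + md_hash(b"K2", a) == md_hash(b"K1", b) + md_hash(b"K2", b))
```

With n = 16 per hash, G has 32 output bits, yet the search costs a few thousand compression calls instead of the roughly 2^16 a 32-bit birthday bound would suggest.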
46
What about MDC-2?
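[Diagram: MDC-2, two blockcipher calls E per message block M_i, updating chaining values h_{i-1} → h_i and g_{i-1} → g_i; 2n = 256 bits of output]
Some recent results show this has collision resistance of 2^{74.9} << 2^{128} in the ideal cipher model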
47
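Best double-length blockcipher-based construction to date
[Hirose06]
[Diagram: two calls to blockcipher E on message block m_{i-1}, updating chaining values g_{i-1} → g_i and h_{i-1} → h_i, with a constant c]
  • Has n-2 bits of CR
  • Requires 2n-bit blockcipher keys

(I believe one can do better)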
48
Huge opportunities for research
  • Continue definitional work
      • Formalize near collisions, etc., work out relationships
      • What are the right properties for specific tasks?
  • Map out the theoretical landscape
      • Ideal cipher model ⇒ proofs
      • PRP assumption ⇒ no proofs
  • Find secure, fixed-key, rate < 1, iterated scheme
  • Find secure double-length constructions (fixed key!?)
  • Alternatives to the Merkle-Damgard paradigm
