1 cs 255 lecture 6 hash functions brent waters. 2 recap-notions of security what attacker can do...
Post on 21-Dec-2015
217 views
TRANSCRIPT
![Page 1: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/1.jpg)
1
CS 255 Lecture 6Hash Functions
Brent Waters
![Page 2: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/2.jpg)
2
Recap-Notions of Security
• What attacker can do•Random plaintext attack•Chosen plaintext attack•Chosen ciphertext attack
• Attacker’s Goal•Discover secret key•Decrypt a ciphertext, C*
•Distinguish two messages
![Page 3: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/3.jpg)
3
Recap- Notions of Security
• 3x3=9 possible notions of security
• Strongest system =Semantic security against CCAweakest adversary goal + most adversary power
![Page 4: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/4.jpg)
4
Recap- Semantic Securityof Counter Mode
1) Defined notion of security for block cipher --Indistinguishable from PRP --Formal definition game --Believe this is true for AES…
![Page 5: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/5.jpg)
5
Recap-
2) Prove that if cipher is indist. from Random Permutation then counter mode is semantically secure against CPA attack--Assume counter mode is not ) A breaks it
--Build algorithm B that uses algorithm A
--Want to show that A’s answer gives B information to play his game
![Page 6: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/6.jpg)
6
Why do we do this?
• Aren’t we assuming AES, 3DES secure anyway?
• Why not just make same assumption for mode X?
• Reduce to simplest assumptions possible
![Page 7: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/7.jpg)
7
Hash Functions
Hash function- h: {0,1} * \rightarrow {0,1}n
typically n ¼ 160 bits (will see why soon)
Hi, I recently….. …should be used
h(x)
01100100…1
![Page 8: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/8.jpg)
8
Properties
• Compression
• Pre-image resistanc: Given y=h(x) difficult to determine x’ s.t. h(x’)=y
• 2nd preimage resistance: Given x find x’ x s.t. h(x) = h(x’)
• Collision resistance: Find x’ x s.t. h(x)=h(x’)
![Page 9: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/9.jpg)
9
Relations
• If h is collision resistant then h is 2nd order pre-image resistant
• How do we show this?•Reduction—simple here
![Page 10: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/10.jpg)
10
Applications
• Show three applications and do one together
• For each one keep in mind what properties we need
![Page 11: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/11.jpg)
11
Password protection
pword=jeitlsePassword file
U1=…
U2=…
•What should we put in there?
•What if backup tape stolen?
•What property do we need
![Page 12: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/12.jpg)
12
Virus protection
• Worried virus might modify an application
• Small amount of trusted storage on USB token
• What properties do we need?
• Mirror sites distributing software
![Page 13: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/13.jpg)
13
Digital Signatures
• One party can sign a message M, many parties can verify
• Contract signing, code signing
• Raw signature scheme only signs messages ~160 bits
• What properties do we need?
![Page 14: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/14.jpg)
14
Birthday Attack for Collisions
• Let r1, … rj 2 [0,1…B]
• When n=1.2 sqrt(B) then Pr[9 i j: ri=rj]
Pr[9 i j: ri=rj]
=1-Pr[8 i j:ri rj] =1-(1-1/B)(1-2/B)...(1-(n-1)/B) =1-n-1 (1-i/B) ¼ 1- n-1e-i/B
=1-e1/2n2/B
=1-1/e.7 for n=1.2 sqrt(B)=1/2
![Page 15: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/15.jpg)
15
Lesson
• 80 bit hash implies 40 bit security (for collisions)
• Need 160 bit hash output
• For n integers have ¼ n^2 pairs each is a possibility for a collision
![Page 16: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/16.jpg)
16
Iterated Construction(Merkle-Damgard)
M1 M2 M3 M4 pad
IV f f f fH0 H1 H2 H3
1. f – Compression function
2. Hi – chaining variables
3. IV – Initial Value
![Page 17: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/17.jpg)
17
Iterated Construction(Merkle-Damgard)
M1 M2 M3 M4 pad
IV f f f fH0 H1 H2 H3
Padding: 100000 | length
Pad out last message block
Add one block with message length
![Page 18: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/18.jpg)
18
Collision resistance
• If compression function resistant then so is iterated construction
• Way we prove this is to show if we have M M’ and hash(M)=hash(M’) then we can find two
different inputs to compression function (x,y) and (x’,y’) such that f(x,y)=f(x,y)
-Note (x,y) (x’,y’) if x x’ or y y’
![Page 19: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/19.jpg)
19
Collision Resistance
• Suppose h(M)=h(M’)
• IV=H0, H1,H2....Ht
• IV=H0’, H1’, H2’...Hr’
Collision means Ht = Hr’
Case I:
• Suppose t r thenHt=Hr’ =f(Ht-1, t)=f(Hr-1’, r) ) collision!
![Page 20: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/20.jpg)
20
Collision Resistance
• Suppose h(M)=h(M’)
• M=M0, M1...Mt-1, M’=M0, M1,... Mr-1
• IV=H0, H1, H2....Ht
• IV=H0’, H1’, H2’...Hr’
Case 2: t r (Messages same # of blocks)Look at ith chaining variableHave Hi=Hi’ so f(Hi,Mi)=f(Hi’,Mi’)
if Mi Mi’ or if Hi Hi’ then have a collision
otherwise repeat observation for i-1 chaining var.However, 9 j: Mj Mj’ so must have a collision at
some point
![Page 21: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/21.jpg)
21
Block cipher construction
Matyas-Meyer
f(M,H)=E(M,g(h)) © M
EHi g
Mi
© Hi+1...
Thm: Suppose Ek(x) =E(X,K) is a collection of random permutations. Then finding a collision take 2n/2 evaluations of E. Best possible.
![Page 22: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/22.jpg)
22
Customized Hash functions
• Merkle-Damgard types—compression functionfaster than block ciphers
• MD4 128 Collisions found
• MD5 128 28.5MB/s Collisons found
• SHA-1 160 15.2MB/s
• SHA-2 160,256
• RIPEMD 160 12.6 Collisions found
![Page 23: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/23.jpg)
23
“Provable” hash functions
• Discrete log problem:Given ga mod p Output a
• f(a,b)=ga hb mod p
• Slow
![Page 24: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/24.jpg)
24
Paper submission project
• Professors/grad students submit papers to conferences electronically
• Strict deadlines: 9pm Jan. 29th
• People always wait to last minute – get flood of papers at end
• Graphics people send in videos – potentially GBs of data– no way server can handle them all
![Page 25: 1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen](https://reader030.vdocuments.mx/reader030/viewer/2022032522/56649d6b5503460f94a4a402/html5/thumbnails/25.jpg)
25
Solutions?
• Attacks?
• Properties