a good hash function is hard to find, and vice versa
DESCRIPTION
Secure hash functions are the unsung heroes of modern cryptography. Introductory courses in cryptography often leave them out --- since they don't have a secret key, it is difficult to use hash functions by themselves for cryptography. In addition, most theoretical discussions of cryptographic systems can get by without mentioning them. However, for secure practical implementations of public-key ciphers, digital signatures, and many other systems they are indispensable. In this talk I will discuss the requirements for a secure hash function and relate my attempts to come up with a "toy" system which is both reasonably secure and also suitable for students to work with by hand in a classroom setting.
TRANSCRIPT
Joshua Holden
Rose-Hulman Institute of Technology
A Good Hash Function is Hard to Find, and Vice Versa
A hash function is any function which takes an arbitrarily long string as input and gives a fixed-length output.
Input (“Message”): This is a really long string of text which is going to be the input to our hash function.
Output (“Hash value”): 01100011
An example: Write the message in rows of five letters, convert to numbers, add down the columns modulo 26.
Input (“Message”):
HELLO
MYNAM
EISAL
ICEXX
Converted to numbers:
07 04 11 11 14
12 24 13 00 12
04 08 18 00 11
08 02 04 23 23
Output (“Hash value”), the column sums modulo 26:
05 12 20 08 08
F M U I I
[Barr, Invitation to Cryptology]
A hash function is not:
• an encoding: you cannot recover the message M from the hash value h(M).
• secret: the function h itself is public.
What is a hash function good for? Maybe to make sure a message hasn’t been altered.
Alice sends Bob the message “Hi, Bob, this is Alice.” together with its hash value 00011100.
Suppose Eve intercepts it and changes the message to “Hi, Bob, this is Eve.” but leaves the hash value 00011100. Bob hashes what he received and gets 00110001, not 00011100, so he knows something is wrong.
But of course, Eve could change the hash value as well as the message: she sends “Hi, Bob, this is Eve.” with hash value 00110001, and now everything Bob checks matches.
Hash values by themselves only protect against unintentional changes.
Alice could prevent this by “digitally signing” the hash value. Eve can still substitute “Hi, Bob, this is Eve.” with hash value 00110001, but she cannot produce Alice’s signature on the new hash value, so Bob notices the change.
Digitally signing a hash value is much more efficient than signing a whole message!
What properties do we want a hash function to have?
1. It should be fast to compute.
2. It should distribute hash values evenly. (Diagram: messages M1, M2, M3, M4, M5, M6 mapped onto hash values h1, h2, h3.)
But for cryptographic purposes a hash function should also be “cryptographically secure”:
1. “One-way” a.k.a. “preimage-resistant”: given a hash value h, it should be hard to find a message M with that hash value.
2. “Second-preimage resistant”: given a message M1, it should be hard to find a different message M2 with the same hash value h.
3. “Collision-resistant”: it should be hard to find any two different messages M1 and M2 with the same hash value h.
One common way that real hash functions achieve these goals is with the Merkle-Damgård construction.
[Diagram, from Wikipedia: the message is split into blocks; starting from IV, the initialization vector, each block is fed together with the previous output into f, the compression function, and the last output is the hash value.]
If the compression function is collision-resistant, then so is the hash function.
Some common hash functions that use the Merkle-Damgård construction [Wikipedia]:
By Ronald Rivest:
• MD4 (Message Digest algorithm 4)
• MD5 (an improved version of MD4)
By NIST and the NSA:
• SHA (Secure Hash Algorithm)
• SHA-1 (slightly tweaked version of SHA)
• SHA-2 (significant revision of SHA-1)
The compression function of MD5 is fairly typical of all of these hash functions.
[Diagram: MD5 compression function, from Stallings, Cryptography and Network Security. Labelled parts: one “step” of the function; 16 “steps”; nonlinear function; message word; round constant; permutation; diffusion; feedforward.]
My goals for a new hash function:
1. Can be done without a computer in a class period.
2. Reasonably secure.
3. Uses elements from “real” hash functions.
4. “Optimized” for a four-function calculator.
Our first example (rows of five letters, columns added modulo 26, hash value FMUII) doesn’t stack up too well.
1. Can be done without a computer in a class period? Yes.
2. Reasonably secure? No.
The problem is that it’s too easy to work backwards from the hash to the preimage.
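The rows-of-five hash from the earlier example, and the "working backwards" weakness just described, as an added Python example that is not the speaker's own code; it assumes non-letters are dropped and the last row is padded with X, as on the slide, and the helper names are mine.

```python
# Added example (not from the talk): the rows-of-five hash from Barr's Invitation
# to Cryptology, and why "working backwards" to a preimage is easy. Assumption:
# non-letters are dropped and the last row is padded with X, as on the slide.
import string

def letters_only(message):
    """Keep A-Z only, uppercased: 'Hello, my name is Alice.' -> 'HELLOMYNAMEISALICE'."""
    return "".join(c for c in message.upper() if c in string.ascii_uppercase)

def column_hash(message, width=5):
    """Write the letters in rows of `width`, pad the last row with X, convert
    A..Z to 0..25 and add down each column modulo 26. Returns `width` letters."""
    text = letters_only(message)
    if len(text) % width:
        text += "X" * (width - len(text) % width)
    sums = [0] * width
    for i, c in enumerate(text):
        sums[i % width] = (sums[i % width] + ord(c) - ord("A")) % 26
    return "".join(chr(ord("A") + s) for s in sums)

def preimage(hash_value, first_row="HELLO"):
    """Work backwards: pick any first row of `width` letters, then choose the
    second row so that every column adds up to the target letter modulo 26.
    No search is needed, which is exactly why this hash is not one-way."""
    target = [ord(c) - ord("A") for c in hash_value]
    first = [ord(c) - ord("A") for c in letters_only(first_row)]
    second = [(t - f) % 26 for t, f in zip(target, first)]
    return first_row + "".join(chr(ord("A") + s) for s in second)

if __name__ == "__main__":
    print(column_hash("Hello, my name is Alice."))      # FMUII, as on the slide
    print(preimage("FMUII"), column_hash(preimage("FMUII")))
```

Appending a row of all A's (all zeros) leaves the hash unchanged, so second preimages are just as cheap as preimages.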
My first try: JHA (2000)
hash = (7 × # of vowels - 3 × # of consonants + (# of spaces)²) modulo 17
Hello my name is Alice: (7 × 8 - 3 × 10 + 4²) modulo 17 = 42 modulo 17 = 8
1. Can be done without a computer in a class period? Yes.
2. Reasonably secure? Not especially.
Preimages are not that easy, but second preimages and collisions are.
My second try: JHA-1 (2010)
hash = 5^(7 × # of vowels - 3 × # of consonants + (# of spaces)²) modulo 17
Hello my name is Alice: 5^(7 × 8 - 3 × 10 + 4²) modulo 17 = 5^42 modulo 17 = 9
1. Can be done without a computer in a class period? Yes.
2. Reasonably secure? A little better.
Preimages are even harder, but second preimages and collisions are still not that hard.
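JHA and JHA-1 as an added Python example (not the speaker's code), checked against the slide values 8 and 9 for “Hello my name is Alice”; it assumes y counts as a consonant, which is what gives the slide's count of 10, and that only letters and spaces are counted.

```python
# Added example (not the author's code): the JHA (2000) and JHA-1 (2010) toy hashes.
# Assumption: y is counted as a consonant, matching the slide's count of 10
# consonants in "Hello my name is Alice"; only letters and spaces are counted.
VOWELS = set("aeiou")

def counts(message):
    """Return (# of vowels, # of consonants, # of spaces) for the message."""
    text = message.lower()
    vowels = sum(1 for c in text if c in VOWELS)
    consonants = sum(1 for c in text if c.isalpha() and c not in VOWELS)
    return vowels, consonants, message.count(" ")

def score(message):
    """The quantity both hashes are built on: 7 * vowels - 3 * consonants + spaces^2."""
    v, k, s = counts(message)
    return 7 * v - 3 * k + s * s

def jha(message):
    """JHA: the score reduced modulo 17."""
    return score(message) % 17

def jha1(message):
    """JHA-1: 5 raised to the score, modulo 17. Undoing this means taking a
    discrete logarithm, which is what makes preimages harder than for JHA.
    Since 5^16 = 1 (mod 17) the exponent is reduced modulo 16 first, which also
    keeps it non-negative for consonant-heavy messages."""
    return pow(5, score(message) % 16, 17)

if __name__ == "__main__":
    for msg in ("Hello my name is Alice", "Hello my name is Celia"):
        # An anagram keeps every count, so both hashes agree: a free second preimage.
        print(msg, counts(msg), jha(msg), jha1(msg))
```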
My latest try: JHA-2 (2011), uses Merkle-Damgård.
• IV = 76
• Convert letters to numbers; each block is one letter (two digits).
• The final block is the two-digit length of the message.
• No special finalization.
JHA-2 compression function (all operations are modulo 100):
• Add the new message block to the current two-digit value.
• Multiply by 7 (diffusion*).
• Write the result as two digits A B and swap them to B A (permutation).
• Add the value the step started with back in (feedforward).
*Thanks to Michael Pridal-LoPiccolo!
An example:
H e l l o m y n a m e i s A l i c e
07 04 11 11 14 12 24 13 00 12 04 08 18 00 11 08 02 04 18
(the last block, 18, is the length of the message)
Start with the IV: 76
+ 07 (new block) = 83
× 7 = 581 → 81
swap the digits → 18
+ 76 (feedforward) = 94
+ 04 (new block) = 98
. . . and so on, one step per block.
An example, continued. Each group shows the message letters, their numbers, and the value after each compression step (starting from the IV, 76):
H e l l o m y n a m e
07 04 11 11 14 12 24 13 00 12 04
76 94 62 73 61 13 70 55 22 67 02 26
i s A l i c e (length)
08 18 00 11 08 02 04 18
09 07 01 49 48 53 52 61
So Alice sends “Hello, my name is Alice.” with hash value 61; Bob recomputes 61 from the message he receives and replies “Hi, Alice!”
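The JHA-2 chain worked above, as an added Python example that is not the speaker's own code; it assumes A/a = 00 through Z/z = 25, that non-letters are dropped, and that the length block is taken modulo 100 (the slides only show messages shorter than 100 letters).

```python
# Added example (not the author's code): the JHA-2 toy hash from the talk.
# Assumptions: A/a -> 00 ... Z/z -> 25, non-letters are ignored, and the final
# length block is taken modulo 100 since the slides only show short messages.
IV = 76       # initialization vector from the slides
MOD = 100     # every value is a two-digit number

def swap_digits(x):
    """The permutation step: write x as two digits A B and return B A (81 -> 18)."""
    return (x % 10) * 10 + x // 10

def compress(h, m):
    """One JHA-2 compression step on chaining value h and message block m."""
    t = (h + m) % MOD          # add the new message block
    t = (t * 7) % MOD          # multiply by 7 (diffusion)
    t = swap_digits(t)         # swap the two digits (permutation)
    return (t + h) % MOD       # add the step's starting value back in (feedforward)

def blocks(message):
    """Merkle-Damgard padding: one two-digit block per letter, then the length."""
    letters = [c for c in message if c.isalpha()]
    return [ord(c.lower()) - ord("a") for c in letters] + [len(letters) % MOD]

def jha2_trace(message):
    """Return every chaining value, starting with the IV and ending with the hash."""
    h, trace = IV, [IV]
    for m in blocks(message):
        h = compress(h, m)
        trace.append(h)
    return trace

def jha2(message):
    return jha2_trace(message)[-1]

if __name__ == "__main__":
    for msg in ("Hello, my name is Alice.", "Thanks for listening"):
        print(msg, "->", " ".join(f"{v:02d}" for v in jha2_trace(msg)))
```

The trace printed for the first message reproduces the row of values on the slide (76 94 62 ... 52 61).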
30
T h a n k s f o r
19 07 00 13 10 18 05 14 17
76 32 69 07 11 85 97 38 84 54
l i s t e n i n g
11 08 18 19 04 13 08 13 06 18
09 00 62 38 87 87 43 72 36 23
Bye!
http://www.rose-hulman.edu/~holden