a good hash function is hard to find, and vice versa

Joshua Holden

Rose-Hulman Institute of Technology

A Good Hash Function is Hard to Find, and Vice Versa

This is a really long string of text which is going to be the input to our hash function.

01100011

A hash function is any function which takes an arbitrarily long string as input and gives a fixed-length output.

This is a really long string of text which is going to be the input to our hash function.

01100011

Input:

(“Message”)

Output:

(“Hash value”)

2

An example: Write the message in rows of five letters, convert to numbers, add down the columns modulo 26.

Input:

(“Message”)

Output:

(“Hash value”)

3

HELLO

MYNAM

EISAL

ICEXX

07 04 11 11 14

12 24 13 00 12

04 08 18 00 11

08 02 04 23 23

05 12 20 08 08

F M U I I

[Barr, Invitation to Cryptology]

M

A hash function is not:

4

an encoding.

h

M

M

A hash function is not:

5

an encoding. secret.

h

M

h

M

h

M

h

M

What is a hash function good for? Maybe to make sure a message hasn’t been altered.

Alice Bob

Hi, Bob, this is Alice.

00011100

Hi, Bob, this is Eve.

00011100


00110001,

not 00011100

Eve

6

What is a hash function good for? Maybe to make sure a message hasn’t been altered.

Alice Bob


00011100


00011100


00110001,

not 00011100

Eve

7

Hey!

But of course, Eve could change the hash value as well as the message.

Alice Bob


00011100


00110001


00110001

Eve

8

?

Hash values by themselves only protect against unintentional changes.

Alice could prevent this by “digitally signing” the hash value.

Alice Bob


00011100


00011100


00110001

Eve

9

Digitally signing a hash value is much more efficient than signing a whole message!

10

1. It should be fast to compute.

What properties do we want a hash function to have?

11

1. It should be fast to compute.

2. It should distribute hash values evenly.

What properties do we want a hash function to have?

M1 M2 M3 M4 M5 M6

h1 h2 h3

12

1. “One-way” a.k.a. “preimage-resistant”

But for cryptographic purposes a hash function should also be “cryptographically secure”.

h M

13


2. “Second-preimage resistant”


h M

h M2

M1

14


2. “Second-preimage resistant”


h M

h M2

M1

3. “Collision-resistant” h

M2

M1

One common way that real hash functions achieve these goals is with the Merkle-Damgård construction.

15

IV = Initialization vector

[Wikipedia]

f = Compression function

If the compression function is collision-resistant, then so is the hash function.

Some common hash functions that use the Merkle-Damgård construction:

16

By Ronald Rivest:

• MD4 (Message Digest algorithm 4)

• MD5 (an improved version of MD4)

[Wikipedia]

By NIST and the NSA:

• SHA (Secure Hash Algorithm)

• SHA-1 (slightly tweaked version of SHA)

• SHA-2 (significant revision of SHA-1)

The compression function of MD5 is fairly typical of all of these ciphers.

17

MD5 compression function

[Stallings, Cryptography and Network Security]

One “step” of the function

feedforward

16 “steps”

permutation

nonlinear function

message

word

round constant

diffusion

My goals for a new hash function:

18

1. Can be done without a computer in a class period.


19


2. Reasonably secure.


20



3. Uses elements from “real” hash functions.


21


4. “Optimized” for a four-function calculator.


3. Uses elements from “real” hash functions.

Our first example doesn’t stack up too well.

22

HELLO

MYNAM

EISAL

ICEXX

07 04 11 11 14

12 24 13 00 12

04 08 18 00 11

08 02 04 23 23

05 12 20 08 08

F M U I I

1. Can be done without a computer in a class period? Yes.

2. Reasonably secure? No

The problem is that it’s too easy to work backwards from the hash to the preimage.

My first try: JHA (2000)

23


2. Reasonably secure? Not especially.

Preimages are not that easy, but second preimages and collisions are.

Hello my name is Alice

(7 x 8 – 3 x 10 + 42) modulo 17 = 8

hash = (7 x # of vowels – 3 x # of consonants + # of spaces2) modulo 17

My second try: JHA-1 (2010)

24


2. Reasonably secure? A little better.

Preimages are even harder, but second preimages and collisions are still not that hard.

Hello my name is Alice

5(7 x 8 – 3 x 10 + 42) modulo 17 = 9

hash = 5(7 x # of vowels – 3 x # of consonants + # of spaces2) modulo 17

My latest try: JHA-2 (2011), uses Merkle-Damgård.

25

IV = 76

Convert letters to numbers, each block is one letter (two digits)

Two-digit length of message

No special finalization

JHA-2 compression function:

26

New message block A B

+

x 7

+

Operations are modulo 100

diffusion*

permutation

feedforward

*Thanks to Michael Pridal-LoPiccolo!

An example:

27

H e l l o m y n a m e i s A l i c e

07 04 11 11 14 12 24 13 00 12 04 08 18 00 11 08 02 04 18

76

+ 07

83

x 7

81

18

+ 76

94

+ 04

.

.

.

feedforward

new block

new block

An example:

28

H e l l o m y n a m e

07 04 11 11 14 12 24 13 00 12 04

76 94 62 73 61 13 70 55 22 67 02 26

i s A l i c e

08 18 00 11 08 02 04 18

09 07 01 49 48 53 52 61

Hello, my name is Alice.

61


61

An example:

29

H e l l o m y n a m e

07 04 11 11 14 12 24 13 00 12 04

76 94 62 73 61 13 70 55 22 67 02 26

i s A l i c e

08 18 00 11 08 02 04 18

09 07 01 49 48 53 52 61


61


61

Hi,

Alice!

30

T h a n k s f o r

19 07 00 13 10 18 05 14 17

76 32 69 07 11 85 97 38 84 54

l i s t e n i n g

11 08 18 19 04 13 08 13 06 18

09 00 62 38 87 87 43 72 36 23

Bye!

http://www.rose-hulman.edu/~holden

a good hash function is hard to find, and vice versa

Education