![Page 1: Cryptographic Hash Functionssconce.ics.uci.edu/134-W18/slides/LEC5.pdf · 2018. 1. 23. · 6 Simple Hash Functions • Bitwise-XOR • Not secure, e.g., for English text (ASCII](https://reader035.vdocuments.mx/reader035/viewer/2022062509/60fe7546cd07a242cb1c7695/html5/thumbnails/1.jpg)
Lecture 5
Cryptographic Hash Functions
Read: Chapter 5 in KPS

Purpose
• CHF – one of the most important tools in modern cryptography and security
• CHF-s are used for many authentication, integrity, digital signatures and non-repudiation purposes
• Not the same as “hashing” used in DB or CRCs in communications

Cryptographic HASH Functions
• Purpose: produce a fixed-size “fingerprint” or digest of arbitrarily long input data
• Why? To guarantee integrity of input
• Properties of a “good” cryptographic HASH function H():
    1. Takes on input of any size
    2. Produces fixed-length output
    3. Easy to compute (efficient)
    4. Given any h, computationally infeasible to find any x such that H(x) = h
    5. For a given x, computationally infeasible to find y: H(y) = H(x) and y ≠ x
    6. Computationally infeasible to find any (x, y) such that H(x) = H(y) and x ≠ y

Same Properties Re-stated:
• Cryptographic properties of a “good” HASH function:
    • One-Way-ness (#4)
    • Weak Collision-Resistance (#5)
    • Strong Collision-Resistance (#6)
• Non-cryptographic properties of a “good” HASH function
    • Efficiency (#3)
    • Fixed Output (#2)
    • Arbitrary-Length Input (#1)

Construction
• A hash function is typically based on an internal compression function f() that works on fixed-size input blocks (M_i)
• Merkle-Damgard construction:
    • A fixed-size “compression function”.
    • Each iteration mixes an input block with the previous block’s output
• Sort of like a Chained Block Cipher
• Produces a hash value for each fixed-size block based on (1) its content and (2) hash value for the previous block
• “Avalanche” effect: 1-bit change in input produces “catastrophic” and unpredictable changes in output
[Figure: chain of compression functions f: IV and M_1 give h_1, h_1 and M_2 give h_2, …, h_{n-1} and M_n give h]

Simple Hash Functions
• Bitwise-XOR
• Not secure, e.g., for English text (ASCII < 128) the high-order bit is almost always zero
• Can be improved by rotating the hash code after each block is XOR-ed into it
• If message itself is not encrypted, it is easy to modify the message and append one block that would set the hash code as needed
• Another weak hash example: IP Header CRC

Another Example
• IPv4 header checksum
• One’s complement of the one’s complement sum of the IP header's 16-bit words
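
The two weak hashes above, written out as an added example (not part of the lecture slides). The 8-byte block size, the sample messages and the sample IPv4 header are constructed for the demo; it shows the zero high-order bit for ASCII input, the single appended block that restores a chosen XOR hash, and that the IPv4 checksum ignores the order of the 16-bit words.

```python
import struct

BLOCK = 8  # block size in bytes, chosen for this demo


def xor_hash(data: bytes) -> bytes:
    """Bitwise-XOR of all BLOCK-byte blocks; the last block is zero-padded."""
    data += b"\x00" * (-len(data) % BLOCK)
    h = bytearray(BLOCK)
    for i in range(0, len(data), BLOCK):
        for j in range(BLOCK):
            h[j] ^= data[i + j]
    return bytes(h)


def append_fixup(modified: bytes, target: bytes) -> bytes:
    """Return `modified` (padded to a block boundary) plus the one extra
    block that makes its XOR hash equal `target`."""
    padded = modified + b"\x00" * (-len(modified) % BLOCK)
    fix = bytes(a ^ b for a, b in zip(xor_hash(padded), target))
    return padded + fix


def ipv4_checksum(header: bytes) -> int:
    """One's complement of the one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


# Constructed sample inputs.
ORIGINAL = b"Pay Bob 10 dollars"
MODIFIED = b"Pay Bob 9999 dollars"
# 20-byte IPv4 header with the checksum field zeroed; addresses are made up.
HEADER = bytes.fromhex("45000054000040004001" "0000" "c0a80001" "c0a800c7")
# Same header with the source and destination addresses exchanged.
SWAPPED = HEADER[:12] + HEADER[16:20] + HEADER[12:16]

if __name__ == "__main__":
    digest = xor_hash(ORIGINAL)
    print("XOR hash of ASCII text:", digest.hex())
    print("high-order bit always zero:", all(b < 0x80 for b in digest))
    altered = append_fixup(MODIFIED, digest)
    print("altered message keeps the hash:", xor_hash(altered) == digest)
    print("checksum unchanged by word swap:",
          ipv4_checksum(HEADER) == ipv4_checksum(SWAPPED))
```

Neither function depends on a secret or on block order, which is why both detect accidental errors only and give no integrity guarantee against deliberate modification.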

The Birthday Paradox
• probability of no collisions:
    • P0 = 1 * (1 - 1/n) * (1 - 2/n) * … * (1 - (k-1)/n) ≈ e^(k(1-k)/(2n))
• probability of at least one:
    • P1 = 1 - P0
• Set P1 to be at least 0.5 and solve for k:
    • k ≈ 1.17 * SQRT(n)
    • k = 22.3 for n = 365
So, what’s the point?
• Example hash function: y = H(x) where: x = person and H() is Bday()
• y ranges over set Y = [1…365], let n = size of Y, i.e., number of distinct values in the range of H()
• How many people do we need to ‘hash’ to have a collision?
• Or: what is the probability of selecting at random k DISTINCT numbers from Y?

“Birthday Paradox” Example: N = 10^6

The Birthday Paradox
m = log(n) = size of H()
SQRT(2^m) = 2^(m/2) trials must be computationally infeasible!

How Long Should a Hash be?
• Many input messages yield the same hash
    • e.g., 1024-bit message, 128-bit hash
    • On average, 2^896 messages map into one hash
• With m-bit hash, it takes about 2^(m/2) trials to find a collision (with ≥ 0.5 probability)
• When m = 64, it takes 2^32 trials to find a collision (doable in very little time)
• Today, need at least m = 160, requiring about 2^80 trials (180 is better)
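
The birthday bound from the preceding slides, checked numerically in an added example (not part of the lecture slides). It evaluates the exact product for P0 against the e^(k(1-k)/(2n)) approximation, then measures how many trials a 24-bit hash survives; truncating SHA-256 to m bits and hashing counter strings are assumptions made for the demo.

```python
import hashlib
import math


def p_no_collision(k: int, n: int) -> float:
    """Exact P0 = 1 * (1 - 1/n) * (1 - 2/n) * ... * (1 - (k-1)/n)."""
    p = 1.0
    for i in range(k):
        p *= 1 - i / n
    return p


def p_no_collision_approx(k: int, n: int) -> float:
    """The approximation P0 ~ e^(k(1-k)/(2n))."""
    return math.exp(k * (1 - k) / (2 * n))


def k_for_half(n: int) -> float:
    """Number of trials for P1 >= 0.5: k ~ 1.17 * sqrt(n)."""
    return 1.17 * math.sqrt(n)


def truncated(msg: bytes, bits: int) -> bytes:
    """An m-bit hash for the demo: SHA-256 cut down to `bits` bits."""
    return hashlib.sha256(msg).digest()[:bits // 8]


def find_collision(bits: int):
    """Hash distinct counter strings until two of them share a digest.
    Returns (first message, second message, number of trials)."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        d = truncated(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg
        i += 1


if __name__ == "__main__":
    for k in (22, 23):
        print(k, "people: P1 =", round(1 - p_no_collision(k, 365), 4),
              "approx", round(1 - p_no_collision_approx(k, 365), 4))
    m = 24
    a, b, trials = find_collision(m)
    print("m = %d: predicted about %d trials, needed %d"
          % (m, k_for_half(2 ** m), trials))
    print("colliding inputs:", a, b)
```

Each extra bit of digest length adds only half a bit of collision resistance, which is why the slide asks for m = 160 to get about 2^80 trials.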

CHF from a Block Cipher
Rabin’s CHF:
§ Split input into key blocks: M_1, … M_p
§ Encrypt a constant plaintext (e.g., 0) with this seq. of keys:
    H_i = E(M_i, H_{i-1}), M_0 = 0
§ Final ciphertext H_p is the hash output

CHF from a Block Cipher
Davies-Meyer CHF:
§ H_i = H_{i-1} ⊕ E(M_i, H_{i-1}), H_0 = 0
§ Compression function is secure if E is a secure block cipher

Hash Function Examples

| | SHA-1 (weak) | MD5 (defunct) | RIPEMD-160 (unloved) |
|---|---|---|---|
| Digest length | 160 bits | 128 bits | 160 bits |
| Block size | 512 bits | 512 bits | 512 bits |
| # of steps | 80 (4 rounds of 20) | 64 (4 rounds of 16) | 160 (5 paired rounds of 16) |
| Max msg size | 2^64 - 1 bits | ∞ | ∞ |

Other (stronger) variants of SHA are SHA-256 and SHA-512
See: http://en.wikipedia.org/wiki/SHA_hash_functions

MD5
• Author: R. Rivest, 1992
• 128-bit hash
• based on earlier, weaker MD4 (1990)
• Collision resistance (B-day attack resistance)
    • only 64-bit
• Output size not long enough today (due to various attacks)

MD5: Message Digest Version 5
[Figure: Input Message in, Output: 128-bit Digest]

Overview of MD5

MD5 Padding
• Given original message M, add padding bits “100…” such that resulting length is 64 bits less than a multiple of 512 bits.
• Append original length in bits to the padded message
• Final message chopped into 512-bit blocks

MD5: Padding
[Figure: Input Message plus Padding split into 512-bit blocks 1 to 4; MD5 Transformation Block by Block, from the Initial Value to the Final Output; Output: 128-bit Digest]

MD5 Blocks
[Figure: four chained MD5 stages taking the 512-bit blocks B1, B2, B3, B4 and producing Result]

MD5 Box
[Figure: Initial 128-bit vector and 512-bit message chunks (16 words) in, 128-bit result out]
F(x,y,z) = (x ∧ y) ∨ (~x ∧ z)
G(x,y,z) = (x ∧ z) ∨ (y ∧ ~z)
H(x,y,z) = x ⊕ y ⊕ z
I(x,y,z) = y ⊕ (x ∧ ~z)
x ↵ y: x left rotate y bits

MD5 Process
• As many stages as the number of 512-bit blocks in the final padded message
• Digest: 4 32-bit words: MD = A | B | C | D
• Every message block contains 16 32-bit words: m_0 | m_1 | m_2 … | m_15
• Digest MD_0 initialized to: A = 01234567, B = 89abcdef, C = fedcba98, D = 76543210
• Every stage consists of 4 passes over the message block, each modifying MD; each pass involves different operation
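
Processing of Block m_i - 4 Passes
ABCD = f_F(ABCD, m_i, T[1..16])
ABCD = f_G(ABCD, m_i, T[17..32])
ABCD = f_H(ABCD, m_i, T[33..48])
ABCD = f_I(ABCD, m_i, T[49..64])
[Figure: m_i feeds the four passes; A, B, C, D of MD_i are combined by + to give MD_{i+1}]
Convention: A – d0; B – d1; C – d2; D – d3; T_i: diff. constant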

Different Passes...
• Different functions and constants
• Different set of m_i-s
• Different sets of shifts

Functions and Random Numbers
• F(x,y,z) = (x ∧ y) ∨ (~x ∧ z)
• G(x,y,z) = (x ∧ z) ∨ (y ∧ ~z)
• H(x,y,z) = x ⊕ y ⊕ z
• I(x,y,z) = y ⊕ (x ∧ ~z)
• T_i = int(2^32 * abs(sin(i))), 0 < i < 65

Flame’s MS Windows MD5 Attack
Chosen-prefix collision attack: meaningful initial blocks, followed by random blocks to obtain collision

Secure Hash Algorithm (SHA)
Ø SHA-0 was published by NIST in 1993
• Revised in 1995 as SHA-1
• Input: Up to 2^64 bits
• Output: 160 bit digest
• 80-bit collision resistance
• Pad with at least 64 bits to resist padding attack
    • 1000…0 || <message length>
• Processes 512-bit block
    • Initiate 5x32 bit MD registers
    • Apply compression function
        • 4 rounds of 20 steps each
        • each round uses different non-linear function
        • registers are shifted and switched

Digest Generation with SHA-1

SHA-1 of a 512-Bit Block

General Logic
• Input message must be < 2^64 bits
    • not a real limitation
• Message processed in 512-bit blocks sequentially
• Message digest (hash) is 160 bits
• SHA design is similar to MD5, but a lot stronger

Basic Steps
Step 1: Padding
Step 2: Appending length as 64-bit unsigned
Step 3: Initialize MD buffer: 5 32-bit words: A | B | C | D | E
    A = 67452301   B = efcdab89   C = 98badcfe   D = 10325476   E = c3d2e1f0

Basic Steps...
• Step 4: the 80-step processing of 512-bit blocks: 4 rounds, 20 steps each
• Each step t (0 <= t <= 79):
    • Input:
        • W_t – 32-bit word from the message
        • K_t – constant
        • ABCDE: current MD
    • Output:
        • ABCDE: new MD

Basic Steps...
• Only 4 per-round distinctive additive constants:
    • 0 <= t <= 19    K_t = 5A827999
    • 20 <= t <= 39   K_t = 6ED9EBA1
    • 40 <= t <= 59   K_t = 8F1BBCDC
    • 60 <= t <= 79   K_t = CA62C1D6

Basic Steps – Zooming In
[Figure: one step on registers A, B, C, D, E: f_t, CLS5, CLS30 and additions (+) with W_t and K_t give the new A, B, C, D, E]

Basic Logic Functions
Only 3 different functions

| Round | Function f_t(B, C, D) |
|---|---|
| 0 <= t <= 19 | (B ∧ C) ∨ (~B ∧ D) |
| 20 <= t <= 39 | B ⊕ C ⊕ D |
| 40 <= t <= 59 | (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D) |
| 60 <= t <= 79 | B ⊕ C ⊕ D |

Twist With W_t’s
• Additional mixing used with input message 512-bit block
    • W_0 | W_1 | … | W_15 = m_0 | m_1 | m_2 … | m_15
    • For 15 < t < 80:
        • W_t = W_{t-16} ⊕ W_{t-14} ⊕ W_{t-8} ⊕ W_{t-3}
• XOR is a very efficient operation, but with multilevel shifting, it produces very extensive and random mixing!

SHA-1 Versus MD5
• SHA-1 is a stronger algorithm:
    • A birthday attack requires on the order of 2^80 operations, in contrast to 2^64 for MD5
• SHA-1 has 80 steps and yields a 160-bit hash (vs. 128) - involves more computation
• Today can use SHA-2, but for longer-term security use SHA-3

SHA-3
§ Public competition by NIST, similar to AES:
    § NIST request for proposals (2007)
    § 51 submissions (2008)
    § 14 semi-finalists (2009)
    § 5 finalists (2010)
    § Winner: Keccak (2012)
§ Designed by Bertoni, Daemen, Peeters, Van Assche.
§ Based on “sponge construction”, a completely different structure.

Summary: What are hash functions good for?

Message Authentication Using a Hash Function
Use symmetric encryption such as AES or 3-DES
• Generate H(M) of same size as E() block
• Use E_K(H(M)) as the MAC (instead of, say, AES-based MAC)
• Alice sends E_K(H(M)), M
• Bob receives C, M’; decrypts C with k, hashes result
    H(D_K(C)) =?= H(M’)
Collision → MAC forgery!

Using Hash for Authentication
Alice and Bob share a secret key K_AB
1. Alice → Bob: random challenge r_A
2. Bob → Alice: H(K_AB || r_A), random challenge r_B
3. Alice → Bob: H(K_AB || r_B)
Only need to compare H() results

Using Hash to Compute MAC: integrity
• Cannot just compute and append H(m)
• Need “Keyed Hash”:
    • Prefix:
        • MAC: H(K_AB | m), almost works, but…
        • Allows concatenation with arbitrary message:
            • H(K_AB | m | m’)
    • Suffix:
        • MAC: H(m | K_AB), works better, but what if m’ is found such that H(m) = H(m’)?
    • HMAC:
        • H(K_AB | H(K_AB | m))
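
Why the prefix form only "almost works", as an added example (not part of the lecture slides) that also illustrates the Merkle-Damgard chaining and the “100…” plus length padding described earlier. The compression function f (SHA-256 truncated to 128 bits), the zero IV, the key and the messages are assumptions constructed for the demo: because the tag H(K | m) is the chaining value after the last block, a party without the key can keep hashing from it, while the nested form hides that value behind a second keyed pass.

```python
import hashlib
import struct

BLOCK = 64          # block size in bytes (512 bits, as for MD5 and SHA-1)
IV = bytes(16)      # toy 128-bit initial value


def f(h: bytes, block: bytes) -> bytes:
    """Toy compression function: (chaining value, block) -> 128-bit value."""
    return hashlib.sha256(h + block).digest()[:16]


def md_pad(total_len: int) -> bytes:
    """'100...' padding followed by the 64-bit message length in bits."""
    zeros = (-total_len - 9) % BLOCK
    return b"\x80" + bytes(zeros) + struct.pack(">Q", total_len * 8)


def md_hash(msg: bytes, h: bytes = IV, prior_len: int = 0) -> bytes:
    """Merkle-Damgard chain. `h` and `prior_len` resume from a known
    chaining value after `prior_len` bytes (a multiple of BLOCK)."""
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        h = f(h, data[i:i + BLOCK])
    return h


def prefix_mac(key: bytes, msg: bytes) -> bytes:
    return md_hash(key + msg)                    # H(K | m)


def nested_mac(key: bytes, msg: bytes) -> bytes:
    return md_hash(key + md_hash(key + msg))     # H(K | H(K | m))


def extend(tag: bytes, key_len: int, msg: bytes, suffix: bytes):
    """Continue the chain from `tag`, the state after K | m | padding.
    Returns (m | padding | suffix, its tag); the key itself is never used."""
    glue = md_pad(key_len + len(msg))
    prior = key_len + len(msg) + len(glue)
    return msg + glue + suffix, md_hash(suffix, h=tag, prior_len=prior)


def demo():
    key = b"constructed-shared-key"              # constructed sample values
    msg, suffix = b"item=book&qty=1", b"&qty=100"
    longer, tag = extend(prefix_mac(key, msg), len(key), msg, suffix)
    prefix_accepts = tag == prefix_mac(key, longer)
    _, tag2 = extend(nested_mac(key, msg), len(key), msg, suffix)
    nested_accepts = tag2 == nested_mac(key, longer)
    return prefix_accepts, nested_accepts


if __name__ == "__main__":
    print("prefix MAC accepts the extended message:", demo()[0])
    print("nested MAC accepts the extended message:", demo()[1])
```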

Hash Function-based MAC (HMAC)
• Main Idea: Use a MAC derived from any CHF
    • hash functions do not use a key, therefore cannot be used directly as a MAC
• Motivations for HMAC:
    • Cryptographic hash functions execute faster in software than encryption algorithms such as DES
    • No need for the reversibility of encryption
    • No US government export restrictions (was important in the past)
• Status: designated as mandatory for IP security
    • Also used in Transport Layer Security (TLS), which will replace SSL, and in SET

HMAC Algorithm
• Compute H1 = H() of the concatenation of M and K1
• To prevent an “additional block” attack, compute again H2 = H() of the concatenation of H1 and K2
• K1 and K2 each use half the bits of K
• Notation:
    • K+ = K padded with 0’s
    • ipad = 00110110 x b/8
    • opad = 01011100 x b/8
• Execution:
    • Same as H(M), plus 2 blocks
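
HMAC written out with the slide's K+, ipad and opad notation, as an added example (not part of the lecture slides). It follows RFC 2104, where the inner and outer keys are K+ ⊕ ipad and K+ ⊕ opad, and it is checked against Python's standard `hmac` module; the key and message in the demo are constructed.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC per RFC 2104: H((K+ xor opad) | H((K+ xor ipad) | M))."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size       # hash block size in bytes
    if len(key) > b:
        key = H(key)                            # long keys are hashed first
    k_plus = key.ljust(b, b"\x00")              # K+ = K padded with 0's
    inner_key = bytes(x ^ 0x36 for x in k_plus)   # ipad = 00110110 repeated
    outer_key = bytes(x ^ 0x5C for x in k_plus)   # opad = 01011100 repeated
    h1 = H(inner_key + msg)                     # first pass over the message
    return H(outer_key + h1)                    # second pass: one short input


def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), tag)


if __name__ == "__main__":
    key = b"constructed-shared-key"             # constructed sample values
    msg = b"transfer 10 to bob"
    tag = hmac_manual(key, msg)
    print("tag:", tag.hex())
    print("matches hmac module:",
          tag == hmac.new(key, msg, hashlib.sha256).digest())
    print("accepts original:", verify(key, msg, tag))
    print("accepts modified:", verify(key, msg + b"0", tag))
```

The outer pass hashes only one key block plus the inner digest, which matches the slide's cost estimate of H(M) plus 2 blocks.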

Just for Fun… Using a Hash to Encrypt
• Simulated One-Time Pad: similar to OFB
    • Compute key-stream using H(), K, and IV
    • b_1 = H(K_AB | IV), …, b_i = H(K_AB | b_{i-1}), …
    • c_1 = p_1 ⊕ b_1, …, c_i = p_i ⊕ b_i, …
• Or, mix in the plaintext
    • similar to cipher feedback mode (CFB)
    • b_1 = H(K_AB | IV), …, b_i = H(K_AB | c_{i-1}), …
    • c_1 = p_1 ⊕ b_1, …, c_i = p_i ⊕ b_i, …
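
Both keystream variants above, as an added example (not part of the lecture slides), with SHA-256 standing in for H() and constructed keys, IVs and plaintexts. It also shows the caveat that comes with any simulated one-time pad: if the same K and IV are used for two messages in the OFB-like mode, the XOR of the ciphertexts equals the XOR of the plaintexts.

```python
import hashlib

BLK = 32  # SHA-256 output size in bytes, so the key-stream comes in 32-byte blocks


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """b_1 = H(K | IV), b_i = H(K | b_{i-1}); c_i = p_i xor b_i.
    The same call decrypts, since XOR is its own inverse."""
    out, b = b"", iv
    for i in range(0, len(data), BLK):
        b = H(key + b)
        out += xor(data[i:i + BLK], b)
    return out


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """b_1 = H(K | IV), b_i = H(K | c_{i-1}); c_i = p_i xor b_i."""
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLK):
        c = xor(plaintext[i:i + BLK], H(key + prev))
        out += c
        prev = c
    return out


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb_encrypt: the key-stream is driven by the ciphertext."""
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLK):
        c = ciphertext[i:i + BLK]
        out += xor(c, H(key + prev))
        prev = c
    return out


if __name__ == "__main__":
    key, iv = b"constructed-shared-key", b"constructed-iv-0001"
    p1 = b"first constructed plaintext, longer than one block"
    p2 = b"second constructed plaintext, also spans two blocks"
    c1, c2 = ofb_crypt(key, iv, p1), ofb_crypt(key, iv, p2)
    print("OFB round trip:", ofb_crypt(key, iv, c1) == p1)
    print("CFB round trip:",
          cfb_decrypt(key, iv, cfb_encrypt(key, iv, p1)) == p1)
    print("IV reuse leaks p1 xor p2:", xor(c1, c2) == xor(p1, p2))
```

Neither mode authenticates the ciphertext, so a fresh IV per message and a separate MAC such as HMAC are still needed.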