fingerprints and trees additional applications for hash...
TRANSCRIPT
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Fingerprints and TreesAdditional Applications for Hash Functions
Foundations of CryptographyComputer Science Department
Wellesley College
Fall 2016
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Table of contents
Introduction
E�cient storage
Merkle trees
Password Hashing
Commitment Schemes
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Fingerprinting
• Virus scanners identifyviruses by storing a databasecontaining hashes of knownviruses.
• When an application oremail attachment isdownloaded, the scannerlooks up the its hash in thisdatabase.
• Overhead is feasible sinceonly a very short stringneeds to be recorded(and/or distributed) for eachvirus.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Deduplication
• When multiple users storethe same file in the cloud,only one copy is needed.
• Duplication is avoided byhaving the user first uploada hash of the file they wantto store.
• If the hash is already in thecloud, the cloud-storageprovider simply adds apointer to the existing file toindicate the this specificuser also stored the file.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Distributed databases
• Consider building a databasedistributed over a largenumber of peers thatsupport indexing andsearching.
• Peers query the database bysupplying a key and is givenin return the pair (key,value) that matches the key.
• Peers may also insert (key,value) pairs into thedatabase. How best to dothis?
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
My brother’s approach
1. Randomly scatter the (key,value) pairs across the peersand ...
2. ... have each peer maintaina list of the IP addresses ofall participating peers.
3. The querying peer looks intoevery bag, box, and drawer.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Distributed hash table
• Assign a unique integeridentifier in the range[0, 2n � 1] for some fixed nto each peer.
• Using a publicly availablehash function, assignintegers in the same rangeto each key.
• Assign each (key, value) tothe peer whose identifier is“closest*” to the hashed key.
*Say, the immediate successor of the key.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
For example, ...
• Suppose n = 4, so keys arein the range [0, 24 � 1] andthere are currently eightpeers: 1, 3, 4, 5, 8, 10, 12, 15.
• Where should the pair(11,Topper) go and howdoes Alice find it?
• Suppose Alice wants toinsert (key , value) into theDHT. How does shedetermine the peer closestto key?*
*Well, she could keep track of all the peers in the system?
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Circular distributed hash tables
• Peers are organized in acircle. Each peer keeps trackof its immediate predecessorand successor modulo 2n.
• Peer 3 finds the record withkey 11 by first passing amessage to peer 4, who ...
• When the message reachesthe responsible party, directcommunication takes place.
*These are not physical links, the peers form an abstract overlay network above
the“underlay” computer network.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Adding shortcuts
• Circular DHT is an elegant solution for reducing overlayinformation, but comes at a cost.
• An improvement is to add shortcuts, but there is a trade-o↵ betweenthe number of neighbors each peer has to track and the number ofmessage that the DHT needs to send to resolve a single query.
• When a peer receives a message that is querying for a key, itforwards the message to the neighbor which is closest the key.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Fingerprinting files
• A client retrieves herpreviously uploaded file, x ,from the cloud and wants tomake sure it has not beenaltered in the meantime.
• She could maintain a copyand compare.*
• An obvious solution is to usethe “fingerprinting”technique to store a shortdigest h := H(x) and check
that H(x 0)?
= h for thereturned file, x 0
*But that would defeat the purpose of the cloud.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
What happens when there are multiple files?
• We could simple hash eachfile, x
1
, . . . , xt independently,store the digests h
1
, . . . , ht ,then verify retrieved files asbefore.*
• Alternative, we could hashthat lot, h := H(x
1
, . . . , xtand store only h**.
• Merkle trees give a tradeo↵between these two extremes.
*But then client’s storage grows linearly in t.
**But there’s a downside here too.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Merkle trees
A Merkle tree computed over inputs x1
, . . . , xt is a binary tree of depthlog
2
t whose leaves are the inputs, and each internal node is the hash ofthe values of its two children.
Theorem 5.11. Let (sf GenH ,H) be a collision resistant, then
(sf GenH ,MT t)) is also collision resistant for any fixed t, where MT t
denotes the function that takes t input values x1
, . . . , xt , computes the
resulting Merkle tree, and outputs its root value.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
A solution to our problem using O(log2 t)communication
• The client computes h := MT t(x1, . . . , xt), uploads files x1, . . . , xtto the server, and stores h and t.
• At retrieval time, the server sends xi along with a proof ⇡i ofcorrectness consisting of the values of nodes in the Merkle treeadjacent to the path from xi to the root.
• The client uses these to recompute the path from xi to the root andverify that it equals h.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Password Hashing
• When a user types her passwordbefore she can use her laptop.
• To authenticate the user, someform of the user’s password mustbe stored on the laptop. If storedin the clear, an adversary whosteals the laptop can read theuser’s password o↵ the hard driveand login as her.
• This risk can be mitigated bystoring a hash, hpw = H(pw), ofthe password instead. When a userenters pw, the operating system
checks whether H(pk)?
= hpwbefore granting access.
*Our Linux system does just that. Hashes used to be stored openly in
/etc/passwd, but o↵-line attacks made that a very bad idea.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Attempts to bound the attacker’s chances
• Suppose the password is chosenfrom a relatively small space D,for example words from anEnglish dictionary(|D| ⇡ 80, 000).
• An attacker can then enumerateall possible passwordspw
1
, pw2
, . . . 2 D and checkwhether H(pwi ) = hpw .
• We would like to claim this isthe best they can do.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Randon oracle model to the rescue
• If H is modeled as a random oracle,we can formally prove thatrecovering pw from hpw requires|D|/2 evaluations on H, onaverage*.
• However, preprocessing can beused to generate large tables thatenable inversion faster thanexhaustive search.
• Even if passwords rare chosen as arandom combination of 8alphanumeric characters (giving apassword space of sizeN = 628 ⇡ 247.6, there is an attackusing time and space N2/3 that willbe highly e↵ective.
*Assuming pw is chosen uniformly from D.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Mitigating the threat of password cracking
• We could use “slow” hashfunctions or slow existing onesdown using multiple iterationsby computing H(I )(pw) forlarge I .
• Alternatively, we couldintroduce salt.
• When a user enters theirpassword, a long random values is generated unique to theuser and value(s, hpw) = H(r , pw) storedinstead of H(pw).
*Of course this comes at a cost to legitimate users.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Commitment schemes
A commitment scheme allows oneparty to “commit” to a message mby sending a commitment com suchthat:
• Hiding: the commitment revealsnothing about m.
• Binding: it is infeasible for thecommitter to output acommitment that can later be“opened” as two di↵erentmessage m,m0.
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Two experimentsThe commitment hiding experiment HidingA,Com(n):
1. Parameters params Gen(1n) are generated.
2. The adversary A is given input params, and outputs a pair ofmessage m
0
,m1
2 {0, 1}n.3. A uniform b {0, 1} is chosen and com Com(params,mb; r) is
computed.
4. The adversary A is given com and outputs a bit b0.
5. The output of the experiment is 1 if and only if b0 = b.
The commitment binding experiment BindingA,Com(n):
1. Parameters params Gen(1n) are generated.
2. The adversary A is given input params, and outputs(com,m, r ,m0, r 0)
3. The output of the experiment is 1 if and only if m 6= m0 andCom(params),m; r) = com = Com(params),m0; r 0).
Introduction Efficient storage Merkle trees Password Hashing Commitment Schemes
Secure commitment schemes
Definition 5.13. A commitment scheme is secure if for all PPTadversaries A there is a negligible function negl such that
Pr[HidingA,Com(n) = 1] 1
2+ negl(n)
andPr[BindingA,Com(n) = 1] negl(n).
Remark. It is possible to construct a secure commitment schemefrom a random oracle H. How?
Remark. Commitment schemes can be constructed withoutrandom oracles using one-way functions. But that is story foranother day.