Hash Function

  • View
    105

  • Download
    0

Embed Size (px)

DESCRIPTION

Hash Function. Contents. Hash Functions Dedicated Hash Functions Useful for lightweight authentication in RFID system Message Authentication Codes CBC-MAC Nested MAC Collusion Search Attacks SHA-3. Hash function. {0,1} d. d > r. h(). hash, hash code/value/result - PowerPoint PPT Presentation

Text of Hash Function

Chapter 4. Public Key Cryptography

1Hash FunctionHash FunctionsDedicated Hash FunctionsUseful for lightweight authentication in RFID systemMessage Authentication CodesCBC-MACNested MACCollusion Search AttacksSHA-32Contents

Compress a binary string with an arbitrary length into a fixed short message Important primitive for digital signature, integrity, authentication, etc.

3Hash functionh(){0,1}d{0,1}rd > rhash, hash code/value/result message digest, checksum, MIC,authentication tag, seal, compressiondigital fingerprint, imprint

3#4Configurationoriginal input, xappend padding bitsappend length blockcompression ft, f f gformatted input x=x1,x2,,xtH0=IVHi-1xiHihash function, houtput h(x)=g(Ht)Htpreprocessingiterative processingg : output transformation mapping, e.g., identity mapping

CompressionOne-waynessPrei-mage resistance: Given y, it is computationally infeasible to compute x with y=h(x)Second Pre-image resistance: Given x and h(x), it is computationally infeasible to compute x with h(x)=h(x) Collision-free (Prevent internal misuse): It is computational infeasible to find a pair (x, x), x x satisfying h(x)=h(x).EfficiencyEasy to compute h(x) for a given x.

5Requirements

Whether using key or notKeyed hash : MAC (Message Authentication Code)Un-keyed hash : MDC (Manipulation Detection Code)OWHF(One Way Hash Function)CFHF(Collision-Free Hash Function)

What purposeMACBlock Cipher-Based (DES-CBC MAC)Hash Function-Based(HMAC)MDC Dedicated Hash Functions (MD class, SHS, HAVAL)Block Cipher-Based (MDC-2, MDC-4)Modular Arithmetic: MASH-1, MASH-2

6Classification

Probability that 2 persons have the same birthday among r persons : pr(Assumption) each birthday is independent and uniform in the range 1 to m. pr=1-(m)r / mr =1- m! / mr(m-r)! e-r2/(2m) where, (m)r = m(m-1)(m-r+1)If r= m, pr 0.5 , e.g., m=365, r=23, pr>0.5 n-bit hash function will collide with probability 0.5 after (2n) times operation

7Birthday Paradox

Extend Compression ft to Hash ft so that the resulting hash ft to be collusion resistant if compression does. H0=IV, Hi=f(Hi-1,xi), 1it, h(x)=Ht8Merkle-Damgard ConstructionfffH0x1x2xtpaddinghashed codef : hs primitive hash function (a compression function)Hi : connection variable from i-1 to I

9Hash ft (MDC) by block cipherMatyas-Meyer-OseasDavies-MeyerMiyaguchi-Preneel EgHiHi-1xiH0=IVHi=Eg(Hi-1)(xi ) xi EHixiHi-1H0=IVHi=Exi(Hi-1 ) Hi-1 EgHi-1xiHiH0=IVHi=Eg(Hi-1)(xi ) xi Hi-1

Yield m-bit hash using n-bit block cipher with k-bit keyAll of them are secure assuming that a block cipher satisfies required randomness properties10Comparison Hash Function(n,k,m)Rate (k/m)Matyas-Meyer-Oseas(n,k,n)1Davis-Meyer(n,k,n)k/nMiyaguchi-Preneel(n,k,n)1MDC-2 (w/DES)(64,56,128)MDC-4(w/DES)(64,56,128)1/4

MASH: Modular Arithmetic Secure Hash algorithmWeakness: Efficiency (and Insecurity)

Quadratic CongruentialHi = (xi + Hi-1)2 mod N, H0=0where N=Mersenne prime 231-1Hi = (xi Hi-1)2 mod N xiHi = (xi Hi-1)e mod N11Hash by modular operation

12Dedicated Hash FunctionsMDx family: proposed by RivestMD4, Crypt 90MD5, RFC 1992SHA family: proposed by NISTSHA-0, FIPS-180, 1993SHA-1, FIPS-180-1, 1995SHA-2 (SHA-256/384/512), FIPS-180-2, 2002

Dedicated Hash Functions13Preprocessing a message, x1. Padding: d =(447 -|x|) mod 5122. Length of a message: n= |x| mod 264,|n|=64 bit3. M = x ||1||0d||n multiple of 512 where || denotes concatenation

* little-endian : W=224B4+216B3+28B2+B1 (B1: lowest address)

14MD4(I)

15MD4(II)Message BlockRound1

ABCDABCDRound2

Round3

1. A=(A+f(B,C,D)+X[0])