Upload
buikhanh
View
231
Download
2
Embed Size (px)
Citation preview
Hashing
Hash functions like MD5, SHA1, SHA256, SHA512, SHA3, ... areamongst the most widely-used cryptographic primitives.
Their primary purpose is collision-resistant data compression, but theyhave many other purposes and properties as well.
A good hash function is often treated like a magic wand ...
Mihir Bellare UCSD 2
Collision resistance (CR)
Definition: A collision for a function h : D → {0, 1}n is a pair x1, x2 ∈ Dof points such that h(x1) = h(x2) but x1 6= x2.
If |D| > 2n then the pigeonhole principle tells us that there must exist acollision for h.
Mihir Bellare UCSD 3
Collision resistance (CR)
Definition: A collision for a function h : D → {0, 1}n is a pair x1, x2 ∈ Dof points such that h(x1) = h(x2) but x1 6= x2.
If |D| > 2n then the pigeonhole principle tells us that there must exist acollision for h.
Mihir Bellare UCSD 4
Collision resistance (CR)
Definition: A collision for a function h : D → {0, 1}n is a pair x1, x2 ∈ Dof points such that h(x1) = h(x2) but x1 6= x2.
If |D| > 2n then the pigeonhole principle tells us that there must exist acollision for h.
We want that even though collisions exist, they are hard to find.
Mihir Bellare UCSD 5
Collision-resistance of a function family
The formalism considers a family H : Keys(H)× D → R of functions,meaning for each K ∈ Keys(H) we have a map HK : D → R defined byHK (x) = H(K , x).
Game CRH
procedure InitializeK
$← Keys(H)Return K
procedure Finalize(x1, x2)If (x1 = x2) then return falseIf (x1 6∈ D or x2 6∈ D) then return falseReturn (HK (x1) = HK (x2))
LetAdvcrH (A) = Pr
[CRA
H ⇒ true].
Mihir Bellare UCSD 6
Collision-resistance
Game CRH
procedure InitializeK
$← Keys(H)Return K
procedure Finalize(x1, x2)If (x1 = x2) then return falseIf (x1 6∈ D or x2 6∈ D) then return falseReturn (HK (x1) = HK (x2))
The Return statement in Initialize means that the adversary A gets K asinput. The key K here is not secret!
Adversary A takes K and tries to output a collision x1, x2 for HK .
A’s output is the input to Finalize, and the game returns true if thecollision is valid.
Mihir Bellare UCSD 7
Example
Let E : {0, 1}k × {0, 1}n → {0, 1}n be a blockcipher.Let H: {0, 1}k × {0, 1}2n → {0, 1}n be defined by
Alg H(K , x [1]x [2])
y ← EK (EK (x [1]) ⊕ x [2]); Return y
Let’s show that H is not collision-resistant by giving an efficient adversaryA such that AdvcrH (A) = 1.
Idea: Pick x1 = x1[1]x1[2] and x2 = x2[1]x2[2] so that
EK (x1[1]) ⊕ x1[2] = EK (x2[1]) ⊕ x2[2]
Mihir Bellare UCSD 8
Example
Let E : {0, 1}k × {0, 1}n → {0, 1}n be a blockcipher.Let H: {0, 1}k × {0, 1}2n → {0, 1}n be defined by
Alg H(K , x [1]x [2])
y ← EK (EK (x [1]) ⊕ x [2]); Return y
Let’s show that H is not collision-resistant by giving an efficient adversaryA such that AdvcrH (A) = 1.
Idea: Pick x1 = x1[1]x1[2] and x2 = x2[1]x2[2] so that
EK (x1[1]) ⊕ x1[2] = EK (x2[1]) ⊕ x2[2]
Mihir Bellare UCSD 9
Example
Alg H(K , x [1]x [2])
y ← EK (EK (x [1]) ⊕ x [2]); Return y
Idea: Pick x1 = x1[1]x1[2] and x2 = x2[1]x2[2] so that
EK (x1[1]) ⊕ x1[2] = EK (x2[1]) ⊕ x2[2]
adversary A(K )
x1 ← 0n1n ; x2[2]← 0n; x2[1]← E−1K (EK (x1[1]) ⊕ x1[2] ⊕ x2[2])
return x1, x2
Then AdvcrH (A) = 1 and A is efficient, so H is not CR.
Note how we used the fact that A knows K and the fact that E is ablockcipher!
Mihir Bellare UCSD 10
Exercise
Let E : {0, 1}k × {0, 1}l → {0, 1}l be a blockcipher. Let D be the set ofall strings whose length is a positive multiple of l .
Define the hash function H: {0, 1}k × D → {0, 1}l as follows:
Alg H(K ,M)
M[1]M[2] . . .M[n]← MC [0]← 0l
For i = 1, . . . , n doB[i ]← E (K ,C [i − 1] ⊕ M[i ]); C [i ]← E (K ,B[i ] ⊕ M[i ])
Return C [n]
Show that H is not CR by giving an efficient adversary A such thatAdvcrH (A) = 1.
Mihir Bellare UCSD 11
Keyless hash functions
We say that H: Keys(H)× D → R is keyless if Keys(H) = {ε} consists ofjust one key, the empty string.
In this case we write H(x) in place of H(ε, x) or Hε(x).
Practical hash functions like MD5, SHA1, SHA256, SHA512, SHA3, ...are keyless.
Mihir Bellare UCSD 12
SHA1
Alg SHA1(M) // |M| < 264
V ← SHF1( 5A827999 ‖ 6ED9EBA1 ‖ 8F1BBCDC ‖ CA62C1D6 , M )return V
Alg SHF1(K ,M) // |K | = 128 and |M| < 264
y ← shapad(M)
Parse y as M1 ‖M2 ‖ · · · ‖Mn where |Mi | = 512 (1 ≤ i ≤ n)
V ← 67452301 ‖ EFCDAB89 ‖ 98BADCFE ‖ 10325476 ‖ C3D2E1F0for i = 1, . . . , n do V ← shf1(K ,Mi ‖ V )
return V
Alg shapad(M) // |M| < 264
d ← (447− |M|) mod 512
Let ` be the 64-bit binary representation of |M|y ← M ‖ 1 ‖ 0d ‖ ` // |y | is a multiple of 512
return yMihir Bellare UCSD 13
shf1
Alg shf1(K ,B ‖ V ) // |K | = 128, |B| = 512 and |V | = 160
Parse B as W0 ‖W1 ‖ · · · ‖W15 where |Wi | = 32 (0 ≤ i ≤ 15)
Parse V as V0 ‖ V1 ‖ · · · ‖ V4 where |Vi | = 32 (0 ≤ i ≤ 4)
Parse K as K0 ‖ K1 ‖ K2 ‖ K3 where |Ki | = 32 (0 ≤ i ≤ 3)
for t = 16 to 79 do Wt ← ROTL1(Wt−3 ⊕Wt−8 ⊕Wt−14 ⊕Wt−16)
A← V0 ; B ← V1 ; C ← V2 ; D ← V3 ; E ← V4
for t = 0 to 19 do Lt ← K0 ; Lt+20 ← K1 ; Lt+40 ← K2 ; Lt+60 ← K3
for t = 0 to 79 do
if (0 ≤ t ≤ 19) then f ← (B ∧ C ) ∨ ((¬B) ∧ D)
if (20 ≤ t ≤ 39 OR 60 ≤ t ≤ 79) then f ← B ⊕ C ⊕ D
if (40 ≤ t ≤ 59) then f ← (B ∧ C ) ∨ (B ∧ D) ∨ (C ∧ D)
temp ← ROTL5(A) + f + E + Wt + LtE ← D ; D ← C ; C ← ROTL30(B) ; B ← A ; A← temp
V0 ← V0+A ; V1 ← V1+B ; V2 ← V2+C ; V3 ← V3+D ; V4 ← V4+E
V ← V0 ‖ V1 ‖ V2 ‖ V3 ‖ V4; return VMihir Bellare UCSD 14
Applications of hash functions
The killer-app is hashing before digitally signing, but we’ll discuss a fewothers:
• primitive in cryptographic schemes
• tool for security applications
• tool for non-security applications
Mihir Bellare UCSD 16
Password verification
• Client A has a password PW that is also held by server B
• A authenticates itself by sending PW to B over a secure channel(TLS)
APW PW - BPW
Problem: The password will be found by an attacker who compromises theserver.
Mihir Bellare UCSD 17
Password verification
• Client A has a password PW and server stores PW = H(PW ).
• A sends PW to B (over a secure channel) and B checks thatH(PW ) = PW
APW PW - BPW
Server compromise results in attacker getting PW which should not revealPW as long as H is one-way, which we will see is a consequence ofcollision-resistance.
But we will revisit this when we consider dictionary attacks!
Mihir Bellare UCSD 18
File comparision
• A has a large file FA and B has a large file FB . For example, musiccollections.
• They want to know whether FA = FB
• A sends FA to B and B checks whether FA = FB
AFA FA - BFB
Problem: Transmission could be slow.
Mihir Bellare UCSD 19
Compare-by-hash
• A has a large file FA and B has a large file FB and they want to knowwhether FA = FB
• A computes hA = H(FA) and sends it to B, and B checks whetherhA = H(FB).
AFA hA - BFB
Collision-resistance of H guarantees that B does not accept if FA 6= FB !
Mihir Bellare UCSD 20
Virus protection
An executable may be available at lots of sites S1, S2, . . . ,SN . Which onecan you trust?
• Provide a safe way to get the hash h = H(X ) of the correctexecutable X .
• Download an executable from anywhere, and check hash.
Mihir Bellare UCSD 21
Birthday attacks
Let H : {0, 1}k ×D → {0, 1}n be a family of functions with |D| > 2n. Theq-trial birthday attack finds a collision with probability about
q2
2n+1.
So a collision can be found in about q =√
2n+1 ≈ 2n/2 trials.
Mihir Bellare UCSD 22
Recall Birthday Problem
for i = 1, . . . , q do yi$←{0, 1}n
if ∃i , j (i 6= j and yi = yj) then COLL← true
Pr [COLL] = C (2n, q)
≈ q2
2n+1
Mihir Bellare UCSD 23
Birthday attack
Let H : {0, 1}k × D → {0, 1}n.
adversary A(K )
for i = 1, . . . , q do xi$← D ; yi ← HK (xi )
if ∃i , j (i 6= j and yi = yj and xi 6= xj) then return xi , xjelse return FAIL
Mihir Bellare UCSD 24
Analysis of birthday attack
Let H : {0, 1}k × D → {0, 1}n.
adversary A(K )
for i = 1, . . . , q do xi$← D ; yi ← HK (xi )
if ∃i , j (i 6= j and yi = yj and xi 6= xj) then return xi , xjelse return FAIL
What is the probability that this attack finds a collision?
adversary A(K )
for i = 1, . . . , q do xi$← D ; yi ← HK (xi )
if ∃i , j (i 6= j and yi = yj) then COLL← true
We have dropped things that don’t much affect the advantage andfocused on success probability. So we want to know what is
Pr [COLL] .
Mihir Bellare UCSD 25
Analysis of birthday attack
Birthday
for i = 1, . . . , q doyi
$←{0, 1}nif ∃i , j (i 6= j and yi = yj) then
COLL← true
Pr [COLL] = C (2n, q)
Adversary A
for i = 1, . . . , q doxi
$← D ; yi ← HK (xi )if ∃i , j(i 6= j and yi = yj) then
COLL← true
Pr [COLL] =?
Are the two collision probabilities the same?
Not necessarily, because
• on the left yi$←{0, 1}n
• on the right xi$← D ; yi ← HK (xi )
Mihir Bellare UCSD 26
Analysis of birthday attack
Birthday
for i = 1, . . . , q doyi
$←{0, 1}nif ∃i , j (i 6= j and yi = yj) then
COLL← true
Pr [COLL] = C (2n, q)
Adversary A
for i = 1, . . . , q doxi
$← D ; yi ← HK (xi )if ∃i , j(i 6= j and yi = yj) then
COLL← true
Pr [COLL] =?
Are the two collision probabilities the same?Not necessarily, because
• on the left yi$←{0, 1}n
• on the right xi$← D ; yi ← HK (xi )
Mihir Bellare UCSD 27
Analysis of birthday attack
We say that H : {0, 1}k × D → {0, 1}n is regular if every range point hasthe same number of pre-images under HK . That is if we let
H−1K (y) = {x ∈ D : HK (x) = y}
then H is regular if
|H−1K (y)| =
|D|2n
for all K and y . In this case the following processes both result in arandom output
Process 1y
$←{0, 1}nreturn y
Process 2x
$← D; y$← HK (x)
return y
Mihir Bellare UCSD 28
Analysis of birthday attack
If H: {0, 1}k × D → {0, 1}n is regular then the birthday attack finds acollision in about 2n/2 trials.
If H is not regular, the attack may succeed sooner.
So we want functions to be “close to regular”.
It seems MD4, MD5, SHA1, SHA2, SHA3,... have this property.
Mihir Bellare UCSD 29
Analysis of birthday attack
If H: {0, 1}k × D → {0, 1}n is regular then the birthday attack finds acollision in about 2n/2 trials.
If H is not regular, the attack may succeed sooner.
So we want functions to be “close to regular”.
It seems MD4, MD5, SHA1, SHA2, SHA3,... have this property.
Mihir Bellare UCSD 30
Birthday attack times
Function n TB
MD4 128 264
MD5 128 264
SHA1 160 280
SHA2-256 256 2128
SHA2-512 512 2256
SHA3-256 256 2128
SHA3-512 512 2256
TB is the number of trials to find collisions via a birthday attack.
Mihir Bellare UCSD 31
Compression functions
A compression function is a family h : {0, 1}k × {0, 1}b+n → {0, 1}n ofhash functions whose inputs are of a fixed size b + n, where b is called theblock size.
E.g. b = 512 and n = 160, in which case
h : {0, 1}k × {0, 1}672 → {0, 1}160
hKv
x
hK (x ‖ v)
Mihir Bellare UCSD 32
The MD transform
Design principle: To build a CR hash function
H : {0, 1}k × D → {0, 1}n
where D = {0, 1}≤264 :
• First build a CR compression functionh : {0, 1}k × {0, 1}b+n → {0, 1}n.
• Appropriately iterate h to get H, using h to hash block-by-block.
Mihir Bellare UCSD 33
MD setup
Assume for simplicity that |M| is a multiple of b. Let
• ‖M‖b be the number of b-bit blocks in M, and writeM = M[1] . . .M[`] where ` = ‖M‖b.
• 〈i〉 denote the b-bit binary representation of i ∈ {0, . . . , 2b − 1}.• D be the set of all strings of at most 2b − 1 blocks, so that‖M‖b ∈ {0, . . . , 2b − 1} for any M ∈ D, and thus ‖M‖b can beencoded as above.
Mihir Bellare UCSD 34
MD transform
Given: Compression function h : {0, 1}k × {0, 1}b+n → {0, 1}n.
Build: Hash function H : {0, 1}k × D → {0, 1}n.
Algorithm HK (M)m← ‖M‖b ; M[m + 1]← 〈m〉 ; V [0]← 0n
For i = 1, . . . ,m + 1 do v [i ]← hK (M[i ]||V [i − 1])Return V [m + 1]
hK0n
〈2〉M[2]M[1]
hK hK HK (M)
Mihir Bellare UCSD 35
MD preserves CR
Assume
• h is CR
• H is built from h using MD
Then
• H is CR too!
This means
• No need to attack H! You won’t find a weakness in it unless h has one
• H is guaranteed to be secure assuming h is.
For this reason, MD is the design used in many current hash functions.Newer hash functions use other iteration methods with analogousproperties.
Mihir Bellare UCSD 36
MD preserves CR
Theorem: Let h : {0, 1}k × {0, 1}b+n → {0, 1}n be a family of functionsand let H : {0, 1}k × D → {0, 1}n be obtained from h via the MDtransform. Given a cr-adversary AH we can build a cr-adversary Ah suchthat
AdvcrH (AH) ≤ Advcrh (Ah)
and the running time of Ah is that of AH plus the time for computing h onthe outputs of AH .
Implication:h CR ⇒ Advcrh (Ah) small
⇒ AdvcrH (AH) small
⇒ H CR
Mihir Bellare UCSD 37
How Ah works
Let (M1,M2) be the HK -collision returned by AH . The Ah will trace thechains backwards to find an hk -collision.
Mihir Bellare UCSD 38
Case 1: ‖M1‖b 6= ‖M2‖b
Let x1 = 〈2〉||V1[2] and x2 = 〈1〉||V2[1]. Then
• hK (x1) = hK (x2) because HK (M1) = HK (M2).
• But x1 6= x2 because 〈1〉 6= 〈2〉.
Mihir Bellare UCSD 39
Case 2: ‖M1‖b = ‖M2‖b
x1 ← 〈2〉||V1[2] ; x2 ← 〈2〉||V2[2]If x1 6= x2 then return x1, x2
Else // V1[2] = V2[2]x1 ← M1[2]||V1[1] ; x2 ← M2[2]||V2[1]If x1 6= x2 then return x1, x2Else // V1[1] = V2[1]
x1 ← M1[1]||0n ; x2 ← M2[1]||0nReturn x1, x2
Mihir Bellare UCSD 40
Case 2: ‖M1‖b = ‖M2‖b
x1 ← 〈2〉||V1[2] ; x2 ← 〈2〉||V2[2]If x1 6= x2 then return x1, x2Else // V1[2] = V2[2]
x1 ← M1[2]||V1[1] ; x2 ← M2[2]||V2[1]If x1 6= x2 then return x1, x2Else // V1[1] = V2[1]
x1 ← M1[1]||0n ; x2 ← M2[1]||0nReturn x1, x2
Mihir Bellare UCSD 41
Case 2: ‖M1‖b = ‖M2‖b
x1 ← 〈2〉||V1[2] ; x2 ← 〈2〉||V2[2]If x1 6= x2 then return x1, x2Else // V1[2] = V2[2]
x1 ← M1[2]||V1[1] ; x2 ← M2[2]||V2[1]If x1 6= x2 then return x1, x2
Else // V1[1] = V2[1]x1 ← M1[1]||0n ; x2 ← M2[1]||0nReturn x1, x2
Mihir Bellare UCSD 42
Case 2: ‖M1‖b = ‖M2‖b
x1 ← 〈2〉||V1[2] ; x2 ← 〈2〉||V2[2]If x1 6= x2 then return x1, x2Else // V1[2] = V2[2]
x1 ← M1[2]||V1[1] ; x2 ← M2[2]||V2[1]If x1 6= x2 then return x1, x2Else // V1[1] = V2[1]
x1 ← M1[1]||0n ; x2 ← M2[1]||0nReturn x1, x2
Mihir Bellare UCSD 43
Case 2: ‖M1‖b = ‖M2‖b
x1 ← 〈2〉||V1[2] ; x2 ← 〈2〉||V2[2]If x1 6= x2 then return x1, x2Else // V1[2] = V2[2]
x1 ← M1[2]||V1[1] ; x2 ← M2[2]||V2[1]If x1 6= x2 then return x1, x2Else // V1[1] = V2[1]
x1 ← M1[1]||0n ; x2 ← M2[1]||0nReturn x1, x2
Mihir Bellare UCSD 44
Exercise
Let h: K × {0, 1}2b → {0, 1}b be a compression function. DefineH: K × {0, 1}4b → {0, 1}b as follows:
Alg H(K ,M)
M1 ‖M2 ← MV1 ← h(K ,M1); V2 ← h(K ,M2)V ← h(K ,V1 ‖ V2)return V
Above, by M1 ‖M2 ← M, we mean that M1 is the first 2b bits of M andM2 is the rest, so that |M1| = |M2| = 2b.
Show that if h is collision-resistant then so is H. Do this by stating andproving an analogue of the Theorem above.
Mihir Bellare UCSD 45
How are compression functions designed?
Let E : {0, 1}b × {0, 1}n → {0, 1}n be a block cipher. Let us definekeyless compression function h : {0, 1}b+n → {0, 1}n by
h(x‖v) = Ex(v) .
Question: Is H collision resistant?
We seek an adversary that outputs distinct x1‖v1, x2‖v2 satisfying
Ex1(v1) = Ex2(v2) .
Answer: NO, h is NOT collision-resistant, because the following adversaryA has Advcrh (A) = 1:
adversary A
x1 ← 0b ; x2 ← 1b ; v1 ← 0n ; y ← Ex1(v1) ; v2 ← E−1x2 (y)
Return x1‖v1 , x2‖v2
Mihir Bellare UCSD 46
How are compression functions designed?
Let E : {0, 1}b × {0, 1}n → {0, 1}n be a block cipher. Let us definekeyless compression function h : {0, 1}b+n → {0, 1}n by
h(x‖v) = Ex(v) .
Question: Is H collision resistant?
We seek an adversary that outputs distinct x1‖v1, x2‖v2 satisfying
Ex1(v1) = Ex2(v2) .
Answer: NO, h is NOT collision-resistant, because the following adversaryA has Advcrh (A) = 1:
adversary A
x1 ← 0b ; x2 ← 1b ; v1 ← 0n ; y ← Ex1(v1) ; v2 ← E−1x2 (y)
Return x1‖v1 , x2‖v2
Mihir Bellare UCSD 47
How are compression functions designed?
Let E : {0, 1}b × {0, 1}n → {0, 1}n be a block cipher. Let us definekeyless compression function h : {0, 1}b+n → {0, 1}n by
h(x‖v) = Ex(v) .
Question: Is H collision resistant?
We seek an adversary that outputs distinct x1‖v1, x2‖v2 satisfying
Ex1(v1) = Ex2(v2) .
Answer: NO, h is NOT collision-resistant, because the following adversaryA has Advcrh (A) = 1:
adversary A
x1 ← 0b ; x2 ← 1b ; v1 ← 0n ; y ← Ex1(v1) ; v2 ← E−1x2 (y)
Return x1‖v1 , x2‖v2Mihir Bellare UCSD 48
How are compression functions designed?
Let E : {0, 1}b × {0, 1}n → {0, 1}n be a block cipher. Let us definekeyless compression function h : {0, 1}b+n → {0, 1}n by
h(x‖v) = Ex(v)⊕ v .
The compression function of SHA1 is underlain in this way by a blockcipher E : {0, 1}512 × {0, 1}160 → {0, 1}160.
The compression function of SHA256 is underlain in this way by a blockcipher E : {0, 1}512 × {0, 1}256 → {0, 1}256.
Mihir Bellare UCSD 49
Cryptanalytic attacks
So far we have looked at attacks that do not attempt to exploit thestructure of H.
Can we do better than birthday if we do exploit the structure?
Ideally not, but functions have fallen short!
Mihir Bellare UCSD 50
Cryptanalytic attacks against hash functions
1993,1996 : collisions found in compression function md5 of MD5 in 216
time [dBBo,Do]. But these did not yield collisions for MD5.
2004, 2005 : collisions found in RIPEMD, SHA0 [WaFeLaYu].
2005, 2006: collisions can be found in MD5 in 1 minute [WaFeLaYu,LeWadW, Kl]
2015: collisions found in compression function sha1 of SHA1 [SKP]. Butthese do not yield collisions for SHA1.
2017 : collisions found for SHA1 in 263.1 time [SBKAM]https://shattered.io/.
2017: Google, Microsoft and Mozilla browsers stop accepting SHA1-basedcertificates.
Mihir Bellare UCSD 51
SHA2
The SHA256 and SHA512 hash functions are still viewed as secure,meaning the best known attack is the birthday attack.
These are based on the MD paradigm we discussed above.
Mihir Bellare UCSD 54
SHA3
National Institute for Standards and Technology (NIST) held a world-widecompetition to develop a new hash function standard.
Contest webpage:http://csrc.nist.gov/groups/ST/hash/index.html
Requested parameters:
• Design: Family of functions with 224, 256, 384, 512 bit output sizes
• Security: CR, one-wayness, near-collision resistance, others...
• Efficiency: as fast or faster than SHA2-256
Mihir Bellare UCSD 55
SHA3
Submissions: 64
Round 1: 51
Round 2: 14: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue,Grostl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, Skein.
Finalists: 5: BLAKE, Grostl, JH, Keccak, Skein.
SHA3: 1: Keccak
Mihir Bellare UCSD 56