Iterated hash functions - Computer Science
Transcription
Iterated hash functions - Computer Science
From compression to hash Iterated hash functions CS349 Cryptography Department of Computer Science Wellesley College Comparison of security criteria o In order for a hash function to be secure, three problems should be hard to solve: Preimage; Second Preimage; and Collision. o Which is the hardest, and how do we tell? Iterated hashes 15-2 1 Collision ≤T Second Preimage Algorithm: CollisionToSecondPreimage(h) external Oracle2ndPreimage choose x Œ X uniformly at random if (Oracle2ndPreimage(h, x)=x’ and (x≠x’) and (h(x’)=h(x)) then return (x, x’) else return (failure) *As a consequence, we say that the property of collision resistance implies the property of second preimage resistance. Iterated hashes 15-3 Iterated hashes 15-4 Collision Avoidance o Can Collision be reduced to Preimage? o If so, we need only avoid Collision to ensure against all three security problems. 2 Collision ≤T Preimage Algorithm: CollisionToPreimage(h) external OraclePreimage choose x Œ X uniformly at random y ¨ h(x) if (OraclePreimage(h, y)=x’ and (x≠x’) then return (x, x’) else return (failure) Iterated hashes 15-5 Proving Collision ≤T Preimage Theorem. Suppose h: X Æ Y is a hash function where |X| and |Y| are finite and |X| ≥ 2|Y|. Suppose OraclePreimage is a (1, q) algorithm for Preimage, for the fixed hash function h. Then CollisionToPreimage is a (1/2, q+1) algorithm for Collision, for the fixed hash function h. Proof. We compute the average-case probably of success for CollisionToPreimage. Iterated hashes 15-6 3 Equivalence relations o For x Œ X, define x ~ x1 of h(x) = h(x1). We show that ~ is an equivalence relation. o Denote the equivalence class of x under ~ by [x] = {x1 Œ X : x ~ x1}. o Note that |[x]| is the number of possible x1 that could be returned by OraclePreimage and |[x]|-1 is the number different from x. Iterated hashes 15-7 Average-case probability of success Pr[success] = 1 |[x] | -1  | X | x ŒX |[x] | = 1 | C | -1   | X | C ŒCx ŒC | C | = 1  | C | -1 | X | C ŒC | X | - |Y | |X | | X | - | X | /2 ≥ |X | 1 = 2 = Since h is surjective, there is one equivalence class for each element of Y. Iterated hashes 15-8 † 4 Iterated hash functions o We study a particular method for extending compression functions to hash functions with an infinite domain. o Suppose compress: {0,1}m+t Æ {0.1}m is a compression function where t ≥ 1. Iterated hashes 15-9 Three main steps of an iterated hash Preprocessing Given input string x, where |x| ≥ m+t+1, construct string y = y1 || y2 || . . . || yr, where |yi| = t for 1 ≤ i ≤ r using a public algorithm. Processing Let IV be a public initial bitstring of length m. Compute z0 ¨ IV z1 ¨ compress(z0 || y1) ... zr ¨ compress(zr-1 || yr). Optional output transformation Define h(x) = g(zr), where g : {0,1}m Æ {0,1}l is a public function. Iterated hashes 15-10 5 The Merkle-Damgard construction o Suppose compress: {0,1}m+t Æ {0.1}m is a collision resistant hash function. We use compress to construct a collision resistant hash function h : X Æ {0,1}m, where elements of X are bit strings of length m+t+1 or larger. o Express x Œ X as the concatenation x = x1 || x2 || . . . || xk, where |x1| = |x2| = . . . = |xk-1| = t-1 and |xk| = t - 1 - d with 0 ≤ d ≤ t-2. Iterated hashes 15-11 Iterated hashes 15-12 Merkle-Damgard Algorithm Merkle-DamGard(x) external compress comment: compress : {0,1}m+t Æ {0,1}m, where t ≥ 2 n ¨ |x| k ¨ ceiling[n/t-1)] d ¨ n - k(t - 1) for i ¨ 1 to k - 1 do yi ¨ xi yk ¨ xk || 0d yk+1 ¨ binary representation of d z1 ¨ 0m+1 || y1 g1 ¨ compress(z1) for i ¨ 1 to k do zi+1 ¨ gi || 1 || yi+1 gi+1 ¨ compress(zi+1) h(x) ¨ gk+1 return (h(x)) 6 The resulting hash is collision resistant Theorem. Suppose compress : {0,1}m+t Æ {0,1}m is a collision resistant function, where t ≥ 2. then the function • h: U{0,1} i Æ {0,1}m i= m +t +1 as constructed in the Merkle-Damgard algorithm is a collision resistant hash function. † Proof. Suppose that we can find x ≠ x’ such that h(x) = h(x’). We find a collision for compress in polynomial time. Iterated hashes 15-13 Case 1: |x| ≠ |x’| (mod t-1) In this case, the remainders after division by t-1 are not equal, that is d ≠ d’. We have compress(gk || 1 || yk+1) = gk+1 = h(x) = h(x’) = g’l+1 = compress(g’k || 1 || y’l+1 ), which is a collision for h because yk+1 ≠ yl+1. Iterated hashes 15-14 7 Case 2a: |x| = |x’| In this case, we have k = l and yk+1 = y’k+1 compress(gk || 1 || yk+1) = gk+1 = h(x) = h(x’) = g’k+1 = compress(g’k || 1 || y’k+1 ). If gk ≠ g’k, then we find a collision for compress, so assume gk = g’k. Then we have compress(gk-1 || 1 || yk) = gk = g’k = compress(g’k-1 || 1 || y’k ). Iterated hashes 15-15 Assuming no collisions, . . . We continue working backwards, until compress(0m+1 || y1) = g1 = g’1 = compress(0m+1 || y’1 ). If y1 ≠ y’1, then we find a collision for compress. Otherwise, yi = y’i for 1 ≤ i ≤ k+1, so y(x) = y(x’). This too is a problem. Why? Iterated hashes 15-16 8 Case 2b: |x|=|x’| (mod t-1) but |x|≠|x’| WLOG |x| > |x’|, so l ≥ k. Arguing as in case 2a, we obtain compress(0m+1 || y1) = g1 = g’l-k+1 = compress(g’l-k || 1 || yl-k+1 ). But the (m+1)st bits of 0m+1 || y1 and g’l-k || 1 || yl-k+1 are different. Collision time. Done! Iterated hashes 15-17 The Secure Hash Algorithm o SHA-1 is the current iterated hash of choice.* o SHA=1 requires |x| ≤ 264-1. The binary representation of |x| is padded on the left with zeroes to that its length is exactly 64 bits. *MD4, MD5 and SHA are ancestors, SHA-256, SHA-384 and SHA-512 soon to be descendants. Iterated hashes 15-18 9 SHA-1 padding is easy Algorithm: SHA-1-Pad(x) comment: |x| ≤ 264 - 1 d ¨ (447 - |x|) mod 512 l ¨ the binary representation of |x|, where |l| = 64 y ¨ x || 1 || 0d || l Iterated hashes 15-19 SHA-1 is not! o Define functions Ï (B Ÿ C) ⁄ ((ÿB) Ÿ D) if 0 £ t £ 19 Ô Ô B⊕C ⊕D if 20 £ t £ 39 f i (B,C,D) = Ì Ô(B Ÿ C) ⁄ (B Ÿ D) ⁄ (C Ÿ D) if 40 £ t £ 59 ÔÓ B⊕C ⊕D if 60 £ t £ 79 o Define constants Ï 5A82799 if 0 £ t £ 19 Ô Ô 6ED9EBA1 if 20 £ t £ 39 Ki = Ì Ô8F1BBCDC if 40 £ t £ 59 ÔÓ CA62C1D6 if 60 £ t £ 79 † Iterated hashes 15-20 † 10 The SHA-1 Cryptosystem Iterated hashes 15-21 11