Iterated hash functions - Computer Science

From compression to hash
Iterated hash functions
CS349 Cryptography
Department of Computer Science
Wellesley College
Comparison of security criteria
o In order for a hash function to be secure, three problems should be hard to solve: Preimage; Second Preimage; and Collision.
o Which is the hardest, and how do we tell?
Iterated hashes
15-2
Collision ≤_T Second Preimage
Algorithm: CollisionToSecondPreimage(h)
    external Oracle2ndPreimage
    choose x ∈ X uniformly at random
    if Oracle2ndPreimage(h, x) = x' and x ≠ x' and h(x') = h(x)
        then return (x, x')
        else return (failure)
*As a consequence, we say that the property of collision resistance implies
the property of second preimage resistance.
Collision Avoidance
o Can Collision be reduced to Preimage?
o If so, we need only avoid Collision to ensure against all three security problems.
Collision ≤_T Preimage
Algorithm: CollisionToPreimage(h)
    external OraclePreimage
    choose x ∈ X uniformly at random
    y ← h(x)
    if OraclePreimage(h, y) = x' and x ≠ x'
        then return (x, x')
        else return (failure)
Proving Collision ≤_T Preimage
Theorem. Suppose h: X → Y is a hash function where |X| and |Y| are finite and |X| ≥ 2|Y|. Suppose OraclePreimage is a (1, q) algorithm for Preimage, for the fixed hash function h. Then CollisionToPreimage is a (1/2, q+1) algorithm for Collision, for the fixed hash function h.
Proof. We compute the average-case probability of success for CollisionToPreimage.
Equivalence relations
o For x ∈ X, define x ~ x1 if h(x) = h(x1). We show that ~ is an equivalence relation.
o Denote the equivalence class of x under ~ by [x] = {x1 ∈ X : x ~ x1}.
o Note that |[x]| is the number of possible x1 that could be returned by OraclePreimage and |[x]| - 1 is the number different from x.
Average-case probability of success
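\[
\begin{aligned}
\Pr[\text{success}] &= \frac{1}{|X|} \sum_{x \in X} \frac{|[x]| - 1}{|[x]|} \\
&= \frac{1}{|X|} \sum_{C \in \mathcal{C}} \sum_{x \in C} \frac{|C| - 1}{|C|} \\
&= \frac{1}{|X|} \sum_{C \in \mathcal{C}} \bigl(|C| - 1\bigr) \\
&= \frac{|X| - |Y|}{|X|} \\
&\geq \frac{|X| - |X|/2}{|X|} \\
&= \frac{1}{2}
\end{aligned}
\]
Since h is surjective, there is one equivalence class for each element of Y.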
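The reduction and its average-case success probability can be checked exhaustively on a small table. This is an added example, not part of the original slides; the toy hash table and the deterministic oracle (it always returns the smallest preimage) are constructed for illustration.

```python
import random
from fractions import Fraction

def make_hash(x_size, y_size, seed=0):
    """Constructed toy hash h: X -> Y stored as a table; surjective by construction."""
    rng = random.Random(seed)
    table = list(range(y_size)) + [rng.randrange(y_size) for _ in range(x_size - y_size)]
    rng.shuffle(table)
    return table

def make_preimage_oracle(table):
    """A (1, q) Preimage oracle: it always answers, here with the smallest preimage of y."""
    first = {}
    for x, y in enumerate(table):
        first.setdefault(y, x)
    return lambda y: first[y]

def collision_to_preimage(table, oracle, x):
    """One run of CollisionToPreimage for a given random choice x."""
    y = table[x]
    x1 = oracle(y)
    if x1 != x and table[x1] == table[x]:
        return (x, x1)
    return None  # failure: the oracle handed back x itself

def success_probability(table, oracle):
    """Average over every equally likely choice of x, so the result is exact."""
    wins = sum(collision_to_preimage(table, oracle, x) is not None
               for x in range(len(table)))
    return Fraction(wins, len(table))

if __name__ == "__main__":
    for x_size, y_size in [(32, 16), (64, 16), (256, 16)]:
        h = make_hash(x_size, y_size)
        p = success_probability(h, make_preimage_oracle(h))
        bound = Fraction(x_size - y_size, x_size)
        print(f"|X|={x_size} |Y|={y_size} Pr[success]={p} (|X|-|Y|)/|X|={bound}")
```

The oracle fails the reduction only on the one representative it picks per equivalence class, which is why the count of failures is exactly |Y| when h is surjective.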
Iterated hash functions
o We study a particular method for extending compression functions to hash functions with an infinite domain.
o Suppose compress: {0,1}^{m+t} → {0,1}^m is a compression function where t ≥ 1.
Three main steps of an iterated hash
Preprocessing
    Given input string x, where |x| ≥ m+t+1, construct string
        y = y_1 || y_2 || . . . || y_r,
    where |y_i| = t for 1 ≤ i ≤ r, using a public algorithm.
Processing
    Let IV be a public initial bitstring of length m. Compute
        z_0 ← IV
        z_1 ← compress(z_0 || y_1)
        ...
        z_r ← compress(z_{r-1} || y_r).
Optional output transformation
    Define h(x) = g(z_r), where g : {0,1}^m → {0,1}^l is a public function.
The Merkle-Damgard construction
o Suppose compress: {0,1}^{m+t} → {0,1}^m is a collision resistant hash function. We use compress to construct a collision resistant hash function h : X → {0,1}^m, where elements of X are bit strings of length m+t+1 or larger.
o Express x ∈ X as the concatenation
        x = x_1 || x_2 || . . . || x_k,
  where
        |x_1| = |x_2| = . . . = |x_{k-1}| = t-1
  and
        |x_k| = t - 1 - d
  with 0 ≤ d ≤ t-2.
Merkle-Damgard
Algorithm: Merkle-Damgard(x)
    external compress
    comment: compress : {0,1}^{m+t} → {0,1}^m, where t ≥ 2
    n ← |x|
    k ← ⌈n/(t-1)⌉
    d ← k(t-1) - n
    for i ← 1 to k-1
        do y_i ← x_i
    y_k ← x_k || 0^d
    y_{k+1} ← binary representation of d
    z_1 ← 0^{m+1} || y_1
    g_1 ← compress(z_1)
    for i ← 1 to k
        do z_{i+1} ← g_i || 1 || y_{i+1}
           g_{i+1} ← compress(z_{i+1})
    h(x) ← g_{k+1}
    return (h(x))
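A bit-level rendering of the algorithm makes the role of the final block y_{k+1} visible. This is an added example, not part of the original slides; the parameters m = 16, t = 9, the SHA-256-based stand-in for compress, and left-padding the binary representation of d to t-1 bits are assumptions made for illustration.

```python
import hashlib

M, T = 16, 9  # constructed parameters: compress maps {0,1}^(M+T) -> {0,1}^M

def compress(bits):
    """Stand-in compression function (assumption): SHA-256 truncated to M bits."""
    assert len(bits) == M + T
    digest = hashlib.sha256(bits.encode()).digest()
    return format(int.from_bytes(digest, "big"), "0256b")[:M]

def md_blocks(x):
    """Preprocessing: split x into y_1 .. y_{k+1}, each of length T-1."""
    n = len(x)
    k = -(-n // (T - 1))             # ceiling of n / (t-1)
    d = k * (T - 1) - n              # number of zero bits appended to x_k
    y = [x[i * (T - 1):(i + 1) * (T - 1)] for i in range(k)]
    y[-1] += "0" * d                 # y_k = x_k || 0^d
    y.append(format(d, f"0{T - 1}b"))  # y_{k+1} = d in binary, left-padded (assumption)
    return y

def merkle_damgard(x):
    """h(x) = g_{k+1}, with x given as a string of '0'/'1' characters."""
    assert set(x) <= {"0", "1"} and len(x) >= M + T + 1
    y = md_blocks(x)
    g = compress("0" * (M + 1) + y[0])   # z_1 = 0^(m+1) || y_1
    for block in y[1:]:
        g = compress(g + "1" + block)    # z_{i+1} = g_i || 1 || y_{i+1}
    return g

if __name__ == "__main__":
    x = "10110011" * 3 + "10"            # constructed 26-bit input
    for msg in (x, x + "0"):
        print(len(msg), md_blocks(msg), merkle_damgard(msg))
```

The two inputs differ only by a trailing zero, so y_1 through y_k are identical after zero padding; only the block encoding d tells them apart.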
The resulting hash is collision resistant
Theorem. Suppose compress : {0,1}^{m+t} → {0,1}^m is a collision resistant function, where t ≥ 2. Then the function
\[
h : \bigcup_{i=m+t+1}^{\infty} \{0,1\}^i \to \{0,1\}^m
\]
as constructed in the Merkle-Damgard algorithm is a collision resistant hash function.
Proof. Suppose that we can find x ≠ x' such that h(x) = h(x'). We find a collision for compress in polynomial time.
Case 1: |x| ≢ |x'| (mod t-1)
In this case, the remainders after division by t-1 are not equal, that is, d ≠ d'. We have
    compress(g_k || 1 || y_{k+1})
        = g_{k+1}
        = h(x)
        = h(x')
        = g'_{l+1}
        = compress(g'_l || 1 || y'_{l+1}),
which is a collision for compress because y_{k+1} ≠ y'_{l+1}.
Case 2a: |x| = |x'|
In this case, we have k = l and y_{k+1} = y'_{k+1}, and
    compress(g_k || 1 || y_{k+1})
        = g_{k+1}
        = h(x)
        = h(x')
        = g'_{k+1}
        = compress(g'_k || 1 || y'_{k+1}).
If g_k ≠ g'_k, then we find a collision for compress, so assume g_k = g'_k. Then we have
    compress(g_{k-1} || 1 || y_k)
        = g_k
        = g'_k
        = compress(g'_{k-1} || 1 || y'_k).
Assuming no collisions, . . .
We continue working backwards, until
    compress(0^{m+1} || y_1)
        = g_1
        = g'_1
        = compress(0^{m+1} || y'_1).
If y_1 ≠ y'_1, then we find a collision for compress.
Otherwise, y_i = y'_i for 1 ≤ i ≤ k+1, so y(x) = y(x'). This too is a problem. Why?
Case 2b: |x| ≡ |x'| (mod t-1) but |x| ≠ |x'|
WLOG |x'| > |x|, so l ≥ k. Arguing as in case 2a, we obtain
    compress(0^{m+1} || y_1)
        = g_1
        = g'_{l-k+1}
        = compress(g'_{l-k} || 1 || y'_{l-k+1}).
But the (m+1)st bits of 0^{m+1} || y_1 and g'_{l-k} || 1 || y'_{l-k+1} are different. Collision time.
Done!
The Secure Hash Algorithm
o SHA-1 is the current iterated hash of choice.*
o SHA-1 requires |x| ≤ 2^64 - 1. The binary representation of |x| is padded on the left with zeroes so that its length is exactly 64 bits.
*MD4, MD5 and SHA are ancestors, SHA-256, SHA-384 and SHA-512 soon to be descendants.
SHA-1 padding is easy
Algorithm: SHA-1-Pad(x)
    comment: |x| ≤ 2^64 - 1
    d ← (447 - |x|) mod 512
    l ← the binary representation of |x|, where |l| = 64
    y ← x || 1 || 0^d || l
SHA-1 is not!
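o Define functions
\[
f_t(B, C, D) =
\begin{cases}
(B \wedge C) \vee ((\neg B) \wedge D) & \text{if } 0 \le t \le 19 \\
B \oplus C \oplus D & \text{if } 20 \le t \le 39 \\
(B \wedge C) \vee (B \wedge D) \vee (C \wedge D) & \text{if } 40 \le t \le 59 \\
B \oplus C \oplus D & \text{if } 60 \le t \le 79
\end{cases}
\]
o Define constants
\[
K_t =
\begin{cases}
\text{5A827999} & \text{if } 0 \le t \le 19 \\
\text{6ED9EBA1} & \text{if } 20 \le t \le 39 \\
\text{8F1BBCDC} & \text{if } 40 \le t \le 59 \\
\text{CA62C1D6} & \text{if } 60 \le t \le 79
\end{cases}
\]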
The SHA-1 Cryptosystem
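The padding rule, the functions f_t and the constants K_t defined above can be assembled into a working SHA-1 and checked against Python's hashlib. This is an added example, not part of the original slides; the message schedule, rotation amounts and initial chaining values come from the published SHA-1 specification rather than from this page, and the input is assumed to be whole bytes.

```python
import hashlib
import struct

K = [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6]  # K_t, one per 20 rounds

def sha1_pad(x: bytes) -> bytes:
    """SHA-1-Pad for byte-aligned x: y = x || 1 || 0^d || l."""
    bit_len = 8 * len(x)
    d = (447 - bit_len) % 512
    # The '1' bit and the first 7 zero bits form the byte 0x80 (d % 8 == 7 here).
    return x + b"\x80" + b"\x00" * ((d - 7) // 8) + struct.pack(">Q", bit_len)

def f(t, b, c, d):
    """Round function f_t(B, C, D)."""
    if t <= 19:
        return (b & c) | (~b & d)
    if 40 <= t <= 59:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d

def rotl(v, s):
    """Rotate a 32-bit word left by s bits."""
    return ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF

def sha1(x: bytes) -> str:
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]  # IV
    y = sha1_pad(x)
    for off in range(0, len(y), 64):          # one 512-bit block per iteration
        w = list(struct.unpack(">16I", y[off:off + 64]))
        for t in range(16, 80):
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):
            tmp = (rotl(a, 5) + f(t, b, c, d) + e + K[t // 20] + w[t]) & 0xFFFFFFFF
            a, b, c, d, e = tmp, a, rotl(b, 30), c, d
        h = [(p + q) & 0xFFFFFFFF for p, q in zip(h, (a, b, c, d, e))]
    return "".join(f"{v:08x}" for v in h)

def matches_hashlib(x: bytes) -> bool:
    """Compare this implementation with the reference in the standard library."""
    return sha1(x) == hashlib.sha1(x).hexdigest()

if __name__ == "__main__":
    for msg in (b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 200):
        print(len(msg), sha1(msg), matches_hashlib(msg))
```

The 55-byte and 56-byte inputs sit on either side of the point where the padding spills into a second 512-bit block.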