Chapter 11 Cryptographic Hash Functions

SeoulTech UCS Lab 2014-1st

2015. 03. 23

(Daming Wu)

Email: [email protected]

• 11.1 Applications of Cryptographic Hash Functions

• 11.2 Two Simple Hash Functions

• 11.3 Requirements and Security

• 11.4 Hash Functions Based on Cipher Block Chaining

• 11.5 Secure Hash Algorithm (SHA)

• 11.6 SHA-3

2 Applications of Cryptographic Hash Functions

3 Hash Functions

• A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M). • The hash function goal is to ensure the integrity of the data. • A cryptographic hash function is an algorithm for computationally infeasible a) a data object maps to a pre-specified hash result(the one-way property) b) two data objects that map to the same hash result (the collision-free property)

P, L = padding plus length field 4 Message Authentication(1/2) verify the integrity and message authentication of a message.

5 Message Authentication(2/2)

6 Digital Signatures

• hash value of a message is encrypted with a user’s private key. • Anyone who knows the user’s public key can verify the integrity of the message that is associated with the digital signature. • Attacker alter the message need to know the user’s private key.

7 Other Applications

 to create a one-way password file

• store hash of password not actual password

 for intrusion detection and virus detection

• keep & check hash of files on system

 pseudorandom function (PRF) or pseudorandom number generator (PRNG)

8 Two Simple Hash Functions

9 Two Simple Hash Functions(1/2)

• One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of every block.

Ci = bi1 ⊕ bi2 ⊕ … ⊕ bim Where

Ci = ith bit of the hash code, 1 ≤i ≤ n m = number of n-bit blocks in the input bij = ith bit in jth block ⊕ = XOR operation • Disadvantage Each n-bit hash value is equally likely.With more predictably formatted data, the function is less effective.

10 Two Simple Hash Functions(2/2)

• Improve perform a one-bit circular shift, or rotation , on the hash value after each block is processed. 1. Initially set the n-bit hash value to zero. 2. Process each successive n-bit block of data as follows: a. Rotate the current hash value to the left by one bit. b. XOR the block into the hash value. This has the effect of “randomizing” the input more completely and overcoming any regularities that appear in the input.

11 Requirements and Security

12 Requirements for a Cryptographic Hash Function H

13 Brute-Force Attacks

• Two categories of attacks: 1. brute-force attacks: depends only on the bit length of the hash value. 2. Cryptanalysis: attack based on weaknesses in a particular cryptographic algorithm. • Preimage or second Preimage attack: an adversary wishes to find a value y such that H(y) is equal to a given hash value h. For an m-bit hash value, the level of effort is proportional to 2m. • Collision Resistant Attacks attacker find two messages x and y, H(x) = H(y). For an m-bit hash value, the level of effort is proportional to 2m/2.

14 Cryptanalysis

• The way to measure the resistance is to compare its strength to the effort required for a brute- force attack. • An ideal hash algorithm greater than or equal to the brute-force effort.

CV0 = IV = initial n-bit value

CVi = f(CVi - 1, Yi - 1) 1 ≤ i ≤ L

H(M) = CVL

General Structure of Secure Hash Code 15 Hash Functions Based on Cipher Block Chaining

16 Requirements for a Cryptographic Hash Function H

• hash functions based on using a cipher block chaining technique, but without using the secret key.

• Divide a message M into fixed-size blocks M1, M2, ….. , MN • use a symmetric encryption system DES to compute the hash code G as

H0 = initial value

Hi = E(Mi, Hi - 1)

G = HN Similar to the CBC technique, no secret key. this scheme is subject to the birthday attack

17 Secure Hash Algorithm (SHA)

18 SHA Versions

SHA-1 SHA-224 SHA-256 SHA-384 SHA-512

Message 160 224 256 384 512 digest size

Message size < 264 < 264 < 264 < 2128 < 2128

Block size 512 512 512 1024 1024

Word size 32 32 32 64 64

Number of steps 80 64 64 80 80

19 SHA-512 Overview

Message Digest Generation Using SHA-512

20 SHA-512 Compression Function

 heart of the algorithm

 processing message in 1024-bit blocks

 consists of 80 rounds

• updating a 512-bit buffer

• using a 64-bit value Wt derived from the current message block

• and a round constant based on cube root of first 80 prime numbers

21 SHA-512 Round Function

22 SHA-3

23 The Sponge Construction(1/2)

The sponge function is defined by three parameters: • f = the internal function used to process each input block3 • r = the size in bits of the input blocks, called the bitrate • pad = the padding algorithm The sponge specification proposes proposes two padding schemes • Simple padding: Denoted by pad10*, appends a single bit 1 followed by the minimum number of bits 0 • Multirate padding: Denoted by pad10*1, appends a single bit 1 followed by the minimum number of bits 0 followed by a single bit 1

24 The Sponge Construction(2/2)

Sponge Function Input and Output 25 SHA-3 Iteration Function f

26 Q&A

27 Thanks!