- So far we have focused on a - domain PRF from a small domain PRF in order to construct a MAC , constructing large on long messages " " ↳ " Alternative : the itself ( hashi the ) and MAC the approach compress message e.g, message compressed representation
- : : - still two should not hash to the same value [otherwise trivial attack if Hlm ,) H (ma) then require unforgeabiity messages ,
on m MAC on MAC , is also Mz )
↳ - : if hash value is shorter than collisions exist so we can that are eitve messages, alway only require they hard to find
? → A hash function H M T is collision - if for efficient adversaries A . resistant Definition ,
= = : m ← = CRHFADVLA, Cmo .) A H (mo Hlm .) . 4) Pr ( , ) ) negl
As stated definition is : if IMI > ITI then there exists a collision mot mi so consider the , problematic , always , adversary and that has ME hard coded ME , m't , mi outputs ↳ we able it down Thus, some exists (even if not be to write ) adversary alway may explicitly ↳ " " we model the hash function as an additional . a or Formally , being parameterized by parameter leg , system parameter " " a key ) so adversary cannot output a hard- coded collision ↳ - In we have a . SHA 256 that does not include or , concrete function ) practice leg , security system parameters
↳ - to be to find a collision there are 256 can take believed hard even though infinitelyinany (SHA inputs of arbitrary length)
: MACf#lFs suppose we have the following "
- A MAC - T ( , ) with K Mo and sign verify key space , message space tag space ,
- tmho 4%3*2 ) leg , : → collision- resistant hash M Mo A function H ,
' = S k m S K H m) Define ( , ) ( , ( ) and
= V' Ck m t) VCK Html t , , , , )
= is a secure MAC is Then is a MAC . . TIMAC ( ) and a . secure , H CRHF Trine theorem Suppose sign Verify , Specifically, for efficient A there exist efficient adversaries and B such that every adversary , Bio ,
E MAC t MACAdv CA Trine ] Adr [Bo IMac] CRHFADVCB , ,H ] , , m be the case that A to a valid t on a . Then it must Profile Suppose manages produce forgery message ,
- t is a valid MAC on H (m) under IMAC
- ' ' = - If A the oracle on m t m where H (m ) H (m) then A breaks collision resistance of H queries signing ,
- ' ' - - If A never oracle on m where Hlm ) H (m) then it has never seen a MAC on Hlm ) under queries signing , breaks of IT IMac . Thus A MAC . , security
- - [ See Boneh for formal similar to above : introduce event for collision vs . not ] Shoup argument very just occurring occurring
above is and but not used in Constructing simple elegant , practice
- : both a secure MAC and a secure CRHF : more need software hardware Disadvantaged Implementation requires complex , multiple / implementations
- : CRHF is a and collision- is an offline attack (does not need to verification oracle) Disadvantaged keyless object finding query
with can collision- resistance ( hash size is small) Adversary substantial preprocessing power compromise especially if
→ : { we . we have a hash function H { 0,13L How a collision in H without Birthdayattacko-C.RS Suppose 0,15 . might find ( knowing anything more about H) : H t size hash . of ) . Htt) Hk , . (Ll D Approached Compute , , [ output space
↳ - there must be at least one collision runs in time 0 (Ll) By Pigeonhole Principle, " E : EQD and is . . collision found Approached Sample mi compute H(mi) Repeat until
How needed to find a collision? many samples
=
. s n r . ) . sets where . Take 1st . . . . ret Then, T#BirhdayParadx any Suppose , -t ) - ele
- - : r - Tn Prftitj ri ;] Z l e
: = = I - : Pref. Prftitj ri rj] Pr [ V-i±j ritrj]
- = ------I r .. . . Pr ¢ {runs Et .. . ris PrLrz¢{ 3) Er, ] Prfre { re . )
n- I
- - . = . I njftlnAnd . . . .
= i - Ii'll
"
. . e xeeo.is can now via a . :* . . for . .io expansion
¥ Zn = I - e number of people in a room I to have a common birthday
= - > when l71.242 Pr (collision : ri - For 1.21565 223 ] ] I . ( ] , Prftitj rj birthdays , ↳ but this Birthdays not uniformly distributed , only increases collision probability . [ this !] Try proving
tf = For hash functions with 90,13? we can use a attack to find collisions in time 2lb can even do it with range birthday ↳ constant ! For 128 - bit 2128 ) need be 256- bits ) space ( , we the to (hence security e.g , output SHALL " 's ↳ " Floyd cycle finding Quantum collision - can be done in 243 (cube root attack) more finding , though requires space ( algorithm ) T HMAC (most widely used MAC)
to a ? So do functions obtain secure MAC Will revisit of CRHFS . how we use hash after studying constructions
- - - hash functions ( MDS SHA I SHA 256) follow the Merkle : start from hash function on short Many cryptographic e.g. , , , Damgoard paradigm
and use it to build a collision- resistant hash function on a : messages long message
I. into blocks Split message
on short blocks . (hash function ) to 2 Iteratively apply compressional inputs message
. . . : 1¥ /¥_me h compression function
- : to . . variables , ite chaining padding introduced so last block is multiple of block → . output size ↳ must also include an encoding of the message
: - - - Hash functions are deterministic so IV is a fixed of the form 100 O Hss) , string length typically
- be - s (defined in the ) can be taken to all zeroes where ( > is a specification string , fixed-length binary representation
but to a custom value constructions blocks usually set in of message length in Recall : 100 - - ' O padding was used in the ANSI standard
if not to include the then enough space length,
: for SHA -256 extra block is added (similar to CBC encryption) X = {0,13256 = y
: → th → : - . h be a function. be the Theorem Suppose XXL X compression Let H Y X Merkle Damaged hash function
-- Then if his collision resistant - constructed from h. is also , , H collision resistant.
- - : . We A to h Prot Suppose we have a collision finding algorithm A for H use build a collision finding algorithm for ' ' = l. Run A to obtain a collision M and M ( HCM) HEMI and MFM ) .
' ' ------= - - M M . be and . . . . Let m Mu the Let to 2 M ma and M mimi mi blocks of -4 . tu and , , respectively , ,
- - - title ti be the corresponding chaining variables . ' = 3. Since it must be the case that HLM) HIM ) ,
- - = = ' - HIM) h Hu i mu htt - i mi) ) , ) , HIM
- t h . either ta i - c or mi then we have a collision If ti Mut , for
= - - M - and Mu and -i Since Mu an the M must Otherwise mi tu i ti . and mi include of of ! it , encoding length
- - = - : be the that U - V Now consider the second to last block in the construction with tu- I the- case . ( i , output ) ' = = = - . tu-i h (tu-z Mu h(the ma . ) tie , , c) ,
- - = - - - - the chain or Either we have a collision or tu tu z and mi i . down until have collision z Mu i Repeat we ' ' - we have that = so M - concluded mi all i and M which is contradiction . mi for , , a
: is to construction ( a tree to obtain a izable construction . Note Above . ) constructing sequential Easy adapt using parallel to construct a Sufficient now compressionfunction_ .
is to use a Typical approach block cipher.
: → - : → . F X Davies Kt Let Rx X be a block . X is then Davies-Meye.ro cipher The Meyer compression function h X
Mi Ek
- h : = x ① X ↳ (k , x) FCK , ) F EX other also : x = x ④ k ④ X variants h (k, ) FCK , ) i -)→f→ti Many possible - [used in whirlpool hash family] Need to be careful with design! ' ' - ' = - : : h F- K FCK h k x x is collision resistant h k X) (k ( , , xD) ( , ) FCK , ) not ( , ,
' -' ' - = ' h k x x) Ot k is - : = h F x to k Ot . h k ( , ) FCK not collision resistant ( x) ( K ( k FCK , ) k ) , , , )
we F an block (ie a then Davies- Then. If model as ideal random for choice of ) is cipher , truly permutation every key , Meyer
- collision resistant. n run- : 280 birthday attack time n attack ran in time 264 (100,000x faster)
- ⇒ : Block t Davies - t Merkle CRHFS 2020 : chosen - Conclusion cipher Meyer Damgoard ( January , prefix collision in -263.4 time !
- ← - t : SHA - 1 : SHACAL I block with Davies- Merkle no secure [first collision found in 2017 !] Examples- cipher Meyer Damgoard longer
- - - t : 2 - - SHA -256 SHACAL block with Davies Merkle SHA I used . son cipher Meyer Damgaord extensively leg , git, ,
software PGPIGPG , updates, signatures not use AES ? Why certificates ) → attacks show need - transition to - to too are 128 bits not bits so in 264 Block size small ! AES outputs , 256 ( attack finds collision time) birthday SHA-2 or SHA-3
-
means number bits iteration . Short keys small of message processed per
- to be when to , block fast saree Typically cipher designed using key encrypt many messages ↳ - In Merkle are used so alternate (AES schedule is ) Damgaord , different keys , design preferred key expensive
Recently : SHA- 3 family of hash functions standardized (2015) ↳ " " Relies on different structure ( function) underlying sponge ↳ - 2 - - much Both SHA and SHA 3 are believed to be secure (most systems use SHA -2 typically faster )
- or even better a domain PRF f , large
- Back to a a CRHF can we do it than t - domain MAC ? building secure MAC from more directly using CRHF small ↳ Main difficulty seems to be that CRHFS are keytess but MACS are keyed Idea: include the key as part of the hashed input
" " itself collision - resistance does not randomness on the By , provide any guarantees output ' '
↳ - - - = - - m m For instance if H is collision resistant then H ( ) Moll Hm , o H H ( ) is also collision resistant even H also , , though bits of teaks the first 10 ( blocks m ↳ Constructing a PRFIMAC from a hash function will require more than just collision resistance " " - : ideal Options Model hash function as an hash function that behaves like a fixed -rdyrandom✓ function (modeling heuristic called the random oracle model)
- : start with a concrete construction of a CRHF ( Merkle- or the construction) Qptiod e.g. , Damgoard sponge and reason about its properties ↳ we will take this approach