Homework 2 Released
• Due: Tuesday, October 2nd at 3PM (beginning of class)
• Please Typeset Your Solutions (LaTeX, Word etc…)
• You may collaborate, but must write up your own solutions in your own words
1 Recap
• Message Authentication Codes • Integrity vs Confidentiality
• Example: Mack( ) = FK( ) • Extension to unbounded messages and pitfalls (block re-ordering, truncation) • CBC-MAC 𝑚𝑚 𝑚𝑚 • Authenticated Encryption + CCA-Security • Encrypt and Authenticate [SSL] • Authenticate then Encrypt [TLS] (Caution Required) • Encrypt then Authenticate! = c, Mac c where c = Enc ′ ′ 𝐾𝐾 𝐾𝐾𝑀𝑀 𝐾𝐾𝐸𝐸 𝐸𝐸𝐸𝐸𝐸𝐸 𝑚𝑚 𝑚𝑚 2 Caveat: Tricky Padding Issues arise if |m| is not a multiple of the block- CBC-MAC length. See textbook.
We will see a simpler MAC construction using hash functions 1 2 3 soon. 𝑚𝑚 𝑚𝑚 𝑚𝑚 𝑚𝑚
F (. ) K FK(. ) FK(. ) F (. ) = Mac ⨁ ⨁ ⨁K K Advantages over Previous Solution 𝜏𝜏 𝑚𝑚 • Both MACs are secure for i=1,…,d • Works for unbounded length messages = Mac • Canonical Verification (encode i and′ as n/4 bit strings) • Short Authentication tag Output𝑡𝑡𝑖𝑖 , 𝐾𝐾, …𝑟𝑟 ,∥ ℓ ∥ 𝑖𝑖 ∥ 𝑚𝑚𝑖𝑖 • Parallelizable ℓ 3 𝑟𝑟 𝑡𝑡1 𝑡𝑡𝑑𝑑 Recap: Authenticated Encryption
• Authenticated Encryption CCA-Security (by definition)
• Conceptual Distinction • CCA-Security the goal is secrecy (hide message from active adversary) • Authenticated Encryption: the goal is integrity + secrecy
• CCA-Security does not necessarily imply Authenticate Encryption • But most natural CCA-Secure constructions are also Authenticated Encryption Schemes • Some constructions are CCA-Secure, but do not provide Authenticated Encryptions, but they are less efficient.
4 Secure Communication Session
• Solution Protocol? Alice transmits c1 = EncK(m1) to Bob, who decrypts and sends Alice c2 = EncK(m2) etc… • Authenticated Encryption scheme is • Stateless • For fixed length-messages • We still need to worry about • Re-ordering attacks • Alice sends 2n-bit message to Bob as c1 = EncK(m1), c2 = EncK(m2) • Replay Attacks • Attacker who intercepts message c1 = EncK(m1) can replay this message later in the conversation • Reflection Attack • Attacker intercepts message c1 = EncK(m1) sent from Alice to Bob and replays to c1 Alice only
5 Secure Communication Session
• Defense • Counters (CTRA,B,CTRB,A) • Number of messages sent from Alice to Bob (CTRA,B) --- initially 0 • Number of messages sent from Bob to Alice (CTRB,A) --- initially 0 • Protects against Re-ordering and Replay attacks • Directionality Bit • bA,B = 0 and bB,A = 1 (e.g., since A < B)
• Alice: To send m to Bob, set c=EncK(bA,B CTRA,B m), send c and increment CTRA,B • Bob: Decrypts c, (if then reject), obtain∥ b CTR∥ m • If CTR CTRA,B or b bA,B then reject • Otherwise, output ⊥m and increment CTRA,B ∥ ∥ ≠ ≠
6 Galois Counter Mode (GCM)
• AES-GCM is an Authenticated Encryption Scheme • Bonus: Authentication Encryption with Associated Data • Ensure integrity of ciphertext • Attacker cannot even generate new/valid ciphertext! • Ensures attacker cannot tamper with associated packet data • Source IP • Destination IP • Why can’t these values be encrypted? • Encryption is largely parallelizable!
7 Cryptography CS 555
Week 5: • Cryptographic Hash Functions • HMACs • Generic Attacks • Random Oracle Model • Applications of Hashing Readings: Katz and Lindell Chapter 5, Appendix A.4
Fall 2017 8 Week 5: Topic 1: Cryptographic Hash Functions
9 Hash Functions H(x)=y
Long Input: Short Output: y s.t.
𝐱𝐱 𝐲𝐲 ≪ 𝐱𝐱 10 Pigeonhole Principle
“You cannot fit 10 pigeons into 9 pigeonholes”
11 Hash Collisions
By Pigeonhole Principle there must exist x and y s.t.
H(x) = H(y)
12 Classical Hash Function Applications
•Hash Tables • O(1) lookup*
•“Good hash function” should yield “few collisions”
* Certain terms and conditions apply
13 Collision-Resistant Hash Function
Intuition: Hard for computationally bounded attacker to find any pair , s.t. = 𝑥𝑥 𝑥𝑥푥 How to formalize this intuition? • Attempt 1: For all PPT A, 𝐻𝐻 𝑥𝑥 𝐻𝐻 𝑥𝑥푥 Pr 1 = , . = ( ) ( ) 𝑛𝑛 • The Problem: Let𝐴𝐴 , be 𝑥𝑥given𝑥𝑥푥 𝑠𝑠s.t.𝑡𝑡 𝐻𝐻 𝑥𝑥 = 𝐻𝐻 𝑥𝑥푥 ≤ 𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛 𝑛𝑛 , 1 = ( , ) ′ • We are assuming that𝑥𝑥 𝑥𝑥푥 |x| > |H(x)|.𝑛𝑛 𝐻𝐻Why?𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑥𝑥 𝑥𝑥� • H(x)=x is perfectly collision resistant!𝐴𝐴 (but with𝑥𝑥 no𝑥𝑥푥 compression)
14 Keyed Hash Function Syntax
• Two Algorithms • Gen(1 ; ) (Key-generation algorithm) • Input:𝑛𝑛 Random Bits R • Output:𝑅𝑅 Secret key s • ( ) (Hashing Algorithm) •𝑠𝑠 Input: key and message m 0,1 (unbounded length) 𝐻𝐻• Output:𝑚𝑚 hash value ( ) 0,1 ∗ 𝑠𝑠 ∈ 𝑠𝑠 ℓ 𝑛𝑛 𝐻𝐻 𝑚𝑚 ∈ • Fixed length hash function 0,1 > • ′ with ℓ 𝑛𝑛 ′ 𝑚𝑚 ∈ ℓ 𝑛𝑛 ℓ 𝑛𝑛 15 Collision Experiment ( , ( ))
𝐻𝐻𝑎𝑎s𝑎𝑎푎𝑎𝑎𝑎𝑎𝑎𝑎𝑎𝑎𝐴𝐴 Π 𝑛𝑛 x1,x2
1 = , ( )= 0 𝑠𝑠 𝑠𝑠 𝑖𝑖𝑖𝑖 𝐻𝐻 𝑥𝑥1 𝐻𝐻 𝑥𝑥2 𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻�𝐴𝐴 Π 𝑛𝑛 � 𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜�𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜 s = Gen(1 ; ) 𝑛𝑛 Definition: (Gen,H) is a collision resistant hash function if𝑅𝑅 (negligible) s. t Pr , ( )=1 ( ) ∀𝑃𝑃𝑃𝑃𝑃𝑃 𝐴𝐴 ∃𝜇𝜇 16 𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻�𝐴𝐴 Π 𝑛𝑛 ≤ 𝜇𝜇 𝑛𝑛 Collision Experiment ( , ( ))
𝐻𝐻𝑎𝑎s𝑎𝑎푎𝑎𝑎𝑎𝑎𝑎𝑎𝑎𝑎𝐴𝐴 Π 𝑛𝑛 For simplicity we will x ,x sometimes1 2 just say that H s Key is not key (or H ) is a collision1 = , ( )= secret (just resistant hash function0 𝑠𝑠 𝑠𝑠 𝑖𝑖𝑖𝑖 𝐻𝐻 𝑥𝑥1 𝐻𝐻 𝑥𝑥2 random) 𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻�𝐴𝐴 Π 𝑛𝑛 � 𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜�𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜 s = Gen(1 ; ) 𝑛𝑛 Definition: (Gen,H) is a collision resistant hash function if𝑅𝑅 (negligible) s. t Pr , ( )=1 ( ) ∀𝑃𝑃𝑃𝑃𝑃𝑃 𝐴𝐴 ∃𝜇𝜇 17 𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻𝐻�𝐴𝐴 Π 𝑛𝑛 ≤ 𝜇𝜇 𝑛𝑛 Theory vs Practice
• Most cryptographic hash functions used in practice are un-keyed • Examples: MD5, SHA1, SHA2, SHA3 • Tricky to formally define collision resistance for keyless hash function • There is a PPT algorithm to find collisions • We just usually can’t find this algorithm
18 Weaker Requirements for Cryptographic Hash
• Target-Collision Resistance
s,x x’
1 if H = H x HashTgtColl , ( )= 0 otherwises s x′ A Π 𝑛𝑛 � s = Gen(1 ; ) 0,1𝑛𝑛 Question: Why is collision resistance stronger? 𝑛𝑛𝑅𝑅 19 𝑥𝑥 ∈ Weaker Requirements for Cryptographic Hash
• Preimage Resistance (One-Wayness)
s,
x 𝑦𝑦
1 if H x = y HashPreImgRes , (n)= 0 otherwises A Π � s = Gen(1 ; ) 0,1 𝑛𝑛( ) Question: Why is collision resistance stronger? ℓ 𝑛𝑛𝑅𝑅 20 𝑦𝑦 ∈ Merkle-Damgård Transform
• Most cryptographic hash functions accept fixed length inputs
• What if we want to hash arbitrary length strings?
Construction: (Gen,h) fixed length hash function from 2n bits to n bits
( 1, … , ) = … 0 1 𝑠𝑠 𝑠𝑠 𝑠𝑠 𝑠𝑠 𝑠𝑠 𝑠𝑠 𝑛𝑛 𝐻𝐻 𝑥𝑥 𝑥𝑥𝑑𝑑 ℎ ℎ ℎ ℎ ℎ ∥ 𝑥𝑥 ∥ 𝑥𝑥𝑑𝑑−1 ∥ 𝑥𝑥𝑑𝑑 ∥ 𝑥𝑥
21 Merkle-Damgård Transform
Construction: (Gen,h) fixed length hash function from 2n bits to n bits
( ) = 1.𝑠𝑠 Break x into n bit segments x ,..,x (pad last block by 0’s) 𝐻𝐻 𝑥𝑥 1 d 2. = 0 (initialization) 3. For i = 1𝑛𝑛 to d 𝑧𝑧0 1. = i 𝑠𝑠 = 4. Output𝑧𝑧𝑖𝑖 ℎ 𝑧𝑧𝑖𝑖−1 ∥ 𝑥𝑥 where encodes as an n-bit string 𝑠𝑠 𝑧𝑧𝑑𝑑+1 ℎ 𝑧𝑧𝑑𝑑 ∥ 𝐿𝐿 𝐿𝐿 𝑥𝑥 22 Merkle-Damgård Transform
Theorem: If (Gen,h) is collision resistant then so is (Gen,H)
Proof: Show that any collision in Hs yields a collision in hs. Thus a PPT attacker for (Gen,H) can be transformed into PPT attacker for (Gen,h).
Suppose that ( ) = ( ) (note x and x’ may have different𝑠𝑠 lengths)𝑠𝑠 𝐻𝐻 𝑥𝑥 𝐻𝐻 𝑥𝑥′
23 Merkle-Damgård Transform
Theorem: If (Gen,h) is collision resistant then so is (Gen,H)
Proof: Suppose that ( ) = ( ) Case 1: |x|=|x’| (proof for case𝑠𝑠 two is similar)𝑠𝑠 𝐻𝐻 𝑥𝑥 𝐻𝐻 𝑥𝑥′ ( ) = = = ( ) = = 𝑠𝑠 𝑠𝑠 𝑠𝑠 ′ 𝑠𝑠 ′ ′ 𝐻𝐻 𝑥𝑥 𝑧𝑧𝑑𝑑 ℎ 𝑧𝑧𝑑𝑑−1 ∥ 𝑥𝑥𝑑𝑑 𝐻𝐻=?𝑥𝑥푥 𝑧𝑧𝑑𝑑 ℎ 𝑧𝑧𝑑𝑑−1 ∥ 𝑥𝑥𝑑𝑑 No Found collision ′ ′ Yes? 𝑑𝑑−1 𝑑𝑑 𝑑𝑑−1 𝑑𝑑 = 𝑧𝑧 ∥ 𝑥𝑥 𝑧𝑧 = ∥ 𝑥𝑥 = 𝑠𝑠 𝑠𝑠 ′ ′ ′ 24 𝑧𝑧𝑑𝑑−1 ℎ 𝑧𝑧𝑑𝑑−2 ∥ 𝑥𝑥𝑑𝑑−1 ℎ 𝑧𝑧𝑑𝑑−2 ∥ 𝑥𝑥𝑑𝑑−1 𝑧𝑧𝑑𝑑−1 Merkle-Damgård Transform
Theorem: If (Gen,h) is collision resistant then so is (Gen,H)
Proof: Suppose that ( ) = ( ) Case 1: |x|=|x’| (proof for case𝑠𝑠 two is similar)𝑠𝑠 𝐻𝐻 𝑥𝑥 𝐻𝐻 𝑥𝑥′ If for some i we have then we will find a collision ′ ′ 𝑖𝑖−1 𝑖𝑖 𝑖𝑖−1 𝑖𝑖 But x and x’ are different!𝑧𝑧 ∥ 𝑥𝑥 ≠ 𝑧𝑧 ∥ 𝑥𝑥
25 Week 5: Topic 2: HMACs and Generic Attacks
26 Keyed Hash Function Syntax
• Two Algorithms • Gen(1 ; ) (Key-generation algorithm) • Input:𝑛𝑛 Random Bits R • Output:𝑅𝑅Secret key s • ( ) (Hashing Algorithm) •𝑠𝑠Input: key and message m 0,1 𝐻𝐻• Output𝑚𝑚 : hash value ( ) 0,1 ∗ 𝑠𝑠 𝑠𝑠 ∈ ℓ 𝑛𝑛 𝐻𝐻 𝑚𝑚 ∈
27 MACs for Arbitrary Length Messages
MacK(m)= • Select random n/4 bit string r • Let = Mac for i=1,…,d • (Note: encode′ i and as n/4 bit strings) 𝑖𝑖 𝐾𝐾 𝑖𝑖 • Output𝑡𝑡 , , …𝑟𝑟, ∥ ℓ ∥ 𝑖𝑖 ∥ 𝑚𝑚 ℓ 1 𝑑𝑑 Theorem 4.8: If𝑟𝑟 𝑡𝑡’ is a secure𝑡𝑡 MAC for messages of fixed length n, above construction = (Mac, Vrfy) is secure MAC for arbitrary length messages. Π Π 28 MACs for Arbitrary Length Messages Disadvantages: Lose
MacDisadvantageK(m)= 1: Long Strong-MAC Guarantee • Selectoutput random n/4 bit string r (Multiple valid MACs of • Let = Mac for i=1,…,dsame message) • (Note: encode′ i and as n/4 bit strings) 𝑖𝑖 𝐾𝐾 𝑖𝑖 • Output𝑡𝑡 , , …𝑟𝑟, ∥ ℓ ∥ 𝑖𝑖 ∥ 𝑚𝑚 ℓ 1 𝑑𝑑 Theorem 4.8: If𝑟𝑟 𝑡𝑡’ is a secure𝑡𝑡 MAC for messages of fixed length n, above construction = (Mac, VrfyRandomized) is secure Construction MAC for arbitrary (no length messages. Π canonical verification). Disadvantage? Π 29 Hash and MAC Construction
Start with = Mac, Vrfy , a secure MAC for messages of fixed length, and (GenH,H) a collision resistant hash function and define Π , = Π′ ′ 𝑀𝑀 𝑠𝑠 𝑀𝑀𝑀𝑀𝑀𝑀 𝐾𝐾𝑀𝑀 𝑆𝑆 𝑚𝑚 𝑀𝑀𝑀𝑀𝑀𝑀𝐾𝐾 𝐻𝐻 𝑚𝑚 , , = , ′ 𝑠𝑠 𝐾𝐾𝑀𝑀 𝑆𝑆 𝐾𝐾𝑀𝑀 Theorem 5.6: is a 𝑉𝑉secure𝑉𝑉𝑉𝑉𝑉𝑉 MAC𝑚𝑚 for𝑡𝑡 arbitrary𝑉𝑉𝑉𝑉𝑉𝑉𝑉𝑉 length𝐻𝐻 message𝑚𝑚 𝑡𝑡 assuming that is a secure MAC and (GenH,H) is collision resistant. Π′ Π Note: If Vrfy , is canonical then Vrfy , , is canonical. ′ 𝑀𝑀 𝑀𝑀 𝐾𝐾 𝑚𝑚 𝑡𝑡 𝐾𝐾 𝑆𝑆 𝑚𝑚 𝑡𝑡 30 Hash and MAC Construction
Start with (Mac,Vrfy) a MAC for messages of fixed length and (GenH,H) a collision resistant hash function
, = ′ 𝑠𝑠 𝐾𝐾𝑀𝑀 𝑆𝑆 𝐾𝐾𝑀𝑀 Theorem 5.6: Above construction𝑀𝑀𝑀𝑀𝑀𝑀 𝑚𝑚 is a secure𝑀𝑀𝑀𝑀𝑀𝑀 MAC.𝐻𝐻 𝑚𝑚
Proof Intuition: If attacker successfully forges a valid MAC tag t’ for unseen message m’ then either
• Case 1: = for some previously requested message mi 𝑠𝑠 𝑠𝑠 for every previously requested message m • Case 2: 𝑖𝑖 i 𝐻𝐻𝑠𝑠 𝑚𝑚′ 𝐻𝐻𝑠𝑠 𝑚𝑚 𝑖𝑖 𝐻𝐻 𝑚𝑚� ≠ 𝐻𝐻 𝑚𝑚 31 Hash and MAC Construction
Theorem 5.6: Above construction is a secure MAC.
Proof Intuition: If attacker successfully forges a valid MAC tag t’ for unseen message m’ then either
• Case 1: = for some previously requested message mi • Attacker𝑠𝑠 can find 𝑠𝑠hash collisions! 𝐻𝐻 𝑚𝑚′ 𝐻𝐻 𝑚𝑚𝑖𝑖 • Case 2: for every previously requested message mi • Attacker𝑠𝑠 forged a valid𝑠𝑠 new tag on the “new message” 𝑖𝑖 • Violates𝐻𝐻 security𝑚𝑚� ≠ of𝐻𝐻 the𝑚𝑚 original fixed length MAC 𝒔𝒔 𝑯𝑯 𝒎𝒎�
32 Recap
• Definition of Collision Resistant Hash Functions (Gen,H) • Definitional challenges • Gen(1n) outputs a public seed.
• Merkle-Damgård construction to hash arbitrary length strings • Proof of correctness
• Hash and MAC construction • Proof of correctness
33 MAC from Collision Resistant Hash
• Failed Attempt:
, = 𝑠𝑠 𝑀𝑀𝑀𝑀𝑀𝑀 𝑘𝑘 𝑆𝑆 𝑚𝑚 𝐻𝐻 𝑘𝑘 ∥ 𝑚𝑚 Broken if uses Merkle-Damgård Transform. Let 3 encode length of 1 2 𝑠𝑠 = 0 , 𝐻𝐻 1 2 3 𝑚𝑚 1 2 𝑚𝑚3 ∥ 𝑚𝑚3 𝑠𝑠 =𝑠𝑠 𝑠𝑠 𝑠𝑠 𝑠𝑠 𝑛𝑛 𝑘𝑘 𝑆𝑆 , 1 2 3 𝑀𝑀𝑀𝑀𝑀𝑀 𝑚𝑚 ∥ 𝑚𝑚 ∥ 𝑚𝑚 ℎ ℎ ℎ𝑠𝑠 ℎ ℎ ∥ 𝑘𝑘 ∥ 𝑚𝑚 ∥ 𝑚𝑚 ∥ 𝑚𝑚 ∥ 𝐿𝐿 Why does this meanℎ 𝑀𝑀 𝑀𝑀𝑀𝑀 𝑘𝑘 𝑆𝑆 , 𝑚𝑚is ∥broken?𝑚𝑚 ∥ 𝐿𝐿
𝑴𝑴𝑴𝑴𝑴𝑴 𝒌𝒌 𝑺𝑺 34 HMAC
, = opad ipad 𝑠𝑠 𝑠𝑠 𝑀𝑀𝑀𝑀𝑀𝑀 𝑘𝑘 𝑆𝑆 𝑚𝑚 𝐻𝐻 𝑘𝑘⨁ipad? ∥ 𝐻𝐻 𝑘𝑘⨁ ∥ 𝑚𝑚
35 HMAC
, = opad ipad 𝑠𝑠 𝑠𝑠 𝑀𝑀𝑀𝑀𝑀𝑀 𝑘𝑘 𝑆𝑆 𝑚𝑚 𝐻𝐻 ipad𝑘𝑘⨁= inner∥pad𝐻𝐻 𝑘𝑘⨁ ∥ 𝑚𝑚 opad = outer pad
Both ipad and opad are fixed constants.
Why use key twice? Allows us to prove security from weak collision resistance of Hs
36 HMAC Security
, = opad ipad 𝑠𝑠 𝑠𝑠 Theorem𝑀𝑀 (Informal)𝑀𝑀𝑀𝑀 𝑘𝑘 𝑆𝑆 𝑚𝑚: Assuming𝐻𝐻 𝑘𝑘 ⨁that is∥ weakly𝐻𝐻 𝑘𝑘⨁ collision∥ resistant𝑚𝑚 and that (certain other plausible assumptions𝑠𝑠 hold) this is a secure MAC. 𝐻𝐻 Weak Collision Resistance: Give attacker oracle access to = (secret key k remains hidden). 𝑠𝑠 𝑓𝑓 𝑚𝑚 𝐻𝐻 𝑘𝑘 ∥ 𝑚𝑚 Attacker Goal: Find distinct m,m’ such that =
𝑓𝑓 𝑚𝑚 𝑓𝑓 𝑚𝑚′ 37 HMAC in Practice
• MD5 can no longer be viewed as collision resistant
• However, HMAC-MD5 remained unbroken after MD5 was broken • Gave developers time to replace HMAC-MD5 • Nevertheless, don’t use HMAC-MD5! • HMAC-SHA1 still seems to be okay (temporarily), despite collision • HMAC is efficient and unbroken • CBC-MAC was not widely deployed because it is “too slow” • Instead practitioners often used heuristic constructions (which were breakable)
38 Finding Collisions
• Ideal Hashing Algorithm • Random function H from {0,1}* to {0,1} • Suppose attacker has oracle access to H(.)ℓ Can we do • Attack 1: Evaluate H(.) on 2 +1 distinct inputs. better? ℓ
39 Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm • Random function H from {0,1}* to {0,1} • Suppose attacker has oracle access to H(.)ℓ
/ • Attack 2: Evaluate H(.) on = 2 + 1 distinct inputs x1,…,xq. ℓ 2 +1 𝑞𝑞 Pr No Collision = Pr < . (xi) (xj)
= Pr ∀𝑖𝑖 𝑗𝑗𝑞𝑞 𝐻𝐻 ≠ 𝐻𝐻 , … , 𝑫𝑫𝟐𝟐 � 𝑃𝑃𝑃𝑃 𝑫𝑫𝒊𝒊�𝑫𝑫𝒊𝒊−𝟏𝟏 𝑫𝑫𝟐𝟐 𝑖𝑖=3 = , … , 40
𝑫𝑫𝒊𝒊 𝒆𝒆𝒆𝒆𝒆𝒆𝒆𝒆𝒆𝒆 𝒕𝒕𝒕𝒕𝒕𝒕𝒕𝒕 𝐻𝐻 𝑥𝑥𝑖𝑖 ≠ 𝐻𝐻 𝑥𝑥𝑖𝑖−11 𝐻𝐻 𝑥𝑥1 Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm • Random function H from {0,1}* to {0,1} • Suppose attacker has oracle access to H(.)ℓ
/ • Attack 2: Evaluate H(.) on = 2 + 1 distinct inputs x1,…,xq. ℓ 2 +1 𝑞𝑞 Pr < . (xi) (xj) =
∀𝑖𝑖 𝑗𝑗 𝐻𝐻 | ≠ 𝐻𝐻 ,…, 𝟐𝟐 𝑫𝑫 / 2 1 1 𝟑𝟑 2𝟐𝟐 Pr 𝑫𝑫𝒒𝒒�2𝑫𝑫𝒒𝒒−𝟏𝟏 𝑫𝑫𝟐𝟐 1 × Pr 𝐻𝐻1𝑥𝑥 ≠𝐻𝐻 𝑥𝑥 × Pr1𝑫𝑫 𝑫𝑫 × × 1 ℓ 2 +1 2 2 2 41 − ℓ − ℓ ⋯ − ℓ Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm • Random function H from {0,1}* to {0,1} • Suppose attacker has oracle access to H(.)ℓ
/ • Attack 2: Evaluate H(.) on = 2 + 1 distinct inputs x1,…,xq. ℓ 2 +1 𝑞𝑞 1 2 3 2 / Pr < . (x ) (x ) = 1 1 1 1 … 1 i j 2 2 2 ℓ22 +1 1 ∀𝑖𝑖 𝑗𝑗 𝐻𝐻 ≠ 𝐻𝐻 exp− ℓ − ℓ − ℓ − ℓ 2 −𝑞𝑞 𝑞𝑞 − ℓ+1 ≈ 42 Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm • Random function H from {0,1}* to {0,1} • Suppose attacker has oracle access to H(.)ℓ
/ • Attack 2: Evaluate H(.) on = 2 + 1 distinct inputs x1,…,xq. ℓ 2 +1 𝑞𝑞 1 2 3 2 / Pr < . (x ) (x ) = 1 1 1 1 … 1 i j 2 2 2 ℓ22 +1 1 42 1 ∀𝑖𝑖 𝑗𝑗 𝐻𝐻 exp≠ 𝐻𝐻 −< expℓ − ℓ = − <ℓ − ℓ 2 2 ℓ 2 −𝑞𝑞 𝑞𝑞 − − −2 ℓ+1 ℓ+1 ≈ 𝑒𝑒 43 Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm • Random function H from {0,1}* to {0,1} • Suppose attacker has oracleexp access to H(.)ℓ < for > 2 ln + 1 −𝑞𝑞 𝑞𝑞−1 ℓ+1 ℓ+1 2/ • Attack 2: Evaluate H(.) on = 2 + 1 distinct𝜺𝜺 𝑞𝑞 inputs x1,…,xq.𝜺𝜺 ℓ 2 +1 𝑞𝑞 1 2 3 2 / Pr < . (x ) (x ) = 1 1 1 1 … 1 i j 2 2 2 ℓ22 +1 1 42 1 ∀𝑖𝑖 𝑗𝑗 𝐻𝐻 exp≠ 𝐻𝐻 −< expℓ − ℓ = − <ℓ − ℓ 2 2 ℓ 2 −𝑞𝑞 𝑞𝑞 − − −2 ℓ+1 ℓ+1 ≈ 𝑒𝑒 44 Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm • Random function H from {0,1}* to {0,1} • Suppose attacker has oracle access to H(.)ℓ
/ • Attack 2: Evaluate H(.) on = 2 + 1 distinct inputs x1,…,xq. • Store values x , (x ) in a hash tableℓ 2 + 1of size q i i 𝑞𝑞 • Requires time/space O( ) = 2 • Can we do better?𝐻𝐻 ℓ 𝑞𝑞 𝑂𝑂
45 Floyd’s Cycle Finding Algorithm • A cycle denotes a hash collision • Occurs after O 2 / steps by birthday paradoxℓ 2 • First attack phase detects cycle • Second phase identifies collision
• Analogy: Cycle detection in linked list • Can traverse “linked list” by computing H 46 Small Space Birthday Attack
• Attack 2: Select random x0, define xi = (xi−1) • Initialize: x=x0 and xʹ=x0 • Repeat for i=1,2,… 𝐻𝐻 • x:=H(x) now x = xi • xʹ:=H(H(xʹ)) now = x2i • If x=x’ then break x′ • Reset x=x0 and set xʹ=x • Repeat for j=1 to i • If H(x) = H(x’) then output x,x’
• Else x:= H(x), x’ = H(x) Now x=xj AND = xi+j
x′
47 Small Space Birthday Attack
• Attack 2: Select random x0, define xi = (xi−1) • Initialize: x=x0 and xʹ=x0 • Repeat for i=1,2,… 𝐻𝐻 Finds collision after x = / • x:=H(x) now xi O 2 steps in • xʹ:=H(H(xʹ)) now = x 2i ℓ 2 • If x=x’ then break expectation x′ • Reset x=x0 and set xʹ=x • Repeat for j=1 to i • If H(x) = H(x’) then output x,x’
• Else x:= H(x), x’ = H(x) Now x=xj AND = xi+j
x′
48 Small Space Birthday Attack
• Can be adapted to find “meaningful collisions” if we have a large message space O 2 ℓ • Example: S = with = = 2 • = Set of positive recommendation letters ℓ−1 • = Set of negative𝑆𝑆1 ∪ 𝑆𝑆 2recommendation𝑆𝑆1 𝑆𝑆letters2 𝑆𝑆1 𝑆𝑆2 • Goal: find 1 , 2 , such that H(z1) = H(z2)
1 2 • Can adapt 𝑧𝑧previous∈ 𝑆𝑆 𝑧𝑧 attack∈ 𝑆𝑆 by assigning unique binary string b x 0,1 of length to each ℓ ∈ 𝑥𝑥 ∈ 𝑆𝑆 xi = (b xi−1 )
𝐻𝐻 49 Targeted Collision Attacks
• Precomputation ( × steps, 2 memory)
= = = 𝑡𝑡 𝑠𝑠 2 𝑠𝑠 𝑠𝑠 1 𝑠𝑠𝑠𝑠2 𝑥𝑥1 𝑠𝑠𝑠𝑠𝑠𝑠 𝑥𝑥1 𝑠𝑠𝑠𝑠1 𝑥𝑥1 = = … = 2 2 𝑠𝑠 𝑠𝑠 1 … 1 2 … 1 2 … 1 𝑥𝑥2 𝐻𝐻 𝑥𝑥1 𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑥𝑥 𝐻𝐻 𝑥𝑥 … = = = 2 2 1 … 1 𝑖𝑖+1 … 𝑖𝑖 𝑠𝑠 … 𝑠𝑠 𝑥𝑥𝑖𝑖+1 𝐻𝐻 𝑥𝑥𝑖𝑖 𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑥𝑥𝑖𝑖+1 𝐻𝐻 𝑥𝑥𝑖𝑖 == = = 2 𝑠𝑠 50 11 𝑡𝑡 2 𝑡𝑡 𝑠𝑠 𝑥𝑥𝑥𝑥𝑡𝑡𝑡𝑡 𝑒𝑒𝑒𝑒𝑝𝑝𝑝𝑝11 𝑥𝑥 𝑒𝑒𝑝𝑝 𝑥𝑥 𝑒𝑒𝑝𝑝 Targeted Collision Attacks
• Precomputation ( × steps, 2 × memory) = Find collision for target = ( ) 𝑗𝑗 𝑡𝑡 𝑠𝑠 𝑠𝑠 • ℓGoal: 𝑠𝑠𝑠𝑠𝑗𝑗 𝑥𝑥1 … = … = 𝑦𝑦 𝐻𝐻 𝑥𝑥 𝑗𝑗 𝑗𝑗 2 … 1 𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑦𝑦=0 𝑦𝑦 … … = … 1 0 𝑗𝑗 … 𝑗𝑗 𝑦𝑦 = 𝐻𝐻 𝑦𝑦 𝑥𝑥𝑖𝑖+1 𝐻𝐻 𝑥𝑥𝑖𝑖 … = 𝑦𝑦𝑖𝑖 𝐻𝐻 𝑦𝑦𝑖𝑖−1 = 51 𝑗𝑗 𝑥𝑥𝑡𝑡 𝑒𝑒𝑝𝑝𝑗𝑗 𝑦𝑦𝑘𝑘 𝑒𝑒𝑒𝑒𝑗𝑗 Suppose = for some , Targeted Collision Attacks 𝒋𝒋 𝒚𝒚 𝒙𝒙𝒊𝒊 𝒊𝒊 ≤ 𝒕𝒕 𝒋𝒋 ≤ 𝒔𝒔 = = 𝒋𝒋 𝒊𝒊−𝟏𝟏 Precomputation ( × steps, 2 × memory)(takes 𝒚𝒚t steps𝑯𝑯 to𝒙𝒙𝒊𝒊 −recover𝟏𝟏 𝑯𝑯 𝒔𝒔𝒔𝒔from𝒋𝒋 ) • 𝒋𝒋 𝒙𝒙𝒊𝒊−𝟏𝟏 𝒔𝒔𝒔𝒔𝒋𝒋 = Find collision for target = ( ) 𝑗𝑗 𝑡𝑡 𝑠𝑠 𝑠𝑠 • ℓGoal: 𝑗𝑗 1 𝑠𝑠𝑠𝑠 ×𝑥𝑥 > good chance that … = = ℓfor+𝟐𝟐 some… , 𝑦𝑦 𝐻𝐻 𝑥𝑥 𝒕𝒕 𝒔𝒔 𝟐𝟐𝒋𝒋 = 𝑗𝑗 𝒚𝒚 𝑗𝑗 𝒙𝒙𝒊𝒊 𝒊𝒊 ≤ 𝒕𝒕 𝒋𝒋 ≤ 𝒔𝒔 2 … 1 𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑦𝑦=0 𝑦𝑦 … = … … 𝑦𝑦1 𝐻𝐻 𝑦𝑦0 𝑗𝑗 … Not… quite𝑗𝑗 true…chains can intersect and = 𝑥𝑥𝑖𝑖+1 may𝐻𝐻 not𝑥𝑥 represent𝑖𝑖 × distinct points … = 𝒕𝒕 𝒔𝒔 𝑦𝑦𝑖𝑖 𝐻𝐻 𝑦𝑦𝑖𝑖−1 = 52 𝑗𝑗 𝑥𝑥𝑡𝑡 𝑒𝑒𝑝𝑝𝑗𝑗 𝑦𝑦𝑘𝑘 𝑒𝑒𝑒𝑒𝑗𝑗 Intersecting Chains
• Precomputation ( × steps, 2 memory) Intersecting chains contain = = distinct points. 𝑗𝑗 𝑡𝑡 𝑠𝑠 𝑠𝑠 𝑗𝑗� ≪ 𝐬𝐬𝒕𝒕 𝑠𝑠𝑠𝑠𝑗𝑗 𝑥𝑥1 𝑠𝑠𝑠𝑠𝑗𝑗� 𝑥𝑥1 = … = 𝑗𝑗� 𝑗𝑗� 𝑗𝑗 … 𝑗𝑗 … 𝑥𝑥2 𝐻𝐻 𝑥𝑥1 𝑥𝑥2 𝐻𝐻 𝑥𝑥1 After initial intersection the = chains merge together = 𝑗𝑗� 𝑗𝑗� 𝑗𝑗 … 𝑗𝑗 𝑥𝑥𝑘𝑘 𝐻𝐻 𝑥𝑥𝑘𝑘 𝑥𝑥𝑖𝑖+1 𝐻𝐻 𝑥𝑥𝑖𝑖 = … = 𝑗𝑗 𝑗𝑗� 53 𝑥𝑥𝑡𝑡 𝑒𝑒𝑝𝑝𝑗𝑗 𝑥𝑥𝑡𝑡 𝑒𝑒𝑝𝑝𝑗𝑗� Targeted Collision Attacks
• Precomputation ( × steps, 2 memory)
= = = 𝑡𝑡 𝑠𝑠 2 𝑠𝑠 𝑠𝑠 1 𝑠𝑠𝑠𝑠2 𝑥𝑥1 𝑠𝑠𝑠𝑠𝑠𝑠 𝑥𝑥1 𝑠𝑠𝑠𝑠1 𝑥𝑥1 = = … = 2 2 𝑠𝑠 𝑠𝑠 1 … 1 2 … 1 2 … 1 𝑥𝑥2 𝐻𝐻 𝑥𝑥1 𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑥𝑥 𝐻𝐻 𝑥𝑥 … = = = 2 2 1 … 1 𝑖𝑖+1 … 𝑖𝑖 𝑠𝑠 … 𝑠𝑠 𝑥𝑥𝑖𝑖+1 𝐻𝐻 𝑥𝑥𝑖𝑖 𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑥𝑥𝑖𝑖+1 𝐻𝐻 𝑥𝑥𝑖𝑖 == = = 2 𝑠𝑠 54 11 𝑡𝑡 2 𝑡𝑡 𝑠𝑠 𝑥𝑥𝑥𝑥𝑡𝑡𝑡𝑡 𝑒𝑒𝑒𝑒𝑝𝑝𝑝𝑝11 𝑥𝑥 𝑒𝑒𝑝𝑝 𝑥𝑥 𝑒𝑒𝑝𝑝 Targeted Collision Attacks
= • Precomputation ( × steps, 2 memory) 𝑖𝑖 = 𝑖𝑖 𝐾𝐾 = = 𝐻𝐻 𝑥𝑥 𝐻𝐻 𝐹𝐹 𝑥𝑥 𝑡𝑡 𝑠𝑠 2 𝑠𝑠 𝑠𝑠 1 𝑠𝑠𝑠𝑠2 𝑥𝑥1 𝑠𝑠𝑠𝑠𝑠𝑠 𝑥𝑥1 𝑠𝑠𝑠𝑠1 𝑥𝑥1 = = … = 2 2 𝑠𝑠 𝑠𝑠 1 … 1 2 …1 1 2 …1 1 𝑥𝑥2 𝐻𝐻1 𝑥𝑥1 𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑥𝑥 𝐻𝐻 𝑥𝑥 … = = = 2 2 1 … 1 𝑖𝑖+1 … 𝑖𝑖 𝑖𝑖 𝑠𝑠 … 𝑠𝑠 𝑥𝑥𝑖𝑖+1 𝐻𝐻𝑖𝑖 𝑥𝑥𝑖𝑖 𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑥𝑥𝑖𝑖+1 𝐻𝐻𝑖𝑖 𝑥𝑥𝑖𝑖 == = = 2 𝑠𝑠 55 11 𝑡𝑡 2 𝑡𝑡 𝑠𝑠 𝑥𝑥𝑥𝑥𝑡𝑡𝑡𝑡 𝑒𝑒𝑒𝑒𝑝𝑝𝑝𝑝11 𝑥𝑥 𝑒𝑒𝑝𝑝 𝑥𝑥 𝑒𝑒𝑝𝑝 Targeted Collision Attacks
= • Precomputation ( × steps, 2 memory) 𝑖𝑖 = 𝑖𝑖 𝐾𝐾 = = 𝐻𝐻 𝑥𝑥 𝐻𝐻 𝐹𝐹 𝑥𝑥 𝑡𝑡 𝑠𝑠 2 𝑠𝑠 𝑠𝑠 1 𝑠𝑠𝑠𝑠2 𝑥𝑥1 𝑠𝑠𝑠𝑠𝑠𝑠 𝑥𝑥1 𝑠𝑠𝑠𝑠1 𝑥𝑥1 = Ensures= Chains Contain:… =distinct points 2 2 𝑠𝑠 𝑠𝑠 1 1 …1 1 2 …1 1 2 …1 1 𝑥𝑥2 𝐻𝐻 𝑥𝑥 𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑥𝑥 𝐻𝐻 𝑥𝑥 Ω 𝑠𝑠𝑠𝑠 = … = 𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜 𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏 𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐𝑐�= 2 2 1 … 1 𝑖𝑖+Untangling1 … 𝑖𝑖 𝑖𝑖 Chains: If =𝑠𝑠 with… 𝑠𝑠 𝑖𝑖+1 𝑖𝑖 𝑖𝑖 𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑥𝑥𝑖𝑖+1 𝐻𝐻𝑖𝑖 𝑥𝑥𝑖𝑖 𝑥𝑥 𝐻𝐻 𝑥𝑥 then (whp) 1 2 == = 𝑥𝑥𝑖𝑖 𝑥𝑥𝑗𝑗 = 𝑖𝑖 ≠ 𝑗𝑗 1 2 56 2 𝑠𝑠 11 𝑡𝑡 2 𝐻𝐻𝑖𝑖 𝑥𝑥𝑖𝑖 ≠ 𝐻𝐻𝑡𝑡 𝑗𝑗 𝑥𝑥𝑗𝑗 𝑠𝑠 𝑥𝑥𝑥𝑥𝑡𝑡𝑡𝑡 𝑒𝑒𝑒𝑒𝑝𝑝𝑝𝑝11 𝑥𝑥 𝑒𝑒𝑝𝑝 𝑥𝑥 𝑒𝑒𝑝𝑝 Suppose = for some , Targeted Collision Attacks 𝒋𝒋 𝒚𝒚 𝒙𝒙𝒊𝒊 𝒊𝒊 ≤ 𝒕𝒕 𝒋𝒋 ≤ 𝒔𝒔 = 𝒋𝒋 • Precomputation ( × steps, 2 × memory)(takes t 𝒚𝒚steps𝑯𝑯 to𝒊𝒊− 𝟏𝟏recover𝐹𝐹𝐾𝐾𝑖𝑖−1 𝒙𝒙𝒊𝒊−𝟏𝟏from ) 𝒋𝒋 𝒙𝒙𝒊𝒊−𝟏𝟏 𝒔𝒔𝒔𝒔𝒋𝒋 = Find collision for target = ( ) 𝑗𝑗 𝑡𝑡 𝑠𝑠 𝑠𝑠 • ℓGoal: 𝑠𝑠𝑠𝑠𝑗𝑗 𝑥𝑥×1 > good chance that = ℓfor+𝟐𝟐 some , 𝑦𝑦 𝐻𝐻 𝑥𝑥 … = 𝒕𝒕 𝒔𝒔 𝟐𝟐𝒋𝒋 … = 𝑗𝑗 𝒚𝒚 𝑗𝑗 𝒙𝒙𝒊𝒊 𝒊𝒊 ≤ 𝒕𝒕 𝒋𝒋 ≤ 𝒔𝒔 2 …1 1 𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑦𝑦=0 𝑦𝑦 … : … = for any … , 𝑭𝑭𝑭𝑭𝑭𝑭𝑭𝑭𝑭𝑭 𝑷𝑷𝑷𝑷𝑷𝑷𝑷𝑷𝑷𝑷𝑷𝑷𝑷𝑷𝑷𝑷 1 1 0 𝑗𝑗 … (expect𝑗𝑗𝒋𝒋 about / ) 𝑦𝑦 𝐻𝐻 𝑦𝑦 𝒚𝒚 ≠ 𝒙𝒙𝒊𝒊 𝒊𝒊 ≤ 𝒕𝒕 𝒋𝒋 ≤ 𝒔𝒔 = 𝑥𝑥𝑖𝑖+1 𝐻𝐻𝑖𝑖−1 𝑥𝑥𝑖𝑖 𝟐𝟐 ℓ 𝑶𝑶 𝒔𝒔𝒕𝒕 /𝟐𝟐 … Running Time: 𝑖𝑖 𝑖𝑖−1 𝑖𝑖−1 = 𝟑𝟑 ℓ 𝑦𝑦 𝐻𝐻 𝑦𝑦 = 57 𝑗𝑗 𝑶𝑶 𝒔𝒔𝒕𝒕 𝟐𝟐 𝑥𝑥𝑡𝑡 𝑒𝑒𝑝𝑝𝑗𝑗 𝑦𝑦𝑘𝑘 𝑒𝑒𝑒𝑒𝑗𝑗 Targeted Collision Attacks
• Precomputation ( × steps, 2 × memory) = Find collision for target = ( ) 𝑗𝑗 𝑡𝑡 𝑠𝑠 𝑠𝑠 • ℓGoal: 𝑠𝑠𝑠𝑠𝑗𝑗 𝑥𝑥1 … ==2 = 2… = 𝑦𝑦 𝐻𝐻 𝑥𝑥 Set 2ℓ , ℓ 𝑗𝑗 +1𝑗𝑗 +1 Precomputation:2 …31 1 3 0 𝑥𝑥 𝐻𝐻 𝑥𝑥 Amortized𝑦𝑦= 𝑦𝑦 cost to find … 𝑠𝑠 𝑡𝑡 ℓ = 2 × … Space: 2ℓ … 21 targeted1 0 collisions 𝑗𝑗 … 𝑗𝑗 𝐎𝐎 𝟐𝟐 𝑦𝑦 ℓ 𝐻𝐻 𝑦𝑦 3 = Collision𝑥𝑥𝑖𝑖+1 Search:𝐻𝐻𝑖𝑖−1 𝑥𝑥𝑖𝑖 2 3 … 𝐎𝐎 ℓ 𝟐𝟐ℓ = 𝑦𝑦𝑖𝑖 𝐻𝐻𝑖𝑖−1 𝑦𝑦𝑖𝑖−1 𝟑𝟑 = 58 𝑗𝑗 𝑥𝑥𝑡𝑡 𝑒𝑒𝑝𝑝𝑗𝑗 𝑶𝑶 𝑦𝑦𝑘𝑘 𝑒𝑒𝑒𝑒𝑗𝑗 Applications
• Key-Recovery Attacks on Block Cipher : × 0,1 0,1 • Pre-Computation: 𝑛𝑛 𝑛𝑛 2 s = 2 • Crack 𝑛𝑛 secret keys in total time 𝐸𝐸with𝒦𝒦 space → 2𝑛𝑛 • Run prior𝟑𝟑 attack with𝑂𝑂 “hash𝒦𝒦 function” H: 0,1 0,1 𝟑𝟑 • H = for some random (fixed)𝑶𝑶 𝒦𝒦 0,1𝑛𝑛 𝑛𝑛 𝑶𝑶 𝑛𝑛→ • Password𝐾𝐾 Cracking𝐸𝐸𝐾𝐾 𝑟𝑟 𝑟𝑟 ∈ • Attacker is given ,…, for passwords , … , with
• Goal: Recover passwords𝐻𝐻� 𝑥𝑥1 𝐻𝐻, …� 𝑥𝑥,𝑘𝑘 𝑥𝑥1 𝑥𝑥𝑘𝑘 ∈ 𝒫𝒫𝒫𝒫𝒫𝒫𝒫𝒫 • Can𝒫𝒫𝒫𝒫𝒫𝒫𝒫𝒫 crack ≪all 𝒦𝒦= / passwords in total time with space s = / 1 𝑘𝑘 𝑥𝑥1 3 𝑥𝑥 • Domain Challenge:2𝑘𝑘3 𝒫𝒫𝒫𝒫𝒫𝒫𝒫𝒫 H : 0,1 with 𝑶𝑶 𝒫𝒫𝒫𝒫𝒫𝒫𝒫𝒫2 𝑶𝑶• 𝒫𝒫𝒫𝒫𝒫𝒫𝒫𝒫Define (pseudo)random′ mapping : 0,1 𝑛𝑛 𝑛𝑛 • Run prior attack with “hash𝒫𝒫𝒫𝒫𝒫𝒫𝒫𝒫 function”→ H: 𝑛𝑛 𝒫𝒫𝒫𝒫𝒫𝒫𝒫𝒫as≪ H = H 𝜇𝜇 → 𝒫𝒫𝒫𝒫𝒫𝒫𝒫𝒫 ′ 𝒫𝒫𝒫𝒫𝒫𝒫𝒫𝒫 → 𝒫𝒫𝒫𝒫𝒫𝒫𝒫𝒫 𝑥𝑥 𝜇𝜇 𝑥𝑥 59 Week 5: Topic 3: Random Oracle Model + Hashing Applications
60 (Recap) Collision-Resistant Hash Function
Intuition: Hard for computationally bounded attacker to find x,y s.t. H(x) = H(y)
How to formalize this intuition? • Attempt 1: For all PPT A, Pr , 1 = , . = ( ) ( ) 𝑛𝑛 𝑥𝑥 𝑦𝑦 • The Problem: 𝐴𝐴Let x,y be given𝑥𝑥 𝑦𝑦s.t.𝑠𝑠 H(x)=H(y)𝑡𝑡 𝐻𝐻 𝑥𝑥 𝐻𝐻 𝑦𝑦 ≤ 𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛 𝑛𝑛 , 1 = ( , ) 𝑛𝑛 • We are assuming that |x| > |H(x)|.𝑥𝑥 𝑦𝑦 Why? • H(x)=x is perfectly collision resistant!𝐴𝐴 (but with𝑥𝑥 no𝑦𝑦 compression)
61 (Recap) Keyed Hash Function Syntax
• Two Algorithms • Gen(1 ; ) (Key-generation algorithm) • Input:𝑛𝑛 Random Bits R • Output:𝑅𝑅 Secret key s • ( ) (Hashing Algorithm) •𝑠𝑠 Input: key and message m 0,1 (unbounded length) 𝐻𝐻• Output:𝑚𝑚 hash value ( ) 0,1 ∗ 𝑠𝑠 ∈ 𝑠𝑠 ℓ 𝑛𝑛 𝐻𝐻 𝑚𝑚 ∈ • Fixed length hash function 0,1 > • ′ with ℓ 𝑛𝑛 ′ 𝑚𝑚 ∈ ℓ 𝑛𝑛 ℓ 𝑛𝑛 62 When Collision Resistance Isn’t Enough
• Example: Message Commitment • Alice sends Bob: Hs (e.g., predicted winner of NCAA Tournament) • Alice can later reveal message (e.g., after the tournament is over) • Just send r and m (note:𝑟𝑟 ∥ 𝑚𝑚 r has fixed length) • Why can Alice not change her message? • In the meantime Bob shouldn’t learn anything about m
• Problem: Let (Gen,H’) be collision resistant then so is (Gen,H)
1, … , = 1, … , 𝑠𝑠 ′𝑠𝑠 𝑑𝑑 𝐻𝐻 𝑥𝑥 𝑥𝑥𝑥𝑥 𝐻𝐻 𝑥𝑥 𝑥𝑥𝑥𝑥 ∥ 𝑥𝑥 63 When Collision Resistance Isn’t Enough
• Problem: Let (Gen,H’) be collision resistant then so is (Gen,H)
1, … , = 1, … , 𝑠𝑠 ′𝑠𝑠 𝐻𝐻 𝑥𝑥 𝑥𝑥𝑑𝑑 𝐻𝐻 𝑥𝑥 𝑥𝑥𝑑𝑑 ∥ 𝑥𝑥𝑑𝑑 • (Gen,H) definitely does not hide all information about input ( 1, … , )
𝑥𝑥 𝑥𝑥𝑑𝑑 • Conclusion: Collision resistance is not sufficient for message commitment
64 The Tension • Example: Message Commitment • Alice sends Bob: Hs (e.g., predicted winners of NCAA Final Four) • Alice can later reveal message (e.g., after the Final Four is decided) • In the meantime Bob𝑟𝑟 shouldn’t∥ 𝑚𝑚 learn anything about m
This is still a reasonable approach in practice!
• No attacks when instantiated with any reasonable candidate (e.g., SHA3) • Cryptographic hash functions seem to provide “something” beyond collision resistance, but how do we model this capability?
65 Random Oracle Model
• Model hash function H as a truly random function • Algorithms can only interact with H as an oracle • Query: x • Response: H(x) • If we submit the same query you see the same response • If x has not been queried, then the value of H(x) is uniform
• Real World: H instantiated as cryptographic hash function (e.g., SHA3) of fixed length (no Merkle-Damgård)
66 Back to Message Commitment
• Example: Message Commitment • Alice sends Bob: H (e.g., predicted winners of NCAA Final Four) • Alice can later reveal message (e.g., after the Final Four is decided) • Just send r and m (note:𝑟𝑟 ∥ 𝑚𝑚 r has fixed length) • Why can Alice not change her message? • In the meantime Bob shouldn’t learn anything about m
• Random Oracle Model: Above message commitment scheme is secure (Alice cannot change m + Bob learns nothing about m) • Information Theoretic Guarantee against any attacker with q queries to H
67 Random Oracle Model: Pros
• It is easier to prove security in Random Oracle Model
• Suppose we are simulating attacker A in a reduction • Extractability: When A queries H at x we see this query and learn x (and can easily find H(x)) • Programmability: We can set the value of H(x) to a value of our choice • As long as the value is correctly distribute i.e., close to uniform • Both Extractability and Programmability are useful tools for a security reduction!
68 Random Oracle Model: Pros
• It is easier to prove security in Random Oracle Model
• Provably secure constructions in random oracle model are often much more efficient (compared to provably secure construction is “standard model”
• Sometimes we only know how to design provably secure protocol in random oracle model
69 Random Oracle Model: Cons
• Lack of formal justification • Why should security guarantees translate when we instantiate random oracle with a real cryptographic hash function?
• We can construct (contrived) examples of protocols which are • Secure in random oracle model… • But broken in the real world
70 Random Oracle Model: Justification
“A proof of security in the random-oracle model is significantly better than no proof at all.”
• Evidence of sound design (any weakness involves the hash function used to instantiate the random oracle) • Empirical Evidence for Security “there have been no successful real-world attacks on schemes proven secure in the random oracle model”
71 Hash Function Application: Fingerprinting
• The hash h(x) of a file x is a unique identifier for the file • Collision Resistance No need to worry about another file y with H(y)=H(y)
• Application 1: Virus Fingerprinting
• Application 2: P2P File Sharing
• Application 3: Data deduplication
72 Tamper Resistant Storage
m1
H(m1) m1’
73 Tamper Resistant Storage File Index Hash
1 H(m1) Disadvantage: Too many hashes to store 2 H(m2)
3 H(m3)
m1,m2,m3 Send file 1
m1’
74 Tamper Resistant Storage Disadvantage: Need all files to compute hash
m1,m2,m3
H(m1,m2,m3)
m1,m2,m3 Send file 1
m1’
75 Merkle Trees
• Proof of Correctness for data block 2
• Verify that root matches • Proof consists of just log(n) hashes • Verifier only needs to permanently store only one hash value
76 Merkle Trees
Theorem: Let (Gen, hs) be a collision resistant hash function and let Hs(m) return the root hash in a Merkle Tree. Then Hs is collision resistant.
77 Tamper Resistant Storage
Root: H1-4
m1,m2,m3,m4 Send file 2
m2’,h 1,h3-4
78 Commitment Schemes
• Alice wants to commit a message m to Bob • And possibly reveal it later at a time of her choosing • Properties • Hiding: commitment reveals nothing about m to Bob • Binding: it is infeasible for Alice to alter message
79 Commitment Hiding (Hiding , ( ))
m0,m1 commit(r,mb)𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶 b’ 𝑛𝑛
1 if = Hiding , ( )= 0 ′ 𝑏𝑏 𝑏𝑏 𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶 𝑛𝑛 � 𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜�𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜 r = Gen(.) Bit b (negligible) s. t 1 Pr Hiding , = 1 + ( ) ∀𝑃𝑃𝑃𝑃𝑃𝑃 𝐴𝐴 ∃𝜇𝜇 2 80 𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶 𝑛𝑛 ≤ 𝜇𝜇 𝑛𝑛 Commitment Binding (Binding , ( ))
r0,r1,m0,m1 𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶 𝑛𝑛
1 if Binding ( )= commit(r0,m0)= commit(r1,m1) , 0 𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶 𝑛𝑛 � 𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜�𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜
(negligible) s. t Pr Binding , = 1 ( ) ∀𝑃𝑃𝑃𝑃𝑃𝑃 𝐴𝐴 ∃𝜇𝜇 81 𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶 𝑛𝑛 ≤ 𝜇𝜇 𝑛𝑛 Secure Commitment Scheme
• Definition: A secure commitment scheme is hiding and binding • Hiding (negligible) s. t 1 Pr Hiding = 1 + ( ) ∀𝑃𝑃𝑃𝑃𝑃𝑃 𝐴𝐴, ∃𝜇𝜇 2 • Binding 𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶 𝑛𝑛 ≤ 𝜇𝜇 𝑛𝑛 (negligible) s. t Pr Binding , = 1 ( ) ∀𝑃𝑃𝑃𝑃𝑃𝑃 𝐴𝐴 ∃𝜇𝜇 𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶 𝑛𝑛 ≤ 𝜇𝜇 𝑛𝑛 82 Commitment Scheme in Random Oracle Model • Commit(r,m):=H(m|r)
• Reveal(c):= (m,r)
Theorem: In the random oracle model this is a secure commitment scheme.
83 Commitment Hiding (Hiding , ( ))
m0,m1 H(r,mb) 𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶 b’ 𝑛𝑛
1 = Hiding , ( )= 0 ′ 𝑖𝑖𝑖𝑖𝑖𝑖 𝑏𝑏 𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶 𝑛𝑛 � 𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜�𝑜𝑜𝑜𝑜𝑜𝑜𝑜𝑜 r = Gen(.) Bit b 1 ( ) ∀𝑃𝑃𝑃𝑃𝑃𝑃Pr Hiding𝐴𝐴 𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑚, 𝑎𝑎𝑎𝑎 𝑚𝑚=𝑚𝑚𝑚𝑚𝑚𝑚1 𝑞𝑞 𝑛𝑛 +𝑞𝑞𝑞𝑞𝑞𝑞𝑞𝑞𝑞𝑞𝑞𝑞𝑞𝑞 2 2 84 𝑞𝑞 𝑛𝑛 𝐴𝐴 𝐶𝐶𝐶𝐶𝐶𝐶 𝑛𝑛 ≤ 𝑟𝑟 Other Applications
• Password Hashing
• Key Derivation
85 Next Week
• Stream Ciphers • Block Ciphers • Feistel Networks • DES, 3DES • Read Katz and Lindell 6.1-6.2
86