HASH FUNCTIONS Daniele Micciancio UCSD 1 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3, ... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant data compression, but they have many other purposes and properties as well. A good hash function is often treated like a magic wand ... Daniele Micciancio UCSD 2 Collision resistance (CR) n Definition: A collision for a function h : D ! f0; 1g is a pair x1; x2 2 D of points such that h(x1) = h(x2) but x1 6= x2. If jDj > 2n then the pigeonhole principle tells us that there must exist a collision for h. Daniele Micciancio UCSD 3 Collision resistance (CR) n Definition: A collision for a function h : D ! f0; 1g is a pair x1; x2 2 D of points such that h(x1) = h(x2) but x1 6= x2. If jDj > 2n then the pigeonhole principle tells us that there must exist a collision for h. Daniele Micciancio UCSD 4 Collision resistance (CR) n Definition: A collision for a function h : D ! f0; 1g is a pair x1; x2 2 D of points such that h(x1) = h(x2) but x1 6= x2. If jDj > 2n then the pigeonhole principle tells us that there must exist a collision for h. We want that even though collisions exist, they are hard to find. Daniele Micciancio UCSD 5 Collision-resistance of a function family The formalism considers a family H : Keys(H) × D ! R of functions, meaning for each K 2 Keys(H) we have a map HK : D ! R defined by HK (x) = H(K; x). Game CRH procedure Finalize(x1; x2) procedure Initialize If (x1 = x2) then return false K $ Keys(H) If (x1 62 D or x2 62 D) then return false Return K Return (HK (x1) = HK (x2)) Let cr h A i AdvH (A) = Pr CRH ) true : Daniele Micciancio UCSD 6 Collision-resistance Game CRH procedure Finalize(x1; x2) procedure Initialize If (x1 = x2) then return false K $ Keys(H) If (x1 62 D or x2 62 D) then return false Return K Return (HK (x1) = HK (x2)) The Return statement in Initialize means that the adversary A gets K as input. The key K here is not secret! Adversary A takes K and tries to output a collision x1; x2 for HK . A's output is the input to Finalize, and the game returns true if the collision is valid. Daniele Micciancio UCSD 7 Idea: Pick x1 = x1[1]x1[2] and x2 = x2[1]x2[2] so that EK (x1[1]) ⊕ x1[2] = EK (x2[1]) ⊕ x2[2] Example Let E: f0; 1gk × f0; 1gn ! f0; 1gn be a blockcipher. Let H: f0; 1gk × f0; 1g2n ! f0; 1gn be defined by Alg H(K; x[1]x[2]) y EK (EK (x[1]) ⊕ x[2]); Return y Let's show that H is not collision-resistant by giving an efficient adversary cr A such that AdvH (A) = 1. Daniele Micciancio UCSD 8 Example Let E: f0; 1gk × f0; 1gn ! f0; 1gn be a blockcipher. Let H: f0; 1gk × f0; 1g2n ! f0; 1gn be defined by Alg H(K; x[1]x[2]) y EK (EK (x[1]) ⊕ x[2]); Return y Let's show that H is not collision-resistant by giving an efficient adversary cr A such that AdvH (A) = 1. Idea: Pick x1 = x1[1]x1[2] and x2 = x2[1]x2[2] so that EK (x1[1]) ⊕ x1[2] = EK (x2[1]) ⊕ x2[2] Daniele Micciancio UCSD 9 Example Alg H(K; x[1]x[2]) y EK (EK (x[1]) ⊕ x[2]); Return y Idea: Pick x1 = x1[1]x1[2] and x2 = x2[1]x2[2] so that EK (x1[1]) ⊕ x1[2] = EK (x2[1]) ⊕ x2[2] adversary A(K) n n n −1 x1 0 1 ; x2[2] 0 ; x2[1] EK (EK (x1[1]) ⊕ x1[2] ⊕ x2[2]) return x1; x2 cr Then AdvH (A) = 1 and A is efficient, so H is not CR. Note how we used the fact that A knows K and the fact that E is a blockcipher! Daniele Micciancio UCSD 10 Exercise Let E: f0; 1gk × f0; 1gl ! f0; 1gl be a blockcipher. Let D be the set of all strings whose length is a positive multiple of l. Define the hash function H: f0; 1gk × D ! f0; 1gl as follows: Alg H(K; M) M[1]M[2] ::: M[n] M C[0] 0l For i = 1;:::; n do B[i] E(K; C[i − 1] ⊕ M[i]); C[i] E(K; B[i] ⊕ M[i]) Return C[n] Show that H is not CR by giving an efficient adversary A such that cr AdvH (A) = 1. Daniele Micciancio UCSD 11 Keyless hash functions We say that H: Keys(H) × D ! R is keyless if Keys(H) = f"g consists of just one key, the empty string. In this case we write H(x) in place of H("; x) or H"(x). Practical hash functions like MD5, SHA1, SHA256, SHA512, SHA3, ... are keyless. Daniele Micciancio UCSD 12 SHA1 Alg SHA1(M) // jMj < 264 V SHF1( 5A827999 k 6ED9EBA1 k 8F1BBCDC k CA62C1D6 ; M ) return V Alg SHF1(K; M) // jKj = 128 and jMj < 264 y shapad(M) Parse y as M1 k M2 k · · · k Mn where jMi j = 512 (1 ≤ i ≤ n) V 67452301 k EFCDAB89 k 98BADCFE k 10325476 k C3D2E1F0 for i = 1;:::; n do V shf1(K; Mi k V ) return V Alg shapad(M) // jMj < 264 d (447 − jMj) mod 512 Let ` be the 64-bit binary representation of jMj y M k 1 k 0d k ` // jyj is a multiple of 512 return y Daniele Micciancio UCSD 13 shf1 Alg shf1(K; B k V ) // jKj = 128, jBj = 512 and jV j = 160 Parse B as W0 k W1 k · · · k W15 where jWi j = 32 (0 ≤ i ≤ 15) Parse V as V0 k V1 k · · · k V4 where jVi j = 32 (0 ≤ i ≤ 4) Parse K as K0 k K1 k K2 k K3 where jKi j = 32 (0 ≤ i ≤ 3) 1 for t = 16 to 79 do Wt ROTL (Wt−3 ⊕ Wt−8 ⊕ Wt−14 ⊕ Wt−16) A V0 ; B V1 ; C V2 ; D V3 ; E V4 for t = 0 to 19 do Lt K0 ; Lt+20 K1 ; Lt+40 K2 ; Lt+60 K3 for t = 0 to 79 do if (0 ≤ t ≤ 19) then f (B ^ C) _ ((:B) ^ D) if (20 ≤ t ≤ 39 OR 60 ≤ t ≤ 79) then f B ⊕ C ⊕ D if (40 ≤ t ≤ 59) then f (B ^ C) _ (B ^ D) _ (C ^ D) 5 temp ROTL (A) + f + E + Wt + Lt E D ; D C ; C ROTL30(B); B A ; A temp V0 V0 +A ; V1 V1 +B ; V2 V2 +C ; V3 V3 +D ; V4 V4 +E V V0 k V1 k V2 k V3 k V4; return V Daniele Micciancio UCSD 14 SHA1 calculator http://www.sha1-online.com/ Daniele Micciancio UCSD 15 Applications of hash functions The killer-app is hashing before digitally signing, but we'll discuss a few others: • primitive in cryptographic schemes • tool for security applications • tool for non-security applications Daniele Micciancio UCSD 16 Password verification • Client A has a password PW that is also held by server B • A authenticates itself by sending PW to B over a secure channel (TLS) APW PW - BPW Problem: The password will be found by an attacker who compromises the server. Daniele Micciancio UCSD 17 Password verification • Client A has a password PW and server stores PW = H(PW ). • A sends PW to B (over a secure channel) and B checks that H(PW ) = PW APW PW - BPW Server compromise results in attacker getting PW which should not reveal PW as long as H is one-way, which we will see is a consequence of collision-resistance. But we will revisit this when we consider dictionary attacks! Daniele Micciancio UCSD 18 File comparision • A has a large file FA and B has a large file FB . For example, music collections. • They want to know whether FA = FB • A sends FA to B and B checks whether FA = FB AFA FA - BFB Problem: Transmission could be slow. Daniele Micciancio UCSD 19 Compare-by-hash • A has a large file FA and B has a large file FB and they want to know whether FA = FB • A computes hA = H(FA) and sends it to B, and B checks whether hA = H(FB ). AFA hA - BFB Collision-resistance of H guarantees that B does not accept if FA 6= FB ! Daniele Micciancio UCSD 20 Virus protection An executable may be available at lots of sites S1; S2;:::; SN . Which one can you trust? • Provide a safe way to get the hash h = H(X ) of the correct executable X . • Download an executable from anywhere, and check hash. Daniele Micciancio UCSD 21 Birthday attacks Let H : f0; 1gk × D ! f0; 1gn be a family of functions with jDj > 2n. The q-trial birthday attack finds a collision with probability about q2 : 2n+1 p So a collision can be found in about q = 2n+1 ≈ 2n=2 trials. Daniele Micciancio UCSD 22 Recall Birthday Problem $ n for i = 1;:::; q do yi f0; 1g if 9i; j (i 6= j and yi = yj ) then COLL true Pr [COLL] = C(2n; q) q2 ≈ 2n+1 Daniele Micciancio UCSD 23 Birthday attack Let H : f0; 1gk × D ! f0; 1gn. adversary A(K) $ for i = 1;:::; q do xi D ; yi HK (xi ) if 9i; j (i 6= j and yi = yj and xi 6= xj ) then return xi ; xj else return FAIL Daniele Micciancio UCSD 24 Analysis of birthday attack Let H : f0; 1gk × D ! f0; 1gn.