Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 11 Cryptographic Hash Functions Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝陽科技大學資工系 Speaker: Fuw-Yi Yang 楊伏夷 伏夷非征番, 道德經 察政章(Chapter 58) 伏者潛藏也 道紀章(Chapter 14) 道無形象, 視之不可見者曰夷 Fuw-Yi Yang

Contents Hash Functions and Compression Functions Birthday Attack Compression Functions from Encryption Functions Hash Functions from Compression Functions SHA-1 Other Hash Functions An Arithmetic Compression Function Message Authentication Codes Fuw-Yi Yang

11.1 Hash functions and compression functions By a hash function, me mean a map h: *n, n  N. Thus hash functions map arbitrarily long strings to strings of fixed length. They are never injective. See next page Example 11.1.1 The map that sends b1…bk in {0, 1}* to b1…  bk is a hash function. Fuw-Yi Yang

11.1 Hash functions and compression functions A map f: XY is called injective if f(x) = f(y) implies x = y for all x, y  X, surjective if for any y  Y there is x  X with f(x) = y, bijective if it is injective and surjective. A bijective map is also called a bijection. If there is a bijection between two finite sets, then the sets have the same number of elements. Fuw-Yi Yang

11.1 Hash functions and compression functions Hash functions can be generated using compression functions. A compression function is a map h: mn, n, m  N, m > n. It maps strings of fixed length to strings of shorter length. Example 11.1.2 The map that sends b1…bm in {0, 1}m to b1…  bm is a compression function if m > 1. Fuw-Yi Yang

11.1 Hash functions and compression functions Cryptographic hash and compression functions must have properties that guarantee their security. We now describe these properties informally. Let h: *n be a hash function or h: mn a compression function. We denote the set * or m of arguments of h by D. If h is used in cryptography, then h(x) must be easy to compute for all xD. The function h is called a one-way function if it is infeasible to invert h; that is, to compute an inverse image x such that h(x) = s for a given image s. Fuw-Yi Yang

11.1 Hash functions and compression functions A collision of h is a pair (x, x) D2 for which x  x and h(x) = h(x). There are collisions of all hash functions and compression functions because they are not injective. The function h(x) is called weak collision resistant if it is infeasible to compute a collision (x, x) for a given xD. The function h(x) is called (strong) collision resistant if it is infeasible to compute any collision (x, x) of h. Fuw-Yi Yang

11.2 Birthday Attack We describe a simple attack on hash functions h: *n called the birthday attack. It attacks the strong collision resistance of h. The attack is based on the birthday paradox. See next two pages Fuw-Yi Yang

11.2 Birthday Attack Birthday paradox Birthday paradox: Suppose a group of people are in a room. What is the probability that two of them have the same birthday? Suppose there are n birthdays and that there are k people in the room. An elementary event is a tuple (b1, …, bk)  {1, 2, …, n}k. The birthday of the ith person is bi, 1  i  k, so we have nk elementary events. We assume that those elementary events are equally probable. Then the probability of an elementary events is 1/ nk. Let p be the probability that two people in the room have the same birthday. Then with probability q = 1 - p any two people have different birthdays. Next page Fuw-Yi Yang

11.2 Birthday Attack Birthday paradox Let E be the set of all vectors (g1, …, gk)  {1, 2, …, n}k whose entries are pairwise different. Then E models the Birthday paradox. Let |E| denote the number of element in E. Then |E| = (n - 0) (n - 1) … (n - (k - 1)) = and q = (n - 0) (n - 1) … (n - (k - 1)) / nk = = . Since 1 + x  ex holds for all real numbers, therefore (e-x = 1-x+x2/2!-x3/3!+…) q  = = e-k(k-1)/2n. If k  (1 + (1 + 8n ln 2)0.5) / 2, then q  0.5. see next page Fuw-Yi Yang

11.2 Birthday Attack Birthday paradox Assume that q = 0.5, then we have q = 0.5  e-k(k-1)/2n  ln (2-1) = ln e-k(k-1)/2n  ln 2 = k(k-1)/2n  k(k-1) = 2n ln 2 (ln 2 = 0.693)  k2 - k - 2n ln 2 = 0  k = [1 + (1 + 8n ln 2)0.5)] / 2 Or if k >> 1, k(k-1)  k2 = 2n ln 2 = 1.386 n k = (1.386 n)1/2 = 1.18 (n)1/2 Fuw-Yi Yang

11.2 Birthday Attack We describe a simple attack on hash functions h: *n (hence the result consists of ||n possible strings) called the birthday attack. It attacks the strong collision resistance of h. The attack is based on the birthday paradox. Assume that  is an alphabet. Then strings from * can be chosen such that the distribution on the corresponding hash values is the uniform distribution. If k strings in x  * are chosen, where k  (1 + (1 + 8 ||n ln 2)0.5) / 2, then the probability of two hash values being equal exceeds 0.5. Fuw-Yi Yang

11.2 Birthday Attack Assume  = {0,1}, then k  (1 + (1 + 8 * 2n * ln 2)0.5) / 2 is sufficient to find two strings having the same hash value with probability greater than 0.5. By the table below, if we compute a little more than 2n/2 hash values, then the birthday attack will succeed with probability > 0.5. Today, n  128 or even n  160 is required to prevent the birthday attack. n (bit length of the hash values) 50 100 150 200 log2 k  n/2 (k  2n/2 ) 25.24 50.24 75.24 100.24 Fuw-Yi Yang

11.3 Compression Functions from Encryption Functions It is unknown whether collision resistant hash functions exists. It is also not known whether secure and efficient encryption schemes exist. It is, however, possible to construct a hash function that appears to be collision resistant as long as the encryption scheme is secure. We will describe this now. We use a cryptosystem with plaintext space, ciphertext space, and key space {0, 1}n. The encryption functions are ek: {0,1}n  {0,1}n, k  {0,1}n. The hash values have length n. To prevent the birthday attack, we choose n  128. Fuw-Yi Yang

11.3 Compression Functions from Encryption Functions Construct compression functions from encryption functions: The hash function h: {0,1}n  {0,1}n  {0,1}n can be defined as follows: h(k, x) = ek(x)  x h(k, x) = ek(x)  x  k h(k, x) = ek(x  k)  x h(k, x) = ek(x  k)  x  k As long as the cryptosystem is secure, those hash functions appear to be collision resistant. Unfortunately, no proof for this statement is known. Fuw-Yi Yang

11.4 Hash Functions from Compression Functions Iterated Hash Functions (Stinson p126) Compression functions: compress:{0,1}m+t  {0, 1)m, Input x is a bitstring, |x| > m + t, Construct a bitstring y, such that |y| = 0 mod t, (may be y = x || pad(x)) y = y1||y2||…||yr, |yi| = t for i = 1,2,…,r Let IV be a public initial value, |IV| = m, z0  IV, z1  compress (z0 || y1),… zr  compress (zr-1 || yr). Let g:{0,1}m  {0, 1)l be a public function, h(x) = g(zr). The iterated hash function constructed above is: h:∪{0,1}i {0, 1)l . i = m+t+1~∞ Fuw-Yi Yang

11.4 Hash Functions from Compression Functions Collision resistant compression functions can be used to construct collision resistant hash functions. This was shown by R. Merkle, and we now describe this idea. Let g: {0,1}m  {0,1}n, be a compression function and let r = m - n. Since g is a compression function, we have r > 0. A typical choice for n and r is n = 128 and r = 512. From g, we want to construct a hash function h: {0,1}*  {0,1}n. Let x  {0,1}*. We explain the computation of h(x) in the case r > 1. Fuw-Yi Yang

11.4 Hash Functions from Compression Functions We explain the computation of h(x) in the case r > 1. Example 11.4.1 Let r = 4, x = 111011. 1. y = 00 111011 111011  0011 1011 (add some leading 0s to x such that y = vr = 8) 2. z = 0011 1011 0000 0011 1011  0011 1011 0000 (append r zeros to y) 3. |x| = 6, u = 110B, |u| = 3, v = 110B (Append some zeros to u such that (r-1) divides |u|) 4. w = 1110B (in front of v and in front of each (r-1)jth, j = 1, 2,3 …, symbol of v, we insert a one.) 5. Append w to z, now x = 0011 1011 0000 1110, x = x1 x2… xt , xi  {0,1}r, 1  i  t. Fuw-Yi Yang

11.4 Hash Functions from Compression Functions We explain the computation of h(x) in the case r > 1. Now x is in the form, x = x1 x2… xt , xi  {0,1}r, 1  i  t. The hash value h(x) is computed iteratively. We set H0 = 0n. Then we determine Hi = g(Hi-1 || xi), 1  i  t. Finally, we set h(x) = Ht. It is shown that h is a collision resistant if g is collision resistant. ProofOmitted Fuw-Yi Yang

11.5 SHA-1 Stinson p134~135 Algorithm 4.8 SHA-1-PAD(x) Comment: |x| ≦264 – 1 d  (447 - |x| ) mod 512 l  the binary representation of |x| , where |l| = 64 y  x || 1 || 0d || l // y = M1 || M2 || …|| Mn // |Mi| = 512 for i = 1, 2, …, n // Mi = W0 || W1 || …||W15 // |Wi| = 32 for i = 0, 1, …, 15 // fi (B, C, D) = formula, ref to textbook, for i = 0, 2, …, 79 // Ki = some constants, ref to textbook , for i = 0, 2, …, 79 Fuw-Yi Yang

Stinson p134~135 Algorithm 4.1 SHA-1(x) external SHA-1-PAD global K0, …, K79 y  SHA-1-PAD(x) denote y = M1 || M2 || …|| Mn H0 = 67452301 H1 = EFCDAB89 H2 = 98BADCFE H3 = 10325476 H4 = C3D2E1F0 Fuw-Yi Yang

Stinson p134~135 Algorithm 4.1 SHA-1(x) for i  1 to n do denote Mi = W0 || W1 || …||W15 for t 16 to 79 do Wt  ROTL1(Wt-3 ⊕Wt-8 ⊕ Wt-14 ⊕ Wt-16) A H0, B H1, C H2, D H3, E H4 for t 0 to 79 do temp  ROTL5(A)+ ft (B, C, D) + E + Wt + Kt ED, DC, C ROTL30(B), BA, Atemp H0  H0 + A, H1  H1 + B, H2  H2 + C H3  H3 + D, H4  H4 + E Return (H0 || H1 || H2 || H3 || H4) ROTLscircular left shift s positions Operation of + is with mod 232 Fuw-Yi Yang

11.5 SHA-1 A frequently used cryptographic hash function is SHA-1. It is used in the Digital Signature Standard (DSS). We describe SHA-1 in this section. Let x  {0,1}*. Assume that the length |x| of x is smaller than 264. The hash value of x is computed as follows. Example 11.5.1 Let x be 01100001 01100010 01100011 01100100 01100101. First, x is padded such that |x| is a multiple of 512. 1. y  x || 1, x: 01100001 01100010 01100011 01100100 01100101  y: 01100001 01100010 01100011 01100100 01100101 1 Fuw-Yi Yang

11.5 SHA-1 2. Append some zeros to x s.t. |y| = 512 k - 64 (assume |x| < 264. ) in this example, k = 1, we must append 448 - 41 zeros to y. Using hexadecimal form, y: 61 62 63 64 65 80  z: 61626364 65800000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 Fuw-Yi Yang

11.5 SHA-1 3. Append the length of x to z. |x| = 40D = 28H w: 61626364 65800000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000028 4. x = M1M2… Mt , Mi  {0,1}512, 1  i  t. Mi = W0W1… W15 , Wi  {0,1}32, 0  i  15. Compression function: ft: {0,1}32  {0,1}32  {0,1}32  {0,1}32 The hash value is SHA-1(x) = H0 H1 H2 H3 H4 Fuw-Yi Yang

11.5 SHA-1 4. x = M1M2… Mt , Mi  {0,1}512, 1  i  t. Mi = W0W1… W15 , Wi  {0,1}32, 0  i  15. Compression function: ft: {0,1}32  {0,1}32  {0,1}32  {0,1}32 5. Initial vectors: H0 H1 H2 H3 H4 = ABCDE = 67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0 6. Wt = S1(Wt-3  Wt-8  Wt-14  Wt-16) , 16  t  79. 7. T = S5(A) + ft(B, C, D) + E + Wt + Kt, E = D, D = C, C = S36(B), B = A, A = T, 0  t  79. 8. H0 = A+ H0, H1 = B+ H1, H2 = C+ H2, H3 = D+ H3, H4 = E+ H4 9. The hash value is SHA-1(x) = H0 H1 H2 H3 H4 Fuw-Yi Yang

11.6 Other Hash Functions Hash function Block length Relative speed MD4 128 1.0 MD5 128 0.68 RIPEMD-128 128 0.39 SHA-1 160 0.28 RIPEMD-160 160 0.24 Fuw-Yi Yang

11.6 Other Hash Functions Hash function Block length Relative speed MD4 128 1.0 MD5 128 0.68 RIPEMD-128 128 0.39 SHA-1 160 0.28 RIPEMD-160 160 0.24 Fuw-Yi Yang

11.7 An Arithmetic Compression Function As we have mentioned earlier, there are no provably collision resistant compression functions. There is, however, a compression function that can be proven to be collision resistant if computing discrete logarithms in (Z/pZ)* is infeasible. It was invented by Chaum, van Heijst, and Pfitzmann. Let p be a prime number, q = (p-1)/2 also a prime number, a a primitive root mod p, and b randomly chosen in {1 2, …, p-1}. Consider the following map: h: {0, 1, …, q-1}2  {1 2, …, p-1}, (x1, x2)  ax1bx2 mod p. Fuw-Yi Yang

11.7 An Arithmetic Compression Function Example 11.7.1 Let p = 23, q = 11, a = 5, b = 4. Then h(5, 10) = 55 * 410 mod 23 = 5. Assume that ax1bx2 = ax3bx4 mod p ax1 - x3 = bx4 - x2 mod p ax1 - x3 = ay(x4 - x2) mod p  y = logab = (x1 - x3) / (x4 - x2) mod p-1. Fuw-Yi Yang

11.8 Message Authentication Codes Definition 11.8.1 A parameterized hash function is a family {hk: k  K}, K is the key space of h. A parameterized hash function is also called a message authentication code or MAC. Example 11.8.2 Consider the hash function g: {0, 1}*  {0, 1}4. It can be transformed into the MAC hk: {0, 1}*  {0, 1}4, x  g(x)  k with key space {0, 1}4. The following example shows how MACs can be used. Fuw-Yi Yang

11.8 Message Authentication Codes Example 11.8.3 Professor Alice sends a list with the names of all students who have passed the cryptography class via email to the college office. It is important that the college office be convinced that this email is authentic. For the proof of authenticity, a MAC {hk: k  K} is used. Alice and the college office exchange a secret key k  K. Together with her list x, Alice also sends the hash value y = hk(x) to the college office. Bob, the secretary, can also compute the hash value y = hk(x) of the received message x. He accepts x if y = y. Fuw-Yi Yang