Hash Functions Motivation Hash Functions: collision, pre-images SHA-1 CSCI284 Spring 2009 GWU
The problems crypto addresses Confidentiality/secrecy/privacy How to keep a message secret so it can be read only by a chosen person Use encryption Integrity How to determine a string of symbols has not been changed since it was created ? 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
CS284/Spring09/GWU/Vora/Hash Functions Integrity Alice sends message x to Bob. She fears Oscar will manipulate it along the way, and Bob will get an incorrect message. She could encrypt it using a key Oscar did not have, but is that overkill when she does not need to prevent Oscar from reading it? But maybe she could tell Bob something else about the message so he would know if something was terribly wrong: parity, last bit, a particular bit, etc. 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
In general, she could use a hash function h: X Y y = h(x) |X| > |Y| i.e. x, x’ s.t x x’ and h(x) = h(x’) Used in storage tables E.g.: h(x) = last bit, parity, smallest prime factor 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
CS284/Spring09/GWU/Vora/Hash Functions h(x) sent with x Both Bob and Alice can create h(x) given x Alice sends (x, h(x)) Bob receives (x’,y’), he checks if y’ = h(x’). If so, he assumes x’ is what Alice sent 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
In either case, what can the attacker do? If he can compute h(x), he can: try to find x’ s.t. h(x) = h(x’). If he knows h, and can influence Alice, he can try to get her to send an x that she likes such that h(x) = h(x’) for an x’ he likes. If he doesn’t, he hopes for the best. 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
Hence require an h “secure” in the following ways: Secure wrt second image requires that the following problem is “difficult”: Given an xX, find x’ X s.t x’ x but h(x’) = h(x) Secure wrt collision requires that the following problem is “difficult”: Find x, x’ X s.t x’ x but h(x’) = h(x) The above should be true even if h(x1), h(x2).. h(xn) are known 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
In general, h is a secure-hash It is also a one-way function: easy to compute in one direction, hard in the other. Is the following h secure wrt second image and collision? h: Zn X Zn Zn h(x, y) = ax + by mod n h(x, y) = ax2 + by2 mod n 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
CS284/Spring09/GWU/Vora/Hash Functions Easy? How does one define easy/difficult to compute? Using computational complexity theory By requiring a large time for the computation on any computer given a particular computational model For example, the probabilistic polynomial-time model 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
Algorithm Find Pre-Image(h, y, q) choose any X0 X, | X0 | = q for each x X0 if h(x) = y return (x) endfor return(failure) What is the complexity of this algorithm? What is its probability of success? 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
Algorithm Find Second Pre-Image(h, x, q) y h(x) choose any X0 X\{x}, | X0 | = q-1 for each x0 X0 if h(x0) = y return (x0) endfor return(failure) What is the complexity of this algorithm? What is its probability of success? 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
Algorithm Find Collision (h, q) choose any X0 X, | X0 | = q for each x X0 yx h(x) endfor for all pairs (x, x’) if yx = yx’ return (x, x’) return(failure) 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
Probability of success For a lower bound, can assume that sizes of pre-images are about equal, so that one pre-image is not very large - if it were, it would be very easy to have a collision in that pre-image. M = |Y| probability of no collisions = q-1i=1(1 - i/M) probability of at least one collision: (using e-x/M 1 -x/M) 1 - q-1i=1(1 - i/M) 1 - e-q(q-1)/2M 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
CS284/Spring09/GWU/Vora/Hash Functions Allowed n, q For a given acceptable collision probability p, what is q in terms of M and p? p = 1 - q-1i=1(1 - i/M) 1 - e-q(q-1)/2M q (2M ln(1/1-p)) For p = 0.5, q 1.17M if M = 365, q 23 and the probability of 2 people having the same birthday in a group of 23 people is more than 0.5 – Birthday attack/paradox 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
Complexities/Probability of success Find Pre-Image Success Probability: 1-(1-1/M)q q/M Complexity: (q) Find Second Pre-Image Success Probability: 1-(1-1/M)q-1 q/M Find Collision Success Probability: 1 - q-1i=1(1 - i/M) 1 - e-q(q-1)/2M Complexity: (q2) 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
CS284/Spring09/GWU/Vora/Hash Functions SHA-1 Pad given string x so that it is of length a multiple of 512 bits. Call this string y = M1||M2||…||Mn Iteratively calculate the hash of y using a hash function (known as the compression function) for 512 bits (hash is of length 160 bits) What is complexity of a birthday attack? 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions
CS284/Spring09/GWU/Vora/Hash Functions SHA-1 contd. current_hash = H0||H1||H2||H3||H4 for i=1, 2, ..n A||B||C||D||E|| = h(Mi, current_hash) H0+=A; H1+=B; … endfor 2/24/2019 CS284/Spring09/GWU/Vora/Hash Functions