Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig

Presentation transcript:

Hash-based Primitives
CIS 4930/6930 – Privacy-Preserving and Trustworthy Cyber-Systems, Dr. Attila Altay Yavuz
Credits: Dr. Peng Ning and Dr. Adrian Perrig

One-way Hash Chain
- Used for many network security applications:
  - S/Key
  - Authenticating data streams
  - Key derivation in crypto schemes
  - Forward security
  - Commitments
- Good for authentication of the hash values
- $K_i = F(K_{i+1})$, where $F$ is a hash function
- [Figure: hash chain $K_n = R$, ..., $K_4$, $K_3$, $K_2$, $K_1$, $K_0$, each value obtained by applying $F$ to the previous one; $K_0$ is the commitment]

Properties of One-way Hash Chain
- Given $K_i$:
  - Anybody can compute $K_j$, where $j < i$
  - It is computationally infeasible to compute $K_l$, where $l > i$, if $K_l$ is unknown
  - Any $K_l$ disclosed later can be authenticated by verifying that $F^{l-i}(K_l) = K_i$
- Disclosing $K_{i+1}$ or a later value authenticates the owner of the hash chain

Using “Disposable” Passwords
- Simple idea: generate a long list of passwords, use each only one time
  - The attacker gains little or no advantage by eavesdropping on the password protocol, or by cracking one password
- Disadvantages:
  - Storage overhead
  - Users would have to memorize lots of passwords!
- Alternative: the S/Key protocol, based on use of a one-way (e.g. hash) function

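S/Key Password Generation
- Alice selects a password $x$
- Alice specifies $n$, the number of passwords to generate
- Alice’s computer then generates a sequence of passwords:
  - $x_1 = H(x)$
  - $x_2 = H(x_1)$
  - ...
  - $x_n = H(x_{n-1})$
- [Figure: chain $x$ (password), $x_1$, $x_2$, $x_3$, $x_4$, each value obtained by applying $H$ to the previous one]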

Generation… (cont’d)
- Alice communicates (securely) to a server the last value in the sequence: $x_n$
- Key feature: no one knowing $x_i$ can easily find an $x_{i-1}$ such that $H(x_{i-1}) = x_i$
  - Only Alice possesses that information

Limitations
- The value of n limits the number of passwords
  - Need to periodically regenerate a new chain of passwords
- Does not authenticate the server!
- Do not substitute a bad seed password
- Just a tool to enhance password systems
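An added example (not from the original slides) covering both the hash-chain properties and S/Key: the server stores only $x_n$ and accepts a value whose hash equals what it holds. The login step is the standard S/Key check, which the slides do not spell out; SHA-256 as H, the seed string and the `Server` class are assumptions made for illustration.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def make_chain(x: bytes, n: int) -> list:
    """Return [x_1, ..., x_n] with x_1 = H(x) and x_i = H(x_{i-1})."""
    chain, cur = [], x
    for _ in range(n):
        cur = H(cur)
        chain.append(cur)
    return chain

def steps_to(candidate: bytes, anchor: bytes, max_steps: int) -> int:
    """Return d >= 1 such that H^d(candidate) == anchor, or 0 if none."""
    cur = candidate
    for d in range(1, max_steps + 1):
        cur = H(cur)
        if hmac.compare_digest(cur, anchor):
            return d
    return 0

class Server:
    """Holds only the most recently accepted chain value (initially x_n)."""
    def __init__(self, x_n: bytes):
        self.current = x_n

    def login(self, otp: bytes) -> bool:
        if steps_to(otp, self.current, 1) != 1:
            return False        # not the preimage of the stored value
        self.current = otp      # roll forward to the value just disclosed
        return True

def demo() -> list:
    xs = make_chain(b"constructed seed password", 5)  # x_1 .. x_5
    server = Server(xs[4])                            # server is given x_5
    return [
        server.login(xs[3]),  # x_4: accepted
        server.login(xs[3]),  # replay of x_4: rejected
        server.login(xs[1]),  # x_2 skips x_3: rejected by the strict check
        server.login(xs[2]),  # x_3: accepted
    ]

if __name__ == "__main__":
    print(demo())
```

Calling `steps_to` with a larger `max_steps` gives the general hash-chain check, where a verifier that missed intermediate values still authenticates a later disclosure against an older one.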

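Chained Hashes
- More general construction than one-way hash chains
- Useful for authenticating a sequence of data values $D_0, D_1, \ldots, D_N$
- $H^*$ authenticates the entire chain
- [Figure: data values $D_0$, ..., $D_{N-2}$, $D_{N-1}$, $D_N$ with hash values $H^*$, $H_0$, ..., $H_{N-2}$, $H_{N-1}$; labels $H(D_{N-1} \| H_{N-1})$ and $H(D_N)$]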
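An added example of the chained-hash construction, not taken from the original slides. It assumes the layout suggested by the figure labels: each packet carries its data plus the hash of the next packet, the last packet's hash is $H(D_N)$, and the receiver already holds an authentic $H^*$; SHA-256 and the sample data are assumptions.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_stream(data: list):
    """Return (h_star, packets); packet i is (D_i, hash covering packet i+1).

    Built backwards: the last packet carries an empty hash field, so its
    hash is H(D_N); every earlier one is H(D_i || next_hash).
    A real wire format would need an unambiguous encoding of both fields.
    """
    nxt, packets = b"", []
    for d in reversed(data):
        packets.append((d, nxt))
        nxt = H(d + nxt)
    packets.reverse()
    return nxt, packets          # nxt is now H*

def verify_stream(h_star: bytes, packets: list) -> int:
    """Return how many packets authenticate, in order, before the first failure."""
    expected, ok = h_star, 0
    for d, nxt in packets:
        if not hmac.compare_digest(H(d + nxt), expected):
            break                # this packet and everything after is untrusted
        expected, ok = nxt, ok + 1
    return ok

def demo():
    data = [b"D0", b"D1", b"D2", b"D3"]          # constructed sample values
    h_star, packets = build_stream(data)
    tampered = list(packets)
    tampered[2] = (b"D2-modified", packets[2][1])
    return verify_stream(h_star, packets), verify_stream(h_star, tampered)

if __name__ == "__main__":
    print(demo())
```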

Merkle Hash Tree
- A binary tree over data values
  - For authentication purposes
- The root is the commitment of the Merkle tree
  - Known to the verifier
- Example:
  - To authenticate $k_2$, send $(k_2, m_3, m_{01}, m_{47})$
  - Verify $m_{07} = h(h(m_{01} \| h(f(k_2) \| m_3)) \| m_{47})$

Merkle Hash Tree (Cont’d)
- Hashing at the leaf level is necessary to prevent unnecessary disclosure of data values
- Authentication of the root is necessary to use the tree
  - Typically done through a digital signature or pre-distribution
- Limitation:
  - All leaf values must be known ahead of time
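An added example (not from the original slides) that builds the eight-leaf tree and reproduces the $k_2$ authentication path $(m_3, m_{01}, m_{47})$. SHA-256 with a one-byte prefix to keep the leaf function f distinct from the interior function h is an assumption, as are the leaf values.

```python
import hashlib
import hmac

def f(leaf: bytes) -> bytes:            # leaf-level hash, hides the data value
    return hashlib.sha256(b"\x00" + leaf).digest()

def h(data: bytes) -> bytes:            # interior-node hash
    return hashlib.sha256(b"\x01" + data).digest()

def build(leaves: list) -> list:
    """Return all levels, leaf hashes first, [root] last (len is a power of 2)."""
    levels = [[f(k) for k in leaves]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels: list, index: int) -> list:
    """Sibling of the node on each level, from the leaf up to just below the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def verify(root: bytes, leaf: bytes, index: int, path: list) -> bool:
    node = f(leaf)
    for sibling in path:
        # The index bit says whether the current node is a right or left child.
        node = h(sibling + node) if index & 1 else h(node + sibling)
        index >>= 1
    return hmac.compare_digest(node, root)

def demo():
    leaves = [b"k%d" % i for i in range(8)]     # constructed values k0 .. k7
    levels = build(leaves)
    root = levels[-1][0]                        # m07, the commitment
    path = auth_path(levels, 2)                 # for k2: [m3, m01, m47]
    return (
        path == [levels[0][3], levels[1][0], levels[2][1]],
        verify(root, leaves[2], 2, path),
        verify(root, b"forged", 2, path),
        verify(root, leaves[2], 3, path),       # right value, wrong position
    )

if __name__ == "__main__":
    print(demo())
```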

Untrusted External Storage
- Problem: how can we store memory of a secure coprocessor in untrusted storage?
- Solution: construct a Merkle hash tree over all memory pages
- [Figure: secure coprocessor with small persistent storage, backed by Mallory’s storage]

One-Time Signatures
- Basis of all digital signatures
- Valuable tool to learn the principles
- Still, the fastest and most secure signature schemes!
  - Quantum computer resistant!
- Caveat: impractical for real-life applications
- They can be used as a “support unit”, seldom
  - Offline/online signatures
  - Tailoring for application (e.g., smart-grid, vehicular)

One-Time Signatures
- Use one-way functions without trapdoor
- Efficient for signature generation and verification
- Caveat: can only be used one time
- Example: 1-bit one-time signature
  - $P_0$, $P_1$ are public values (public key)
  - $S_0$, $S_1$ are private values (private key)
- [Figure: 1-bit one-time signature built from private values $S_0$, $S_1$ and public values $P_0$, $P_1$]

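Lamport’s One-Time Signature
- Uses the 1-bit signature construction to sign multiple bits
- [Figure: for bit 0, bit 1, bit 2, ..., bit n, a pair of private values $(S_0, S_1)$, $(S_0', S_1')$, $(S_0'', S_1'')$, ..., $(S_0^*, S_1^*)$ with the matching public values $(P_0, P_1)$, $(P_0', P_1')$, $(P_0'', P_1'')$, ..., $(P_0^*, P_1^*)$; the $S_0$ row is disclosed to sign a 0 bit, the $S_1$ row to sign a 1 bit]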
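An added example of Lamport's scheme, not from the original slides, with one (S0, S1) pair per bit and public values P = H(S). Signing the 256-bit SHA-256 digest of the message rather than the raw message bits is an assumption; `pairs_fully_disclosed` shows why the key is one-time only.

```python
import hashlib
import secrets

N = 256  # number of digest bits signed, one (S0, S1) pair per bit

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Private key: N pairs (S0, S1). Public key: N pairs (H(S0), H(S1))."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def digest_bits(msg: bytes) -> list:
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def sign(sk, msg: bytes) -> list:
    """Disclose S0 of pair i if bit i is 0, otherwise S1."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = digest_bits(msg)
    return len(sig) == N and all(
        H(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits, sig)))

def pairs_fully_disclosed(msgs) -> int:
    """Count pairs for which signing every msg with ONE key reveals S0 and S1."""
    seen = [set() for _ in range(N)]
    for m in msgs:
        for i, b in enumerate(digest_bits(m)):
            seen[i].add(b)
    return sum(len(s) == 2 for s in seen)

def demo():
    sk, pk = keygen()
    sig = sign(sk, b"constructed message A")
    return (
        verify(pk, b"constructed message A", sig),
        verify(pk, b"constructed message B", sig),
        pairs_fully_disclosed([b"constructed message A"]),
    )

if __name__ == "__main__":
    print(demo())
```

After a single signature no pair has both private values disclosed; signing a second message with the same key fully discloses every pair where the two digests differ, which is why a fresh key pair is needed per message.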

Hash to Obtain Random Subset (HORS)
- Merkle-Winternitz → still impractical
- BiBa (ancestor of HORS, please read)
  - Fast signature verification, but
  - Signing cost is high
- HORS goal: develop a one-time signature scheme with
  - Fast signing and verification
  - Still the same signature sizes as Merkle-Winternitz

Initial Scheme: Based on One-way Functions
- Generalization of Bos and Chaum one-time signatures
  - A distant variant of Lamport OTS!
- Key generation:
  - Generate $t$ random $l$-bit values
  - Let these be the private key: $SK = (s_1, \ldots, s_t)$
  - Compute the public key $PK = (v_1, \ldots, v_t)$, where $v_i = f(s_i)$ and $f()$ is a one-way function

Efficiency Analysis
- Key generation:
  - Requires $t$ evaluations of the one-way function
  - Secret key size = $l \cdot t$ bits
  - Public key size = $f_l \cdot t$ bits, where $f_l$ is the length of the one-way function output
- Signature generation:
  - Time to find the $m$-th $k$-element subset of $T$
- Verification:
  - Time to sign + $k$ one-way function operations

HORS Operations