Blockchains Lecture 4.

Slides:



Advertisements
Similar presentations
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Advertisements

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Acknowledgements: William Stallings.William Stallings All rights Reserved Session 4 Public Key Cryptography (Part 2) Network Security Essentials Application.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
Cryptographic Hash Functions and Protocol Analysis
Lecture 2: Introduction to Cryptography
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena.
CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.
CS/ECE 578 Cyber Security Dr. Attila Altay Yavuz
Cryptographic hash functions
Cryptographic Hash Functions
Cryptographic Hash Function
Cryptographic Hash Functions
Topic 14: Random Oracle Model, Hashing Applications
최신정보보호기술 경일대학교 사이버보안학과 김 현성.
Topic 11: Authenticated Encryption + CCA-Security
Cryptographic Hash Functions Part I
Cryptography Lecture 13.
Cryptographic Hash Functions
Cryptography Lecture 12.
Cryptography Lecture 4.
ICS 454 Principles of Cryptography
Cryptography Lecture 19.
Cryptographic Hash Functions
Cryptography Lecture 6.
Cryptography Lecture 10.
CS/ECE 478 Introduction to Network Security
Message Authentication and Hash Functions
Cryptography Lecture 14.
Cryptography Lecture 11.
Data Integrity: Applications of Cryptographic Hash Functions
ICS 454 Principles of Cryptography
Lecture 4.1: Hash Functions: Introduction
Cryptographic Hash Functions Part I
Hash-based Primitives Credits: Dr. Peng Ning and Dr. Adrian Perrig
Cryptography Lecture 8.
Chapter -7 CRYPTOGRAPHIC HASH FUNCTIONS
Cryptography Lecture 14.
Cryptography Lecture 11.
Cryptography Lecture 9.
CIS 4930/6930 – Privacy-Preserving and Trustworthy Cyber-Systems Dr
Cryptography Lecture 12.
Lecture 4.1: Hash Functions, and Message Authentication Codes
Cryptography Lecture 14.
Hashing Hash are the auxiliary values that are used in cryptography.
Cryptography Lecture 13.
Cryptography Lecture 3.
Cryptography Lecture 9.
Cryptography Lecture 11.
Cryptography Lecture 10.
Cryptography Lecture 13.
Cryptography Lecture 15.
Cryptography Lecture 18.
Lecture 4: Hash Functions
Hash Function Requirements
CRYPTOGRAPHY & NETWORK SECURITY
Cryptography Lecture 15.
Presentation transcript:

Blockchains Lecture 4

Authenticated encryption

Secrecy + integrity? We have shown primitives for achieving secrecy and integrity in the private-key setting What if we want to achieve both?

Authenticated encryption An encryption scheme that achieves both secrecy and integrity

Constructions? Generic constructions Direct constructions Encrypt and authenticate Authenticate then encrypt Encrypt then authenticate Direct constructions

Generic constructions Generically combine an encryption scheme and a MAC Useful when these are already available in some library Goal: the combination should be an authenticated encryption scheme when instantiated with any CPA-secure encryption scheme and any secure MAC

Generic constructions? Encrypt and authenticate Authenticate then encrypt Encrypt then authenticate

Generic constructions? Encrypt and authenticate Authenticate then encrypt Encrypt then authenticate

Encrypt then authenticate c, t k1, k2 k1, k2 m c  Enck1(m) t = Mack2(c) Vrfyk2(c, t) = 1? m = Deck1(c)

Authenticated encryption Encrypt-then-authenticate (with independent keys) is the recommended generic approach for constructing authenticated encryption

Direct constructions Other, more-efficient constructions have been proposed and are an active area of research and standardization E.g., OCB, CCM, GCM, SIV Others… Active competition: https://competitions.cr.yp.to/caesar.html

Secure sessions

Secure sessions? Consider parties who wish to communicate securely over the course of a session “Securely” = secrecy and integrity “Session” = period of time over which the parties are willing to maintain state Can use authenticated encryption…

Enck(m1) Enck(m2) k k Enck(m3)

Replay attack Enck(m1) Enck(m2) Enck(m1) k k

Re-ordering attack Enck(m1) Enck(m2) Enck(m2) Enck(m1) k k

Reflection attack Enck(m1) Enck(m2) k k Enck(m2)

Secure sessions These attacks (and others) can be prevented using counters/sequence numbers and identifiers

Enck(“Bob”| m1 | 1) Enck(“Bob” | m2 | 2) k k Enck(“Alice” | m3 | 1)

Secure sessions These attacks (and others) can be prevented using counters and identifiers Can also use a directionality bit in place of identifiers What about authenticated sessions? The same! Just use MAC instead of authenticated encryption

Hash functions

Hash functions (Cryptographic) hash function: deterministic function mapping arbitrary length inputs to a short, fixed-length output (sometimes called a digest) Hash functions can be keyed or unkeyed In practice, hash functions are unkeyed We will assume unkeyed hash functions for simplicity

Collision-resistance Let H: {0,1}*  {0,1}l be a hash function A collision is a pair of distinct inputs x, x’ such that H(x) = H(x’) H is collision-resistant if it is infeasible to find a collision in H

Hash functions in practice MD5 Developed in 1991 128-bit output length Collisions found in 2004, should no longer be used SHA-1 Introduced in 1995 160-bit output length Theoretical analysis indicates some weaknesses Very common; current trend to migrate to SHA-2 Collision found by brute force in 2017!

Hash functions in practice SHA-2 Supports 224, 256, 384, and 512-bit outputs No known weaknesses SHA-3/Keccak Result of a public competition from 2008-2012 Very different design than SHA-1/SHA-2

Applications to message authentication

Hash functions are ubiquitous Collision-resistance  “fingerprinting” Used as a one-way function Used as a “random oracle” Proof of work

HMAC Constructed entirely from (certain type of) hash functions MD5, SHA-1, SHA-2 Not SHA-3 Can be viewed as following the hash-and-MAC paradigm With (part of the) hash function being used as a pseudorandom function

Fingerprinting E.g., virus scanning E.g., deduplication

Fingerprinting E.g., file integrity Assuming it is possible to get a reliable copy of H(x) for file x Note: different from integrity in the context of message-authentication codes

Outsourced storage How to outsource files to an untrusted server? x x h=H(x) x H(x)=?h

Outsourced storage x1, …, xn x1, …, xn hi =H(xi) i xi H(xi)=?hi O(n) client storage!

Outsourced storage x1, …, xn x1, …, xn h =H(x1, …, xn) i x1, …, xn H(x1, …, xn)=?h O(n|x|) communication!

Outsourced storage x1, …, xn x1, …, xn h =H(H(x1), …, H(xn)) i xi, h1, …, hn H(h1, …, H(xi), …, hn)=?h |xi| + O(n) communication!

Merkle tree Only store the root! Verify… x1 x2 x2 x3 x4 Only store the root! Verify… O(log n) communication/computation!

Outsourced storage Using a Merkle tree, we can solve the outsourcing problem with O(1) client storage and |x| + O(log n) communication

Password hashing Server stores H(pw) instead of pw Requires more than one-wayness of H… See later discussion on random oracles Salting… H(”salt”, pwd)

(To Introduce Random Oracle Model) Main goal is collision resistance Want optimal birthday security “Optimal” measured relative to a random function Why not design H to be a “random function”?

The random-oracle (RO) model Treat H as a public, random function Then H(x) is uniform for any x…

Many applications One canonical example: key derivation

The random-oracle (RO) model Treat H as a public, random function Then H(x) is uniform for any x… …unless the attacker computes H(x)… …but the attacker cannot do that (with high probability) if X has high min-entropy!

The RO model Intuitively Assume the hash function “is random” Models attacks that are agnostic to the specific hash function being used Security in the real world as long as “no weaknesses found” in the hash function

The RO model In practice Prove security in the RO model Instantiate the RO with a “good” hash function Hope for the best…

Pros and cons of the RO model There is no such thing as a public hash function that “is random” Not even clear what this means formally Known counterexamples There are (contrived) schemes secure in the RO model, but insecure when using any real-world hash function Sometimes over-abused (arguably)

Pros and cons of the RO model No known example of “natural” scheme secure in the RO model being attacked in the real world If an attack is found, just replace the hash Proof in the RO model better than no proof at all Evidence that the basic design principles are sound

PRF from Hash Function in the Random Oracle Model Fk(x) = H(k||x) Note that it does not use any computational assumption, but relies on H is a random oracle (which is already very strong).

Hash Functions can do all major cryptographic functions Export law (historically) Encryption forbidden HMAC was designed to circumvent this Not just MAC As shown in building PRF And therefore all sorts of major functions