1 Intro To Encryption Exercise 6

2 Problem Is every (weak) CRHF also a OWF

3 Solution No!!! Counter Example:  Suppose h is a weakly CRHF  Let h’(x)=x||h(x) No collisions in h’, clearly not a OWF. What about h’:{0,1} n  {0,1} l l<n.  Exercise

4 Problem Show a OWHF and distribution of passwords s.t. both unix and S/Key fail

5 Solution Let h(x) be a OWHF. Let h’(x) return:  0 if 3 final chars of x end with AAA  h(x) otherwise What kinds of an attack should ADV use?  For Unix Password Scheme  For S/Key password scheme

6 Problem Lets assume a SALT mechanism is proposed for the previous problem. How should you implement it using the proposed h’ without changing its internal design?

7 Solution h’’(x)=h’(x||salt) with salt being != AAA.

8 Problem Why does brute-force attack on Target Collision Resistant takes O(2 n ) guesses (not O(2 n/2 )-from bithday paradox)

9 Solution Since ADV picks x, x’ he may be able to find a collision with O(2 n/2 ). BUT!!! ADV does not know key k prior to his choice. The key is chose AFTER he chose. So? So ADV can’t efficiently calculate hashes for x, x’ because he does not know which hash function The user may choose. In other words for some key k f(x)=f(x’) but for other key k f(x)!=f(x’)

10 Problem Computer viruses modify executable program files to `infect` them. One common protection against viruses is to maintain, in read-only storage, a list containing a short `fingerprint` of each executable file, allowing the antivirus program to validate that an executable was not modified. Which of the hash function properties are necessary for computing the fingerprint?

11 Solution We need collision resistance features. Do we need Weakly, Strong or target collision resistance requirements?

12 Problem We wish to build hash functions from block ciphers. We wish Same function as WCRHF that is constructed as: h(x)=E x (0) [if we use a block cipher which allows arbitrary long keys] Does this construction provides WCRHF?

13 Solution No!!! Assume E k (x) is a block cipher. Assume E’ k1,k2 (x)=k1  E k2 (X).  Is this still a block cipher??? Prove!!! Let X=X 1 ||X 2 (without the limitation of generality) Let h(x 1 ||x 2 )=E’ x1,x2 (0)=x1  E x2 (0)

14 Solution Assume X= > X 1 =1001, X 2 =1100 Assume E 1100 (0)=1101 Let h(x)=1001  1101=0101 Let ADV A find a collision to X= with h(x)=0101 Let there be Y= > Y 1= 1000,Y 2= 1110 Y 2 ‘=E y2 (0)=0011. Y 1 ‘=h(x)  E y2’ (0)=0101  0011=0110

15 Solution For our construction: Let h(Y 1 ’||Y 2 )=Y 1 ’  E y2 (0). i.e. h( ). Y 1 ’  E y2 (0)=(h(x)  E y2’ (0))  E y2 (0)=h(x). i.e.: 0110  0011 = 0101.

16 Problem Alice and Bob communicate by phone. Assume they can identify each other’s voice, but a hacker, Eve, may eavesdrop on their communication. Alice wants to send a shared key to Bob, carried by Charlie, a completely reliable and trustworthy courier, which is unfortunately not known to Bob. We want Charlie to know some secret so it can prove his identity to Bob by exposing this secret We also don’t want Eve to impersonate as Charlie. Show how Alice can establish such a secret using (only) a one-way hash function.

17 Solution Alice hands charlie a voice print. She may say: “Hello Bob”. Charlie uses h as the OWF and uses: h(“Hello Bob” Alice ||”Hello Bob from Alice” charlie ) To establish a key.