1 Strengthening Digital Signatures via Randomized Hashing Shai Halevi and Hugo Krawczyk IBM Research.

Slides:



Advertisements
Similar presentations
Lecture 5: Cryptographic Hashes
Advertisements

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Cryptographic Hash Functions Rocky K. C. Chang, February
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 19 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Cryptography and Network Security Hash Algorithms.
By: Matthew Ng. SHA stands for Secure Hash Algorithm It is based off the Merkle-Dangard hash function There are 3 versions of it with one coming in 2012.
Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
Cryptographic Hash Functions and their many applications Shai Halevi – IBM Research USENIX Security – August 2009 Thanks to Charanjit Jutla and Hugo Krawczyk.
XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |
Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
HASH Functions.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
Hash and MAC Algorithms Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 12/3/2009 INCS 741: Cryptography 12/3/20091Dr. Monther Aldwairi.
IS 302: Information Security and Trust Week 5: Integrity 2012.
EE515/IS523 Think Like an Adversary Lecture 4 Crypto in a Nutshell Yongdae Kim.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
Basic Cryptography 1. What is cryptography? Cryptography is a mathematical method of protecting information –Cryptography is part of, but not equal to,
Chapter 21 Public-Key Cryptography and Message Authentication.
Hash and MAC Functions CS427 – Computer Security
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Cryptographic Hash Functions Credit: Prof.
Chapter 4 Message Authentication MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.
1 Number Theory and Advanced Cryptography 6. Digital Signature Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography.
Hash Algorithms see similarities in the evolution of hash functions & block ciphers –increasing power of brute-force attacks –leading to evolution in algorithms.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Modern Cryptography.
Giuseppe Bianchi Message Authentication: hash functions and hash-based constructions.
PKCS #5: Password-Based Cryptography Standard
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Cryptographic Hash Functions
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
Information Security and Management 11. Cryptographic Hash Functions Chih-Hung Wang Fall
Hash Algorithms Ch 12 of Cryptography and Network Security - Third Edition by William Stallings Modified from lecture slides by Lawrie Brown CIM3681 :
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 Randomized Hashing: Secure Digital Signatures without Collision Resistance Shai Halevi and Hugo Krawczyk IBM Research
Data Integrity / Data Authentication. Definition Authentication (Signature) algorithm - A Verification algorithm - V Authentication key – k Verification.
Chapter 12 – Hash Algorithms
CS/ECE 578 Cyber Security Dr. Attila Altay Yavuz
Cryptographic Hash Functions Part I
ICS 454 Principles of Cryptography
CS/ECE 478 Introduction to Network Security Dr. Attila Altay Yavuz
Towards A Standard for Practical Hash-based Signatures
ICS 454 Principles of Cryptography
Cryptographic Hash Functions Part I
CIS 4930/6930 – Privacy-Preserving and Trustworthy Cyber-Systems Dr
Presentation transcript:

1 Strengthening Digital Signatures via Randomized Hashing Shai Halevi and Hugo Krawczyk IBM Research

2 Coping with Collisions Post-Wang Trauma (collision attacks):  A healthy reminder of our “ shaky foundations ” Applications threatened by collisions: mainly signatures What to do: avoid patches, build stronger hash funct ’ s  But do we know how? Our approach: “ Hope for the Best, Plan for the Worst ” BUILD APPLICATIONS ON AS WEAK AS POSSIBLE ASSUMPTIONS ON THE UNDERLYING HASH FUNCTIONS

3 Our Contribution We randomize the signature processing such that : Signatures remain secure even if off-line collision attacks against hash are successful Attacker needs to be able to mount a variant of the much harder “ second-preimage attack ” (on compr. f.) Off-line attacks useless: Per-signature attack (on line!)  Attack can start only when per-signature randomness revealed HASH FUNCTION AND SIGNING ALG UNCHANGED!!

4 Too Good To Be True? Simple message randomization scheme Provable reduction to “ second preimage resistance ” NIST: SP !  Internet Draft is coming (see our website)

5 RMX: Message Randomization Scheme From SIGN( Hash( M ) ) to SIGN( Hash( RMX(r,M) )). RMX(r,M) : M=(m 1,m 2, …,m L ), r  (r, m 1  r,m 2  r, …,m L  r). In signatures: M=(m 1,m 2, …,m L ), r  H(r, m 1  r,m 2  r, …,m L  r)  SIGN, r r chosen by signer at random w/each sig Input to signing algorithm (r transmitted with sig) m i and r of block length (eg 512)

6 HASH SIGN r HASH SIGN RMX M =(m 1, …,m L ) (r, m 1  r,, …,m L  r( M =(m 1, …,m L ) RMX: Preserving Hash-then-Sign

7 Merkle- Damgard. Hash H The RMX Scheme (one-pass blockwise processing) IV h h h h ● ● ● Hash(M) m1m1 m2m2 m L-1 mLmL m1m1 mLmL r r h h h h ● ● ● H(r,M) IV r    ~ r

8  RMX: simple front-end to existing hash-then-sign modules  No change to hash functions or signature algorithms  Compatible with block-wise processing of M-D functions  Random generation by signer only (e.g., certificate issuing vs verifying) 128 bits of randomness (up to a block, 512) Transporting r: application-dependent (like IV in CBC); E.g., X.509: r as a parameter under AlgorithmIdentifier Implementations: certificate signing (openssl, NSS/Firefox [B&S] ) XML: next (note: RMX can be applied to multilevel signing) Documented by NIST: SP (Internet Draft coming) Practical

9 Secure Substantial security increase for digital signatures  A fundamental shift in attack scenario: Off-line vs. On-line In particular: no inherent birthday, shorter outputs (truncation)  A much harder cryptanalytical task (~ SPR of compression function) Notes  Randomization never weakens: A SAFETY NET  Likely extension of useful life of hash functions, may prevent or mitigate catastrophic failure, more planning time upon weaknesses  Much like HMAC for MAC functions (btw, is HMAC good as RMX?)

10 Paper (Crypto ’ 06) Implementation experience Internet Draft

11 Note: Can the Signer Cheat? If H is CR then the signer cannot find collisions With RMX, if H is not CR, the signer (and only the signer!) may find r,r ’,M,M' s.t H(RMX(r,M))=H(RMX(r ’,M')) But this is no contradiction to non-repudiation  Signer is bound by any message with his signature (even if he shows two msgs with the same signature!)  NO contradiction to standard unforgeability definitions [GMR] Note: in RMX as long as H is CRHF then even the signer cannot find collisions (safety net!)

12 Note: Not any randomness… H r (M)=H(M||r): no help! needs collision resistance (same for r in the middle of msg) H r (M)=H(r||M): helps, but randomization fades on long msgs (contrast w/our scheme where r randomizes each block!) HMAC: H(r||H(r||M)) no better than previous

13 Randomized Hashing Implementation Java JCE Provider for java.security.Signature   No setParam for java.security.MessageDigest Apache XML Security library extensions  Signature Salt parameter passed as child of SignatureMethod  Transform Salt parameter passed as child of Transform

14 XML Signature Example Test Data <ds:CanonicalizationMethod Algorithm=" JYoVX6Pqdc/z/1k … dS1mE6FG5IikizQEJKafg6kVChc= xE/1oRdq+7z3KDAj9qh/GY/6SWQ= fDDekndStUhk8wvfPJNe8pj0T2ZHPx4ZJ06s4kOhSvYucQCyNKUQrAdSQds … heazCYHwZC5kiGI6eO3ZSLjypfdgeXu3uXJoN/VYlWrP51NoJ5wR9NOnzAxChufT5qi0 … AQAB

15 Adding Support for New SignatureMethod or DigestMethod Adding new JCE Signature Provider  Add one class derived from base; specify: Underlying Signature Provider (e.g. DSA) Associated MessageDigest block size (e.g. SHA1 = 20 bytes, MD5 = 16 bytes, etc.) Adding new Transform  Add one class derived from base; specify: Underlying MessageDigest Provider

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.