Ryan Henry I 538 /B 609 : Introduction to Cryptography
Ryan Henry 1 Tuesday’s lecture: Secure variants of CBC-MAC Hash functions Today’s lecture: Constructing hash functions HMAC Birthday attacks
Ryan Henry Assignment 3 is on Tuesday, October 13 2 (That’s one week from today!) Please seek help before 2:30pm on Friday! Thursday, October 15 (Assignment 4 will still be posted on Tuesday, October 13 and due on Tuesday, October 27!)
Ryan Henry Recall: Collision resistance 3 Challenger (C) Attacker (A) k ← Gen(1 s ) (m 0, m 1 ) 1 s1 s k Let E be the event that m 0 ≠ m 1 and H(k, m 0 ) = H(k, m 1 ) Define A’s advantage to be Adv collision (A) := Pr[E] 1 s1 s
Ryan Henry Recall: Second preimage resistance 4 Challenger (C) Attacker (A) k ← Gen(1 s ) m 1 1 s1 s k Let E be the event that m 0 ≠ m 1 and H(k, m 0 ) = H(k, m 1 ) Define A’s advantage to be Adv 2-preimage (A) := Pr[E]
Ryan Henry Recall: Preimage resistance 5 Challenger (C) Attacker (A) k ← Gen(1 s ) m 1 s1 s k Let E be the event that H(k, m) = y Define A’s advantage to be Adv preimage (A) := Pr[E]
Ryan Henry (One-way) compression functions ▪I▪Intuitively, a (one-way) compression function is a keyed function h with three properties: –E–Efficient: There exists a PPT algorithm that evaluates h –C–Compression: h maps 2s-bit strings and to s-bit strings –O–One-way: Given an output of h, it is difficult to find any input that maps to that output Q: On average, how many inputs map to each output? A: About 2 s 6 ( T h i s i s t h e o p p o s i t e o f w h a t y o u w a n t f r o m n o n - c r y p t o g r a p h i c c o m p r e s s i o n f u n c t i o n s )
Ryan Henry Merkle-Damgård construction 7 m1m1...
Ryan Henry Davies-Meyer compression function 8 mimi z i-1 zizi Thm: If F is a PRF, then the Davies-Meyer compression function is collision resistant. In particular, finding a collision requires O(2 n/2 ) evaluations of F on average. F m i (z i-1 )
Ryan Henry Recall: Nested CBC-MAC (NMAC) 9 m1m1 k1k1 k1k1 k1k1... k2k2 Compute Naïve CBC-MAC with first key MAC the Naïve CBC-MAC with second key
Ryan Henry Hash-based MAC (HMAC) ▪ The most widely used MAC algorithm in practice ▪ H s is a collision-resistant (keyed) hash function ▪ k is the secret MAC key ▪ opad = 0x5c5c5c... 5c ▪ ipad = 0x block n blocks "outer" pad "inner" pad
Ryan Henry HMAC 11...
Ryan Henry Simpler HMAC constructions? Q: Is H(k 11 m) a secure MAC? A: No! (But why?) –S–Suppose H is constructed using Merkle-Damgård construction –G–Given (m, H(k 11 m)) it is easy to compute m' := m 11 m'' and t' such that t' = H(k 11 m')! (But how?) –J–Just set t' = H(t 11 m'') Q: Is H(m 11 k) a secure MAC? A: Errr, well....sort of!? It's not as secure as HMAC! (But why?) –I–If H(m 0 ) = H(m 1 ) then H(m 0 11 k) = H(m 1 11 k) –W–Weakness in collision-resistance of H implies weakness in HMAC 12
Ryan Henry Simpler HMAC constructions? Q: Is H(k 11 m 11 k) a secure HMAC? A: I don't know! Possibly? –T–This is essentially HMAC without ipad and opad –P–Proof of existential unforgeability for HMAC requires that ipad and opad differ in at least one bit! –H–H(k 11 m 11 k) falls to "target prefix collision" attacks against H 13
Ryan Henry Generic birthday attack ▪L▪Let H: {0, 1} * → {0, 1} s and consider the following algorithm: –C–Choose N := (5/4) · 2 s/2 distinct messages, m 1,..., m N, each uniformly at random –F–For i = 1,..., N, compute y i := H(m i ) –I–If y i = y j for some i ≠ j, then output (m i, m j ) 14
Ryan Henry 15 Generic birthday attack = 1 - ( (2 s -1)/2 s ) ( (2 s -2)/2 s )... ( (2 s -N+1)/2 s ) = 1 - e -1/2 s ∑ i ≥ 1 - e -(N 2 /2)/2 s = 1 - e -((5/4 2 s/2 ) 2 /2)/2 s = 1-e -25/32 ≥ 0.54
Ryan Henry Generic birthday attack ▪O▪Obs: An attacker A that uses the generic birthday attack can find collisions with advantage Adv collision (A) > 1/2 in O(s · 2 s/2 ) time (albeit with O(s · 2 s/2 ) storage Q: Is this a problem? A: No! (in theory); Possibly! (in practice) –R–Real hash functions have fixed-length outputs –N–Need to ensure that 2 s/2 work is infeasible....or do we? Memory is scarcer than time Q: Is it sufficient to ensure no real attacker can store s·2 s/2 bits? A: Perhaps surprisingly, no! 16
Ryan Henry "Small-space" birthday attack ▪C▪Consider an attacker A that works as follows: 1. Choose a random initial value m 0 2. Set m := m 0 and m' := m 0 3. For i = 1, 2, 3,..., do the following –C–Compute m := H(m) and m' := H(H(m')) // now m = H (i) (m 0 ) and m' = H (2i) (m 0 ) –I–If m == m', break from loop 4. Set m' := m and m := m 0 5. For j = 1,..., i, do the following –I–If H(m) == H(m'), return (m, m') –E–Else, set m := H(m) and m' := H(m') // now m = H (j) (m 0 ) and m' = H (i+j) (m 0 ) 17 Thm: The above small-space birthday attack finds a collision with probability at least 1/2 in O(s·2 s/2 ) time using O(1) storage.
Ryan Henry That’s all for today, folks! 18