Presentation is loading. Please wait.

Presentation is loading. Please wait.

One Way Functions Motivation Complexity Theory Review, Motivation

Published byΛυσιστράτη Σπηλιωτόπουλος Modified over 5 years ago

Similar presentations

Presentation on theme: "One Way Functions Motivation Complexity Theory Review, Motivation"— Presentation transcript:

1 One Way Functions Motivation Complexity Theory Review, Motivation
One Way Functions: collision, pre-images SHA-1 One Way Functions CSCI284 Spring 2004 GWU

2 Advanced Cryptography: CSCI 297?
Theory of secrecy: hard problems and crypto Elliptic curves Electronic Cash and Electronic Voting PRNGs Not much Cryptanalysis, Shannon secrecy 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

3 The problems crypto addresses
Confidentiality/secrecy/privacy How to keep a message secret so it can be read only by a chosen person Use encryption Integrity How to determine a string of symbols has not been changed since it was created ? 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

4 CS284/Spring04/GWU/Vora/One-Way Functions
Integrity Alice sends message x to Bob. She fears Oscar will manipulate it along the way, and Bob will get an incorrect message. She could encrypt it using a key Oscar did not have, but even so, when Bob decrypts the manipulated ciphertext, he gets an incorrect plaintext But maybe she could tell Bob something else about the message so he would know if something was terribly wrong: parity, last bit, a particular bit, etc. 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

5 In general, she could use a hash function
h: X  Y y = h(x) |X| > |Y| i.e.  x, x’ s.t x  x’ and h(x) = h(x’) Used in storage tables E.g.: h(x) = last bit, parity, smallest prime factor 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

6 Example 1: h(x) stored in secure location, not sent with x
Bob somehow gets the value of h(x) and stores it safely so that the attacker cannot change it. Because h(x) is smaller (fewer bits) than x, telling Bob h(x) beforehand is different from telling him the message itself. When he receives h, he checks h(x). If it tallies with what he has, he assumes that x was not changed along the way. 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

7 Example 2: h(x) sent with x
Both Bob and Alice can create h(x) given x Alice sends (x, h(x)) Bob receives (x’,y’), he checks if y’ = h(x’). If so, he assumes x’ is what Alice sent 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

8 In either case, what can the attacker do?
If he can compute h(x), he can: try to find x’ s.t. h(x) = h(x’). If he knows h, and can influence Alice, he can try to get her to send an x that she likes such that h(x) = h(x’) for an x’ he likes. If he doesn’t, he hopes for the best. 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

9 Hence require an h “secure” in the following ways:
Secure wrt second image requires that the following problem is “difficult”: Given an xX, find x’ X s.t x’  x but h(x’) = h(x) Secure wrt collision requires that the following problem is “difficult”: Find x, x’ X s.t x’  x but h(x’) = h(x) The above should be true even if h(x1), h(x2).. h(xn) are known 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

10 In general, h is a secure-hash, or a one-way function
Easy to compute in one direction, hard in the other. Is the following h secure wrt second image and collision? h: Zn X Zn  Zn h(x, y) = ax + by mod n h(x, y) = ax2 + by2 mod n 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

11 CS284/Spring04/GWU/Vora/One-Way Functions
Easy? How does one define easy to compute? Using computational complexity theory By requiring a large time for the computation on any computer given a particular computational model For example, the probabilistic polynomial-time model 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

12 Algorithm Find Pre-Image(h, y, q)
choose any X0  X, | X0 | = q for each x  X0 if h(x) = y return (x) endfor return(failure) What is the complexity of this algorithm? What is its probability of success? 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

13 Algorithm Find Second Pre-Image(h, x, q)
y  h(x) choose any X0  X\{x}, | X0 | = q-1 for each x0  X0 if h(x0) = y return (x0) endfor return(failure) What is the complexity of this algorithm? What is its probability of success? 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

14 Algorithm Find Collision (h, q)
choose any X0  X, | X0 | = q for each x  X0 yx  h(x) endfor for all pairs (x, x’) if yx = yx’ return (x, x’) return(failure) 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

15 Probability of success
For a lower bound, can assume that sizes of pre-images are about equal, so that one pre-image is not very large - if it were, it would be very easy to have a collision in that pre-image. M = |Y| probability of no collisions = q-1i=1(1 - i/M) probability of at least one collision: (using e-x/M  1 -x/M) 1 - q-1i=1(1 - i/M)  1 - e-q(q-1)/2M 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

16 CS284/Spring04/GWU/Vora/One-Way Functions
Allowed n, q For a given acceptable collision probability p, what is q in terms of M and p? p = 1 - q-1i=1(1 - i/M)  1 - e-q(q-1)/2M q  (2M ln(1/1-p)) For p = 0.5, q  1.17M if M = 365, q  23 and the probability of 2 people having the same birthday in a group of 23 people is more than 0.5 – Birthday attack/paradox 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

17 Complexities/Probability of success
Find Pre-Image Success Probability: 1-(1-1/M)q  q/M Complexity: (q) Find Second Pre-Image Success Probability: 1-(1-1/M)q-1  q/M Find Collision Success Probability: 1 - q-1i=1(1 - i/M)  1 - e-q(q-1)/2M Complexity: (q2) 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

18 Example: Traveling Salesman
Given a set of points and the cost of going from each to another, find a least cost path that covers all points n points Try all combinations T(n) = n! 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

19 CS284/Spring04/GWU/Vora/One-Way Functions
Definitions Polynomial time: When the worst-case running time of an algorithm is polynomial in the size of the input Exponential time: When the worst-case running time of an algorithm is exponential in the size of the input 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

20 Polynomial vs. Exponential
4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

21 Non-deterministic Polynomial: NP
When you can check that a solution is correct in polynomial time Example: Travelling Salesman, all polynomial-time algorithms, discrete log, roots of a polynomial 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

22 CS284/Spring04/GWU/Vora/One-Way Functions
SHA-1 Pad given string x so that it is of length a multiple of 512 bits. Call this string y = M1||M2||…||Mn Iteratively calculate the hash of y using a hash function (known as the compression function) for 512 bits (hash is of length 160 bits) What is complexity of a birthday attack? 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

23 CS284/Spring04/GWU/Vora/One-Way Functions
SHA-1 contd. current_hash = H0||H1||H2||H3||H4 for i=1, 2, ..n A||B||C||D||E|| = h(Mi, current_hash) H0+=A; H1+=B; … endfor 4/24/2019 CS284/Spring04/GWU/Vora/One-Way Functions

Download ppt "One Way Functions Motivation Complexity Theory Review, Motivation"

Similar presentations

Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.
CPS 290 Computer Security Network Tools Cryptography Basics CPS 290Page 1.

CPS 290 Computer Security Network Tools Cryptography Basics CPS 290Page 1.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)

Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.

Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.

Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.
Public Key Algorithms 4/17/2017 M. Chatterjee.

Public Key Algorithms 4/17/2017 M. Chatterjee.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.

CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.

Similar presentations

Ads by Google