Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 18.

Published byBriana Sharp Modified over 5 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 18."— Presentation transcript:

1 Cryptography Lecture 18

2 Hash functions

3 Recall: building a hash function
Two-stage approach Build a compression function h I.e., hash function for fixed-length inputs Build a full-fledged hash function (for arbitrary length inputs) from a compression function h We have already discussed how to do the second step (Merkle-Damgard transform)

4 Building a compression function
Davies-Meyer construction Others are also possible h(k, m) = Fk(m)  m m k F

5 Proof of security? Can prove collision resistance if we model the underlying block cipher F as an ideal cipher Stronger than the random-oracle model! Model block cipher F: {0,1}n x {0,1}n  {0,1}n as a collection of public, independent, random permutations I.e., for each key k, Fk is an independent, random permutation on {0,1}n

6 The ideal-cipher model
This is more than assuming F is a PRP Fk random even when k is known! No weak keys (i.e., Fk random even when k is not uniform) No related-key attacks (i.e., Fk and Fk’ are independent even when k, k’ are related) Formally, similar to the RO model In particular, the only way to evaluate F is via explicit oracle queries Attacker allowed to query F and F-1

7 Proof of security Claim: attacker making q queries finds a collision with probability  q2/2n (optimal) Proof Each query to F/F-1 reveals one value hi = h(ki ,mi) Moreover, each hi is (essentially) uniform and independent of all previous outputs So probability of finding a collision is (essentially) the same as for a birthday attack

8 SHA-2 Compression function based on Davies-Meyer
With “block cipher” specifically designed for SHA Hash function built from compression function using Merkle-Damgard

9 (Computational) number theory

10 Why now? We have not needed any number theory or “advanced math” until now Practical private-key cryptography is based on stream ciphers, block ciphers, and hash functions Lots of interesting and non-trivial crypto can be done without any number theory!

11 Why now? Reason 1: Culmination of “top-down” approach
For most cryptography, we ultimately need to assume some problem is hard The “lowest-level” assumptions we can make relate to problems in number theory These problems have often been studied a long time

12 Why now? Reason 2: The public-key setting
Public-key encryption requires number theory (in some sense)

13 Our goal Cover basic number theory quickly!
Cover the minimum needed for all the applications we will study Some facts stated without proof Can take entire class(es) devoted to this material Abstracting some of the ideas makes things easier to understand

14 Computational number theory
We will be interested in the computational difficulty of various problems Different from most of mathematics! The representation of mathematical objects is crucial for understanding the computational efficiency of working with them

15 Computational number theory
Measure running times of algorithms in terms of the input lengths involved For integer x, we have ǁxǁ = O(log x), x = O(2ǁxǁ) An algorithm taking input x and running in time O(x) is exponential time Efficient algorithm must run in time poly(ǁxǁ)

16 Computational number theory
Our goal: classify various problems as either “easy” or “hard” I.e., polynomial-time algorithms known or not We will not focus on optimizations, although these are very important in practice For “easy” problems: speed up cryptographic implementations For “hard” problems: need to understand concrete hardness for concrete security

17 Representing integers
Cryptography involves very large numbers! Standard (unsigned) integers (e.g., in C) are small, fixed length (e.g., 16 or 32 bits) For crypto, need to work with integers that are much longer (e.g., 2000 bits) Solution: use an array E.g., “bignum” = array of unsigned chars (bytes) May be useful to also maintain a variable indicating the length of the array Or, assume fixed length (which bounds the maximum size of a bignum)

18 Example: addition Now need to define all arithmetic operations on bignums Start by adding two bytes (e.g., bignum arrays of length 1) Note that C discards the overflow, i.e., it does addition modulo 28

19 Example: adding bytes AddWithCarry(char a, char b, char carry)
// carry is 0 or 1 If a < 27 and b < 27 res=a+b+carry, carry=0 If a < 27 and b ≥ 27 res=a+(b-27)+carry If res ≥ 27 res=res-27, carry=1 Else res=res+27, carry=0 If a ≥ 27 and b ≥ 27 res=(a-27)+(b-27)+carry, carry=1 Note a ≥ 27 iff msb(a)=1

20 Example: addition Add(bignum a, int L1, bignum b, int L2)
Use grade-school addition, using AddWithCarry entry-by-entry… Running time O(max{L1,L2}) = O(max{ǁaǁ,ǁbǁ}) If ǁaǁ=ǁbǁ=n then O(n) Is it possible to do better? No – must read input (O(n)) and write output (O(n))

21 Example: multiplication
What is the length of the result of a*b? ǁabǁ=O(log ab)=O(log a + log b) =O(ǁaǁ+ǁbǁ) Use grade-school multiplication… Running time O(ǁaǁǁbǁ) If ǁaǁ=ǁbǁ=n then O(n2) Can we do better? Surprisingly…yes! But we will not cover here…

22 Basic arithmetic operations
Addition / subtraction / multiplication can all be done efficiently Using grade-school algorithms (or better) Division-with-remainder can also be done efficiently Much less obvious!

23 Modular arithmetic Notation: a = b mod N  [a mod N] = [b mod N]
[a mod N] is the remainder of a when divided by N Note 0 ≤ [a mod N] ≤ N-1 a = b mod N  [a mod N] = [b mod N]

24 Modular arithmetic Note that [a+b mod N] = [[a mod N] + [b mod N] mod N] [a-b mod N] = [[a mod N] - [b mod N] mod N] and [ab mod N] = [[a mod N][b mod N] mod N] I.e., can always work with reduced intermediate values This can be used to speed up computations

25 Modular arithmetic Careful: not true for division!
I.e., [9/3 mod 6] = [3 mod 6] = 3 but [[9 mod 6]/[3 mod 6] mod 6] = 3/3 = 1 We will return to division later…

26 Modular arithmetic Modular reduction can be done efficiently
Use division-with-remainder Modular addition / subtraction / multiplication can all be done efficiently We will return to division later

27 Exponentiation Compute ab ? Instead, look at modular exponentiation
ǁabǁ = O(b · ǁaǁ) Just writing down the answer takes exponential time! Instead, look at modular exponentiation I.e., compute [ab mod N] Size of the answer < ǁNǁ How to do it? Computing ab and then reducing modulo N will not work…

Download ppt "Cryptography Lecture 18."

Similar presentations

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Merkle Damgard Revisited: how to Construct a hash Function

Merkle Damgard Revisited: how to Construct a hash Function
Chapter Three: Closure Properties for Regular Languages

Chapter Three: Closure Properties for Regular Languages
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.

Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Dan Boneh Intro. Number Theory Arithmetic algorithms Online Cryptography Course Dan Boneh.

Dan Boneh Intro. Number Theory Arithmetic algorithms Online Cryptography Course Dan Boneh.
Cryptography Lecture 14 Arpita Patra © Arpita Patra.

Cryptography Lecture 14 Arpita Patra © Arpita Patra.
1 Message Authentication using Message Digests and the MD5 Algorithm Message authentication is important where undetected manipulation of messages can.

1 Message Authentication using Message Digests and the MD5 Algorithm Message authentication is important where undetected manipulation of messages can.
Number-Theoretic Algorithms

Number-Theoretic Algorithms
Chapter 12 – Hash Algorithms

Chapter 12 – Hash Algorithms
Advanced Algorithms Analysis and Design

Advanced Algorithms Analysis and Design
B504/I538: Introduction to Cryptography

B504/I538: Introduction to Cryptography
Topic 26: Discrete LOG Applications

Topic 26: Discrete LOG Applications
MA/CSSE 473 Day 05 Factors and Primes Recursive division algorithm.

MA/CSSE 473 Day 05 Factors and Primes Recursive division algorithm.
Hash table CSC317 We have elements with key and satellite data

Hash table CSC317 We have elements with key and satellite data

Similar presentations

Ads by Google