Blockchains Lecture 4.


1 Blockchains Lecture 4

2 Authenticated encryption

3 Secrecy + integrity?
We have shown primitives for achieving secrecy and integrity in the private-key setting
What if we want to achieve both?

4 Authenticated encryption
An encryption scheme that achieves both secrecy and integrity

5 Constructions?
Generic constructions
Encrypt and authenticate
Authenticate then encrypt
Encrypt then authenticate
Direct constructions

6 Generic constructions
Generically combine an encryption scheme and a MAC
Useful when these are already available in some library
Goal: the combination should be an authenticated encryption scheme when instantiated with any CPA-secure encryption scheme and any secure MAC

7 Generic constructions?
Encrypt and authenticate
Authenticate then encrypt
Encrypt then authenticate


9 Encrypt then authenticate
Both parties hold independent keys k1, k2
Sender: c ← Enck1(m), t = Mack2(c); send (c, t)
Receiver: Vrfyk2(c, t) = 1? Only then m = Deck1(c)

10 Authenticated encryption
Encrypt-then-authenticate (with independent keys) is the recommended generic approach for constructing authenticated encryption
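Added example, not code from the lecture: a minimal encrypt-then-authenticate scheme in Python using only the standard library. HMAC-SHA256 run in counter mode stands in for the CPA-secure encryption Enc (an assumption of this illustration; a deployment would use AES-CTR or a standard AEAD such as GCM), and HMAC-SHA256 over the whole ciphertext is the MAC. The keys k1 and k2 are derived independently from one master secret, matching the slide's "independent keys" requirement, and decryption does not touch the plaintext until the tag has been verified in constant time.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(k1: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256 stands in for a block cipher here (assumption).
    XOR with a pseudorandom keystream is CPA-secure as long as a nonce is never
    reused under the same key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k1, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def enc(k1: bytes, m: bytes, nonce: bytes = None) -> bytes:
    """Enc_k1(m): output is nonce || (m XOR keystream)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(k1, nonce, len(m))
    return nonce + bytes(a ^ b for a, b in zip(m, ks))


def dec(k1: bytes, c: bytes) -> bytes:
    """Dec_k1(c): strip the nonce and undo the XOR."""
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(k1, nonce, len(body))))


def mac(k2: bytes, c: bytes) -> bytes:
    """Mac_k2(c): HMAC-SHA256 over the entire ciphertext, nonce included."""
    return hmac.new(k2, c, hashlib.sha256).digest()


def ae_encrypt(k1: bytes, k2: bytes, m: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-authenticate: c <- Enc_k1(m); t = Mac_k2(c); send c || t."""
    c = enc(k1, m, nonce)
    return c + mac(k2, c)


def ae_decrypt(k1: bytes, k2: bytes, ct: bytes):
    """Vrfy_k2(c, t) = 1 first; decrypt only afterwards. Returns None on any failure,
    so a tampered ciphertext never yields (even partial) plaintext."""
    if len(ct) < NONCE_LEN + TAG_LEN:
        return None
    c, t = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(mac(k2, c), t):  # constant-time tag comparison
        return None
    return dec(k1, c)


def derive_keys(master: bytes):
    """Independent keys k1, k2 from one master secret via labelled HMAC calls."""
    k1 = hmac.new(master, b"encryption key", hashlib.sha256).digest()
    k2 = hmac.new(master, b"mac key", hashlib.sha256).digest()
    return k1, k2
```

Flipping a single bit anywhere in the output, truncating it, or swapping the roles of k1 and k2 makes ae_decrypt return None instead of plaintext; that is the integrity property the generic composition is meant to deliver on top of CPA security.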

11 Direct constructions
Other, more-efficient constructions have been proposed and are an active area of research and standardization
E.g., OCB, CCM, GCM, SIV
Others…
Active competition:

12 Secure sessions

13 Secure sessions?
Consider parties who wish to communicate securely over the course of a session
“Securely” = secrecy and integrity
“Session” = period of time over which the parties are willing to maintain state
Can use authenticated encryption…

14 (Diagram) Both parties hold k; Enck(m1) and Enck(m2) are sent in one direction, Enck(m3) in the other

15 Replay attack (diagram): both parties hold k; after Enck(m1) and Enck(m2) are sent, the attacker re-sends Enck(m1) and the receiver accepts it as a fresh message

16 Re-ordering attack (diagram): both parties hold k; Enck(m1), Enck(m2) are sent in that order but delivered as Enck(m2), Enck(m1)

17 Reflection attack (diagram): both parties hold k; Enck(m1) and Enck(m2) are sent in one direction, and the attacker sends Enck(m2) back to its own sender, who accepts it as a message from the other party

18 Secure sessions These attacks (and others) can be prevented using counters/sequence numbers and identifiers

19 (Diagram) Both parties hold k; Enck(“Bob” | m1 | 1) and Enck(“Bob” | m2 | 2) are sent in one direction, Enck(“Alice” | m3 | 1) in the other: every message now carries an identifier and a per-direction counter

20 Secure sessions
These attacks (and others) can be prevented using counters and identifiers
Can also use a directionality bit in place of identifiers
What about authenticated sessions? The same! Just use a MAC instead of authenticated encryption
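Added example, not from the slides: an authenticated (integrity-only) session endpoint in Python, the MAC-based variant slide 20 describes. Each message is tagged with HMAC-SHA256 together with the sender's identifier and a sequence number, as in the Enck(“Bob” | m1 | 1) layout of slide 19. The run_attacks function replays the three attacks from slides 15 to 17 against it with constructed messages; the identifier names, the single shared key used in both directions and the packet layout are assumptions of this illustration.

```python
import hashlib
import hmac


class AuthSession:
    """One endpoint of an authenticated session. Integrity only: messages are sent in
    the clear with a tag that binds sender identifier and sequence number."""

    def __init__(self, key: bytes, me: str, peer: str):
        self.key = key
        self.me = me
        self.peer = peer
        self.send_seq = 0   # counter for the direction me -> peer
        self.recv_seq = 0   # next sequence number expected from peer

    @staticmethod
    def _tag(key: bytes, sender: str, seq: int, m: bytes) -> bytes:
        # Unambiguous encoding: length-prefixed identifier, fixed-width counter, message.
        ident = sender.encode()
        data = len(ident).to_bytes(1, "big") + ident + seq.to_bytes(8, "big") + m
        return hmac.new(key, data, hashlib.sha256).digest()

    def send(self, m: bytes):
        """Return the packet (sender, seq, m, tag) and advance the send counter."""
        seq = self.send_seq
        self.send_seq += 1
        return (self.me, seq, m, self._tag(self.key, self.me, seq, m))

    def receive(self, packet):
        """Return m if the packet is authentic, from the peer and in order; else None.
        State is only advanced on acceptance."""
        sender, seq, m, tag = packet
        if not hmac.compare_digest(self._tag(self.key, sender, seq, m), tag):
            return None              # forged or modified
        if sender != self.peer:
            return None              # reflection: our own message sent back to us
        if seq != self.recv_seq:
            return None              # replay (seq already seen) or re-ordering (seq too high)
        self.recv_seq += 1
        return m


def run_attacks():
    """Drive one session through replay, re-ordering and reflection; constructed inputs."""
    k = b"constructed shared session key"
    alice = AuthSession(k, "Alice", "Bob")
    bob = AuthSession(k, "Bob", "Alice")
    p1, p2 = alice.send(b"m1"), alice.send(b"m2")
    results = {}
    results["m1"] = bob.receive(p1)             # accepted
    results["replay"] = bob.receive(p1)         # same packet again: rejected
    results["m2"] = bob.receive(p2)             # accepted
    p3, p4 = alice.send(b"m3"), alice.send(b"m4")
    results["reorder"] = bob.receive(p4)        # p4 delivered before p3: rejected
    results["m3"] = bob.receive(p3)             # accepted
    results["reflection"] = alice.receive(p2)   # Alice's own packet sent back to her: rejected
    results["m4"] = bob.receive(p4)             # p4 in order after p3: accepted
    return results
```

With a single key shared in both directions, the sender identifier inside the tag is what defeats reflection; a directionality bit in the same position would serve equally, as the slide notes. Replacing the plain message m with an authenticated-encryption ciphertext gives the secure-session variant.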

21 Hash functions

22 Hash functions
(Cryptographic) hash function: deterministic function mapping arbitrary-length inputs to a short, fixed-length output (sometimes called a digest)
Hash functions can be keyed or unkeyed
In practice, hash functions are unkeyed
We will assume unkeyed hash functions for simplicity

23 Collision-resistance
Let H: {0,1}* → {0,1}^l be a hash function
A collision is a pair of distinct inputs x, x’ such that H(x) = H(x’)
H is collision-resistant if it is infeasible to find a collision in H

24 Hash functions in practice
MD5
Developed in 1991
128-bit output length
Collisions found in 2004, should no longer be used
SHA-1
Introduced in 1995
160-bit output length
Theoretical analysis indicates some weaknesses
Very common; current trend to migrate to SHA-2
Collision found by brute force in 2017!

25 Hash functions in practice
SHA-2
Supports 224, 256, 384, and 512-bit outputs
No known weaknesses
SHA-3/Keccak
Result of a public competition from
Very different design than SHA-1/SHA-2

26 Applications to message authentication

27 Hash functions are ubiquitous
Collision-resistance → “fingerprinting”
Used as a one-way function
Used as a “random oracle”
Proof of work

28 HMAC
Constructed entirely from (a certain type of) hash functions
MD5, SHA-1, SHA-2
Not SHA-3
Can be viewed as following the hash-and-MAC paradigm
With (part of the) hash function being used as a pseudorandom function

29 Fingerprinting E.g., virus scanning E.g., deduplication

30 Fingerprinting E.g., file integrity
Assuming it is possible to get a reliable copy of H(x) for file x
Note: different from integrity in the context of message-authentication codes

31 Outsourced storage
How to outsource files to an untrusted server?
Client sends x to the server and keeps only h = H(x)
On retrieval the server returns x and the client checks H(x) =? h

32 Outsourced storage
Client sends x1, …, xn to the server and keeps hi = H(xi) for every i
To retrieve file i, the server returns xi and the client checks H(xi) =? hi
O(n) client storage!

33 Outsourced storage
Client sends x1, …, xn and keeps only h = H(x1, …, xn)
To retrieve file i, the server must return all of x1, …, xn and the client checks H(x1, …, xn) =? h
O(n|x|) communication!

34 Outsourced storage
Client sends x1, …, xn and keeps only h = H(H(x1), …, H(xn))
To retrieve file i, the server returns xi together with h1, …, hn and the client checks H(h1, …, H(xi), …, hn) =? h
|xi| + O(n) communication!

35 Merkle tree
Leaves x1, x2, x3, x4; each internal node is the hash of its two children
Only store the root!
Verify a leaf using the sibling hashes along its path to the root: O(log n) communication/computation!

36 Outsourced storage Using a Merkle tree, we can solve the outsourcing problem with O(1) client storage and |x| + O(log n) communication
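Added example, not from the slides: a Merkle tree over n files in Python with proof generation and client-side verification, realizing the O(1) storage / |x| + O(log n) communication trade-off of slides 34 to 36. Design choices that are assumptions of this illustration rather than anything the lecture prescribes: SHA-256 as H, a 0x00/0x01 prefix to separate leaf hashes from internal-node hashes, and, for n that is not a power of two, splitting at the largest power of two below n (the RFC 6962 layout) rather than duplicating the last node.

```python
import hashlib


def _leaf(x: bytes) -> bytes:
    # Domain separation: leaves and internal nodes hash with different prefixes,
    # so an internal node value can never be presented as a leaf and vice versa.
    return hashlib.sha256(b"\x00" + x).digest()


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2): size of the left subtree."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def _root_and_path(hs, i):
    """Return (root, path) for leaf hashes hs, where path lists
    (sibling_hash, sibling_is_left) from leaf i upward to the root."""
    if len(hs) == 1:
        return hs[0], []
    k = _split(len(hs))
    if i < k:
        sub_root, path = _root_and_path(hs[:k], i)
        other = _root_and_path(hs[k:], 0)[0]
        return _node(sub_root, other), path + [(other, False)]
    sub_root, path = _root_and_path(hs[k:], i - k)
    other = _root_and_path(hs[:k], 0)[0]
    return _node(other, sub_root), path + [(other, True)]


def merkle_root(files) -> bytes:
    """What the client keeps after outsourcing: one 32-byte root, O(1) storage."""
    return _root_and_path([_leaf(x) for x in files], 0)[0]


def merkle_proof(files, i):
    """What the server returns alongside x_i: ceil(log2 n) sibling hashes at most."""
    return _root_and_path([_leaf(x) for x in files], i)[1]


def merkle_verify(root: bytes, x: bytes, proof) -> bool:
    """Client side: recompute the path from x to the root, compare with the stored root."""
    h = _leaf(x)
    for sibling, sibling_is_left in proof:
        h = _node(sibling, h) if sibling_is_left else _node(h, sibling)
    return h == root
```

A modified file, a proof for a different index, or a proof with one hash altered all fail verification; the server learns nothing that would let it substitute content without finding a collision in H.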

37 Password hashing
Server stores H(pw) instead of pw
Requires more than one-wayness of H…
See later discussion on random oracles
Salting… H(“salt”, pwd)
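Added example, not from the slides: the unsalted H(pw) of slide 37 next to a salted, iterated form, in Python with the standard library's PBKDF2-HMAC-SHA256. The per-user random salt means two users with the same password store different values, and the iteration count is a work factor that raises the cost of every guess; the iteration count and salt length here are assumptions of this illustration, not values the lecture gives.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # work factor: each guess costs this many HMAC evaluations (assumed value)
SALT_LEN = 16


def unsalted_hash(pw: str) -> bytes:
    """The plain H(pw) of slide 37: fast, and identical for identical passwords,
    so one precomputed table serves against every user at once."""
    return hashlib.sha256(pw.encode()).digest()


def hash_password(pw: str, salt: bytes = None):
    """Salted, iterated hash. Returns (salt, digest); the server stores both, never pw."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(pw: str, salt: bytes, stored: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def compare_two_users(pw: str):
    """Two users who chose the same password (constructed scenario).
    Returns (unsalted hashes equal, salted digests differ)."""
    unsalted_same = unsalted_hash(pw) == unsalted_hash(pw)
    _, digest_a = hash_password(pw)
    _, digest_b = hash_password(pw)
    return unsalted_same, digest_a != digest_b
```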

38 (To introduce the random-oracle model)
Main goal is collision resistance
Want optimal birthday security
“Optimal” measured relative to a random function
Why not design H to be a “random function”?

39 The random-oracle (RO) model
Treat H as a public, random function Then H(x) is uniform for any x…

40 Many applications One canonical example: key derivation

41 The random-oracle (RO) model
Treat H as a public, random function
Then H(x) is uniform for any x…
…unless the attacker computes H(x)…
…but the attacker cannot do that (with high probability) if X has high min-entropy!

42 The RO model
Intuitively: assume the hash function “is random”
Models attacks that are agnostic to the specific hash function being used
Security in the real world as long as “no weaknesses found” in the hash function

43 The RO model
In practice: prove security in the RO model
Instantiate the RO with a “good” hash function
Hope for the best…

44 Pros and cons of the RO model
There is no such thing as a public hash function that “is random”
Not even clear what this means formally
Known counterexamples: there are (contrived) schemes secure in the RO model, but insecure when using any real-world hash function
Sometimes over-abused (arguably)

45 Pros and cons of the RO model
No known example of a “natural” scheme secure in the RO model being attacked in the real world
If an attack is found, just replace the hash
A proof in the RO model is better than no proof at all
Evidence that the basic design principles are sound

46 PRF from Hash Function in the Random Oracle Model
Fk(x) = H(k || x)
Note that this uses no computational assumption, but relies on H being a random oracle (which is already a very strong assumption).

47 Hash functions can do all major cryptographic functions
Export law (historically): encryption forbidden
HMAC was designed to circumvent this
Not just MAC: as shown in building a PRF, and therefore all sorts of major functions

