Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Science 654 Lecture 1 : Hash Functions Professor Wayne Patterson Howard University Spring 2010 (Stamp Chapter 5)

Published byAlexander Hubert Roberts Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer Science 654 Lecture 1 : Hash Functions Professor Wayne Patterson Howard University Spring 2010 (Stamp Chapter 5)"— Presentation transcript:

1

2 Computer Science 654 Lecture 1 : Hash Functions Professor Wayne Patterson Howard University Spring 2010 (Stamp Chapter 5)

3 Hash Function Motivation Suppose Alice signs M –Alice sends M and S = [M] Alice to Bob (using an encryption key) –Bob verifies that M = {S} Alice –Is it OK to just send S? If M is big, [M] Alice is costly to compute Suppose instead, Alice signs h(M), where h(M) is much smaller than M –Alice sends M and S = [h(M)] Alice to Bob –Bob verifies that h(M) = {S} Alice

4 Crypto Hash Function Crypto hash function h(x) must provide –Compression  output length is small –Efficiency  h(x) easy to computer for any x –One-way  given a value y it is infeasible to find an x such that h(x) = y –Weak collision resistance  given x and h(x), infeasible to find y  x such that h(y) = h(x) –Strong collision resistance  infeasible to find any x and y, with x  y such that h(x) = h(y) –Lots of collisions exist, but hard to find one

5 Are There Collisions? Suppose that the hash function h hashes messages to 128 bits. Just for messages of length 150 bits, consider: –For all messages of length 150 bits (2 150 of them), there will be 2 (150-128) = 2 22 = 4,194,304 that will hash to a given value

6 Pre-Birthday Problem Suppose N people in a room How large must N be before the probability someone has same birthday as me is  1/2 –Solve: 1/2 = 1  (364/365) N for N –Find N = 253

7 Birthday Problem How many people must be in a room before probability is  1/2 that two or more have same birthday? –1  365/365  364/365    (365  N+1)/365 –Set equal to 1/2 and solve: N = 23 Surprising? A paradox? Maybe not: “Should be” about sqrt(365) since we compare all pairs x and y (See birthday calculations.xls)

8 Of Hashes and Birthdays If h(x) is N bits, then 2 N different hash values are possible sqrt(2 N ) = 2 N/2 Therefore, hash about 2 N/2 random values and you expect to find a collision Implication: secure N bit symmetric key requires 2 N  1 work to “break” while secure N bit hash requires 2 N/2 work to “break”

9 Non-crypto Hash (1) Data X = (X 0,X 1,X 2,…,X n-1 ), each X i is a byte Spse hash(X) = X 0 +X 1 +X 2 +…+X n-1 Is this secure? Example: X = (10101010,00001111) Hash is 10111001 – 10101010 + 00001111 – --------- – 10111001 But so is hash of Y = (00001111,10101010) Easy to find collisions, so not secure…

10 Non-crypto Hash (2) Data X = (X 0,X 1,X 2,…,X n-1 ) Suppose hash is –h(X) = nX 0 +(n-1)X 1 +(n-2)X 2 +…+1  X n-1 Is this hash secure? At least –h(10101010,00001111)  h(00001111,10101010) –h(10101010,00001111) = 2X0 + X1 – = 01010100 + 00001111 = 01010011 But hash of (00000001,00001111) is same as hash of (00000000,00010001) Not one-way, but this hash is used in the (non-crypto) application rsyncrsync

11 Non-crypto Hash (3) Cyclic Redundancy Check (CRC) Essentially, CRC is the remainder in a long division problem Good for detecting burst errors But easy to construct collisions CRC sometimes mistakenly used in crypto applications (WEP)

12 CRC Example Suppose the divisor in the CRC is 10011 Data is 10101011 CRC is – 10110110 10011 )101010110000 – 10011 – 11001 – 10011 – 10101 – 10011 – 11000 – 10011 – 10110 – 10011 – 1010

13 Popular Crypto Hashes MD5  invented by Rivest –128 bit output –Note: MD5 collision recently found SHA-1  A US government standard (similar to MD5) –160 bit output Many others hashes, but MD5 and SHA-1 most widely used Hashes work by hashing message in blocks

14 Crypto Hash Design Desired property: avalanche effect –Change to 1 bit of input should affect about half of output bits Crypto hash functions consist of some number of rounds Want security and speed –Avalanche effect after few rounds –But simple rounds Analogous to design of block ciphers

15 Tiger Hash “Fast and strong” Designed by Ross Anderson and Eli Biham  leading cryptographers Design criteria –Secure –Optimized for 64-bit processors –Easy replacement for MD5 or SHA-1

16 Tiger Hash Like MD5/SHA-1, input divided into 512 bit blocks (padded) Unlike MD5/SHA-1, output is 192 bits (three 64-bit words) –Truncate output if replacing MD5 or SHA-1 Intermediate rounds are all 192 bits 4 S-boxes, each maps 8 bits to 64 bits A “key schedule” is used

17 Tiger Outer Round F7F7 F9F9  W  cab cab F5F5 key schedule Input is X –X = (X 0,X 1,…,X n-1 ) –X is padded – Each X i is 512 bits There are n iterations of diagram at left –One for each input block Initial (a,b,c) constants Final (a,b,c) is hash Looks like block cipher! cab W W XiXi

18 Tiger Inner Rounds f m,0 f m.1 f m,2 f m,7 w0w0 w1w1 w2w2 w7w7 cab cab Each F m consists of precisely 8 rounds 512 bit input W to F m –W=(w 0,w 1,…,w 7 ) –W is one of the input blocks X i All lines are 64 bits The f m,i depend on the S-boxes (next slide)

19 Tiger Hash: One Round Each f m,i is a function of a,b,c,w i and m –Input values of a,b,c from previous round –And w i is 64-bit block of 512 bit W –Subscript m is multiplier –And c = (c 0,c 1,…,c 7 ) Output of f m,i is –c = c  w i –a = a  (S 0 [c 0 ]  S 1 [c 2 ]  S 2 [c 4 ]  S 3 [c 6 ]) –b = b + (S 3 [c 1 ]  S 2 [c 3 ]  S 1 [c 5 ]  S 0 [c 7 ]) –b = b  m Each S i is S-box: 8 bits mapped to 64 bits

20 Tiger Hash Key Schedule Input is X –X=(x 0,x 1,…,x 7 ) Small change in X will produce large change in key schedule output x 0 = x 0  (x 7  0xA5A5A5A5A5A5A5A5) x 1 = x 1  x 0 x 2 = x 2  x 1 x 3 = x 3  (x 2  ((~x 1 ) << 19)) x 4 = x 4  x 3 x 5 = x 5 +x 4 x 6 = x 6  (x 5  ((~x 4 ) >> 23)) x 7 = x 7  x 6 x 0 = x 0 +x 7 x 1 = x 1  (x 0  ((~x 7 ) << 19)) x 2 = x 2  x 1 x 3 = x 3 +x 2 x 4 = x 4  (x 3  ((~x 2 ) >> 23)) x 5 = x 5  x 4 x 6 = x 6 +x 5 x 7 = x 7  (x 6  0x0123456789ABCDEF)

21 Tiger Hash Summary (1) Hash and intermediate values are 192 bits 24 rounds –S-boxes: Claimed that each input bit affects a, b and c after 3 rounds –Key schedule: Small change in message affects many bits of intermediate hash values –Multiply: Designed to insure that input to S-box in one round mixed into many S-boxes in next S-boxes, key schedule and multiply together designed to insure strong avalanche effect

22 Tiger Hash Summary (2) Uses lots of ideas from block ciphers –S-boxes –Multiple rounds –Mixed mode arithmetic At a higher level, Tiger employs –Confusion –Diffusion

23 HMAC Can compute a MAC of the message M with key K using a “hashed MAC” or HMAC HMAC is an example of a keyed hash –Why do we need a key? How to compute HMAC? Two obvious choices –h(K,M) –h(M,K)

24 HMAC Should we compute HMAC as h(K,M) ? Hashes computed in blocks –h(B 1,B 2 ) = F(F(A,B 1 ),B 2 ) for some F and constant A –Then h(B 1,B 2 ) = F(h(B 1 ),B 2 ) Let M’ = (M,X) –Then h(K,M’) = F(h(K,M),X) –Attacker can compute HMAC of M’ without K Is h(M,K) better? –Yes, but… if h(M’) = h(M) then we might have h(M,K)=F(h(M),K)=F(h(M’),K)=h(M’,K)

25 The Right Way to HMAC Described in RFC 2104 Let B be the block length of hash, in bytes –B = 64 for MD5 and SHA-1 and Tiger ipad = 0x36 repeated B times opad = 0x5C repeated B times Then HMAC(M,K) = H(K  opad, H(K  ipad, M))

26 Hash Uses Authentication (HMAC) Message integrity (HMAC) Message fingerprint Data corruption detection Digital signature efficiency Anything you can do with symmetric crypto

27 Online Auction Suppose Alice, Bob and Charlie are bidders Alice plans to bid A, Bob B and Charlie C They don’t trust that bids will stay secret Solution? –Alice, Bob, Charlie submit hashes h(A), h(B), h(C) –All hashes received and posted online –Then bids A, B and C revealed Hashes don’t reveal bids (one way) Can’t change bid after hash sent (collision)

28 Spam Reduction Spam reduction Before I accept an email from you, I want proof that you spent “effort” (e.g., CPU cycles) to create the email Limit amount of email that can be sent Make spam much more costly to send

29 Spam Reduction Let M = email message Let R = value to be determined Let T = current time Sender must find R such that –hash(M,R,T) = (00…0,X), where –N initial bits of hash are all zero Sender then sends (M,R,T) Recipient accepts email, provided –hash(M,R,T) begins with N zeros

30 Spam Reduction Sender: hash(M,R,T) begins with N zeros Recipient: verify that hash(M,R,T) begins with N zeros Work for sender: about 2 N hashes Work for recipient: 1 hash Sender’s work increases exponentially in N Same work for recipient regardless of N Choose N so that –Work acceptable for normal email users –Work unacceptably high for spammers!

Download ppt "Computer Science 654 Lecture 1 : Hash Functions Professor Wayne Patterson Howard University Spring 2010 (Stamp Chapter 5)"

Similar presentations

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Chapter 5: Hash Functions++

Chapter 5: Hash Functions++
Part 1  Cryptography 1 Chapter 5: Hash Functions++ “I'm sure [my memory] only works one way.” Alice remarked. “I can't remember things before they happen.”

Part 1  Cryptography 1 Chapter 5: Hash Functions++ “I'm sure [my memory] only works one way.” Alice remarked. “I can't remember things before they happen.”
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,

Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.

Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.

CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is.

Hash Functions 1 Hash Functions Hash Functions 2 Cryptographic Hash Function  Crypto hash function h(x) must provide o Compression  output length is.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)

1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

Similar presentations

Ads by Google