L24. Collision Resistant Hashing. apr 20 abhi shelat

Size: px

Start display at page:

Download "L24. Collision Resistant Hashing. apr 20 abhi shelat"

Oscar Gray
7 years ago
Views:

1 L Collision Resistant Hashing apr 20 abhi shelat

2 1-time existential unforgability even when given a signing oracle for 1 msg, an adversary cannot forge a signature for any message of its choosing Eve Alice

3 1-time existential unforgability even when given a signing oracle for 1 msg, an adversary cannot forge a signature for any message of its choosing Eve Alice m

4 let { f }n be a collection of owfs. Gen(1 n ):

5 let { f }n be a collection of owfs. Gen(1 n ): x 0 0 x 0 1 x 0 2 x 0 3 x 1 0 x 1 1 x 1 2 x 1 3

6 let { f }n be a collection of owfs. Gen(1 n ): x 0 0 x 0 1 x 0 2 x 0 3 f f f f x 1 0 x 1 1 x 1 2 x 1 3 f f f f

7 let { f }n be a collection of owfs. Gen(1 n ): x 0 0 x 0 1 x 0 2 x 0 3 f f f f x 1 0 x 1 1 x 1 2 x 1 3 secret key f f f f public key

8 let { f }n be a collection of owfs. Gen(1 n ): x 0 0 x 0 1 x 0 2 x 0 3 f f f f x 1 0 x 1 1 x 1 2 x 1 3 secret key f f f f public key Signsk(m):

9 let { f }n be a collection of owfs. Gen(1 n ): x 0 0 x 0 1 x 0 2 x 0 3 f f f f x 1 0 x 1 1 x 1 2 x 1 3 secret key f f f f public key Signsk(m): 0110

10 let { f }n be a collection of owfs. Gen(1 n ): x 0 0 x 0 1 x 0 2 x 0 3 f f f f x 1 0 x 1 1 x 1 2 x 1 3 secret key f f f f public key Signsk(m): x 0 0 x x 1 1 x 1 2

11 security proof let { f }n be a collection of owfs. Gen(1 n ): x 0 0 x 0 1 x 0 2 x 0 3 f f f f x 1 0 x 1 1 x 1 2 x 1 3 secret key f f f f public key Signsk(m): x 0 0 x x 1 1 x 1 2

12 anatomy of a 1-forger query response pk Forging Adversary forgery

13 anatomy of an inverter f(x) x one-way function inverter

14 how to use a 1-forger to make an inverter

15 f(x) x one-way function inverter x 0 0 x 0 1 x 0 3 x 1 0 x 1 1 x 1 2 x 1 3 x 0 0 x 0 3 x 1 1 x 1 2 query resp f f f(x) f f f f f Forging Adversary x 0 2 x 1 0 x 1 1 x 1 3

16 goal: sign long msgs

17 goal of a hash function many bits hash function h fewer bits

18 a hash function is a function such that h is easy to evaluate and r < d

19 useful in data structures public class test { public static void main(string[] args) { System.out.println(args[0].hashCode()); } } abhi$ java test HHHHHHHHHHHHHHHHHHHHGGGDD

20 collisions should be rare public class test { public static void main(string[] args) { System.out.println(args[0].hashCode()); } } abhi$ java test HHHHHHHHHHHHHHHHHHHHGGGDD abhi$ java test hello world

21 java hash function

22 java hash function it is thus easy to find a pair s1,s2 such that h(s1)= h(s2)

23 public class test { public static void main(string[] args) { System.out.println(args[0].hashCode()); } } abhi$ java test HHHHHHHHHHHHHHHHHHHHGGGDD

24 public class test { public static void main(string[] args) { System.out.println(args[0].hashCode()); } } abhi$ java test HHHHHHHHHHHHHHHHHHHHGGGDD abhi$ java test HHHHHHHHHHHHHHHHHHHHGGGCc

25 public class test { public static void main(string[] args) { System.out.println(args[0].hashCode()); } } abhi$ java test HHHHHHHHHHHHHHHHHHHHGGGDD abhi$ java test HHHHHHHHHHHHHHHHHHHHGGGCc D - c + 31( D - C ) = 0

26 hashing is also important for cryptographic applications finding a collision should be intractable

27 definition in addition to being easy to compute, it should be hard for a p.p.t. adversary to find a hash collision.

28 a collision resistant hash function is such that h is easy to evaluate and n < d and for all non-uniform p.p.t. A

29 a collision resistant hash function is such that h is easy to evaluate and n < d and for all non-uniform p.p.t. A

30 a collision resistant hash function is such that h is easy to evaluate and n < d and for all non-uniform p.p.t. A first problem: what if s1=s2

31 non-uniform advice a collision resistant hash function is such that h is easy to evaluate and n < d and for all non-uniform p.p.t. A

32 non-uniform advice a collision resistant hash function is such that h is easy to evaluate and n < d and for all non-uniform p.p.t. A there must exist a collision. the collision can be non-uniform advice.

33 new definition a family of collision resistant hash funcs is such that easy to sample a function i hi is easy to evaluate and n < d and for all non-uniform p.p.t. A and

34 general attacks

35 general attacks pick a pair x,y from domain if h(x)=h(y) and x = y output (x,y) else repeat

36 domain of size d range of size r

37 domain of size d range of size r

38 domain of size d range of size r

39 domain of size d s1 range of size r

40 domain of size d s1 s2... sr range of size r

41 domain of size d s1 s2... sr range of size r

42 domain of size d s1 s2... sr range of size r...

43 domain of size d s1 s2... sr range of size r

44 domain of size d s1 s2... sr range of size r

45 domain of size d s1 s2... sr range of size r

46 domain of size d s1 s2... sr range of size r

47 domain of size d s1 s2... sr range of size r

48 domain of size d s1 s2... sr range of size r

49 domain of size d s1 s2... sr range of size r

50 domain of size d s1 s2... sr range of size r

51 domain of size d s1 s2... sr range of size r

52 domain of size d s1 s2... sr range of size r

53 domain of size d s1 s2... sr range of size r

54 birthday attacks

55 birthday attacks pick q (distinct) x1,x2,...,xq from domain make list h(x1),...,h(xq) look for collision in list

56 q=2 birthday attacks

57 birthday attacks pick q (distinct) x1,x2,...,xq from domain make list h(x1),...,h(xq) look for collision in list q=2

58 birthday attacks pick q (distinct) x1,x2,...,xq from domain make list h(x1),...,h(xq) look for collision in list q=1 q=2

59 birthday attacks pick q (distinct) x1,x2,...,xq from domain make list h(x1),...,h(xq) look for collision in list q=1 q=2 q=3

60 birthday attacks

61 birthday attacks pick q (distinct) x1,x2,...,xq from domain make list h(x1),...,h(xq) look for collision in list

62 birthday attacks pick q (distinct) x1,x2,...,xq from domain make list h(x1),...,h(xq) look for collision in list pick and prob of collision is good

63 constructions crhf under the discrete log assumption

64 constructions crhf under the discrete log assumption

65 constructions crhf under the discrete log assumption

66 constructions crhf under the discrete log assumption

67 why is this cr? crhf under the discrete log assumption

68 why is this cr? crhf under the discrete log assumption suppose

69 why is this cr? crhf under the discrete log assumption suppose

70 why is this cr? crhf under the discrete log assumption suppose if b=b if then x=x

71 why is this cr? crhf under the discrete log assumption suppose if b=b if then x=x if collision, then b=b

72 why is this cr? crhf under the discrete log assumption suppose

73 why is this cr? crhf under the discrete log assumption suppose

74 why is this cr? crhf under the discrete log assumption suppose is the dlog of y w.r.t x

75 only compresses by 1 bit

76 merkle-damgard trick x0 x1 x2... xn

77 merkle-damgard trick x0 x1 x2... xn h: N+1 to N bits

78 merkle-damgard trick x0 x1 x2... xn h: iv N+1 to N bits

79 merkle-damgard trick x0 x1 x2... xn h: iv N+1 to N bits

80 merkle-damgard trick x0 x1 x2... xn iv h: N+1 to N bits h: N+1 to N bits

81 merkle-damgard trick x0 x1 x2... xn h: h: h: iv N+1 N+1... N+1 to to to N bits N bits N bits

82 merkle-damgard trick x0 x1 x2... xn h: h: h: iv N+1 N+1... N+1 to to to N bits N bits N bits

83 md4 md sha sha

84 md4 md bit 128 bit sha bit sha bit

85 md bit 1995 md bit 1998 sha bit 2005* sha bit

86 how to sign 1 long msg

87 how to sign many msgs

89 many msgs with less state

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Prof. Zeph Grunschlag Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each