Lecture 6 Cryptographic Hash Functions


Purpose
- CHF: one of the most important tools in modern cryptography and security
- In crypto, a CHF instantiates the Random Oracle paradigm
- In security, used in a variety of authentication and integrity applications
- Not the same as the hashing used in databases or the CRCs used in communications

Cryptographic HASH Functions
- Purpose: produce a fixed-size fingerprint or digest of arbitrarily long input data
- Why? To guarantee integrity
- Properties of a good cryptographic HASH function H():
  1. Takes input of any size
  2. Produces fixed-length output
  3. Easy to compute (efficient)
  4. Given any h, computationally infeasible to find any x such that H(x) = h
  5. For a given x, computationally infeasible to find y such that H(y) = H(x) and y ≠ x
  6. Computationally infeasible to find any (x, y) such that H(x) = H(y) and x ≠ y

Same properties re-stated:
- Cryptographic properties of a good HASH function:
  - One-way-ness (#4)
  - Weak Collision-Resistance (#5)
  - Strong Collision-Resistance (#6)
- Non-cryptographic properties of a good HASH function:
  - Efficiency (#3)
  - Arbitrary-length input (#1)
  - Fixed output (#2)

Construction
- A hash function is typically based on an internal compression function f() that works on fixed-size input blocks (M_i)
  (diagram: h_1 = f(IV, M_1), h_2 = f(h_1, M_2), ..., h = f(h_{n-1}, M_n))
- Sort of like a chained block cipher
  - Produces a hash value for each fixed-size block based on (1) its content and (2) the hash value for the previous block
  - Avalanche effect: a 1-bit change in the input produces catastrophic and unpredictable changes in the output

Simple Hash Functions
- Bitwise-XOR
- Not secure, e.g., for English text (ASCII < 128) the high-order bit is almost always zero
- Can be improved by rotating the hash code after each block is XOR-ed into it
- If the message itself is not encrypted, it is easy to modify the message and append one block that would set the hash code as needed
- Another weak hash example: IP header CRC

Another example
- IPv4 header checksum
- One's complement of the one's complement sum of the IP header's 16-bit words

The Birthday Paradox
- Example hash function: y = h(x) where x = person and H() is Bday()
- y ranges over the set Y = [1..365]; let n = size of Y, i.e., the number of distinct values in the range of H()
- How many people do we need to hash to have a collision?
- Or: what is the probability of selecting at random k DISTINCT numbers from Y?
- Probability of no collisions:
  $P_0 = 1 \cdot (1 - 1/n) \cdot (1 - 2/n) \cdots (1 - (k-1)/n) \approx e^{k(1-k)/(2n)}$
- Probability of at least one collision: $P_1 = 1 - P_0$
- Set $P_1$ to be at least 0.5 and solve for k: $k \approx 1.17 \sqrt{n}$
- $k \approx 22.3$ for n = 365
- So, what's the point?

The Birthday Paradox (continued)
- Let $m = \log_2 n$ be the output size of H(); then $\sqrt{2^m} = 2^{m/2}$ trials must be computationally infeasible!

How long should a hash be?
- Many input messages yield the same hash
  - e.g., 1024-bit message, 128-bit hash
  - On average, $2^{896}$ messages map into one hash
- With an m-bit hash, it takes about $2^{m/2}$ trials to find a collision (with >= 50% probability)
- When m = 64, it takes $2^{32}$ trials to find a collision (doable in very little time)
- Today, need at least m = 160, requiring about $2^{80}$ trials
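The following is an added worked example, not part of the lecture slides. It evaluates the exact no-collision probability $P_0$ and the slide's exponential approximation for the birthday case (n = 365), solves for the smallest k with $P_1 \ge 0.5$, and then shows the same bound at work on a digest: it searches for a collision on SHA-256 truncated to m bits, which is expected to cost about $1.17 \cdot 2^{m/2}$ hash evaluations. The inputs "msg-0", "msg-1", ... are constructed here so the search is deterministic; truncating to 32 bits is only a way to make the $2^{m/2}$ cost visible on a laptop.

```python
import hashlib
import math


def p_no_collision(n, k):
    """Exact P_0 from the slide: probability that k values drawn uniformly
    from a range of size n are all distinct."""
    p = 1.0
    for i in range(k):
        p *= 1.0 - i / n
    return p


def p_no_collision_approx(n, k):
    """The slide's approximation P_0 ~ e^(k(1-k)/(2n))."""
    return math.exp(k * (1 - k) / (2.0 * n))


def k_estimate(n):
    """Solving 1 - P_0 >= 0.5 for k gives k ~ 1.17 * sqrt(n)."""
    return 1.17 * math.sqrt(n)


def min_k_for_collision(n, target=0.5):
    """Smallest k with P_1 = 1 - P_0 >= target, computed exactly."""
    k = 1
    while 1.0 - p_no_collision(n, k) < target:
        k += 1
    return k


def birthday_trials(m_bits):
    """Work for a ~50% collision on an m-bit digest: n = 2^m, so ~1.17 * 2^(m/2)."""
    return k_estimate(2 ** m_bits)


def truncated_tag(message, m_bits):
    """SHA-256 digest cut down to its first m_bits bits (byte-aligned for simplicity)."""
    assert m_bits % 8 == 0
    return hashlib.sha256(message).digest()[: m_bits // 8]


def find_truncated_collision(m_bits):
    """Find two distinct inputs whose truncated digests agree.
    Inputs are the constructed strings b"msg-0", b"msg-1", ...; the search is
    deterministic and is expected to need roughly birthday_trials(m_bits) hashes.
    Returns (trials used, first input, second input)."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        tag = truncated_tag(msg, m_bits)
        if tag in seen:
            return i + 1, seen[tag], msg
        seen[tag] = msg
        i += 1


if __name__ == "__main__":
    print("exact k for n=365:", min_k_for_collision(365),
          "estimate:", round(k_estimate(365), 1))
    trials, a, b = find_truncated_collision(32)
    print("32-bit collision after", trials, "trials; expected about",
          int(birthday_trials(32)))
```

Doubling the digest length from 32 to 64 bits would raise the expected search from about 77 thousand to about 5 billion hash evaluations, which is the "2^32 trials is doable" point of the slide turned into numbers.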

Hash Function Examples

                   SHA-1 (weak)          MD5 (defunct)          RIPEMD-160 (unloved)
  Digest length    160 bits              128 bits               160 bits
  Block size       512 bits              512 bits               512 bits
  # of steps       80 (4 rounds of 20)   64 (4 rounds of 16)    160 (5 paired rounds of 16)
  Max msg size     2^64 - 1 bits

- Other (stronger) variants of SHA are SHA-256 and SHA-512
- See: http://en.wikipedia.org/wiki/sha_hash_functions

MD5
- Author: R. Rivest, 1992
- 128-bit hash based on the earlier, weaker MD4 (1990)
- Collision resistance (birthday-attack resistance) only 64-bit
- Output size not long enough today (due to various attacks)

MD5: Message Digest Version 5
- (diagram: input message -> MD5 -> output: 128-bit digest)

Overview of MD5
- (diagram)

MD5 Padding
- Given the original message M, add padding bits 100...0 such that the resulting length is 64 bits less than a multiple of 512 bits
- Append the original length in bits to the padded message
- The final message is chopped into 512-bit blocks

MD5: Padding
- (diagram: input message -> padding -> 512-bit blocks 1, 2, 3, 4; initial value -> MD5 transformation block by block -> output: 128-bit digest as the final output)

MD5 Blocks
- (diagram: 512-bit block B_1 -> MD5 -> B_2 -> MD5 -> B_3 -> MD5 -> B_4 -> MD5 -> result)

MD5 Box
- 512-bit message chunks (16 words); initial 128-bit vector; 128-bit result
- F: (x ∧ y) ∨ (¬x ∧ z)
- G: (x ∧ z) ∨ (y ∧ ¬z)
- H: x ⊕ y ⊕ z
- I: y ⊕ (x ∨ ¬z)
- x <<< y: x left-rotate y bits

MD5 Process
- As many stages as the number of 512-bit blocks in the final padded message
- Digest: 4 32-bit words: MD = A B C D
- Every message block contains 16 32-bit words: m_0 m_1 m_2 ... m_15
  - Digest MD_0 initialized to: A = 01234567, B = 89abcdef, C = fedcba98, D = 76543210
  - Every stage consists of 4 passes over the message block, each modifying MD; each pass involves a different operation

Processing of Block m_i: 4 Passes
- (diagram) MD_i = A B C D
  ABCD = f_F(ABCD, m_i, T[1..16])
  ABCD = f_G(ABCD, m_i, T[17..32])
  ABCD = f_H(ABCD, m_i, T[33..48])
  ABCD = f_I(ABCD, m_i, T[49..64])
  MD_{i+1} = MD_i + ABCD (the four "+" boxes: word-wise addition)
- Convention: A = d_0; B = d_1; C = d_2; D = d_3
- T_i: a different constant for each step

Different Passes...
- Different functions and constants
- Different set of m_i-s
- Different sets of shifts

Functions and Random Numbers
- F(x,y,z) = (x ∧ y) ∨ (¬x ∧ z)
- G(x,y,z) = (x ∧ z) ∨ (y ∧ ¬z)
- H(x,y,z) = x ⊕ y ⊕ z
- I(x,y,z) = y ⊕ (x ∨ ¬z)
- T_i = int(2^32 · |sin(i)|), 0 < i < 65
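The following is an added example, not code from the lecture: a compact MD5 written directly from the MD5 Padding, MD5 Box, MD5 Process and Functions and Random Numbers slides, checked against the MD5 in Python's hashlib. The slides only say that each pass uses a "different set of m_i-s" and "different sets of shifts" without listing them; the per-step rotation amounts and message-word indices below are taken from RFC 1321, not from the slides. The initial words on the slide are printed byte by byte (01 23 45 67 ...); read as little-endian 32-bit values they become the constants used here. This is for understanding the construction only; MD5 should not be used for anything security-relevant, as the MD5 slide already says.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF


def rotl(x, n):
    """x <<< n: 32-bit left rotate (the "x left-rotate y bits" box on the MD5 Box slide)."""
    return ((x << n) | (x >> (32 - n))) & MASK


# The four round functions exactly as given on the slides.
def F(x, y, z): return (x & y) | (~x & z)
def G(x, y, z): return (x & z) | (y & ~z)
def H(x, y, z): return x ^ y ^ z
def I(x, y, z): return y ^ (x | ~z)


# T_i = int(2^32 * |sin(i)|) for 1 <= i <= 64; index 0 is unused so T[i] matches the slide.
T = [0] + [int(2 ** 32 * abs(math.sin(i))) & MASK for i in range(1, 65)]

# Per-step rotation amounts and message-word schedule (RFC 1321, not on the slides).
SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +
          [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)


def word_index(step):
    """Which of m_0..m_15 the given step (0..63) consumes; differs per pass."""
    rnd, i = divmod(step, 16)
    return (i, (5 * i + 1) % 16, (3 * i + 5) % 16, (7 * i) % 16)[rnd]


def md5_pad(message):
    """MD5 Padding slide: a 1 bit, then 0 bits until the length is 64 bits short of a
    multiple of 512, then the original bit length as a 64-bit little-endian integer."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def md5(message):
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476   # MD_0
    padded = md5_pad(message)
    for off in range(0, len(padded), 64):            # one stage per 512-bit block
        m = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = A, B, C, D
        for step in range(64):                        # 4 passes x 16 steps
            fn = (F, G, H, I)[step // 16]
            tmp = (a + fn(b, c, d) + m[word_index(step)] + T[step + 1]) & MASK
            a, d, c, b = d, c, b, (b + rotl(tmp, SHIFTS[step])) & MASK
        # Feed-forward: MD_{i+1} = MD_i + ABCD, word-wise mod 2^32.
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def md5_hex(message):
    return md5(message).hex()


def matches_hashlib(message):
    """Cross-check against the C implementation shipped with Python."""
    return md5(message) == hashlib.md5(message).digest()


if __name__ == "__main__":
    print(md5_hex(b"abc"), matches_hashlib(b"x" * 200))
```

The feed-forward addition at the end of each stage is what makes this a Merkle-Damgard style chain: the 128-bit state leaving block i is exactly the "initial value" entering block i+1, as the MD5 Blocks diagram shows.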

Secure Hash Algorithm (SHA)
- SHA-0 was published by NIST in 1993
- Revised in 1995 as SHA-1
  - Input: up to 2^64 bits
  - Output: 160-bit digest
  - 80-bit collision resistance
- Pad with at least 64 bits to resist padding attack
  - 1000...0 <message length>
- Processes 512-bit blocks
  - Initialize 5 x 32-bit MD registers
  - Apply the compression function
- 4 rounds of 20 steps each
- Each round uses a different non-linear function
- Registers are shifted and switched

Digest Generation with SHA-1
- (diagram)

SHA-1 of a 512-Bit Block
- (diagram)

General Logic
- Input message must be < 2^64 bits
  - not a real limitation
- Message processed in 512-bit blocks sequentially
- Message digest (hash) is 160 bits
- SHA design is similar to MD5, but a lot stronger

Basic Steps
- Step 1: Padding
- Step 2: Appending the length as a 64-bit unsigned integer
- Step 3: Initialize the MD buffer: 5 32-bit words A B C D E
  A = 67452301
  B = efcdab89
  C = 98badcfe
  D = 10325476
  E = c3d2e1f0

Basic Steps...
- Step 4: the 80-step processing of 512-bit blocks: 4 rounds, 20 steps each
- Each step t (0 <= t <= 79):
  - Input:
    - W_t: 32-bit word from the message
    - K_t: constant
    - ABCDE: current MD
  - Output:
    - ABCDE: new MD

Basic Steps...
- Only 4 per-round distinctive additive constants:
  0 <= t <= 19:  K_t = 5A827999
  20 <= t <= 39: K_t = 6ED9EBA1
  40 <= t <= 59: K_t = 8F1BBCDC
  60 <= t <= 79: K_t = CA62C1D6

Basic Steps: Zooming in
- (diagram of one step: new A = CLS5(A) + f_t(B,C,D) + E + W_t + K_t; new B = A; new C = CLS30(B); new D = C; new E = D)

Basic Logic Functions
- Only 3 different functions:
  Round            Function f_t(B,C,D)
  0 <= t <= 19     (B ∧ C) ∨ (¬B ∧ D)
  20 <= t <= 39    B ⊕ C ⊕ D
  40 <= t <= 59    (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)
  60 <= t <= 79    B ⊕ C ⊕ D

Twist With W_t's
- Additional mixing used with the input message 512-bit block
  W_0 W_1 ... W_15 = m_0 m_1 m_2 ... m_15
  For 15 < t < 80: W_t = W_{t-16} ⊕ W_{t-14} ⊕ W_{t-8} ⊕ W_{t-3}
- XOR is a very efficient operation, but with multilevel shifting it produces very extensive and random mixing!
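The following is an added example, not code from the lecture: SHA-1 assembled from the Basic Steps, Zooming in, Basic Logic Functions and Twist With W_t's slides, checked against hashlib. One caveat worth knowing: the schedule line W_t = W_{t-16} ⊕ W_{t-14} ⊕ W_{t-8} ⊕ W_{t-3} as written on the slide is the SHA-0 (1993) schedule; the 1995 revision to SHA-1 that the SHA slide mentions consists of rotating that XOR left by one bit, and the code does so. A `sha0` flag (an assumption of this example, not something the slides define) leaves the rotation out so the effect of that one-bit change on the digest can be seen. SHA-1 is retained here for the construction only; the slides themselves label it "weak".

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def rotl(x, n):
    """Circular left shift of a 32-bit word (CLS5 and CLS30 on the Zooming in slide)."""
    return ((x << n) | (x >> (32 - n))) & MASK


# K_t: the four per-round additive constants from the slides, indexed by t // 20.
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)


def f(t, b, c, d):
    """f_t(B,C,D) from the Basic Logic Functions slide."""
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40:
        return b ^ c ^ d
    if t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def sha1_pad(message):
    """Steps 1-2: 1000...0 up to 448 mod 512 bits, then the bit length as a 64-bit
    big-endian unsigned integer (MD5 does the same but little-endian)."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def message_schedule(block, sha0=False):
    """W_0..W_15 are the block's words; for 15 < t < 80 the slide gives
    W_t = W_{t-16} ^ W_{t-14} ^ W_{t-8} ^ W_{t-3}. SHA-1 additionally rotates
    that XOR left by one bit; sha0=True reproduces the original 1993 schedule."""
    W = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        x = W[t - 16] ^ W[t - 14] ^ W[t - 8] ^ W[t - 3]
        W.append(x if sha0 else rotl(x, 1))
    return W


def sha1(message, sha0=False):
    # Step 3: initial MD buffer A B C D E from the Basic Steps slide.
    A, B, C, D, E = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0
    padded = sha1_pad(message)
    for off in range(0, len(padded), 64):
        W = message_schedule(padded[off:off + 64], sha0)
        a, b, c, d, e = A, B, C, D, E
        for t in range(80):                  # Step 4: 4 rounds x 20 steps
            tmp = (rotl(a, 5) + f(t, b, c, d) + e + W[t] + K[t // 20]) & MASK
            a, b, c, d, e = tmp, a, rotl(b, 30), c, d   # registers shifted and switched
        A, B, C, D, E = ((A + a) & MASK, (B + b) & MASK, (C + c) & MASK,
                         (D + d) & MASK, (E + e) & MASK)
    return struct.pack(">5I", A, B, C, D, E)


def sha1_hex(message, sha0=False):
    return sha1(message, sha0).hex()


def matches_hashlib(message):
    return sha1(message) == hashlib.sha1(message).digest()


if __name__ == "__main__":
    print("SHA-1:", sha1_hex(b"abc"))
    print("same input, SHA-0 schedule:", sha1_hex(b"abc", sha0=True))
```

Note how little separates the two algorithms: one `rotl(x, 1)` in the schedule. Everything else on the slides (constants, round functions, the CLS5/CLS30 step) is identical, which is why "SHA-0 vs SHA-1" is a good illustration that a hash design's strength can hinge on a single mixing detail.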

SHA-1 Versus MD5
- SHA-1 is a stronger algorithm:
  - A birthday attack requires on the order of 2^80 operations, in contrast to 2^64 for MD5
- SHA-1 has 80 steps and yields a 160-bit hash (vs. 128): it involves more computation

Summary: What are hash functions good for?

Message Authentication Using a Hash Function
- Use symmetric encryption such as AES or 3-DES
- Generate H(M) of the same size as the E() block
- Use E_K(H(M)) as the MAC (instead of, say, DES MAC)
- Alice sends E_K(H(M)), M
- Bob receives C, M'; decrypts C with K, hashes the result: H(D_K(C)) =?= H(M')
- Collision => MAC forgery!

Using Hash for Authentication
- Alice to Bob: random challenge r_A
- Bob to Alice: H(K_AB || r_A)
- Bob to Alice: random challenge r_B
- Alice to Bob: H(K_AB || r_B)
- Only need to compare H() results

Using Hash to Compute MAC: integrity
- Cannot just compute and append H(m)
- Need a keyed hash:
  - Prefix:
    - MAC: H(K_AB || m), almost works, but
    - Allows concatenation with an arbitrary message: H(K_AB || m || m')
  - Suffix:
    - MAC: H(m || K_AB), works better, but what if m' is found such that H(m) = H(m')?
  - HMAC:
    - H(K_AB || H(K_AB || m))

Hash Function MAC (HMAC)
- Main idea: use a MAC derived from any cryptographic hash function
  - Note that hash functions do not use a key, and therefore cannot serve directly as a MAC
- Motivations for HMAC:
  - Cryptographic hash functions execute faster in software than encryption algorithms such as DES
  - No need for the reversibility of encryption
  - No US government export restrictions (was important in the past)
- Status: designated as mandatory for IP security
  - Also used in Transport Layer Security (TLS), which will replace SSL, and in SET

HMAC Algorithm
- Compute H1 = H() of the concatenation of M and K1
- To prevent an additional-block attack, compute again H2 = H() of the concatenation of H1 and K2
- K1 and K2 each use half the bits of K
- Notation:
  - K+ = K padded with 0s
  - ipad = 00110110 x b/8
  - opad = 01011100 x b/8
- Execution:
  - Same as H(M), plus 2 blocks

Just for fun: Using a Hash to Encrypt
- (Almost) one-time pad: similar to OFB
  - compute bit streams using H(), K, and IV
- b_1 = H(K_AB || IV), ..., b_i = H(K_AB || b_{i-1}), ...
- c_1 = p_1 ⊕ b_1, ..., c_i = p_i ⊕ b_i, ...
- Or, mix in the plaintext
  - similar to cipher feedback mode (CFB)
- b_1 = H(K_AB || IV), ..., b_i = H(K_AB || c_{i-1}), ...
- c_1 = p_1 ⊕ b_1, ..., c_i = p_i ⊕ b_i, ...
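The following is an added example, not code from the lecture: HMAC built from the ipad/opad notation on the HMAC Algorithm slide, with K+ as the key zero-padded to one hash block, the inner hash H1 over (K+ ⊕ ipad) || M and the outer hash H2 over (K+ ⊕ opad) || H1. The slide's "K1 and K2" are these two derived pads. Keys longer than a block are first hashed down, as RFC 2104 specifies (that rule is from the RFC, not the slide). The result is checked against Python's `hmac` module and against the HMAC-MD5 test vector from RFC 2104. The two naive keyed forms from the Using Hash to Compute MAC slide are included only as a contrast, and verification uses a constant-time comparison so that a tag check does not leak through timing.

```python
import hashlib
import hmac as stdlib_hmac

IPAD = 0x36   # 00110110, repeated b/8 times on the slide
OPAD = 0x5C   # 01011100


def hmac_digest(key, message, hash_name="sha256"):
    """HMAC(K, M) = H((K+ ^ opad) || H((K+ ^ ipad) || M)): the two-hash structure
    of the HMAC Algorithm slide, with K+ = K padded with zero bytes to one block."""
    def H(data=b""):
        return hashlib.new(hash_name, data)

    block_size = H().block_size                    # b/8 bytes (64 for MD5, SHA-1, SHA-256)
    if len(key) > block_size:                      # RFC 2104: long keys are hashed first
        key = H(key).digest()
    k_plus = key.ljust(block_size, b"\x00")        # K+
    k_ipad = bytes(x ^ IPAD for x in k_plus)       # "K1" on the slide
    k_opad = bytes(x ^ OPAD for x in k_plus)       # "K2" on the slide
    h1 = H(k_ipad + message).digest()              # inner hash H1
    return H(k_opad + h1).digest()                 # outer hash H2: costs one extra block


def hmac_hex(key, message, hash_name="sha256"):
    return hmac_digest(key, message, hash_name).hex()


def verify(key, message, tag, hash_name="sha256"):
    """Constant-time comparison: an early-exit == would let a remote caller learn the
    tag one byte at a time from response timing."""
    return stdlib_hmac.compare_digest(hmac_digest(key, message, hash_name), tag)


def matches_stdlib(key, message, hash_name="sha256"):
    """Cross-check against the standard library's HMAC."""
    return hmac_digest(key, message, hash_name) == \
        stdlib_hmac.new(key, message, hash_name).digest()


# The two naive keyed hashes from the Using Hash to Compute MAC slide, for contrast only:
# the prefix form lets the message be extended (H(K || m || m')), the suffix form falls
# with any collision in H. Neither should be used in place of HMAC.
def prefix_mac(key, message, hash_name="sha256"):
    return hashlib.new(hash_name, key + message).digest()


def suffix_mac(key, message, hash_name="sha256"):
    return hashlib.new(hash_name, message + key).digest()


if __name__ == "__main__":
    key, msg = b"example key", b"example message"   # constructed sample values
    tag = hmac_digest(key, msg)
    print("HMAC-SHA256:", tag.hex(), "verify:", verify(key, msg, tag))
    print("matches hmac module:", matches_stdlib(key, msg))
```

The "plus 2 blocks" cost on the slide is visible in the code: the inner hash processes the padded-key block before the message, and the outer hash processes one more key block plus the short inner digest, so HMAC costs about two extra compression-function calls over H(M).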