Cryptographic Hash Functions and Message Authentication Codes

Reading: Chapter 4 of Katz & Lindell

1

A function mapping from a domain to a smaller range (thus not injective). Applic

ations: Fast lookup (hash tables) Error detection/correctio

n

Cryptography: c

r p

y t o

Hash function•

•

Others Different applications require different

graphi

kinds

of

c hash

hash

functio

funct

s

ns

ion .•

2

* *

: , | | | |. E.g., :{0,1} {0,1} , :{0,1} ,

:{0,1} {0,1} , . In the last case, is also called a . For c

Hash f

compression func

unct

tio

ons

nr

i :

Cryptographic hash function

nn

k l

h X Y X Yh h Z

h k lh

• → >

• → →

→ >••

( )

yptographic applications, ( ) is intended to be a fingerprint or digest of . A classical application is to store as

(username, password)

username, (pa to protect the secss recy of pasword)

h mm

h•

swords. For this application, what property is required of ?h•

3

if ( ) , is a pre-image of . Each hash value typically has multiple pre-images. Collision: a pair ( , ), , s.t. ( ) ( ).

A hash function is

Pre-image:

s aid

Security requirementsh m y m y

m m m m h m h m

h

=

′ ′ ′≠ =

•••

• to be: given a hash value , it is

computationally infeasible to f Pre-image resistant:

Second pind a pre-image of .

given a message , ire-image resista t is infeasible

:

nt

yy

m

Collision resistant:to find a second pre-image of ( ).

if it is infeasible to find a collision.y h m=

4

Loosely speaking,

Collision resistant Second pre-image resistant

Pre-image resistan

cryptograpDef hicinitio hash

t

A functi is n: on

•

•

⇒

⇒

a hash function that is collision resistant.

5

In practice, a fixed hash function is used. However, there is a technical difficulty in defining

collision-resistance for a hash funcfixed t

Hard to define collision-resistant hash functionsh•

•

*

ion . Try this "definition": A hash function :{0,1} {0,1} is

if for polynomial-time algorithm ,

Pr (1 ) successfully produ

collisio

ces a co

e

l

ve

li

n-resi

sion f

rst

or (

yant

n

h n

hh

A

A h negl n

→

≤

•

*,

,

).

Problem with this definition: For , {0,1} , , let denote the algorithm that prints ( , ). Each is a polynomial-time algor

ithm.

For any , an algorithm

m m

m m

m m m m Am m Ah

′

′

′ ′

∃

•

∈ ≠

′

that outputs a collision with prob 1.6

{ } * ( )

Instead of a hash function, we define a of hash functions : , whe

singlefamily

re :{0,1} {0,1} , to be collision-resistant i

Collision-resistant hash functions

l ns n sh s I h∈ →

•

f for all polynomial-time algorithms , there exists a negligible function such that

Pr (1 ) produces a collision for : ( ).

is a set of indexes. For instance, {0,

s ns n

n n

h

Anegl

A h s I negl n

I I

← ≤

=• 1} .

( ) is a fixed polynomial. For instance, ( ) .

n

l n l n n=•

7

Pr (1 ) produces a collision

Pr (1 ) produces a collision for :

= Pr[ ]

= the probability that succeeds in producing

expecte a coll

for

d ision

Remarks

s

n

s ns n

s I

h ns

hA h s I

s

A

A h∈

← •

⋅ ∑

for a randomly picked hash function . For different hash functions , may succeed with different

probabilities. A family of hash functions is collision-resistant if for every

polynomia

s

s

hh A•

•l-time adversary , its probability of

finding a collision is nege

lxpec

igited

ble.A

8

* :{0,1} {0,1} ?

Provably collision-resistclaw-

ant hash functions can be constructed f free pairs oro f o m

How to construct a family of collision-resistanthash functions

nsh

•

→

. (Section 10.2 of Delfs & Knebl)

In practice, hash functions are constructed from compression functions

:{0,1} {0,1}

ne-way permutations

Me by a process cal rklled

n r nf +

•

→

e-Damgard's construction.

9

*

*

Construct a function :{0,1} {0,1} from a function :{0,1} {0,1} .

1. For {0,1} , add

hashcompression

padding so that the length of the padded i

Merkle-Damgard constructionn

n r n

hf

m m

+

→

→

∈

1 2

0 1

s a multiple of . padding = 10...0 | |, where | | is the original length of . 2. Let padded , where | | . 3. Let IV and ( ) for 1 .

IV is a consta

k i

i i i

rm m m

m m m m m rv v vf m i k−

= == = ≤ ≤

nt, e.g., IV 0 . 4. The hash value ( ) .

n

kh m v=

=

m1 m2 m3 mk

f f f IV v0 v1 v2 vk … f h(m)

10

If is collision-resistant, then is collision-resistant.

We will show that if is collision-resistant, then is collision resistant. Specifical

Theorem

ly, if

:

Proof.( , ) is a collis

notnot

f h

h fm m′

1 1

1 1

ion for , we will construct a collision for . Consider two cases:

In this case, , and so ( , ) ( , ). But ( , | | | |.

) ( ) ( ) ( , ), a collision fok k k k k k

k k k k

hf

m m m v m vf m v h

mm h m f m

mv

′ ′ ′− −

′ ′− −

′ ′≠ ≠′ ′ ′= = =

′≠

1 1 1 1

r .

In this case, . Since ( ) ( ), there exists an such that ( , ) ( , ) but ( , ) ( , ), which is a col

| |

lision f

| |.

or .i i i i i i i i

f

k k h m h mi m v m v f m v v

mm

mf

f− − − −

′ ′= =′ ′ ′ ′≠

′==

11

f f f IV v0 v1 n2 vk … f

f f f IV … f

0v′ 1v′ 2v′ kv ′′

( )h m

( )h m′

( )If an adversary can find a collision , for ,then she can find a collision for .

m m hf

′

12

1 2 3 (padded) km m m m m ′′ ′ ′ ′=

1 2 3 (padded) km m m m m=

We have proved: If is collision-resistant, then is collision-resistant.

Since collision-resistance was defined for a family of hash functions, the

Th

above thereom sho

eorem:

uld b

Remark

f h•

•

{ }

{ }

e read as follows.

If is a family of collision-resistant compression

functions, and is constructed from by Merkle-Damgard, then is a family of colli

si

Th

on r

eore

e

m

sis

:

t

n

n

s s I

s s

s s I

f

h fh

∈

∈

•

ant hash functions.

13

( )

( )

*

*, , ,

, , , : , primes, 2 1,

, generators of

:

( , ) m d

o

A family of compression functions (skipped)

nq

q q pp q g h

x y

p q g h p q p q q nI

g h Z

f Z Z Z

x y g h p

= + = =

× →

→

14

1

*

Minimum requirement: must be large enough for to resist the birthda

Bi

y attack.

randomly generate a set rthday attac

:{0,1} {0

of messages

,1}

k,

:

How large should be?n

n h

h

m

n

•

•

→

{ }2

Birthday prob

, , , and check if ( ) ( ) for some .

Why is it called a birthday attack?

In a group of people, what is the probability that at least two of th

lem:em have a same birth

k i jm m h m h m i j

k

= ≠

•

•

Having the same birthday is a collisd ?

.ay

ion

15

{ }

[ ]

If objects are each assigned a random value in 1, 2, ..., , the is

1 2 1

probability of a collisi

1 1 (i.e., 1 Pr no collision )

1

on

1

Birthday attack's success rate

p

k N

N N N kN N N

iN

− − − += − ⋅ ⋅ ⋅ ⋅ −

= − −

•

1 1

1

1

1// ( 1)/2

1

Birthday paradox:

(note: 1 if 0 1)

1 1 1

with 365, 1 2 for as small

1 2 if

as 23

1. 1

.

7 .

i k

kx

ik

i Ni N k k N

i

x e x

e e e

N p k

p k N

≤ ≤ −

−−

=

−−− − −

=

•

− ≤ < <

∑≥ − = − = −

• = ≥

≥ ≥

∏

∏

16

[ ] [ ]

[ ][ ] [ ] [ ]

1 2

1 2

Define Pr Pr object collides with some object . The birthday attack's success probabili

ty satisfies:

Pr

Pr Pr Pr0 1 2 1

( 1)

o

22

F r

i

k

k

C

k

i j ip

p C C CC C C

kN N N Nk k pN

N

= <

= ∨ ∨ ∨≤ + + +

−≤ + + + +

•

−⇒

•

•

≥=

* a hash function :{0,1} {0,1} ,To resist the birthday attack, should be large enough that

generating messages is practic

ally infeasible.

Currently, a minimu

2 .

2 m of 12 e8 is r c

nn

pn

N

k N

h N→

≥

•=

•

≥

50 29

ommended.For 128, it will take 2 to have a successful rate of 2 . n k p −• = ≥ =

17

64

an NIST standard. using Merkle-Damgard construction. input message is divided into blocks with padding. padding = 10...0 , where {0,1} indicates | | in

The Secure Hash Algorithm (SHA-1)

mm

•••

• ∈

64

0 15

0 4

binary. thus, message length limited to | | 2 1. block = 512 bits = 16 words = . IV a constant of 160 bits = 5 words = . resulting hash value: 160 bits. underlying compre

mW W

H H

• ≤ −•• =•

•

160 512 160ssion function :{0,1} {0,1} , a series (80 rounds) of , , , , +, and Rotate on words ' & 's.

i i

f

W s H

+ →∧ ∨ ⊕ ¬

18

160 is big enough to resist birthday attacks . There is no mathematical proof for its collision resistance. In 2004, a collision for a 58-round SHA-1 was found.

for n

Ne r

o

we

w

Is SHA-1 secure?n•

•••

=

SHA's have been included in the standard: SHA-256, SHA-384, SHA-512.These are called the SHA

-2 family

.

19

Message Authentication Code

20

Bob receives a message from Alice, he wants to know (Data origin authentication) whether the message was

really sent by Alic

e.

(Data integrity) whether t h

Message authenticationm•

e message has been modified.

Two solutions: Alice attaches a (MAC)

to the message (using a symmetric key to compute the MAC).message authenti

Or

sh

cation

e attac

code

hes

a u signat

•

to the message (using an asymmetric key to compute the signature

re).

21

( )

Message authentication protocol: 1. Alice and Bob share a secret key . 2. To send a message , Alice computes a tag : ( ) and sends , to Bob.

3. On receiv

Basic idea of MAC

k

km t MAC m

m t

•

=

( )ing , , Bob checks whether ( ). If so, he accepts the message; otherwise, she dis

message authenticat

cards

ion co

it.

The ta de (MAg is called a . Security requirement: compu

C)t

km t t MAC m

t

′ ′ ′ ′=

•• ationally infeasible to forge a valid pair ( , ( )) without knowing the key . kx MAC x k

22

A MAC scheme is a triple ( , , ):Key generation algorithm : On input 1 , (1

) outputs a key {0,1} .

Tag generation algorithm : On input a key and a mes

sa

MAC Scheme

n n

n

G MAC VG G

kMAC k

•

←

( ) *

ge , outputs a tag . We write ( ).

( is the message space. Assume {0,1} or {0,1} .)Verification algorithm : On input a key , a message , and

a t

kl n

m M MAC t t MAC mM M M

V k m

∈ ←

= =

ag , algorithm outputs 1 (accepting as authentic) or 0 (not accepting).

, are probabilistic algorithms. is deterministic. Correctness requirement: for each

and

,

t V m

G MAC Vk K m M∈ ∈•

( ) , ( ) 1.k kV m MAC m =23

1. A key (1

We will consider the following type of attacks on M

) is generated.2. The adversary, say Eve, is given input 1 and oracle access

AC

to .

s.

She

Chosen-Message Attacks on MAC Schemes

n

nk

k GMAC

←

may ask the oracle to compute tags for messages of her choice. Let be the set of all queries Eve has made to the oracle.3. Eve finally generates a pair ( , ), with . (Eve tries to fo

Qm t m Q∉

rge a valid pair of message and tag. She succeeds if ( , ) 1.)

Remarks: Adversary: an adaptive chosen-message attacker. Forger exis

y: an forgery.tential

kV m t

•

=

24

Definition: A MAC scheme ( , , ) is existentially unforgeable under an adaptive chosen-message attack (or simply

MAC security: existential unforgeability under an adaptive chosen-message attack

G MAC V

( )( )

) if for allpolynomial-time adversaries , there exists a negligible function such that

Pr 1 1: {0,1} ( )

Note: produces a pair ( , ), wit

secure

h .

k n nk G

MAC

A negl

V A k negl n

A m t m Q

= ← ≤

∉

25

*

A general MAC scheme can handle messages of any length, i.e., {0,1} .

The job of constructing a secure MAC scheme would be easier if all inp

u m

t

Constructing secure length-restricted MAC

M•

=

•

( )

essages are restricted to a fixed length, say ( ). A MAC scheme with {0,1} is said to be an ( )-restricted

( )-restricted

MAC scheme. A secure MAC scheme can be construc

ted from an

l n

l nM l n

l n

=•

• ( )-bit pseudorandom function. Just let , where is an ( )-bit pseudorandom

( ) :

function with key .) (k kkMA

l nC m f m f l n

k=•

26

{ }( ) ( ) More precisely, let :{0,1} {0,1} | {0,1}

be a family of pseudorandom functions.

Construct an ( )-bit MAC scheme ( , , ) as follow

s: Key

generation: On inp ut 1

l n l n nn k n N

n

F f k

l n G MAC V

∈= → ∈

Π =

•

•

( )

, (1 ) outputs a random key {0,1} .

Tag generation: For key {0,1} and message {0,1} , let : ( ) : ( ).

Verification: On input ( , ),

let ( , ) :

n

nu

n l n

k k

k

Gk

k mt MAC m f m

m t V m t

←

∈ ∈= =

Theorem:

1 if (

Such

) 0 otherw

a MAC sch eme is secu

s

.

e

re

ikf m t

•

==

27

*

*

A general MAC scheme with {0,1} can be constructed using the paradim. To compute a tag for {0,1} ,

We first hash ha

to a bsh-then-authenti

cat

e

Hash-then-Authenticate: basic idea

Mt m

m

• =

∈

( )

hash *

lock {0,1} , using a collision-resistant hash function.

Then compute a tag from , using a secure ( )-bit length-restricted MAC scheme.

{0,1}

s

l n

h

m

t m l n

m

∈

∈ →

( )-bit MAC( )( )-bit {0,1}

k

l nl nl n fm t ∈ →

28

{ }

* ( )

Let : {0,1} be a family a hash

functions, where :{0,1} {0,1} .

Let ( , , ) be a ( )-bit restric

collisi

ted

on-resistant

secur e M C

A

Hash-then-Authenticate: Formal Definitionn

s n Nl n

s

h s

h

G MAC V l n

∈∈•

→

• Π =

( ) scheme with {0,1} . Construct a general MAC scheme ( , , ) as follows:

Key generation algorithm : On input 1 , (1 ) outputs a a hash key {0,1} and a MAC key

{

l n

n n

nu G

MG MAC V

G Gs k

=Π =•

← ←

( )*,

*

0,1} . Tag generation algorithm : On input key ( , ) and message

{0,1} , Let ( ) : ( ) .

Verification algorithm : On input key ( , ), message {0,1} ,

n

ks k s

MAC s k

m MAC m MAC h m

V s k m

∈ =

∈

( ) ( ), and tag , let , : ( ), .ks k st V m t V h m t=29

{ }

Theorem: If : {0,1} is collision-resistant and

( , , ) is secure, then the MAC scheme ( , , ) as constructed above is secure (i.e existenti

Hash-then-Authenticate: Security

ns n N

h s

G MAC VG MAC V

∈∈

Π =Π =

•

ally unforgeable under an adaptive chosen-message attack).

Remarks: The MAC scheme is secure, even if the hash key is known to the adversary.

The MAC key must be kept

s

k

Π•

hash ( )-bit MAC* ( )( )-bit {0,1} {0,1}

secret

.

s

k

hf

l nl nl nm m t∈ → ∈ →

30

hash function In the hash-then-authentic paradim, we need a collision-resistant

a . In practice, people like

pseudoran

to use ju

d

st a hash function

and om

or

func

ju

ti n

o

st a

MACs in practice

•

•pseudorandom function:

HMAC (hash-based MAC) CBC-MAC (pseudorandom function based MAC)

31

*

We wish to using a hash function, say :{0,1} {0,1} , which is constructed from a compression functio

ha

n

sh t

hen aut

:

hentica

{0,1} {0,1} by Merkel-Damgard. R

te

HMAC: basic idea (1)

n

n r n

hf + →

•

•

→

{ }

ecall that involves an IV (initialization vector). Using different IVs will result in different hash functions.

Let denote the hash function with IV .

Intuitively, : {0,1} is a fas

ns

h

h s

H h s

=

= ∈

•

•

{ }

mily of hash functions.

Meanwhile, is viewed as a family of pseudorandom functions

: {0,1}

where :{0,1} {0,1} , with ( ) ( ).

ns

r ns s

f

F f s

f f x f s x

•

= ∈

→ =

32

( )1 2 1

Hash H

1

ash*

2

HMAC is based on the idea:

{0,1} ( ) : ( ) padding

Note: two different keys are used as IV: and , each of length .

Unfortun

HMAC: basic idea (2)

s s s

s s n

m h m t f h m

•

•

•

∈ → → =

0

ately, a standard hash function (e.g., SHA-1) usually has a IV, say , which you cannot fi chax ee .d ngIV

m1 m2 m3 mk

f f f … f h(m) || padding

f 2s1s

tag 33

2s

1s

m1 m2 m3 mk

f f f … f h(m)||padding

f

2k

1k

f

f

IV0

IV0

( )1 2

Hash Has1

h*1 2

Then we have HMAC with keys ( , ) :

{0,1} ( ) : ( )

k km h mk k kt h h m∈ → → =

•

tag

34

( )1 2 1

1

2

Hash Hash*

1

2

{0,1} ( ) : ( )

So, we prepend an to with the output of .

Similarly, prepend an to with the output of .

Sp

HMAC: basic idea (3)

s s s

s

s

m h m t f h m

f h s f

f f s f

•

•

∈ → →

•

=

=

=

1 0 1

2 0 2

1 2

1 2

ecifically, we randomly choose , {0,1} , and let Then we have HMAC with keys

: ( , )

( , ) :

{0,1

: ( , )

rk ks f IV ks f IV k

k km

∈

∈

•

==

( )Hash Hash1 2 1

*} ( ) : ( )k k kh m t h h m→ → =

35

( )out in

in out

A FIPS standard for constructing MAC from a hash function . Conceptually, HMAC ( ) ( ) where and are two keys generated from . Various hash funct

HMAC

k m k k mk k k

hh h

•

=

•

( )

ions (e.g., SHA-1, MD5) may be used for . If we use , then HMAC is as follows:

SHA-1

HMAC ( ) ( ) where

is padded with 0's to

SHA

512 bit

-1

s36

SHA-1k

h

m k opad k ipad m

kipad

•

= ⊕ ⊕

=

36 36 (x036 repeated 64 times)

5c5c 5c (x05c repeated 64 times)opad =

36

Loosely speaking, HMAC is secure if the underlying compression function is collision-resistant (and hence the hash function is collision-resitant) and beha

Security of HMAC

fh

f

•

ves like a pseudorandom function.

37

The following constructions a

re n .

( ) : ( )

( ) : ( ) with

ot secure

IV

Insecure construction of MAC from a hash

k

k

MAC m h k m

MAC m h m k

•

=

= =

38

m = m1 m2 m3 ms

f f f IV … f h(m) k X X hk(m)

f hk(m) hk(m||ms+1)

ms+1

1

( ) ( ) with IV . (For simplicity, without

Insecure:

Easy to forge: ( , ( )),

p

add

where

ing)

k

s

k

m

M

h m

AC m h

m m

m k

m +

•

′′ =

=

•′

=

39

( )1 2

1

in CBC*hash MAC

A FIPS and ISO standard. Use a pseudorandom in CBC mode with a fixed public IV.

{0,1}

In practice, block ciphers (ps

function

eudoran

CBC-MAC

k kf fkm E m t

••

∈ → →

• dom ) are used, and IV 0 . Called DES CBC-MAC if the pseudorandom function is DES. Let :{0,1} {0,1} {0,1} be a block cipher.

block length

permutation

key length. Ther

s

n

n r nEnr

=•

• × →==

•

e are several variants of CBC-MAC.

40

1 2

1 2

Divide the input message into blocks: , where .

Generate two keys from the main key : : (1) and

: (2)

The ,

n

One variant of CBC-MAC

s i

k k

mm m m m m n

kk E k E

•

= =

•= =

•

( )( )2 1

1

2

0

1

*

CBC-MAC ( ) : CBC- . That is,

IV (typically 0 ); for 1 to do ( );

tag : ( )

Hash-then-authenticate:

{0,1} k

k k k

n

i k i i

k s

E

m E E m

ci s c E c m

E c

m

−

=

←← ← ⊕

=

•

∈ ( )1 2

1

in CBChash MAC kE

kE m t→ →41

{ }* CBC-MAC is secure if : {0,1} is a family of

pseudorandom functions (or permutations).

Security of CBC-MAC

k uE k• ←

42