Hash Functions
CS4501, Fall 2015
David Evans and Samee Zahur, University of Virginia
Hash("I, Alice, hereby pay Bob an amount of 23 mBTC")
= 7abc39d0 2e0194bc d7e93192 bcdfe412
Hash Functions in Signatures
Signature algorithms require a fixed-size !
Hash Functions in Signatures
Signature algorithms can use a fixed-size
Verifying Hashed Signatures
1. Compute
2. Run
3. Accept if passed
Cannot have collisions!
Hash("I, Alice, hereby pay Bob an amount of 23 mBTC")
= 7abc39d0 2e0194bc d7e93192 bcdfe412
Arbitrary strings (infinitely large set) → fixed-size numbers (finite set)
Collisions unavoidable
Cannot have collisions! → cannot find collisions
Common Hash Properties
1. Collision resistance: “It is hard to find any two , such that”
2. Second preimage resistance: “For given , it is hard to find such that”
3. Preimage resistance (such functions are also called one-way): “For a given , it is hard to find any such that”
1 ⇒ 2 ⇒ 3
Recap
• Signing algorithms work on small inputs
• We hash strings before signing them
• We need collision-resistant hashes
The Birthday Problem
Find smallest number of people such that
Ways to pair 4 people
Ways to pair people
How many common pairs?
Using : =
I wish a year had more days …
If we select items out of , number of repeats expected
We expect first repeat in trials
I was born on 0x8ca8294be…
H(some input) looks like random -bits
How many trials before we find collision?
-bit hashes have possible outputs. On the order of trials.
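The following is an added example, not code from the lecture slides: it makes the three properties listed above and the birthday bound concrete by truncating SHA-256 to a chosen number of bits (a construction assumed here for illustration) and counting how many trials a brute-force search needs. A collision search on an n-bit output finishes after roughly 2^(n/2) trials, while a preimage or second-preimage search needs about 2^n.

```python
import hashlib
import math

# Added example (not from the slides): a toy hash with an adjustable output size,
# used to measure how many trials each kind of attack needs.


def trunc_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its leading `bits` bits (assumed toy construction)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int):
    """Collision search (property 1): hash distinct inputs until an output repeats.
    Returns (m1, m2, trials); expected trials ~ sqrt(pi/2 * 2**bits) (birthday bound)."""
    seen = {}
    trials = 0
    while True:
        m = b"c" + trials.to_bytes(8, "big")  # constructed, pairwise-distinct inputs
        trials += 1
        h = trunc_hash(m, bits)
        if h in seen:
            return seen[h], m, trials
        seen[h] = m


def find_preimage(target: int, bits: int, limit: int):
    """Preimage search (property 3): find any m with H(m) == target.
    Expected trials ~ 2**bits. Returns (m, trials) or (None, limit)."""
    for i in range(limit):
        m = b"p" + i.to_bytes(8, "big")
        if trunc_hash(m, bits) == target:
            return m, i + 1
    return None, limit


def find_second_preimage(m: bytes, bits: int, limit: int):
    """Second-preimage search (property 2): given m, find m' != m with H(m') == H(m).
    Same brute-force cost as a preimage search."""
    target = trunc_hash(m, bits)
    for i in range(limit):
        cand = b"s" + i.to_bytes(8, "big")
        if cand != m and trunc_hash(cand, bits) == target:
            return cand, i + 1
    return None, limit


def birthday_bound(bits: int) -> float:
    """Expected number of random draws before the first repeat among 2**bits values."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    bits = 32
    m1, m2, t = find_collision(bits)
    print(f"{bits}-bit collision after {t} trials (birthday bound ~{birthday_bound(bits):.0f})")
    bits = 16
    m, t = find_preimage(trunc_hash(b"target", bits), bits, 2 ** 20)
    print(f"{bits}-bit preimage after {t} trials (expected ~{2 ** bits})")
```

Running the script shows the gap in practice: a 32-bit collision turns up after tens of thousands of hashes, whereas a 16-bit preimage already needs tens of thousands, and each extra bit doubles the preimage cost but only multiplies the collision cost by √2. This is why the security level of an n-bit hash against collisions is n/2 bits.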
Real-life hash functions
Name           Output length (bits)   Security status
MD5            128                    Collisions found
SHA1           160                    Can be broken in iterations
SHA2 (SHA-256) 224-512 (256)          No known attacks
SHA3           224-512                No known attacks
Bitcoin typically uses SHA-256(SHA-256(transaction))
Hash-function life cycle
New function
proposed
Security evaluated
Function standardized
Theoretical attacks
proposed
Attacks improved and are practical
“Typical” timelines
MD5
• First proposed: 1991
• Published: 1992
• First signs of trouble: 1996
• Not collision resistant: 2004
• Chosen-prefix collision: by 2007
SHA3
• Competition started: 2007
• Submission deadline: 2008
• Elimination rounds: 2008-2010
• 5 finalists announced: 2010
• Keccak algorithm selected as winner: 2012
Digital signatures
Jason Benjamin
Bitcoin transaction ID
Deduplication
Password storage
Password Databases
Insecure:
Username      Password
Jack.Clough   12password
Betty.Smith   8c2odkw
Better:
Username      “Salt”         Scrypt(password+salt)
Jack.Clough   150FE5Btiq…    PaR6mPwHBj…
Betty.Smith   t1Y1B67ulN…    QrUaLRqFvc…
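An added example, not from the slides, of the “Better” table above: each user gets a fresh random salt and the stored value is a deliberately slow hash of password+salt, so two users with the same password produce different rows and a leaked table cannot be attacked with a single precomputed dictionary. The `PasswordDB` class, the parameters passed to scrypt and the PBKDF2 fallback are assumptions made for this example; the slide only names Scrypt.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): salted, slow password hashing versus
# the plaintext table on the "Insecure" side.


def unsalted_hash(password: str) -> bytes:
    """Plain SHA-256 of the password: fast and unsalted, so equal passwords
    give equal rows (included only to contrast with slow_hash)."""
    return hashlib.sha256(password.encode()).digest()


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Salted, memory-hard hash. Uses scrypt as on the slide; the cost parameters
    are an assumption for this example. Falls back to PBKDF2-HMAC-SHA256 if the
    local OpenSSL build lacks scrypt."""
    try:
        return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    except (AttributeError, ValueError):
        return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=32)


class PasswordDB:
    """In-memory stand-in for the 'Better' table: username -> (salt, hash)."""

    def __init__(self):
        self.rows = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt per user
        self.rows[username] = (salt, slow_hash(password.encode(), salt))

    def verify(self, username: str, password: str) -> bool:
        row = self.rows.get(username)
        if row is None:
            return False
        salt, stored = row
        # Constant-time comparison so the check does not leak how many bytes matched.
        return hmac.compare_digest(stored, slow_hash(password.encode(), salt))


if __name__ == "__main__":
    db = PasswordDB()
    db.register("Jack.Clough", "12password")
    db.register("Betty.Smith", "12password")  # same password as Jack, constructed
    for user, (salt, h) in db.rows.items():
        print(f"{user:12} salt={salt.hex()[:10]}… hash={h.hex()[:10]}…")
    print("login ok:", db.verify("Jack.Clough", "12password"))
    print("wrong pw:", db.verify("Jack.Clough", "8c2odkw"))
```

The two printed rows differ even though both users chose the same password, which is exactly the property the unsalted table lacks; a defender checking a password store should look for per-user salts and a slow hash rather than a single fast digest.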
Partial verification
A block is a group of transactions in the Bitcoin ledger.
Straightforward way: verification requires me to inspect all 1000 transactions in the block.
Merkle Tree
root = 0x220c04634a…
p = H(a+b) = 0x2626113d5b…
q = H(c+d) = 0x305e321c3e…
H(T1) = a = 0x1763023d40…
H(T2) = b = 0x1c1c3a3831…
H(T3) = c = 0x2955461d31…
H(T4) = d = 0x160b445b5e…
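The tree on the slide, built and used for partial verification, as an added example that is not part of the lecture material: given only the root, a transaction and the sibling hashes along its path (two hashes for four leaves, log2(n) in general), a verifier recomputes the root without seeing the other transactions. H is plain SHA-256 of the concatenation, matching the slide’s H(a+b); the four transaction strings are constructed samples, and the handling of an odd number of leaves by duplicating the last hash is the Bitcoin convention, adopted here as an assumption. Bitcoin itself uses SHA-256(SHA-256(·)), which would only change `H`.

```python
import hashlib

# Added example (not from the slides): Merkle root, proof generation and
# verification for the four-transaction tree shown above.


def H(data: bytes) -> bytes:
    """Node hash; the slide's H(a+b) with plain SHA-256."""
    return hashlib.sha256(data).digest()


def _pad(level):
    # Odd level: duplicate the last hash (Bitcoin's convention, assumed here).
    return level + [level[-1]] if len(level) % 2 else level


def merkle_root(leaves):
    """Reduce leaf hashes pairwise until one root remains."""
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_proof(leaves, index):
    """Sibling hashes from leaf `index` to the root, each tagged with its side."""
    proof = []
    level = list(leaves)
    i = index
    while len(level) > 1:
        level = _pad(level)
        sib = i ^ 1
        proof.append((level[sib], "right" if sib > i else "left"))
        level = [H(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return proof


def verify_proof(tx: bytes, proof, root: bytes) -> bool:
    """Recompute the root from one transaction and its proof; no other tx needed."""
    h = H(tx)
    for sibling, side in proof:
        h = H(h + sibling) if side == "right" else H(sibling + h)
    return h == root


# Constructed sample transactions standing in for T1..T4 on the slide.
TXS = [
    b"T1: Alice pays Bob 23 mBTC",
    b"T2: Bob pays Carol 5 mBTC",
    b"T3: Carol pays Dave 1 mBTC",
    b"T4: Dave pays Alice 2 mBTC",
]


def slide_root_matches() -> bool:
    """Check merkle_root against the slide's explicit formula root = H(p+q)."""
    a, b, c, d = (H(t) for t in TXS)
    p, q = H(a + b), H(c + d)
    return merkle_root([a, b, c, d]) == H(p + q)


if __name__ == "__main__":
    leaves = [H(t) for t in TXS]
    root = merkle_root(leaves)
    proof = merkle_proof(leaves, 2)  # prove T3 with hashes d and p only
    print("root      :", root.hex()[:10] + "…")
    print("proof size:", len(proof), "hashes for", len(TXS), "transactions")
    print("T3 valid  :", verify_proof(TXS[2], proof, root))
    print("forged T3 :", verify_proof(b"T3: Carol pays Dave 99 mBTC", proof, root))
```

A block with 1000 transactions needs a proof of only 10 sibling hashes, which is what lets a lightweight client accept a transaction as included without downloading the whole block; a tampered transaction, or a proof reused against a different root, fails the final equality check.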
Recap
• Hash functions used in lots of places:
  • Signatures
  • Unique global IDs: bitcoin transaction, Dropbox files
  • Password databases
  • File downloads
• Birthday attacks: hashes with -bit output can be expected to collide in iterations
• Weak hashes can be broken faster: don’t use MD5, avoid SHA-1
• Merkle trees enable partial verification
Coming up…
• Problemset 1 due tomorrow (8:29 PM)
• Ori has office hours today (5 PM – 6:30 PM)
• Next class topic: Bitcoin mining