A Good Hash Function is Hard to Find,and Vice Versa                           This is a really long string of text which i...
A hash function is any function which takes an arbitrarilylong string as input and gives a fixed-length output.Input:(“Mes...
An example: Write the message in rows of five letters,convert to numbers, add down the columns modulo 26.Input:           ...
A hash function is not:            M             h            M        an encoding.4
A hash function is not:            M             h            M     M       M            M             h      h      h    ...
What is a hash function good for? Maybe to make sure amessage hasn’t been altered.          Alice               Eve       ...
What is a hash function good for? Maybe to make sure amessage hasn’t been altered.                                        ...
But of course, Eve could change the hash value as well asthe message.                                                     ...
Alice could prevent this by “digitally signing” the hashvalue.            Alice                      Eve               Bob...
What properties do we want a hash function to have?                   1. It should be fast to compute.10
What properties do we want a hash function to have?                   1. It should be fast to compute.                    ...
But for cryptographic purposes a hash function should alsobe “cryptographically secure”.          M          h      1. “On...
But for cryptographic purposes a hash function should alsobe “cryptographically secure”.          M          h       1. “O...
But for cryptographic purposes a hash function should alsobe “cryptographically secure”.          M          h       1. “O...
One common way that real hash functions achieve thesegoals is with the Merkle-Damgård construction.                       ...
Some common hash functions that use theMerkle-Damgård construction:[Wikipedia]     By Ronald Rivest:            By NIST an...
The compression function of MD5 is fairly typical of all ofthese ciphers.         16 “steps”                              ...
My goals for a new hash function:     1. Can be done without a computer in a class period.18
My goals for a new hash function:     1. Can be done without a computer in a class period.              2. Reasonably secu...
My goals for a new hash function:     1. Can be done without a computer in a class period.              2. Reasonably secu...
My goals for a new hash function:     1. Can be done without a computer in a class period.              2. Reasonably secu...
Our first example doesn’t stack up too well.                 HELLO           07   04   11   11   14                 MYNAM...
My first try: JHA (2000)     hash = (7 x # of vowels – 3 x # of consonants + # of spaces 2) modulo 17                     ...
My second try: JHA-1 (2010)     hash =   5(7 x # of vowels – 3 x # of consonants + # of spaces2)   modulo 17              ...
My latest try: JHA-2 (2011), uses Merkle-Damgård.           Convert letters to numbers, each block is one letter (two digi...
JHA-2 compression function:                         A        B     New message block                             +        ...
An example:     H   e   l   l   o   m   y   n   a   m        e   i   s   A   l   i    c   e     07 04 11 11 14 12 24 13 00...
An example:          H    e      l   l   o   m   y    n   a   m   e          07 04 11 11 14 12 24 13 00 12 04      76 94 6...
An example:          H    e      l   l   o   m   y    n   a   m   e          07 04 11 11 14 12 24 13 00 12 04      76 94 6...
T    h   a     n   k   s   f   o   r           19 07 00 13 10 18 05 14 17     76 32 69 07 11 85 97 38 84 54     l    i    ...
Upcoming SlideShare
Loading in …5
×

A Good Hash Function is Hard to Find, and Vice Versa

1,336 views

Published on

Secure hash functions are the unsung heroes of modern cryptography.
Introductory courses in cryptography often leave them out --- since
they don't have a secret key, it is difficult to use hash functions by
themselves for cryptography. In addition, most theoretical
discussions of cryptographic systems can get by without mentioning
them. However, for secure practical implementations of public-key
ciphers, digital signatures, and many other systems they are
indispensable. In this talk I will discuss the requirements for a
secure hash function and relate my attempts to come up with a "toy"
system which both reasonably secure and also suitable for students to
work with by hand in a classroom setting.

Published in: Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,336
On SlideShare
0
From Embeds
0
Number of Embeds
40
Actions
Shares
0
Downloads
26
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

A Good Hash Function is Hard to Find, and Vice Versa

  1. 1. A Good Hash Function is Hard to Find,and Vice Versa This is a really long string of text which is going toJoshua Holden be the input to our hash function.Rose-Hulman Institute ofTechnology 01100011
  2. 2. A hash function is any function which takes an arbitrarilylong string as input and gives a fixed-length output.Input:(“Message”) This is a really long string of text which is going to be the input to our hash function.Output: 01100011(“Hash value”)2
  3. 3. An example: Write the message in rows of five letters,convert to numbers, add down the columns modulo 26.Input: HELLO  07 04 11 11 14(“Message”) MYNAM  12 24 13 00 12 EISAL  04 08 18 00 11 ICEXX  08 02 04 23 23 05 12 20 08 08Output: F M U I I(“Hash value”) [Barr, Invitation to Cryptology]3
  4. 4. A hash function is not: M h M an encoding.4
  5. 5. A hash function is not: M h M M M M h h h an encoding. secret.5
  6. 6. What is a hash function good for? Maybe to make sure amessage hasn’t been altered. Alice Eve Bob Hi, Bob, this is Hi, Bob, this is Hi, Bob, this is Eve. Alice. Eve. 00011100 00011100 00110001, not 000111006
  7. 7. What is a hash function good for? Maybe to make sure amessage hasn’t been altered. Hey! Alice Eve Bob Hi, Bob, this is Hi, Bob, this is Hi, Bob, this is Eve. Alice. Eve. 00011100 00011100 00110001, not 000111007
  8. 8. But of course, Eve could change the hash value as well asthe message. ? Alice Eve Bob Hi, Bob, this is Hi, Bob, this is Hi, Bob, this is Eve. Alice. Eve. 00011100 00110001 Hash values by themselves only protect against 00110001 unintentional changes.8
  9. 9. Alice could prevent this by “digitally signing” the hashvalue. Alice Eve Bob Hi, Bob, this is Hi, Bob, this is Hi, Bob, this is Eve. Alice. Eve. 00011100 00011100 Digitally signing a hash value is much more 00110001 efficient than signing a whole message!9
  10. 10. What properties do we want a hash function to have? 1. It should be fast to compute.10
  11. 11. What properties do we want a hash function to have? 1. It should be fast to compute. 2. It should distribute hash values evenly. M1 M2 M3 M4 M5 M6 h1 h2 h311
  12. 12. But for cryptographic purposes a hash function should alsobe “cryptographically secure”. M h 1. “One-way” a.k.a. “preimage-resistant”12
  13. 13. But for cryptographic purposes a hash function should alsobe “cryptographically secure”. M h 1. “One-way” a.k.a. “preimage-resistant” M1 2. “Second-preimage resistant” M2 h13
  14. 14. But for cryptographic purposes a hash function should alsobe “cryptographically secure”. M h 1. “One-way” a.k.a. “preimage-resistant” M1 2. “Second-preimage resistant” M2 h M1 h 3. “Collision-resistant” M214
  15. 15. One common way that real hash functions achieve thesegoals is with the Merkle-Damgård construction. [Wikipedia] IV = Initialization vector f = Compression function If the compression function is collision-resistant, then so is the hash function.15
  16. 16. Some common hash functions that use theMerkle-Damgård construction:[Wikipedia] By Ronald Rivest: By NIST and the NSA: • MD4 (Message Digest • SHA (Secure Hash Algorithm) algorithm 4) • SHA-1 (slightly tweaked • MD5 (an improved version version of SHA) of MD4) • SHA-2 (significant revision of SHA-1)16
  17. 17. The compression function of MD5 is fairly typical of all ofthese ciphers. 16 “steps” message word nonlinear function diffusion round constant feedforward permutation MD5 compression function One “step” of the function [Stallings, Cryptography and Network Security]17
  18. 18. My goals for a new hash function: 1. Can be done without a computer in a class period.18
  19. 19. My goals for a new hash function: 1. Can be done without a computer in a class period. 2. Reasonably secure.19
  20. 20. My goals for a new hash function: 1. Can be done without a computer in a class period. 2. Reasonably secure. 3. Uses elements from “real” hash functions.20
  21. 21. My goals for a new hash function: 1. Can be done without a computer in a class period. 2. Reasonably secure. 3. Uses elements from “real” hash functions. 4. “Optimized” for a four-function calculator.21
  22. 22. Our first example doesn’t stack up too well. HELLO  07 04 11 11 14 MYNAM  12 24 13 00 12 EISAL  04 08 18 00 11 ICEXX  08 02 04 23 23 05 12 20 08 08 F M U I I 1. Can be done without a computer in a class period? Yes. 2. Reasonably secure? No The problem is that it’s too easy to work backwards from the hash to the preimage.22
  23. 23. My first try: JHA (2000) hash = (7 x # of vowels – 3 x # of consonants + # of spaces 2) modulo 17 Hello my name is Alice (7 x 8 – 3 x 10 + 42) modulo 17 = 8 1. Can be done without a computer in a class period? Yes. 2. Reasonably secure? Not especially. Preimages are not that easy, but second preimages and collisions are.23
  24. 24. My second try: JHA-1 (2010) hash = 5(7 x # of vowels – 3 x # of consonants + # of spaces2) modulo 17 Hello my name is Alice 5(7 x 8 – 3 x 10 + 42) modulo 17 = 9 1. Can be done without a computer in a class period? Yes. 2. Reasonably secure? A little better. Preimages are even harder, but second preimages and collisions are still not that hard.24
  25. 25. My latest try: JHA-2 (2011), uses Merkle-Damgård. Convert letters to numbers, each block is one letter (two digits) Two-digit length of message IV = 76 No special finalization25
  26. 26. JHA-2 compression function: A B New message block + Operations are modulo 100 diffusion* x7 permutation feedforward + *Thanks to Michael Pridal-LoPiccolo!26
  27. 27. An example: H e l l o m y n a m e i s A l i c e 07 04 11 11 14 12 24 13 00 12 04 08 18 00 11 08 02 04 18 76 + 07 new block 83 x 7 81 18 + 76 feedforward 94 + 04 new block . .27 .
  28. 28. An example: H e l l o m y n a m e 07 04 11 11 14 12 24 13 00 12 04 76 94 62 73 61 13 70 55 22 67 02 26 i s A l i c e 08 18 00 11 08 02 04 18 09 07 01 49 48 53 52 61 Hello, my name is Alice. Hello, my name 61 is Alice. 6128
  29. 29. An example: H e l l o m y n a m e 07 04 11 11 14 12 24 13 00 12 04 76 94 62 73 61 13 70 55 22 67 02 26 i s A l i c e 08 18 00 11 08 02 04 18 Hi, 09 07 01 49 48 53 52 61 Alice! Hello, my name is Alice. Hello, my name 61 is Alice. 6129
  30. 30. T h a n k s f o r 19 07 00 13 10 18 05 14 17 76 32 69 07 11 85 97 38 84 54 l i s t e n i n g 11 08 18 19 04 13 08 13 06 18 09 00 62 38 87 87 43 72 36 23 Bye! http://www.rose-hulman.edu/~holden30

×