Hash Functions: lecture series by Ahto Buldas

This course is intended to give an overview of the nature of hash functions, their cryptographic and security properties and time-stamping as a practical usage for hash functions.
The first part of the lecture series gives an overview of what hash functions are. In the second part, we take a look at the cryptographic security requirements for hash functions. The third part of the series deals with the matter of security properties of hash functions.
In the fourth part, we explore hash functions which are provably secure but inefficient and hash functions which can be used practically. The fifth part in the series shows a practical application of hash functions on the example of time-stamping.
In the sixth and seventh parts of the lectures, we look at security requirements for hash functions used in time-stamping and ways of proving how specific hash functions meet requirements for hash functions.
Lecturer Ahto Buldas is a professor at Tallinn University of Technology and University of Tartu, specializing in complexity theory, combinatorics, cryptography and data security. He has worked extensively with hash functions and their usage in timestamping and together with Margus Niitsoo in 2010 showed how global scale time-stamping can be used with 256-bit hash functions.

1. Lecture 1 on Hash Functions, July 26, 2011
Lecture 1: Hash Functions: Short Identifiers for Large Files
We introduce a problem of giving unique identifiers to (potentially) large files and study how short such identifiers can be. Hash functions are designed for giving standard ways of solving the problem.

2. Hash Functions
A hash function converts a large, possibly variable-sized amount of data into a small datum (hash) that may serve as an index to an array.
Hash functions are mostly used to accelerate table lookup or data comparison tasks—such as finding items in a database, detecting duplicated or similar records in a large file, finding similar stretches in DNA sequences, etc.
With a hash function in use, we can check the presence of an item in a database with just one single lookup!
The idea was proposed in the 1950s, but the design of good hash functions is still a topic of active research.

3. Collisions
A hash function may map two or more keys to the same hash value—this is what we call a collision. In most applications, it is desirable to minimize the occurrence of collisions, which means that the hash function must map the keys to the hash values as evenly as possible.

4. Birthday Paradox
Birthday paradox: For randomly chosen 25 people, very likely we have two with the same birthday.
NB! This does NOT mean that if you are among those people, you will very likely find someone with the same birthday!

5. How many different hash values do we need?
How large hash values should we use for uniquely identifying $N$ items?
Answer: for a good hash function, we need about $N^2$ different hash values.
If $N = 2^{256}$ documents will be created all over the world during the existence of mankind, we need about $2 \cdot 256 = 512$ output bits to identify them uniquely.
Eddington number: the number of protons in the observable universe is about $1.57 \cdot 10^{79} \approx 136 \cdot 2^{256}$.
This is still just a small fraction of all possible 40 byte sequences!

6. Modeling Hash Functions With Random Oracles
The values of a good hash function are distributed as evenly as possible.
A good hash function is modeled as a random function (a random oracle)—the computation of hash value is replaced with a uniformly random choice (all hash values occur with the same probability $1/M$).

7. Bounds for Collision Probability
Say we have $N$ files and the hash function has $k$ output bits, i.e. there are $M = 2^k$ possible hash values. If the hash function is modeled as a random oracle, the probability $P(N, M)$ that all $N$ files have different hash values has the following bounds:
$$1 - \frac{N(N-1)}{2M} \le P(N, M) \le e^{-\frac{N(N-1)}{2M}} .$$
Homework exercise: Show that $P(N, M)$ can only decrease if the hash function deviates from random oracle, i.e. the output probabilities differ from $\frac{1}{M}$.

8. A Useful Inequality from Analysis
We used the inequality $1 + x \le e^x$ that holds for all real $x$. This also means that $1 - x \le e^{-x}$.
The inequality holds because $e^x$ is convex and $1 + x$ is the tangent line of $e^x$ at $x = 0$.

9. Upper Bound
For the upper bound, we use the observation that
$$P(N, M) = \left(1 - \frac{1}{M}\right) \cdot \left(1 - \frac{2}{M}\right) \cdot \ldots \cdot \left(1 - \frac{N-1}{M}\right) \le e^{-1/M} \cdot e^{-2/M} \cdot \ldots \cdot e^{-(N-1)/M} = e^{-(1+2+\ldots+(N-1))/M} = e^{-N(N-1)/2M} .$$
Explanation: We compute the hashes of the $N$ files one by one, considering each hash computation as a uniformly random selection of a hash value. Before the $i$-th selection, we already have $i - 1$ selected hash values and the probability that the new hash is one of those is $\frac{i-1}{M}$.

10. Lower Bound
To get a lower bound for $P(N, M)$, we first observe that for any pair of files, the probability that they have the same hash is $1/M$. As there are $N(N-1)/2$ pairs, the probability of having a collision is upper bounded by $\frac{N(N-1)}{2M}$ and hence,
$$P(N, M) \ge 1 - \frac{N(N-1)}{2M} .$$

11. Examples
For large $N \approx \sqrt{M}$, we have
$$\frac{1}{2} \le \lim_{M \to \infty} P(\sqrt{M}, M) \le e^{-1/2} \approx 0.6065306597 .$$
For the Birthday paradox, we set $N = 25$ and $M = 365$ and get
$$P(N, M) \le 0.4395878005 .$$
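
The bounds of slides 7 to 11 can be checked numerically. The following is an added example, not part of the original slides; the function names are chosen here. It computes the exact random-oracle value of $P(N, M)$, the two bounds, the "someone shares *my* birthday" probability from slide 4, and the output size implied by the lower bound.

```python
import math


def p_all_distinct(n: int, m: int) -> float:
    """Exact P(N, M): probability that n uniformly random values out of m are all different.

    Uses the product (1 - 1/M)(1 - 2/M)...(1 - (N-1)/M) from slide 9,
    summed in log space so that large N does not underflow.
    """
    if n > m:
        return 0.0  # pigeonhole: a collision is certain
    return math.exp(sum(math.log1p(-i / m) for i in range(1, n)))


def slide_bounds(n: int, m: int) -> tuple[float, float]:
    """Lower and upper bound on P(N, M) from slide 7."""
    x = n * (n - 1) / (2 * m)
    return max(0.0, 1.0 - x), math.exp(-x)


def p_match_one_target(n: int, m: int) -> float:
    """Probability that at least one of the other n-1 values equals ONE fixed value.

    This is the situation of the NB on slide 4 (and of a second pre-image
    search): the target is fixed, so only n-1 pairs count instead of n(n-1)/2.
    """
    return 1.0 - (1.0 - 1.0 / m) ** (n - 1)


def output_bits_for(log2_n: int, log2_inv_eps: int = 1) -> int:
    """Smallest k such that the union bound N^2 / (2 * 2^k) is at most 2^-log2_inv_eps.

    With the default (collision probability at most 1/2) this is k = 2 * log2(N),
    i.e. "about N^2 different hash values" as on slide 5.
    """
    return 2 * log2_n - 1 + log2_inv_eps


if __name__ == "__main__":
    lo, hi = slide_bounds(25, 365)
    print(f"birthday: {lo:.4f} <= {p_all_distinct(25, 365):.4f} <= {hi:.10f}")
    print(f"someone shares my birthday: {p_match_one_target(25, 365):.4f}")
    n, m = 2 ** 16, 2 ** 32  # N = sqrt(M)
    lo, hi = slide_bounds(n, m)
    print(f"N = sqrt(M): {lo:.6f} <= {p_all_distinct(n, m):.6f} <= {hi:.6f}")
    print(f"bits for 2^256 documents: {output_bits_for(256)}")
```
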
12. Lecture 2: Cryptographic Security Requirements for Hash Functions
We study how to protect the uniqueness of identifiers against malicious behavior of users. Cryptographic hash functions are designed for this purpose. We describe the main properties that are required from cryptographic hash functions: one-wayness, second pre-image resistance, and collision resistance. We go through some examples to show where these security properties are needed in practice.

13. Three Main Security Properties
Cryptographic hash functions are designed for having the following security properties:
• One-wayness—hardness of finding a message given its hash.
• Second pre-image resistance—hardness of modifying a message without changing its hash.
• Collision-freeness—hardness of finding two different messages with the same hash.
Collision-freeness is the strongest requirement of the three, because the adversary has the largest degree of freedom.
Note that CRC32 does NOT meet any of the three requirements! It is intended to fight against occasional errors, not malicious attacks.

14. One-Wayness (or Pre-Image Resistance)
Given a hash $h(X)$ of a randomly chosen input $X$, it is hard to find an input $X'$ with the same output $h(X') = h(X)$. Here, $X$ is not known to the adversary!

15. Second Pre-Image Resistance
Given a randomly chosen input $X$, it is hard to find a different input $X' \ne X$ with the same output $h(X') = h(X)$. Here, $X$ is known to the adversary!

16. Collision Resistance (or Collision-Freeness)
It is hard to find two distinct inputs $X' \ne X$ with the same output $h(X') = h(X)$.

17. Examples for One-Wayness and Second Pre-Image Resistance
We need one-wayness in a situation where $X$ contains secret data. We have to uniquely identify $X$ but do not want the identifier to reveal the contents of $X$.
We need second pre-image resistance if we want to protect a public document $X$ from malicious modifications. For example, if we keep the hash $h(X)$ of $X$ in a safe place, it should be impossible to create a modified document $X'$ with the same hash, because then the modifications would be undetectable.

18. Digital Signatures and Collision Resistance
We create two contracts $X$ and $X'$ with the same hash, where $X'$ is clearly favorable to us.
We show $X$ to our partner who then signs the hash $h(X)$.
Later, we show $X'$ in court with the partner's signature on $h(X') = h(X)$ and claim that he/she accepted the conditions of $X'$.

19. Additional Remark about Digital Signatures
It may seem that in the last example, we can overcome such a situation by stating (in law) that a signature that uses $h$ is invalid whenever one comes up with a collision for $h$.
However, this would lead to another way of deception. We prepare two contracts $X$ and $X'$, where $X$ is the contract we actually sign and $X'$ is another contract with the same hash $h(X') = h(X)$ but which is much more profitable to us than $X$.
Our intention is to deny having signed $X$ by showing in court the other version $X'$ and claiming that $X'$ was actually the contract we wanted to sign.
20. Lecture 3: Relations Between the Security Properties of Hash Functions
It turns out that some of the security properties for hash functions can be derived from others. In this lecture, we prove mathematically that collision resistance is the strongest requirement of the three because it implies both one-wayness and second pre-image resistance.

21. Relative Security Proofs by Reductions
To prove relations between security properties, we use reductions.
To prove that property P implies property Q, we use the contraposition: If there is an efficient $A$ that breaks Q, we construct an efficient $A'$ that breaks P.

22. Collision Resistance Implies Second Pre-Image Resistance
Every adversary $A$ that finds second pre-images for $h$ can be modified to a collision finding adversary $A'$:
• $A'$ first generates a random input $X$ and then
• uses $A$ to find an $X' \ne X$ such that $h(X') = h(X)$.

23. Collision Resistance Implies One-Wayness ...
... if the hash function is sufficiently compressing. Every adversary $A$ that is able to invert $h$ can be modified to a collision finding adversary $A'$:
• $A'$ generates a random $X$, computes $y = h(X)$ and
• uses $A$ to find $X'$ such that $h(X') = h(X)$.
If $h$ is sufficiently compressing then $\Pr[X' = X]$ is small. Hence, $A'$ very likely finds a collision when $A$ is successful.

24. Mathematical Details
Direct computation of the success of $A'$ is not that trivial because $X'$ depends on $X$, and we cannot view $X$ and $X'$ as independent random variables. However, if the output value $y$ is known and fixed then $X$ becomes independent of $X'$. Indeed, we can regenerate $X$ with a uniform choice from the pre-image of $y$, and by doing so we do not change the distribution of $X$. Hence, the work of $A'$ is equivalent to the following (inefficient!) procedure:
• Choose a uniformly random input $Z$ and compute $y = h(Z)$.
• Choose a uniformly random $X$ from the $h$-preimage of $y$.
• Apply $A$ to obtain $X' = A(y)$.

25. The steps 2 and 3 are independent random choices and hence the probability $C(y)$ that a collision is produced for $y$ is:
$$C(y) = \Pr[A \text{ inverts } y] \cdot \Pr[X \ne X'] = \Pr[A \text{ inverts } y] \cdot \frac{|h^{-1}(y)| - 1}{|h^{-1}(y)|} = \Pr[A \text{ inverts } y] \cdot \left(1 - \frac{1}{|h^{-1}(y)|}\right) .$$

26. The overall success $\delta_{A'}$ of $A'$ is the average of this probability:
$$\begin{aligned}
\delta_{A'} &= \sum_y \Pr[y] \cdot C(y) = \sum_y \Pr[y] \cdot \Pr[A \text{ inverts } y] \cdot \left(1 - \frac{1}{|h^{-1}(y)|}\right) \\
&= \underbrace{\sum_y \Pr[y] \cdot \Pr[A \text{ inverts } y]}_{\delta_A} - \sum_y \Pr[A \text{ inverts } y] \cdot \underbrace{\Pr[y] \cdot \frac{1}{|h^{-1}(y)|}}_{1/N} \\
&= \delta_A - \frac{1}{N} \cdot \underbrace{\sum_y \Pr[A \text{ inverts } y]}_{\le M} \ge \delta_A - \frac{M}{N} ,
\end{aligned}$$
where $\delta_A$ is the success probability of $A$, and $N$, $M$ are the input set size and the output set size, respectively.

27. Insufficiently Compressing Hash Functions
An insufficiently compressing function can be collision-free but not one-way.
If there exists a collision-free hash function $h$ [with $(k-2)$-bit output] then there exists a function $h'$ that is collision-free but not one-way.
We define $h'$ so that it returns a $(k-1)$-bit output when given a $k$-bit input.
$$h'(x) = \begin{cases} 1\,z, & \text{if } x = 11z \\ 0\,h(x), & \text{otherwise} \end{cases}$$

28. • Finding collisions for $h'$ is as hard as finding collisions for $h$.
• Inverting $h'$ is relatively easy, because with probability 1/4, a random $x$ is of the form $11z$ and the output $1z$ of $h'$ completely reveals the input.
29. Lecture 4: Provably Secure vs Practical Hash Functions
We study two main goals when constructing a hash function. Provably secure hash functions are more reliable but inefficient. In practice, we use more efficient ad hoc designs, which have no guarantees against discovering more and more efficient attacks. In this lecture, we present some basic ideas how to construct provably secure hash functions. We also characterize the practical hash functions and summarize how secure some of them are, considering the known attacks against them.

30. The Idea of Provably Secure Hash Functions
The security of a hash function $h$ can be based on a hard mathematical problem if we can prove that finding collisions for $h$ is as hard as solving the problem.
This gives us much stronger security than just relying on complex mixing of bits.
A cryptographic hash function $h$ has provable security against collision attacks if finding collisions is reducible to a problem $P$ which is supposed not to be efficiently solvable. The function $h$ is then called provably secure.
Proof by Reduction: If finding collisions is feasible by algorithm $A$, we could find and use an efficient algorithm $S$ (that uses $A$) to solve $P$, which is supposed to be unsolvable. That is a contradiction. Hence, finding collisions cannot be easier than solving $P$.

31. Some Hard Mathematical Problems for Provably Secure Hashing
Provably secure hash functions are based on hard mathematical problems that are mostly related to well-known mathematical functions.
Some problems that are assumed not to be efficiently solvable:
• Discrete Logarithm Problem: Given $a^x \bmod p$, find $x$, where $p$ is a large prime number.
• Finding Modular Square Roots: Given $a^2 \bmod n$, find $a$, where $n$ is a hard to factorize composite number.
• Integer Factorization Problem: Given $n = p \cdot q$, find $p$ and $q$, where $p$, $q$ are two large primes.

32. Example of a Provably Secure Hash Function
Modular exponent function:
$$h(x) = a^x \bmod n ,$$
where $n$ is a hard to factor composite number, and $a$ is a pre-specified base value.
A collision $a^x \equiv a^{x'} \pmod{n}$ reveals a multiple $x - x'$ of the order of $a$ (in the multiplicative group of residues modulo $n$). Such information can be used to factor $n$ assuming certain properties of $a$.
Such an $h$ is inefficient because it requires 1.5 multiplications per input bit.

33. Design Principles for Practical Hash Functions
Practical hash functions are combinations of bit operations which are hard to study, partly because of their "ugly" mathematical properties.
The avalanche criterion requires that if an input is changed slightly (for example, flipping a single bit) the output must change significantly (e.g., many output bits flip). First used by Horst Feistel (1915-1990).
The strict avalanche criterion (SAC) is a generalization of the avalanche criterion. It is satisfied if, whenever a single input bit is complemented, each of the output bits changes with probability $\frac{1}{2}$. Introduced by Webster and Tavares in 1985.
The bit independence criterion (BIC)—two output bits should change independently when any single bit (not among these two) is inverted.
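
The strict avalanche criterion of slide 33 can be measured directly. The following is an added example, not part of the original slides; the helper names and the constructed test messages are assumptions of the example. It estimates, for every (input bit, output bit) pair, how often flipping the input bit changes the output bit, for SHA-256 (truncated to 32 bits) and for CRC32, which slide 13 names as not meeting the cryptographic requirements.

```python
import hashlib
import zlib


def sha256_32(msg: bytes) -> int:
    """First 32 output bits of SHA-256, as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:4], "big")


def crc32(msg: bytes) -> int:
    return zlib.crc32(msg)


def flip_bit(msg: bytes, i: int) -> bytes:
    """Return msg with input bit i complemented."""
    out = bytearray(msg)
    out[i // 8] ^= 0x80 >> (i % 8)
    return bytes(out)


def flip_frequencies(func, messages, out_bits=32):
    """freq[i][j] = fraction of messages for which flipping input bit i
    changes output bit j. SAC asks every entry to be close to 1/2."""
    n_in = len(messages[0]) * 8
    counts = [[0] * out_bits for _ in range(n_in)]
    for m in messages:
        base = func(m)
        for i in range(n_in):
            diff = base ^ func(flip_bit(m, i))
            for j in range(out_bits):
                counts[i][j] += (diff >> j) & 1
    return [[c / len(messages) for c in row] for row in counts]


def sac_deviation(freq) -> float:
    """Worst distance from the ideal probability 1/2 over all bit pairs."""
    return max(abs(p - 0.5) for row in freq for p in row)


# Constructed sample input: 256 fixed 8-byte messages (equal length matters
# for the CRC32 observation below).
MESSAGES = [hashlib.sha256(str(n).encode()).digest()[:8] for n in range(256)]

if __name__ == "__main__":
    print("SHA-256 worst deviation:", sac_deviation(flip_frequencies(sha256_32, MESSAGES)))
    # CRC32 is affine over GF(2): for equal-length inputs the output difference
    # depends only on WHICH bit was flipped, never on the message, so every
    # entry is exactly 0 or 1 and the deviation is the maximum possible, 0.5.
    print("CRC32   worst deviation:", sac_deviation(flip_frequencies(crc32, MESSAGES)))
```
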
34. Merkle-Damgård Design
A hash function must be able to process an arbitrary-length message into a fixed-length output. This is achieved by breaking the input up into blocks. The last block processed should also be unambiguously length padded.
This construction is called the Merkle-Damgård construction. Most widely used hash functions, including SHA-1 and MD5, take this form.

35. Merkle-Damgård construction is as resistant to collisions as is its compression function—every collision for the full hash function can be traced back to a collision in the compression function.
The construction has certain inherent flaws, including length-extension and generate-and-paste attacks, and cannot be parallelized.
Many candidate hash functions in the current NIST competition are built on different constructions.

36. Practical Hash Functions and their Known Strength
37. Lecture 5: Time-stamping as an Application for Hash Functions
Time-stamping is one of the areas where cryptographic hash functions are used. We introduce the basic concepts of time-stamping and describe how the hash functions can be and are used to create efficient practical designs for secure time-stamping services.

38. Motivation
Proving that a document (file) existed at certain time.
Usage examples:
• Intellectual property—knowing the earliest time stamp for an invention would be a strong argument for the authorship.
• Revocation of signature keys—when a signature key has been revoked, it should still be possible to distinguish between the signatures created before the revocation and those created after.
Note that just having a time stamp for a document does not prove that you knew the contents of the document at that time. Knowing a hash of a document does not imply the knowledge of contents.
Time stamps are not intended to prove the ownership of information but rather the existence (i.e. that somebody or something had the contents).

39. Trivial Solution with a Trusted Server
A trivial solution may be (and is) used which involves a trusted server, who receives hash values of documents from clients and signs them together with current time. The main shortcomings of this solution are:
• We have to trust the server completely; the server can never be assumed to be malicious.
• If the signature key of the server accidentally becomes public, then all the previous time stamps become useless.

40. Hash and Publish Solution
A hash of a document (or a hash of a batch of documents) is published in a widely witnessed way like in newspapers or in public web-pages.
This provides an irrefutable proof of existence of those documents at the time of publishing.

41. Merkle Tree: How to publish many hashes?

42. Time Stamp = Hash Chain
For example, for Document 1, the time stamp contains:
• hash 00, to establish a connection between Document 1 and hash 0.
• hash 1, to establish a connection between hash 0 and root hash.
Such time stamps are compact because the number of hashes in a time stamp is logarithmic in the number of leaves.

43. Efficient Hash and Publish with Merkle Trees
A hash tree is created every second and the root hash values are published in a widely witnessed way.
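
The hash-and-publish scheme of slides 40 to 43 in working form. This is an added example, not part of the original slides and not the code of any real time-stamping service; SHA-256, the left/right step encoding and the function names are assumptions of the example. Documents are numbered from 0, so Document 1 is the second leaf and its time stamp consists of hash 00 and hash 1, as on slide 42.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_tree(leaf_hashes):
    """Return all levels of the hash tree: levels[0] are the leaves,
    levels[-1] is [root]. The leaf count must be a power of two, which
    gives every time stamp of one round the same fixed shape."""
    n = len(leaf_hashes)
    if n == 0 or n & (n - 1):
        raise ValueError("number of leaves must be a power of two")
    levels = [list(leaf_hashes)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def hash_chain(levels, index):
    """Time stamp for leaf `index`: one (side, sibling hash) step per tree
    level, where side says whether the sibling is the left or right input."""
    chain = []
    for level in levels[:-1]:
        sibling = index ^ 1
        chain.append(("L" if sibling < index else "R", level[sibling]))
        index >>= 1
    return chain


def verify(document: bytes, chain, published_root: bytes) -> bool:
    """Recompute the path from the document to the root and compare it with
    the widely witnessed root hash. Only the document, the chain and the
    published root are needed; the service is not trusted."""
    node = h(document)
    for side, sibling in chain:
        if side == "L":
            node = h(sibling + node)
        elif side == "R":
            node = h(node + sibling)
        else:
            return False
    return hmac.compare_digest(node, published_root)


# Constructed sample input: one round with four documents.
DOCS = [b"Document 0", b"Document 1", b"Document 2", b"Document 3"]

if __name__ == "__main__":
    levels = build_tree([h(d) for d in DOCS])
    root = levels[-1][0]
    stamp = hash_chain(levels, 1)
    print("published root:", root.hex())
    print("steps in time stamp of Document 1:", [(s, x.hex()[:8]) for s, x in stamp])
    print("valid:", verify(DOCS[1], stamp, root))
    print("modified document accepted:", verify(b"Document 1 (edited)", stamp, root))
```
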
44. Lecture 6: Security Requirements for Hash Functions Used in Time-Stamping
What do we require from a secure time-stamping solution and what kind of cryptographic hash functions do we need? It turned out that it is not easy to consistently formalize the concept of a secure time-stamping scheme. It also turned out that the three classical security requirements for hash functions are not exactly what we need in time-stamping schemes. We explain why the early attempts to formalize the security of time-stamping failed and outline the consistent definitions that are known today.

45. An Early Attempt to Define a Security Condition
In 1997, Haber and Stornetta proposed the following adversary $A$:
• $A$ sends requests $x_1, \ldots, x_m$ to a server, and after the server has created a hash tree and published the root hash $r$,
• $A$ comes up with $x \notin \{x_1, \ldots, x_m\}$ and a hash chain from $x$ to $r$.

46. Inconsistency of the Condition
Adversary may send a request $x_1 = h(x, x')$, so that $x \notin \{x_1, \ldots, x_m\}$.
A hash chain from $x_1$ to $r$ can easily be extended for $x$ by just adding a step that contains $x'$ and establishes a connection between $x$ and $x_1$.
The security condition is violated, but nothing is back-dated. The request $x$ should be "new" and not have been involved in pre-computations.

47. Unpredictable Adversaries
An improved security condition proposed by Buldas and Saarepera (2004) and refined by Buldas and Laur (2006) assumes that the new request $x$ is chosen (by the adversary) in a random way.
More formally, it is assumed that the new request should be unpredictable even having all data that the adversary had in the first stage of the attack.

48. This means that any efficient predicting algorithm $\Pi$ that has access to all computations of the first stage of the adversary can guess the value of $x$ (computed by the second stage of $A$) only with negligible probability.

49. Improved Condition with Unpredictable Adversaries
Time-stamping scheme should be secure against all efficient unpredictable adversaries $A$:
• $A$ sends requests $x_1, \ldots, x_m$ to server, and after the server has created a hash tree and published the root hash $r$,
• $A$ outputs an unpredictable request $x$ and a hash chain from $x$ to $r$.

50. As $A$ is unpredictable, the condition $x \notin \{x_1, \ldots, x_m\}$ is no longer necessary. Moreover, this would be very hard to test in practice because the list of all requests is too large and cannot be examined by any real observer.
Also, $A$ may just send one single request $r$ to the service without revealing how it is computed. Hence, the attack scenario reduces to:
• $A$ publishes $r$,
• $A$ comes up with an unpredictable request $x$ together with a correct hash chain from $x$ to $r$.

51. Collision-Resistance is Still Insufficient
Improper computation of $r$ may help to back-date new requests without exposing collisions.
It might be possible to compute root hash values for very large hash trees without actually computing all nodes of the tree.
If you know that $1 + 2 + \ldots + 100 = 5050$ this does not mean that you actually summed up all these integers—you might use the multiplication instead: $1 + 2 + \ldots + 100 = \frac{100 \cdot 101}{2} = 5050$.
Buldas and Saarepera (2004): if collision-resistant functions exist, then there is a collision-free hash function that enables back-dating random documents.

52. Hash Chain Limitations as a Solution
The hash tree used for time-stamping should somehow be restricted (for example, length limitations to hash chains, fixed shape of the tree, etc.).
First correct security proof for restricted schemes was given by Buldas and Saarepera (2004).
For example, in the Guardtime system, there are explicit length restrictions for hash chains:
• Each hash step includes a length byte that represents the number of preceding steps in the hash chain.
• Verification procedure checks whether the length bytes are in increasing order.

53. Why Collision-Resistance and One-Wayness are Unnecessary?
Say, we can find a collision $h(X) = h(X')$ where $X$ and $X'$ are two different documents and obtain a time stamp for $h(X)$.
The fact that we also get a time stamp for $X'$ this way should not be considered as an attack against the time-stamping scheme, because nothing is back-dated!
The adversary can only get two time stamps for the price of one!
Buldas and Laur (2006): if there exists a hash function $h$ that is secure for time-stamping schemes, then there is a hash function $h'$ that is secure for time-stamping but is not collision-resistant and not even one-way.

54. Such a hash function $h'$ can be defined as follows:
$$h'(x) = \begin{cases} y & \text{if } x = yy \\ h(x) & \text{otherwise} \end{cases}$$
i.e. $h'$ is the same as $h$, except that $h'(yy) = y$ for any $y$.
The point being that whenever there is a hash chain (produced by the adversary) that contains $h'$-specific hash steps in the form $h'(yy) = y$, then we can simply delete such steps without breaking the correctness (changing the output value) of the hash chain.
Hence, the modification $h \to h'$ cannot be the cause of insecurity—if back-dating is easy with $h'$ then it is also easy with $h$.
55. Lecture 7: Security Proofs for Time-Stamping
Secure time-stamping schemes require hash functions with security properties that are not directly related to the three classical security goals for cryptographic hash functions: one-wayness, second pre-image resistance, and collision resistance. Hence, there are no guarantees that such functions are secure for time-stamping. In this lecture, we will see how to define restrictions in time-stamping schemes so that the classical security properties of hash functions become sufficient for their use in the (restricted) time-stamping schemes. Based on the known research results in this area, we draw some conclusions about the security of practical time-stamping schemes.

56. Collision Extraction From Hash Chains
The proof from Asiacrypt 2004 uses the following fact on hash functions: If there are two hash chains of the same shape that have different inputs $x$ and $x'$ and the same output $y$, then having those two hash chains, it is easy to extract a collision for the hash function.

57. Two Chains with Different Shape
Two chains of different shape do not necessarily produce a collision. For example, if they belong to one and the same tree:

58. Outline of the Security Proof from Asiacrypt 2004
The collision-finder $A'$ executes the first stage of the adversary to produce a published hash value $r$, and then executes the second stage twice in order to have two successfully back-dated requests $x$ and $x'$ with two hash chains of the same shape.

59. Efficiency of the Collision Finder
If there are $N$ allowed shapes for hash chains, and $\delta_1, \ldots, \delta_N$ are the probabilities that $A$ succeeds with a hash chain of the corresponding shape, then the overall success probability of $A$ is $\delta = \delta_1 + \ldots + \delta_N$.
As the values $x$ and $x'$ are unpredictable, $\Pr[x = x']$ is negligible. Hence, the success of the collision-finding adversary is about
$$\delta' \approx \delta_1^2 + \ldots + \delta_N^2 = N \cdot \frac{\delta_1^2 + \ldots + \delta_N^2}{N} \ge N \cdot \left(\frac{\delta_1 + \ldots + \delta_N}{N}\right)^2 = N \cdot \left(\frac{\delta}{N}\right)^2 = \frac{\delta^2}{N} .$$
As the running time $t'$ of the collision finder $A'$ is about twice the running time of $A$, we have that the time-success ratio of $A'$ is:
$$\frac{t'}{\delta'} \approx 2N \cdot \frac{t}{\delta^2} ,$$
which means that if we want to have a $\frac{t}{\delta}$-secure time stamping scheme, we have to use a $2N \cdot \frac{t}{\delta^2}$-secure hash function.

60. An Improved Reduction
A recently published security proof by Buldas and Niitsoo (2010) establishes a security reduction in which (for having $\frac{t}{\delta}$-security), the hash function must be about $14 \cdot \sqrt{N} \cdot \frac{t}{\delta^{1.5}}$-secure, i.e.
$$\frac{t'}{\delta'} \approx 14 \sqrt{N} \cdot \frac{t}{\delta^{1.5}} ,$$
which is much more efficient than in the previous reductions.
This is the first security reduction that implies the security of global scale time-stamping schemes that use 256-bit hash functions.

61. The collision-finding adversary executes the second stage of the collision-finding adversary $m$ times (instead of two, as in the proof of Asiacrypt 2004), with $m = \frac{N}{\delta}$ where $\delta$ is the success of $A$.

62. Conclusions for Practical Schemes
What is $N$ for practical schemes? It is not constant but grows over time.
If a new tree of size $C$ is produced every second, then $N = \tau \cdot C$, where $\tau$ is the running time of the adversary, measured in seconds.
In security proofs, however, the running time $t$ of $A$ is measured in computational steps.
World's total computational power: It has been estimated that the computational power of the whole world is close to $2^{62}$ operations per second (from 2007). We assume that this has grown to about $P = 2^{64}$.

63. It is natural to assume that $t \approx 2^{64} \cdot \tau$, and hence
$$N \approx \frac{C \cdot t}{P} .$$
The efficiency formulae for the two reductions are as follows:
$$\frac{t'}{\delta'} \approx \frac{2C}{P} \cdot \left(\frac{t}{\delta}\right)^2 \quad (2004), \qquad \frac{t'}{\delta'} \approx 14 \sqrt{\frac{C}{P}} \cdot \left(\frac{t}{\delta}\right)^{1.5} \quad (2010)$$

64. Conclusions for Practical Schemes
For having a $\frac{t}{\delta}$-secure time-stamping scheme, we have to use $\frac{t'}{\delta'}$-secure hash functions, which means that if they are secure (to the Birthday barrier) their output in bits should be
$$k \approx 2 \cdot \log_2 \frac{t'}{\delta'} .$$
By denoting $c = \log_2 C$ and $s = \log_2 \frac{t}{\delta}$, we deduce from the efficiency formulae that:
$$k \approx 2(1 + c - 64 + 2s) = 2c + 4s - 126 \quad (2004)$$
$$k \approx 2\left(4 + \frac{c}{2} - 32 + 1.5s\right) = c + 3s - 56 \quad (2010)$$