SlideShare a Scribd company logo

Hashfunction

Download as PPTX, PDF
L
Luis Goldster

t

Technology
1 of 35
Lect. 16- 17: Hash Functions and MAC
2 1. Introduction - Hash Function vs. MAC 2. Hash Functions  Security Requirements  Finding collisions – birthday paradox  Dedicated hash functions  SHA-1  Hash functions based on block ciphers Contents
3 1. Hash Functions vs. MAC
4  Hash Function Generate a fixed length “Fingerprint” for an arbitrary length message No Key involved Must be at least One-way to be useful  Applications Keyed hash: MAC/ICV generation Unkeyed hash: digital signature, password file, key stream / pseudo-random number generator  Constructions Iterated hash functions (MD4-family hash functions): MD5, SHA1, SHA2, RMD160, HAS160 Hash functions based on block ciphers: MDC(Manipulation Detection Code) Hash Functions H Message M Message Digest D D = H(M)
5  MAC  Generate a fixed length MAC for an arbitrary length message  A keyed hash function  Message origin authentication  Message integrity  Entity authentication  Transaction authentication  Constructions  Keyed hash: HMAC, KMAC  Block cipher: CBC-MAC  Dedicated MAC: MAA, UMAC Message Authentication Codes (MACs) MAC SEND MAC MAC Shared Secret Key
6 Comparison of Hash Function & MAC Hash function Arbitrary length message Hash fixed length MAC function Arbitrary length message MAC fixed length Secret key  Easy to compute  Compression: arbitrary length input to fixed length output  Unkeyed function vs. Keyed function
7 Symmetric Authentication (MAC) Secret key algorithm KAB Shared Secret key between Alice and Bob Secret key algorithm KAB yes no Message MAC transmit Message MAC MAC Alice Bob Shared Secret key between Alice and Bob
8 Digital Signature Hash function Alice’s Public keyyes no Message Signature transmit Message Signature Alice Bob Public key algorithm Alice’s Private key Hash value Hash function Hash value 1 Public key algorithm Hash value 2
9  MAC (Message Authentication Code)  Generated and verified by a secret key algorithm  Message origin authentication & Message integrity  Schemes  Keyed hash: HMAC  Block cipher: CBC-MAC, XCBC-MAC  Dedicated MAC: UMAC  Digital Signature  Generated and verified by a public key algorithm and a hash function  Message origin authentication & Message integrity  Non-repudiation  Schemes Hash + Digital signature algorithm RSA; DSA, KCDSA; ECDSA, EC-KCDSA MAC and Digital Signature
10 2. Hash Functions
11 Hash Functions – Requirements  Definition  Compression: arbitrary length input to fixed length output  Ease of computation  Security Properties  Preimage resistance (One-wayness) :  Given y, it is computationally infeasible to find any input x such that y = h(x)  2nd preimage resistance (Weak collision resistance) :  Given x, it is computationally infeasible to find another input x  x such that h(x) = h(x)  Collision resistance (Strong collision resistance) :  It is computationally infeasible to find any two distinct inputs x and x such that h(x) = h(x)
12 Brute Force Attack on One-Way Hash Functions h mi h(mi) Given y, find m such that h(m) = y n bits h(mi) = y ? for i = 1, 2, . . . 2n Arbitrary message m Or m of the same meaning ?
13 Constructing Multiple Versions of the Same Message I state thereby that I borrowed $10,000 from confirm received ten thousand dollars Mr. Kris Gaj on October 15, 2001. This money Dr. Krzysztof 15 October amount of money should be returned to Mr. Gaj by November 30, 2001. is required to given back Dr. 30 November 11 different positions of similar expressions  211 different messages of the same meaning
14 Finding Collision in Collision-Resistant Hash Functions h mi h(mi) Find any two distinct messages m, m such that h(m) = h(m). n bits for i = 1, 2, . . . 2m h mi h(mi) n bits How large m should be to get a match ?
15 Birthday Paradox How many students there must be in a class for there be a greater than 50% chance that 1. One of the students shares the teacher’s birthday ? (complexity breaking one-wayness) 365/2  188 2. Any two of the students share the same birthday ? (complexity breaking collision resistance) 1 – 365  364  . . .  (365-k+1) / 365k > 0.5  k  23 In general, the probability of a match being found when k samples are randomly selected between 1 and n equals ( 1) 2 ! 1 1 ( )! k k n k n e n k n      
16 One Million $ Hardware Brute Force Attack  One-Way Hash Functions (complexity = 2n) n = 64 n = 80 n = 128 Year 2001 4 days 718 years 1017 years  Collision-Resistant Hash Functions (complexity = 2n/2) n = 128 n = 160 n = 256 Year 2001 4 days 718 years 1017 years
17 f f f fIV=H0 H1 H2 Ht-1 Ht. . . b b b b n n n n n n Legend:  IV : Initial Value  Hi : i-th Chaining variable  Mi : i-th input block  f : Compression function  g : Output transformation (optional)  t : Number of input blocks  b : Block size in bits  n : Hash code size in bits g h(m) General Construction of a Secure Hash Function Message m 100…000 length M1 M2 M3 Mt Padding & length encoding
18 General Construction of a Secure Hash Function f Hi-1 Hi Mi b n n Entire hash Compression Function (fixed-size hash function) H0 = IV Hi = f (Hi-1, Mi) for 1  i  t H(m) = g(Ht) Fact(by Merkle-Damgård) Any collision-resistant compression function f can be extended to a collision-resistant hash function h
19 Typical Hash Padding Message m 100…000 length 64 bit integer (bit-length of message m)  Assume Block size = 512 bits (MD5, SHA1, RMD160, HAS160 …) Last 512-bit block Let r = |m| mod 512 If 512-r > 64 padding = 512-(r+64) bits else padding = 512-r+448 bits (two padding blocks)
20 Classification of Hash Functions Dedicated (Customized) Based on block ciphers Based on Modular Arith. MD2 MD4 MD5 SHA0 SHA1 RIPEMD-128 RIPEMD-160 HAS-160 MDC-1 MDC-2 MDC-4 MASH-1Broken Broken Broken Broken Reduced round Version broken SHA2 Weakness discovered
21 SHA (Secure Hash Algorithm) (1/2)  SHA was designed by NIST (national institute of standards and technology) & NSA (National Security Agency)  US standard for use with DSA signature scheme  The algorithm is SHA, the standard is SHS  Based on the design of MD4 and MD5 by R. Rivest MIT SHA-0: FIPS PUB 180, 1993 SHA-1: FIPS Pub 180-1, 1995 bitwise rotation of message schedule of SHA-0 changed widely-used security applications and protocols such as TLS and SSL, PGP, SSH, S/MIME, and IPsec SHA-2: FIPS Pub 180-2, 2001 SHA-224, SHA-256, SHA-384, and SHA-512 Not so popular as SHA-1 * Federal Information Processing Standard
22 Algorithm and variant Output size (bits) Internal state siz e (bits) Block size (bits) Max me- ssage siz e (bits) Word size (bits) Rounds Operation Collisions found SHA-0 160 160 512 264 − 1 32 80 +,and,or, xor,rot Yes SHA-1 160 160 512 264 − 1 32 80 +,and,or, xor,rot Yes (252 attack (*)[ SHA-2 SHA-25 6/224 256/224 256 512 264 − 1 32 64 +,and,or, xor,shr,rot None SHA-51 2/384 512/384 512 1024 2128 − 1 64 80 +,and,or, xor,shr,rot None SHA (Secure Hash Algorithm) (2/2) * Cameron McDonald, Philip Hawkes and Josef Pieprzyk, SHA-1 collisions now 2^52, Eurocrypt 2009 Rump session, http://eurocrypt2009rump.cr.yp.to/ 837a0a8086fa6ca714249409ddfae43d.pdf.
23 SHA-1 Overview round 0 f1, ABCDE, Yq, K0, w0 round 1 f2, ABCDE, Yq, K1, w1 round 79 f80, ABCDE, Yq, K79, w79 A B C D E A B C D E    160 CVq+1 CVq A B C D E 160 Yq 512
24 SHA-1 round function EDCBA EDCBA Input buffer Output buffer ft CLS5 CLS30 Wt Kt Constants From message Boolean function Cyclic left shift
25 SHA-1 Initial values A = 6 7 4 5 2 3 0 1 B = E F C D A B 8 9 C = 9 8 B A D C F E D = 1 0 3 2 5 4 7 6 E = C 3 D 2 E 1 F 0 Constants Kt t = 0 ~ 19 Kt = 5 A 8 2 7 9 9 9 t = 20 ~ 39 Kt = 6 E D 9 E B A 1 t = 40 ~ 59 Kt = 8 F 1 B B C D C t = 60 ~ 79 Kt = C A 6 2 C 1 D 6 Boolean function ft t = 0 ~ 19 ft (B, C, D) = B · C + B · D t = 20 ~ 39 ft (B, C, D) = B  C  D t = 40 ~ 59 ft (B, C, D) = B · C + B · D + C · D t = 60 ~ 79 ft (B, C, D) = B  C  D
26 SHA-1 message inputs Yq 512-bit  32 w0 32 w1 32 w15 w16 wt w79  CLS1 w0 w13 w2 w8 CLS1 wt–16 wt–3 wt–14 wt–8 CLS1 w63 w76 w65 w71 CLS: Cyclic Left Shift
27 Step Operations of MD5 & SHA1 A B C D E A B C D E fr <<30 <<5 + + + + Mi Kr 0 1 19. . . . . . D C B A D C B A fr <<si + Mi Kr + + + 0 115 Big endian Little endian
28 Step Operations of SHA1 & HAS160 A B C D E A B C D E fr <<30 <<5 + + + + Mi Kr ABCDE ABCDE fr <<sr <<si + + + + Mi Kr 0 1 19 1 019 <<sr . . . . . .
29 Comparison of Popular Hash Functions Hash Func. MD5 SHA1 RMD160 HAS160 Digest size(bits) 128 160 160 160 Block size(bits) 512 512 512 512 No of steps 64(4x16) 80(4x20) 160(5x2x16) 80(4x20) Boolean func. 4 4(3) 5 4(3) Constants 64 4 9 4 Endianness Little Big Little Little Speed ratio 1.0 0.57 0.5 0.94
30 Hash Functions Based on Block Ciphers: MDC1 Matyas-Meyer-Oseas Scheme g: a function mapping an input Hi to a key suitable for E, might be the identity function Compression function f Eg Hi MiHi-1 block size block size block size • Provably Secure under an appropriate black- box model • But produces too short hash codes for use in most applications
31 Hash Functions Based on Block Ciphers: MDC2 Compression function f Mi Hi EgHi-1 A B E g C D A D C B Hi-1  Hi 
Ex. of MD5 Collisions 32 Collision1.bin Collision2.bin Same MD5 Hashed Value !!
Practical Collision Attacks (MD5) • Colliding valid X.509 certificates – Lenstra, Wang, Weger, forged X.509 certificates, http://eprint.iacr.org/2005/067.pdf Same owner with different public keys (2048 bits) – Stevens, Lenstra, Weger, Eurocrypt 2007 8192-bit public key (8-block collision) – Stevens etc. Crypto 2009 Pass the browser authentication, different owners, different public keys (See next page.) 33
X.509v3 Real and Fake Certificates 34
SHA-3 Project 35

Recommended

A Comparative Analysis between SHA and MD5 algorithms
A Comparative Analysis between SHA and MD5 algorithms A Comparative Analysis between SHA and MD5 algorithms
A Comparative Analysis between SHA and MD5 algorithms Er Piyush Gupta IN ⊞⌘
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted DataNew York Technology Council
 
Rsa Signature: Behind The Scenes
Rsa Signature: Behind The Scenes Rsa Signature: Behind The Scenes
Rsa Signature: Behind The Scenes acijjournal
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackAnkita Kapratwar
 
Codes and Isogenies
Codes and IsogeniesCodes and Isogenies
Codes and IsogeniesPriyanka Aash
 
Chapter 03 cyclic codes
Chapter 03 cyclic codesChapter 03 cyclic codes
Chapter 03 cyclic codesManoj Krishna Yadavalli
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryptionsecurityxploded
 
CRC JAVA CODE
CRC JAVA CODECRC JAVA CODE
CRC JAVA CODEsandeep101026
 

Recommended

A Comparative Analysis between SHA and MD5 algorithms
A Comparative Analysis between SHA and MD5 algorithms A Comparative Analysis between SHA and MD5 algorithms
A Comparative Analysis between SHA and MD5 algorithms Er Piyush Gupta IN ⊞⌘
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted DataNew York Technology Council
 
Rsa Signature: Behind The Scenes
Rsa Signature: Behind The Scenes Rsa Signature: Behind The Scenes
Rsa Signature: Behind The Scenes acijjournal
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackAnkita Kapratwar
 
Codes and Isogenies
Codes and IsogeniesCodes and Isogenies
Codes and IsogeniesPriyanka Aash
 
Chapter 03 cyclic codes
Chapter 03 cyclic codesChapter 03 cyclic codes
Chapter 03 cyclic codesManoj Krishna Yadavalli
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryptionsecurityxploded
 
CRC JAVA CODE
CRC JAVA CODECRC JAVA CODE
CRC JAVA CODEsandeep101026
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key AlgorithmsBit Hacker
 
Cryptography
CryptographyCryptography
CryptographyDavid Evans
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyDavid Evans
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVictor Pereira
 
DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE
DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE
DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE ShivangiSingh241
 
Tele4653 l11
Tele4653 l11Tele4653 l11
Tele4653 l11Vin Voro
 
Bch codes
Bch codesBch codes
Bch codesGaurav Thakur
 
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...Madhumita Tamhane
 
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryptioniosrjce
 
Information Theory and Coding Question Bank
Information Theory and Coding Question BankInformation Theory and Coding Question Bank
Information Theory and Coding Question Bankmiraclebabu
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2Fahad Layth
 
Rsa diffi-network security-itt
Rsa diffi-network security-ittRsa diffi-network security-itt
Rsa diffi-network security-ittrameshvvv
 
Error Detection and Correction in SRAM Cell Using Decimal Matrix Code
Error Detection and Correction in SRAM Cell Using Decimal Matrix CodeError Detection and Correction in SRAM Cell Using Decimal Matrix Code
Error Detection and Correction in SRAM Cell Using Decimal Matrix Codeiosrjce
 
Hamming codes
Hamming codesHamming codes
Hamming codesGIGI JOSEPH
 
Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoDavid Hoen
 
Xml schema
Xml schemaXml schema
Xml schemaDavid Hoen
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practiceLuis Goldster
 
Decision tree
Decision treeDecision tree
Decision treeHarry Potter
 
Crypto passport authentication
Crypto passport authenticationCrypto passport authentication
Crypto passport authenticationHarry Potter
 
Hash crypto
Hash cryptoHash crypto
Hash cryptoLuis Goldster
 
Building a-database
Building a-databaseBuilding a-database
Building a-databaseYoung Alista
 
Basic dns-mod
Basic dns-modBasic dns-mod
Basic dns-modDavid Hoen
 

More Related Content

What's hot

Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key AlgorithmsBit Hacker
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyDavid Evans
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVictor Pereira
 
DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE
DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE
DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE ShivangiSingh241
 
Tele4653 l11
Tele4653 l11Tele4653 l11
Tele4653 l11Vin Voro
 
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...Madhumita Tamhane
 
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryptioniosrjce
 
Information Theory and Coding Question Bank
Information Theory and Coding Question BankInformation Theory and Coding Question Bank
Information Theory and Coding Question Bankmiraclebabu
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2Fahad Layth
 
Rsa diffi-network security-itt
Rsa diffi-network security-ittRsa diffi-network security-itt
Rsa diffi-network security-ittrameshvvv
 
Error Detection and Correction in SRAM Cell Using Decimal Matrix Code
Error Detection and Correction in SRAM Cell Using Decimal Matrix CodeError Detection and Correction in SRAM Cell Using Decimal Matrix Code
Error Detection and Correction in SRAM Cell Using Decimal Matrix Codeiosrjce
 

What's hot (14)

Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key Algorithms
 
Cryptography
CryptographyCryptography
Cryptography
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE
DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE
DIGITAL COMMUNICATION: ENCODING AND DECODING OF CYCLIC CODE
 
Tele4653 l11
Tele4653 l11Tele4653 l11
Tele4653 l11
 
Bch codes
Bch codesBch codes
Bch codes
 
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
 
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryption
 
Information Theory and Coding Question Bank
Information Theory and Coding Question BankInformation Theory and Coding Question Bank
Information Theory and Coding Question Bank
 
RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2
 
Rsa diffi-network security-itt
Rsa diffi-network security-ittRsa diffi-network security-itt
Rsa diffi-network security-itt
 
Error Detection and Correction in SRAM Cell Using Decimal Matrix Code
Error Detection and Correction in SRAM Cell Using Decimal Matrix CodeError Detection and Correction in SRAM Cell Using Decimal Matrix Code
Error Detection and Correction in SRAM Cell Using Decimal Matrix Code
 
Hamming codes
Hamming codesHamming codes
Hamming codes
 

Viewers also liked

Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_cryptoDavid Hoen
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practiceLuis Goldster
 
Crypto passport authentication
Crypto passport authenticationCrypto passport authentication
Crypto passport authenticationHarry Potter
 
Building a-database
Building a-databaseBuilding a-database
Building a-databaseYoung Alista
 
Introduction to prolog
Introduction to prologIntroduction to prolog
Introduction to prologDavid Hoen
 
Database introduction
Database introductionDatabase introduction
Database introductionLuis Goldster
 
Sql database object
Sql database objectSql database object
Sql database objectYoung Alista
 
Prolog programming
Prolog programmingProlog programming
Prolog programmingYoung Alista
 
Information retrieval
Information retrievalInformation retrieval
Information retrievalDavid Hoen
 
Xml stylus studio
Xml stylus studioXml stylus studio
Xml stylus studioJames Wong
 
Key exchange in crypto
Key exchange in cryptoKey exchange in crypto
Key exchange in cryptoDavid Hoen
 

Viewers also liked (20)

Introduction to security_and_crypto
Introduction to security_and_cryptoIntroduction to security_and_crypto
Introduction to security_and_crypto
 
Xml schema
Xml schemaXml schema
Xml schema
 
Crypto theory to practice
Crypto theory to practiceCrypto theory to practice
Crypto theory to practice
 
Decision tree
Decision treeDecision tree
Decision tree
 
Crypto passport authentication
Crypto passport authenticationCrypto passport authentication
Crypto passport authentication
 
Hash crypto
Hash cryptoHash crypto
Hash crypto
 
Building a-database
Building a-databaseBuilding a-database
Building a-database
 
Basic dns-mod
Basic dns-modBasic dns-mod
Basic dns-mod
 
Text classification
Text classificationText classification
Text classification
 
Cryptography
CryptographyCryptography
Cryptography
 
Introduction to prolog
Introduction to prologIntroduction to prolog
Introduction to prolog
 
Database introduction
Database introductionDatabase introduction
Database introduction
 
Basic dns-mod
Basic dns-modBasic dns-mod
Basic dns-mod
 
Xml schema
Xml schemaXml schema
Xml schema
 
Sql database object
Sql database objectSql database object
Sql database object
 
Prolog programming
Prolog programmingProlog programming
Prolog programming
 
Information retrieval
Information retrievalInformation retrieval
Information retrieval
 
Nlp naive bayes
Nlp naive bayesNlp naive bayes
Nlp naive bayes
 
Xml stylus studio
Xml stylus studioXml stylus studio
Xml stylus studio
 
Key exchange in crypto
Key exchange in cryptoKey exchange in crypto
Key exchange in crypto
 

Similar to Hashfunction

20180503_hash_based.pptx
20180503_hash_based.pptx20180503_hash_based.pptx
20180503_hash_based.pptxnagalakshmig4
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Svetlin Nakov
 
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Svetlin Nakov
 
Hash Techniques in Cryptography
Hash Techniques in CryptographyHash Techniques in Cryptography
Hash Techniques in CryptographyBasudev Saha
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithmsYoung Alista
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithmsJames Wong
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithmsTony Nguyen
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithmsFraboni Ec
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithmsDavid Hoen
 
Hash& mac algorithms
Hash& mac algorithmsHash& mac algorithms
Hash& mac algorithmsHarry Potter
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeShakacon
 
introduction to cryptography (basics of it)
introduction to cryptography (basics of it)introduction to cryptography (basics of it)
introduction to cryptography (basics of it)neonaveen
 

Similar to Hashfunction (20)

Secure hashing algorithm
Secure hashing algorithmSecure hashing algorithm
Secure hashing algorithm
 
20180503_hash_based.pptx
20180503_hash_based.pptx20180503_hash_based.pptx
20180503_hash_based.pptx
 
6.hash mac
6.hash mac6.hash mac
6.hash mac
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
 
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
Blockchain Cryptography for Developers (Nakov @ BlockWorld 2018, San Jose)
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authentication
 
SHA
SHASHA
SHA
 
BCH Codes
BCH CodesBCH Codes
BCH Codes
 
27-SHA1.ppt
27-SHA1.ppt27-SHA1.ppt
27-SHA1.ppt
 
Hash Techniques in Cryptography
Hash Techniques in CryptographyHash Techniques in Cryptography
Hash Techniques in Cryptography
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithms
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithms
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithms
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithms
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithms
 
Hash mac algorithms
Hash mac algorithmsHash mac algorithms
Hash mac algorithms
 
Hash& mac algorithms
Hash& mac algorithmsHash& mac algorithms
Hash& mac algorithms
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
 
crypto1.ppt
crypto1.pptcrypto1.ppt
crypto1.ppt
 
introduction to cryptography (basics of it)
introduction to cryptography (basics of it)introduction to cryptography (basics of it)
introduction to cryptography (basics of it)
 

More from Luis Goldster

Ruby on rails evaluation
Ruby on rails evaluationRuby on rails evaluation
Ruby on rails evaluationLuis Goldster
 
Ado.net &amp; data persistence frameworks
Ado.net &amp; data persistence frameworksAdo.net &amp; data persistence frameworks
Ado.net &amp; data persistence frameworksLuis Goldster
 
Multithreading models.ppt
Multithreading models.pptMultithreading models.ppt
Multithreading models.pptLuis Goldster
 
Business analytics and data mining
Business analytics and data miningBusiness analytics and data mining
Business analytics and data miningLuis Goldster
 
Big picture of data mining
Big picture of data miningBig picture of data mining
Big picture of data miningLuis Goldster
 
Data mining and knowledge discovery
Data mining and knowledge discoveryData mining and knowledge discovery
Data mining and knowledge discoveryLuis Goldster
 
Directory based cache coherence
Directory based cache coherenceDirectory based cache coherence
Directory based cache coherenceLuis Goldster
 
Hardware managed cache
Hardware managed cacheHardware managed cache
Hardware managed cacheLuis Goldster
 
How analysis services caching works
How analysis services caching worksHow analysis services caching works
How analysis services caching worksLuis Goldster
 
Optimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessorsOptimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessorsLuis Goldster
 
Object oriented analysis
Object oriented analysisObject oriented analysis
Object oriented analysisLuis Goldster
 
Concurrency with java
Concurrency with javaConcurrency with java
Concurrency with javaLuis Goldster
 

More from Luis Goldster (20)

Ruby on rails evaluation
Ruby on rails evaluationRuby on rails evaluation
Ruby on rails evaluation
 
Design patterns
Design patternsDesign patterns
Design patterns
 
Lisp and scheme i
Lisp and scheme iLisp and scheme i
Lisp and scheme i
 
Ado.net &amp; data persistence frameworks
Ado.net &amp; data persistence frameworksAdo.net &amp; data persistence frameworks
Ado.net &amp; data persistence frameworks
 
Multithreading models.ppt
Multithreading models.pptMultithreading models.ppt
Multithreading models.ppt
 
Business analytics and data mining
Business analytics and data miningBusiness analytics and data mining
Business analytics and data mining
 
Big picture of data mining
Big picture of data miningBig picture of data mining
Big picture of data mining
 
Data mining and knowledge discovery
Data mining and knowledge discoveryData mining and knowledge discovery
Data mining and knowledge discovery
 
Cache recap
Cache recapCache recap
Cache recap
 
Directory based cache coherence
Directory based cache coherenceDirectory based cache coherence
Directory based cache coherence
 
Hardware managed cache
Hardware managed cacheHardware managed cache
Hardware managed cache
 
How analysis services caching works
How analysis services caching worksHow analysis services caching works
How analysis services caching works
 
Abstract data types
Abstract data typesAbstract data types
Abstract data types
 
Optimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessorsOptimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessors
 
Api crash
Api crashApi crash
Api crash
 
Object model
Object modelObject model
Object model
 
Abstraction file
Abstraction fileAbstraction file
Abstraction file
 
Object oriented analysis
Object oriented analysisObject oriented analysis
Object oriented analysis
 
Abstract class
Abstract classAbstract class
Abstract class
 
Concurrency with java
Concurrency with javaConcurrency with java
Concurrency with java
 

Recently uploaded

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Hashfunction

  • 1. Lect. 16- 17: Hash Functions and MAC
  • 2. 2 1. Introduction - Hash Function vs. MAC 2. Hash Functions  Security Requirements  Finding collisions – birthday paradox  Dedicated hash functions  SHA-1  Hash functions based on block ciphers Contents
  • 4. 4  Hash Function Generate a fixed length “Fingerprint” for an arbitrary length message No Key involved Must be at least One-way to be useful  Applications Keyed hash: MAC/ICV generation Unkeyed hash: digital signature, password file, key stream / pseudo-random number generator  Constructions Iterated hash functions (MD4-family hash functions): MD5, SHA1, SHA2, RMD160, HAS160 Hash functions based on block ciphers: MDC(Manipulation Detection Code) Hash Functions H Message M Message Digest D D = H(M)
  • 5. 5  MAC  Generate a fixed length MAC for an arbitrary length message  A keyed hash function  Message origin authentication  Message integrity  Entity authentication  Transaction authentication  Constructions  Keyed hash: HMAC, KMAC  Block cipher: CBC-MAC  Dedicated MAC: MAA, UMAC Message Authentication Codes (MACs) MAC SEND MAC MAC Shared Secret Key
  • 6. 6 Comparison of Hash Function & MAC Hash function Arbitrary length message Hash fixed length MAC function Arbitrary length message MAC fixed length Secret key  Easy to compute  Compression: arbitrary length input to fixed length output  Unkeyed function vs. Keyed function
  • 7. 7 Symmetric Authentication (MAC) Secret key algorithm KAB Shared Secret key between Alice and Bob Secret key algorithm KAB yes no Message MAC transmit Message MAC MAC Alice Bob Shared Secret key between Alice and Bob
  • 8. 8 Digital Signature Hash function Alice’s Public keyyes no Message Signature transmit Message Signature Alice Bob Public key algorithm Alice’s Private key Hash value Hash function Hash value 1 Public key algorithm Hash value 2
  • 9. 9  MAC (Message Authentication Code)  Generated and verified by a secret key algorithm  Message origin authentication & Message integrity  Schemes  Keyed hash: HMAC  Block cipher: CBC-MAC, XCBC-MAC  Dedicated MAC: UMAC  Digital Signature  Generated and verified by a public key algorithm and a hash function  Message origin authentication & Message integrity  Non-repudiation  Schemes Hash + Digital signature algorithm RSA; DSA, KCDSA; ECDSA, EC-KCDSA MAC and Digital Signature
  • 11. 11 Hash Functions – Requirements  Definition  Compression: arbitrary length input to fixed length output  Ease of computation  Security Properties  Preimage resistance (One-wayness) :  Given y, it is computationally infeasible to find any input x such that y = h(x)  2nd preimage resistance (Weak collision resistance) :  Given x, it is computationally infeasible to find another input x  x such that h(x) = h(x)  Collision resistance (Strong collision resistance) :  It is computationally infeasible to find any two distinct inputs x and x such that h(x) = h(x)
  • 12. 12 Brute Force Attack on One-Way Hash Functions h mi h(mi) Given y, find m such that h(m) = y n bits h(mi) = y ? for i = 1, 2, . . . 2n Arbitrary message m Or m of the same meaning ?
  • 13. 13 Constructing Multiple Versions of the Same Message I state thereby that I borrowed $10,000 from confirm received ten thousand dollars Mr. Kris Gaj on October 15, 2001. This money Dr. Krzysztof 15 October amount of money should be returned to Mr. Gaj by November 30, 2001. is required to given back Dr. 30 November 11 different positions of similar expressions  211 different messages of the same meaning
  • 14. 14 Finding Collision in Collision-Resistant Hash Functions h mi h(mi) Find any two distinct messages m, m such that h(m) = h(m). n bits for i = 1, 2, . . . 2m h mi h(mi) n bits How large m should be to get a match ?
  • 15. 15 Birthday Paradox How many students there must be in a class for there be a greater than 50% chance that 1. One of the students shares the teacher’s birthday ? (complexity breaking one-wayness) 365/2  188 2. Any two of the students share the same birthday ? (complexity breaking collision resistance) 1 – 365  364  . . .  (365-k+1) / 365k > 0.5  k  23 In general, the probability of a match being found when k samples are randomly selected between 1 and n equals ( 1) 2 ! 1 1 ( )! k k n k n e n k n      
  • 16. 16 One Million $ Hardware Brute Force Attack  One-Way Hash Functions (complexity = 2n) n = 64 n = 80 n = 128 Year 2001 4 days 718 years 1017 years  Collision-Resistant Hash Functions (complexity = 2n/2) n = 128 n = 160 n = 256 Year 2001 4 days 718 years 1017 years
  • 17. 17 f f f fIV=H0 H1 H2 Ht-1 Ht. . . b b b b n n n n n n Legend:  IV : Initial Value  Hi : i-th Chaining variable  Mi : i-th input block  f : Compression function  g : Output transformation (optional)  t : Number of input blocks  b : Block size in bits  n : Hash code size in bits g h(m) General Construction of a Secure Hash Function Message m 100…000 length M1 M2 M3 Mt Padding & length encoding
  • 18. 18 General Construction of a Secure Hash Function f Hi-1 Hi Mi b n n Entire hash Compression Function (fixed-size hash function) H0 = IV Hi = f (Hi-1, Mi) for 1  i  t H(m) = g(Ht) Fact(by Merkle-Damgård) Any collision-resistant compression function f can be extended to a collision-resistant hash function h
  • 19. 19 Typical Hash Padding Message m 100…000 length 64 bit integer (bit-length of message m)  Assume Block size = 512 bits (MD5, SHA1, RMD160, HAS160 …) Last 512-bit block Let r = |m| mod 512 If 512-r > 64 padding = 512-(r+64) bits else padding = 512-r+448 bits (two padding blocks)
  • 20. 20 Classification of Hash Functions Dedicated (Customized) Based on block ciphers Based on Modular Arith. MD2 MD4 MD5 SHA0 SHA1 RIPEMD-128 RIPEMD-160 HAS-160 MDC-1 MDC-2 MDC-4 MASH-1Broken Broken Broken Broken Reduced round Version broken SHA2 Weakness discovered
  • 21. 21 SHA (Secure Hash Algorithm) (1/2)  SHA was designed by NIST (national institute of standards and technology) & NSA (National Security Agency)  US standard for use with DSA signature scheme  The algorithm is SHA, the standard is SHS  Based on the design of MD4 and MD5 by R. Rivest MIT SHA-0: FIPS PUB 180, 1993 SHA-1: FIPS Pub 180-1, 1995 bitwise rotation of message schedule of SHA-0 changed widely-used security applications and protocols such as TLS and SSL, PGP, SSH, S/MIME, and IPsec SHA-2: FIPS Pub 180-2, 2001 SHA-224, SHA-256, SHA-384, and SHA-512 Not so popular as SHA-1 * Federal Information Processing Standard
  • 22. 22 Algorithm and variant Output size (bits) Internal state siz e (bits) Block size (bits) Max me- ssage siz e (bits) Word size (bits) Rounds Operation Collisions found SHA-0 160 160 512 264 − 1 32 80 +,and,or, xor,rot Yes SHA-1 160 160 512 264 − 1 32 80 +,and,or, xor,rot Yes (252 attack (*)[ SHA-2 SHA-25 6/224 256/224 256 512 264 − 1 32 64 +,and,or, xor,shr,rot None SHA-51 2/384 512/384 512 1024 2128 − 1 64 80 +,and,or, xor,shr,rot None SHA (Secure Hash Algorithm) (2/2) * Cameron McDonald, Philip Hawkes and Josef Pieprzyk, SHA-1 collisions now 2^52, Eurocrypt 2009 Rump session, http://eurocrypt2009rump.cr.yp.to/ 837a0a8086fa6ca714249409ddfae43d.pdf.
  • 23. 23 SHA-1 Overview round 0 f1, ABCDE, Yq, K0, w0 round 1 f2, ABCDE, Yq, K1, w1 round 79 f80, ABCDE, Yq, K79, w79 A B C D E A B C D E    160 CVq+1 CVq A B C D E 160 Yq 512
  • 24. 24 SHA-1 round function EDCBA EDCBA Input buffer Output buffer ft CLS5 CLS30 Wt Kt Constants From message Boolean function Cyclic left shift
  • 25. 25 SHA-1 Initial values A = 6 7 4 5 2 3 0 1 B = E F C D A B 8 9 C = 9 8 B A D C F E D = 1 0 3 2 5 4 7 6 E = C 3 D 2 E 1 F 0 Constants Kt t = 0 ~ 19 Kt = 5 A 8 2 7 9 9 9 t = 20 ~ 39 Kt = 6 E D 9 E B A 1 t = 40 ~ 59 Kt = 8 F 1 B B C D C t = 60 ~ 79 Kt = C A 6 2 C 1 D 6 Boolean function ft t = 0 ~ 19 ft (B, C, D) = B · C + B · D t = 20 ~ 39 ft (B, C, D) = B  C  D t = 40 ~ 59 ft (B, C, D) = B · C + B · D + C · D t = 60 ~ 79 ft (B, C, D) = B  C  D
  • 26. 26 SHA-1 message inputs Yq 512-bit  32 w0 32 w1 32 w15 w16 wt w79  CLS1 w0 w13 w2 w8 CLS1 wt–16 wt–3 wt–14 wt–8 CLS1 w63 w76 w65 w71 CLS: Cyclic Left Shift
  • 27. 27 Step Operations of MD5 & SHA1 A B C D E A B C D E fr <<30 <<5 + + + + Mi Kr 0 1 19. . . . . . D C B A D C B A fr <<si + Mi Kr + + + 0 115 Big endian Little endian
  • 28. 28 Step Operations of SHA1 & HAS160 A B C D E A B C D E fr <<30 <<5 + + + + Mi Kr ABCDE ABCDE fr <<sr <<si + + + + Mi Kr 0 1 19 1 019 <<sr . . . . . .
  • 29. 29 Comparison of Popular Hash Functions Hash Func. MD5 SHA1 RMD160 HAS160 Digest size(bits) 128 160 160 160 Block size(bits) 512 512 512 512 No of steps 64(4x16) 80(4x20) 160(5x2x16) 80(4x20) Boolean func. 4 4(3) 5 4(3) Constants 64 4 9 4 Endianness Little Big Little Little Speed ratio 1.0 0.57 0.5 0.94
  • 30. 30 Hash Functions Based on Block Ciphers: MDC1 Matyas-Meyer-Oseas Scheme g: a function mapping an input Hi to a key suitable for E, might be the identity function Compression function f Eg Hi MiHi-1 block size block size block size • Provably Secure under an appropriate black- box model • But produces too short hash codes for use in most applications
  • 31. 31 Hash Functions Based on Block Ciphers: MDC2 Compression function f Mi Hi EgHi-1 A B E g C D A D C B Hi-1  Hi 
  • 32. Ex. of MD5 Collisions 32 Collision1.bin Collision2.bin Same MD5 Hashed Value !!
  • 33. Practical Collision Attacks (MD5) • Colliding valid X.509 certificates – Lenstra, Wang, Weger, forged X.509 certificates, http://eprint.iacr.org/2005/067.pdf Same owner with different public keys (2048 bits) – Stevens, Lenstra, Weger, Eurocrypt 2007 8192-bit public key (8-block collision) – Stevens etc. Crypto 2009 Pass the browser authentication, different owners, different public keys (See next page.) 33
  • 34. X.509v3 Real and Fake Certificates 34