This document discusses hashing and the random oracle model. It defines cryptographic hash functions as deterministic functions that map arbitrary strings to fixed-length outputs in a way that appears random. The random oracle model assumes an ideal hash function that behaves like a random function. The document discusses collision resistance, preimage resistance, and birthday attacks as they relate to finding collisions or preimages with a given hash function. It provides examples of calculating the number of messages an attacker would need to find collisions or preimages with different probabilities. The document concludes by listing some applications of cryptographic hash functions like password storage, file authenticity, and digital signatures.

1. Hashing &
Random Oracle Model
Sadman Ahmmed | B150305029

2. TOC
Document and Fingerprint
Pigeonhole Principle
Attacks on Random Oracle Model
Checking Integrity
Cryptographic Hash Function Criteria
Random Oracle Model
Birthday Paradox
Applications

3. Problem of the day (message integrity)
Alice
X
Oscar
interfere x
X > X’
X’

4. Solution (Hash Function)
Alice
X
Oscar
interfere x
X > X’
X’
message x (arbitrary length)
eg : 1TB
hash value y = h(x)
fixed length, eg : SHA-1 160 bits
h( x )
y = h(x)h(x) != h(x’)

5. Cryptographic Hash Function
01 A function h maps arbitrary strings of data to fixed length output
02 Deterministic and public, but the mapping should look “random”
h : {0, 1} ∗ → {0, 1} d
03 No secret key, all operations public, anyone can compute h, polytime
computation. Example : MD4, MD5, SHA-1
document/message message digest/fingerprint/authentication tag

6. Random Oracle Model ‘h’
Ideal model of the hash function. we assume there exists an
oracle h such that on input , x ∈ {0, 1}∗
yes
Message Message Digest
hello 1001
hi 1110
h : {0, 1} ∗ → {0, 1} 4
hello T H H T
Hash Table
x
If x has
seen before
y
returns h(x) it previously output
yes
generate deterministic random value
no store
output

7. Fact About ROC
01
Oracle cannot use formula or algorithm to create the digest
Suppose oracle uses the formula h(M) = M mon n, M1 + M2 = M3
h(M3) = (M1+M2) mod n = M1 mod n + M2 mod n = [ h(M1) + h(M2) ] mod n
should have some randomness. eg, secure bidding problem
03 In practice we use pseudo-random functions
02 Unfortunately, a random oracle does not exist since it requires infinite storage

8. Collision (Pigeonhole principle)
Input Space : infinity
Assume 4 bits length
Hash Space : fixed
Assume 4 bits length
n pigeonhole > n+1 pigeons > at least 1 nole is occupied by 2 pigeons
n pigeonhole > kn+1 pigeons > at least 1 nole is occupied by k+1 pigeons
Digest should be shorter than the message, so there are some digests, correspond to more
than one message. Eg, pigeonhole = 4, pigeons = 16 or n = 4, kn+1 = 16, so k is larger than 3.
At least 1 digest corresponds to (k+1) messages.
22 = 424 = 16
Obj 1
Obj 2
Obj 3
Obj 4
Obj 5
.
0
1
2
3

9. Birthday Paradox
How many people must be there in a room to make the probability 50% that at-least two people
in the room have same birthday?
Not easy to calculate 2 people share same rather 2 people not share the same birthday.
Probability of 23 people not having same birthday
= 365/365 x 364/365 x 363/365 x …… x (people 23) 343/365
= 364! / ( 342! X 36522 ) = .492703 > 49.3%
Chance we do = 1 - .4927 = .507 > 50.7%

10. Alice
Bob
Oscar
X
try to decrypt X
Done or undone
interfere X
X > X’
X’
Another Problem (One Way)

11. Alice
Bob
Oscar
X
Knows h( )
interfere X
X > X’
X’
Solution h(x) h(x) != h(x’)

12. Preimage Attack
Given y ∈ {0, 1} d
it is hard to find an x such that h(x) = y
aka. one way
Can’t be done : lossless compression, check sum
Preimage
Resistance
Cryptographic Hash Function Criteria
Birthday Problem 1 What is the
minimum number, k, of the students in
a classroom such that it is likely that at
least one student has a predefined
birthday?

13. Preimage Attack
Algorithm
input: h, D
Choose, any X0 ε x, |x0| = q
for any message M[i] ε x
if (h(M[i]) == D)return M[i]
else return fail
Probability that the hash of an M[i] match with D = 1/N
Probability it does not match with D = 1 - 1/N
Probability, none of q queries match with D = ( 1 - 1/N )q
Success probability Pr[success] = 1 - ( 1 - 1/N )q
e-x = 1 - x + x2/2! - x3/3! + x4/4! + ….
According Taylor Series
If N is large, replace 1-1/N = e-1/N
pr [success] = 1 - e-q/N
If probability 0.5, q = ln(0.5)N = 0.69 x 2n
Attacks on Random Oracle Model

14. Example :
A cryptographic hash function uses a digest of 64 bits. How many
digests does Oscar need to create to find the original message
with the probability more than 0.5?
Suppose, Oscar can test 230 messages per second
it takes ( 0.69 x 2 64 )/ 2 30 = 0.69 x 2 34 seconds, or more than 500 years.
k ≈ 0.69 × 2n ≈ 0.69 x 2 64

15. Alice
Bob
Oscar
X
Found x’, h(x’) = h(x)
X = give oscar 20$
X’ = give oscar 20000$
X’
TCR h(x) h(x) == h(x’)

16. Preimage Attack
Cryptographic Hash Function Criteria
Birthday Problem 2 What is the minimum
number, k, of the students in a classroom
such that it is likely that at least one
student has the same birthday as the
student selected by the professor?
Given x
it is hard to find x ' such that h(x) = h(x ' ) where x != x’
aka, Weak collision-resistance, target collision resistance
Second Preimage
Resistance

17. Preimage Attack
Algorithm
input: h, M
Calculate D = h(M)
Choose, any X0 ε x{M}, |x0| = q-1
for any message M[i] ε x
if (h(M[i]) == D)return M[i]
else return fail
pr [success] = 1 - e-(q-1)/N
If probability 0.5, q = ln(0.5)N + 1 = 0.69 x 2n + 1
Attacks on Random Oracle Model

18. Alice
Bob
Oscar
x1
Found x1,x2, h(x1) = h(x2)
CR, Digital Signature
(x1, y)(x2, y)

19. Preimage Attack
Cryptographic Hash Function Criteria
Birthday Problem 3 What is the
minimum number, k, of the students in a
classroom such that it is likely that at
least two students have the same
birthday?
It is hard to find any pair of inputs x, x '
such that h(x) = h(x ' ) where x != x’
aka , Strong collision-resistance
Collision
Resistance

20. Preimage Attack
Algorithm
input: h
Choose, any x0 ε , |x0| = q
for any message pair M[i], M[i`] ε x
if (h(M[i]) == h(M[i`]))return M[i], M[i`]
else return fail
P (hash of M[0] and M[1] does not collide) = 1 - 1/N
P (hash of M[0] and M[1] does not collide with M[3])
( 1 - 1/N ) ( 1 - 2/N )
Probability of q hash value does cot collide
(1- 1/N) (1 - 2/N) (1 - 3/N) ………………… ( 1 - (q-1)/N)
q-1 q-1
Pr[ No Collisions] = Σ (1 - i/N) = Σ e -i/n = e -q2/N
I=1 I=1
pr [collisions/success] = 1 - e -q2/N
If probability 0.5, q = sqrt ( ln(0.5)N ) = 1.18 x sqrt(N)
= 1.18 x 2n/2 [ N = 2n ]
Attacks on Random Oracle Model

21. Example :
A cryptographic hash function uses a digest of 64 bits. How many
digests does Oscar need to create to find two messages with the
same digest with the probability more than 0.5?
Suppose, Oscar can test 220 messages per second
it takes 1.18 × 212 seconds, or less than two hours
k ≈ 1.18 x 2 n/2 ≈ 1.18 x 2 64/2 ≈ 1.18 x 2 32

22. ● Password Storage
● File Authenticity
● Digital Signature, guarantees that the message came from a said source
● Commitments: In a secure bidding, Alice wants to bid value x, but does not
want to reveal the bid until the auction is over. Alice then computes h(x), and
publicize it, which serves as her commitment. When bidding is over, then she
can reveal x, and x can be verified using h(x)
Application