ICS 454
Principles of Cryptography
Secure Hashing
and DSS
Sultan Almuhammadi
Outline




One-way functions
Secure Hash function
Authentication (example)
Digital Signature Standards (DSS)
Definitions

One-way function f :AB



Given x  A, it is easy to compute f (x)
Given f (x), it is hard to compute x
Trapdoor one-way function




A one-way function f :A  B with a secret s, such that
Given x  A, it is easy to compute f (x)
Given f (x), it is hard to compute x
Given f (x) and s, it is easy to compute x
Examples

One-way function



Multipicative group Zp* with generator g
f (x) = gx mod p
Trapdoor one-way function



Multiplicative group Zn* where n = p.q for primes p,q
f (x) = x2 mod n
The secret is: (p and q)
Hash Function

Definition: one-way hash function h(x)



A one-way hash function operates on an input message
x of arbitrary length, and outputs a fixed-length hash
value h(x).
Given x, it is easy to compute h(x)
Given h(x), it is infeasible to compute x
Hash Function Properties



h can be applied to an input of any size
h produces a fixed-length output
One-way property: Easy to compute h(x), but infeasible
to compute x given h(x)

(Preimage resistance)
Collision resistance property:


Weakly collision-free: Given x, it is infeasible to find y  x,
such that h(x) = h(y)
(Second preimage resistance)
Strongly collision-free: It is infeasible to find any pair (x, y)
such that y  x and h(x) = h(y) (Collision resistance)
Secure Hashing

Definition: h is cryptographically secure if it is a
one-way collision-free hash function.



Note: Strong/weak collision resistance depends on the
sensitivity of the application
Given a message M, h(M) is called the hash value
of M , hash code, or the message digest.
Examples: SHA, MD4, MD5, Whirlpool
Security of Hash Functions

Effort Required for Brute-Force Attack (on average)
One way
2n-1
Weak collision resistance
2n-1
Strong collision resistance
2n/2
General Structure of
Secure Hashing
Secure Hash Algorithm (SHA)


Developed by National Institute of Standards and
Technology (NIST) in 1993.
In 1995, NIST published SHA-1




Based on MD4
Output: 160-bit hash value
In 2002, NIST defined 3 versions (SHA-256,
SHA-384, SHA-512) with hash value lengths:
256, 384, and 512.
In 2005, NIST approved the phase out of SHA-1
and moving to other versions of SHA by 2010.
MD4



MD stands for Message Digest and designed by
Ron Rivest
Output: 128-bit hash values
Design goals (claimed by Rivest)



Strongly collision-free (no attack is better than brutefoce)
The security is based on no assumption (like hardness
of factorization)
MD4 was cryptanalyzed shortly after publishing
and some parts were successfully attacked.
MD5




MD5 is an improved version of MD4
Output: 128-bit hash values
Ron Rivest made several improvements of MD5
over MD4
MD5 was cryptanalyzed but there is no practical
impact on the security of the hash function
Whirlpool


Based on the use of a block cipher for the
compression function (initially DES, later AES)
General drawbacks of using block cipher:





Block ciphers are invertible lack of randomness
Low performance due to slow block ciphers
Weakness due to regularities of block ciphers
Hash value length restriction due to block sizes: h  2b
Since the adoption of AES, Whirlpool overcomes
the above drawbacks.
Whirlpool

Advantages of using AES



Hash code length is 512 bits (same as SHA)
Resistant to usual attacks on block-cipher hashing
Good performance and compact implementation on
software and hardware
Applications of
Secure Hashing


Authentication
Digital Signature
Example: Authentication

Alice logs into a host computer



She identifies herself by a username and a password
The host computer stores a all username-password in a
a database and check for a match.
Authentication using secure hash functions



Alice sends her password to the host
The host hashes the password and compares the hash
value to the value it previously stored
If Eve steals the hash values, she still cannot log in,
since the hash function is one-way and collision-free.
Digital Signature Standard
(DSS)


Proposed by the National Institute of Standards
and Technology (NIST) in 1991
DSS uses a digital signature algorithm (DSA):





Designed to provide only the digital signature function
Cannot be used for encryption or key exchange
Must be a public-key technique (publicly verifiable)
Use the SHA for hashing the message
Example of digital signature approaches:


RSA Approach
DSS Approach
Digital Signature Approaches
(DSS vs. RSA)
Digital Signature Algorithm
(DSA)

NIST adopted DSA based on ElGamal digital
signature with the following parameters:






Prime p of length 512-1024 bits
160-bit prime q such that q | (p – 1)
g is of the form g = h(p-1)/q mod p
Private key: x, Public key: y = gx mod p
The signature (a, b) is computed by:
a = (gr mod p) mod q, for random r < q
b = (r-1 (SHA(M) + x.a)) mod q
The length of the signature (a, b) = 2 x 160 bits