CIS 5371 Cryptography
4b. Collision Resistant Hash Functions
Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography
1
Collision Resistance
A collision in a function H is a pair of distinct
inputs x, x’ for which 𝐻 𝑥 = 𝐻 𝑥 ′ .
Collision resistance is trivial to achieve if
compression is not required (take for example
the identity function)
We shall be dealing with a family of hash
functions indexed by a key s.
H will take as input a key s and a string x and
output a string: 𝐻 𝑠 𝑥 ≝ 𝐻 𝑠, 𝑥 .
2
Definition 5.1, Hash Function
A hash function is a pair of probabilistic
polynomial-time algorithms (Gen, 𝐻) such that:
• 𝐆𝐞𝐧: takes input the security parameter 1𝑛 and
outputs a key 𝑠.
•
H : there is a polynomial 𝑙 such that 𝐻 takes as
input a key 𝑠 and a string 𝑥 ∈ {0,1}∗ and outputs a
string 𝐻 𝑠 𝑥 ∈ {0,1}𝑙(𝑛) .
3
A collision finding experiment
𝐇𝐚𝐬𝐡-𝐜𝐨𝐥𝐥(A,) (𝒏)
1. A ke𝑦 𝑠 is generated by running Gen 1𝑛 .
2. The adversary 𝐴 is given 𝑠 and outputs
a pair 𝑥, 𝑥′.
3. The output of the experiment i𝑠 1 if and only if
― 𝑥 ≠ 𝑥′, and
― 𝐻𝑠 𝑥 = 𝐻𝑠 𝑥′ .
4
Definition 4.12
Collision Resistant Hash Function
A hash function = (Gen, 𝐻) is collision resistant,
if for all probabilistic polynomial-time adversaries
𝐴, there is a negl function such that:
Pr[Hash-coll(A,) 𝑛 = 1] ≤ negl.
5
Weaker notions of security for
Hash Functions
1. Collision resistance. The strongest notion, as
defined earlier.
2. Second pre-image resistance. Informally, given a
key s and a string 𝑥 it is infeasible for a
probabilistic polynomial-time adversary to find
𝑥′ ≠ 𝑥 such that 𝐻 𝑠 𝑥 ′ = 𝐻 𝑠 𝑥 .
3. Pre-image resistance. Informally, given a key s and
a string 𝑦 = 𝐻 𝑠 𝑥 (but not 𝑥) for a randomly
chosen 𝑥, it is infeasible for a probabilistic
polynomial-time adversary to find 𝑥′ ≠ 𝑥 such that
𝐻 𝑠 𝑥 ′ = 𝑦.
6
Weaker notions of security for
Hash Functions
1. Collision resistance  Second pre-image resistance
If given 𝑥 the adversary can find 𝑥′ ≠ 𝑥 such that
𝐻 𝑠 𝑥 ′ = 𝐻 𝑠 𝑥 , then the adversary can find a pair
𝑥′ ≠ 𝑥 with 𝐻 𝑠 𝑥 ′ = 𝐻 𝑠 𝑥 .
2. Second pre-image resistance  Pre-image resistance
If it were possible to invert 𝑦 and find an 𝑥′ such that
𝐻 𝑠 𝑥 ′ = 𝑦, then it would be possible to take a given
input 𝑥 , compute 𝐻 𝑠 (𝑥), and then invert 𝑦 = 𝐻 𝑠 𝑥
to find 𝑥′ ≠ 𝑥 such that 𝐻 𝑠 𝑥 ′ = 𝑦.
7
Generic birthday attack
Birthday problem
Let 𝐻: {0,1}∗ → {0,1}𝑙 be a hash function .
Assume that the values 𝑦 = 𝐻 𝑥 are uniformly
distributed in {0,1}𝑙 and independent .
Assume that 𝑞 arbitrary inputs 𝑥1 , … , 𝑥𝑞 𝜖 {0,1}∗ are
selected.
Then the probability that there is a collision using
𝑞 = Θ(2𝑙/2 ) hash evaluations is greater that ½.
The time taken is O(𝑙 ∙ 2𝑙/2 ).
(One has to sort outputs---assume that one can evaluate a hash function in
constant time.)
8
Improved birthday attack
Memory is a scarcer resource than time:
storing 𝑞 = Θ(2𝑙/2 ) hash evaluations is costly.
9
Improved birthday attack
Improved birthday attack
Let 𝐻: {0,1}∗ → {0,1}𝑙 be a hash function.
Select a random initial value 𝑥0 .
For 𝑖 > 0
Compute 𝑥𝑖 ∶= 𝐻(𝑥𝑖−1 ) and 𝑥2𝑖 ∶= 𝐻(𝐻 𝑥2
𝑖−1
).
If 𝑥𝑖 = 𝑥2𝑖 there is a collusion; else continue.
It can be shown that we get a collision with
probability roughly ½ in 𝑞 = Θ(2𝑙/2 ) steps.
10
Construction 4.12
The Merkle-Damgaard transform
(Gen, ℎ) is a fixed-length collision-resistant hash function
with inputs of length 2𝑙 𝑛 and outputs of length 𝑙 𝑛 .
A variable-length hash function (Gen, 𝐻) is constructed as
follows.
•
•
𝐆𝐞𝐧: on input 1𝑛 , output key 𝑠.
H : on input 𝑠 and 𝑥 ϵ {0,1}𝐿 , 𝐿 < 2𝑙(𝑛) do:
Set 𝐵: = 𝐿/𝑙, pad 𝑥 so that it can be parsed into 𝐵
blocks 𝑥1 , … , 𝑥𝐵 of length 𝑙.
Set 𝑥𝐵+1 ≔ 𝐿 (𝑙 bits).
2. Set 𝑧0 ≔ 0𝑙 .
3. For 𝑖 = 1, … , 𝐵 + 1, compute 𝑧𝑖 ≔ ℎ 𝑠 (𝑧𝑖−1 ||𝑥𝑖 ).
4. Output 𝑧𝐵+1 .
1.
11
The Merkle-Damgaard
transform
𝑥2
𝑥1
𝑧0
𝑥𝐵
ℎ𝑠
ℎ𝑠
𝑧1
...
𝑥𝐵+1 = 𝐿
ℎ𝑠
ℎ𝑠
𝑧𝐵
𝑧𝐵+1
(= 𝐻 𝑆 (𝑋))
12
Theorem 4.14
If (𝐺𝑒𝑛, ℎ) is collision-resistant then so is
(𝐺𝑒𝑛, 𝐻) .
13
Hash Functions and Applications
Hash-and-MAC
Let Π = (Mac,Vrfy) be a MAC for messages of length 𝑙(𝑛)
and Π𝐻 = (GenH , H) be a hash function with output
length 𝑙(𝑛). Construct MAC Π′ = (Gen’,Mac’,Vrfy’) for
arbitrary length messages as follows:
• Gen’: on input1𝑛 output uniform 𝑘 𝜖 {0,1}∗ and run GenH
(1𝑛 ) to get 𝑠. The Hash-and-Mac key is 𝑘, 𝑠 .
•
•
Mac’: on input 𝑘, 𝑠 and message m 𝜖 {0,1}∗ output
𝑡 ←Mack (Hs(m)) .
Vrfy’: on input a key 𝑘, 𝑠 , a message m 𝜖 {0,1}∗ and a
MAC tag t output 1 if and only if Vrfyk (H*(m), t)=1.
14
Hash Functions and Applications
HMAC
Let (GenH , H) be a hash function constructed using the
Merkle Damgaard transform to compression function
(GenH , ℎ) of length 𝑛 + 𝑛′. Let opad and ipad be fixed
constants of length 𝑛′. Define MAC as follows:
• Gen: on input1𝑛 run GenH (1𝑛 ) to get 𝑠. Choose uniform
𝑘 ϵ {0,1}𝑛′ . Output key is 𝑘, 𝑠 .
•
•
Mac: on input 𝑘, 𝑠 and message m 𝜖 {0,1}∗ output
𝑡 ≔ Mack (Hs(𝑘⨁opad)||Hs(𝑘⨁ipad||m)) .
Vrfy’: on input a key 𝑘, 𝑠 , a message m 𝜖 {0,1}∗ and a
MAC tag t output 1 if and only if
𝑡 = Mack (Hs(𝑘⨁opad)||Hs(𝑘⨁ipad)||m)) .
15
HMAC
k  ipad
IV
𝑚1
ℎ𝑠
ℎ𝑠
𝑘𝑖𝑛
...
ℎ𝑠
k  opad
IV
ℎ𝑠
ℎ𝑠
𝑘𝑜𝑢𝑡
𝑡