Date post: 19-Dec-2015
Contents
• Digital signatures
– Definition
– Digital signatures – procedure
– Digital signature with RSA
– Signing enciphered messages
– Signing and hashing
Hash functions - definition
• Let k, n be positive integers
• A function f with n bit output and k bit key is called a hash function if
1. f is a deterministic function
2. f takes 2 inputs, the first is of arbitrary length and the second is of length k
3. f outputs a binary string of length n
• Formally: $f : \{0,1\}^* \times \{0,1\}^k \to \{0,1\}^n$
Hash functions - definition
• The key k is assumed to be known/fixed, unlike in cipher systems
• If k is known/fixed, the hash function is unkeyed
• If k is secret, the hash function is keyed
• k is known/fixed in most of the applications (e.g. digital signature schemes)
• k is kept secret in Message Authentication Codes (MACs)
Hash functions – security requirements
• In order to be useful for cryptographic applications, any hash function must satisfy at least 3 properties (3 “levels of security”) (1)
1. One-wayness (or preimage resistance): a hash function f is one-way if, for a random key k and an n-bit output string w, it is difficult for the attacker presented with k and w to find x such that $f_k(x) = w$.
Hash functions – security requirements
• Security requirements (2)
2. Second preimage resistance (or weak collision resistance): a hash function f is second preimage resistant if it is difficult for an attacker presented with a random key k and a random input string x to find $y \neq x$ such that $f_k(x) = f_k(y)$.
Hash functions – security requirements
• Security requirements (3):
3. (Strong) collision resistance: a hash function f is collision resistant if it is difficult for an attacker presented with a random key k to find x and $y \neq x$ such that $f_k(x) = f_k(y)$.
Hash functions – security requirements
• The collision resistance implies the second preimage resistance.
• The second preimage resistance and one-wayness are incomparable
– The properties do not follow from one another
– Still, a hash function that would be one-way but not second preimage resistant would be quite artificial
Hash functions – security requirements
• In practice, collision resistance is the strongest security requirement of all the three requirements
– the most difficult to satisfy
– the easiest to breach
• Breaking the collision resistance property is the goal of most attacks on hash functions.
Hash functions – other requirements
• Certificational weakness
– A good hash function should possess the avalanche property
• changing one bit of the input should change approximately half of the output bits
– No input bits can be reliably guessed based on the hash function’s local output (local one-wayness)
– Failure to satisfy these (and some other) properties is called certificational weakness.
Hash functions – other requirements
• It is also required that a hash function is feasible to compute, given x (and k).
• This is the reason why some theoretically strong constructions of hash functions are not used extensively in practice.
Hash functions – other requirements
• Example: so-called algebraic hash functions, based on the same difficult mathematical problems that are used in public key cryptography
– Shamir’s function (factoring)
– Chaum-van Heijst-Pfitzmann’s function (discrete log)
– Newer designs: VSH (factoring), LASH (lattice), Dakota (modular arithmetic and symmetric ciphers)
Hash functions - construction
• The Merkle-Damgård construction
– A classical hash function design
– Iterates a compression function
– A compression function
• takes a fixed length input
• outputs a fixed length (shorter) output.
Hash functions - construction
• In practice, symmetric cipher systems are used as compression functions (usually block ciphers).
• Let g(x, k) be a block cipher, where x is the plaintext message, and k is the key.
• The length of the block x is n bits and the length of the key k is m bits, m > n.
Hash functions - construction
• The hash function f to be constructed
– has (theoretically) unlimited input length
– has the output bit length n
• The input string to the hash function f is y.
Hash functions - construction
• Hash function iterations
– Pad y such that the length of the padded input $y'$ is the least possible multiple of m.
– Let $y' = y'_1 \| y'_2 \| \cdots \| y'_r$, where $y'_i \in \{0,1\}^m$.
– Let $f_0$ be a fixed initialization vector of length n (in bits).
– Then, for $i = 1, \ldots, r$, $f_i = g(f_{i-1}, y'_i)$.
– Finally, $f = f_r$.
Hash functions - construction
• Remark:
– The padding algorithm and $f_0$ depend on the particular hash function.
• Schematic of the Merkle-Damgård design
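The iteration $f_i = g(f_{i-1}, y'_i)$ written out, as an added example that is not part of the original slides. Assumptions: g is a hypothetical toy 4-round Feistel cipher with n = 32 and m = 64, the padding is a 0x80 byte followed by zeros, and $f_0$ is a constructed constant; none of it is secure.

```python
# Added example: toy Merkle-Damgard hash built from a toy block cipher.
# All names and constants are assumptions for illustration; NOT secure.
N_BYTES = 4   # n = 32 bits: cipher block and chaining value
M_BYTES = 8   # m = 64 bits: message block, used as the cipher key (m > n)
IV = bytes.fromhex("01234567")  # f_0, a constructed initialization vector


def _round(half: int, subkey: int) -> int:
    """Toy 16-bit Feistel round function (not taken from any real cipher)."""
    v = (half + subkey) & 0xFFFF
    v = (v * 0x9E37 + 0x79B9) & 0xFFFF
    return ((v << 5) | (v >> 11)) & 0xFFFF  # rotate left by 5


def g(x: bytes, k: bytes) -> bytes:
    """Block cipher g(x, k): 32-bit plaintext x, 64-bit key k, 4 Feistel rounds."""
    left, right = int.from_bytes(x[:2], "big"), int.from_bytes(x[2:], "big")
    for i in range(4):
        subkey = int.from_bytes(k[2 * i:2 * i + 2], "big")
        left, right = right, left ^ _round(right, subkey)
    return left.to_bytes(2, "big") + right.to_bytes(2, "big")


def pad(y: bytes) -> bytes:
    """Append 0x80, then zeros up to the least multiple of m."""
    padded = y + b"\x80"
    return padded + b"\x00" * (-len(padded) % M_BYTES)


def md_hash(y: bytes) -> bytes:
    """f_i = g(f_{i-1}, y'_i) for i = 1..r; the hash value is f_r."""
    y_padded = pad(y)
    f = IV
    for i in range(0, len(y_padded), M_BYTES):
        f = g(f, y_padded[i:i + M_BYTES])  # message block is the cipher key
    return f


if __name__ == "__main__":
    for msg in (b"", b"abc", b"a message longer than one block"):
        print(msg, len(pad(msg)) // M_BYTES, "block(s) ->", md_hash(msg).hex())
```

Each message block enters the cipher as the key while the previous chaining value is the plaintext, which is why m > n is required on the earlier slide.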
Hash functions - construction
• Advantages of using block ciphers as compression functions
– Efficient, i.e. fast
– Usually already implemented
• Disadvantage
– Employing a strong block cipher in hash function design does not guarantee a good hash function.
Hash functions - construction
• Examples of Merkle-Damgård designs
– The MD (Message Digest) family of hash functions (MD4, MD5), n = 128.
– The NIST SHA (Secure Hash Algorithm) family of hash functions (SHA-1 (n = 160), SHA-2 (i.e. SHA-256, SHA-512)).
• They all use custom block cipher rounds.
Hash functions - construction
• The speed of such a design depends on the number of rounds of the block cipher involved.
• Example
– MD4 – 3 rounds
– MD5 – 4 rounds – more secure
– But MD5 is 30% slower than MD4.
Hash functions - security
• Security of the most often used hash functions, MD5 and SHA-1, has been recently compromised – collisions were found.
• They are now considered insecure.
• Consequence: the SHA-3 contest, the proposals are due October 2008.
Hash functions - applications
• Data integrity protection
– Digital signature schemes
• Authentication
– Message authentication codes (MACs)
– If a MAC uses a hash function, it is called HMAC
– HMAC standard RFC2104 (Bellare-Canetti-Krawczyk, 1996).
Digital signatures - definition
• Digital signature
– A number dependent on some secret known only to the signer and on the contents of the signed message
– Must be verifiable in case of
• a signer repudiating a signature
• a fraudulent claimant
Digital signatures - definition
• Applications
– Authentication
– Data integrity protection and non-repudiation
– Certification of public keys in large networks.
Digital signatures - procedure
• Basic elements (1)
– M – the set of messages that can be signed
– S – the set of signatures, e.g. binary strings of fixed length
– $S_A$ – signing transformation for the entity A, $S_A : M \to S$
• $S_A$ is kept secret by A
• Used to create signatures from M
Digital signatures - procedure
• Basic elements (2)
– $V_A$ – verification transformation for A’s signatures, $V_A : M \times S \to \{\text{true}, \text{false}\}$
• Publicly known
• Used by other entities to verify signatures created by A
Digital signatures - procedure
• Both $S_A$ and $V_A$ should be feasible to compute
• It should not be computationally feasible to forge a digital signature y on a message x
– Given x, only A (i.e. Alice) should be able to compute the signature y such that $V_A(x, y) = \text{true}$.
Digital signatures - procedure
• Signing a message x
– Alice uses the algorithm $S_A$ to compute the signature over the message x
– Alice publishes (or sends to some recipient) the message x, together with the signature $y = S_A(x)$
Digital signatures - procedure
• Verifying a signature of a message published/sent by Alice
– Upon receiving the pair (x, y), the verifier uses the algorithm $V_A$ (publicly known) to verify the integrity of the received message x
– If $V_A(x, y) = \text{true}$, the signature is verified.
Digital signatures - procedure
• It can be shown that asymmetric ciphers can be used for digital signature purposes
• To prevent forgery, it should be infeasible for an attacker to retrieve the secret information used for signing – the transformation $S_A$.
Digital signature with RSA
• Alice signs the message x by using the deciphering transformation $y = x^{d_A} \bmod n_A$
• Alice is the only one that can sign, since $d_A$ is kept secret.
Digital signature with RSA
• Bob verifies the signature y received from Alice by employing encipherment of y using Alice’s public key $(e_A, n_A)$, i.e. $c = y^{e_A} \bmod n_A$
• If c = x, then the signature y is verified.
Digital signature with RSA - security
• Suppose Eve wants to sign her own message $x'$ with Alice’s signature y (i.e. to forge Alice’s signature).
• Eve does not know $d_A$, she only knows Alice’s public key $(e_A, n_A)$.
Digital signature with RSA - security
• Direct verification, if Eve’s signed document $(x', y)$ is to be verified: $c = y^{e_A} \bmod n_A$
– This will fail, since $c \neq x'$.
• Thus, what Eve needs is another signature, $y'$, such that $(y')^{e_A} \bmod n_A = x'$
• Getting $y'$ is a difficult problem.
Digital signature with RSA - security
• Another possibility for Eve – she can choose $y'$ first and then generate the message $x' = (y')^{e_A} \bmod n_A$
• $y'$ will then be easily verified, i.e. such a forgery is successful.
• But then the probability that $x'$ is meaningful is very small.
Signing enciphered messages
• Suppose Alice wants to send a signed enciphered message x to Bob.
– Alice computes her signature $y = S_A(x)$
– Then Alice enciphers both x and y by means of Bob’s public key
– The ciphertext z is transmitted to Bob.
Signing enciphered messages
• Deciphering and verification
– Bob deciphers z by means of his private key and thus obtains (x, y)
– Then Bob uses Alice’s public verification function $V_A$ to verify Alice’s signature y.
Signing and hashing
• Usually, public key ciphers are used in digital signature schemes
• If the original message is signed, the signature is at least as long as the message – inefficient
Signing and hashing
• Another problem is that of Eve’s ability to generate the signature and then get the corresponding message that may be meaningful, although with small probability.
• Solution: sign hashed message.
Signing and hashing
• The hash function f is made public
• Starting with a message x, Alice first computes f(x), which is significantly smaller than x
• Alice then computes $y = S_A(f(x))$
• Alice then sends (x, y) to Bob.
Signing and hashing
• Verification process
– Bob computes f(x)
– Bob also computes $V_A(f(x), y)$
– If $V_A(f(x), y) = \text{true}$, then Alice’s signature is verified.
Signing and hashing - security
• Suppose Eve has $(x, y = S_A(f(x)))$
• Eve would like to sign her own message $x'$ with Alice’s signature (i.e. to forge it)
• So she needs $S_A(f(x')) = S_A(f(x))$, which means she needs $f(x') = f(x)$. This is difficult if f is second preimage resistant.
Signing and hashing - security
• Moreover, it is highly unlikely that Eve would be able to find two messages, $x'$ and $x''$, with the same hashes and consequently signatures, if f is collision resistant.
• So it is difficult for Eve to choose the signature first and then get the corresponding message.
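The signature-first forgery from “Digital signature with RSA - security” and the effect of signing f(x) instead of x, as an added example that is not part of the original slides. Assumptions: a constructed toy key made of two Mersenne primes, f taken to be SHA-256 reduced mod $n_A$ with no standard padding scheme, and hypothetical function names throughout.

```python
import hashlib

# Constructed toy key: two Mersenne primes. Far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N_A = P * Q                             # Alice's public modulus n_A
E_A = 65537                             # Alice's public exponent e_A
D_A = pow(E_A, -1, (P - 1) * (Q - 1))   # Alice's secret exponent d_A


def sign_raw(x: int) -> int:
    """y = x^d_A mod n_A: signing the message itself."""
    return pow(x, D_A, N_A)


def verify_raw(x: int, y: int) -> bool:
    """Accept iff c = y^e_A mod n_A equals x."""
    return pow(y, E_A, N_A) == x


def forged_message(y_prime: int) -> int:
    """Eve fixes y' first and derives x' = y'^e_A mod n_A from public data only."""
    return pow(y_prime, E_A, N_A)


def f(message: bytes) -> int:
    """Public hash f: SHA-256 reduced mod n_A (toy encoding, an assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N_A


def sign_hashed(message: bytes) -> int:
    return sign_raw(f(message))        # y = S_A(f(x))


def verify_hashed(message: bytes, y: int) -> bool:
    return verify_raw(f(message), y)   # V_A(f(x), y)


def int_to_bytes(v: int) -> bytes:
    return v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")


if __name__ == "__main__":
    x = int.from_bytes(b"pay Bob 10", "big")
    y = sign_raw(x)
    print("genuine (x, y) verifies:", verify_raw(x, y))
    print("y reused on another message:", verify_raw(x + 1, y))
    y_p = 123456789                    # constructed value chosen by Eve
    x_p = forged_message(y_p)
    print("signature-first forgery verifies:", verify_raw(x_p, y_p), int_to_bytes(x_p))
    print("same pair under hash-then-sign:", verify_hashed(int_to_bytes(x_p), y_p))
```

Under hash-then-sign Eve's chosen $y'$ fixes the value f(x') must take, so she would have to invert f to obtain a message, which is the one-wayness requirement from the hash function slides.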