Professional Documents
Culture Documents
1
1 Introduction
Cryptographic Hash functions have a vital signicance when discussed in
the context of Signature Schemes. In this section, a brief overview of Sig-
nature Schemes is provided, along with a discussion regarding the need for
employment of hash functions.
sig tx ver(x,y)
x y = sig(x) true
<x,y>
In the above gure, the sender prepares the message x, and generates the
signature y using the secret signing algorithm. He then transmits < x; y >
across the network. The receiver now uses the public verication algorithm
and ensures that y is indeed a valid signature for x for that sender.
An important aspect of signature schemes is the prevention of forgery.
Several signature schemes have been proposed and they include the ElGamal
2
scheme, the Digital Signature Standard and the Lamport Signature Scheme.
hash sign
Msg x h(x) digest z sig(z) signature y
As shown in the above gure, the message x is hashed using the public
hash function h, to get the digest z. The digest z is then signed using the
secret algorithm sig, to get the signature y. Next < x; y > are transmitted
across the channel. To verify, the receiver reconstructs z = h(x) (h is public)
and checks if ver(z; y) = true.
3
2 Desired Properties of Hash Functions
An important need that signature schemes must satisfy is that they must
prevent forgery of signatures. The use of hash functions must be such that
this aspect of signature schemes is not compromised. In the discussion that
follows, for concreteness, let us assume that Bob is sending a message to
Alice. Oscar is a forger, who tries to forge Bob's signature. Each kind of
forgery that Oscar can commit is discussed along with the property that hash
functions must possess to prevent such a forgery from taking place.
Forgery 1
Assume that Bob transmits < x; y >, z = h(x), y = sig(z).
Oscar nds x0; x0 6= x and h(x) = h(x0).
Then, Oscar transmits < x0; y > a forgery.
Property 1
A hash function h is weakly collision free if given a message x, it is compu-
tationally infeasible to nd x0 x0 6= x; h(x) = h(x0)
Forgery 2
Oscar nds some two x, x0, x 6= x0 and h(x) = h(x0). Oscar gives Bob x and
asks him to sign it obtaining y. Then, < x0; y > is a forgery by Oscar.
Property 2
A hash function h is strongly collision free if it is computationally infeasible
to nd x, x0 such that x 6= x0; h(x) = h(x0).
Forgery 3
In some signature schemes, it is possible to compute a signature on a random
z. Example, schemes where ver(z; y) involves computing z0 from y and veri-
fying if z0 = z. Then, Oscar nds x such that z = h(x). Then, < x; y > is a
valid forgery.
Property 3
A hash function h is one-way if given a message digest z, it is computationally
infeasible to nd x such that h(x) = z.
4
2.1 Relationship between the various properties
In the previous section, we have seen that it is important for hash functions
to be strongly collision free, weakly collision free as well as one-way. In this
section, we will nd a very intersting relationship between these three prop-
erties - namely that if a hash function is strongly collision free, it is then
one-way and weakly collision free too. The fact that a strongly collision free
hash function is also weakly collision free is obvious. We will now discuss
why a strongly collision free hash function is one-way.
1. Choose a random x 2 X .
2. Compute z = h(x).
3. Compute x1 = A(z).
4. If x1 6= x then
x1 and x collide under h
else Quit.
Clearly the above algorithm is a probabilistic algorithm of the Las Vegas
type, since it either nds a collision or returns no answer. It remains to com-
pute the probability of success.
For any x 2 X , dene xRx1 if h(x) = h(x1)
Clearly, R is an equivalence relation.
Dene [x] = fx1 2 X : xRx1g
Evidently, the number of equivalence classes is at most jZ j.
5
Let the set of all equivalence classes be C .
Clearly,
p(success) = (1=jX j)
X j[x]j 1
x2X j[x]j
= (1=jX j)
X X jcj 1
c2C x2c jcj
=
X
(1=jX j) (jcj 1)
c2C
jX jjX jjZ j
1=2
6
3 Case Studies of Hash Functions
In this section, we will study some of the landmark has functions that have
been propsed and are being used in practice.
Theorem 2 Given one collision for the CHP hash function h, the discrete
logarithm log can be computed eciently.
7
Suppose h : (Z2)m ! (Z2)t is a strongly collision free hash function, where
m t + 1. It is now possible to construct the strongly collision free hash
function h : [inf
i=m (Z2 ) .
i
5. g1 = h(0t+1jjy1).
6. for i : 1 ! k do gi+1 = h(gi jj1jjyi+1).
7. h(x) = gk+1 .
For the case where m = t + 1, a dierent construction is required as shown
below.
8
3.3 Practical Hash Functions
The hash functions discussed so far are too slow to be useful in practice. In
this section, we discuss the MD4, MD5 and the SHS schemes. The MD4 Hash
Function was proposed in 1990 by Rivest.
The MD4 function works as follows.
Given a bitstring x, M is constructed of length divisible by 512. This con-
struction includes padding zeroes, though the exact construction details are
more complicated. M is now broken into 32 bit words, and if N is the total
number of words, it is to be noted that N is divisible by 16. Having con-
structed M in this fashion, a 128 bit digest is now constructed. Groups of
sixteen words of M are formed. Each group goes through three rounds of
hashing. In each hashing round, one operation is performed on each of the
sixteen words of x. The steps may be summarized as follows. In the steps,
it is to be noted that A,B ,C and D are all registers, and the nal digest is
obtained by concatenating their contents.
1. Initialize A,B,C,D.(registers)
2. for i = 0 to N=16 1 do
3. for j = 0 to 15 do X [j ] = M [16i + j ]
4. AA = A; BB = B; CC = C; DD = D.
5. Hash Rounds 1,2,3
6. A = A + AA; B = B + BB; C = C + CC; D = D + DD.
Each hashing round, as mentioned earlier involves 16 steps. While an
enumeration of the steps is hardly instructional, the rst few steps of Hashing
Round 1 are alone provided below.
First few steps of HR1
A = (A + f (B; C; D) + X [0]) << 3
D = (D + f (A; B; C ) + X [1]) << 7
C = (C + f (D; A; B ) + X [2]) << 11
9
B = (B + f (C; D; A) + X [3]) << 19
:::
where, the function f is given by
f(x,y,z) = (x and y) or ((not x) and z).
It is to be noted that the steps listed above are cyclic. Importantly, all
the operations that are performed are boolean logical operations or addition
operations that are extremely simple and fast. The MD4 is consequently
extremely fast, and software implementations have attained speeds of 1.4
MBytes being hashed in 1 second.
However, it is dicult to say anything conclusive regarding the security
of the MD4 hash function as it is not based on a well-studied problem such
as the Discrete Logarithm or Factoring problem. Condence in the security
of the system can only be attained over time, as the system is studied and
not found to be insecure. Although the MD4 has not been broken, weakened
versions that omit either the rst or the third round have been broken without
much diculty.
A strengthened version of the MD5 has been proposed in 1991. The MD5
uses four rounds instead of three, but runs about 30% slower than the MD4.
The Secure Hash Standard is based on the same principles but is more
complicated and slower. It was adopted as a standard on May 11, 1993. The
SHS produces a 5-register(160-bit) digest, unlike the MD4 which produces
a 128 bit digest.
10
4 Timestamping of messages
One diculty with signature schemes is that a signing algorithm may be com-
promised. In the event of Oscar compromising Bob's signature scheme, an
important problem, even more serious than the fact that the signature scheme
had been compromised, is the fact that the authenticity of all messages signed
by Bob, including those he signed before Oscar compromised the scheme are
now called into question. Further, there is the possibility that Bob may dis-
own messages, which are actually his.
The reason these types of events can occur is that there is no way to de-
termine when a message is signed. This problem is tackled by timestamping
messages. A timestamp provides proof that a message was signed at a par-
ticular time. Thus if Bob's signing algorithm was compromised, it would not
invalidate any signatures he made previosuly.
We will discuss two ways of achieving timestamping.
First, Bob can make use of some public information pub based on some
information that could be available only today. For example, this informa-
tion could be based on news reports or share prices of that particular day
which could have not been known prior to that day. This information is used
by Bob along with any message sent that particular day. This information
is published by Bob the next day in a manner accessible to everyone. This
ensures that Bob did not compute the message after the day in question. In
this manner, Bob's message can be accurately located to within a day.
Second,If there is a trusted timestamp service available, Bob can send
his message to this service, which then appends the date and signs the entire
message. This is secure as long as the TSS is secure. More complicated
schemes have been suggested for the case where it is undesirable to trust the
TSS unconditionally.
11