08 Hash Functions
Problem
Alice and Bob live far apart, each having a very large file. They would like to determine
whether the two files are identical but have a terrible internet connection, so they
cannot just send the files to compare them. How can they be sure whether the files are
identical?
An informal definition of hash functions
Generic attacks on a hash function
An attempt at defining collision resistance
TEST(𝑥, 𝑥′):
  if 𝑥 ≠ 𝑥′ and 𝐻(𝑥) = 𝐻(𝑥′): return true
  else: return false

∼

TEST(𝑥, 𝑥′):
  return false
A better definition
L^𝐻_cr-real:
  𝑠 ← {0,1}^𝜆
  getsalt():
    return 𝑠
  test(𝑥, 𝑥′ ∈ {0,1}∗):
    if 𝑥 ≠ 𝑥′ and 𝐻(𝑠, 𝑥) = 𝐻(𝑠, 𝑥′): return true
    else: return false

L^𝐻_cr-fake:
  𝑠 ← {0,1}^𝜆
  getsalt():
    return 𝑠
  test(𝑥, 𝑥′ ∈ {0,1}∗):
    return false
Building a hash function
The Merkle-Damgård construction
mdpad_𝑡(𝑥):
  ℓ := |𝑥|, as length-𝑡 binary number
  while |𝑥| not a multiple of 𝑡:
    𝑥 := 𝑥‖0
  return 𝑥‖ℓ

MD_ℎ(𝑥):
  𝑥_1 ‖ ⋯ ‖ 𝑥_{𝑘+1} := mdpad_𝑡(𝑥)
  𝑦_0 := 0^𝑛
  for 𝑖 = 1 to 𝑘 + 1:
    𝑦_𝑖 := ℎ(𝑦_{𝑖−1} ‖ 𝑥_𝑖)
  return 𝑦_{𝑘+1}
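[Diagram: mdpad(𝑥) = 𝑥_1 ‖ 𝑥_2 ‖ 𝑥_3 ‖ 𝑥_4 ‖ ⋯; starting from 𝑦_0, each application of ℎ takes the previous chaining value and the next block and outputs 𝑦_1, 𝑦_2, 𝑦_3, …]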
Example
On the blackboard.
Security of the Merkle-Damgård construction
Claim
Suppose ℎ is a compression function and MD_ℎ is the Merkle-Damgård construction
applied to ℎ. Given a collision 𝑥, 𝑥′ in MD_ℎ, it is easy to find a collision in ℎ.
Proof.
On the blackboard.
Creating a MAC from a hash function
Can we create a MAC from a hash function by keeping the salt secret?
The answer is “No” in general.
For the Merkle-Damgård construction there exists a length-extension attack: knowing
𝐻(𝑥) allows you to predict the hash of any string that starts with mdpad(𝑥).
Demonstrate on blackboard.
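The construction and the length-extension property above, as an added example that is not part of the original slides. Assumptions: mdpad and MD_ℎ work at byte granularity, ℎ is a stand-in built from truncated SHA-256, the secret-salt MAC is modelled as MD_ℎ(𝑠‖𝑥), and all function names and sample strings are constructed for illustration.

```python
import hashlib
import os

N = 16  # chaining value length in bytes (the slides' n, byte-aligned; assumption)
T = 16  # block length in bytes (the slides' t, byte-aligned; assumption)

def h(block: bytes) -> bytes:
    """Stand-in compression function from n+t bits to n bits (assumption)."""
    assert len(block) == N + T
    return hashlib.sha256(block).digest()[:N]

def mdpad(x: bytes) -> bytes:
    """mdpad_t: zero-pad x to a block boundary, then append |x| in bits as one block."""
    ell = (8 * len(x)).to_bytes(T, "big")
    return x + b"\x00" * (-len(x) % T) + ell

def md_chain(y: bytes, blocks: bytes) -> bytes:
    """Apply y_i := h(y_{i-1} || x_i) over whole blocks, starting from chaining value y."""
    assert len(blocks) % T == 0
    for i in range(0, len(blocks), T):
        y = h(y + blocks[i:i + T])
    return y

def md(x: bytes) -> bytes:
    """MD_h with y_0 = 0^n."""
    return md_chain(b"\x00" * N, mdpad(x))

def naive_mac(s: bytes, m: bytes) -> bytes:
    """The construction the slides reject: hash with the salt kept secret."""
    return md(s + m)

def extend(tag: bytes, known_len: int, suffix: bytes):
    """Given tag = md(x) and |x| only, return (tail, md(x || tail)),
    where x || tail = mdpad(x) || suffix."""
    glue = mdpad(b"\x00" * known_len)[known_len:]  # the padding depends only on |x|
    total = known_len + len(glue) + len(suffix)
    # Blocks of mdpad(mdpad(x) || suffix) that follow mdpad(x).
    rest = suffix + b"\x00" * (-len(suffix) % T) + (8 * total).to_bytes(T, "big")
    return glue + suffix, md_chain(tag, rest)

def demo() -> bool:
    s = os.urandom(16)   # secret salt; only its length is used below
    m = b"message"       # constructed sample message
    tag = naive_mac(s, m)
    tail, predicted = extend(tag, len(s) + len(m), b"suffix")
    # The predicted value is a valid tag for m || tail, computed without s.
    return predicted == naive_mac(s, m + tail)

if __name__ == "__main__":
    print(demo())
```

The tag is the final chaining value 𝑦_{𝑘+1}, so publishing it hands out the exact state needed to continue the chain; that is why keeping only the salt secret does not give a MAC here.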
What is the issue here?