
01426 Cryptology 2

Lecture 8 — Hash functions

Luisa Siniscalchi & Tyge Tiessen


Fall 2023
DTU Compute, Technical University of Denmark

A faithful data fingerprint

Problem
Alice and Bob live far apart, each having a very large file. They would like to determine
whether the two files are identical but have a terrible internet connection, so they
cannot just send the files to compare them. How can they be sure whether the files are
identical?

An informal definition of hash functions

A hash function is a function $H : \{0,1\}^* \to \{0,1\}^n$. It is expected to behave like a
“random” function. In particular it should be difficult

• to find a preimage $x$ given an image $y$ such that $H(x) = y$ (preimage resistant),
• to find a second preimage $x_2$ given another preimage $x_1$ such that $H(x_2) = H(x_1)$ (2nd preimage resistant),
• to find two different preimages $x_1$ and $x_2$ such that $H(x_2) = H(x_1)$ (collision resistant).

Generic attacks on a hash function

Collision brute force

    𝒜_cr():
      for i = 1, …:
        x_i ← {0,1}^m
        y_i := H(x_i)
        if there is some j < i with x_i ≠ x_j but y_i = y_j:
          return (x_i, x_j)

2nd preimage brute force

    𝒜_2pi(x):
      while true:
        x' ← {0,1}^m
        y' := H(x')
        if y' = H(x): return x'

How many steps do these attacks take on average?

An attempt at defining collision resistance

We expect a hash function $H$ to be secure if the following holds:

    TEST(x, x'):
      if x ≠ x' and H(x) = H(x'): return true
      else: return false

  ∼

    TEST(x, x'):
      return false

A better definition

We need to introduce an additional input to the hash function, called a salt.


Definition
A hash function $H$ is collision-resistant if $L^{H}_{\text{cr-real}} \sim L^{H}_{\text{cr-fake}}$, where

L^H_cr-real:

    s ← {0,1}^λ

    getsalt():
      return s

    test(x, x' ∈ {0,1}*):
      if x ≠ x' and H(s, x) = H(s, x'): return true
      else: return false

L^H_cr-fake:

    s ← {0,1}^λ

    getsalt():
      return s

    test(x, x' ∈ {0,1}*):
      return false

Building a hash function

A compression function is a function $h : \{0,1\}^{n+t} \to \{0,1\}^n$, where $t > 0$.


We want to use this as a building block for a hash function.

The Merkle-Damgård construction

    MD_h(x):
      x_1 ‖ ⋯ ‖ x_{k+1} := mdpad_t(x)
      y_0 := 0^n
      for i = 1 to k + 1:
        y_i := h(y_{i−1} ‖ x_i)
      return y_{k+1}

    mdpad_t(x):
      ℓ := |x|, as length-t binary number
      while |x| not a multiple of t:
        x := x ‖ 0
      return x ‖ ℓ

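[Figure: Merkle-Damgård chain with mdpad(x) = x_1 x_2 x_3 x_4 ⋯, initial value y_0, repeated applications of h, and chaining values y_1, y_2, y_3.]

Example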

On the blackboard.

Security of the Merkle-Damgård construction

Claim
Suppose $h$ is a compression function and $\mathrm{MD}_h$ is the Merkle-Damgård construction
applied to $h$. Given a collision $x, x'$ in $\mathrm{MD}_h$, it is easy to find a collision in $h$.

Proof.
On the blackboard.

Creating a MAC from a hash function

Can we create a MAC from a hash function by keeping the salt secret?
The answer is “No” in general.
For the Merkle-Damgård construction there exists a length-extension attack: knowing
$H(x)$ allows you to predict the hash of any string that starts with $\mathrm{mdpad}(x)$.
Demonstrate on blackboard.

What is the issue here?

• This is not breaking collision resistance of the MD construction.


• The problem is that the final output is also a valid intermediate state.

We can fix this issue in two ways:

• Not leaking all of the internal state at the end.


• Doing a specific final step that is different from any internal steps.
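
The length-extension property and the first fix, worked through in code as an added example that is not part of the lecture material. Assumptions: a byte-oriented variant of the construction with n = t = 16 bytes, a stand-in compression function built from truncated SHA-256, and all function names and sample values.

```python
import hashlib

N, T = 16, 16  # toy sizes in bytes: state n and block t (assumed, not from the lecture)

def h(block: bytes) -> bytes:
    """Stand-in compression function {0,1}^(n+t) -> {0,1}^n (truncated SHA-256)."""
    if len(block) != N + T:
        raise ValueError("compression input must be n + t bytes")
    return hashlib.sha256(block).digest()[:N]

def mdpad(x: bytes) -> bytes:
    """Zero-pad x to a multiple of t, then append |x| as a t-byte number."""
    return x + b"\x00" * (-len(x) % T) + len(x).to_bytes(T, "big")

def chain(state: bytes, data: bytes) -> bytes:
    """Iterate h over data (a multiple of t bytes), starting from the given state."""
    for i in range(0, len(data), T):
        state = h(state + data[i:i + T])
    return state

def md(x: bytes) -> bytes:
    """MD_h(x): start from y_0 = 0^n and absorb mdpad(x)."""
    return chain(bytes(N), mdpad(x))

def extend(digest: bytes, len_x: int, suffix: bytes) -> bytes:
    """Predict MD_h(mdpad(x) || suffix) from MD_h(x) and |x| alone, without x."""
    padded_len = len_x + (-len_x % T) + T      # |mdpad(x)|, a multiple of t
    total = padded_len + len(suffix)           # length of the extended input
    tail = suffix + b"\x00" * (-len(suffix) % T) + total.to_bytes(T, "big")
    return chain(digest, tail)                 # the digest is a valid chaining value

def md_truncated(x: bytes) -> bytes:
    """First fix from the slides: release only half of the final state."""
    return md(x)[:N // 2]

def demo() -> bool:
    """Check the prediction against a direct computation that does know x."""
    x = b"constructed-secret-salt" + b"|constructed message"  # constructed sample
    ext = b"|appended"
    return extend(md(x), len(x), ext) == md(mdpad(x) + ext)
```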
