Collision Resistance in Online Cryptography

Collision Resistance in Online Cryptography
Slide Note
Embed
Share

The concept of collision resistance in cryptography, taught by Dan Boneh in an online course. Understand how collision resistance plays a crucial role in ensuring the security of message integrity and MAC constructions. Learn about hash functions, secure MACs, protecting file integrity using collision-resistant hashes, and the importance of collision resistance for security. Dive deeper into the Generic Birthday Attack and its implications. Join this informative course to enhance your knowledge in the realm of cryptography.

  • Cryptography
  • Collision Resistance
  • Dan Boneh
  • MAC Constructions
  • Security
lil_liv
lil_liv Follow

Uploaded on Mar 10, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Online Cryptography Course Dan Boneh Collision resistance Introduction Dan Boneh

  2. Recap: message integrity So far, four MAC constructions: ECBC-MAC, CMAC : commonly used with AES (e.g. 802.11i) PRFs NMAC : basis of HMAC (this segment) PMAC: a parallel MAC randomized MAC Carter-Wegman MAC: built from a fast one-time MAC This module: MACs from collision resistance. Dan Boneh

  3. Collision Resistance Let H: M T be a hash function ( |M| >> |T| ) A collision for H is a pair m0 , m1 M such that: H(m0) = H(m1) and m0 m1 A function H is collision resistant if for all (explicit) eff algs. A: AdvCR[A,H] = Pr[ A outputs collision for H] is neg . Example: SHA-256 (outputs 256 bits) Dan Boneh

  4. MACs from Collision Resistance Let I = (S,V) be a MAC for short messages over (K,M,T) (e.g. AES) Let H: Mbig M Def: Ibig = (Sbig , Vbig ) over (K, Mbig, T) as: Sbig(k,m) = S(k,H(m)) ; Vbig(k,m,t) = V(k,H(m),t) Thm: If I is a secure MAC and H is collision resistant then Ibig is a secure MAC. Example: S(k,m) = AES2-block-cbc(k, SHA-256(m)) is a secure MAC. Dan Boneh

  5. MACs from Collision Resistance Sbig(k, m) = S(k, H(m)) ; Vbig(k, m, t) = V(k, H(m), t) Collision resistance is necessary for security: Suppose adversary can find m0 m1 s.t. H(m0) = H(m1). Then: Sbig is insecure under a 1-chosen msg attack step 1: adversary asks for t S(k, m0) step 2: output (m1 , t) as forgery Dan Boneh

  6. Protecting file integrity using C.R. hash Software packages: read-only public space package name package name package name F1 F2 Fn H(F2) H(F1) H(Fn) When user downloads package, can verify that contents are valid H collision resistant attacker cannot modify package without detection no key needed (public verifiability), but requires read-only space Dan Boneh

  7. End of Segment Dan Boneh

  8. Online Cryptography Course Dan Boneh Collision resistance Generic birthday attack Dan Boneh

  9. Generic attack on C.R. functions Let H: M {0,1}n be a hash function ( |M| >> 2n ) Generic alg. to find a collision in time O(2n/2) hashes Algorithm: 1. Choose 2n/2 random messages in M: m1, , m2n/2 (distinct w.h.p ) 2. For i = 1, , 2n/2 compute ti = H(mi) {0,1}n 3. Look for a collision (ti = tj). If not found, got back to step 1. How well will this work? Dan Boneh

  10. The birthday paradox Let r1, , rn {1, ,B} be indep. identically distributed integers. Thm: when n= 1.2 B1/2then Pr[ i j: ri = rj] Proof: (for uniform indep. r1, , rn ) Dan Boneh

  11. B=106 # samples n Dan Boneh

  12. Generic attack H: M {0,1}n . Collision finding algorithm: 1. Choose 2n/2 random elements in M: m1, , m2n/2 2. For i = 1, , 2n/2 compute ti = H(mi) {0,1}n 3. Look for a collision (ti = tj). If not found, got back to step 1. Expected number of iteration 2 Running time: O(2n/2) (space O(2n/2) ) Dan Boneh

  13. Sample C.R. hash functions: Crypto++ 5.6.0 [ Wei Dai ] AMD Opteron, 2.2 GHz ( Linux) digest size (bits) generic attack time function Speed (MB/sec) NIST standards 280 2128 2256 SHA-1 SHA-256 SHA-512 160 256 512 153 111 99 2256 Whirlpool 512 57 * best known collision finder for SHA-1 requires 251 hash evaluations Dan Boneh

  14. Quantum Collision Finder Classical algorithms Quantum algorithms Block cipher E: K X exhaustive search O( |K|1/2 ) O( |K| ) X Hash function H: M collision finder O( |T|1/2) O( |T|1/3 ) T Dan Boneh

  15. End of Segment Dan Boneh

  16. Online Cryptography Course Dan Boneh Collision resistance The Merkle-Damgard Paradigm Dan Boneh

  17. Collision resistance: review Let H: M T be a hash function ( |M| >> |T| ) A collision for H is a pair m0 , m1 M such that: H(m0) = H(m1) and m0 m1 Goal: collision resistant (C.R.) hash functions Step 1: given C.R. function for short messages, construct C.R. function for long messages Dan Boneh

  18. The Merkle-Damgard iterated construction m[0] m[1] m[2] m[3] ll PB H(m) IV h h h h H0 H1 H2 H3 H4 (fixed) Given h: T X T (compression function) we obtain H: X L T . Hi - chaining variables If no space for PB add another block 1000 0 ll msg len PB: padding block 64 bits Dan Boneh

  19. MD collision resistance Thm: if h is collision resistant then so is H. Proof: collision on H collision on h Suppose H(M) = H(M ). We build collision for h. IV = H0 , H1, , Ht , Ht+1 = H(M) IV = H0 , H1 , , H r, H r+1= H(M ) h( Ht, Mt ll PB) = Ht+1= H r+1 = h(H r, M r ll PB ) Dan Boneh

  20. Suppose Ht = Hr and Mt = Mrand PB = PB Then: h( Ht-1, Mt-1) = Ht = H t= h(H t-1, M t-1 ) Dan Boneh

  21. To construct C.R. function, suffices to construct compression function End of Segment Dan Boneh

  22. Online Cryptography Course Dan Boneh Collision resistance Constructing Compression Functions Dan Boneh

  23. The Merkle-Damgard iterated construction m[0] m[1] m[2] m[3] ll PB H(m) IV h h h h (fixed) Thm: h collision resistant H collision resistant Goal: construct compression function h: T X T Dan Boneh

  24. Compr. func. from a block cipher E: K {0,1}n {0,1}na block cipher. The Davies-Meyer compression function: h(H, m) = E(m, H) H mi > E Hi Thm: Suppose E is an ideal cipher (collection of |K| random perms.). Finding a collision h(H,m)=h(H ,m ) takes O(2n/2) evaluations of (E,D). Best possible !! Dan Boneh

  25. Suppose we define h(H, m) = E(m, H) Then the resulting h(.,.) is not collision resistant: to build a collision (H,m) and (H ,m ) choose random (H,m,m ) and construct H as follows: H =D(m , E(m,H)) H =E(m , D(m,H)) H =E(m , E(m,H)) H =D(m , D(m,H))

  26. Other block cipher constructions Let E: {0,1}n {0,1}n {0,1}n for simplicity Miyaguchi-Preneel: h(H, m) = E(m, H) H m (Whirlpool) h(H, m) = E(H m, m) m total of 12 variants like this Other natural variants are insecure: h(H, m) = E(m, H) m (HW) Dan Boneh

  27. Case study: SHA-256 Merkle-Damgard function Davies-Meyer compression function Block cipher: SHACAL-2 512-bit key > SHACAL-2 256-bit block 256-bit block Dan Boneh

  28. Provable compression functions Choose a random 2000-bit prime p and random 1 u, v p . For m,h {0, ,p-1} define h(H,m) = uH vm (mod p) Fact: finding collision for h(.,.) is as hard as solving discrete-log modulo p. Problem: slow. Dan Boneh

  29. End of Segment Dan Boneh

  30. Online Cryptography Course Dan Boneh Collision resistance HMAC: a MAC from SHA-256 Dan Boneh

  31. The Merkle-Damgard iterated construction m[0] m[1] m[2] m[3] ll PB H(m) IV h h h h (fixed) Thm: h collision resistant H collision resistant Can we use H(.) to directly build a MAC? Dan Boneh

  32. MAC from a Merkle-Damgard Hash Function H: X L T a C.R. Merkle-Damgard Hash Function Attempt #1: S(k, m) = H( k ll m) This MAC is insecure because: Given H( k ll m) can compute H( w ll k ll m ll PB) for any w. Given H( k ll m) can compute H( k ll m ll w ) for any w. Given H( k ll m) can compute H( k ll m ll PB ll w ) for any w. Anyone can compute H( k ll m ) for any m.

  33. Standardized method: HMAC (Hash-MAC) Most widely used MAC on the Internet. H: hash function. example: SHA-256 ; output is 256 bits Building a MAC out of a hash function: HMAC: S( k, m ) = H( k opad ll H( k ipad ll m ) ) Dan Boneh

  34. HMAC in pictures m[0] m[1] m[2] ll PB k ipad > IV h h h h > > > (fixed) k opad tag > h h > IV (fixed) Similar to the NMAC PRF. main difference: the two keys k1, k2 are dependent Dan Boneh

  35. HMAC properties Built from a black-box implementation of SHA-256. HMAC is assumed to be a secure PRF Can be proven under certain PRF assumptions about h(.,.) Security bounds similar to NMAC Need q2/|T| to be negligible ( q << |T| ) In TLS: must support HMAC-SHA1-96 Dan Boneh

  36. End of Segment Dan Boneh

  37. Online Cryptography Course Dan Boneh Collision resistance Timing attacks on MAC verification Dan Boneh

  38. Warning: verification timing attacks [L09] Example: Keyczar crypto library (Python) [simplified] def Verify(key, msg, sig_bytes): return HMAC(key, msg) == sig_bytes The problem: == implemented as a byte-by-byte comparison Comparator returns false when first inequality found Dan Boneh

  39. Warning: verification timing attacks [L09] m , tag k target msg m accept or reject Timing attack: to compute tag for target message m do: Step 1: Query server with random tag Step 2: Loop over all possible first bytes and query server. stop when verification takes a little longer than in step 1 Step 3: repeat for all tag bytes until valid tag found Dan Boneh

  40. Defense #1 Make string comparator always take same time (Python) : return false if sig_bytes has wrong length result = 0 for x, y in zip( HMAC(key,msg) , sig_bytes): result |= ord(x) ^ ord(y) return result == 0 Can be difficult to ensure due to optimizing compiler. Dan Boneh

  41. Defense #2 Make string comparator always take same time (Python) : def Verify(key, msg, sig_bytes): mac = HMAC(key, msg) return HMAC(key, mac) == HMAC(key, sig_bytes) Attacker doesn t know values being compared Dan Boneh

  42. Lesson Don t implement crypto yourself ! Dan Boneh

  43. End of Segment Dan Boneh

Related


Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

pendragon
2D Collision Detection in Game Development

2D Collision Detection in Game Development

brandon
Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

damari
Herbicide Resistance in Weeds: Insights and Management Strategies

Herbicide Resistance in Weeds: Insights and Management Strategies

theoden
Advanced Emergency Braking System (AEBS) Definition and Activation Guidelines

Advanced Emergency Braking System (AEBS) Definition and Activation Guidelines

aaravclark
Cloud Cryptography for Secure Data Processing

Cloud Cryptography for Secure Data Processing

vespera
Overview of Basic Security Properties and Cryptography Fundamentals

Overview of Basic Security Properties and Cryptography Fundamentals

kawhi
Introduction to Cryptography: The Science of Secure Communication

Introduction to Cryptography: The Science of Secure Communication

catt504
Foundations of Cryptography: MIT Course Overview and Key Concepts

Foundations of Cryptography: MIT Course Overview and Key Concepts

dherb
Dealing with Resistance in Counseling: Techniques and Strategies

Dealing with Resistance in Counseling: Techniques and Strategies

kase_448
Efficient Verified Cryptography in F* by Jean-Karim Zinzindohou

Efficient Verified Cryptography in F* by Jean-Karim Zinzindohou

rago_a
Cryptographic Center in Novosibirsk: Advancements in Cryptography and Research

Cryptographic Center in Novosibirsk: Advancements in Cryptography and Research

lott995
The Relationship between Decisional Second-Preimage Resistance and Preimage Resistance in Cryptographic Hash Functions

The Relationship between Decisional Second-Preimage Resistance and Preimage Resistance in Cryptographic Hash Functions

jessabe
Foundations of Cryptography: Digital Signatures and Collision-Resistant Hash Functions

Foundations of Cryptography: Digital Signatures and Collision-Resistant Hash Functions

marschall_a
Foundations of Cryptography: Lecture 12 - Digital Signatures and Collision-Resistant Hash Functions

Foundations of Cryptography: Lecture 12 - Digital Signatures and Collision-Resistant Hash Functions

flacs
Privacy Address Requirements for Wireless Personal Area Networks

Privacy Address Requirements for Wireless Personal Area Networks

vkob
TCAS - Traffic Collision Avoidance System

TCAS - Traffic Collision Avoidance System

catalin
Introduction to Lattice-Based Cryptography and Linear Equations Solving

Introduction to Lattice-Based Cryptography and Linear Equations Solving

keo_lie
New Directions in Cryptography: Harta Dwijaksara, Yi Jae Park

New Directions in Cryptography: Harta Dwijaksara, Yi Jae Park

antwu
Antibiotics and Antimicrobial Resistance Mechanisms

Antibiotics and Antimicrobial Resistance Mechanisms

medidoc
Cryptography and Its Algorithms

Cryptography and Its Algorithms

rkar
Cryptography

Cryptography

schryver_v

More Related Content