Random Oracle Model & Hashing - Cryptography & Network Security

Hashing & Random Oracle Model Sadman Ahmmed | B150305029

TOC Document and Fingerprint Pigeonhole Principle Attacks on Random Oracle Model Checking Integrity Cryptographic Hash Function Criteria Random Oracle Model Birthday Paradox Applications

Problem of the day (message integrity) Alice X Oscar interfere x X > X’ X’

Solution (Hash Function) Alice X Oscar interfere x X > X’ X’ message x (arbitrary length) eg : 1TB hash value y = h(x) fixed length, eg : SHA-1 160 bits h( x ) y = h(x)h(x) != h(x’)

Cryptographic Hash Function 01 A function h maps arbitrary strings of data to fixed length output 02 Deterministic and public, but the mapping should look “random” h : {0, 1} ∗ → {0, 1} d 03 No secret key, all operations public, anyone can compute h, polytime computation. Example : MD4, MD5, SHA-1 document/message message digest/fingerprint/authentication tag

Random Oracle Model ‘h’ Ideal model of the hash function. we assume there exists an oracle h such that on input , x ∈ {0, 1}∗ yes Message Message Digest hello 1001 hi 1110 h : {0, 1} ∗ → {0, 1} 4 hello T H H T Hash Table x If x has seen before y returns h(x) it previously output yes generate deterministic random value no store output

Fact About ROC 01 Oracle cannot use formula or algorithm to create the digest Suppose oracle uses the formula h(M) = M mon n, M1 + M2 = M3 h(M3) = (M1+M2) mod n = M1 mod n + M2 mod n = [ h(M1) + h(M2) ] mod n should have some randomness. eg, secure bidding problem 03 In practice we use pseudo-random functions 02 Unfortunately, a random oracle does not exist since it requires infinite storage

Collision (Pigeonhole principle) Input Space : infinity Assume 4 bits length Hash Space : fixed Assume 4 bits length n pigeonhole > n+1 pigeons > at least 1 nole is occupied by 2 pigeons n pigeonhole > kn+1 pigeons > at least 1 nole is occupied by k+1 pigeons Digest should be shorter than the message, so there are some digests, correspond to more than one message. Eg, pigeonhole = 4, pigeons = 16 or n = 4, kn+1 = 16, so k is larger than 3. At least 1 digest corresponds to (k+1) messages. 22 = 424 = 16 Obj 1 Obj 2 Obj 3 Obj 4 Obj 5 . 0 1 2 3

Birthday Paradox How many people must be there in a room to make the probability 50% that at-least two people in the room have same birthday? Not easy to calculate 2 people share same rather 2 people not share the same birthday. Probability of 23 people not having same birthday = 365/365 x 364/365 x 363/365 x …… x (people 23) 343/365 = 364! / ( 342! X 36522 ) = .492703 > 49.3% Chance we do = 1 - .4927 = .507 > 50.7%

Alice Bob Oscar X try to decrypt X Done or undone interfere X X > X’ X’ Another Problem (One Way)

Alice Bob Oscar X Knows h( ) interfere X X > X’ X’ Solution h(x) h(x) != h(x’)

Preimage Attack Given y ∈ {0, 1} d it is hard to find an x such that h(x) = y aka. one way Can’t be done : lossless compression, check sum Preimage Resistance Cryptographic Hash Function Criteria Birthday Problem 1 What is the minimum number, k, of the students in a classroom such that it is likely that at least one student has a predefined birthday?

Preimage Attack Algorithm input: h, D Choose, any X0 ε x, |x0| = q for any message M[i] ε x if (h(M[i]) == D)return M[i] else return fail Probability that the hash of an M[i] match with D = 1/N Probability it does not match with D = 1 - 1/N Probability, none of q queries match with D = ( 1 - 1/N )q Success probability Pr[success] = 1 - ( 1 - 1/N )q e-x = 1 - x + x2/2! - x3/3! + x4/4! + …. According Taylor Series If N is large, replace 1-1/N = e-1/N pr [success] = 1 - e-q/N If probability 0.5, q = ln(0.5)N = 0.69 x 2n Attacks on Random Oracle Model

Example : A cryptographic hash function uses a digest of 64 bits. How many digests does Oscar need to create to find the original message with the probability more than 0.5? Suppose, Oscar can test 230 messages per second it takes ( 0.69 x 2 64 )/ 2 30 = 0.69 x 2 34 seconds, or more than 500 years. k ≈ 0.69 × 2n ≈ 0.69 x 2 64

Alice Bob Oscar X Found x’, h(x’) = h(x) X = give oscar 20$ X’ = give oscar 20000$ X’ TCR h(x) h(x) == h(x’)

Preimage Attack Cryptographic Hash Function Criteria Birthday Problem 2 What is the minimum number, k, of the students in a classroom such that it is likely that at least one student has the same birthday as the student selected by the professor? Given x it is hard to find x ' such that h(x) = h(x ' ) where x != x’ aka, Weak collision-resistance, target collision resistance Second Preimage Resistance

Preimage Attack Algorithm input: h, M Calculate D = h(M) Choose, any X0 ε x{M}, |x0| = q-1 for any message M[i] ε x if (h(M[i]) == D)return M[i] else return fail pr [success] = 1 - e-(q-1)/N If probability 0.5, q = ln(0.5)N + 1 = 0.69 x 2n + 1 Attacks on Random Oracle Model

Alice Bob Oscar x1 Found x1,x2, h(x1) = h(x2) CR, Digital Signature (x1, y)(x2, y)

Preimage Attack Cryptographic Hash Function Criteria Birthday Problem 3 What is the minimum number, k, of the students in a classroom such that it is likely that at least two students have the same birthday? It is hard to find any pair of inputs x, x ' such that h(x) = h(x ' ) where x != x’ aka , Strong collision-resistance Collision Resistance

Preimage Attack Algorithm input: h Choose, any x0 ε , |x0| = q for any message pair M[i], M[i`] ε x if (h(M[i]) == h(M[i`]))return M[i], M[i`] else return fail P (hash of M[0] and M[1] does not collide) = 1 - 1/N P (hash of M[0] and M[1] does not collide with M[3]) ( 1 - 1/N ) ( 1 - 2/N ) Probability of q hash value does cot collide (1- 1/N) (1 - 2/N) (1 - 3/N) ………………… ( 1 - (q-1)/N) q-1 q-1 Pr[ No Collisions] = Σ (1 - i/N) = Σ e -i/n = e -q2/N I=1 I=1 pr [collisions/success] = 1 - e -q2/N If probability 0.5, q = sqrt ( ln(0.5)N ) = 1.18 x sqrt(N) = 1.18 x 2n/2 [ N = 2n ] Attacks on Random Oracle Model

Example : A cryptographic hash function uses a digest of 64 bits. How many digests does Oscar need to create to find two messages with the same digest with the probability more than 0.5? Suppose, Oscar can test 220 messages per second it takes 1.18 × 212 seconds, or less than two hours k ≈ 1.18 x 2 n/2 ≈ 1.18 x 2 64/2 ≈ 1.18 x 2 32

● Password Storage ● File Authenticity ● Digital Signature, guarantees that the message came from a said source ● Commitments: In a secure bidding, Alice wants to bid value x, but does not want to reveal the bid until the auction is over. Alice then computes h(x), and publicize it, which serves as her commitment. When bidding is over, then she can reveal x, and x can be verified using h(x) Application

Random Oracle Model & Hashing - Cryptography & Network Security

In this document

More Related Content

What's hot

Similar to Random Oracle Model & Hashing - Cryptography & Network Security

More from Mahbubur Rahman

Recently uploaded

Random Oracle Model & Hashing - Cryptography & Network Security