
Cryptographic Hash Functions

and their applications


What are they good for?

digital signature algorithm, such as RSA or DSA.


message authentication codes,
pseudo random number generators,
key derivation functions.”
Some examples
• Signatures: sign(M) = RSA^-1( H(M) )
• Message-authentication: tag=H(key,M)
• Commitment: commit(M) = H(M,…)
• Key derivation: AES-key = H(DH-value)
Using hash functions
in Real Time applications
Using “imperfect” hash functions
• Applications should rely only on “specific
security properties” of hash functions
– When weaknesses are found in hash function,
application more likely to survive
– E.g., MD5 is badly broken, but HMAC-MD5 is barely
scratched
Security requirements
Stronger
• Deterministic hashing
– Attacker chooses M, d=H(M)
• Hashing random messages
– M random, d=H(M)
• Hashing with a secret key
– Attacker chooses M, d=H(key,M)
Weaker
Deterministic hashing
• Collision Resistance
– Attacker cannot find M,M’ such that H(M)=H(M’)

Hashing random messages
• One-wayness
– Given d=H(M) for random M, attacker cannot
find M’ such that H(M’)=d

* Combinatorial, not cryptographic


Hashing with a secret key
• Pseudo-Random Functions
– The mapping M → H(key,M) for secret key
looks random to an attacker
• Universal hashing*

* Combinatorial, not cryptographic


Application 1:
Digital signatures
• Hash-then-sign paradigm
– First shorten the message, d = H(M)
– Then sign the digest, s = SIGN(d)
Application 2:
Message authentication
• Sender, Receiver, share a secret key
• Compute an authentication tag
– tag = MAC(key, M)
• Sender sends (M, tag)
• Receiver verifies that tag matches M
• Attacker cannot forge tags without key
Designing a hash function
Design a compression function?
[Figure: the compression function h applied repeatedly: h, h, …, h, h]

PROs: modular design, reduce to the “simpler problem” of compressing fixed-length strings
– Many things are known about transforming
compression into hash
CONs: compression → hash has its problems
– It’s not free (e.g. message encoding)
– Some attacks based on the MD structure
• Extension attacks
• “Birthday attacks”
Fugue-256
Initial State (30 words)

Process M1

New State

Iterate Mi

State

Final Processing

Output 8 words = 256 bits


Things to Do with a Hash Function
• Hash long messages for signing
• Authentication protocols
• Stream ciphers
• Block ciphers
• MACs
• ...

CS470, A.Selcuk Hash Functions 16


Authentication Protocol
Challenge-response authentication instead of a password
protocol:

Alice → Bob: hello, ra
Bob → Alice: H(K || ra), rb
Alice → Bob: H(K || rb)

Hash is used instead of block cipher encryption EK(ra), EK(rb), & decryption.



Stream Cipher
• CFB:
Oi = H(K || Ci-1)
Ci = Pi ⊕ Oi
Pi = Ci ⊕ Oi
• OFB:
Oi = H(K || Oi-1)
Ci = Pi ⊕ Oi
Pi = Ci ⊕ Oi
• CTR:
Ci = Pi ⊕ H(K || IV + i)
Pi = Ci ⊕ H(K || IV + i)
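
The three modes above in Python, with SHA-256 standing in for H (an added example, not part of the original slides). Assumptions the slides do not specify: C0 and O0 are the IV, and IV + i is encoded as a 128-bit big-endian integer.

```python
import hashlib

BLOCK = 32  # SHA-256 digest size: one call to H yields 32 keystream bytes


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # zip truncates: short last block OK


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    out, prev = [], iv                        # assumption: C_0 = IV
    for blk in blocks(data):
        res = xor(blk, H(key + prev))         # O_i = H(K || C_{i-1})
        prev = blk if decrypt else res        # feedback is always ciphertext
        out.append(res)
    return b"".join(out)


def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, o = [], iv                           # assumption: O_0 = IV
    for blk in blocks(data):
        o = H(key + o)                        # O_i = H(K || O_{i-1})
        out.append(xor(blk, o))               # same call encrypts and decrypts
    return b"".join(out)


def ctr(key: bytes, iv: int, data: bytes) -> bytes:
    out = []
    for i, blk in enumerate(blocks(data), start=1):
        n = ((iv + i) % 2**128).to_bytes(16, "big")  # assumed counter encoding
        out.append(xor(blk, H(key + n)))      # C_i = P_i xor H(K || IV + i)
    return b"".join(out)


if __name__ == "__main__":
    key, iv = b"constructed-demo-key", bytes(16)     # constructed sample values
    msg = b"constructed sample plaintext " * 3       # 87 bytes, 3 blocks
    assert cfb(key, iv, cfb(key, iv, msg), decrypt=True) == msg
    assert ofb(key, iv, ofb(key, iv, msg)) == msg
    assert ctr(key, 7, ctr(key, 7, msg)) == msg
    print("CFB", cfb(key, iv, msg).hex()[:32], "...")
```

As with any XOR keystream, a (K, IV) pair must not encrypt more than one message, and none of these modes provides integrity, so a MAC is still needed.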



Block Cipher

• Use the hash function as the f in a Feistel structure.

• Luby & Rackoff (1988): Three rounds are needed for security.



Summary
• Hash functions are very useful
• We want them to behave “just like random
functions”
• Applications should be designed to rely on “as
strong as possible”
• how a hash function is built
