Chapter 7

Cryptographic Hash Functions

Learning Outcome
• Identify the properties of a hash function.
• Identify techniques for constructing a hash function.
• Security analysis of hash functions
• Birthday Attack
• An overview of different families of hash functions
Outline
• Applications of cryptographic
hash functions
• Security requirements for
cryptographic hash functions
• Hash functions based on
cipher block chaining
• Secure hash algorithm (SHA)
Introduction
• Hash functions are an important cryptographic primitive and are
widely used in protocols.
• Cryptographic hash functions are used for data integrity verification,
digital signatures, and password storage. These functions take an
input of variable length and produce a fixed-length output, known as
the hash value or digest.
• For a particular message, the message digest, or hash value, can be
seen as the fingerprint of a message.
• Hash functions do not have a key (keyless function) and it is a one
way function
• Hash functions are use in digital signatures and in message
authentication codes (MAC).
Cryptographic Hash Functions
• Most popular one is the MD4 (128 bits) developed by Ronald Rivest.
Known for its speed and efficiency but is considered weak against
collision attacks.
• MD4 is no longer secure, commonly used for checksums and non-
security applications due to vulnerabilities.
• MD5 was proposed by Rivest in 1991. MD5 produces a 128-bit hash
value but currently it is insecure. .
• MD5 is based on the principles of MD4.
Secure Hash Algorithms
The Secure Hash Algorithms are a family of cryptographic hash functions published by the National
Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard
(FIPS), including:
• SHA-0: A retronym applied to the original version of the 160-bit hash function published in 1993
under the name "SHA". It was withdrawn shortly after publication due to an undisclosed
"significant flaw" and replaced by the slightly revised version SHA-1.
• SHA-1: A 160-bit hash function which resembles the earlier MD5 algorithm. This was designed by
the National Security Agency (NSA) to be part of the Digital Signature Algorithm. Cryptographic
weaknesses were discovered in SHA-1, and the standard was no longer approved for most
cryptographic uses after 2010.
• SHA-2: A family of two similar hash functions, with different block sizes, known as SHA-256 and
SHA-512. They differ in the word size; SHA-256 uses 32-bit words where SHA-512 uses 64-bit
words. There are also truncated versions of each standard, known as SHA-224, SHA-384, SHA-
512/224 and SHA-512/256. These were also designed by the NSA.
• SHA-3: A hash function formerly called Keccak, chosen in 2012 after a public competition among
non-NSA designers. It supports the same hash lengths as SHA-2, and its internal structure differs
significantly from the rest of the SHA family.
 Hash Function: Application in Information Security.

• Data Integrity: Hash functions are used to ensure data integrity, which means that the
data has not been tampered with or corrupted. For example, when downloading a file,
the website may provide the hash of the file, and the user can verify the hash of the
downloaded file matches the hash provided by the website.
• Message Authentication Codes (MACs): Hash functions are used to create message
authentication codes (MACs), which are used to verify the authenticity of a message.
• Blockchain Technology: Hash functions are a crucial component of blockchain
technology, which is used in cryptocurrencies and other distributed ledger systems. In a
blockchain, each block is hashed, and the hash of each block is included in the next
block, creating a chain of blocks that cannot be altered without invalidating the entire
chain.
Requirements for a Cryptographic Hash Function H
 Pre-Image Resistance
• The property means that is should be quite hard to reverse a hash
function.

• This meant that if a hash function which for example h(A) = Z, then it
should be difficult to find any input value that hashes to Z.

• This property will protect against an attacker that only have a hash value Z
and is trying to find the input A.
 Second Pre-Image Resistance
• This property means that if an input and its hash are given, then
it should be a difficult process to find a different input with the
same hash.
• For example, if a hash function A for an input X produces hash
value A(X), then it should be difficult to find any other input
value B such that A(B) = A(X).
• This property of hash function will protect against an attacker
that has an input value and its hash and wants to replace it with
a different value as legitimate value in place of the original input
value.
 Collision Resistance
• Collision Free Hash Function: This property means it should be a difficult
process to find two different inputs of any length that result in the same
hash.
• For example, for a hash function A, it is hard to find any two different inputs X and B
such that A(X) = A(B).
• Since hash function is a compressing function with a fixed hash length, it is
impossible for a hash function not to have collisions. This property of
collision free only means that these collisions should be hard to find.
• This property makes it very hard for an attacker to find two input values
with the same hash.
• Also, if a hash function is collision-resistant then it also satisfy the second
pre-image resistant.
Hash Function Resistance Properties Required for Various Data Integrity
Applications

* Resistance required if attacker is able to mount a chosen message attack (CMA)

CRYPTOGRAPHIC HASH FUNCTION

• The input is padded out to an integer multiple of

some fixed length (e.g., 1024 bits), and the padding
includes the value of the length of the original
message in bits.

• The length field is a security measure to increase the

difficulty for an attacker to produce an alternative
message with the same hash value.

• The hash value must be transmitted in a secure

method.

• The hash value must be protected so that if an

adversary alters or replaces the message, it is not
feasible for the adversary to alter the hash value.
Hash Function for Message Authentication
Figure (a): Data Integrity
• Alice computes a hash value and transmits both the
hash value and the message to Bob.
• Bob performs the same hash calculation on the
message bits and compares this value with the
incoming hash value.
• If there is a mismatch, Bob knows that the message
has been altered.

Figure (b): Man-in-the-middle attack

• Alice transmits a data block and attaches a hash
value.
• Darth intercepts the message, alters or replaces the
data block, and calculates and attaches a new hash
value.
• Bob receives the altered data with the new hash
value and does not detect the change.
• To prevent this attack, the hash value generated by
Alice must be protected.
Comparison of SHA Parameters
General Structure of Secure Hash Code

An iterated hash function proposed by

Merkle and is the structure of most hash
functions in use today, including SHA.

• The hash function takes an input message and partitions it into L fixed-sized blocks of b bits each. If
necessary, the final block is padded to b bits. The final block also includes the value of the total length of
the input to the hash function.

• The hash algorithm involves repeated use of a compression function f, that takes two inputs (an n -bit
input from the previous step, called the chaining variable (CV) , and a b -bit block) and produces an n -bit
output.

• At the start of hashing, the chaining variable has an initial value that is specified as part of the algorithm.
The final value of the chaining variable is the hash value.
Message Digest Generation Using SHA-512
Step 1 Append padding bits. The message is padded
so that its length is 896 modulo 1024. Padding is
always added, even if the message is already of the
desired length. Thus, the number of padding bits is in
the range of 1 to 1024. The padding consists of a
single 1 bit followed by the necessary number of 0
bits.
Step 2 Append length. A block L of 128 bits is
appended to the message. It contains the length of
the original message (before the padding). The
outcome of the first two steps yields a message that
is an integer multiple of 1024 bits in length. The
expanded message is represented as the sequence of
1024-bit blocks M1 , M2 , . . . , MN , so that the total
length of the expanded message is N * 1024 bits.
Step 3 Initialize hash buffer. A 512-bit buffer is used
to hold intermediate and final results of the hash
function. The buffer can be represented as eight 64-
bit registers (a, b, c, d, e, f, g, h).
Step 4 Process message in 1024-bit (128-word)
blocks. The heart of the algorithm is a module F that
consists of 80 rounds.
Step 5 Output. After all N 1024-bit blocks have been
processed, the output from the Nth stage is the 512-
bit message digest.
Attack on Hash Function
Pre-image Attack

• Attacking a hash function means breaking one of the security

properties of the hash functions.
• It’s a type of brute force attack
• In this attack, the attacker will already have the hash value H().
• The attacker will then try to recover any message M such that H() =
H(M)
2 nd Pre-image attack
• Its also a type of brute force attack.
• In this attack, the attacker already obtain message M1 which could be
the Encrypted message.
• The attacker will then try to find another message M2 which could be
the plain text message.
• The attacker can confirm that M1 = M2 by checking the hash value.
• the hash value H(M1) should be equal to hash value H(M2).
Collision Attack
• This one is also a type of brute force attack.
• In this attack, the attacker do not have message M1 or message M2.
• The attacker will then try to find any two different messages M1 and
M2.
• The attacker can confirm the two different messages are the same by
checking their hash value.
• The hash value of H(M1) should be the same as hash value H(M2)
Birthday Attack
• A birthday attack exploits the birthday paradox to find two inputs that
produce the same hash value. The birthday paradox states that in a group
of people with at least 23 individuals, there is a greater than 50% chance
that two of them share the same birthday.
• Once the attacker finds two inputs that produce the same hash value, they
can create a collision attack, where they can substitute one input for the
other without changing the hash value. This can be dangerous because it
can allow an attacker to modify a message without being detected.
• To mitigate the risk of birthday attacks, for hash functions :
• Use a sufficiently long output length,
• The inputs should be randomly generated
• Use secure hash algorithm that are resistant to birthday attacks, such as SHA-3
 Concept of Birthday Attack
• Let’s assume a normal year has 365 days.
• Fill in a room with 23 people.
• So here “A” has 1/365 chance to share your birthday with another 22
people that means your probability is 22/365.
• If “A” birthday does not match, “B” will have a probability of 21/365 to have
its birthday matching with the remaining people in the room.
• Now if “B” also fails to get a match “C” will have a probability of 20/365 and
so on.
• If you add on all the possibilities of all the people in the room i.e.
22/365+21/365+20/365 and so on, you get a total probability of 50 %.
• Likewise to get a probability of 99.9% you need 70 people in the room, and
to get 100% probability you need 366 people.
Birthday Attack Scenario

• Consider an experiment where we take m balls and throw them randomly into a
series of w bins where w is much smaller than m.
• How many throws is there a greater than half chance one of the bins contains at
least two balls?
• How many messages do we need to randomly select before there is a greater than
half chance of a hash collision?
 Secure Hash Length
• Clearly, a very small hash value is a bad idea. A hash must be sufficiently long that finding collisions is
‘infeasible’.
• At average case, an attacker who can conduct by trial and error for hash computations and expect to
find a collision. So, the length of a practical hash function needs to be sufficiently long that this work
effort is deemed unacceptable.
• n-bit hash function requires an attacker to conduct an average of 2n/2 hash function computations
before they are more likely to find a collision.
• Modern hash functions tend not to be designed with hashes of less than 160 bits, and in fact much
longer hashes are widely recommended.

Attacker’s Hash Length

Effort
264 128
280 160
2112 224
2256 512
Other Attacks on Hash Functions

• Does not depend on the • An attack based on weaknesses

specific algorithm in a particular cryptographic
algorithm
• In the case of a hash function,
attack depends only on the bit • Seek to exploit some property of
length of the hash value the algorithm to perform some
attack other than an exhaustive
• Attack method is to pick values search
at random and try each one
until a collision occurs
Extra Learning Material

https://www.youtube.com/watch?v=PbFVTb7Pndc