Cryptography

CS 555
Week 5:
• Cryptographic Hash Functions
• HMACs
• Generic Attacks
• Random Oracle Model
• Applications of Hashing
Readings: Katz and Lindell Chapter 5, Appendix A.4
Spring 2021 1
Recap
• Authenticated Encryption + CCA-Security
• Encrypt and Authenticate [SSL]
• Authenticate then Encrypt [TLS] (Caution Required)
• Encrypt then Authenticate!

• Secure Communication
• Attacks: Reflection/Replay/Reordering + Defenses
• AES-GCM
• Cryptographic Hash Functions
• Definitional Challenges
2
 Week 5: Topic 1:
Cryptographic Hash
Functions

3
Keyed Hash Function Syntax
• Two Algorithms
• (Key-generation algorithm)
• Input: Random Bits R
• Output: Secret key
• (Hashing Algorithm)
• Input: key and message (unbounded length)
• Output: hash value

• Fixed length hash function

• with
• Example: and

4
Collision Experiment ()
s
x1,x2

{
𝑠 𝑠
𝐻𝑎𝑠h𝐶𝑜𝑙𝑙 𝐴 , Π (𝑛)= 1𝑖𝑓 𝐻 ( 𝑥1 ) =𝐻 ( 𝑥2 )
0 𝑜𝑡h𝑒𝑟𝑤𝑖𝑠𝑒

s=Gen(1𝑛; 𝑅)
Definition: (Gen,H) is a collision resistant hash function
if
5
Collision Experiment ()
s
For simplicity we will
x1,x2
sometimes just say that H
(or Hs) is a collision 1𝑖𝑓 𝐻 𝑠 ( 𝑥 ) =𝐻 𝑠 ( 𝑥 ) Key is not key secret
𝐻𝑎𝑠h𝐶𝑜𝑙𝑙 𝐴 , Π (𝑛)=
{
resistant hash function 0 𝑜𝑡h𝑒𝑟𝑤𝑖𝑠𝑒
1 2
(just random)

s=Gen(1𝑛; 𝑅)
Definition: (Gen,H) is a collision resistant hash function
if
6
Concrete Security ()
s
x1,x2

{
𝑠 𝑠
𝐻𝑎𝑠h𝐶𝑜𝑙𝑙 𝐴 , Π (𝑛)= 1𝑖𝑓 𝐻 ( 𝑥1 ) =𝐻 ( 𝑥2 )
0 𝑜𝑡h𝑒𝑟𝑤𝑖𝑠𝑒

s=Gen(1𝑛; 𝑅)
Definition: (Gen,H) is a collision resistant hash
function if
7
Theory vs Practice
• Most cryptographic hash functions used in practice are un-keyed
• Examples: MD5, SHA1, SHA2, SHA3, Blake2B
• Tricky to formally define collision resistance for keyless hash function
• There is a PPT algorithm to find collisions
• We just usually can’t find this algorithm 
• Guarantee for protocol using H
If we know an explicit efficient algorithm A
breaking our protocol then there is an efficient
blackbox reduction transforming A into an efficient
collision finding algorithm.

8
 Weaker Requirements for
Cryptographic Hash
• Target-Collision Resistance

s,x
x’

{
s s
Hash Tgt Coll A , Π (𝑛)= 1 if H ( x ′ ) =H (x)
0 otherwise

Question: Why is collision resistance stronger? 9

 Weaker Requirements for
Cryptographic Hash
• Preimage Resistance (One-Wayness)

s,
x

{
s
Hash PreImgRes A , Π (n) = 1 if H ( x )= y
0 otherwise

Question: Why is collision resistance stronger? 10

Merkle-Damgård Transform
• Most cryptographic hash functions accept fixed length inputs

• What if we want to hash arbitrary length strings?

Construction: Suppose (Gen,h) fixed length hash function from 2n bits

to n bits, define as follows

11
 Merkle-Damgård Transform
Construction: (Gen,h) fixed length hash function from 2n bits to n bits

=
1. Break x into n bit segments x1,..,xd (pad last block by 0’s)
2. (initialization)
3. For i = 1 to d

4. Output where encodes as an n-bit string

12
 Merkle-Damgård Transform
Theorem: If (Gen,h) is collision resistant then so is (Gen,H)

Proof: Show that any collision in Hs yields a collision in hs. Thus a PPT
attacker AH for (Gen,H) can be transformed into PPT attacker Ah for (Gen,h).

Suppose that AH finds a collision i.e., distinct x and x’ such that

(note x and x’ may have different lengths)

13
 Merkle-Damgård Transform
Theorem: If (Gen,h) is collision resistant then so is (Gen,H)

Proof: Suppose that . We will extract a collision for .

Case 1: L=|x|=|x’|=L’ (proof for case two is similar)

No  Found collision
Yes?

14
 Merkle-Damgård Transform
Theorem: If (Gen,h) is collision resistant then so is (Gen,H)

Proof: Suppose that

Case 1: L=|x|=|x’|=L’ (proof for case two is similar)

No  Found collision
Yes?

15
 Merkle-Damgård Transform
Theorem: If (Gen,h) is collision resistant then so is (Gen,H)

Proof: Suppose that

Case 1: |x|=|x’| (proof for case two is similar)

If for some i we have then we will find a collision

But x and x’ are different so we must have for some !

16
 Merkle-Damgård Transform
Theorem (Concrete Version): If (Gen,h) is -collision resistant then (Gen,H)
is is -collision resistant for where

Analysis: Run attacker AH to get pair x and x’ (time t), then compute
(resp. ) values to extract collision.

No  Found collision
Yes?

17
 Week 5: Topic 2:
HMACs and Generic
Attacks

18
MACs for Arbitrary Length Messages
MacK(m)=
• Select random n/4 bit string r
• Let for i=1,…,d
• (Note: encode i and as n/4 bit strings)
• Output

Theorem 4.8: If ’ is a secure MAC for messages of fixed length n, above

construction is secure MAC for arbitrary length messages.

20
MACs for Arbitrary Length Messages
Disadvantages: Lose
Mac (m)=
Disadvantage 1: Long Strong-MAC Guarantee
K
random n/4 bit string r (Multiple valid MACs of
output
• Select
• Let for i=1,…,d same message)
• (Note: encode i and as n/4 bit strings)
• Output

Theorem 4.8: If ’ is a secure MAC for messages of fixed length n, above

Randomized Construction (no
construction is secure MAC for arbitrary length messages.
canonical verification). Disadvantage?

21
Hash and MAC Construction
Start with , a secure MAC for messages of fixed length, and (Gen H,H) a collision
resistant hash function and define

Theorem 5.6: is a secure MAC for arbitrary length message assuming that is a
secure MAC and (GenH,H) is collision resistant.

Note: If is canonical then is canonical.

22
Hash and MAC Construction
Start with (Mac,Vrfy) a MAC for messages of fixed length and (Gen H,H) a collision
resistant hash function

Theorem 5.6: Above construction is a secure MAC.

Proof Intuition: If attacker successfully forges a valid MAC tag t’ for unseen message m’
then either
• Case 1: for some previously requested message mi
• Case 2: for every previously requested message mi
23
Hash and MAC Construction
Theorem 5.6: Above construction is a secure MAC.

Proof Intuition: If attacker successfully forges a valid MAC tag t’ for

unseen message m’ then either
• Case 1: for some previously requested message mi
• Attacker can find hash collisions!
• Case 2: for every previously requested message mi
• Attacker forged a valid new tag on the “new message”
• Violates security of the original fixed length MAC

24
Hash and MAC Construction
Start with (Mac,Vrfy) a MAC for messages of fixed length and (GenH,H) a collision resistant hash function

Theorem 5.6 (Concrete Version): If is and (GenH,H) is collision resistant then is

Proof Intuition: When A succeeds we either get a hash collision (case 1) or a forgery (case 2)
we could violate for
Simulate attacker A
when attacker makes a query we
1. compute and
2. forward to oracle to get back
A’s tag yields a forgery for new message with probability at least
Similar argument Iwe could violate collision resistance for
Therefore, A succeeds with probability at most
25
Recap
• Definition of Collision Resistant Hash Functions (Gen,H)
• Definitional challenges
• Gen(1n) outputs a public seed.

• Merkle-Damgård construction to hash arbitrary length strings

• Proof of correctness

• Hash and MAC construction

• Proof of correctness

26
 MAC from Collision Resistant Hash
• Failed Attempt:
❑ 𝑠
𝑀𝑎𝑐 ⟨𝑘 , 𝑆 ⟩ ( 𝑚 ) =𝐻 ( 𝑘 ∥𝑚 )

Broken if uses Merkle-Damgård Transform. Let encode length of and encode

the length of

Why does this mean is broken?

27
 MAC from Collision Resistant Hash
• Failed Attempt:

Broken if uses Merkle-Damgård Transform. Let encode length of

Why does this mean is broken?

1. Attacker asks for
2. Attacker computes which is a forgery for the message

28
HMAC

29
HMAC

Both ipad and opad are fixed constants.

Why use key twice?

Allows us to prove security from weak collision resistance of Hs
30
HMAC Security

Theorem (Informal): Assuming that is weakly collision resistant and

that (certain other plausible assumptions hold) this is a secure MAC.

Weak Collision Resistance: Give attacker oracle access to (secret key k

remains hidden).

Attacker Goal: Find distinct m, m’ such that

31
HMAC in Practice
• MD5 can no longer be viewed as collision resistant

• However, HMAC-MD5 remained unbroken after MD5 was broken

• Gave developers time to replace HMAC-MD5
• Nevertheless, don’t use HMAC-MD5!
• HMAC-SHA1 still seems to be okay (temporarily), despite collision
• HMAC is efficient and unbroken
• CBC-MAC was not widely deployed because it is “too slow”
• Instead practitioners often used heuristic constructions (which were breakable)

32
Finding Collisions
• Ideal Hashing Algorithm
• Random function H from {0,1}* to {0,1}
• Suppose attacker has oracle access to H(.)
Can we do
• Attack 1: Evaluate H(.) on 2+1 distinct inputs. better?

33
 Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm
• Random function H from {0,1}* to {0,1}
• Suppose attacker has oracle access to H(.)

• Attack 2: Evaluate H(.) on distinct inputs x1,…,xq.

34
 Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm
• Random function H from {0,1}* to {0,1}
• Suppose attacker has oracle access to H(.)

• Attack 2: Evaluate H(.) on distinct inputs x1,…,xq.

𝑫𝟐

⏞
35
 Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm
• Random function H from {0,1}* to {0,1}
• Suppose attacker has oracle access to H(.)

• Attack 2: Evaluate H(.) on distinct inputs x1,…,xq.

36
 Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm
• Random function H from {0,1}* to {0,1}
• Suppose attacker has oracle access to H(.)

• Attack 2: Evaluate H(.) on distinct inputs x1,…,xq.

37
 Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm
• Random function H from {0,1}* to {0,1}
for
• Suppose attacker has oracle access to H(.)

• Attack 2: Evaluate H(.) on distinct inputs x1,…,xq.

38
Recap
• Collision Resistant Hash Functions
• Merkle–Damgård Construction
• Applications to MACs
• Hash and MAC
• Failed MAC:
• HMAC
• Birthday Attack: Finds collision in time (and space )

• Reminder: Homework 2 Due Tonight

• Final Exam: Monday, May 3 at 10:30AM (FRNY B124)

39
 Birthday Attack for Finding Collisions
• Ideal Hashing Algorithm
• Random function H from {0,1}* to {0,1}
• Suppose attacker has oracle access to H(.)

• Attack 2: Evaluate H(.) on distinct inputs x1,…,xq.

• Store values in a hash table of size q
• Requires time/space
• Can we do better?

40
Floyd’s Cycle Finding Algorithm
• A cycle denotes a hash collision

• Occurs after O steps by birthday

paradox
• First attack phase detects cycle
X 4=𝐻 (x 3)
x5 x6
• Second phase identifies collision
x7
x 3 = H( x 2 )
x8
x2
x 12 x9
• Analogy: Cycle detection in linked list x1
x 11 x 10
• Can traverse “linked list” by computing H
x0 41
 Small Space Birthday Attack
• Attack 2: Select random , define
• and Claim: for some the collision is
• Repeat for i=1,2,…
Proof: Let C be length of cycle,
• now Let k= #steps before cycle
• If x=x’ then break 2i-k = i-k mod C  i= mod C
• and set and remember i Tortoise takes i-k steps inside cycle
Hare takes 2i-k total (equivalent to k backwards steps)
steps inside cycle,
• Repeat for j=1 to i looping around before Initially, for phase 2 we have
• If H(x) = H(x’) then output x,x’ ending in same place and after j=k-1 steps we
• Else x:= H(x), x’ = H(x) have
Now x= AND
and

42
 Small Space Birthday Attack
• Attack 2: Select random , define
• and
• Repeat for i=1,2,… Finds collision after
Osteps in
• now
• If x=x’ then break
expectation
• and set
• Repeat for j=1 to i
• If H(x) = H(x’) then output x,x’
• Else x:= H(x), x’ = H(x) Now x= AND

43
Small Space Birthday Attack
• Can be adapted to find “meaningful collisions” if we have a large message space O

• Example: with
• = Set of positive recommendation letters
• = Set of negative recommendation letters

• Goal: find , , such that H(z1) = H(z2)

• Can adapt previous attack by defining an injective mapping

• If then  Colliding inputs are both in S

44
Pre-Computation Attacks for Targeted
Collision
• Challenger: Picks random x and sends y=H(x) to attacker
• Attacker’s Goal: Find some x’ (not necessarily x) s.t. y=H(x’)
• Brute-Force Attack: Requires queries to H on average.
• Pre-Computation Attack: What if we know we will need to do this
multiple times?
• Pre-Processing Cost (one-time cost):
• Post-Processing Cost: (is this possible?)
• Applications:
• Targeted Hash Inversion, MAC forgery, Signature Forgery, Key-Recovery,
Password Cracking etc…
 Pre-Computation Attacks for Targeted
Collision
• Precomputation ( steps, memory)
2 𝑠
𝑠𝑝 1=𝑥
1
1
𝑠𝑝 2=𝑥 1 𝑠𝑝 𝑠 =𝑥 1

𝑥 =𝐻 (𝑥
1
2
1
1 ) 𝑥 =𝐻 (𝑥
2
2
2
1 ) … 𝑥 =𝐻(𝑥
𝑠
2
𝑠
1 )
… … …

𝑥 1
𝑖 +1 =𝐻 ( 𝑥 1
𝑖 ) 𝑥 2
𝑖 +1 =𝐻 ( 𝑥 2
𝑖 ) …
𝑥 𝑠
𝑖 +1 =𝐻 ( 𝑥 𝑠
𝑖 )
… … …
2 𝑠
1
𝑥 =𝑒 𝑝 1
𝑡
𝑥 =𝑒 𝑝 2
𝑡 𝑥 =𝑒 𝑝 𝑠
𝑡 46
 Pre-Computation Attacks for Targeted
Collision
• Precomputation ( steps, memory)
𝑗
𝑠𝑝 𝑗 =𝑥 1 • Goal: Find collision for target

… 𝑥 =𝐻(𝑥
𝑗
2 1
𝑗
) … 𝑦 0= 𝑦
…
𝑦 1= 𝐻 ( 𝑦 0 )
…
𝑥 𝑗
𝑖 +1 =𝐻 ( 𝑥 𝑖
𝑗
) … …
… 𝑦 𝑖=𝐻 ( 𝑦 𝑖 − 1)
𝑗 …
𝑥 =𝑒 𝑝 𝑗
𝑡 𝑦 𝑘=𝑒𝑝 𝑗 47
 Pre-Computation Attacks for Targeted
Suppose for some ,
Collision 

(takes t steps to recover from )

• Precomputation ( steps, memory)
𝑗
𝑠𝑝 𝑗 =𝑥 1 • Goal: Find collision for target
What We Hope is True:

𝑥 =𝐻(𝑥
𝑗
)
𝑗 chance that
 good
… 2 …,
for some
1 𝑦 0= 𝑦
…
𝑦 1= 𝐻 ( 𝑦 0 )
…
𝑥 𝑗
𝑖 +1 =𝐻 ( 𝑥 𝑖
𝑗
) … …
……
Not quite true…chains can intersect and
may not represent distinct points
𝑦 𝑖=𝐻 ( 𝑦 𝑖 − 1)
𝑗 …
𝑥 =𝑒 𝑝 𝑗
𝑡 𝑦 𝑘=𝑒𝑝 𝑗 48
Intersecting Chains
• Precomputation ( steps, memory)
𝑗 𝑗′
𝑠𝑝 𝑗 =𝑥 1 𝑠𝑝 𝑗 ′ =𝑥 1
Intersecting chains contain distinct
points.

𝑥 =𝐻(𝑥
𝑗
2 1
𝑗
) … 𝑥 =𝐻 (𝑥
𝑗′
2
𝑗′
1 )
… 𝑗 … After initial intersection the

𝑗𝑥
= 𝑥 𝑗′
𝑥 =𝐻 (𝑥
𝑖+ 1 𝑗′ 𝑗′
) chains merge together 

= 𝐻 ( 𝑥𝑖 )
𝑗 𝑘 𝑘 𝑘
𝑥 𝑖 +1
…
𝑗 𝑗′
𝑥 =𝑒 𝑝 𝑗
𝑡
… 𝑥 =𝑒 𝑝 𝑗 ′
𝑡 49
 Targeted Collision Attacks
Fact: If then chains contain distinct
• Precomputation ( steps, memory) points, but then
Pr[y in CHAIN]
2 𝑠
𝑠𝑝 1=𝑥
1
1
𝑠𝑝 2=𝑥 1 𝑠𝑝 𝑠 =𝑥 1

𝑥 =𝐻 (𝑥
1
2
1
1 ) 𝑥 =𝐻 (𝑥
2
2
2
1 ) … 𝑥 =𝐻(𝑥
𝑠
2
𝑠
1 )
… … …
Solution: Repeat T=O(t) times2 using
𝑥 1
𝑖 +1 𝑖 )
1 𝑥 2
= 𝐻 ( 𝑥different
𝑖 +1 = 𝐻 ( 𝑥
H1,…, HT where𝑖 ) …
𝑥𝑖 +1 = 𝐻 ( 𝑥𝑖 )
𝑠 𝑠

… s chains for each H …(sT chains total) …

j
2 𝑠
1
𝑥 =𝑒 𝑝 1
𝑡
𝑥 =𝑒 𝑝 2
𝑡 𝑥 =𝑒 𝑝 𝑠
𝑡 50
 Targeted Collision Attacks
• Precomputation ( steps, memory)
𝑗 𝑗
𝑠𝑝 1𝑗 =𝑥
1𝑗
1
𝑠𝑝 𝑗 =𝑥 1 𝑠𝑝 𝑗 =𝑥 1

𝑥 𝑗 ,1
2 =𝐻 1 ( 𝑥 1
𝑗 ,1
)𝑥
𝑗, 2
2 =𝐻 2 ( 𝑥 𝑗, 2
1 )… 𝑥 𝑗, 𝑇
2 =𝐻 𝑇 ( 𝑥 𝑗,𝑠
1 )
… … …

𝑥 𝑗 ,1
𝑖 +1 =𝐻1( 𝑥 𝑖
𝑗 ,1
)𝑥
𝑗, 2
𝑖 +1 =𝐻2 ( 𝑥 𝑖
𝑗, 2
)… 𝑥 𝑗, 𝑇
𝑖 +1 =𝐻𝑇 ( 𝑥 𝑖
𝑗,𝑠
)
… … …
𝑗, 2 𝑗, 𝑇
1𝑗 ,1
𝑥 =𝑒
=𝑒
𝑡 𝑝𝑝
1 𝑗 ,1
𝑥 𝑡 =𝑒 𝑝 𝑗 ,2 𝑥 𝑡 =𝑒 𝑝 𝑗 ,𝑇
51
 Repeat for each starting
Targeted
point withCollision 𝐻 𝑖 ( 𝑥 )= 𝐻
Attacks (𝐹 𝐾 ( 𝑥 ))
𝑖

• Precomputation ( steps, memory)

𝑗 𝑗
𝑠𝑝 1𝑗 =𝑥
1𝑗
1
𝑠𝑝 𝑗 =𝑥 1 𝑠𝑝 𝑗 =𝑥 1

𝑥 𝑗 ,1
2 =𝐻1( 𝑥 1
𝑗 ,1
)𝑥
𝑗, 2
2 =𝐻 2 ( 𝑥 𝑗, 2
1 )… 𝑥 𝑗, 𝑇
2 =𝐻 𝑇 ( 𝑥 𝑗,𝑠
1 )
… … …

𝑥 𝑗 ,1
𝑖 +1 =𝐻1( 𝑥 𝑖
𝑗 ,1
)𝑥
𝑗, 2
𝑖 +1 =𝐻2 ( 𝑥 𝑖
𝑗, 2
)… 𝑥 𝑗, 𝑇
𝑖 +1 =𝐻𝑇 ( 𝑥 𝑖
𝑗,𝑠
)
… … …
𝑗, 2 𝑗, 𝑇
1𝑗 ,1
𝑥 =𝑒
=𝑒
𝑡 𝑝𝑝
1 𝑗 ,1
𝑥 𝑡 =𝑒 𝑝 𝑗 ,2 𝑥 𝑡 =𝑒 𝑝 𝑗 ,𝑇 52
 Targeted Collision Attacks
• Precomputation ( steps, memory) 𝐻 𝑖 ( 𝑥 )= 𝐻 ( 𝐹 𝐾 ( 𝑥 ) )
𝑖
𝑗 𝑗
𝑠𝑝 1𝑗 =𝑥
1𝑗
1
𝑠𝑝 𝑗 =𝑥 1 𝑠𝑝 𝑗 =𝑥 1

𝑥 𝑗 ,1
2 =𝐻 1 ( 𝑥 1
𝑗 ,1
)𝑥
𝑗, 2
=𝐻 𝑗, 2
2 Each Chains
2 … (𝑥
1 Contain: ) 𝑥 𝑗, 𝑇
=𝐻
distinct
2 𝑇 (𝑥
points
𝑗,𝑠
1 )
… … As long as …

𝑥 𝑗 ,1
𝑖 +1 =𝐻1( 𝑥 𝑖
𝑗 ,1
)𝑥
𝑗, 2
=𝐻 (𝑥
Untangling
𝑖 +1 𝑖 Chains:
𝑖 )
𝑗 ,2 …
𝑥𝑗, 𝑇
won’t remain =𝐻 (𝑥
𝑖 +1 tangled
𝑖 with
𝑖
𝑗, 𝑠
)
… … chains …
𝑗, 2  all chains cover points
𝑗, 𝑇
1𝑗 ,1
𝑥 =𝑒
=𝑒
𝑡 𝑝𝑝
1 𝑗 ,1
𝑥 𝑡 =𝑒 𝑝 𝑗 ,2 𝑥𝑡 =𝑒 𝑝 𝑗 ,𝑇 53
Post-Processing
Input: y 𝑦 0 ,𝑖 = 𝑦
For each // Compute T chains of length t
// Start each chain at 𝑦 1, 𝑖= 𝐻 𝑖 ( 𝑦 0 )
…
For each
//
𝑦 𝑗 , 𝑖=𝐻 𝑖 ( 𝑦 𝑗 −1 )
…
For each k’ such that
𝑦 𝑘 ,𝑖 =𝑒𝑝𝑘 ,𝑖 ′
// recompute chain at
For each
If return else
54
Post-Processing Observation 1: If y is on any of the chains
i.e., for some ,
 We will hit the endpoint

Input: y 𝑦 0 ,𝑖 = 𝑦
 We will find a pre-image of y

For each // Compute T chains of length t

// Start each chain at 𝑦 1, 𝑖= 𝐻 𝑖 ( 𝑦 0 )
…
For each
//
𝑦 𝑗 , 𝑖=𝐻 𝑖 ( 𝑦 𝑗 −1 )
…
For each k’ such that
𝑦 𝑘 ,𝑖 =𝑒𝑝𝑘 ,𝑖 ′
// recompute chain at
For each
If return else
55
 Observation 2: If when y is not on the
Post-Processing chain starting at then we waste t steps
checking this chain.

Input: y 𝑦 =𝑦
Let be an indicator random variable for
the event that even though y is not on the
,𝑖
0chain
For each // Compute T chains of length t
// Start each chain at 𝑦 1, 𝑖= 𝐻 𝑖 ( 𝑦 0)
Let Z be total number of false positives
…
For each
//
𝑦 𝑗 , 𝑖=𝐻 𝑖 ( 𝑦 𝑗 −1 )
…
For each k’ such that
𝑦 𝑘 ,𝑖 =𝑒𝑝𝑘 ,𝑖 ′
// recompute chain at
For each
If return else
56
Post-Processing Let Z be total number of false positives

Input: y 𝑦 0 ,𝑖 = 𝑦
Total Running Time:
For each // Compute T chains of length t
// Start each chain at 𝑦 1, 𝑖= 𝐻 𝑖 ( 𝑦 0 )
If and then total running time is
…
For each
//
𝑦 𝑗 , 𝑖=𝐻 𝑖 ( 𝑦 𝑗 −1 )
…
For each k’ such that
𝑦 𝑘 ,𝑖 =𝑒𝑝𝑘 ,𝑖 ′
// recompute chain at
For each
If return else
57
 Targeted Collision Attacks
• Precomputation ( steps, memory)
𝑗
𝑠𝑝 𝑗 =𝑥 1 • Goal: Find collision for target

… 𝑥 𝑗
Set ,
2 = 𝐻 1 ( 𝑥 ) 𝑗
…
1 𝑦 0= 𝑦
…
Precomputation: 𝑦 1Total
=𝐻Cost1 ( 𝑦to
0 )find
… Space:
𝑥𝑖 +1 = 𝐻 𝑖 −1 ( 𝑥 𝑖 )…
𝑗 𝑗 …
targeted collisions is
Targeted Collision
… Search: =𝐻 𝑖 −1 ( 𝑦 𝑖 − 1 )
𝑦 𝑖just
𝑗 …
𝑥 =𝑒 𝑝 𝑗
𝑡 𝑦 𝑘=𝑒𝑝 𝑗 60
Applications
• Key-Recovery Attacks on Block Cipher
• Pre-Computation:
• Crack secret keys in total time with space
• Run prior attack with “hash function”
• for some random (fixed)
• Password Cracking
• Attacker is given ,…, for passwords with
• Goal: Recover passwords
• Can crack all passwords in total time with space
• Domain Challenge: with
• Define (pseudo)random mapping
• Run prior attack with “hash function” as
61
 Week 5: Topic 3:
Random Oracle Model + Hashing
Applications

62
When Collision Resistance Isn’t
Enough
• Example: Message Commitment
• Alice sends Bob: (e.g., predicted winner of NCAA Tournament)
• Alice can later reveal message (e.g., after the tournament is over)
• Just send r and m (note: r has fixed length)
• Why can Alice not change her message?
• Collision Resistance  Alice can’t find r’ and m’ s.t.
• In the meantime Bob shouldn’t learn anything about m

• Problem: Let (Gen,H’) be collision resistant then so is (Gen,H)

65
When Collision Resistance Isn’t
Enough
• Problem: Let (Gen,H’) be collision resistant then so is (Gen,H)

Note: An collision trivially yields a collision

• (Gen,H) definitely does not hide all information about input ()

• Conclusion: Collision resistance is not sufficient for message

commitment
66
The Tension
• Example: Message Commitment
• Alice sends Bob: (e.g., predicted winners of NCAA Final Four)
• Alice can later reveal message (e.g., after the Final Four is decided)
• In the meantime Bob shouldn’t learn anything about m

This is still a reasonable approach in practice!

• No attacks when instantiated with any reasonable candidate (e.g., SHA3)

• Cryptographic hash functions seem to provide “something” beyond
collision resistance, but how do we model this capability?
67
Random Oracle Model
• Model hash function H as a truly random function
• Algorithms can only interact with H as an oracle
• Query: x
• Response: H(x)
• If we submit the same query you see the same response
• If x has not been queried, then the value of H(x) is uniform

• Real World: H instantiated as cryptographic hash function (e.g., SHA3)

of fixed length (no Merkle-Damgård)
68
 Back to Message Commitment
• Example: Message Commitment
• Alice sends Bob: (e.g., predicted winners of NCAA Final Four)
• Alice can later reveal message (e.g., after the Final Four is decided)
• Just send r and m (note: r has fixed length)
• Why can Alice not change her message?
• In the meantime Bob shouldn’t learn anything about m

• Random Oracle Model: Above message commitment scheme is

secure (Alice cannot change m + Bob learns nothing about m)
• Security Definition + Proof later…
69
Random Oracle Model: Pros
• It is easier to prove security in Random Oracle Model

• Suppose we are simulating attacker A in a reduction

• Extractability: When A queries H at x we see this query and learn x (and can
easily find H(x))
• Programmability: We can set the value of H(x) to a value of our choice
• As long as the value is correctly distribute i.e., close to uniform
• Both Extractability and Programmability are useful tools for a
security reduction!

70
Random Oracle Model: Pros
• It is easier to prove security in Random Oracle Model

• Provably secure constructions in random oracle model are often much

more efficient (compared to provably secure construction is “standard
model”

• Sometimes we only know how to design provably secure protocol in

random oracle model

71
Random Oracle Model: Cons
• Lack of formal justification
• Why should security guarantees translate when we instantiate
random oracle with a real cryptographic hash function?

• We can construct (contrived) examples of protocols which are

• Secure in random oracle model…
• But broken in the real world

72
Random Oracle Model: Justification
“A proof of security in the random-oracle model is significantly better
than no proof at all.”

• Evidence of sound design (any weakness involves the hash function

used to instantiate the random oracle)
• Empirical Evidence for Security
“there have been no successful real-world attacks on
schemes proven secure in the random oracle model”

73
Hash Function Application:
Fingerprinting
• The hash h(x) of a file x is a unique identifier for the file
• Collision Resistance  No need to worry about another file y with H(y)=H(y)

• Application 1: Virus Fingerprinting

• Application 2: P2P File Sharing

• Application 3: Data deduplication

74
 Tamper Resistant Storage

m1

H(m1) m1 ’

75
 Tamper Resistant Storage
File Index Hash
1 H(m1) Disadvantage: Too
many hashes to store
2 H(m2)
3 H(m3)

m1,m2,m3
Send file 1

m1 ’

76
Tamper Resistant Storage
Disadvantage: Need all
files to compute hash
m1,m2,m3

H(m1,m2,m3)

m1,m2,m3
Send file 1

m1 ’

77
 Merkle Trees

Theorem: Let (Gen, hs) be a collision resistant hash

function then is collision resistant.

𝐱𝟏 𝐱𝟐 78
Merkle Trees
• Proof of Correctness for data block 2

• Verify that root matches

• Proof consists of just log(n) hashes
• Verifier only needs to permanently store
only one hash value
80
Tamper Resistant Storage

Root: H1-4

m1,m2,m3,m4
Send file 2

m2’,h1,h3-4

81
Commitment Schemes
• Alice wants to commit a message m to Bob
• And possibly reveal it later at a time of her choosing
• Properties
• Hiding: commitment reveals nothing about m to Bob
• Binding: it is infeasible for Alice to alter message

82
Commitment Hiding ()
m0,m1
commit(r,mb)
b’

{
′
Hiding 𝐴 , 𝐶𝑜𝑚 (𝑛) = 1if 𝑏=𝑏
0 𝑜𝑡h𝑒𝑟𝑤𝑖𝑠𝑒

r = Gen(.)
Bit b

83
Commitment Binding ()
r0,r1,m0,m1

Binding 𝐴 ,𝐶𝑜𝑚 (𝑛)= {

1if commit ( r 0 , m 0 )=
0 𝑜𝑡h𝑒𝑟𝑤𝑖𝑠𝑒
commit ( r 1 , m 1 )

84
Secure Commitment Scheme
• Definition: A secure commitment scheme is hiding and binding
• Hiding

• Binding

85
Commitment Scheme in Random
Oracle Model
• Commit(r,m):=H(m|r)

• Reveal(c):= (m,r)

Theorem: In the random oracle model this is a secure commitment scheme.

Proof Intuition: Let BAD event that attacker queries for any message
m’ on any of q queries
• As long as the event BAD never occurs Bob learns nothing about
m (in an information theoretic sense)
• If r is a random n-bit string then
86
Commitment Hiding ()
m0,m1
H(r,mb)
b’

{
′
Hiding 𝐴 , 𝐶𝑜𝑚 (𝑛) = 1𝑖𝑓𝑏=𝑏
0 𝑜𝑡h𝑒𝑟𝑤𝑖𝑠𝑒

r = Gen(1n)
Bit b

87
Other Applications
• Password Hashing

• Key Derivation

88
Next Week
• Stream Ciphers
• Block Ciphers
• Feistel Networks
• DES, 3DES
• Read Katz and Lindell 6.1-6.2

89