Documente Academic
Documente Profesional
Documente Cultură
Dan Boneh
Collision
resistance
Introduction
Dan Boneh
(e.g. 802.11i)
PRFs
NMAC
randomized
MAC
Dan Boneh
Collision Resistance
Let H: M T be a hash function
Dan Boneh
Sbig(k,m) = S(k,H(m))
Vbig(k,m,t) = V(k,H(m),t)
Example:
S(k,m) = AES2-block-cbc(k, SHA-256(m)) is a
secure MAC.
Dan Boneh
Vbig(k, m, t) =
Dan Boneh
F1
F2
package name
Fn
read-only
public
space
H(F2)
H(F1)
H(Fn)
When user downloads package, can verify that contents are valid
H collision resistant
attacker cannot modify package without detection
no key needed (public verifiability), but requires read-only
space
Dan Boneh
End of Segment
Dan Boneh
Dan Boneh
Collision
resistance
Generic birthday
attack
Dan Boneh
Algorithm:
1. Choose 2n/2 random messages in M:
( |M| >> 2n )
O(2n/2)
hashes
m1, , m2n/2
(distinct w.h.p )
Dan Boneh
Dan Boneh
B=106
# samples n
Dan Boneh
Generic attack
H: M {0,1}n .
Collision finding algorithm:
1. Choose 2n/2 random elements in M:
m1, ,
m2n/2
2. For i = 1, , 2n/2 compute
3. Look for a collision (ti = tj).
back to step 1.
ti = H(mi)
{0,1}n
Dan Boneh
SHA-1
SHA-256
SHA-512
153 280
111 2128
99 2256
NIST standards
Speed
Whirlpool
512
[ Wei Dai ]
( Linux)
digest
function size (bits)
160
256
512
Crypto++ 5.6.0
generic
(MB/sec) attack time
57 2256
best known collision finder for SHA-1 requires 251 hash evaluations
Dan Boneh
Classical
algorithms
Quantum
algorithms
O( |K| )
O( |K|1/2 )
O( |T|1/2 )
O( |T|1/3 )
Dan Boneh
End of Segment
Dan Boneh
Dan Boneh
Collision
resistance
The MerkleDamgard
Paradigm
Dan Boneh
Dan Boneh
H0
m[1]
H1
m[2]
Given h: T X T
we obtain
variables
PB:
H2
m[3] ll PB
H4
(compression function)
H: XL T .
padding block
H3
H(m)
Hi - chaining
10000 ll msg
len
64 bits
If no space for PB
add another block
Dan Boneh
MD collision resistance
Thm: if h is collision resistant then so is H.
Proof: collision on H collision on h
Suppose H(M) = H(M).
= H0
= H0 ,
H1
, , Ht ,
H1 , , Hr,
Dan Boneh
ppose
Ht = Hr
and
Mt = Mr and PB = PB
Dan Boneh
End of Segment
Dan Boneh
Dan Boneh
Collision
resistance
Constructing
Compression
Functions
Dan Boneh
Thm:
m[1]
m[2]
h collision resistant
m[3] ll PB
H(m)
H collision resistant
Dan Boneh
E: K {0,1}n {0,1}n
a block cipher.
h(H, m) = E(m,
mi
>
Hi
Best possible !!
Dan Boneh
Suppose we define
h(H, m) = E(m, H)
(HW)
Dan Boneh
SHACAL2
256-bit block
Dan Boneh
Provable compression
functions
Choose a random 2000-bit prime p and random 1
u, v p .
For m,h {0,,p-1}
vm (mod p)
define
h(H,m) = uH
Dan Boneh
End of Segment
Dan Boneh
Dan Boneh
Collision
resistance
HMAC:
a MAC from SHA256
Dan Boneh
Thm:
m[1]
m[2]
h collision resistant
m[3] ll PB
H(m)
H collision resistant
Dan Boneh
S(k, m) = H( k ll m)
S( k, m ) = H( kopad ll H( kipad ll
Dan Boneh
HMAC in pictures
kipad
IV
(fixed)
>
m[0]
>
m[1]
>
m[2] ll PB
>
kopad
>
IV
(fixed)
>
tag
Dan Boneh
HMAC properties
Built from a black-box implementation of SHA-256.
HMAC is assumed to be a secure PRF
Can be proven under certain PRF assumptions
about h(.,.)
Security bounds similar to NMAC
Need q2/|T| to be negligible ( q << |T| )
In TLS:
Dan Boneh
End of Segment
Dan Boneh
Dan Boneh
Collision
resistance
Timing attacks on
MAC
verification
Dan Boneh
Dan Boneh
target
msg
m , tag
accept or reject
Dan Boneh
Defense #1
Make string comparator always take same time
(Python) :
return false if sig_bytes has wrong length
result = 0
for x, y in zip( HMAC(key,msg) , sig_bytes):
result |= ord(x) ^ ord(y)
return result == 0
Can be difficult to ensure due to optimizing compiler.
Dan Boneh
Defense #2
Make string comparator always take same time
(Python) :
def Verify(key, msg, sig_bytes):
mac = HMAC(key, msg)
return HMAC(key, mac) == HMAC(key,
sig_bytes)
Attacker doesnt know values being compared
Dan Boneh
Lesson
Dan Boneh
End of Segment
Dan Boneh