Hash Functions in Action: Hashes and MAC

1) Hashes convert variable-length inputs into fixed-length outputs and are required to be collision resistant. Common constructions include 2-universal hash functions and cryptographic hash functions like SHA-256.
2) Hash-based message authentication codes (MACs) can be constructed using pseudorandom functions or cryptographic hash functions. HMAC is a widely used hash-based MAC that iterates a compression function to provide security even when the underlying hash is not a random oracle.
3) While hashes are useful for MACs, actual cryptographic hash functions like SHA-256 are not random oracles and have properties like length extension that must be addressed to ensure the security of hash-based MACs. Standard techniques like HMAC

Hash Functions in Action

Lecture 10
Hashes and MAC
Hash Functions

Main syntactic feature: variable input length to fixed length output

Primary requirement: collision-resistance
If for all PPT A, Pr[x ≠ y and h(x) = h(y)] is negligible in the following experiment:
  A → (x,y); h ← H : Combinatorial Hash Functions
  A → x; h ← H; A(h) → y : Universal One-Way Hash Functions
  h ← H; A(h) → (x,y) : Collision-Resistant Hash Functions (typically used)
  h ← H; A^h → (x,y) : Weak Collision-Resistant Hash Functions (A has only oracle access to h)
Also often required: "unpredictability"
Constructions
2-Universal Hash Function: e.g., h_{a,b}(x) = chop(ax + b) over the field GF(2^n)

CRHF: e.g., h_{G,g1,g2}(x1,x2) = g1^{x1} g2^{x2} (in G, a prime order DL group)

CRHF in practice: e.g., SHA-256, SHA3

SHA-256 (and many others) using a Merkle-Damgård iterated hash function, iterating a fixed input-length compression function

[Figure: Merkle-Damgård iteration. Starting from IV, the compression function f is applied to the blocks m1, m2, ..., mt in turn, then to a final block encoding t, giving the output T.]
Today

Another combinatorial notion of a hash function
  Almost XOR Universal (AXU) hash function family
Using hash functions for MAC
  One-time MAC
  Proper MACs (any number of times, variable length message)
    With a PRF
      GMAC (Also, recall CMAC, EMAC.)
    Without a PRF
      HMAC
XOR-Universal Hash
Recall Combinatorial HF: A → (x,y); h ← H. h(x) = h(y) w.n.p.

2-Universal hash function family:
  ∀ x ≠ y, w, z: Pr_{h←H}[ h(x) = w, h(y) = z ] = 1/|range|^2

XOR-Universal hash function family (range = {0,1}^k, say):
  ∀ x ≠ y, z: Pr_{h←H}[ h(x) ⊕ h(y) = z ] = 1/|range|
  A 2-UHF is an XUHF; the converse is not true [Exercise]

ε-Almost XOR-Universal hash function family:
  ∀ x ≠ y, z: Pr_{h←H}[ h(x) ⊕ h(y) = z ] ≤ ε

An example: for variable length input, m = (m1, …, mt), t k-bit blocks
  h_α(m) = m1·α + m2·α^2 + … + mt·α^t + |m|·α^{t+1}, over GF(2^k) (addition is XOR)
  m defines a polynomial P_m and h_α(m) = P_m(α)
  Pr_{h←H}[ h(m) ⊕ h(m') = z ] = Pr_{α←GF(2^k)}[ Δ(α) = z ] ≤ degree(Δ)/2^k
  where Δ = P_m − P_{m'} is a non-zero polynomial of degree ≤ max{|m|,|m'|}+1
Hashes for MAC
One-time MAC
With 2-Universal Hash Functions
Recall:
Trivial (very inefficient) solution (to sign a single n-bit message):
  Key: 2n random strings (each k-bit long), (r_i^0, r_i^1)_{i=1..n}
  [Table: the key laid out as two rows, r_1^0 r_2^0 r_3^0 ... above r_1^1 r_2^1 r_3^1 ...; bit m_i selects one entry from column i]
  Signature for m1...mn is (r_i^{m_i})_{i=1..n}
  Negligible probability that Eve can produce a signature on m' ≠ m
A much more efficient solution, using 2-UHF (and still no computational assumptions):
  Onetime-MAC_h(M) = h(M), where h ← H, and H is a 2-UHF
  Seeing the hash of one input gives no information on the hash of another value
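As an added worked example (my code, not part of the lecture slides), the following Python implements Onetime-MAC_h(M) = h(M) with a 2-universal family and checks the two claims above exhaustively for a tiny field: that the family satisfies the 2-universal definition, and that seeing one (message, tag) pair leaves every tag value for a different message equally likely. It uses the prime-field family h_{a,b}(x) = ax + b mod p rather than the slide's chop(ax + b) over GF(2^n); the prime, the function names and the sample messages are my assumptions.

```python
import secrets

# Assumption: the prime field Z_P stands in for the slide's GF(2^n); the family
# h_{a,b}(x) = a*x + b with (a, b) uniform over the field is 2-universal in either field.
P = (1 << 61) - 1  # Mersenne prime 2^61 - 1; any message below P is one field element


def h(a: int, b: int, x: int, p: int = P) -> int:
    """One member of the 2-universal family H = { h_{a,b} : (a, b) in Z_p^2 }."""
    return (a * x + b) % p


def keygen(p: int = P) -> tuple:
    """h <- H: pick (a, b) uniformly. A key may be used for ONE message only."""
    return secrets.randbelow(p), secrets.randbelow(p)


def onetime_mac(key: tuple, msg: bytes, p: int = P) -> int:
    """Onetime-MAC_h(M) = h(M); the message is interpreted as a single field element."""
    x = int.from_bytes(msg, "big")
    if x >= p:
        raise ValueError("message too long for a single field element")
    return h(key[0], key[1], x, p)


def onetime_verify(key: tuple, msg: bytes, tag: int, p: int = P) -> bool:
    return onetime_mac(key, msg, p) == tag


def is_2_universal(p: int) -> bool:
    """Exhaustive check of the slide's definition for a small prime p:
    for all x != y and all w, z, Pr_{h<-H}[h(x) = w and h(y) = z] = 1/|range|^2.
    |H| = p^2 and |range| = p, so exactly one key (a, b) must hit each (w, z)."""
    for x in range(p):
        for y in range(p):
            if x == y:
                continue
            for w in range(p):
                for z in range(p):
                    hits = sum(1 for a in range(p) for b in range(p)
                               if h(a, b, x, p) == w and h(a, b, y, p) == z)
                    if hits != 1:
                        return False
    return True


def tag_distribution_after_one_use(p: int, m: int, t: int, m2: int) -> dict:
    """Eve has seen (m, t). Over all keys consistent with that pair, count how often
    each tag value for a different message m2 occurs. A flat histogram means the
    observation told her nothing about the tag of m2 (the slide's claim)."""
    counts = {}
    for a in range(p):
        for b in range(p):
            if h(a, b, m, p) == t:
                t2 = h(a, b, m2, p)
                counts[t2] = counts.get(t2, 0) + 1
    return counts


if __name__ == "__main__":
    print("2-universal over Z_5:", is_2_universal(5))
    print("tags for m2 given one observation:", tag_distribution_after_one_use(7, 2, 3, 5))
    key = keygen()
    tag = onetime_mac(key, b"pay 10")  # constructed sample message
    print("verifies:", onetime_verify(key, b"pay 10", tag))
```

The histogram check is the whole security argument in miniature: with m2 ≠ m, the p keys consistent with (m, t) map m2 to p distinct tags, so a forger's best guess succeeds with probability 1/p. Using the same key for a second message breaks this immediately, since two equations in (a, b) pin the key down.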
MAC: Beyond One-Time
With Combinatorial Hash Functions and PRF
Recall: MACs can be based entirely on PRFs
  PRF is a MAC (on one-block messages)
  CBC-MAC: extends PRF to any fixed length domain
  [Figure: CBC-MAC. Each block m1, m2, ..., mt is XORed with the previous output and fed through F_K; the final output is the tag T.]
  Can also make it work with variable input-length:
    Derive K as F_{K'}(t), where t is the number of blocks
    Or, use the first block to specify the number of blocks
    Or, output not the last tag T, but F_{K'}(T), where K' is an independent key (EMAC)
    Or, XOR the last message block with another key K' (CMAC)

Using hash & PRF (for fixed length domains):
  MAC*_{K,h}(M) = PRF_K(h(M)) where h ← H, and H is a 2-UHF  (h(M) is not revealed)
MAC: Beyond One-Time
With Combinatorial Hash Functions and PRF
Using an ε-AXUHF & PRF (for variable length domains):
  MAC*_{K,h}(M) = (r, PRF_K(r) ⊕ h(M)) where h ← H, H an ε-AXUHF, r random
  Forgery with a fresh r is prevented by the PRF.
  Forgery reusing an r requires knowing h(M) ⊕ h(M'), given no information about h (due to encryption with the PRF)
GMAC, a NIST standard: with polynomial evaluation over GF(2^k) being the ε-AXUHF
  Note that GMAC is randomised as it needs a nonce r
  But not a problem when used as part of Authenticated Encryption, which already needs a nonce
Galois Counter Mode (GCM): Authenticated encryption using encrypt (AES in CTR mode) then MAC (GMAC).
  Nonce r (with counter 0) used for GMAC, and PRF_K(r+i) with i > 0, for encryption. (Nonce itself is not MAC'ed.)
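Added example (my code, not the lecture's and not NIST's GMAC): the polynomial-evaluation ε-AXU hash h_α(m) from the XOR-Universal slide, and the MAC (r, PRF_K(r) ⊕ h(M)) built on it as described above. Assumptions: arithmetic is in GF(2^128) with the polynomial GCM uses but without GCM's bit-reflected element encoding, so outputs are GMAC-shaped but do not match a real GHASH; the PRF is a truncated HMAC-SHA256 stand-in for AES; the length block carries |m| in bits; all names are mine. The exhaustive check over GF(2^8) counts the keys α on which two messages collide and confirms the degree(Δ)/2^k bound, and the last function shows what nonce reuse leaks.

```python
import hashlib
import hmac
import secrets

# GF(2^128) with the irreducible polynomial x^128 + x^7 + x^2 + x + 1 (the one GCM uses).
# Elements are plain big-endian integers; GCM's bit-reflected encoding is not replicated.
K_BITS = 128
POLY_128 = (1 << 128) | 0x87
POLY_8 = 0x11B  # x^8 + x^4 + x^3 + x + 1 (the AES field), small enough for exhaustive checks


def gf_mul(a: int, b: int, k: int = K_BITS, poly: int = POLY_128) -> int:
    """Schoolbook multiplication in GF(2^k); `poly` includes its x^k term."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> k) & 1:
            a ^= poly
    return r


def poly_hash(alpha: int, msg: bytes, k: int = K_BITS, poly: int = POLY_128) -> int:
    """h_alpha(m) = m1*alpha + m2*alpha^2 + ... + mt*alpha^t + |m|*alpha^(t+1) over GF(2^k).
    Blocks are k bits (the last one zero-padded); the length block holds |m| in bits, as
    GHASH does, so a message and its zero-padded twin get different polynomials."""
    n = k // 8
    padded = msg + b"\x00" * (-len(msg) % n)
    coeffs = [int.from_bytes(padded[i:i + n], "big") for i in range(0, len(padded), n)]
    coeffs.append(len(msg) * 8)
    acc = 0
    for c in reversed(coeffs):  # Horner's rule, highest power first
        acc = gf_mul(acc ^ c, alpha, k, poly)
    return acc


def collision_count(m1: bytes, m2: bytes, k: int, poly: int) -> int:
    """Number of keys alpha with h_alpha(m1) = h_alpha(m2), by exhaustion (small k only).
    The slide's bound says this is at most degree(Delta) <= max{t, t'} + 1."""
    return sum(1 for alpha in range(1 << k)
               if poly_hash(alpha, m1, k, poly) == poly_hash(alpha, m2, k, poly))


def prf(key: bytes, r: bytes) -> int:
    """Stand-in for PRF_K(r) with a 128-bit output (assumption: truncated HMAC-SHA256;
    GMAC uses AES here)."""
    return int.from_bytes(hmac.new(key, r, hashlib.sha256).digest()[:16], "big")


def axu_mac(prf_key: bytes, alpha: int, msg: bytes, r: bytes = None) -> tuple:
    """MAC*_{K,h}(M) = (r, PRF_K(r) XOR h_alpha(M)); r must be fresh for every message."""
    if r is None:
        r = secrets.token_bytes(16)
    return r, prf(prf_key, r) ^ poly_hash(alpha, msg)


def axu_verify(prf_key: bytes, alpha: int, msg: bytes, r: bytes, tag: int) -> bool:
    expected = (prf(prf_key, r) ^ poly_hash(alpha, msg)).to_bytes(16, "big")
    return hmac.compare_digest(expected, tag.to_bytes(16, "big"))


def nonce_reuse_exposes_hash_xor(prf_key: bytes, alpha: int, m1: bytes, m2: bytes) -> bool:
    """If the same r is used twice, the PRF masks cancel and the two tags XOR to
    h(M1) XOR h(M2): exactly the quantity the slide says a forger must not learn."""
    r = b"\x00" * 16  # deliberately repeated nonce, constructed for the demonstration
    _, t1 = axu_mac(prf_key, alpha, m1, r)
    _, t2 = axu_mac(prf_key, alpha, m2, r)
    return t1 ^ t2 == poly_hash(alpha, m1) ^ poly_hash(alpha, m2)


if __name__ == "__main__":
    print("keys on which 'a' and 'a\\x00' collide in GF(2^8):",
          collision_count(b"a", b"a\x00", 8, POLY_8))
    key, alpha = secrets.token_bytes(16), secrets.randbelow(1 << K_BITS)
    r, tag = axu_mac(key, alpha, b"constructed sample message")
    print("verifies:", axu_verify(key, alpha, b"constructed sample message", r, tag))
```

For the pair "a" and "a\x00" the difference polynomial is Δ(α) = 8α² + 16α³ = α²(8 + 16α) over GF(2^8), which has exactly two distinct roots, within the bound max{t, t'} + 1 = 3; without the length block the two messages would share a polynomial and collide for every α. The nonce-reuse function is why GCM treats a repeated nonce as catastrophic: once h(M1) ⊕ h(M2) is known, the structure of the polynomial hash makes the hash key recoverable, and the slide's argument that "no information about h" is available no longer holds.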
MAC: Beyond One-Time
With Cryptographic Hash Functions
Previous solutions required pseudorandomness

What if we should base it only on a fixed input-length MAC (not a PRF)?
  Why? "To avoid export restrictions!" (Was a consideration in the 1990's.) Also security/efficiency

Candidate fixed input-length MACs in practice that do not use a block-cipher: compression functions (with key as IV)

MAC*_{K,h}(M) = MAC_K(h(M)) where h ← H, and H a weak-CRHF  (h(M) may be revealed; only oracle access to h)
  Weak-CRHFs can be based on OWF (unlike CRHF).
  Efficient heuristic construction from compression functions (again)
MAC: Beyond One-Time
With Cryptographic Hash Functions
HMAC: Hash-based MAC
  Essentially built from a compression function f
  [Figure: NMAC/HMAC. Inner hash: starting from K1, f is iterated over m1, ..., mt and a final block |m|. Outer hash: f applied with K2 to the inner result gives T. In HMAC, K1 = f(IV, K') and K2 = f(IV, K'').]
  If keys K1, K2 independent (called NMAC), then secure MAC if: f is a fixed input-length MAC & the Merkle-Damgård iterated-hash is a weak-CRHF
  In HMAC (K1,K2) derived from (K',K''), in turn heuristically derived from a single key K. If f is a (weak kind of) PRF, K1, K2 can be considered independent
Hash Not a Random Oracle!
If H is a Random Oracle, then just H(K||M) will be a MAC

But if H is a Merkle-Damgård iterated-hash function, then there is a simple length-extension attack for forgery
  Take M' = M || pad_M || X, where pad_M is a block encoding |M| (used by the Merkle-Damgård iterated-hash) and X is arbitrary. Then, one can compute H(K||M') from H(K||M).
  (That attack can be fixed by preventing extension: prefix-free encoding)

Other suggestions like SHA1(M||K), SHA1(K||M||K) all turned out to be flawed too
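Added example (my code, not from the slides) of the length-extension property described above on a toy Merkle-Damgård hash, beside the HMAC envelope that closes it. Assumptions: a 16-byte block, a compression function f built from truncated SHA-256, the usual 0x80/zeros/bit-length padding, and all function names are mine; the key and messages are constructed samples.

```python
import hashlib
import struct

BLOCK = 16        # toy block size in bytes
IV = bytes(BLOCK)


def f(state: bytes, block: bytes) -> bytes:
    """Toy fixed input-length compression function (assumption: truncated SHA-256 of
    state || block). Its internals do not matter: only the iterated structure does."""
    return hashlib.sha256(state + block).digest()[:BLOCK]


def md_pad(total_len: int) -> bytes:
    """Merkle-Damgård strengthening: 0x80, zeros, then the input length in bits,
    bringing the data to a whole number of blocks."""
    pad = b"\x80"
    pad += b"\x00" * (-(total_len + len(pad) + 8) % BLOCK)
    return pad + struct.pack(">Q", total_len * 8)


def md_iterate(state: bytes, data: bytes) -> bytes:
    """Run f over each block of `data`, starting from `state`."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = f(state, data[i:i + BLOCK])
    return state


def md_hash(msg: bytes) -> bytes:
    return md_iterate(IV, msg + md_pad(len(msg)))


def prefix_mac(key: bytes, msg: bytes) -> bytes:
    """H(K||M): would be a MAC if H were a random oracle, but H is an iterated hash."""
    return md_hash(key + msg)


def extend_without_key(tag: bytes, key_len: int, msg: bytes, x: bytes) -> tuple:
    """From H(K||M) and only the length of K, compute H(K || M || pad_M || X): the tag
    is the chaining state after K||M||pad_M, so the iteration can simply be resumed."""
    pad_m = md_pad(key_len + len(msg))
    new_len = key_len + len(msg) + len(pad_m) + len(x)
    return msg + pad_m + x, md_iterate(tag, x + md_pad(new_len))


def hmac_toy(key: bytes, msg: bytes) -> bytes:
    """HMAC over the toy hash: H((K xor opad) || H((K xor ipad) || M)). The inner
    digest is never revealed, and resuming the outer hash only yields
    H((K xor opad) || inner || pad || X), which is not the HMAC of any message."""
    if len(key) > BLOCK:
        key = md_hash(key)
    k = key.ljust(BLOCK, b"\x00")
    inner = md_hash(bytes(b ^ 0x36 for b in k) + msg)
    return md_hash(bytes(b ^ 0x5C for b in k) + inner)


if __name__ == "__main__":
    key, msg = b"secret", b"amount=10&to=alice"      # constructed samples
    ext_msg, ext_tag = extend_without_key(prefix_mac(key, msg), len(key), msg, b"&x=1")
    print("H(K||M') recomputed from H(K||M):", ext_tag == prefix_mac(key, ext_msg))
    print("same trick against HMAC:", extend_without_key(hmac_toy(key, msg), len(key),
          msg, b"&x=1")[1] == hmac_toy(key, ext_msg))
```

Real SHA-256 has exactly this structure with 64-byte blocks and an 8-byte length field, which is why H(K||M) with SHA-256 is extendable in the same way, while the prefix-free encoding mentioned above, HMAC, or a sponge such as SHA-3 are not. On the detection side, the forged message is recognisable by the embedded 0x80/zero/length bytes in the middle of it; on the prevention side, the fix is to never deploy H(K||M) with a Merkle-Damgård hash in the first place.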
Today
A CRHF candidate from DDH
CRHF and UOWHF domain extension using Merkle trees
Merkle-Damgård iterated hash function for full-domain hash
Hash functions for MACs
  Hash-then-MAC
    Using weak CRHF and fixed input-length MAC
    Underlying HMAC/NMAC: compression function in an iterated-hash function assumed to be both a weak CRHF and a fixed input-length MAC
  GHASH
Next: Digital Signatures
