Cryptography:
Hash Function and MAC
Intro
In many situations we do not wish to protect
the confidentiality of information.
We simply wish to ensure the integrity of
information.
9/06
Hash Functions
A cryptographic hash
function is a function which
takes arbitrary length bit
strings as input and produces
a fixed length bit string as
output.
Hash Functions
Hash functions are used a lot in computer science, but
the crucial difference between a standard hash function
and a cryptographic hash function is that a cryptographic
hash function should at least have the property of being
one-way and collision resistant.
(1) Preimage Resistant: It should be hard to find a message
with a given hash value.
(2) Collision Resistant: It should be hard to find two
messages with the same hash value.
(3) Second Preimage Resistant: Given one message it
should be hard to find another message with the same hash
value.
(1) One-way Functions
Preimage Resistant
In other words given any string y from the
range of h, it should be computationally
infeasible to find any value x in the domain of
h such that
$$h(x) = y$$
(2) Collision Resistant
Strong Collision Resistance
A hash function is called collision resistant if it
is infeasible to find two distinct values x and x'
such that
$$h(x) = h(x')$$
Note that x and x' are not given, which means any
x and x' in the domain of the function may be used.
Collision Resistant Problem
If the function has an output size of bits then
we expect to find a collision after iterations.
This should be compared with the number of
steps needed to find a preimage, which should
be for a well-designed hash function. Hence to
achieve a security level of 80 bits for a collision
resistant hash function we need roughly 160
bits of output.
(3) Second Preimage Resistance
Weak Collision Resistance
This is the property that given it should be
hard to find an with
Characteristics of Hash Function
Hash function properties example
Assume g denotes a collision resistant hash
function with outputs of bit length n. Now define
a new hash function h with output size bits as
follows:
$$h(x) = \begin{cases} 0 \,\|\, x & \text{if } |x| = n \\ 1 \,\|\, g(x) & \text{otherwise} \end{cases}$$
The function h is clearly collision resistant, as
we have assumed g is collision resistant. But
the function h is not preimage resistant (i.e., not
a one-way function), as one can invert it on
any value in the range which starts with a zero
bit. So even though we can invert the function
on some of its inputs, we are unable to find
collisions.
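The construction above as runnable code. This is an added example, not part of the original slides. It assumes SHA-256 as the collision resistant g, n = 256 bits, and a whole flag byte in place of the single flag bit so the code can work on bytes.

```python
import hashlib

N_BYTES = 32  # assumption: n = 256 bits, handled as 32 whole bytes


def g(x: bytes) -> bytes:
    """Stand-in for the collision resistant function g (SHA-256, an assumption)."""
    return hashlib.sha256(x).digest()


def h(x: bytes) -> bytes:
    """h(x) = 0 || x if |x| = n, otherwise 1 || g(x)."""
    if len(x) == N_BYTES:
        return b"\x00" + x      # the input is copied into the output
    return b"\x01" + g(x)       # every other input goes through g


def invert(y: bytes):
    """Return a preimage of y when it can be read off, else None."""
    if len(y) == N_BYTES + 1 and y[0] == 0:
        return y[1:]            # outputs starting with 0 reveal their input
    return None                 # outputs starting with 1 need a preimage of g


def demo():
    secret = bytes(range(32))                  # constructed 32-byte input
    other = b"a message of some other length"  # constructed input, length != 32
    return invert(h(secret)) == secret, invert(h(other))
```

A collision in h would need either two equal 32-byte inputs (not distinct) or a collision in g, because the flag keeps the two branches apart.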
Hash Function Example
Suppose we are considering the function : for use as a
hash function, where
$$h(x) = g^{x} \bmod p$$
(a) All of them: preimage resistance, second preimage resistance, and collision resistance.
(b) Only preimage resistance and second preimage resistance.
(c) Only preimage resistance.
(d) None of them.
Hash Function Example
Suppose we are considering the function :
for use as a hash function, where
$$h(x) = g^{x} \bmod p$$
1. Is it preimage resistant?
2. Is it second preimage resistant?
3. Is it collision resistant (i.e., find any two and such that )? It is a strictly stronger condition than 2.
Simple Hash function
parity, or longitudinal redundancy check
process one bit at a time
use XOR (⊕)
C = b1 ⊕ b2 ⊕ b3 ⊕ ... ⊕ bn
input – arbitrary length message
size of processed block – one bit
output – one bit
Hash Function Application
Password verification
Verifying the integrity of files or messages, if
the user is sure about the originality of the file.
HEVC example
Applications: Authentication
Many users may log in to a network
Each user has a password
The database can be read by everyone
Problem: secure authentication
How to Authenticate Using OWF?
Hash each password with a OWF (One-Way Function).
Store only the hashed password.
When this user tries to log in:
Hash the password she entered
Compare to the stored password
[Figure: MyPass1234 is hashed to 2iB>S\]1%^o, both when stored and when entered at login.]
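The store-and-compare steps above as runnable code. This is an added example, not part of the original slides, and it goes beyond them: because the database can be read by everyone, it uses a per-user random salt and a deliberately slow one-way function (PBKDF2-HMAC-SHA256) instead of a single bare hash. The user names, iteration count and record layout are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: work factor chosen for this example


def enroll(password: str) -> dict:
    """Build the record that is stored; the password itself is never kept."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Hash the entered password the same way and compare to the stored hash."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], ITERATIONS
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def demo():
    # Constructed database: two users who happen to pick the same password.
    db = {"alice": enroll("MyPass1234"), "bob": enroll("MyPass1234")}
    return (
        verify(db["alice"], "MyPass1234"),         # correct password
        verify(db["alice"], "mypass1234"),         # wrong password
        db["alice"]["hash"] != db["bob"]["hash"],  # salts hide the reuse
    )
```

With an unsalted hash the two records would be identical, so anyone reading the database would learn that both users share a password.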
Message Authentication Problem
Message Authentication is concerned with:
protecting the integrity of a message (MAC)
validating identity of originator (digital signature)
How to detect changes by adversary to message?
Ancient solution :
Sign and seal
Another technique: break into a message part and an
authenticator part (“tag”)
How to do this digitally?
Create a tag t(M) and send tag securely
Communication without authentication
[Figure: Alice sends M to Bob. Eve can simply change the message M to M'. Very easy.]
Shared key k to generate an authenticated message
Integrity Protection with MAC
[Figure: Alice and Bob each hold key k. Alice sends M with MAC(k, M). Eve (k = ??, MAC = ??) cannot forge the MAC for M' when k is unknown.]
MAC Authentication (I)
MAC allows two or more mutually trusting
parties to authenticate messages sent
between members
[Figure: Alice and Bob each hold key k. Alice sends M with MAC(k, M); Eve is on the channel. Bob: "Only Alice and me know k, one of us sent M. If I do not send M, then Alice must have sent it."]
MAC Authentication (II)
MAC allows two or more mutually trusting
parties to authenticate messages sent
between members
[Figure: Alice, Bob, Chris and Doug each hold key k. M is sent with MAC(k, M); Eve is on the channel. Bob: "Only Alice, Chris, Doug and me know k, one of us sent M."]
Integrity with Hash
[Figure: No shared key. Alice sends M with h(M). Eve forges M’ and computes h(M’), so Bob receives M’ with h(M’).]
Can we simply send the hash with the message to serve message authentication?
Ans: No, Eve can change the message and recompute the hash.
Using a hash needs a more appropriate procedure to guarantee integrity.
Message Authentication Code
A function of the message and a secret key that produces a
fixed-length value that serves as the authenticator
Generated by an algorithm :
generated from message + secret key : MAC = C(K,M)
A small fixed-sized block of data
appended to message as a signature when sent
Receiver performs same computation on message and checks
it matches the MAC
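The two slides above side by side: a plain hash sent with the message, then a MAC computed under the shared key. This is an added example, not part of the original slides. It assumes HMAC-SHA256 as the MAC algorithm C(K, M); the key, the message and Eve's edit are constructed.

```python
import hashlib
import hmac


def h(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()


def mac(k: bytes, m: bytes) -> bytes:
    # C(K, M) from the slide, instantiated with HMAC-SHA256 (an assumption).
    return hmac.new(k, m, hashlib.sha256).digest()


def eve_rewrites(m: bytes) -> bytes:
    # Eve's change M -> M' on the channel (constructed edit).
    return m.replace(b"100", b"900")


def bob_accepts_hash(m: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(h(m), tag)


def bob_accepts_mac(k: bytes, m: bytes, tag: bytes) -> bool:
    # Receiver performs the same computation and compares in constant time.
    return hmac.compare_digest(mac(k, m), tag)


def demo() -> dict:
    k = b"constructed shared key for demo!"  # known to Alice and Bob only
    m = b"pay Bob 100"                        # constructed message M
    m_forged = eve_rewrites(m)
    return {
        # Plain hash: recomputing h(M') needs no secret, so Bob is fooled.
        "hash_honest": bob_accepts_hash(m, h(m)),
        "hash_forged": bob_accepts_hash(m_forged, h(m_forged)),
        # MAC: without k, Eve can only reuse Alice's tag or substitute a hash.
        "mac_honest": bob_accepts_mac(k, m, mac(k, m)),
        "mac_reused_tag": bob_accepts_mac(k, m_forged, mac(k, m)),
        "mac_hash_as_tag": bob_accepts_mac(k, m_forged, h(m_forged)),
    }
```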
MAC and Encryption
As shown the MAC provides message authentication
But encryption can also provide authentication!
Why use a MAC?
sometimes only authentication is needed
sometimes need authentication to persist longer than the
encryption (eg. archival use)
Note that a MAC is not a digital signature: a MAC is
symmetric while a digital signature (DS) is asymmetric, i.e.,
both the sender and the receiver share the
same key in a MAC, but not in a DS.
MAC Properties
A MAC is a cryptographic checksum
MAC = C_K(M)
condenses a variable-length message M
using a secret key K
to a fixed-sized authenticator
A many-to-one function
potentially many messages have same MAC
but finding these needs to be very difficult