*Notes scribed by Joel Weinberger*

** Summary **

Last time, we showed that combining a CPA-secure encryption with a secure MAC gives a CCA-secure encryption scheme. Today we shall see that such a combination has to be done carefully, or the security guarantee on the combined encryption scheme will not hold.

We then begin to talk about *cryptographic hash functions*, and their construction via the *Merkle-Damgård transform*.

**1. Combining Encryption and Authentication **

** 1.1. Encrypt-Then-Authenticate **

Let be an encryption scheme and be a MAC.

Last time we considered their *encrypt-then-authenticate* combination defined as follows:

**Construction **

- Key: a pair where is a key for and is a key for
- :
- return

- :
- if then return
- else return ‘ERROR’

and we proved that if is CPA-secure and is existentially unforgeable under a chosen message attack then is CCA-secure.

Such a result is not provable if and are combined in different ways.

** 1.2. Encrypt-And-Authenticate **

Consider the following alternative composition:

**Construction **

- Key: a pair where is a key for and is a key for
- :
- if then return
- else return ‘ERROR’

The problem with this construction is that a MAC can be secure even if is deterministic. (E.g. CBC-MAC.) But if the construction is instantiated with a deterministic , then it cannot even guarantee security for 2 encryptions (much less CPA-security or CCA security).

A more theoretical problem with this construction is that a MAC can be secure even if *completely gives away *, and in such a case is completely broken.

** 1.3. Authenticate-Then-Encrypt **

Finally, consider the following scheme:

**Construction **

- Key: a pair where is a key for and is a key for
- :
- return

- :
- if then return
- else return ‘ERROR’

The problem with this construction is rather subtle.

First of all, the major problem of the construction , in which we lost even security for two encryptions, does not occur.

Exercise 1Show that if is CPA-secure and all have running time at most , then is CPA secure

It is possible, however, that is CPA-secure and is existentially unforgeable under chosen message attack, and yet is not CCA-secure.

Suppose that is such that, in , the first bit is ignored in the verification. This seems reasonable in the case that some padding is needed to fill out a network protocol, for example. Further, suppose is counter mode with a pseudo-random function, .

Take the encryption of with keys and for and , respectively. Pick a random . Then, by the definition of the encryption scheme in counter mode, the encryption of will be:

Consider this CCA attack. Let . The attacker sees

Take (or any of the other tags). Clearly, this is not the original message encryption, as a bit has been changed, so the Oracle will give you a decryption of it in a CCA attack. Since all that was modified in the ciphertext was the first bit, which was padding, the attacker has just used the Oracle to get the original message.

**2. Cryptographic Hash Functions **

** 2.1. Definition and Birthday Attack **

Definition 1 (Collision-Resistant Hash Function)A function is a secure collision resistant hash function if and for every algorithm of complexity we have

The idea is that, for every key (or *seed*) we have a length-decreasing function . By the pigeon-hole principle, such functions cannot be injective. An efficient algorithm, however, cannot find *collisions* (pairs of inputs that produce the same output) even given the seed .

The main *security parameter* in a construction of collision-resistent hash functions (that is, the parameter that one needs to increase in order to hope to achieve larger and smaller ) is the output length .

It is easy to see that if has running time and output length then we can find collisions in time by computing values of in any order until we find a collision. (By the pigeon-hole principle, a collision will be found in attempts or fewer.)

If, specifically, we attack by trying a sequence of *randomly chosen* inputs until we find a collision, then we can show that with only attempts we already have a constant probability of finding a collision. (The presence of a collision can be tested by sorting the outputs. Overall, this takes time .) The calculation can be generalized to the following:

Consider given . Define as picking random strings and generating their respective outputs from . We want to check the probability that contains a repeated value. However, it is easier to begin by checking the probability of whether the choices *do not* contain a collision, :

Note that this is a constant if .

(This calculation is called the “birthday paradox,” because it establishes that in a set of elements uniformly distributed, if you pick elements , where is uniformally distributed in the set and is independent, then there is a constant probability that . Specifically, in the case of birthdays, if there are people in a room, then there is a probability over that two of the people in the room have the same birthday.)

Exercise 2If is a secure collision resistant hash function computable in time , then

This should be contrasted with the case of pseudorandom generators and pseudorandom functions, where the security parameter is the seed (or key) length , and the only known generic attack is the one described in a previous exercise which gives

This means that if one wants a secure pseudorandom generator or function where, say, and , then it is somewhat plausible that a key of 128 bits might suffice. The same level of security for a collision-resistant hash function, however, requires a key of at least about 200 bits.

To make matters worse, attacks which are significantly faster than the generic birthday attack have been found for the two constructions of hash functions which are most used in practice: MD5 and SHA-1. MD5, which has , is completely broken by such new attacks. Implementing the new attacks on SHA-1 (which has ) is not yet feasible but is about 1,000 times faster than the birthday attack.

There is a process under way to define new standards for collision-resistant hash functions.

** 2.2. The Merkle-Damgård Transform **

In practice, it is convenient to have collision-resistant hash functions in which the input is allowed to be (essentially) arbitrarily long.

The Merkle-Damgård transform is a generic way to transform a hash function that has into one that is able to handle messages of arbitrary length.

Let a hash functions that compresses by a factor of two.

Then is defined as follows ( is a fixed -bit string, for example the all-zero string):

- Let be the length of
- divide into blocks of length , where
- for to :
- return

We can provide the following security analysis:

Theorem 2If is -secure and has running time , then has security when used to hash messages of length up to .

*Proof:*

Suppose that , given , has a probability of finding messages where and , where . Let us construct an algorithm which:

- Given , runs to find collisions for in . Assume that running takes time .
- Computes both . We know that this takes time on the order of , where is the time of running and assuming without loss of generality that since the Merkle-Damgård Transform, by definition, runs once for each of the blocks of and .
- Finds a collision of that is guaranteed to exist (we will prove this below) in the Merkle-Damgård algorithm. This will take the time of running the algorithm once for each message , which is on the order of , as above.

In order to show that there must be a collision in if there is a collision in , recall that the last computation of the algorithm hashes . We need to consider two cases:

- : By the definition of the problem, we have . The last step of the alrogithm for and generates, respectively, and . This is a collision of on different inputs.
- : This implies that and , as well. Because but , .
Let be the largest index where . If , then and are two (different) colliding strings because .

If , then that implies . Thus, and are two different strings whose hashes collide.

This shows that a collision in implies a collision in , thus guaranteeing for our proof that by executing each stage of the Merkle-Damgård Transform, we can find a collision in if there is a collision in .

Returning to algorithm , we now have established the steps necessary to find collisions of a hash function by finding collisions in . Note that by the definition of the problem, because it uses algorithm which finds collisions with probability , will also find collisions with probability . By the definition of a collision-resistant hash function, we also know that it must have time complexity .

Examining the steps of the algorithm, we know that the time complexity of is . From this, we solve for and get . Thus, we conclude that if finds a collision with probability , it is secure.

## 1 comment

Comments feed for this article

April 11, 2009 at 11:55 pm

Rezaشرکت مهندسی حارس هوشمند با فعالیت در زمینه امنیت اطلاعات و ارتباطات و همچنین حفاظت الکترونیک بازوی کمکی حراست ها و تولید کننده نرم افزار کنترل مراجعین می باشد.