** Summary **

Last time, we showed that combining a CPA-secure encryption with a secure MAC gives a CCA-secure encryption scheme. Today we shall see that such a combination has to be done carefully, or the security guarantee on the combined encryption scheme will not hold.

We then begin to talk about *cryptographic hash functions*, and their construction via the *Merkle-Damgård transform*.

**1. Combining Encryption and Authentication **

** 1.1. Encrypt-Then-Authenticate **

Let be an encryption scheme and be a MAC.

Last time we considered their *encrypt-then-authenticate* combination defined as follows:

**Construction **

- Key: a pair where is a key for and is a key for
- :
- return

- :
- if then return
- else return ‘ERROR’

and we proved that if is CPA-secure and is existentially unforgeable under a chosen message attack then is CCA-secure.

Such a result is not provable if and are combined in different ways.

** 1.2. Encrypt-And-Authenticate **

Consider the following alternative composition:

**Construction **

- Key: a pair where is a key for and is a key for
- :
- if then return
- else return ‘ERROR’

The problem with this construction is that a MAC can be secure even if is deterministic. (E.g. CBC-MAC.) But if the construction is instantiated with a deterministic , then it cannot even guarantee security for 2 encryptions (much less CPA-security or CCA security).

A more theoretical problem with this construction is that a MAC can be secure even if *completely gives away *, and in such a case is completely broken.

** 1.3. Authenticate-Then-Encrypt **

Finally, consider the following scheme:

**Construction **

- Key: a pair where is a key for and is a key for
- :
- return

- :
- if then return
- else return ‘ERROR’

The problem with this construction is rather subtle.

First of all, the major problem of the construction , in which we lost even security for two encryption, does not occur.

Exercise 1Show that if is CPA-secure and all have running time at most , then is CPA secure

It is possible, however, that is CPA-secure and is existentially unforgeable under chosen message attack, and yet is not CCA-secure.

**2. Cryptographic Hash Functions **

** 2.1. Definition and Birthday Attack **

Definition 1 (Collision-Resistant Hash Function)A function is a secure collision resistant hash function if and for every algorithm of complexity we have

The idea is that, for every key (or *seed*) we have a length-decreasing function . By the pigeon-hole principle, such functions cannot be injective. An efficient algorithm, however, cannot find *collisions* (pairs of inputs that produce the same output) even given the seed .

The main *security parameter* in a construction of collision-resistent hash functions (that is, the parameter that one needs to increase in order to hope to achieve larger and smaller ) is the output length .

It is easy to see that if has running time and output length then we can find collisions in time by computing values of in any order until we find a collision. (By the pigeon-hole principle, a collision will be found in attempts or fewer.)

If, specifically, we attack by trying a sequence of *randomly chosen* inputs until we find a collision, then we can show that with only attempts we already have a constant probability of finding a collision. (The presence of a collision can be tested by sorting the outputs. Overall, this takes time .) The calculation can be generalized to the following:

Exercise 2If is a secure collision resistant hash function computable in time , then

This should be contrasted with the case of pseudorandom generators and pseudorandom functions, where the security parameter is the seed (or key) length , and the only known generic attack is the one described in a previous exercise which gives

This means that if one wants a secure pseudorandom generator or function where, say, and , then it is somewhat plausible that a key of 128 bits might suffice. The same level of security for a collision-resistant hash function, however, requires a key of at least about 200 bits.

To make matters worse, attacks which are significantly faster than the generic birthday attack have been found for the two constructions of hash functions which are most used in practice: MD5 and SHA-1. MD5, which has , is completely broken by such new attacks. Implementing the new attacks on SHA-1 (which has ) is not yet feasible but is about 1,000 times faster than the birthday attack.

There is a process under way to define new standards for collision-resistant hash functions.

** 2.2. The Merkle-Damgård Transform **

In practice, it is convenient to have collision-resistant hash functions in which the input is allowed to be (essentially) arbitrarily long.

The Merkle-Damgård transform is a generic way to transform a hash function that has into one that is able to handle messages of arbitrary length.

Let a hash functions that compresses by a factor of two.

Then is defined as follows ( is a fixed -bit string, for example the all-zero string):

- Let be the length of
- divide into blocks of length , where
- for to :
- return

We can provide the following security analysis:

Theorem 2If is -secure and has running time , then has security when used to hash messages of length up to .