lec6 - Hash functions What is a hash function Arbitrary...

Info iconThis preview shows pages 1–13. Sign up to view the full content.

View Full Document Right Arrow Icon
Hash functions
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
What is a hash function? Arbitrary length input, Fxed length output efFcient one-wayness, 2nd preimage resistance, collision resistance What else?
Background image of page 2
Probability Recall that MD5 outputs 128-bit bitstrings. What is the probability that MD5(“a”)=0cc175b9c0f1b6a831c399e269772661 ? Answer: 1 (I tested it yesterday.)
Background image of page 3

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
A random function? A hash function is a deterministic function, usually with a published succinct algorithm. As soon as Ron Rivest Fnalized his design, everything is determined and there’s nothing really random about it!
Background image of page 4
Heuristically random? But we still regard hash functions more or less ‘random’. The intuition is like: A hash function ‘mixes up’ the input too throughly, so for any x, unless you explicitly compute H(x), you have no idea about any bit of H(x) any better than pure guess
Background image of page 5

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Heuristically random? We want more or less: Even if x & x’ are different in 1 bit, H(x) & H(x’) should be independent (input is thoroughly mixed) The best way to learn anything about H(x) is to compute H(x) directly Knowing other H(y) doesn’t help
Background image of page 6
How to design a hash function Phase 1: Design a ‘compression function’ Which compresses only a single block of Fxed size to a previous state variable Phase 2: ‘Combine’ the action of the compression function to process messages of arbitrary lengths Similar to the case of encryption schemes
Background image of page 7

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Merkle-Damgård scheme The most popular and straightforward method for combining compression functions
Background image of page 8
Merkle-Damgård scheme h(s, x): the compression function s: ‘state’ variable in {0,1} n x: ‘message block’ variable in {0,1} m s 0 =IV, s i =h(s i-1 , x i ) H(x 1 ||x 2 ||. ..||x n )=h(h(. ..h(IV,x 1 ),x 2 )...,x n )=s n
Background image of page 9

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Merkle-Damgård strengthening In the previous version, messages should be of length divisible by m, the block size a padding scheme is needed: x||p for some string p so that m | len(x||p) Merkle-Damgård strengthening: encode the message length len(x) into the padding string p
Background image of page 10
Strengthened Merkle-Damgård
Background image of page 11

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Collision resistance If the compression function is collision resistant, then strengthened Merkle- Damgård hash function is also collision resistant Collision of compression function: f(s, x)=f(s’, x’) but (s, x) (s’, x’)
Background image of page 12
Image of page 13
This is the end of the preview. Sign up to access the rest of the document.

This note was uploaded on 10/21/2011 for the course CSCI 5471 taught by Professor Staff during the Spring '08 term at Minnesota.

Page1 / 52

lec6 - Hash functions What is a hash function Arbitrary...

This preview shows document pages 1 - 13. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online