# lec6-4 - What is a hash function Hash functions Arbitrary...

This preview shows pages 1–5. Sign up to view the full content.

2/23/10 1 Hash functions What is a hash function? Arbitrary length input, Fxed length output efFcient one-wayness, 2nd preimage resistance, collision resistance What else? Probability Recall that MD5 outputs 128-bit bitstrings. What is the probability that MD5(“a”)=0cc175b9c0f1b6a831c399e269772661 ? Answer: 1 (I tested it yesterday.) A random function? A hash function is a deterministic function, usually with a published succinct algorithm. As soon as Ron Rivest Fnalized his design, everything is determined and there’s nothing really random about it!

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
2/23/10 2 Heuristically random? But we still regard hash functions more or less ‘random’. The intuition is like: A hash function ‘mixes up’ the input too throughly, so for any x, unless you explicitly compute H(x), you have no idea about any bit of H(x) any better than pure guess Heuristically random? We want more or less: Even if x & x’ are different in 1 bit, H(x) & H(x’) should be independent (input is thoroughly mixed) The best way to learn anything about H(x) is to compute H(x) directly Knowing other H(y) doesn’t help How to design a hash function Phase 1: Design a ‘compression function’ Which compresses only a single block of Fxed size to a previous state variable Phase 2: ‘Combine’ the action of the compression function to process messages of arbitrary lengths Similar to the case of encryption schemes Merkle-Damgård scheme The most popular and straightforward method for combining compression functions
2/23/10 3 Merkle-Damgård scheme h(s, x): the compression function s: ‘state’ variable in {0,1} n x: ‘message block’ variable in {0,1} m s 0 =IV, s i =h(s i-1 , x i ) H(x 1 ||x 2 ||. ..||x n )=h(h(. ..h(IV,x 1 ),x 2 )...,x n )=s n Merkle-Damgård strengthening In the previous version, messages should be of length divisible by m, the block size a padding scheme is needed: x||p for some string p so that m | len(x||p) Merkle-Damgård strengthening: encode the message length len(x) into the padding string p Strengthened Merkle-Damgård Collision resistance If the compression function is collision resistant, then strengthened Merkle- Damgård hash function is also collision resistant Collision of compression function: f(s, x)=f(s’, x’) but (s, x) (s’, x’)

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
2/23/10 4 Collision resistance
This is the end of the preview. Sign up to access the rest of the document.
• Spring '08
• Staff
• hash function, Collision Resistance, Cryptographic hash function, compression function, Prof. Xiaoyun Wang, Multicollision attack

{[ snackBarMessage ]}

### Page1 / 13

lec6-4 - What is a hash function Hash functions Arbitrary...

This preview shows document pages 1 - 5. Sign up to view the full document.

View Full Document
Ask a homework question - tutors are online