lec6-4 - 2/23/10 What is a hash function? Hash functions...

Info iconThis preview shows pages 1–5. Sign up to view the full content.

View Full Document Right Arrow Icon
2/23/10 1 Hash functions What is a hash function? Arbitrary length input, Fxed length output efFcient one-wayness, 2nd preimage resistance, collision resistance What else? Probability Recall that MD5 outputs 128-bit bitstrings. What is the probability that MD5(“a”)=0cc175b9c0f1b6a831c399e269772661 ? Answer: 1 (I tested it yesterday.) A random function? A hash function is a deterministic function, usually with a published succinct algorithm. As soon as Ron Rivest Fnalized his design, everything is determined and there’s nothing really random about it!
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
2/23/10 2 Heuristically random? But we still regard hash functions more or less ‘random’. The intuition is like: A hash function ‘mixes up’ the input too throughly, so for any x, unless you explicitly compute H(x), you have no idea about any bit of H(x) any better than pure guess Heuristically random? We want more or less: Even if x & x’ are different in 1 bit, H(x) & H(x’) should be independent (input is thoroughly mixed) The best way to learn anything about H(x) is to compute H(x) directly Knowing other H(y) doesn’t help How to design a hash function Phase 1: Design a ‘compression function’ Which compresses only a single block of Fxed size to a previous state variable Phase 2: ‘Combine’ the action of the compression function to process messages of arbitrary lengths Similar to the case of encryption schemes Merkle-Damgård scheme The most popular and straightforward method for combining compression functions
Background image of page 2
2/23/10 3 Merkle-Damgård scheme h(s, x): the compression function s: ‘state’ variable in {0,1} n x: ‘message block’ variable in {0,1} m s 0 =IV, s i =h(s i-1 , x i ) H(x 1 ||x 2 ||. ..||x n )=h(h(. ..h(IV,x 1 ),x 2 )...,x n )=s n Merkle-Damgård strengthening In the previous version, messages should be of length divisible by m, the block size a padding scheme is needed: x||p for some string p so that m | len(x||p) Merkle-Damgård strengthening: encode the message length len(x) into the padding string p Strengthened Merkle-Damgård Collision resistance If the compression function is collision resistant, then strengthened Merkle- Damgård hash function is also collision resistant Collision of compression function: f(s, x)=f(s’, x’) but (s, x) (s’, x’)
Background image of page 3

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
2/23/10 4 Collision resistance
Background image of page 4
Image of page 5
This is the end of the preview. Sign up to access the rest of the document.

Page1 / 13

lec6-4 - 2/23/10 What is a hash function? Hash functions...

This preview shows document pages 1 - 5. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online