another Ron Rivest contribution
– arbitrarily long input message
  • block size is 512 bits
– 128-bit hash value
has been used extensively, but its importance is diminishing
– brute force attacks
  • 2^64 is not considered secure complexity any more
– cryptanalytic attacks are reported

Important Hash Functions
SHA-1
– Secure Hash Algorithm – 1
– NIST standard
  • FIPS PUB 180-1
– input size < 2^64 bits
– hash value size 160 bits
  • brute force attacks are not so probable
– 2^80 is not-a-bad complexity
– A Crypto 2005 paper explains an attack against strong collision with 2^69 complexity
  • have raised concerns on its use in future applications
– Later several other attacks are reported (some of them are partial attacks)
– Eventually a practical attack is reported by the team at CWI Amsterdam and Google (approx. 2^63 complexity)
  • Paper at - SHAttered.pdf
  • Link

Important Hash Functions
However, NIST had already (in 2002) published FIPS 180-2 to standardize (SHA-2 family)
– SHA-256, SHA-384 and SHA-512
– for compatible security with AES
– structure & detail is similar to SHA-1
– but security levels are rather higher
– 224 bit (SHA-224) is later added in 2008 as FIPS 180-3
Note: All sizes are measured in bits.
SHA-2

Important Hash Functions
SHA-3
– In 2007, NIST announced a competition for the SHA-3, next generation NIST hash function
– Winning design was announced by NIST on October 2, 2012
– The winner is Keccak by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche
– Different design principles than other SHAs
  • Called Sponge construction
– However, standardization process is delayed (standard has been published on August 5, 2015)
– There had been controversies (read the Wikipedia page of SHA-3)
– I am not sure if it is going to replace SHA-2

Digital Signatures
Mechanism for non-repudiation
Basic idea
– use private key on the message to generate a piece of information that can be generated only by yourself
  • because you are the only person who knows your private key
– public key can be used to verify the signature
  • so everybody can verify
Generally signatures are created and verified over the hash of the message
– Why?

Generic Digital Signature Model

Digital Signature – RSA approach
M: message to be signed
H: Hash function
E: RSA Private Key Operation
PR_a: Sender’s Private Key
D: RSA Public Key Operation
PU_a: Sender’s Public Key
E[PR_a, H(M)]: Signature of A over M
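
An added example (not part of the original slides) of the RSA approach above, E[PR_a, H(M)]. It also illustrates the "Why?" of the previous slide: the private-key operation always runs on a fixed-size hash, and the signature is only as strong as the collision resistance of H. The toy key, the function names, the message strings and the 16-bit truncated hash are assumptions made for illustration.

```python
import hashlib

# Constructed toy key built from two publicly known Mersenne primes:
# illustration only, no security. Textbook RSA without padding, which real
# signature schemes (e.g. RSA-PSS) add.
P, Q = 2**127 - 1, 2**521 - 1
N, E_PUB = P * Q, 65537                      # PU_a = (N, E_PUB)
D_PRIV = pow(E_PUB, -1, (P - 1) * (Q - 1))   # PR_a (needs Python 3.8+)

def H(message: bytes, bits: int = 256) -> int:
    """SHA-256 as an integer; bits < 256 truncates it to model a weak hash."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)

def sign(message: bytes, bits: int = 256) -> int:
    """E[PR_a, H(M)]: one private-key operation on the fixed-size hash."""
    return pow(H(message, bits), D_PRIV, N)

def verify(message: bytes, signature: int, bits: int = 256) -> bool:
    """D[PU_a, signature] restores the hash; compare with H(M) recomputed."""
    return pow(signature, E_PUB, N) == H(message, bits)

def find_collision(bits: int):
    """Birthday search: two distinct messages with equal truncated hash."""
    seen, counter = {}, 0
    while True:
        msg = b"constructed message %d" % counter
        h = H(msg, bits)
        if h in seen:
            return seen[h], msg
        seen[h] = msg
        counter += 1

if __name__ == "__main__":
    long_msg = b"A" * 1_000_000
    sig = sign(long_msg)
    print("1 MB message, signature bits:", sig.bit_length())
    print("valid:", verify(long_msg, sig))
    print("tampered:", verify(long_msg + b"!", sig))
    m1, m2 = find_collision(16)          # 16-bit hash: about 2^8 tries expected
    weak_sig = sign(m1, 16)
    print("weak hash, signature on m1 accepted for m2:", verify(m2, weak_sig, 16))
    print("full SHA-256, same substitution:", verify(m2, sign(m1)))
```

With the 16-bit hash the signature made for one message verifies for the colliding one; with full SHA-256 the same substitution is rejected.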

Digital Signature – DSA approach
DSA: Digital Signature Algorithm
– NIST standard - FIPS 186 - current revision is 186-4 (2013)
– Key limit 512 – 1024 bits, only for signature, no encryption
  • Starting with 186-3, increased up to 3072
– based on discrete logarithm problem
– Message hash is not restored for verification (difference from RSA)
M: message to be signed
H: Hash function
Sig: DSA Signing Operation
PR_a: Sender’s Private Key
Ver: DSA Verification Operation
PU_a: Sender’s Public Key
s, r: Sender’s signature over M
PU_G: Global Public Key components

Collision resistant hash functions and digital signatures