Part I: Introduction

CSE 4095
Digital Signatures and Hashing
Outline

- Will introduce Diffie-Hellman based encryption
- Digital signatures (using ideas from Diffie-Hellman)
- Hash functions
Diffie-Hellman Key Exchange

- First published public-key algorithm
  - "New Directions in Cryptography," 1976
- A number of commercial products employ this key exchange technique
  - Purpose: key establishment
  - Effectiveness: depends on the difficulty of computing discrete logarithms
    - Given g^x mod p, it is hard to determine x
Diffie-Hellman protocol

Alice and Bob want to construct a private key over a public channel. Both agree on a public prime p and generator g modulo p.

- Alice picks a secret x and sends g^x mod p to Bob
- Bob picks a secret y and sends g^y mod p to Alice
- Both parties compute g^(xy) mod p:
  - Alice does (g^y)^x mod p
  - Bob does (g^x)^y mod p
Security of Diffie-Hellman Protocol

- Discrete logarithm problem (DLP): given g, p, and g^x mod p, find x
- Diffie-Hellman problem (DHP): given g, p, g^x mod p, and g^y mod p, find g^(xy) mod p
- One way to solve DHP is to solve DLP
- Other ways? Not very likely (so far)
- Solving DLP seems to be hard for large p
Person-in-the-middle attack

- Alice sends g^a, but Eve intercepts it and forwards g^c to Bob
- Bob sends g^b, but Eve intercepts it and forwards g^d to Alice
- Key1 = g^(ad) is shared between Alice and Eve
- Key2 = g^(cb) is shared between Eve and Bob
- Eve gets to listen to everything.
- Diffie-Hellman isn't secure unless you know the identity of the other party
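The exchange from the protocol slide and the person-in-the-middle scenario above, as an added Python example that is not part of the lecture slides. The prime p = 1019 and generator g = 2 are small constructed values chosen for readability (real deployments use standardized large groups); the function names are mine. The second function simulates the slide's scenario to show why the two keys Key1 = g^(ad) and Key2 = g^(cb) exist at all: without authenticating the other party, each honest side agrees on a key with Eve rather than with each other.

```python
# Added example (not from the slides): textbook Diffie-Hellman over Z_p^*,
# plus the person-in-the-middle scenario from the slide.
# p = 1019 is a constructed toy safe prime (p = 2*509 + 1); g = 2 generates Z_p^*.
import secrets

P = 1019
G = 2

def dh_keypair(p=P, g=G):
    """Pick a private exponent and return (private, public = g^private mod p)."""
    x = secrets.randbelow(p - 2) + 1   # x in [1, p-2]
    return x, pow(g, x, p)

def dh_shared(private, peer_public, p=P):
    """Each side computes (peer_public)^private mod p."""
    return pow(peer_public, private, p)

def honest_exchange(p=P, g=G):
    """Alice and Bob exchange g^x and g^y; both derive g^(xy) mod p."""
    x, gx = dh_keypair(p, g)
    y, gy = dh_keypair(p, g)
    key_alice = dh_shared(x, gy, p)   # (g^y)^x
    key_bob = dh_shared(y, gx, p)     # (g^x)^y
    return key_alice, key_bob

def person_in_the_middle(p=P, g=G):
    """Eve forwards g^c to Bob instead of g^a, and g^d to Alice instead of g^b.
    Returns (alice_key, eve_key_with_alice, bob_key, eve_key_with_bob)."""
    a, ga = dh_keypair(p, g)
    b, gb = dh_keypair(p, g)
    c, gc = dh_keypair(p, g)   # Eve's value sent toward Bob
    d, gd = dh_keypair(p, g)   # Eve's value sent toward Alice
    key1_alice = dh_shared(a, gd, p)   # Alice believes g^d came from Bob
    key1_eve = dh_shared(d, ga, p)     # g^(ad): Eve shares Key1 with Alice
    key2_bob = dh_shared(b, gc, p)     # Bob believes g^c came from Alice
    key2_eve = dh_shared(c, gb, p)     # g^(cb): Eve shares Key2 with Bob
    return key1_alice, key1_eve, key2_bob, key2_eve

if __name__ == "__main__":
    print("honest:", honest_exchange())
    print("person-in-the-middle:", person_in_the_middle())
```

The honest run returns two equal keys; the second run returns two pairs that agree pairwise (Alice with Eve, Bob with Eve) but Alice and Bob never hold a common key, which is exactly the gap that signing or otherwise authenticating the exchanged values closes.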
ElGamal

- Invented in 1984
  - T. Elgamal, "A public key cryptosystem and a signature scheme based on discrete logarithms", Proc. of Crypto, 1984
- Used in the Digital Signature Standard (DSS) and the S/MIME email standard
ElGamal Encryption

Key generation:
- Parameters: (safe) prime p and generator g
- Private key: x
- Public key: p, g, y = g^x mod p

Encryption (using public key):
- Generate random k
- r = g^k mod p (k and r are an ephemeral key pair; think of this as the sender creating a Diffie-Hellman pair)
- s = y^k · m mod p
- Ciphertext c = (r, s)

Decryption: m = s · r^(-x) mod p, because
- s = y^k · m = r^x · m mod p
- r^(-x) = g^(-kx) = y^(-k) mod p
ElGamal example

Key generation:
- p = 19, g = 10
- Private key: x = 5
- Public key: p, g, y = 10^5 mod 19 = 3

Encryption (using public key) of message m = 17:
- Generate random k, suppose k = 6
- r = g^k mod p = 10^6 mod 19 = 11
- s = y^k · m mod p = 3^6 · 17 mod 19 = 7 · 17 mod 19 = 5
- Ciphertext c = (11, 5)

Decryption:
- m = s · r^(-x) mod p = 5 · (11^5 mod 19)^(-1) mod 19 = 5 · 7^(-1) mod 19 = 5 · 11 mod 19 = 17
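ElGamal key generation, encryption and decryption as added Python code (not from the slides), written so that the worked numbers above (p = 19, g = 10, x = 5, k = 6, m = 17) can be reproduced by passing x and k explicitly; when they are omitted the functions draw them from a secure random source, which is the normal case. Function names are my own.

```python
# Added example (not from the slides): ElGamal encryption over Z_p^*.
import secrets

def elgamal_keygen(p, g, x=None):
    """Private key x (random unless supplied), public key y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1   # x in [1, p-2]
    return x, pow(g, x, p)

def elgamal_encrypt(p, g, y, m, k=None):
    """Ciphertext (r, s) with ephemeral k: r = g^k, s = y^k * m (mod p).
    A fresh random k per message is what makes the encryption non-deterministic."""
    if not 1 <= m < p:
        raise ValueError("plaintext must be an element of Z_p^*")
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    r = pow(g, k, p)
    s = (pow(y, k, p) * m) % p
    return r, s

def elgamal_decrypt(p, x, ciphertext):
    """m = s * r^(-x) mod p; r^(-x) = g^(-kx) = y^(-k) strips the mask y^k."""
    r, s = ciphertext
    r_pow_x_inv = pow(pow(r, x, p), -1, p)   # modular inverse of r^x
    return (s * r_pow_x_inv) % p

if __name__ == "__main__":
    x, y = elgamal_keygen(19, 10, x=5)          # y = 3
    c = elgamal_encrypt(19, 10, y, 17, k=6)     # (11, 5)
    print(c, elgamal_decrypt(19, x, c))         # (11, 5) 17
```

Note that the ciphertext (r, s) is two elements of Z_p for one plaintext element, which is the "twice as long" property on the next slide.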
About ElGamal

- Security relies on the discrete log problem and not on factoring; an attacker would have to
  - find the private key using the public key, or
  - discover the one-time key k
- Ciphertext twice as long as the plaintext
- Secure random number generator required for k
  - Non-deterministic encryption: the same plaintext will always result in different ciphertexts
Digital Signatures

- In public key encryption we were providing confidentiality, hiding a message from an observer
- The goal of a digital signature is primarily to provide integrity, to be sure that no one has altered a message

Signing: Alice's signing key sk_A and the plaintext go into the signing algorithm, which outputs (plaintext, signature).
Verification: Alice's verification key vk_A, the plaintext, and the signature go into the verification algorithm, which outputs the plaintext (if the signature checks).
Exercise: Signature security

Consider possible security goals and adversary powers for a signature scheme (similar to our exercise for encryption)
Signature Security

Possible goals:
- Recover key
- Create new signature for same message
- Create signature for random message
- Create signature for chosen message

Known as existential unforgeability under chosen message attack (EU-CMA)

Possible capabilities:
- See public key
- See a single signature
- See multiple signatures for random messages
- See multiple signatures for chosen messages
- See signatures for adaptively chosen messages
Constructing Digital Signatures

- Possible to create a digital signature from the factoring and discrete logarithm assumptions
- Don't assume that swapping encryption and decryption will give you a digital signature algorithm
- Often requires use of a cryptographic hash function (later this class)
Diffie-Hellman based Signature

Signing: input m, secret key sk_A = x (random value)
- Sample random value k
- Compute r = g^k mod p
- Compute s = (H(m) - sk_A · r) / k mod p
- Output (r, s)

Verification: input m, r, s, pk_A = g^x
- Check if g^H(m) = pk_A^r · r^s mod p
- This holds because pk_A^r · r^s = g^(xr) · g^(ks) = g^(xr) · g^(k(H(m) - x·r)/k) = g^(xr) · g^(H(m) - x·r) = g^H(m)
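The signature sketched above, as an added Python example (not from the slides). Two things the slide leaves implicit are made explicit here and are my assumptions: H is SHA-256 reduced into the exponent range, and s is computed modulo p-1 (the order of g) rather than modulo p, since the verification equation only holds when the exponent arithmetic is done modulo the group order. The toy parameters p = 1019 and g = 2 are constructed; function names are mine.

```python
# Added example (not from the slides): the discrete-log-based signature the
# slide sketches (ElGamal-style). Exponent arithmetic is done mod p-1, the
# order of g, which the slide writes as "mod p".
import hashlib
import math
import secrets

P = 1019   # constructed toy safe prime, p - 1 = 2 * 509
G = 2      # generator of Z_p^* for this p

def H(m: bytes, p=P) -> int:
    """Hash the message and reduce it into the exponent range [0, p-2]."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (p - 1)

def sig_keygen(p=P, g=G):
    """Secret key x, public key pk = g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def sign(m: bytes, x: int, p=P, g=G, k=None):
    """r = g^k mod p, s = (H(m) - x*r) * k^-1 mod (p-1).
    k must be invertible mod p-1 and used once: reusing or leaking k exposes x."""
    if k is None:
        k = secrets.randbelow(p - 2) + 1
        while math.gcd(k, p - 1) != 1:
            k = secrets.randbelow(p - 2) + 1
    elif math.gcd(k, p - 1) != 1:
        raise ValueError("supplied k is not invertible mod p-1")
    r = pow(g, k, p)
    s = ((H(m, p) - x * r) * pow(k, -1, p - 1)) % (p - 1)
    return r, s

def verify(m: bytes, signature, pk: int, p=P, g=G) -> bool:
    """Accept iff g^H(m) == pk^r * r^s (mod p), after range-checking r and s."""
    r, s = signature
    if not (1 <= r < p) or not (0 <= s < p - 1):
        return False
    return pow(g, H(m, p), p) == (pow(pk, r, p) * pow(r, s, p)) % p

if __name__ == "__main__":
    x, pk = sig_keygen()
    msg = b"transfer 10 to bob"
    sig = sign(msg, x)
    print(sig, verify(msg, sig, pk), verify(b"transfer 99 to bob", sig, pk))
```

The range check on r in verify() is not decorative: without it, values outside the group can be fed to the verification equation, and the check also rejects the malformed tuples that a parser may hand over.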
Current trends in asymmetric crypto

- Both RSA and Diffie-Hellman are showing their 40 year age
- Cryptanalytic attacks are getting better
- Increasing key size frequently is difficult (for usability reasons)
- Quantum computers can efficiently break both schemes
- Still primary mechanisms on the internet
- Timing and side-channels are major problems
- Researchers are designing new systems that are resistant to quantum computer attacks
Hash Functions

- Used to compress length of data
- Many different applications that require different properties
- Denoted H: {0,1}* -> {0,1}^256 (may have different output lengths: 80, 128, 512)
- Should be easy to compute
Definitions of security

Also known as message digest

- Preimage resistant (one-way property): given H(m), but not m, it is difficult to find an m' with H(m') = H(m).
- Second preimage resistant (weak collision resistant): given m1, it is difficult to find m2 ≠ m1 s.t. H(m2) = H(m1).
- (Strong) Collision resistant: computationally infeasible to find m1 ≠ m2 s.t. H(m1) = H(m2)
Relationship of properties

Strong collision resistance => Weak collision resistance => One-way

Each implication is proper (unless the input size is small); there are:
- weak collision resistant functions that aren't strong collision resistant
- one-way functions that aren't weak collision resistant
Brute force attacks

Why is a brute-force attack on strong collision resistance so much easier than on the other properties?
Birthday "paradox"

How many people does it take so that the probability that two of them share the same birthday is larger than 50%?
- 23

[Figure: probability (0 to 0.6) versus number of people (0 to 40), two curves: "Birthday problem" (any two share a birthday) and "Same birthday as me?"]

For a hash function with n-bit output, it suffices to test 1.2 × 2^(n/2) inputs to find a collision.
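Both numbers on the slide, as an added Python example that is not part of the lecture: birthday_probability() computes the "any two share a birthday" curve and crosses 50% at 23 people, and find_collision() runs the generic birthday search against a hash truncated to n = 32 bits, where the slide's bound 1.2 × 2^(n/2) ≈ 79,000 candidates applies. The truncated hash is a constructed teaching device (the first 32 bits of SHA-256); full SHA-256 has no known collisions, and the point is only that the cost scales as 2^(n/2) rather than 2^n, which is why output lengths are chosen as on the next slide.

```python
# Added example (not from the slides): birthday probability and a generic
# birthday collision search against a constructed 32-bit truncated hash.
import hashlib

def birthday_probability(n: int, days: int = 365) -> float:
    """P(at least two of n people share a birthday) = 1 - prod_{i<n} (days-i)/days."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct

def truncated_hash(msg: bytes, bits: int = 32) -> bytes:
    """Constructed n-bit hash: the first n bits of SHA-256 (n a multiple of 8)."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return hashlib.sha256(msg).digest()[: bits // 8]

def find_collision(bits: int = 32, limit: int = 1 << 20):
    """Birthday search: hash distinct candidates and remember each digest until
    one repeats. Expected work is about 2^(bits/2) hashes, not 2^bits.
    Returns (m1, m2, candidates_hashed) or None if limit is reached."""
    seen = {}
    for i in range(limit):
        m = b"candidate-%d" % i          # constructed, pairwise distinct inputs
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None

if __name__ == "__main__":
    print("P(23 people):", round(birthday_probability(23), 4))
    print("P(22 people):", round(birthday_probability(22), 4))
    m1, m2, tries = find_collision(32)
    print(tries, "hashes:", m1, m2, truncated_hash(m1).hex())
```

The same search against a preimage (a fixed target digest) would need on the order of 2^32 hashes for this toy, which is the asymmetry the "Brute force attacks" slide asks about.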
Length of hash function output

- Due to the birthday attack, the length of hash outputs in general should be double the key length of block ciphers
  - SHA-256, SHA-384, SHA-512 to match the new key lengths (128, 192, 256) in AES
Construction: iterated hash function
Iterated hash function

- Partition message into L fixed-size b-bit blocks
- Compression function f: takes two inputs
  - Chaining variable (n bits) from previous step
  - b-bit block, b > n (compression)
  - Can be constructed from block ciphers, must be collision resistant

Motivation
- If the compression function is collision resistant, then so is the iterated hash function
- Designing a secure hash function reduces to designing a collision-resistant compression function that takes fixed-size input
Merkle-Damgård construction

[Figure: the padded message is split into Block 1, Block 2, Block 3, ..., Block k; starting from the Initial Value, each block is fed together with the previous output into F, and the final output is the Hash]

Given: compression function F: {0,1}^n x {0,1}^b -> {0,1}^n; n-bit constant IV
Input: message M
1. Break M into b-bit blocks, M1, ..., Mk; add padding if necessary
2. Let Mk+1 be an encoding of |M|
3. Let h0 = IV
4. Let hi = F(hi-1, Mi), i = 1, ..., k+1; output hk+1
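The four steps above as added Python code (not from the slides). The compression function F is a constructed stand-in, SHA-256 of (chaining value || block) truncated to n bits, chosen only so the example is self-contained; a real design would use a dedicated compression function (the slides mention building one from a block cipher). n = 256 bits, b = 512 bits, IV = all zeros and the zero padding are likewise my assumptions. The length_block switch exists so the reader can see what step 2 buys: with zero padding alone, messages that differ only in trailing zero bytes collide.

```python
# Added example (not from the slides): Merkle-Damgård iteration over a
# constructed compression function F: {0,1}^n x {0,1}^b -> {0,1}^n.
import hashlib

N_BYTES = 32            # n = 256 bits (chaining variable)
B_BYTES = 64            # b = 512 bits (message block), b > n
IV = bytes(N_BYTES)     # constructed n-bit constant (all zeros)

def F(h: bytes, block: bytes) -> bytes:
    """Constructed compression function: SHA-256(h || block) truncated to n bits."""
    if len(h) != N_BYTES or len(block) != B_BYTES:
        raise ValueError("F expects an n-bit chaining value and a b-bit block")
    return hashlib.sha256(h + block).digest()[:N_BYTES]

def md_hash(M: bytes, length_block: bool = True) -> bytes:
    """Steps 1-4 of the slide: split and pad, append |M|, iterate F from IV."""
    # Step 1: zero-pad M to a multiple of b bits and split into M1..Mk.
    padded = M + bytes((-len(M)) % B_BYTES)
    blocks = [padded[i:i + B_BYTES] for i in range(0, len(padded), B_BYTES)]
    # Step 2: M(k+1) encodes the bit length of the original message.
    if length_block:
        blocks.append((len(M) * 8).to_bytes(B_BYTES, "big"))
    # Steps 3-4: h0 = IV, hi = F(h(i-1), Mi); the last chaining value is the hash.
    h = IV
    for block in blocks:
        h = F(h, block)
    return h

if __name__ == "__main__":
    print(md_hash(b"abc").hex())
    print("collide without length block:",
          md_hash(b"abc", False) == md_hash(b"abc\x00", False))
    print("collide with length block:   ",
          md_hash(b"abc") == md_hash(b"abc\x00"))
```

The length encoding is what makes the padding injective, and injective padding is what the motivation slide relies on when it says collision resistance of F carries over to the iterated hash.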
Commonly used hash functions

- MD5
- SHA family
  - SHA-0, SHA-1, SHA-2, and SHA-3 (different construction paradigm)
- Whirlpool
- Tiger
- RIPEMD-128, 160, 256, 320
  - Improved versions of RIPEMD
Compression Function of SHA-2

- Has 8 intermediate registers a, ..., h
- Kj are constants for the round and Wj are the message words
- This function is computed 64 times (in SHA-256)
Attacks: MD5

- MD4: 128 bits, 1990. Broken
- MD5: 128 bits, 1992. Wide usage.
  - Flaw found in 1996, collision attacks in 2004
  - Current best attacks: Xie-Feng (2009) in 2^20
  - Preimage attacks: still hard, ~2^123.4 (Sasaki-Aoki)
Attack: the SHA Family

- SHA-0: made a standard by NIST in 1993
  - Based on Merkle-Damgård design. 160 bits
  - In 1998 collisions against SHA-0 were demonstrated in 2^61 steps
- SHA-1: US standard [NIST, FIPS PUB 180-1]
  - 160-bit message digest
  - Collisions were found in 2^69 steps (Wang, Yin, Yu, Crypto 2005)
  - NIST requires federal agencies to move to SHA-2 after 2010
  - SHA-1 was considered broken
SHA-2

- SHA-224, SHA-256, SHA-384, SHA-512
  - Outputs 224, 256, 384, and 512 bits, respectively
  - No real security concerns, yet
  - Similar design principle as SHA-1 (and MD5)
SHA-3

- 2007: Request for submissions of new hash functions
- 2008: Submissions deadline. Received 64 entries. Announced first-round selections of 51 candidates
- 2009: First SHA-3 candidate conference in Feb. Announced 14 second-round candidates in July
- 2010: After one year of public review of the algorithms, the second SHA-3 candidate conference was held in Aug. Announced 5 third-round candidates in Dec
- 2011: Public comment for final round
- 2012: October 2, NIST selected Keccak as SHA-3
Applications of hash functions

- Password hashing
- Many other applications
  - Message integrity
  - Digital signature
  - Pseudo-random string generation/key derivation
  - Commitment
  - ...
- Message authentication codes (MAC) can be built out of hash functions and provide "symmetric" signatures
Review of crypto functionality

- Symmetric encryption: provides confidentiality in the setting where two parties share a cryptographic key
  - Needs to be constructed from a block cipher; mode of operation matters
- Message authentication code: provides integrity in the setting where two parties share a cryptographic key
- Public-key encryption: provides confidentiality where the receiver's identity is public
- Digital signature: provides integrity when the sender's identity is public
- Hash function: provides a fixed-length representation of data; hard to find collisions or preimages