Unit 4

The document discusses hash functions and their applications in message authentication and digital signatures. Hash functions map variable length inputs to fixed length outputs. Cryptographic hash functions have properties like one-wayness and collision resistance. Hash functions can provide message authentication by including the hash in messages. Digital signatures are generated by encrypting a message hash with a private key.

Uploaded by

Nithyasri A

12/29/23

Course : 18AIC307T & Cryptography and Network Security
UNIT 4 : Cryptographic Hash Functions & Digital Signatures
Faculty : Ms. NITHYASRI A, Assistant Professor
Department of Artificial Intelligence
MKCE

Hash Functions
• A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value
• h = H(M)
• Principal object is data integrity
• The kind of hash function needed for security applications is referred to as a cryptographic hash function
• Cryptographic hash function
  - An algorithm for which it is computationally infeasible to find either:
    (a) a data object that maps to a pre-specified hash result (the one-way property)
    (b) two data objects that map to the same hash result (the collision-free property)

Applications of cryptographic hash functions
• Message Authentication
• Digital signature
• Other applications

Message Authentication
• Message authentication is a mechanism or service used to verify the integrity of a message.
• Message authentication assures that data received are exactly as sent (i.e., contain no modification, insertion, deletion, or replay).
• In many cases, there is a requirement that the authentication mechanism assures that purported identity of the sender is valid.
• When a hash function is used to provide message authentication, the hash function value is often referred to as a message digest.

• The essence of the use of a hash function for message authentication is as follows.
  - The sender computes a hash value as a function of the bits in the message and transmits both the hash value and the message.
  - The receiver performs the same hash calculation on the message bits and compares this value with the incoming hash value.
  - If there is a mismatch, the receiver knows that the message (or possibly the hash value) has been altered (Figure a).

• The hash value must be transmitted in a secure fashion. That is, the hash value must be protected so that if an adversary alters or replaces the message, it is not feasible for the adversary to also alter the hash value to fool the receiver. This type of attack is shown in Figure b.

• In this example, Alice transmits a data block and attaches a hash value. Darth intercepts the message, alters or replaces the data block, and calculates and attaches a new hash value. Bob receives the altered data with the new hash value and does not detect the change. To prevent this attack, the hash value generated by Alice must be protected.

A variety of ways in which a hash code can be used to provide message authentication, as follows:

a) The message plus concatenated hash code is encrypted using symmetric encryption. Because only A and B share the secret key, the message must have come from A and has not been altered. The hash code provides the structure or redundancy required to achieve authentication. Because encryption is applied to the entire message plus hash code, confidentiality is also provided.

b) Only the hash code is encrypted, using symmetric encryption. This reduces the processing burden for those applications that do not require confidentiality.

c) It is possible to use a hash function but no encryption for message authentication. The technique assumes that the two communicating parties share a common secret value S. A computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because B possesses S, it can recompute the hash value to verify. Because the secret value itself is not sent, an opponent cannot modify an intercepted message and cannot generate a false message.

d) Confidentiality can be added to the approach of method (c) by encrypting the entire message plus the hash code.
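Added example (not part of the original slides): the Figure b alteration checked against a bare hash, against method (c), and against an HMAC for comparison. The secret S, the two messages and all function names are constructed for the illustration, and SHA-256 stands in for H.

```python
import hashlib
import hmac

# Constructed values: the shared secret S and both messages are made up.
S = b"constructed-shared-secret-S"
ORIGINAL = b"PAY 100 TO BOB"
ALTERED = b"PAY 9000 TO DARTH"

def plain_hash(m, _s=None):
    """Unprotected digest H(M): anyone can recompute it."""
    return hashlib.sha256(m).digest()

def secret_hash(m, s):
    """Method (c): H(M || S), with S never transmitted."""
    return hashlib.sha256(m + s).digest()

def hmac_tag(m, s):
    """HMAC-SHA-256, the standardized keyed-hash MAC, for comparison."""
    return hmac.new(s, m, hashlib.sha256).digest()

def bob_accepts(scheme, message, tag):
    """Bob recomputes the value over what he received and compares."""
    return hmac.compare_digest(scheme(message, S), tag)

def darth_in_the_middle(message, tag):
    """Figure b: the data block is replaced and a fresh hash attached.
    Darth does not know S, so H(M) is the only value he can compute."""
    return ALTERED, plain_hash(ALTERED)

def run():
    results = {}
    schemes = [("H(M)", plain_hash), ("H(M||S)", secret_hash), ("HMAC", hmac_tag)]
    for name, scheme in schemes:
        sent = (ORIGINAL, scheme(ORIGINAL, S))
        results[name] = {
            "untouched accepted": bob_accepts(scheme, *sent),
            "altered accepted": bob_accepts(scheme, *darth_in_the_middle(*sent)),
        }
    return results

if __name__ == "__main__":
    for name, outcome in run().items():
        print(name, outcome)
```

Only the bare hash lets the altered block through; both keyed variants reject it because the attached value cannot be recomputed without S.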


Digital Signatures
• In the case of the digital signature, the hash value of a message is encrypted with a user's private key.
• Anyone who knows the user's public key can verify the integrity of the message that is associated with the digital signature.
• In this case an attacker who wishes to alter the message would need to know the user's private key.

There are two ways in which a hash code is used to provide a digital signature:

a) The hash code is encrypted, using public-key encryption and using the sender's private key. This provides authentication. It also provides a digital signature, because only the sender could have produced the encrypted hash code. In fact, this is the essence of the digital signature technique.

b) If confidentiality as well as a digital signature is desired, then the message plus the private-key-encrypted hash code can be encrypted using a symmetric secret key. This is a common technique.

Other applications
• to create a one-way password file
  - store hash of password not actual password
• for intrusion detection and virus detection
  - keep & check hash of files on system
• pseudorandom function (PRF) or pseudorandom number generator (PRNG)

Requirements and Security

Preimage
• x is the preimage of h for a hash value h = H(x)
• Is a data block whose hash function, using the function H, is h
• Because H is a many-to-one mapping, for any given hash value h, there will in general be multiple preimages

Collision
• Occurs if we have x ≠ y and H(x) = H(y)
• Because we are using hash functions for data integrity, collisions are clearly undesirable

Requirements for a Cryptographic Hash Function H

• Table lists the generally accepted requirements for a cryptographic hash function.
• The first three properties are requirements for the practical application of a hash function.
• The fourth property, preimage (for a hash value h = H(x), we say that x is the preimage of h) resistant, is the one-way property: it is easy to generate a code given a message, but virtually impossible to generate a message given a code. This property is important if the authentication technique involves the use of a secret value.
• The fifth property, second preimage resistant, guarantees that it is impossible to find an alternative message with the same hash value as a given message. This prevents forgery when an encrypted hash code is used.
• A hash function that satisfies the first five properties in the table is referred to as a weak hash function.
• If the sixth property, collision resistant, is also satisfied, then it is referred to as a strong hash function.
• A strong hash function protects against an attack in which one party generates a message for another party to sign. The final requirement, pseudorandomness, has not traditionally been listed as a requirement of cryptographic hash functions, but is more or less implied.

Attacks on hash functions
• As with encryption algorithms, there are two categories of attacks on hash functions:
  1. brute-force attacks and
  2. Cryptanalysis
• A brute-force attack does not depend on the specific algorithm but depends only on bit length. In the case of a hash function, a brute-force attack depends only on the bit length of the hash value.
• A cryptanalysis, in contrast, is an attack based on weaknesses in a particular cryptographic algorithm.

Birthday Attacks
• For a collision resistant attack, an adversary wishes to find two messages or data blocks that yield the same hash function
• The effort required is explained by a mathematical result referred to as the birthday paradox
• How the birthday attack works:
  - The source (A) is prepared to sign a legitimate message x by appending the appropriate m-bit hash code and encrypting that hash code with A's private key
  - Opponent generates 2^(m/2) variations x' of x, all with essentially the same meaning, and stores the messages and their hash values
  - Opponent generates a fraudulent message y for which A's signature is desired
  - Two sets of messages are compared to find a pair with the same hash
  - The opponent offers the valid variation to A for signature which can then be attached to the fraudulent variation for transmission to the intended recipient
  - Because the two variations have the same hash code, they will produce the same signature and the opponent is assured of success even though the encryption key is not known

Hash Function Cryptanalysis
• As with encryption algorithms, cryptanalytic attacks on hash functions seek to exploit some property of the algorithm to perform some attack other than an exhaustive search.
• In recent years, there has been much effort, and some successes, in developing cryptanalytic attacks on hash functions. Must consider the overall structure of a typical secure hash function, referred to as an iterated hash function.

• This was proposed by Merkle and is the structure of most hash functions in use today.

• The hash function takes an input message and partitions it into L fixed-sized blocks of b bits each. If necessary, the final block is padded to b bits.

• The final block also includes the value of the total length of the input to the hash function. The inclusion of the length makes the job of the opponent more difficult.

• The hash algorithm involves repeated use of a compression function, f, that takes two inputs (an n-bit input from the previous step, called the chaining variable, and a b-bit block) and produces an n-bit output. At the start of hashing, the chaining variable has an initial value that is specified as part of the algorithm. The final value of the chaining variable is the hash value. Often, b > n; hence the term compression.

• The motivation for this iterative structure stems from the observation by Merkle and Damgard that if the compression function is collision resistant, then so is the resultant iterated hash function. Therefore, the structure can be used to produce a secure hash function to operate on a message of any length.

• Cryptanalysis of hash functions focuses on the internal structure of f and is based on attempts to find efficient techniques for producing collisions for a single execution of f. Once that is done, the attack must take into account the fixed value of IV. The attack on f depends on exploiting its internal structure. The attacks that have been mounted on hash functions are rather complex.
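Added example (not part of the original slides): a measurement of the 2^(m/2) effort behind the birthday attack described earlier, showing that the length of the hash code, not the algorithm, sets the brute-force collision cost. The m-bit hash code is simulated by truncating SHA-256 and the messages are constructed counters; both are assumptions of this sketch.

```python
import hashlib

def truncated_hash(data: bytes, m_bits: int) -> int:
    """First m_bits of SHA-256, standing in for an m-bit hash code."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - m_bits)

def find_collision(m_bits: int):
    """Hash distinct constructed messages until two share an m-bit code.

    Returns (first message, second message, number of hashes computed).
    """
    seen = {}
    counter = 0
    while True:
        msg = b"constructed message #%d" % counter
        code = truncated_hash(msg, m_bits)
        if code in seen:
            return seen[code], msg, counter + 1
        seen[code] = msg
        counter += 1

def survey(sizes=(16, 24, 32)):
    """For each hash length m, pair the measured effort with 2^(m/2)."""
    rows = []
    for m in sizes:
        _, _, tries = find_collision(m)
        rows.append((m, tries, 2 ** (m // 2)))
    return rows

if __name__ == "__main__":
    for m, tries, bound in survey():
        print(f"m={m:2d} bits: collision after {tries} hashes, 2^(m/2) = {bound}")
```

The measured counts track 2^(m/2) rather than 2^m, so every extra 2 bits of hash code only doubles the search; this is the arithmetic behind moving from short hash codes to 160-bit and longer values.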


Secure Hash Algorithm (SHA)
• SHA was originally designed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993
• Was revised in 1995 as SHA-1
• Based on the hash function MD4 and its design closely models MD4
• Produces 160-bit hash values
• In 2002 NIST produced a revised version of the standard that defined three new versions of SHA with hash value lengths of 256, 384, and 512
• Collectively known as SHA-2

Table: Comparison of SHA Parameters
Note: All sizes are measured in bits.

SHA-512 LOGIC
• The algorithm takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest.
• The input is processed in 1024-bit blocks.

The processing consists of the following steps:

• Step 1: Append padding bits. The message is padded so that its length is congruent to 896 modulo 1024 [length ≡ 896 (mod 1024)]. Padding is always added, even if the message is already of the desired length. Thus, the number of padding bits is in the range of 1 to 1024. The padding consists of a single 1 bit followed by the necessary number of 0 bits.

• Step 2: Append length. A block of 128 bits is appended to the message.

• Step 3: Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).

• Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the algorithm. This contains 80 rounds.

• Step 5: Output the final state value as the resulting hash.

SHA-512 Compression Function
• heart of the algorithm
• processing message in 1024-bit blocks
• consists of 80 rounds
  - updating a 512-bit buffer
  - using a 64-bit value derived from the current message block
  - and a round constant based on cube root of first 80 prime numbers

SHA-512 Round Function
• The structure of each of the 80 rounds is shown in Figure. Each 64-bit word is shuffled along one place, and in some cases manipulated using a series of simple logical functions (ANDs, NOTs, ORs, XORs, ROTates), in order to provide the avalanche & completeness properties of the hash function. The elements are:

Ch(e,f,g) = (e AND f) XOR (NOT e AND g)

Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)

∑(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)

∑(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)

+ = addition modulo 2^64

Kt = a 64-bit additive constant

Wt = a 64-bit word derived from the current 512-bit input block.


Message Authentication
• message authentication is concerned with:
  - protecting the integrity of a message
  - validating identity of originator
  - non-repudiation of origin (dispute resolution)
• will consider the security requirements

Message Security Requirements
• Disclosure
  - Release of message contents to any person or process not possessing the appropriate cryptographic key
• Traffic analysis
  - Discovery of the pattern of traffic between parties
• Masquerade
  - Insertion of messages into the network from a fraudulent source
• Content modification
  - Changes to the contents of a message, including insertion, deletion, transposition, and modification
• Sequence modification
  - Any modification to a sequence of messages between parties, including insertion, deletion, and reordering
• Timing modification
  - Delay or replay of messages
• Source repudiation
  - Denial of transmission of message by source
• Destination repudiation
  - Denial of receipt of message by destination

Message Authentication Functions
three alternative functions used:
• hash function: A function that maps a message of any length into a fixed-length hash value which serves as the authenticator
• message encryption: The ciphertext of the entire message serves as its authenticator
• message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator

Symmetric Message Encryption
• encryption can also provide authentication
• if symmetric encryption is used then:
  - receiver knows sender must have created it
  - since only sender and receiver know key used
  - know content cannot have been altered
  - if message has suitable structure, redundancy or a checksum to detect any changes

Public-Key Message Encryption
• if public-key encryption is used:
  - encryption provides no confidence of sender
  - since anyone potentially knows public-key
  - however if
    - sender signs message using their private-key
    - then encrypts with recipients public key
    - have both secrecy and authentication
  - again need to recognize corrupted messages
  - but at cost of two public-key uses on message

Message Authentication Code (MAC)
• as shown the MAC provides authentication
• can also use encryption for secrecy
  - generally use separate keys for each
  - can compute MAC either before or after encryption
  - is generally regarded as better done before
• why use a MAC?
  - sometimes only authentication is needed
  - sometimes need authentication to persist longer than the encryption (eg. archival use)
• note that a MAC is not a digital signature
