- Hash functions (structural cryptanalysis) (2 weeks)
  - birthday paradox (explain via the "fish-in-the-lake" anecdote: if the lake has n fish, you only need to catch O(sqrt(n)) of them)
  - parallel collision search
  - chaining attacks (e.g., meet-in-the-middle; see HAC)
  - time-space tradeoffs, Hellman's algorithm
  - double-width hashes from single-width primitives
  - FFT hashing
  - COMP128
  - dedicated constructions of PRFs

Review of the thought problem (autokey cipher):

  Kind of attack       Indistinguishability   Key recovery
  Ciphertext-only      <= O(n)                ???
  Known-plaintext      <= O(n)                O(n^2 log n)
  Chosen-plaintext     sqrt(n)                O(n^2)
  Chosen-ciphertext    2                      O(n^2)

Birthday attack
- a simple scenario
  - Suppose there are k different fish in a pond, and we're catching a fish at random, tagging it, and then throwing it back in.
  - How many tries before we find the first repeated fish? sqrt(k) [birthday]
  - How many tries before we see 63% of the fish? k
  - How many tries before we've seen all fish? k log k [coupon collector]

What's a hash function? h : {0,1}^* -> {0,1}^n

Applications
- Storing your password in /etc/passwd
  - How many bits of output are needed for 128-bit security? (128 bits)
  - Requirement, try #1: given y = h(x), can't find x.
    - Not strong enough! If you can find x' with h(x') = y, you can use x' as an alternate password to log in.
  - preimage resistant: given h(x), can't find x' with h(x') = h(x)
    - best brute-force attack: try random x' until they coincide; needs 2^128 work
  - Will a CRC work? No. Not preimage-resistant. (What about a CRC with a secret feedback polynomial? No; can't keep the polynomial secret.)
- Detecting modification of files on a hard drive
  - How many bits of output are needed for 128-bit security? (256 bits)
  - birthday attack! Pick 2^{n/2} random messages, look for a pair that collide, store the first file on disk; then you can later change it to the second file without detection.
- Contract signing: hash the message, and then apply a public-key signature
  - How many bits of output are needed for 128-bit security? (256 bits)
  - birthday attack! Pick 2^{n/2} variations on "I buy your house for $500k" (add spaces, etc.); then pick 2^{n/2} variations on "I buy your house for $200k"; look for a collision between the two batches; then sign the result and give it to the seller, who verifies that we have committed to pay $500k; then after he signs over the title to us, we only pay him $200k, and when he hauls us into court, we show the judge the valid signature on the $200k offer.

Security notions for hashes:
- preimage resistance
- 2nd preimage resistance: given x, can't find x' != x with h(x) = h(x')
- collision resistance
- "pseudorandomness"

Best you can hope for with an n-bit hash:
- preimage resistance: 2^n work
- collision resistance: 2^{n/2} work

Hashing variable-length messages:
- Merkle-Damgard hashing
  - It preserves preimage + collision resistance
  - What if we leave out the length block? => fixed-point attacks
  - What if we use CBC with a non-secret key for hashing, i.e., C(h,m) = E(h+m)? => correcting-block attacks
  - What if the compression function isn't preimage resistant? E.g., what if it is easily invertible? => meet-in-the-middle attack to invert the hash with 2^{n/2} work (if inversion takes 2^s time, then the MITM attack takes 2^{(n+s)/2} time: compute 2^{(n+s)/2} values forward and 2^{(n-s)/2} values backward)
  - What if we repeat the message twice, then hash it with an invertible compression function? => Coppersmith's triple-birthday attack (CRYPTO'85)

Black-box cryptanalysis and multipermutations
- Show an FFT network
- Show the "nonlinear" picture from Vaudenay & Schnorr's journal paper
- idea of "resolution"

Structural cryptanalysis of a S-N network
- Show a picture of a 1.5-round cipher:
  - A layer of 16 parallel 8-bit random S-boxes
  - A layer with a random linear map
  - Another layer of 16 parallel 8-bit random S-boxes
- What is its security under various guises?
  - public components => preimage attacks are easy
  - secret components, random S-box functions => look for collisions in a single S-box in the first layer: 2^4.5 messages
  - secret components, random bijective S-box functions => look at the data path from S_i in layer 1 to S_j in layer 2, and vary over all 256 inputs to S_i; the outputs from S_j will vary over all 256 values, or over 128 values twice each, or 64 values four times each, or ...; gives a distinguishing attack
  - secret components, random bijective S-box functions, bijective linear map => changing one byte of the input is guaranteed to change all output bytes; gives a distinguishing attack
- What if we change to using 2 parallel 64-bit S-boxes?
  - if the linear map is chosen randomly (not forced to be bijective), there will be a 2^32-work attack with good probability, based on considering the data path from S_i to S_j and looking for collisions in layer 2 of this path
- In general, for n-bit S-boxes and a random linear map:
  - Let f be the data path from S_i to S_j
  - For a good hash function, f is a random function
  - For this construction, f is:
    - a random 1-to-1 (bijective) function (prob ~ .29), or
    - a random 2-to-1 function, or
    - a random 4-to-1 function, etc.
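The fish-pond numbers (sqrt(k) to the first repeat, k to see 63%, k log k to see all) and the generic birthday collision search behind the "256 bits for 128-bit security" answers, as an added simulation that is not part of the lecture notes. The hash is a constructed toy (SHA-256 truncated to nbits) so that collisions are cheap enough to find in a few seconds; the seeds and pond sizes are arbitrary choices.

```python
import hashlib
import math
import random

def truncated_hash(msg: bytes, nbits: int) -> int:
    """Toy nbits-wide hash: the leading nbits of SHA-256 (constructed for the demo)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - nbits)

def birthday_collision(nbits: int, seed: int = 0):
    """Generic collision search on an nbits hash: draw random messages, remember
    every digest, stop at the first repeat. Expected cost is about
    sqrt(pi/2 * 2^nbits) evaluations, versus 2^nbits for a preimage search.
    Returns (msg1, msg2, tries)."""
    rng = random.Random(seed)
    seen = {}
    tries = 0
    while True:
        m = rng.getrandbits(64).to_bytes(8, "big")
        tries += 1
        y = truncated_hash(m, nbits)
        if y in seen and seen[y] != m:
            return seen[y], m, tries
        seen[y] = m

def fish_pond(k: int, seed: int = 0):
    """Catch-tag-release simulation with k fish. Returns the catch counts at which
    we saw (the first repeated fish, 63% of the fish, every fish)."""
    rng = random.Random(seed)
    seen = set()
    first_repeat = t63 = t_all = None
    catches = 0
    while t_all is None:
        catches += 1
        fish = rng.randrange(k)
        if fish in seen and first_repeat is None:
            first_repeat = catches
        seen.add(fish)
        if t63 is None and len(seen) >= math.ceil(0.63 * k):
            t63 = catches
        if len(seen) == k:
            t_all = catches
    return first_repeat, t63, t_all

def mean_first_repeat(k: int, trials: int = 50) -> float:
    """Average catches until the first repeat; compare with sqrt(pi*k/2)."""
    return sum(fish_pond(k, s)[0] for s in range(trials)) / trials
```

For k = 1000 the mean first repeat lands near sqrt(pi*1000/2) ~ 40, the 63% mark near 1000, and the last fish near 1000 * ln(1000) ~ 7000, which is the whole point of the anecdote.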
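The meet-in-the-middle inversion of a Merkle-Damgard hash whose compression function is easily invertible, worked through as an added example (not from the notes). The hash is a constructed toy: a 16-bit chaining value, a 4-round Feistel permutation as the compression function, and no length block, so a 2-block preimage costs about 2 * 2^{n/2} compressions instead of 2^n.

```python
import hashlib

N = 16          # toy chaining-value width in bits (constructed; real hashes use >= 256)
HALF = N // 2
IV = 0x1234     # constructed initial value

def round_fn(m: int, r: int, x: int) -> int:
    """Pseudorandom HALF-bit round function keyed by message block m and round r."""
    data = m.to_bytes(4, "big") + bytes([r]) + x.to_bytes(1, "big")
    return hashlib.sha256(data).digest()[0]

def compress(h: int, m: int) -> int:
    """Compression function C(h, m): a 4-round Feistel permutation of h keyed by m.
    For fixed m it is a bijection in h, so it is easily invertible (see below)."""
    L, R = h >> HALF, h & 0xFF
    for r in range(4):
        L, R = R, L ^ round_fn(m, r, R)
    return (L << HALF) | R

def compress_inv(h_next: int, m: int) -> int:
    """Undo one chaining step: recover h from C(h, m) and m by running the rounds backwards."""
    L, R = h_next >> HALF, h_next & 0xFF
    for r in reversed(range(4)):
        L, R = R ^ round_fn(m, r, L), L
    return (L << HALF) | R

def md_hash(blocks) -> int:
    """Merkle-Damgard chaining without the length block (the case the notes warn about)."""
    h = IV
    for m in blocks:
        h = compress(h, m)
    return h

def mitm_preimage(target: int, k: int = 1 << (HALF + 2)):
    """Two-block preimage of target with about 2k compressions instead of 2^N.
    Forward: k values h1 = C(IV, m1).  Backward: k values h1' = C^{-1}(target, m2).
    Any match h1 == h1' yields md_hash([m1, m2]) == target (k^2 / 2^N matches expected)."""
    forward = {compress(IV, m1): m1 for m1 in range(k)}
    for m2 in range(k, 2 * k):          # block values disjoint from the forward set
        h1 = compress_inv(target, m2)
        if h1 in forward:
            return [forward[h1], m2]
    return None
```

With k = 2^10 the two lists of 1024 chaining values meet with about 16 expected matches, which is the 2^{(n+s)/2} tradeoff from the notes with s = 0 (inversion is free here).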
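The data-path distinguisher for the 1.5-round S-N network (secret components, random bijective S-boxes, random linear map), as an added model that is not the lecturer's code. It builds the construction from the notes with constructed random components, varies all 256 inputs to S_i, and checks the multiplicity pattern at S_j: the path goes through an 8x8 GF(2) submatrix of rank r, so output byte j takes exactly 2^r distinct values, each 2^(8-r) times, which a random byte function (about 162 distinct values, uneven counts) would not do.

```python
import random

BYTES = 16     # 16 parallel 8-bit S-boxes per layer, as in the notes

def random_bijective_sbox(rng):
    s = list(range(256))
    rng.shuffle(s)
    return s

def random_linear_map(rng, nbits=8 * BYTES):
    """Random GF(2) matrix (row r stored as a bitmask); not forced to be bijective."""
    return [rng.getrandbits(nbits) for _ in range(nbits)]

def apply_linear(rows, x):
    y = 0
    for r, row in enumerate(rows):
        if bin(row & x).count("1") & 1:    # parity = GF(2) dot product of row and x
            y |= 1 << r
    return y

def make_network(seed):
    """1.5-round S-N network with secret components: S-box layer, linear map, S-box layer."""
    rng = random.Random(seed)
    s1 = [random_bijective_sbox(rng) for _ in range(BYTES)]
    lin = random_linear_map(rng)
    s2 = [random_bijective_sbox(rng) for _ in range(BYTES)]
    def net(msg: bytes) -> bytes:
        x = sum(s1[i][b] << (8 * i) for i, b in enumerate(msg))
        y = apply_linear(lin, x)
        return bytes(s2[j][(y >> (8 * j)) & 0xFF] for j in range(BYTES))
    return net

def datapath_profile(net, i, j, base=bytes(BYTES)):
    """Vary input byte i over all 256 values (other bytes fixed) and report how many
    distinct values output byte j takes, plus the set of multiplicities."""
    counts = {}
    for v in range(256):
        m = bytearray(base)
        m[i] = v
        out = net(bytes(m))[j]
        counts[out] = counts.get(out, 0) + 1
    return len(counts), set(counts.values())

def looks_like_sn_network(profile):
    """True iff the profile is '2^r values, each exactly 2^(8-r) times', the signature of
    a bijective S-box followed by a rank-r linear submatrix and another bijective S-box."""
    distinct, mults = profile
    return distinct & (distinct - 1) == 0 and mults == {256 // distinct}
```

Because a random 8x8 binary matrix has full rank with probability about 0.29, roughly a third of the (S_i, S_j) paths are 1-to-1 and the rest are 2-to-1, 4-to-1, and so on, matching the list at the end of the notes.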