Cryptography and Hash Functions in Data Security

cryptography n.w
1 / 32
Embed
Share

"Explore the concepts of cryptography, random oracle model, hash functions, Merkle trees, fingerprinting, and outsourced storage for secure data protection. Learn how to leverage these techniques to safeguard information in an untrusted environment."

  • Cryptography
  • Data Security
  • Hash Functions
  • Merkle Trees
  • Outsourced Storage
rayaanacharya
rma_mc Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Cryptography Lecture 15

  2. Q and A; bring the written answers to TA before the class 1. What is random oracle model? Summarize it. 2. Hash function in the random oracle is powerful. It can be used to build all primitives we have seen so far. What are the constructions briefly? 3. Merkle trees are trade-offs between two extremes. What are the two extremes? Convince yourself why Merkle trees work

  3. Random Oracle Model and Other applications of hash functions

  4. Hash functions are ubiquitous Collision-resistance fingerprinting Used as a one-way function Key derivation

  5. Fingerprinting E.g., file integrity Assuming it is possible to get a reliable copy of H(x) for file x Note: different from integrity in the context of message-authentication codes

  6. Outsourced storage How to outsource files to an untrusted server? x x h=H(x) x H(x)=?h

  7. Outsourced storage x1, , xn x1, , xn hi =H(xi) i xi H(xi)=?hi O(n) client storage!

  8. Outsourced storage x1, , xn x1, , xn h =H(x1, , xn) i x1, , xn H(x1, , xn)=?h O(n |x|) communication!

  9. Outsourced storage x1, , xn x1, , xn h =H(H(x1), , H(xn)) i xi, h1, , hn H(h1, , H(xi), , hn)=?h |xi| + O(n) communication!

  10. Merkle tree x1 x2 x2 x3 x4 Only store the root! Verify O(log n) communication/computation!

  11. Outsourced storage Using a Merkle tree, we can solve the outsourcing problem with O(1) client storage and |x| + O(log n) communication

  12. Secure Deduplication At the server side Hash the content to derive the key k = H(m) Then use the key to encryption m to get C=Ek(m) Same m leads to the same c. Cannot achieve Chosen distribution attack security, guaranteeing security only when m is random enough.

  13. Password hashing Server stores H(pw) instead of pw Requires more than one-wayness of H See later discussion on random oracles Salting H( salt , pwd)

  14. Commitment Scheme M M C = Commit Receiver Sender Phase Hiding: M is hidden given C. Reveal Receiver Sender M Phase Binding: C can be only opened to M.

  15. Commitment Scheme Use case: auction Commit(m): c=H(r||m) Reveal(c): return r and m

  16. Key derivation Consider deriving a (shared) key from (shared) high-entropy information E.g., biometric data E.g., generating randomness Cryptographic keys must be uniform, but shared data is only high-entropy

  17. Min-entropy Let X be a distribution The min-entropy of X (measured in bits) is H (X) = - log maxx { Pr[X=x] } I.e., if H (X) = n, then the probability of guessing x sampled from X is (at most) 2-n Min-entropy is more suitable for crypto than entropy

  18. Key derivation Given shared information x (sampled from distribution X), derive shared key k=H(x) In what sense can we claim that k is a good (i.e., uniformly distributed) cryptographic key?

  19. Recall security goal (To Introduce Random Oracle Model) Main goal is collision resistance Want optimal birthday security Also want preimage resistance, 2nd-preimage resistance Want optimal security here as well Optimal measured relative to a random function Why not design H to be a random function ?

  20. The random-oracle (RO) model Treat H as a public, random function Then H(x) is uniform for any x unless the attacker computes H(x) explicitly by querying x

  21. Many applications One canonical example: key derivation

  22. The random-oracle (RO) model Treat H as a public, random function Then H(x) is uniform for any x unless the attacker computes H(x) but the attacker cannot do that (with high probability) if X has high min-entropy!

  23. The RO model Intuitively Assume the hash function is random Models attacks that are agnostic to the specific hash function being used Security in the real world as long as no weaknesses found in the hash function

  24. The RO model Formally Choose a uniform hash function as part of the security experiment Attacker can only evaluate H via explicit queries to an oracle Simulate H for the attacker as part of the security proof/reduction

  25. The RO model In practice Prove security in the RO model Instantiate the RO with a good hash function Hope for the best

  26. Pros and cons of the RO model Cons There is no such thing as a public hash function that is random Not even clear what this means formally Known counterexamples There are (contrived) schemes secure in the RO model, but insecure when using any real-world hash function Sometimes over-abused (arguably)

  27. Pros and cons of the RO model Pros No known example of natural scheme secure in the RO model being attacked in the real world If an attack is found, just replace the hash Proof in the RO model better than no proof at all Evidence that the basic design principles are sound

  28. PRF from Hash Function in the Random Oracle Model Fk(x) = H(k||x) Note that it does not use any computational assumption, but relies on H is a random oracle (which is already very strong).

  29. Hash Functions can do all major cryptographic functions Export law (historically) Encryption forbidden HMAC was designed to circumvent this Not just MAC As shown in building PRF And therefore all sorts of major functions

  30. Ideal-cipher model Stronger than the RO model! Model block cipher F: {0,1}n x {0,1}n {0,1}n as a collection of public, independent, random permutations I.e., for each key k, Fk is a random permutation on {0,1}n

  31. The ideal-cipher model This is more than assuming F is a PRP Fk random even when k is known! (No weak keys) (No related-key attacks) Formally, similar to the RO model In particular, the only way to evaluate F is via explicit oracle queries Attacker allowed to query F and F-1

  32. Building a hash function Two-stage approach Build a compression function (from a block cipher) I.e., collision-resistant hash function for fixed-length inputs Build a full-fledged hash function from a compression function Other approaches are possible

Related


No related presentations.

More Related Content