
05 Hash Functions

Uploaded by

zaryabh943

INTRODUCTION TO MODERN CRYPTOGRAPHY
5. Hash Functions And Applications.
Based On Jonathan Katz And Yehuda Lindell.
5.1 DEFINITIONS
Hash functions in cryptography are mathematical
algorithms that transform input data of arbitrary size into a
fixed-size numerical output, known as a hash value or digest.
It is also called a compression function.
A cryptographic hash function (CHF) takes an input (or
message) and produces a unique, fixed-length string of
characters, representing the input data. This process makes
it computationally infeasible to reverse the function to
retrieve the original input, ensuring a one-way encryption.
Hash functions are simply functions that take inputs of some
length and compress them into short, fixed-length outputs.
The classic use of hash functions is in data structures, where
they can be used to build hash tables that enable O(1)
5.1.1 COLLISION RESISTANCE
Collision resistance is a property of cryptographic hash
functions where it is hard to find two different inputs that
produce the same output.
Specifically, a hash function H is considered collision-resistant
if, for any inputs a and b where a≠b, finding a pair such that
H(a)=H(b) is difficult and requires significant computational
effort.
A keyed hash function, denoted H^s, takes two inputs: a
secret key s and a string x. The result of this function is defined
as H^s(x)=H(s,x). The essential requirement for such functions
is that collisions should be hard to find for any randomly
generated key s.
DEFINITION 5.2
A hash function H=(Gen,H) is defined as collision
resistant if it limits the ability of adversaries to find
two different inputs that hash to the same output.
Specifically, for every probabilistic polynomial-time
adversary A, there exists a negligible function negl
such that:

This means that the probability of the adversary
successfully finding a collision (i.e., two different
inputs that generate the same hash output) is
UNKEYED HASH FUNCTIONS
Unkeyed cryptographic hash functions are a sub-type of the
cryptographic hash functions. They take input of variable length and
convert it into a fixed-length output, and the length depends on the type
of the function used. The function's output is also known
as MDC (modification detection code). MDC represents the digest of the
data sent as the input. We can further use it to detect any changes in
that data.
5.1.2 WEAKER NOTIONS OF SECURITY
1. Collision resistance. The strongest notion, as
defined earlier.
2. Second preimage resistance. Informally, given a
key s and a string x, it is infeasible for a probabilistic
polynomial-time adversary to find x'≠x such that
H^s(x')=H^s(x).
3. Preimage resistance. Informally, given a key s and
a string y=H^s(x), but not x, for randomly chosen x, it is
infeasible for a probabilistic polynomial-time
adversary to find x'≠x such that H^s
5.2 DOMAIN EXTENSION: THE MERKLE-DAMGARD TRANSFORM
Domain extension of the Merkle-Damgård transform
refers to the process of expanding a hash function that
originally operates on fixed-length input blocks to
accommodate arbitrary-length inputs.
The Merkle-Damgård transform is a widely used method
for constructing hash functions. It transforms a fixed-size
compression function into a hash function suited for
variable-length inputs by using a padding scheme. This
method ensures that arbitrary-length inputs can be
processed by first breaking them down into fixed-size
blocks, which are then processed sequentially.
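The transform described above, as an added example that is not part of the original slides. It assumes the textbook form of the construction (zero padding, a final block encoding the message length, an all-zero IV) and uses truncated SHA-256 as a stand-in fixed-length compression function `h`; the names `md_hash` and `md_hash_no_length` are hypothetical. The second function omits the length block to show why the padding scheme matters.

```python
import hashlib

N = 16                 # bytes per block and per chaining value (toy size, assumption)
IV = b"\x00" * N       # fixed initial chaining value z0

def h(z: bytes, x: bytes) -> bytes:
    """Fixed-length compression function: 2N bytes in, N bytes out.
    Stand-in built from truncated SHA-256, chosen only for illustration."""
    assert len(z) == N and len(x) == N
    return hashlib.sha256(z + x).digest()[:N]

def _blocks(message: bytes) -> list:
    """Zero-pad the message to a multiple of N bytes and split it into blocks."""
    padded = message + b"\x00" * (-len(message) % N)
    return [padded[i:i + N] for i in range(0, len(padded), N)]

def _iterate(blocks: list) -> bytes:
    """Chain the compression function: z_i = h(z_{i-1}, x_i)."""
    z = IV
    for x in blocks:
        z = h(z, x)
    return z

def md_hash(message: bytes) -> bytes:
    """Merkle-Damgard with a final block that encodes the message length."""
    return _iterate(_blocks(message) + [len(message).to_bytes(N, "big")])

def md_hash_no_length(message: bytes) -> bytes:
    """Broken variant: zero padding alone is ambiguous, so collisions are trivial."""
    return _iterate(_blocks(message))

if __name__ == "__main__":
    a, b = b"abc", b"abc\x00"
    print(md_hash_no_length(a) == md_hash_no_length(b))  # padding collision
    print(md_hash(a) == md_hash(b))                      # length block separates them
```
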
CONSTRUCTION 5.3: THE MERKLE-DAMGARD TRANSFORM
5.3 HMAC: HASH-BASED MESSAGE AUTHENTICATION CODE
HMAC (Hash-based Message Authentication Code) is a
specific type of message authentication code that involves a
cryptographic hash function and a secret cryptographic key,
used to verify both data integrity and authenticity of a
message.
The HMAC process involves several key steps. Initially, a
secret key is generated that is shared between the
communicating parties. This key is essential because it allows
both the sender and receiver to produce the same HMAC for
the same message, assisting in validating authenticity. The
formula for computing HMAC is expressed as:
CONSTRUCTION 5.7
HMAC PICTORIALLY
5.4 SMALL-SPACE BIRTHDAY ATTACKS
The small-space birthday attack is an efficient algorithm designed
to find two distinct inputs x and x′ such that the outputs of a hash
function H are equal, i.e., H(x)=H(x′).
BREAKDOWN OF ALGORITHM
5.5 THE RANDOM ORACLE MODEL
Definition: The Random Oracle Model (ROM) is an idealized
framework in cryptography where hash functions are treated as
random functions.
Purpose: Used to prove the security of cryptographic schemes in a
simplified environment, acting as a "black box" for hashing.
Characteristics of Random Oracles:
Black Box Functionality: Responds to each unique query with a
random output selected from its output domain. Returns the same
output for repeated queries.
Interaction: All parties (honest and adversary) query the oracle.
Each query is private and does not reveal previous queries.
Advantages of the Random Oracle Model:
Simplifies Proofs: Provides a method to reason about security properties
of protocols. Allows for the use of standard cryptographic assumptions
alongside random functions.
Practical Validation: A ROM proof can expose design flaws in
cryptographic schemes. Many widely-used cryptographic protocols are
validated under this model (e.g., RSA, signatures).
The Two-Step Methodology:
Design and Prove Security in ROM:
Assumption: A random oracle exists.
Outcome: Security proofs show the system is secure against adversaries
operating in an idealized world.
Instantiate with a Real Hash Function: Replace the random oracle with a
specific cryptographic hash function (e.g., SHA-256). Hope that the
selected function behaves sufficiently like a random oracle to maintain
security.
Limitations of the Random Oracle Model:
No Concrete Existence: Random oracles are theoretical; there’s no
actual implementation of a true random oracle.
Insecurity upon Instantiation: Some schemes secure in the ROM
become insecure when instantiated with any practical hash
function (proven by Canetti, Goldreich, and Halevy).
Difficulty in Evaluation: The process of proving security in the ROM
may not translate to real-world applications.
Applications in Cryptographic Protocols:
Pseudorandom Function Construction:
Example: Using a random oracle as a pseudorandom generator.
Collision Resistance: Random oracles demonstrate that if a
collision happens, its probability is negligible, mimicking true
randomness.
5.5.2 IS THE RANDOM-ORACLE METHODOLOGY SOUND?
Key Question: What does security in the random-oracle model guarantee
for real-world instantiations?
No definitive answer exists; the cryptographic community is divided on
interpretations of proofs in the random-oracle model.
Objections to the Model:
•Lack of Formal Justification: Proofs in the random-oracle model do not
confirm security against real-world implementations using specific hash
functions.
•Limitations of Hash Functions: Concrete hash functions cannot replicate
the true randomness of a random oracle; they can lead to predictable outputs
once their description is known. Adversaries can exploit knowledge of the
hash function to evaluate it independently, diminishing security
guarantees.
SUPPORT FOR THE RANDOM ORACLE MODEL
Relevance in Cryptography: Despite its limitations, the
model has been influential because it enables the design of
efficient cryptographic schemes. Many practical public-key
cryptosystems rely on proofs in the random-oracle
model rather than the standard model.
Benefits of the Random-Oracle Model:
•Heuristic Value: Proofs provide assurance that design flaws are unlikely,
with attacks likely arising from weaknesses in the
instantiated hash function.
•Operational Success: No successful attacks reported against schemes
securely instantiated with appropriate hash functions.
5.6.1 FINGERPRINTING AND DEDUPLICATION
Collision-Resistant Hash Functions (H):
•Serves as a unique identifier for files (hash/digest).
•A collision indicates that two different files have the same hash.
Applications:
Virus Fingerprinting:
•Virus scanners create a database of hashes for known viruses.
•When a new file is scanned, its hash is compared to the database.
•Only the hash (short string) is stored, minimizing overhead.
Data Deduplication:
•Eliminates duplicate data in cloud storage.
•Users upload a file's hash; if it exists, a pointer is
added instead of re-uploading.
•Saves communication and storage space through
efficient management.
Peer-to-Peer (P2P) File Sharing:
•Uses hashed identifiers for files in central server
tables.
•Facilitates file lookup without consuming excessive
memory.
5.6.2 MERKLE TREES
Merkle trees provide a secure and efficient method for verifying
the integrity of multiple files uploaded to a server, allowing clients
to minimize storage requirements.
A Merkle tree is a binary tree where:
•Leaves contain the hashes of individual files x_1, x_2, …, x_t.
•Each internal node contains the hash of its two child nodes.
Advantages of Merkle Trees:
Space Efficiency:
•Instead of storing separate hashes for each file, only the root hash
of the Merkle tree is stored, reducing storage needs to a
logarithmic scale: log(t).
Verification:
•To verify a specific file x_i, the client needs only the root hash and
the hashes along the path from the leaf corresponding to x_i up to
the root, significantly lowering the amount of data required for
verification.
Structure of a Merkle Tree:
Tree Construction:
•For t files, a binary tree is constructed with depth log(t).
•The root of the tree (denoted as MT_t) acts as a compact
representation of all file hashes.
Operation:
•The hash function H combines the hashes of child nodes, ensuring
the efficiency and integrity of the structure.
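An added example, not part of the original slides, of the client/server exchange described above: the client keeps only the root, the server returns a file together with the sibling hashes on its path, and the client recomputes the root. It assumes SHA-256 for H and a file count t that is a power of two; the function names are hypothetical, and the leaf/node prefixes are a hardening step (in the style of RFC 6962) that the slides do not mention.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(files: list) -> list:
    """Return all tree levels, leaves first, root level last."""
    t = len(files)
    assert t > 0 and t & (t - 1) == 0, "example assumes t is a power of two"
    level = [H(b"\x00" + f) for f in files]        # leaf hashes (prefix 0x00)
    levels = [level]
    while len(level) > 1:
        level = [H(b"\x01" + level[i] + level[i + 1])   # internal nodes (prefix 0x01)
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(files: list) -> bytes:
    """The only value the client has to store."""
    return build_levels(files)[-1][0]

def prove_inclusion(files: list, i: int) -> list:
    """Server side: the log2(t) sibling hashes on the path from leaf i to the root."""
    path = []
    for level in build_levels(files)[:-1]:
        path.append(level[i ^ 1])   # sibling of the current node
        i //= 2
    return path

def verify_inclusion(root: bytes, file: bytes, i: int, path: list) -> bool:
    """Client side: recompute the root from the file and the sibling hashes."""
    node = H(b"\x00" + file)
    for sibling in path:
        pair = node + sibling if i % 2 == 0 else sibling + node
        node = H(b"\x01" + pair)
        i //= 2
    return node == root

if __name__ == "__main__":
    files = [b"file-%d" % n for n in range(8)]      # constructed sample files
    root = merkle_root(files)
    proof = prove_inclusion(files, 5)
    print(len(proof), verify_inclusion(root, files[5], 5, proof))
    print(verify_inclusion(root, b"tampered", 5, proof))
```
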
A MERKLE TREE:
5.6.3 PASSWORD HASHING
Password hashing is a security process used to protect user
passwords by converting them into a fixed-size string of
characters, which is typically a hash value.
Importance of Password Hashing
Password Protection:
•Storing passwords in clear text exposes the user to significant
risks; attackers can simply read the password from the hard
drive or servers.
•Hashing passwords (storing hpw = H(pw)) enhances security
by not exposing the original password.
Vulnerabilities in Password Hashing:
Risk of Preimage Attacks:
•If the password space |D| is small, attackers can easily enumerate all
potential passwords and verify with hashes.
•Preimage resistance does not guarantee security against specific
password distributions; it only states the difficulty of inverting hashes in a
uniform space.
Preprocessing Threat:
•Attackers can create large precomputed tables (rainbow tables) to crack
passwords efficiently, even for passwords drawn from larger spaces.
Mitigation Techniques:
Use of Slow Hash Functions:
•Implementing "slow" hash functions or multiple iterations (e.g., applying
H^(I)(pw)) can significantly increase the time it takes for attackers to
attempt brute-force methods without hampering legitimate users.
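An added example, not part of the original slides, contrasting the plain hpw = H(pw) record with an iterated one. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the iterated hash and adds a per-user random salt, which goes beyond the slide text and is the usual counter to precomputed tables; the iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the server's latency budget

def fast_unsalted(pw: str) -> bytes:
    """The weak baseline: one hash call, same output for every user with this password."""
    return hashlib.sha256(pw.encode("utf-8")).digest()

def hash_password(pw: str, iterations: int = ITERATIONS) -> tuple:
    """Store (salt, iterations, derived key) instead of the password."""
    salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return salt, iterations, dk

def verify_password(pw: str, record: tuple) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)

if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    print(fast_unsalted("correct horse") == fast_unsalted("correct horse"))  # identical records
    print(alice[2] == bob[2])                       # salted records differ
    print(verify_password("correct horse", alice))
    print(verify_password("wrong guess", alice))
```
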
5.6.4 KEY DERIVATION
The process of generating a secure, uniformly distributed secret
key from shared information (e.g., passwords or biometric data)
that may not be uniformly distributed.
Why Key Derivation is Needed:
Security Issues:
•Shared information as-is is not secure for cryptographic use.
•Direct use may lead to weak, predictable keys.
Entropy Loss:
•Truncating or mapping shared secrets risks losing entropy,
compromising security.
•Example: A password of 28 uppercase letters (28 × 8 bits = 224
bits) truncated to 128 bits can lead to insufficient randomness.
Password Example:
•A password of 28 characters offers
26^28 > 2^103 combinations.
•ASCII encoding limits the actual key space: first 3
bits of each character fixed (010).
•Resulting key effectively has only about 75 bits of
entropy.
Conclusion:
•Need for a Robust Solution: Effective key derivation
functions are necessary to convert high-entropy,
non-uniform inputs into securely distributed keys
suitable for cryptographic applications.
5.6.5 COMMITMENT SCHEMES
A commitment scheme allows a party (the committer) to commit to a
message m by sending a commitment value com, while achieving two
important properties.
Properties of Commitment Schemes:
•Hiding: The commitment com reveals nothing about the message m to any
observer before it is opened.
•Binding: Once com is sent, it is infeasible for the committer to produce two
different messages m and m′ that could both be opened from the same
commitment com.
Analogy:
•Digital Envelope:
•Think of a commitment scheme as sealing a message in an envelope:
•Privacy: The message remains hidden until the envelope is opened.
•Binding: Once sealed, it cannot be altered without detection.
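An added example, not part of the original slides, of a hash-based commitment com = H(r ‖ m) with a fresh random r, assuming SHA-256 for H; the function names are hypothetical. It also shows why the randomness is needed for hiding: a bare H(m) over a small message space can be matched by hashing each candidate message.

```python
import hashlib
import hmac
import secrets

R_LEN = 32  # bytes of commitment randomness; fixed length keeps r || m unambiguous

def commit(m: bytes) -> tuple:
    """Committer: returns (com, r). Send com now, keep r and m for the opening."""
    r = secrets.token_bytes(R_LEN)
    return hashlib.sha256(r + m).digest(), r

def open_commitment(com: bytes, m: bytes, r: bytes) -> bool:
    """Receiver: accept the opening only if (m, r) hashes to the earlier com."""
    if len(r) != R_LEN:
        return False
    return hmac.compare_digest(hashlib.sha256(r + m).digest(), com)

def commit_without_randomness(m: bytes) -> bytes:
    """Weak variant: binding still holds, hiding does not."""
    return hashlib.sha256(m).digest()

def match_candidate(com: bytes, candidates: list):
    """What any observer can do against the weak variant when messages are guessable."""
    for c in candidates:
        if hashlib.sha256(c).digest() == com:
            return c
    return None

if __name__ == "__main__":
    bids = [b"bid:100", b"bid:200", b"bid:300"]   # constructed small message space
    com, r = commit(b"bid:200")
    print(open_commitment(com, b"bid:200", r))    # honest opening
    print(open_commitment(com, b"bid:300", r))    # changed message is rejected
    print(match_candidate(commit_without_randomness(b"bid:200"), bids))
    print(match_candidate(com, bids))             # randomized commitment: no match
```
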
