CS255Lecture6HashFunctions：CS255讲6hash功能.pptVIP

Jan. 11, 2001 SUCSES Project CS 255 Lecture 6Hash Functions Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen ciphertext attack Attacker’s Goal Discover secret key Decrypt a ciphertext, C* Distinguish two messages Recap- Notions of Security 3x3=9 possible notions of security Strongest system =Semantic security against CCA weakest adversary goal + most adversary power Recap- Semantic Securityof Counter Mode 1) Defined notion of security for block cipher --Indistinguishable from PRP --Formal definition game --Believe this is true for AES… Recap- 2) Prove that if cipher is indist. from Random Permutation then counter mode is semantically secure against CPA attack --Assume counter mode is not ) A breaks it --Build algorithm B that uses algorithm A --Want to show that A’s answer gives B information to play his game Why do we do this? Aren’t we assuming AES, 3DES secure anyway? Why not just make same assumption for mode X? Reduce to simplest assumptions possible Hash Functions Properties Compression Pre-image resistanc: Given y=h(x) difficult to determine x’ s.t. h(x’)=y 2nd preimage resistance: Given x find x’ ? x s.t. h(x) = h(x’) Collision resistance: Find x’ ? x s.t. h(x)=h(x’) Relations If h is collision resistant then h is 2nd order pre-image resistant How do we show this? Reduction—simple here Applications Show three applications and do one together For each one keep in mind what properties we need Password protection Virus protection Worried virus might modify an application Small amount of trusted storage on USB token What properties do we need? Mirror sites distributing software Digital Signatures One party can sign a message M, many parties can verify Contract signing, code signing Raw signature scheme only signs messages ~160 bits What properties do we need? Birthday Attack for Collisions Let r1, … rj 2 [0,1…B] When n=1.2 sqrt(B) then Pr[9 i ? j: ri=rj]