Hash Functions and MACs

Question 1

Explain what Preimage resistance is.

Answer 1

A function is preimiage resistant if it is very time consuming to find the input of the output.

Question 2

Explain what second preimage resistance is.

Answer 2

Given a hash function described as H(x)=y, it should be hard to find a value of x’ such that H(x’) = H(x) = y.
hard -> not thesible.

Question 3

Explain what collision resistance is.

Answer 3

Given a hash function H, it should be inthesible to find two values (x1, x2) such that H(x1) = H(x2).

Question 4

Explain what HI-CR security

Answer 4

Human ignorance collision resistant, means that it is not thesible for the adversary to win the collision resistant security game.

it obviously it possible to find collisions for any compression function, hence we assume human ignorance. This means it is not thesible to occur.

Question 5

When is padding required?

Answer 5

When a (hash) function takes a fixed length input value.

Question 6

Explain padding method 0, and why it is not practical.

Answer 6

Method 0 appends zeros to the end of your message:
m1 || 0*
This is not practical as the receiver will have no clue if padding was even applied and how many zeros were appended.

Question 7

Explain padding method 1, and if it is practical.

Answer 7

Method 1 appends a single 1, and then zeros to the end of your message:
m1 || 1 || 0*

It is practical, as we know can determine the lenght of the padding

Question 8

Explain padding method 2, and if it is practical.

Answer 8

Method 2 appends the 64 bit encoded length of the message |m| = L, if fills the space by inserting a single 1, and then zeros between the lenght and message. :
m1 || 1 || 0* || {L}^64

It is practical, as we know can determine the lenght of the padding, however at least 65 bits need to be padded.

Question 9

Explain padding method 3, and if it is practical.

Answer 9

Method 3 appends the 64 bit encoded length of the message |m| = L:
m1 ||0* || {L}^64

It is practical, as we know can determine the lenght of the padding, however at least 64 bits need to be padded.

Question 10

Explain padding method 4, and if it is practical.

Answer 10

Method 4 appends a single 1, and then zeros between the lenght and message. Then it concludes by appending a 1 again :
m1 || 1 || 0* || 1

It is practical, as we know can determine the lenght of the padding. And padding lenght only needs to be at least 2.

Question 11

What abreviation is MD

Answer 11

Merkle-Damgard construction

Question 12

What general problem does MD solve? And how does it achieve this?

Answer 12

Input message of function can now be of abritrary length.

It achieves this by deviding the input values into smaller blocks and performs sequential operations (with fixed input length) on these blocks, such that only the last block needs to be padded

Question 13

Explain the notation MD[f_k, s]

Answer 13

f is the sequential operation function used in the MD construction (with optional key k subscript). s is the initial state for the first operation (similar to IV)

f is public, k and s are secret.

Question 14

Explain how the birthday paradox can be applied to find collisions.

Answer 14

The birthday paradox states that when two elements are drawn from the Domain, that after sqrt(n) calls a collision could be expected.
This means that for an hash function with 128 bits output, only sqrt(2^128) = 2^64 calls would be needed. This suddenly becomes thesible to do so.

Question 15

How did Yuval propose meaningful birthdaying?

Answer 15

He proposes that we first need to find two meaningful message m1 and m2, and identify 2/n bits in each message that could be changed individually, witout changing the meaning of the message. Then we can randomly select a version of m1 and m2 in order to find a collision, as both domains have a size of 2^(n/2).

Question 16

What is naive implementation in birthdaying?

Answer 16

store 2^(n/2) possible messages for m1, and the same for m2. And check all 2 pairs for a match.

Question 17

What is a less naive implementation in birthdaying?

Answer 17

store 2^(n/2) possible messages for m1, and the same for m2. Store all hashes for m1, and see if the hash for m2 is in that list.

Question 18

Why is a keyed Hash function generally not safe using MD?

Answer 18

Note: MD is an unkeyed hash method, so key must be concatenated to message.

Lets asume fixed s and fixed function f and message m is known. If the adversary can ask the oracle t = MD[fk, s] (k || m || pad) then t is basically the state after all iterations. Hence the adversary it can construct m’ in the form m || pad || m’ such that it is able to construct the valid keyed hash of that message without knowing the key.

Question 19

Explain how NMAC works.

Answer 19

It uses two keys, k1 and k2, and applies nested hashing.
So the result of the “inner” hash function is used as input of the “outer” hash function.
MD[f, k2]( MD[f, k1] ( m ) ).

Important detail is that the key is concatenated after the message when hashed, such that no valid messages could be computed.
f ( m || pad || k1)

Question 20

How can HMAC be constructed from NMAC

Answer 20

HMAC _ k (m) = H( k XOR opad || H( k XOR ipad ||m ) )

Where H = MD[f, IV] with fixed f and fixed IV.

Question 21

Is a block cipher as MAC secure?

Answer 21

Generally no, due to padding issues:

consider known pairs (m, t) and (m’, t’).
Then we know that message m’’ = (m || (m1’ XOR t) || m’2 …) then m’’ has valid tag t’. Hence we’ve computed a collision.

Question 22

How can a secure MAC be created using block ciphers?

Answer 22

We encrypt the result of the blockcipher MAC with a second key.

EMAC (m) = encr(CBC-MAC (m, k1), k2)