- One-way: given a hash value h, it is computationally
infeasible to find an M such that
h=H(M).
- If this is not satisfied, it is trivial to find collisions, as
defined below. Moreover,
if the hash function is used only with a secret value (Fig. 8.5e), then an
attacker
with access to M and H(M) can easily find the secret value
S.
A collision is defined as the event that two messages M,
M' have identical hash values
h = H(M) = H(M'). Note that there will be infinitely many collisions
for a given hash value h.
The point is that it should be computationally infeasible to find
one.
- Weak collision resistance: For a given message
M, it is computationally infeasible to find
another message M' such that H(M) = H(M').
- If this is not satisfied, and if the hash value is encrypted (Fig.
8.5b and c), then an attacker
with access to (and ability to change) M and EK
(H(M)) can easily
- regenerate the unencrypted hash value (since the message is
available in plaintext)
- generate a fake message M' with the same hash value
H(M)=H(M')
- "authenticate" M' with the observed encrypted hash value
EK(H(M))
- Note that "computationally infeasible" in this case is on the
order of O(2m) operations, for an m-bit hash value,
since a brute force attack (involving trying different messages until a collision
with the target message is found) takes an
average of 2m-1 tries.
- Strong collision resistance: It is computationally
infeasible to find two messages M and M' such that
H(M) = H(M').
- If this is not satisfied, an attacker can launch the following
attack.
- Suppose that the legitimate sender is willing to sign
(by adding the encrypted m-bit hash value) a message M prepared
by the attacker.
- The attacker generates a set MOK of some
variations of M (with the same semantic content),
- by sneaky techniques (see, for example, Fig. 8.9?), and also
a set MFAKE of some variations.
of a fake message M' (that, presumably, the legitimate sender
would not have signed.)
- If the sizes (some) of the sets MOK
and MFAKE are large enough, then
there is a high probability that the attacker will find a collision between
the sets MOK and MFAKE
, that is a M in MOK and a M'
in MFAKE such that H(M) = H(M')
.
- Then, of course, the attacker will let the sender sign M
with EK(H(M)) , and later replace
the message M with M', while keeping the "signature" EK
(H(M)) with the fake message.
- By the birthday paradox, if the number some is approximately
0.83*2m/2, then the probability of collision is 0.5.
- Thus, modern hash functions have 160 bits