Acknowledgement
A tribute to Katz J, Lindell Y. Introduction to Modern Cryptography [M]. Chapman and Hall/CRC, 2014. The authorized edition of the book is recommended.
4.10 Provide formal definitions for second pre-image resistance and pre-image resistance. Formally prove that any hash function that is collision resistant is second pre-image resistant, and that any hash function that is second pre-image resistant is pre-image resistant.
The second pre-image finding experiment:
- A key $s$ is generated by running $\mathsf{Gen}(1^\lambda)$. Pick $x \gets \mathcal{X}$ uniformly at random.
- The adversary $\mathcal{A}$ is given $s$ and $x$ and outputs $x'$.
- $\mathcal{A}$ wins the game iff $x \neq x'$ and $H^s(x) = H^s(x')$.
(Definition). A hash function $\Pi = (\mathsf{Gen}, H)$ is second pre-image resistant if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that
$$\mathrm{Pr}[\mathcal{A} ~ \text{wins}] \leq \mathsf{negl}(\lambda).$$
Note that the definition above uses the domain symbol $\mathcal{X}$ in place of $\{0,1\}^*$ or $\{0,1\}^{\ell'(\lambda)}$, so it does not matter whether $\Pi$ takes fixed-length or arbitrary-length input. Also, since the value $s$ is already given to $\mathcal{A}$, it can compute $H^s(\cdot)$ itself, and no additional oracle $\mathcal{O}$ needs to be provided.
The pre-image finding experiment:
- A key $s$ is generated by running $\mathsf{Gen}(1^\lambda)$. Pick $y \gets \{0,1\}^{\ell(\lambda)}$ uniformly at random.
- The adversary $\mathcal{A}$ is given $s$ and $y$ and outputs $x$.
- $\mathcal{A}$ wins the game iff $H^s(x) = y$.
(Definition). A hash function $\Pi = (\mathsf{Gen}, H)$ is pre-image resistant if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that
$$\mathrm{Pr}[\mathcal{A} ~ \text{wins}] \leq \mathsf{negl}(\lambda).$$
The proofs are omitted.
4.11 Let $(\mathsf{Gen}_1, H_1)$ and $(\mathsf{Gen}_2, H_2)$ be two hash functions. Define $(\mathsf{Gen}, H)$ so that $\mathsf{Gen}$ runs $\mathsf{Gen}_1$ and $\mathsf{Gen}_2$ to obtain keys $s_1$ and $s_2$, respectively. Then define $H^{s_1, s_2}(x) = H^{s_1}(x) \| H^{s_2}(x)$.
- Prove that if at least one of $(\mathsf{Gen}_1, H_1)$ and $(\mathsf{Gen}_2, H_2)$ is collision resistant, then $(\mathsf{Gen}, H)$ is collision resistant.
- Determine whether an analogous claim holds for second pre-image resistance and pre-image resistance, respectively. Prove your answer in each case.
Suppose $(\mathsf{Gen}, H)$ is not collision resistant. Then there is a pair $(x, x')$ with $H_1^{s_1}(x) \| H_2^{s_2}(x) = H_1^{s_1}(x') \| H_2^{s_2}(x')$, i.e. $H_1^{s_1}(x) = H_1^{s_1}(x')$ and $H_2^{s_2}(x) = H_2^{s_2}(x')$. This amounts to finding a collision for $(\mathsf{Gen}_1, H_1)$ and a collision for $(\mathsf{Gen}_2, H_2)$ at the same time, which contradicts the premise. Hence the assumption fails and $(\mathsf{Gen}, H)$ is collision resistant.
A formal security reduction needs to show that
$$\mathrm{Pr}[\mathcal{A} ~ \text{wins}] \leq \mathrm{Pr}[(\mathcal{A} ~ \text{wins}) \land (H_1 ~ \text{is collision resistant})] + \mathrm{Pr}[(\mathcal{A} ~ \text{wins}) \land (H_2 ~ \text{is collision resistant})] \leq \mathsf{negl}_1(\lambda) + \mathsf{negl}_2(\lambda),$$
but the formal reduction itself is omitted here.
Suppose $(\mathsf{Gen}, H)$ is not second pre-image resistant. Then, given $x$, one can find $x'$ with $H_1^{s_1}(x) \| H_2^{s_2}(x) = H_1^{s_1}(x') \| H_2^{s_2}(x')$, which amounts to finding, for the given $x$, a second pre-image for $(\mathsf{Gen}_1, H_1)$ and a second pre-image for $(\mathsf{Gen}_2, H_2)$. This contradicts the premise, so the assumption fails and $(\mathsf{Gen}, H)$ is second pre-image resistant.
Concretely, one needs to show that
$$\mathrm{Pr}[\mathcal{A} ~ \text{wins}] \leq \mathrm{Pr}[(\mathcal{A} ~ \text{wins}) \land (H_1 ~ \text{is second pre-image resistant})] + \mathrm{Pr}[(\mathcal{A} ~ \text{wins}) \land (H_2 ~ \text{is second pre-image resistant})] \leq \mathsf{negl}_1(\lambda) + \mathsf{negl}_2(\lambda),$$
We first show $\mathrm{Pr}[(\mathcal{A} ~ \text{wins}) \land (H_1 ~ \text{is second pre-image resistant})] \leq \mathsf{negl}_1(\lambda)$. Suppose a PPT adversary $\mathcal{A}_1$ tries to win the second pre-image game for $H_1$; it is coded as follows:
- Obtain $s_1$ from $\mathcal{C}_1$, compute $s_2 \gets \mathsf{Gen}_2(1^\lambda)$, pick $x \gets \mathcal{X}$ uniformly at random, and hand $s_1$, $s_2$ and $x$ to $\mathcal{A}$.
- Obtain $x'$ from $\mathcal{A}$. If $x' \neq x$ and $H_1^{s_1}(x) = H_1^{s_1}(x')$, submit $x'$ to $\mathcal{C}_1$; otherwise output $\perp$.
Suppose $\mathcal{A}$ wins the second pre-image game for $H$ with non-negligible probability, and analyse the probability that $\mathcal{A}_1$ wins the second pre-image game for $H_1$. Since the domain is $\{0,1\}^{\ell'(\lambda)}$ and the range is $\{0,1\}^{\ell(\lambda)}$, by the pigeonhole principle a uniformly chosen $x$ has a second pre-image with probability at least $1 - 2^{\ell(\lambda) - \ell'(\lambda)}$. Let $y = H_1^{s_1}(x)$ and let $c_y$ be the number of pre-images of $y$. Since $x$ is chosen uniformly, each of these $c_y$ pre-images is equally likely to be the one drawn, so $\mathrm{Pr}[x = x'] = 1/c_y$. The probability that $\mathcal{A}$ does not output $\perp$ is therefore at least
$$\left(1 - \frac{2^{\ell(\lambda)}}{2^{\ell'(\lambda)}}\right) \cdot \frac{c_y - 1}{c_y},$$
and this quantity multiplied by a non-negligible function is still non-negligible. Since $\mathcal{A}$ was assumed to win the second pre-image game for $H$ with non-negligible probability, $\mathcal{A}_1$ wins the second pre-image game for $H_1$ with non-negligible probability, which contradicts the condition that $H_1$ is second pre-image resistant. Hence the assumption fails, and the probability that $\mathcal{A}$ wins the second pre-image game for $H$ is negligible.
Similarly, it is easy to show $\mathrm{Pr}[(\mathcal{A} ~ \text{wins}) \land (H_2 ~ \text{is second pre-image resistant})] \leq \mathsf{negl}_2(\lambda)$.
The proof for pre-image resistance is analogous.
4.12 Let $(\mathsf{Gen}, H)$ be a collision-resistant hash function. Is $(\mathsf{Gen}, \hat{H})$ defined by $\hat{H}^s(x) \overset{\text{set}}{=} H^s(H^s(x))$ necessarily collision resistant?
Suppose $(\mathsf{Gen}, \hat{H})$ is not collision resistant. Then one can find $(x_1, x_2)$ with $\hat{H}^s(x_1) = \hat{H}^s(x_2)$. Write $h_1 = H^s(x_1)$ and $h_2 = H^s(x_2)$; there are two cases: (1) $h_1 = h_2$, or (2) $h_1 \neq h_2$. In case (1), $(x_1, x_2)$ is a collision for $(\mathsf{Gen}, H)$; in case (2), $(h_1, h_2)$ is a collision for $(\mathsf{Gen}, H)$. In either case a collision for $(\mathsf{Gen}, H)$ is found, which contradicts the premise, so the assumption fails.
A formal security reduction needs to show that
$$\begin{aligned} \mathrm{Pr}[\mathcal{A} ~ \text{wins}] &= \mathrm{Pr}[(\mathcal{A} ~ \text{wins}) \land (h_1 ~ \text{is equal to} ~ h_2)] + \mathrm{Pr}[(\mathcal{A} ~ \text{wins}) \land (h_1 ~ \text{isn't equal to} ~ h_2)] \\ &\leq \mathsf{negl}_1(\lambda) + \mathsf{negl}_2(\lambda). \end{aligned}$$
4.15 For each of the following modifications to the Merkle-Damgård transform, determine whether the result is collision resistant or not. If yes, provide a proof; if not, demonstrate an attack.
- Modify the construction so that the input length is not included at all (i.e., output $z_B$ and not $z_{B+1} = h^s(z_B \| L)$).
- Modify the construction so that instead of outputting $z = h^s(z_B \| L)$, the algorithm outputs $z_B \| L$.
- Instead of using a fixed $IV$, choose $IV \gets \{0,1\}^n$ and define $z_0 := IV$. Then set the output to be $IV \| h^s(z_B \| L)$.
- Instead of using an $IV$, just start the computation from $x_1$. That is, define $z_1 := x_1$ and then compute $z_i := h^s(z_{i-1} \| x_i)$ for $i = 2, \dots, B+1$ and output $z_{B+1}$ as before.
- Instead of using a fixed $IV$, set $z_0 := L$ and then compute $z_i := h^s(z_{i-1} \| x_i)$ for $i = 1, \dots, B$ and output $z_B$.
Key point. The proof of THEOREM 4.14 splits into two cases: ① $L \neq L'$; or ② $L = L'$.
Part (1): note that the hash value carries no information about the length $L$ at all, since $z_B$ is output directly. When $L \neq L'$, the key step $h^s(z_B \| L) = h^s(z'_B \| L')$ is lost, so Case 1 can no longer be reduced correctly (see the original text in the book); intuitively, the scheme is not collision resistant. We now analyse concretely why it is not. Recall that when the length of $m$ is not a multiple of $n$, it is padded with $0$s. Without the agreed length $L$, the messages $m = 0^{\ell(n)-1}$ and $m' = 0^{\ell(n)}$ have identical hash values $z_B$ and $z'_B$ (if $z_{B+1}$ were computed as well, the final hash values would differ because the lengths $L$ differ).
Part (2): the scheme is collision resistant. Recall that the proof of THEOREM 4.14 has two cases. When $L$ is output directly as part of the hash value, an adversary's attack can only correspond to the second case of that proof, namely $L = L'$ (the first case need not be considered at all: two messages of different lengths necessarily get different hash values under this scheme, so that case yields no collision). It is already known that the adversary succeeds in that case only with negligible probability, so the scheme is collision resistant. Although collision resistant, its hash length is twice that of the original scheme.
Part (3): the scheme is collision resistant; the proof is similar to that of THEOREM 4.14 (the book already hints: "The value $z_0$ used in step 2 of Construction 4.13 is arbitrary and can be replaced by any constant."). Although collision resistant, generating the random value is too costly (cryptographic random generation is time-consuming).
Part (4): the scheme is collision resistant; the proof is similar to that of THEOREM 4.14.
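As an added illustration (not from the book or the original post), a toy Merkle-Damgård over a constructed compression function $h^s$ (SHA-256 of $s\|\text{input}$ truncated to $n = 8$ bytes) checks the claims of parts (1) and (2): with zero padding and no length block, $0^{\ell-1}$ and $0^{\ell}$ collide, while both $h^s(z_B \| L)$ and $z_B \| L$ separate them. Byte granularity is an assumption here, so the shorter message is one byte rather than one bit shorter.

```python
import hashlib

N = 8  # block length and chaining-value length of the toy construction, in bytes

def h(s: bytes, inp: bytes) -> bytes:
    """Toy keyed compression function h^s: {0,1}^{2n} -> {0,1}^n. Constructed here
    as SHA-256 of s||inp truncated to n bytes; the key s is public, as in the book."""
    assert len(inp) == 2 * N
    return hashlib.sha256(s + inp).digest()[:N]

def zero_pad(m: bytes) -> bytes:
    """Pad m with 0 bytes up to a multiple of the block length (the padding of
    Construction 4.13, before the length block L is appended)."""
    return m + bytes((-len(m)) % N)

def md_chain(s: bytes, m: bytes, iv: bytes = bytes(N)) -> bytes:
    """Run the chaining steps z_i = h^s(z_{i-1} || x_i) over the padded blocks
    and return z_B (no length block)."""
    padded = zero_pad(m)
    z = iv
    for i in range(0, len(padded), N):
        z = h(s, z + padded[i:i + N])
    return z

def md_no_length(s: bytes, m: bytes) -> bytes:
    """Variant (1) of exercise 4.15: output z_B directly; the length L never enters."""
    return md_chain(s, m)

def md_standard(s: bytes, m: bytes) -> bytes:
    """Construction 4.13: output z_{B+1} = h^s(z_B || L), L = bit length of m."""
    L = (8 * len(m)).to_bytes(N, "big")
    return h(s, md_chain(s, m) + L)

def md_append_length(s: bytes, m: bytes) -> bytes:
    """Variant (2) of exercise 4.15: output z_B || L instead of h^s(z_B || L)."""
    return md_chain(s, m) + (8 * len(m)).to_bytes(N, "big")

def padding_ambiguity(s: bytes) -> dict:
    """The pair from the solution text: m = 0^{l-1} vs m' = 0^l (here l = 8n bits,
    so m is one byte shorter). Both pad to the same single block of zeros."""
    m, m_prime = bytes(N - 1), bytes(N)
    return {
        "no_length_collides": md_no_length(s, m) == md_no_length(s, m_prime),
        "standard_collides": md_standard(s, m) == md_standard(s, m_prime),
        "append_length_collides": md_append_length(s, m) == md_append_length(s, m_prime),
    }

if __name__ == "__main__":
    print(padding_ambiguity(b"constructed-public-key-s"))  # only no_length_collides is True
```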
Part (5): the scheme is collision resistant. The proof idea is as follows:
① When $L \neq L'$: if $z_1 = z'_1$, a collision for $h$ is found directly; otherwise there must exist an $i$ with $z_i \neq z'_i$ but $z_{i+1} = z'_{i+1}$, which again yields a collision for $h$, contradicting the premise that $h$ is collision resistant.
② When $L = L'$: there must exist an $i$ with $x_i \neq x'_i$, and then for some $j \geq i-1$ there must be $z_j \neq z'_j$ but $z_{j+1} = z'_{j+1}$, which yields a collision for $h$.
This scheme is collision resistant, and for $h:\{0,1\}^{2\ell(n)}\to\{0,1\}^{\ell(n)}$ it appears that $H$ saves one hash computation and is therefore better than the original scheme. But consider the following situation: the domain of the hash function $h$ is $\{0,1\}^{\ell(n)+c}$ with $c > \ell(n)$. Then, compared with the new scheme, the original scheme can handle longer messages, because each $x_i$ is a bit string of length $c$ and the encoding of the total length $L$ is also a bit string of length $c$.
4.17 Before HMAC was invented, it was quite common to define a MAC by $\mathsf{Mac}_k(m) = H^s(k \| m)$ where $H$ is a collision-resistant hash function. Show that this is not a secure MAC when $H$ is constructed via the Merkle-Damgård transform.
Hint. Use $\mathsf{Mac}_k(m)$ to construct a valid tag on a particular longer message $m'$. Note that Merkle-Damgård appends the length of the message to the end of the (padded) input string; you'll need to figure out how to get around that.
Query the oracle $\mathcal{O}_{\mathsf{Mac}}(\cdot)$ to obtain the tag $\tau_x$ of a message $x = x_1 \| \dots \| x_B$. Since $s$ is public, one can then compute a valid forgery $\tau^*$ for any message of the form $m^* = x \| L_x \| y$ (where $y = y_1 \| \dots \| y_c$). HMAC rules out this attack by mixing $k \oplus \mathsf{opad}$ into the final hash layer.
5.13 Show how to find a collision in the Merkle tree construction if $t$ is not fixed. Specifically, show how to find two sets of inputs $x_1, \dots, x_t$ and $x'_1, \dots, x'_{2t}$ such that $\mathcal{MT}_t(x_1, \dots, x_t) = \mathcal{MT}_{2t}(x'_1, \dots, x'_{2t})$.
The idea is simple, as shown in the figure below: