Sponge Construction and Blind Tag Guessing

Questions and Answers

During the absorbing phase of sponge construction, how does the size of 'r' (bits) affect the number of permutation calls, assuming the message length remains constant?

• Smaller 'r' results in fewer permutation calls.
• The number of permutation calls is directly proportional to 'r'.
• Larger 'r' results in fewer permutation calls. (correct)
• Larger 'r' results in more permutation calls.

If you know a message m and want to guess a tag t such that MAC_k(m) = t without knowing the key k, how does the length of the MAC tag in bits impact the probability of success?

• The probability decreases exponentially with the tag length. (correct)
• The probability increases exponentially with the tag length.
• The probability remains constant regardless of the tag length.
• The probability increases linearly with the tag length.

In the context of the Birthday Paradox, what is the primary objective when trying to find a collision regarding MAC (Message Authentication Code) values?

• Finding any two messages that produce the same MAC value. (correct)
• Finding a specific tag for a given message.
• Finding a message that produces a pre-determined MAC value.
• Finding a message with a MAC value equal to its hash.

According to the Birthday Paradox, how does the length of the MAC tag, denoted as t bits, influence the number of queries needed to find a collision?

The number of queries increases exponentially with t/2. (A)

Why is MD5 considered 'broken' in the context of cryptographic hash functions?

Practical collision attacks exist, making it insecure. (D)

What critical flaw led to SHA-1 being deemed insecure, similar to the issues found in MD5?

Practical collision attacks have been demonstrated. (A)

What distinguishes the SHA-2 series from SHA-1 in terms of cryptographic design and security objectives?

SHA-2 is a reinforced version of SHA-1, specifically redesigned to be more resistant to known attacks. (D)

What design feature of the Merkle-Damgård construction makes it susceptible to length-extension attacks?

Its method of sequentially processing input blocks based on the previous block's output. (D)

How does the Davies-Meyer construction function in the context of creating a compression function for hash algorithms?

It converts a block cipher into a compression function by XORing the encrypted input chaining variable with the input chaining variable itself. (C)

What is the critical implication of a cryptographic hash function being collision-resistant regarding its ability to prevent second preimage attacks?

Collision resistance does not necessarily imply second preimage resistance. (B)

In cryptographic terms, what does 'collision resistance' specifically ensure within a hashing algorithm?

It is computationally infeasible to find any two distinct inputs that produce the same hash value. (B)

How does 'second preimage resistance' in a cryptographic hash function differ fundamentally from 'collision resistance'?

Second preimage resistance is about finding a different input that collides with a given input, while collision resistance allows you to choose both inputs freely to find a collision. (A)

If a full Merkle-Damgård hash function, denoted as h, is considered collision-resistant, what condition must be true of its compression function F?

F must be collision-resistant. (B)

What is the essential difference between a cryptographic 'primitive' and a 'construction' in the context of building larger cryptographic systems?

A primitive is a basic building block designed to be used by other constructions, while a construction is a method to build something bigger from primitives. (A)

Why is SHA-2 classified as a cryptographic 'primitive' despite being internally built using the Merkle-Damgård construction?

SHA-2 is considered a primitive because it is used 'as-is' directly in protocols and applications without further construction by the user. (A)

According to the definitions provided, what is a Pseudorandom Permutation (PRP)?

A function that is computationally indistinguishable from a truly random permutation when given only forward queries. (D)

What are the key characteristics that define PRP (Pseudorandom Permutation) security?

The adversary only requires encryption, not decryption, and has access to the encryption function, but not necessarily the inverse. (C)

When is it essential to utilize SPRP (Strong Pseudorandom Permutation) security instead of just PRP?

When the inverse function (decryption) is used, as is common in MACs and certain modes of operation. (A)

Why does CBC-MAC (Cipher Block Chaining Message Authentication Code) directly necessitate access to decryption capabilities, as highlighted within the SPRP security model?

To facilitate the appropriate generation of message authentication tags, which depends on inverse operations. (A)

In the context of sponge construction phases, how is the output generated during the squeezing phase if the required output length (n) exceeds the bit rate (r)?

The permutation function is applied iteratively on the internal state to generate r bits at a time until the required n bits are produced. (D)

How is the value of $1/2^{48}$ related to the probability of success?

It is used as the success probability per guess when the MAC tag is 48 bits long. (A)

Which characteristic makes Merkle–Damgård vulnerable to length-extension attacks?

The iterative mode of the encryption. (A)

What is the output size (digest) of the SHA-1 hash function?

160 bits (B)

What is the primary purpose of the Merkle-Damgård iteration mode in hash function design?

To build a variable-length hash function from a fixed-size compression function. (C)

What is the formula that describes the Davies-Meyer construction?

$F(h,m) = E_m(h) \oplus h$ (B)

The number of hash functions included in SHA-2 series is...

6 (C)

Given an input x, which of the following statements best describes second preimage resistance?

It is hard to find another input x´ ≠ x such that h(x) = h(x´). (B)

CBC-MAC requires....

access to decryption (B)

What is the digest size of MD5?

128 bits (C)

Flashcards

Absorbing phase in sponge construction

The input message is processed in blocks of r bits; each block undergoes a permutation once.

Squeezing phase in sponge construction

Output generated in r-bit chunks, applying the permutation for each needed output exceeding r.

Blind Tag Guessing

Guessing a message's tag without knowing the key, but not looking for a collision, aiming only to guess the correct tag for a given message.

Birthday Paradox in MACs

When trying to find any two messages m1, m2 that produce the same MAC tag.

MD5

Designed by Ron Rivest in 1991, produces a 128-bit digest, but is now considered broken due to collision attacks.

SHA-1

Inspired by MD5 but designed by the NSA, produces a 160-bit digest, but is no longer considered secure due to practical collision attacks.

SHA-2 Series

Reinforced versions of SHA-1 that includes six hash functions and varies from 224 to 512 bits.

Merkle-Damgård iteration mode

Splits the message into blocks and processes them sequentially, with each depending on the previous.

Compression function F

The core function used in Merkle-Damgård constructions, it's based on a block cipher-like structure.

Davies-Meyer Construction

A way to turn a block cipher into a compression function.

Collision Resistance

It's hard to find any two inputs that cause a has function to output the same result.

Second Preimage Resistance

Given a specific input, it is hard to find a different input that produces the same hash output.

Why collision resistance doesn't imply second preimage resistance

Collision resistance finds any two messages that collide freely, but second preimage resistance involves finding a second message that collides with a given one.

Primitive

A basic cryptographic building block designed for use by other constructions.

Construction

A method to build something bigger from primitives.

SHA-2 as a primitive

SHA-2 is a hash function that is already packaged and ready to use.

Pseudorandom Permutation (PRP)

A function that is computationally indistinguishable from a truly random permutation when given only forward queries.

Strong PRP(SPRP) security

Extends PRP by requiring the function to be indistinguishable even with access to encryption and decryption functions.

Study Notes

• Sponge construction phases:
  • Absorbing phase: Input message absorbed in blocks of r bits, permutation applied to each block once, and the number of permutation calls is ceil(message_length / r).
  • Squeezing phase: Output generated r bits at a time by applying the permutation, but only if more output is needed (n > r).
• In sponge construction, r determines performance, where larger r means few permutation calls.
• Blind tag guessing:
  • You have a message m and want to guess tag t such that MACK(m) = t, without knowing the key K, and you want to avoid collisions, so you only hope to guess the correct tag for a given m.
  • If the MAC tag is t bits long (e.g., 48 bits), then the success probability per guess is 1/2^t (e.g. 1/2^48).
  • The security strength is t bits, not t/2.
• Birthday Paradox:
  • It applies when trying to find any two messages m1, m2 such that MACK(m1) = MACK(m2) (collision).
  • Not targeting a specific tag, just looking for any two that match.
  • The number of queries until a collision is approximately 2^(t/2), leading to a security strength of t/2 bits.
• MD5 (Ron Rivest, 1991):
  • Designed by Ron Rivest, one of the inventors of RSA, based on MD4, Produces a 128-bit digest.
  • It is known to be broken (collision attacks exist, not secure anymore).
• SHA-1 (NIST, 1995):
  • Inspired by MD5, but designed by the NSA, and it follows SHA-0, an earlier version.
  • Produces a 160-bit digest, and is no longer considered secure.
• SHA-2 Series (NIST, 2001 and 2008):
  • Reinforced versions of SHA-1 designed to resist known attacks, and includes 6 hash functions
  • Output lengths vary from 224 to 512 bits.
  • It is currently considered secure, but SHA-3 is now recommended for future-proofing.
• Internals of MD5, SHA-1 and SHA-2:
  • All use Merkle-Damgård iteration mode, which builds a variable-length hash function from a fixed-size compression function, by splitting the message into blocks and processing them sequentially.
  • Use compression function (F).
  • In SHA-1 and SHA-2, F is based on a block cipher-like structure using Davies-Meyer mode.
  • Davies-Meyer construction turns a block cipher into a compression function: F(h,m) = E_m(h) XOR h, where E_m(h) is the block cipher encryption of h using m as the key.
• Do MD5, SHA-1, and SHA-2 all use Merkle–Damgård?
  • Yes, and all three families follow the Merkle-Damgård paradigm making them vulnerable to length-extension attacks.
• Hash Algorithm Summary
  • MD5: 128 bits, uses Merkle-Damgård, Broken.
  • SHA-1: 160 bits, uses Merkle-Damgård, Broken.
  • SHA-2: 224-512 bits, uses Merkle-Damgård, secure (as of now).
• Collision resistance does not necessarily imply second preimage resistance.
• Definitions:
  • Collision resistance: It is hard to find any two inputs x != x' such that h(x) = h(x').
  • Second preimage resistance: Given a specific input x, it is hard to find a different input x != x such that h(x) = h(x').
• Collision resistance is about finding any two messages that collide – you get to choose both freely.
• Second preimage resistance is about being given a specific message initially, and then trying to find a second one that collides with it.
• Implication Hierarchy: Strongest to Weakest
  • Preimage resistance
  • Second preimage resistance
  • Collision resistance
• Collision resistance does not imply second preimage resistance, but second preimage resistance does imply collision resistance.
• Security guarantee of the Merkle–Damgård construction: If the compression function F is collision-resistant, then the full Merkle–Damgård hash function h is also collision-resistant.
• What's the difference between a primitive and a construction?
  • Primitive = a basic cryptographic building block, designed to be used by other constructions.
  • Construction = a method or recipe that builds something bigger (like a hash function, MAC, stream cipher, etc.) from primitives.
• SHA-2 Primitive:
  • Although SHA-2 (like SHA-256 or SHA-512) is built internally using a construction, from a higher-level perspective, SHA-2 is a hash function that is already packaged and ready to use.
  • Internally, SHA-2 uses constructions - but as a whole, it's a standardized hash function primitive used in protocols, applications, digital signatures, etc.
• SHA-2 is a primitive, meaning:
  • It is used directly in real-world protocols like TLS, Bitcoin, HMAC, etc.
  • It takes variable-length input and produces a fixed-length digest.
  • You don't "build" SHA-2 yourself (you use it as-is, as a black-box function with known security properties).
• When you build a hash function using the Merkle-Damgård construction, you are composing a new function from:
  • A compression function F
  • Padding
  • Iteration logic
• Merkle–Damgård construction is more like a recipe to make something, while SHA-2 is the store-bought product.
• "PRP (Pseudorandom Permutation Security)":
  • A pseudorandom permutation (PRP) is a function that is computationally indistinguishable from a truly random permutation when given only forward queries.
  • A block cipher E:{0,1}^k x {0,1}^n -> {0,1}^n is PRP if, for any efficient adversary, distinguishing between Ek(.) (where k is a secret key) and a random permutation is computationally infeasible.
  • The adversary has access to the encryption function Ek(x) (forward direction).
  • PRP security does not require that the adversary is given access to the inverse function Ek^-1(y).
  • PRP security does not require that the adversary is given access to the inverse.
• PRP example: Counter (CTR) mode and Output Feedback mode (stream modes).
• Secure PRP (SPRP) Security:
  • A strong SPRP extends PRP by requiring that the function is indistinguishable from a random permutation, only if the adversary os given access to both encryption and decryption funcions.
  • A block definition E:{0,1}^k x {0,1}^n -> {0,1}^n is SPRP, if for any efficient adversary with access to both Ek(.), Ek^-1(.), distinguishing it from a truly random permutation is computationally infeasible.
• When the inverse function (decryption) is used, which is common in MACs and some modes, SPRP security is needed.
  • CBC MAC requires access to decryption.
  • CMC, EMAC