Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
3.1. HASH FUNCTIONS 59<br />
A related application is password verification [125]: passwords are usually<br />
not stored in cleartext, for obvious reasons, but instead in hashed form. To<br />
authenticate a user, the password presented by the user is hashed <strong>and</strong> compared<br />
with the stored hash.<br />
Hash functions are also used in digital signature schemes [175, 139]: for both<br />
security <strong>and</strong> performance reasons, some signature schemes specify that only<br />
the hash <strong>of</strong> the message will be “signed”, <strong>and</strong> not the entire message. Hash<br />
functions can also be used in the generation <strong>of</strong> pseudor<strong>and</strong>om bits [153].<br />
3.1.2 Properties <strong>of</strong> hash functions<br />
Let h be an arbitrary hash function, h : D → R. We present here the three<br />
potential properties (in addition to ease <strong>of</strong> computation <strong>and</strong> compression given in<br />
Definition 34), for h [153]:<br />
Preimage resistance<br />
given a hash y ∈ R, if the correspondant input is not known, it is computationally<br />
infeasible, i.e. it takes too long (hundreds <strong>of</strong> years) to compute<br />
using the fastest <strong>of</strong> super computers, to find any input x ∈ D such that<br />
h(x) = y. This concept is related to that <strong>of</strong> one way function.<br />
Second preimage resistance<br />
given an input x ∈ D, it is computationally infeasible to find another input<br />
x ′ ∈ D such that x ′ �= x <strong>and</strong> h(x ′ ) = h(x). This property is sometimes<br />
referred to as weak collision resistance.<br />
Collision resistance<br />
it is computationally infeasible to find two distinct inputs x, x ′ ∈ D such<br />
that h(x ′ ) = h(x). This property is sometimes referred to as strong collision<br />
resistance.<br />
We say that a hash function is vulnerable to respectively preimage attacks, second<br />
preimage attacks, <strong>and</strong> collision attacks if it lacks respectively preimage resistance,<br />
second preimage resistance <strong>and</strong> collision resistance property. We say also that<br />
a hash function is respectively one-way, second-preimage resistant <strong>and</strong> collision resistant<br />
hash function if it is a hash function as per definition 34 with respectively<br />
the following properties: preimage resistance, second preimage resistance <strong>and</strong><br />
collision resistance property.<br />
In [153], the authors showed the following relationships between properties<br />
<strong>of</strong> hash functions given above:<br />
• collision resistance implies second-preimage resistance <strong>of</strong> hash functions;<br />
• collision resistance does not guarantee preimage resistance;<br />
• preimage resistance does not guarantee second-preimage resistance.