«
»

Encryption and authentication protocols

In case you missed it, a question I asked on this blog way back in lecture 4 has generated a bit of discussion (which I am glad to see!). I’ll try to come up with similar questions on other lectures…

This entry was posted on September 29, 2009 at 3:36 pm and is filed under other. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “Encryption and authentication protocols”

  1. Anonymous Says:
    September 29, 2009 at 7:03 pm | Reply

    I am looking forward to them impatiently.
    In my opinion that kind of questions would be very helpful for learning. As you try to answer a question, your facing with new questions in your minds. Once you are believing that you solved them, if you think a little more, you are facing with new problems and questions. The only question is where is the end of this pleasant journey šŸ™‚

  2. osmugus Says:
    November 16, 2009 at 4:20 pm | Reply

    I think a have found a problem which is quite challenging and similarly important the one in Lecture 4. I think, understanding it helps to really understand hash functions. It may even be an example of a crypto pitfall if the evaluation below is correct.

    In this post (http://www.mail-archive.com/cryptography@metzdowd.com/msg11041.html), a hash construction is proposed as follows.

    C(x) = H1(H1(x) || H2(x))

    The hope is that this construction is is stronger than either of its two underlying hash functions H1 and H2.

    I am not sure, but I would intuitively say that the construction C is just as secure as H1.

    Here is a try for proofing this intuition in which I am not sure:

    let
    y = C(X) = H1(H1(X) || H2(X)) = H1(X’) with X’ = (X’1 || X’2)

    Consider the H1(X’) part of the construction. (|H1|+|H2|)-bit inputs are
    mapped to (|H1|)-bit outputs. This means for every output “y” that are 2^(|
    H2|) possible inputs.

    Now, consider the probability of the following event:

    y = C(K) = H1(H1(K) || H2(K)) = H1(X”).

    This means find a X” hashing to y. There are 2^(|
    H2|) such inputs as shown above.

    Therefore we need to compute the probability

    = Pr[H1(K) = X”1 and H2(K) = X”2]
    = Pr[H1(K) = X”1] * Pr[ H2(K) = X”2]* 2^(|
    H2|)
    = 1/2^(|H1|)

    Obviously, this is equal to the security level of H1.

    Do you have any comments if I am thinking wrong or right?

Leave a reply to osmugus Cancel reply