
MILITARY TECHNICAL ACADEMY

FACULTY OF INFORMATION TECHNOLOGY


--------O0O--------

ASSIGNMENT FOR THE COURSE
CRYPTOGRAPHY THEORY AND INFORMATION SECURITY

Topic: Cryptographic hash functions and the random oracle model

Supervisor: Assoc. Prof. Dr. Nguyen Hieu Minh


Group members:
1. Nguyen Huu Nhan
2. Vu Thi Thu Huyen
3. Tran Danh Minh Hoang
IT MASTER'S CLASS, COHORT 25B

HANOI, 2014


I. Overview of cryptography and information security


Cryptography is the science that applies mathematics to transform information into another form, with the aim of concealing the content and meaning of the information to be encrypted.
The applications of cryptography and information security are many and varied; depending on its characteristics, each system has its own requirements, such as confidentiality of information, integrity of information, authentication of the communicating parties and of the content exchanged, and non-repudiation.
Encryption methods

- Symmetric encryption: the process of encrypting and decrypting a message with the same key, called the secret key or symmetric key. Examples of symmetric encryption methods are classical ciphers and block ciphers.
- Asymmetric encryption: also called public-key encryption; it makes key exchange much easier, since the public key need not be kept secret the way the secret key must be in conventional encryption methods.
II. The random oracle model
1. The pigeonhole principle
If n pigeonholes contain n+1 pigeons, then at least one pigeonhole contains 2 pigeons. By the pigeonhole principle, if n pigeonholes contain kn+1 pigeons, then at least one pigeonhole contains k+1 pigeons.
Suppose the messages fed to a hash function are 6 bits long and the digest is only 4 bits. Then the number of possible digests (pigeonholes) is $2^4 = 16$ and the number of possible messages (pigeons) is $2^6 = 64$. This means n = 16 and kn + 1 = 64, so k is greater than 3. The conclusion is that at least one digest corresponds to four (k + 1) messages.
2. The birthday problem

If the output of a hash function is small, two documents with the same hash value, i.e. a collision, can be found regardless of the number of transformations inside the function; this attack is called the birthday attack. The idea of the attack rests on the following birthday problem. How many people must be chosen so that the probability that two of them share a birthday is 0.5? The point is that the probability that one random pair shares a birthday is $p' = 1/365$, while a group of n people contains $n(n-1)/2 \approx n^2/2$ distinct pairs. From this an approximate estimate follows easily. The probability that at least one pair shares a birthday is

$p \approx p'\,n^2/2$,

and setting $p = 1/2$ we obtain

$n \approx 1/\sqrt{p'}$.

Let us see how the birthday problem is used to find collisions in a hash function. Let H be a hash function whose output is m bits. We take N distinct messages $M^{(i)}$, $i = 1 \ldots N$, and compute their hash values, denoting the corresponding values $H^{(i)}$. If the hash function behaves as a pseudorandom transformation, it is easy to compute the probability that among the N values $H^{(i)}$ no two are equal.
First we consider an estimate based on an approximate calculation, valid when the number of collisions is small. Take some value $H^{(1)}$. The probability that it does not coincide with any of the remaining values is

$P^{(1)} = (1 - 2^{-m})^{N-1}$.

Next take a new value $H^{(2)}$. The probability that it does not coincide with any of the remaining values is

$P^{(2)} = (1 - 2^{-m})^{N-2}$.

We proceed in the same way for each new hash value; at step i we obtain the probability of no coincidence

$P^{(i)} = (1 - 2^{-m})^{N-i}$.

In total we must perform N-1 such checks. The probability that none of the values coincides with another is

$p' = (1 - 2^{-m})^{N-1}(1 - 2^{-m})^{N-2} \cdots (1 - 2^{-m})^{N-i} \cdots (1 - 2^{-m})^{2}(1 - 2^{-m}) = (1 - 2^{-m})^{N(N-1)/2}$,

since $1 + 2 + \cdots + (N-1) = N(N-1)/2$.
The probability of finding a collision is

$p = 1 - p' = 1 - (1 - 2^{-m})^{N(N-1)/2} \approx 1 - (1 - N^2 2^{-m-1}) = N^2\,2^{-m-1}$.

For a collision probability of 1/2 we have

$N^2\,2^{-m-1} = 1/2$,

from which we determine the value $N_{1/2}$:

$N_{1/2} = \sqrt{2^m}$.

Let us now see how to compute the probability of finding a collision in the set $H^{(i)}$, $i = 1 \ldots N$, more precisely; it can be obtained by the following simple argument. Take $H^{(2)}$. The probability that $H^{(2)}$ does not coincide with $H^{(1)}$ is $p^{(2)} = 1 - 2^{-m}$. Next take $H^{(3)}$. The probability that $H^{(3)}$ coincides with neither $H^{(2)}$ nor $H^{(1)}$, given that $H^{(1)}$ and $H^{(2)}$ are distinct, is $p^{(3)} = (1 - 2^{-m})(1 - 2 \cdot 2^{-m})$. In the same way we determine the probability $p^{(N)}$ that $H^{(N)}$ coincides with none of the values $H^{(1)}, H^{(2)}, \ldots, H^{(N-1)}$, given that $H^{(1)}, H^{(2)}, \ldots, H^{(N-1)}$ are pairwise distinct. We obtain $p^{(N)} = p^{(N-1)}\,[1 - (N-1)\,2^{-m}]$. Thus the exact value of the probability that there is no collision is

$p' = p^{(N)} = (1 - 2^{-m})(1 - 2 \cdot 2^{-m}) \cdots [1 - (i-1)\,2^{-m}] \cdots [1 - (N-1)\,2^{-m}] = \prod_{i=1}^{N-1} (1 - i\,2^{-m})$.

From this the collision probability is $p = 1 - p'$. Applying the approximation $1 - x \approx e^{-x}$ we obtain

$p' = \prod_{i=1}^{N-1} (1 - i\,2^{-m}) \approx \prod_{i=1}^{N-1} \exp(-i\,2^{-m}) = \exp\left(-\sum_{i=1}^{N-1} i\,2^{-m}\right) = \exp[-N(N-1)\,2^{-m-1}]$.

The probability that at least one collision exists is

$p = 1 - p' = 1 - \exp[-N(N-1)\,2^{-m-1}]$.

From this we easily obtain

$N^2 - N \approx 2^{m+1} \ln \frac{1}{1-p}$,

or

$N^2 \approx 2^{m+1} \ln \frac{1}{1-p}$, $\quad N \approx \sqrt{2^{m+1} \ln \frac{1}{1-p}}$.

With $p = 1/2$ we get $N_{1/2} \approx 1.17\sqrt{2^m}$. We see that this second computation is more precise than the first one. The formula also shows that among 23 randomly chosen people there is at least one pair with the same birthday with probability 1/2. To carry out the attack one therefore needs $1.17 \cdot 2^{m/2} \cdot m$ bits of memory, $1.17 \cdot 2^{m/2}$ hash computations and a sort of $1.17 \cdot 2^{m/2}$ numbers. From this we see that if m is not large, the number of messages at which a collision appears is easily reached. With current technology, $m \geq 128$ bits is required.
3. Attacks in the random oracle model
A hash function is considered one-way when, given a hash value, the original message, also called the pre-image, cannot be reconstructed. Thus, in the ideal case, the hash function must be evaluated on about $2^n$ messages to find a pre-image of a given hash value.
If an attack method is found that determines a pre-image of a given hash value, the hash algorithm is no longer secure.
An attack that produces a message different from the original one but with the same hash value is called a second pre-image attack.

Figure: criteria of a cryptographic hash function: first preimage, second preimage, collision.

First preimage attack:

Given $y = h(M)$, find $M'$ such that $y = h(M')$,

where M is the message, h is the hash function and h(M) is the message digest.
Algorithm: first preimage
    Preimage_Attack(D)
    {
        for (i = 1 to k)
        {
            Create(M[i])
            T ← h(M[i])
            if (T = D) return M[i]
        }
        return failure
    }
The difficulty of a first preimage attack is proportional to $2^n$.
A cryptographic hash function uses a 64-bit digest. How many digests does Eve need to create in order to find the original message with probability greater than 0.5?
The number of digests to create is $k = 0.69 \times 2^n = 0.69 \times 2^{64}$. This is a very large number. Even if Eve could create $2^{30}$ (almost a billion) messages per second, it would take $0.69 \times 2^{34}$ seconds, or more than 500 years. This means that a 64-bit message digest is secure against preimage attacks, but, as we will see shortly, it offers no guarantee against collision attacks.

Second preimage attack:

Given M and h(M), find $M' \neq M$ such that $h(M') = h(M)$.

Algorithm: second preimage
    Second_Preimage_Attack(D, M)
    {
        for (i = 1 to k-1)
        {
            Create(M[i])
            T ← h(M[i])
            if (T = D and M[i] ≠ M) return M[i]
        }
        return failure
    }
The difficulty of a second preimage attack is proportional to $2^n$.
Collision attack:

Find M and M' such that $M \neq M'$ but $h(M) = h(M')$.

Algorithm: collision
    Collision_Attack()
    {
        for (i = 1 to k)
        {
            Create(M[i])
            D[i] ← h(M[i])
            for (j = 1 to i-1)
            {
                if (D[i] = D[j]) return M[i] and M[j]
            }
        }
        return failure
    }
The difficulty of a collision attack is proportional to $2^{n/2}$.
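The three attacks above, together with the birthday bound of Section II.2, as an added Python example that is not part of the original report: the n-bit hash h is assumed to be truncated SHA-256, and n is kept small so that the searches finish in seconds and the observed try counts can be compared with the $2^{n-1}$ and $1.17 \cdot 2^{n/2}$ estimates in the text.

```python
import hashlib
import os

def h(msg: bytes, n: int) -> int:
    """Toy n-bit hash: the top n bits of SHA-256 (an assumed stand-in for the page's h)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n)

def preimage_attack(D: int, n: int, k: int):
    """First preimage: try up to k fresh random messages until one hashes to D.
    Returns (message or None, number of hash evaluations)."""
    for i in range(k):
        m = os.urandom(8)               # Create(M[i])
        if h(m, n) == D:                # T <- h(M[i]); T = D ?
            return m, i + 1
    return None, k                      # failure

def second_preimage_attack(M: bytes, n: int, k: int):
    """Second preimage: same loop, but the target is h(M) and M itself is rejected."""
    D = h(M, n)
    for i in range(k):
        m = os.urandom(8)
        if m != M and h(m, n) == D:
            return m, i + 1
    return None, k

def collision_attack(n: int, k: int):
    """Collision: keep every digest seen; stop at the first repeat.
    A dict replaces the page's inner loop over j < i, so each check is O(1)."""
    seen = {}
    for i in range(k):
        m = os.urandom(8)
        d = h(m, n)                     # D[i] <- h(M[i])
        if d in seen and seen[d] != m:  # D[i] = D[j] for some earlier j
            return seen[d], m, i + 1
        seen[d] = m
    return None, None, k

def expected_work(n: int):
    """Work factors the text states for success probability 1/2:
    about 2^(n-1) hashes for a (second) preimage, about 1.17 * 2^(n/2) for a collision."""
    return 2 ** (n - 1), 1.17 * 2 ** (n / 2)

if __name__ == "__main__":
    n = 20
    pre, col = expected_work(n)
    target = h(b"constructed target message", n)
    _, tries = preimage_attack(target, n, k=2 ** (n + 3))
    print(f"{n}-bit preimage after {tries} tries (expected ~{pre:.0f})")
    m1, m2, tries = collision_attack(n, k=2 ** n)
    print(f"{n}-bit collision after {tries} tries (expected ~{col:.0f}): {m1.hex()} {m2.hex()}")
```

Running it a few times shows the collision search finishing in roughly a thousand tries while the preimage search needs around half a million, which is the $2^{n/2}$ versus $2^{n-1}$ gap the text describes.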
4. Attacks on the structure
Meet-in-the-middle attack on hash functions
The meet-in-the-middle attack applies to hash functions built on block ciphers, which we studied earlier. It gives better results than the birthday attack: in the birthday attack a collision is found, but the hash values that emerge from the search are random. The first attack of this kind was proposed against a hash function built on the Rabin scheme (see Figure 11.1).
This scheme relies on a secure block cipher. It rests on the idea that determining the key is computationally hard when only the input and output of a data block are known. Each message block $M_i$ is used as the key of the corresponding round of the hash computation. Searching for a collision is therefore tied to the key-recovery problem. For example, an attacker may replace some block $M_k$ by $M'_k$. This yields a new value $H'_k$ of the round hash. There may exist a key $M'_{k+1}$ for which the following equality holds:

$H'_{k+1} = E_{M'_{k+1}}(H'_k) = H_{k+1}$.

If a way is found to obtain such an $M'_{k+1}$, then replacing the data blocks $M_k$ and $M_{k+1}$ by $M'_k$ and $M'_{k+1}$ gives a new message whose hash value equals that of the original message. If the block cipher is strong against attacks with known plaintext, this attack on the hash function has high complexity.
Let us look at the attack in detail. Let M be a message whose hash value is H. The aim of the attack is to find another message M' whose hash value is also H. We split the message $M = (M_1, M_2, \ldots, M_k, M_{k+1}, \ldots, M_n)$ into two parts, $M^{(1)} = (M_1, M_2, \ldots, M_k)$ and $M^{(2)} = (M_{k+1}, \ldots, M_n)$. The first part of the message is varied many times, and for each variant the hash value $H^{(1)}$ is computed. Suppose $N_1$ values $H^{(1)}$ are obtained from $N_1$ variants of the first part (see figure). The second part $M^{(2)}$ is also varied many times, but for each variant the hash is computed by a different algorithm: here we compute in reverse order, using the decryption function D corresponding to the encryption function E (see figure). Suppose $N_2$ values $H^{(2)}$ are obtained from $N_2$ variants of the second part.
When $N_1$ and $N_2$ are large, a pair of equal values among the $H^{(1)}$ and $H^{(2)}$ can be found with high probability. Suppose it corresponds to the two parts $M'^{(1)}$ and $M'^{(2)}$. Clearly the message $M' = (M'^{(1)}, M'^{(2)}) \neq M$ satisfies $H(M') = H(M)$, so a collision has been found. Let us now determine the memory and the work this attack requires.
Assume that $N_1$ and $N_2$ are small compared with $2^m$, where m is the size of the hash value. Then, to a good approximation, the probability that a given value $H^{(1)}$ of the set $H^{(1)}$ coincides with no value of the set $H^{(2)}$ is

$p_1 = (1 - 2^{-m})^{N_2}$.

The probability that no value of the set $H^{(1)}$ coincides with a value of the set $H^{(2)}$ is

$p' = (1 - 2^{-m})^{N_2 N_1}$.

Thus the probability of finding at least one matching pair between the sets $H^{(1)}$ and $H^{(2)}$ is

$p = 1 - p' = 1 - (1 - 2^{-m})^{N_1 N_2} \approx 1 - (1 - N_1 N_2\,2^{-m}) = N_1 N_2\,2^{-m}$.

Now, under the condition $N_1 N_2\,2^{-m} = 1/2$ and in the case $N_1 = N_2 = N$, we easily determine the value $N_{1/2}$ for collision probability 1/2:

$N_{1/2} = \sqrt{2^{m-1}}$.

A more precise estimate shows that for $N_1 = N_2 = 2^{m/2}$ the value $p = 0.63$ is obtained. Thus the memory needed for the attack is

$2m\sqrt{2^{m-1}}$

bits, and the work is $N_1 + N_2 = 2\sqrt{2^{m-1}}$.
III. Cryptographic hash functions
1. Introduction to hash functions
A hash function takes as input a document of arbitrary length and produces a digest of fixed length.
As noted in the section on digital signatures, the hash function plays a very important role: besides preventing signature forgery, it makes the signing process much faster, because hash functions are fast, and most importantly it makes the signature much shorter, which matters greatly in practice when working with large numbers of signatures.
A hash function must satisfy the following requirements:
- the argument of the hash function is a message of arbitrary length;
- the value of the hash function has a fixed length;
- the function H(x) must be efficiently computable, i.e. the hash algorithm must have high throughput in both hardware and software; signing and verifying the hash value must be faster than signing and verifying the message itself;
- given a value y of the hash function, it must be computationally hard to find x satisfying h(x) = y, i.e. the hash function must be one-way;
- the hash function is weakly collision-free: given a message x, it is computationally infeasible to find a message $x' \neq x$ with h(x') = h(x);
- the hash function is strongly collision-free: it is computationally infeasible to find two messages x and x', $x \neq x'$, with h(x) = h(x').
The general structure of a hash function consists of the following parts:
Let M be a message of arbitrary length. Depending on the algorithm used, bits may have to be appended so that the length becomes a multiple of the fixed block length chosen for the computation. The message is split into blocks of equal size, $M = (M_1, M_2, \ldots, M_s)$.
Let $H_i$ be the n-bit state, where n is the length of the hash value, and let F be the compression function, which operates on a data block together with the current state:

    Initialise $H_0$ with some initialisation vector.

    Iterate: $H_i = F(H_{i-1}, M_i)$, $i \in [1, s]$.

    The value $H_s$ is the hash value.

If the hash function is considered strong, any change in its argument (the input message) changes its value randomly, i.e. each of the n bits changes with probability 1/2. A simple attack on a one-way hash function is to choose messages until the hash of one of them equals the given hash value, in other words a brute-force search. Let N be the number of messages that must be chosen for this. The probability that the hash of an arbitrary message does not equal the given value H is $1 - 2^{-n}$, n being the length of the hash value. Thus the probability that none of N distinct messages has a hash value equal to H is

$p' = (1 - 2^{-n})^N$.

The probability that there is a message whose hash value equals the given H is

$p = 1 - p' = 1 - (1 - 2^{-n})^N$.

Using Newton's binomial formula we obtain the approximation

$(1 - x)^N = 1 - Nx + \frac{N(N-1)}{2!}x^2 - \frac{N(N-1)(N-2)}{3!}x^3 + \cdots \approx 1 - Nx$, if x is small,

so we have

$p \approx N\,2^{-n}$, $\quad N \approx p\,2^n$.

For p = 1/2 we get $N \approx 2^{n-1}$. With current computing technology, for n = 64 the attack can be carried out if large computing resources are available. For n > 96 the function is considered secure against this attack, but since many other attacks exist, it is recommended to choose $n \geq 128$.

Structure of cryptographic hash functions
It can be shown that the security structure of a cryptographic hash function consists of two components that can be studied independently of each other. The first component is the compression function, which maps a fixed-length input to a fixed-length output. The second component of the structure is the domain extender, which, given a compression function, produces a function accepting inputs of arbitrary length.
Compression function. From a theoretical standpoint, a one-way function is the most primitive building block, from which many other cryptographic tools can be derived. A result due to Simon provides strong evidence that collision resistance of a hash function cannot be built from one-way functions alone. Instead, designers build collision-resistant hash functions from a more primitive block cipher, the ideal cipher.
A block cipher is a keyed permutation $E: \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$.
Technically, a block cipher compresses its input: it maps k + n bits to n bits. However, a block cipher is not even one-way: to invert E on w, fix any key $k_0$ and decrypt w under this key. If w decrypts to x, then $E(k_0, x) = w$. Nevertheless, there are 12 simple constructions that turn a block cipher into a collision-resistant compression function. The two most commonly used in hash functions are:
Davies-Meyer: $H(x, y) = E_y(x) \oplus x$
Miyaguchi-Preneel: $H(x, y) = E_x(y) \oplus x \oplus y$
The security proofs of these schemes, and of block-cipher-based schemes in general, rest on the assumption that the underlying cipher is indistinguishable from an abstract notion called the ideal cipher, which goes well beyond the standard security requirements for block ciphers.
Domain extender. A domain extender is a generic construction that transforms a compression function with fixed-length input into a hash function with arbitrary-length input.
The simplest and most widely used domain extender is the Merkle-Damgård construction, which works as follows:
Given a compression function $C: \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^n$ and an n-bit constant IV.
Input: message M
1. Break M into m-bit blocks $M_1, \ldots, M_k$, padding if necessary;
2. Let $M_{k+1}$ be the encoding of |M|;
3. Let $h_0 = IV$;
4. For i = 1 to k + 1 let $h_i = C(h_{i-1}, M_i)$;
5. Output $h_{k+1}$.

The construction iterates the compression function C: the output of C, together with the next block of the message, becomes the input to the next application of C.
The hash of the last block, which contains the encoding of the message length, is the hash of the whole message. The intermediate outputs of the compression function, $h_i$, are called chaining variables or internal states (Figure 1).

Figure 1: The Merkle-Damgård construction.


There is some flexibility in the first two steps of the Merkle-Damgård construction. Any encoding will do as long as it satisfies the following three conditions:
- M is encoded as an integral number of m-bit blocks;
- the encoding is collision-free;
- the length of M is packed into the last block.
The Merkle-Damgård construction is compatible with a streaming API, where a message is supplied one block at a time to a hashing engine. Its length need not be known until the last block becomes available. On the other hand, updating even a single bit of the message may trigger recomputation of the entire hash.
If the compression function is collision-resistant, so is the resulting construction. However, the Merkle-Damgård construction yields a function with many structural properties, which leads to unexpected security vulnerabilities.
In fact, the Merkle-Damgård construction is the most important reason why it is wrong (dangerous, reckless, ignorant) to think of a hash function as a black box. The iterated construction was designed to meet a very modest goal, extending the domain of a collision-resistant function, and no further security guarantees should be expected from it.
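The Merkle-Damgård steps above and the three encoding conditions, as an added example (not code from the report or from any hash standard it cites): the compression function C is assumed to be truncated SHA-256, and the 64-bit block and state sizes are constructed toy parameters. It shows why the length block of step 2 is needed: without it, zero padding alone is not a collision-free encoding.

```python
import hashlib

N_BITS = 64          # chaining-state / digest size n (constructed toy parameters)
M_BITS = 64          # block size m
IV = b"\x00" * (N_BITS // 8)

def C(h_prev: bytes, block: bytes) -> bytes:
    """Toy compression function C: {0,1}^n x {0,1}^m -> {0,1}^n.
    Assumed here as truncated SHA-256; the page leaves C abstract."""
    assert len(h_prev) == N_BITS // 8 and len(block) == M_BITS // 8
    return hashlib.sha256(h_prev + block).digest()[: N_BITS // 8]

def md_blocks(M: bytes, encode_length: bool = True):
    """Steps 1 and 2: zero-pad M to whole m-bit blocks, then append the
    encoding of |M| in bits as block M_{k+1} (skipped when encode_length is False)."""
    bs = M_BITS // 8
    padded = M + b"\x00" * (-len(M) % bs)
    blocks = [padded[i:i + bs] for i in range(0, len(padded), bs)]
    if encode_length:
        blocks.append((len(M) * 8).to_bytes(bs, "big"))
    return blocks

def md_hash(M: bytes, encode_length: bool = True) -> bytes:
    """Steps 3-5: h_0 = IV, h_i = C(h_{i-1}, M_i), output the last chaining value."""
    h = IV
    for block in md_blocks(M, encode_length):
        h = C(h, block)
    return h

def padding_collision(M: bytes):
    """Returns (collide_without_length, collide_with_length) for M and M||0x00.
    When |M| is not a multiple of the block size, zero padding alone maps both
    messages to the same block sequence, so dropping the length block violates
    condition 2 (collision-free encoding); the length block restores distinctness."""
    M2 = M + b"\x00"
    return (md_hash(M, False) == md_hash(M2, False),
            md_hash(M, True) == md_hash(M2, True))

if __name__ == "__main__":
    msg = b"constructed sample message"   # 26 bytes: 3 full blocks + 2 bytes
    print("blocks:", [b.hex() for b in md_blocks(msg)])
    print("digest:", md_hash(msg).hex())
    print("collision without / with length block:", padding_collision(msg))
```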
2. SHA-512
SHA-512 is the version of SHA whose hash output is 512 bits. Like the whole SHA family, SHA-512 is based on the Merkle-Damgård model. SHA-512 produces a 512-bit hash from a sequence of message blocks, each of which is 1024 bits long.

Figure: SHA-512 as a chain of compression functions, each taking a 1024-bit message block and a 512-bit chaining value and producing a 512-bit output.

For SHA-512 the maximum length of the original message must not exceed $2^{128}$ bits. A longer string cannot be hashed with SHA-512.
3. WHIRLPOOL

Whirlpool was designed by Paulo Barreto and Vincent Rijmen and submitted in response to the call for cryptographic primitives issued by NESSIE (New European Schemes for Signatures, Integrity and Encryption) in 2000. Whirlpool was selected, together with SHA-256, SHA-384 and SHA-512, as part of the NESSIE portfolio.
Whirlpool's design combines the Merkle-Damgård domain extender with a block-cipher-based compression function. The block cipher is a variant of AES, fundamentally different from SHACAL, and it is turned into a compression function using the Miyaguchi-Preneel construction. Whirlpool does not target any specific architecture, although 32- or 64-bit processors allow some optimisations that cannot be implemented on 8-bit ones.
