<a href="https://colab.research.google.com/github/taylan-sen/intro_jupyter_notebooks/blob/main/HashFunctions.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

DIRECTIONS: 
1. First, save your own copy of this notebook.
  * click the button "Open in colab"
  * File->Save
1. Read through, executing the code cells as you go along.
1. Answer all the questions labelled "Question #" directly into the notebook (following each question's specific directions).
1. When finished, save, then download the .ipynb file (File->save; File->download->.ipynb)
1. Upload the .ipynb file to canvas.

For additional reference in understanding this material see the Naranyan et al textbook Chapter 1.


# Hash Functions

Hash function technology is ***crucial*** for enabling blockchain and cryptocurrency (more specifically, *secure* hash functions). Bitcoin uses hash functions for multiple purposes including authentication (proving who you are), tamper detection (ensuring established blocks of data are not modified), consensus (deciding the validity of new blocks as a group), and proof-of-work (game theory based incentives for taking part in the blockchain and supporting consensus).

* [Purposes & Motivation](#purpose)
  * checksums (tamper detection)
  * digital signatures (authentication)
  * password hashing (security)
  * consensus & proof-of-work
* [Definitions & Summary](#summary)
  * input and output formats
  * checksum examples
* [Characteristics of Secure Hash Functions](#characteristics)
  * collision resistance
  * one-way
  * puzzle friendliness

<a name='purpose'></a>
<hr>

## Purpose/Motivation
Hash functions help solve several problems: 

**PROBLEM 1: Data transferred over the internet can be manipulated, is there an efficient way to detect manipulation?**  
<img src="https://c.tenor.com/ageODCEgS2sAAAAC/tenor.gif" width="300">

**PROBLEM 2: Its hard to tell if a person you are communicating with is the actual person they claim to be!!!**  (This problem/task is known as ***authentication***.)  
<img src="https://www.datingadvice.com/wp-content/uploads/2017/09/gatedcommunity.jpg" width="250">
<img src="https://bpb-us-w2.wpmucdn.com/sites.stedwards.edu/dist/f/1961/files/2014/02/online-dating2-1h3togt.jpg" width="250">  

Hash functions allow us to solve these and other problems through:
* **checksums**
* **digital signatures**
* **password hashing**

### checksums for tamper/error detection

Example 1: You want to send a large file over an insecure network to a friend and you want your friend to detect if it has been tampered with or if there are any transmission errors. You can send a short message over a secure/trusted channel (e.g. phone call). What should you make the short message so that your friend can detect if the original message has been changed? We call that short message a *checksum*. Certain hash functions have properties which make them a good way to generate checksums.


### digital signatures for authentication

Example 2: A teacher wants his classmates to be able to verify that messages posts on an online public discussion board came from him (as opposed to someone pretending to be him). He can put a short message (i.e. a "public key") in the syllabus that he hands out on the first day of class which does not remain secret. When he posts a message online, is there a way he can add a "digital signature" or short message that goes along with the original message that his students can use to verify he wrote the message?

### password hashing for security

Example 3: You want to allow users to set a password for your system, but you are not allowed to save their passwords. This is important for security considerations, since many people reuse passwords, you don't want to allow system operators to "see" what people's passwords are. Without storing the passwords, how can you tell if a user has the same password that they provided earlier? More specifically, you want to store some data other than the password (i.e. a password fingerprint), but data that only the password holder can demonstrably produce. Also, you need to ensure that having a fingerprint should not allow you to determine the original password.


<a name='summary'></a>
<hr>

## Definition & Summary

**hash function:** a function that receives a <u>variable sized input</u> and produces a <u>fixed size output</u>.

&emsp; _**example hash function:** divide the input number by a constant and output the remainder_

Here is the code for this hash function which we will call *my8bitHash* (the "8bit" refering to the size of the output):


In [None]:
def my8bitHash(inputNum):
  """Divides by 256 and returns the remainder."""
  # in python % is called the mod operator
  return inputNum % 256

print('my8bitHash(13) -->', my8bitHash(13))
print('my8bitHash(1000) -->', my8bitHash(1000))
print('my8bitHash(256) -->', my8bitHash(256))
print('my8bitHash(269) -->', my8bitHash(269))

Note that the input values 13 and 269 both produce a hash value of 13. This is called a ***collision***.  Whenever the input space (all possible function inputs) is larger than the fixed output space (all possible outputs), there will be collisions. As we will discuss, the ability to easily find collisions is an undesireable property of hash functions which are used in cryptography, also called __*cryptographic hash functions*__ or __*secure hash algorithms*__ .  

Also note with my8bitHash it is pretty trivial to come up with an input that will produce a desired hash value; consider that any number between 0 and 255 will *hash to itself*. This is an undesireable property of cryptographic hash functions. This property stated another way, my8bitHash is not a ***one-way function*** as it is easy to determine an input that produces a target output. 

It is also important to point out that my8bitHash is ***deterministic***; in other words, a given input will **always** produce the same output. Nondeterministic functions involve randomness or multiple *internal states* and may produce different outputs for the same input.

A hash function output is also called the ***hash value***, the ***digest***, or simply just ***the hash***. 

#### Input/Output formats: data types and number systems
(binary, hex, decimal, ints, and strings)

It is important to be aware of the many different ways and formats that messages/data and hash values can be represented on a computer, as well as "on paper", or on a screen. Python and most other programming languages have fundamental *data types* which include an integer type, usually specified as *int*, and a *string* data type (specified as str) which represents a string of letters or characters. The python function **type(<object>)** allows you to find out the data type (i.e. object type) of a variable.

In [None]:
# Python int and str examples
my_int = 56
my_int2 = 4312451345134513  # An int this big causes other languages to overflow 
print('my_int type:', type(my_int))
my_str = 'You got to pump it up!'
my_str2 = '56'
print('my_str2 type:', type(my_str2))
my_str3 = '©§®µÄš™𐐷'
print(my_int + 5)

In [None]:
# you can't do basic math with str 
print(my_str2 + 5) # error

In [None]:
# converting int to str and str to int
x = 5
str_x = str(x)
s = '10'
int_s = int(s)
print(1 + int_s)

In [None]:
# not all strings can convert to int directly
s = 'hello'
int_s = int(s)

Notice that strings are *wrapped* in single quotes (you can also use double quotes).

When integers are printed to the screen, it can be in a different base number system than the decimal (base 10) system we are familiar with. 

**Base 10.** Our implementation of my8bitHash expects input to be a base 10 (decimal) integer. In the base 10 number system, we use the digits 0,1,2,3,4,5,6,7,8,9. A shift of one digit to the left means the digit represents 10 times more (ex: 2 and 20), two spaces to the left means multiplying by 100. Stated another way, the rightmost position of a base 10 integer represents the number of *ones* ($10^0$), the second from the right position represents the number of *tens* ($10^1$), the third from the right position represents the number of *hundreds* ($10^2$), and the $n^{th}$ position from the right represents the number of $10^ns$. For example, the number 234 means: four ones, three tens, and two hundreds.

**In base 2**, or binary, only the digits 0 and 1 are used. For example, 101 is a binary number representing the decimal number 5. (Note: we usually write binary numbers with a leading "0b" so that we don't confuse them with decimal numbers, i.e. 101 --> 0b101) The rightmost binary integer position represents the number of *ones* ($2^0$), the second from the right position represents the number of *twos* ($2^1$), the third position from the right represents the number of *fours* ($2^2$), the fourth position from the right represents the number of *eights* ($2^3$), and so on. Base 2 is especially important for computers since data is usually represented by elements that can be in one of only two states. For example, as mentioned earlier, the voltage on a wire can be either high or low, representing either a 1 or 0. Each digit in binary represents a ***bit*** of data. Eight bits of data are called a ***byte***. 

**In base 16**, also called hexadecimal, the sixteen digits 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F are used. When writing a number in hexadecimal, we usually write it with a leading "0x". For example 0x10 represents 16 in base ten. A shift of one to the left represents multiplying by 16, a shift of two to the left represents multiplying by 256 (i.e. 16*16), and shifting by $n$ spaces to the left represents multiplying by $16^n$).


|Decimal|Binary|Hexadecimal|
|---:|---:|---:|
|0|0|0|
|1|1|1|
|2|10|2|
|3|11|3|
|4|100|4|
|5|101|5|
|6|110|6|
|7|111|7|
|8|1000|8|
|9|1001|9|
|10|1010|A|
|11|1011|B|
|12|1100|C|
|13|1101|D|
|14|1110|E|
|15|1111|F|
|16|10000|10|
|17|10001|11|

Python provides some useful functions for converting numbers between bases:

    bin(<input int>)                 # convert a number TO a binary str
    hex(<input int>)                 # convert a number TO a hexadecimal str 
    int(<input str>, <source base>)  # convert FROM a base other than 10

In [None]:
# bin and hex
# The bin function converts an int (base 10) to a binary string
b = bin(13)
print('13 in binary is: ',b)
print('type(b)=', type(b))

# the hex function converts an int (base 10) into a base 16 string
h = hex(13)
print('13 in hexadecimal is: ',h)
print('type(h)=', type(h))

In [None]:
# int conversion
# the int function can convert from a different base back into an int
d = int(b,2) # binary to decimal
print('d=',d)
print('type(d)=', type(d))

d2 = int(h,16) # hexadecimal to decimal
print('d2=',d2)
print('type(d2)=', type(d2))


Digital data can be represented as 1's and 0's, also called ***bits*** of data. Bits are typically grouped together in 8 bits at once, which are called ***bytes***. Python provides the following functions to convert ints and strings TO and FROM bytes:



    <input str>.encode()                 # converts a string into a byte 'array'
    <input str>.decode()                 # converts bytes to a string
    int.to_bytes(<input int>, "big")     # splits an integers binary representation to byte 'array'
    int.from_bytes(<byte array>, "big")  # converts a byte array to int


In [None]:
# encode, decode example
msg = 'Hello world!'
msg_encoded = msg.encode()
msg_decoded = msg_encoded.decode()
print('msg:', msg)
print('msg type: ', type(msg_encoded))
print('msg_encoded:', msg_encoded)
print('msg_encoded type:', type(msg_encoded))
print('msg_decoded:', msg_decoded)
print('msg_decoded type:', type(msg_decoded))



In [None]:
# Below we see the steps of converting string data to an integer
msg = 'Hello world!'
msg_encoded = msg.encode()
msg_int = int.from_bytes(msg_encoded,'big')

print('msg:', msg)
print('msg_encoded:', msg_encoded)
print('msg_int:', msg_int)
print(type(msg_encoded))



In [None]:
x = 50
xbytes = x.to_bytes(1,'big')
print(xbytes)  # NOTE: '2' in ASCII is 00110010 in binary, which is 50 in base10
print("".join("{:02x}".format(byte) for byte in xbytes))

**Question 1a:** Complete the code cell below which converts a str of your full name (swap your name in for mine) into a single integer and print it out in decimal from (use the encode and from_bytes functions).

**Question 1b:** Print the integer out in hexadecimal. 

In [None]:
# QUESTION 1
name_str = 'Taylan Sen' # replace with your name
# TODO 1a: use encode and from_bytes as specified in the above section to 
# convert the name to a single integer

# TODO 1b: Now print the above integer out in hexadecimal (base 16)

<a name='characteristics'></a>
<hr>

## Desired Characteristics of Cryptographic Hash Functions (Secure Hash Algorithms)

* security properties
  * collision resistance
  * first preimage resistance (aka one-way, hiding)
  * second preimage resistance (aka puzzle-friendly) 
* deterministic
* fast

### Collision Resistance

**collision resistance:** a hash function is collision resistant if it is very hard to find any two inputs which produce the same output. By very hard, we typically mean ***computationally infeasible*** which generally means: given today's known hardware and mathematical capabilities, it would take conceivably unobtainable money or time in order to accomplish a given computational task. (Computationally infeasible is not equal to provably impossible.)

    # Collision
    Given: a hash function
    Find: any two inputs which produce the same hash



**one-way function:** (aka first preimage resistance or hiding property)given an output, its very hard to find a corresponding input. By very hard again we mean is *computationally infeasible* to find an input which produces a given output.

    # first-preimage
    Given: a hash function and a hash output out1
    Find: any input which hashes to out1

**second pre-image resistant:** given an input, it is very hard to find a second input which produces the same hash output.  

    # second pre-image
    Given: a hash function and a hash input in1
    Find: a second input in2 which hashes to the same hash output as in1

**birthday attack:** an attempt to find *any* collision using a brute force trial of inputs and memorizing the hash function outputs. In each step of a birthday attack, a new input is attempted, and its hash is then compared to all other hashes created so far to see if any match. The name comes from the following scenario: consider trying to find two people that have the same birthday (month and day of the month) in a lecture full of people (e.g. n=30). To many people it seems unlikely that two people out of 30 would have the same birthday. However, probabilistically, the chance that two or more people share a birthday out of 50 people is over 70%! This mis-estimation by most people is known as the *birthday paradox*.

With 2 people, what is the probability they have the same birthday?
$$P_{match} = 1 - P_{no \space match} = 1 - \frac{365}{366} = \frac{1}{366} ≈ 0.0027$$

With 3 people, what is the probability they have the same birthday?
$$P_{match} = 1 - P_{no \space match} = 1 - \frac{365}{366}*\frac{364}{366} ≈ 0.008$$

With 4 people, what is the probability they have the same birthday?
$$P_{match} = 1 - P_{no \space match} = 1 - \frac{365}{366}*\frac{364}{366}*\frac{363}{366} ≈ 0.016$$

With N people, what is the probability they have the same birthday?
$$P_{match} = 1 - P_{no \space match} = 1 - \frac{\frac{366!}{(366-N)!}}{366^N}$$

In [None]:
# Birthday attack formula
from math import factorial   # this is just to get access to the factorial func
n = 30  # note, numerical overflow will occur for n > 120
p = 1 - factorial(366)/factorial(366-n)/366**n
print('probability of a collision with ' + str(n) + ' people:', p)

probability of a collision with 30 people: 0.7053034120089918


## Checksum examples
Let's now try to put my8bitHash to use as a checksum. Recall, our motivation is to detect errors or tampering in a message or file that is transmitted across a noisy or insecure communications channel. As seen in the example below, my8bitHash is not collision resistant at all since it is immesiately obvious how to find an input which hashes to he same value as your message; the hash value itself! One could create a new false message, such as simply replacing the message with a single character.


In [None]:
def my8bitHash(inputNum):
  """Divides by 256 and returns the remainder."""
  # in python % is called the mod operator
  return inputNum % 256

msg = 'Watson, come here!'
msg_hash = my8bitHash(int.from_bytes(msg.encode(), 'big'))
print('msg:', msg)
print('msg_hash:', msg_hash)

# Can we produce another message with same hash?
# Just use the character that has the same ascii value as the hash
msg = chr(33) 
msg_hash = my8bitHash(int.from_bytes(msg.encode(), 'big'))
print('msg:', msg)
print('msg_hash:', msg_hash)


A big part of the problem is that the hash output space is too small. An output size of 8 bits only gives $2^8=256$ possible outputs. A computer can easily go through 256 attempts to find a different message that has the same hash. For example, suppose someone wants to change the message from "Watson, come here!" to "Watson, you are an idiot! ! !" They could keep adding more exclamation marks and/or spaces until the hash matches the hash of the original message.  

Bitcoin makes use of a hash function with an output size of 256 bits.

**Question 2:** What is the size of the output space of a 256 bit hash function? (Use the code cell below to give answer as an integer.)

**Question 3:**  
a) If we are able to evaluate a hash in a single CPU clock cycle (@4GHz) how many years would it take for us to expect to find a collision? (Use the code cell below to show your work for your answer.) 

b) How many times the lifetime of the universe is your answer? (use 14 billion years as the lifetime of the universe.)

In [None]:
# how big is 256bit space


### SHA256
A widely used and trusted secure hash function is known as SHA256 (used heavily in the bitcoin protocol), which is part of *FIPS* specified by *NIST*. 

**Question 4:** Please use Google to write a short one sentence definition of each below (double click to edit):  
NIST:  
FIPS:  
SHA256:  

### hashlib
Many secure hash functions have been implemented (somewhat efficiently) in python's **hashlib** module. Below is an example of how to use the module and its sha256 function.  

*import* is used to "pull in" a *module* to add more functionality to base python.
*sha256* is the name of the function, it expects the input to be bytes and returns output in a *hash* object.
Use hash.hexdigest() to get the output written in hexadecimal.   

In [None]:
# sha256
import hashlib

msg = 'Hello world!'
hash = hashlib.sha256(msg.encode())
print(hash.hexdigest())

**Question 5:** Use sha256 to get the hex digest of your full name in a new cell below.

## Puzzle Friendliness
Puzzle friendliness is a property that applies nicely as we will discuss to our original motivational problem of designing a computer system which verifies login passwords without storing the passwords itself.

### Password Hashing
Recall our original motivation problem example 3 from the first section: *we want a system in which users have a username and a password to login, but __the password must not be stored on the system__*. How can cryptographic hash functions help us out? The trick is to store the hash of the user's password on the system instead of the password itself. Each time a user tries to login, the login program will hash the password they type and compare it to the stored hash, and if it matches, access is granted. Because of the *one-way* property of the cryptographic hash function, someone can not easily find the password from the hash. Read through the source code below and try running it.

<img src='https://www.azmemes.com/wp-content/uploads/2020/04/I-Changed-My-Password-To-Incorrect.jpg' width="300">  


In [None]:
# STORING THE PASSWORD HASH ONLY
import hashlib

stored_hash = 'dcb5e79778425c09b1fb74d870807addfa80b2c25ce9b4029f9e7777777ae101'
pass_input = input('Password: ')

pass_hash = hashlib.sha256(pass_input.encode()).hexdigest()
if pass_hash == stored_hash:
  print('ACCESS GRANTED')
else:
  print('YOUR PASSWORD IS INCORRECT')

In the example above we see that the actual password is not actually stored in the source code, only the hash is stored. Please think about this point deeply for a minute, it is a very important concept for blockchains and computing in general.
![alt text](https://i.pinimg.com/originals/99/3f/a8/993fa82c035136e3be273e39f112558a.jpg "An authentication system doesn't actually have to store passwords...")




### Password Salt

While the above password hashing scheme was a reasonable approach on computer systems for a while, with the availablity of increasing compute power and storage, coupled with the fact that most people don't want to have a password that is *too long* and want to use easily memorizable words, it became possible to "crack" a password from the hash using something called ***rainbow tables***. In a nutshell, a rainbow table is a <u>precomputed</u> table of passwords and hashes. The idea being, an attacker can by brute force simply try every single password that is 8 letters long and store the resulting hash in a lookup table (i.e. dictionary). 


**Question: 6a** In the cell below, compute how many 8 letter passwords can be made from the 26 letters of the alphabet using only lowercase letters?  


In [None]:
# QUESTION: If a hacker creates a precomputed ranbow table of 8 letter 
# passwords using only lowercase with a 26 letter alphabet, how many
# entries will it have?

**Question: 6b** How hard do you think it is to store this much space?

To prevent this style of attack, the concept of password ***salt*** was introduced. Before hashing a user's password, a random fixed length string gets concatenated to the user's password first. When storing the hash, the salt is also stored.  

Read through the code below, then try running it.

In [None]:
# EXAMPLE PROGRAM USING RANDOM SALT
import hashlib
import random
import string

def store_new_user(salt_and_hash_dict):
  """ This function will store a new user along with a randomly selected salt
  and a hash of the salt concatenated with the password. The password is not
  stored. """
  print('STORING A NEW USER')
  username = input('Username: ')
  password = input('Password: ')
  salt = ''
  for i in range(8):
    salt += random.choice(string.ascii_letters)
  salted_pass = salt + password
  hash = hashlib.sha256(salted_pass.encode()).hexdigest()
  print(' NEW USER HASH:', hash)
  print(' NEW USER SALT:', salt)
  salt_and_hash_dict[username] = (salt, hash)
  print(' NEW USER:', username,'stored with above salt and hash.')

def login(salt_and_hash_dict):
  """ This function will prompt a user to login and test that their password
  matches with the salt and password stored in salt_and_hash_dict. """
  print('LOGIN')
  username = input('Username: ')
  if username not in salt_and_hash_dict:
    print('NO SUCH USER: ', username)
  else:
    password = input('Password: ')
    salt, stored_hash = salt_and_hash_dict[username]
    print('USER:' + username + ', stored SALT:'+ salt)
    print('  stored HASH:  ', stored_hash)
    salted_pass = salt + password
    test_hash = hashlib.sha256(salted_pass.encode()).hexdigest()
    print('  computed HASH:', test_hash)
    
    if test_hash == stored_hash:
      print('ACCESS GRANTED')
    else:
      print('YOUR PASSWORD IS INCORRECT!')

# Main Program
salt_and_hash_dict = {}               # holds usernames with each salt and hash
store_new_user(salt_and_hash_dict)    # call function to store a new user
login(salt_and_hash_dict)             # call function to check provided pass

<img src="https://i.imgflip.com/1um7i.jpg" width="300">

**Question 7a:** A hacker attempting to attack a salted password system (with a salt length of 20) wants to create a rainbow table. If the table is to hold an entry for every possible 8 letter password together with every possible salt, how many entries must it hold? Calculate answer in cell below.

In [None]:
# QUESTION: What is size of a rainbow table for an 8 letter password with
# a 20 letter salt?

Question 7b: Is the required rainbow table size reasonably achievable? (enter answer in this cell))

<img src="https://c.tenor.com/I4VSWV0zOE0AAAAC/tenor.gif" width="300" title="Can't we use google sheets for rainbow tables?">

It is also important to note: in order for a salt to be useful as designed, it must be randomly selected and used only once. A **n**umber used only **once** in this cryptographic scheme is also called a ***nonce***.  

### Proof of Work

A fundamental concept in bitcoin and many other cryptocurrencies that is closely related to password hashing is the concept of ***Proof-of-Work***. In order to incentivize people to be bitcoin ***miners*** (i.e. those who run the bitcoin software on their machines), built into the bitcoin protocol is a reward for the person who can solve a computational puzzle fastest. This setup is particularly elegant, because the puzzle is also computing a hash of the recent bitcoin transactions that needs to be recorded (to become part of what is called the ***global ledger***. The analogy with salted password hashing is this:

* The "password" that is being hashed is actually just the recent public transaction data. 
* The salt (or nonce) is a number picked by the miner.
* The hash function used is our beloved SHA256.
* The "winner" of the puzzle is the first person who can find a nonce that produces a hash that has 18 leading zeros.$^*$ 

In the code below, note how the nonce of 'k' causes the hash to begin with zero. Different nonces will make the hash begin with zero only 1/16 times. For example, when you replace the nonce below from 'k' to 'a', the hash begins with 1.


In [None]:
import hashlib
name = 'Taylan Sen'
nonce = 'k'
nonce_name = nonce + name
hash = hashlib.sha256(nonce_name.encode()).hexdigest()
print(hash)
if(hash[0] == '0'):
  print('CONGRATULATIONS! YOU FOUND A NONCE WHICH MAKES THE hash START WITH 0!')
else:
  print('TRY AGAIN.')
  print('The nonce creates a hash that starts with:', hash[0],'instead of 0.')

**Question 8:** In the above code cell, replace name with your own name. Then, find a nonce which causes the hash to start with a '0'. When you are done, congratulate yourself, because you just completed a proof-of-work just like a human bitcoin miner! (For true bitcoin mining difficulty, find a nonce which makes the hash start with eighteen leading zeros!)

For the above proof-of-work scheme to be secure from mathemagicians coming up with a more successful scheme of picking nonces that random chance, each nonce must have *an equal* chance of hashing into the different possible hashes in the hash function output space. This property is loosly defined as ***puzzle friendliness***.  

In the next assignment, we will see how digital signatures are created using secure hash functions along with a new cryptography concept called ***public key crypotography***.

**Question 9:** For each of the following provide a short definition.

**secure hash algorithm/cryptographic hash function:**  a hash function which has the properties of....

**deterministic algorithm:**  

**one-way function:**   

**hash collision:**  

**digest:**


<img src="https://memeguy.com/photos/images/password-savers-are-really-convenient-but-351861.png" width="300">


# Submission
When working on the assignment, please make sure you save before loging out. When completely finished, please save (File->save) download the .ipynb file (File->download->.ipynb), and upload to canvas. 