9: The SHA-3 Competition

� After the attacks on SHA-1, NIST has been asked for a new hash standard But – unlike SHA-{0,1,2} – in an open and transparent competition (as for the AES block cipher) � November 2008: The call for algorithms,fixing the rules for an open and international competition � Recently, cryptanalysts have found collisions on the MD4, MD5, and SHA-0 algorithms; moreover, a method forfinding SHA-1 collisions with less than the expected amount of work has been published, [...]. � Although there is no specific reason to believe that a practical attack on any of the SHA-2 family of hash functions is imminent, a successful collision attack on an algorithm in the SHA-2 family could have catastrophic effects for digital signatures. � [...] it is prudent to develop a new hash algorithm [...]. The new hash algorithm will be referred to as “SHA-3” [...].

–222– Stefan Lucks Hash Fun. (2019) 9: SHA-3 Could there be more than one SHA-3?

No: For interoperability, NIST strongly desires a single hash algorithm family (that is, that different size message digests be internally generated in as similar a manner as possible) to be selected for SHA-3. Maybe yes: However, if more than one suitable candidate family is identified, and each provides significant advantages, NIST may consider recommending more than one family for inclusion in the revised Secure Hash Standard.

–223– Stefan Lucks Hash Fun. (2019) 9: SHA-3 What are the minimal requirements?

� output sizes of 224, 256, 384, 512 bit 64 � all input sizes below 2 bit � a ‘one-pass’ streaming mode of execution � security : n/2 � collisions in 2 ≈ n � preimages in 2 ≈ n k k � Second Preimages in 2 − for messages of length<2 bit ≈ � analog requirements when the output is truncated ton �

–224– Stefan Lucks Hash Fun. (2019) 9: SHA-3 Other relevant properties Not required, but beneficial

� speed � memory requirements � simplicity and ease of analysis � flexibility � a “tunable parameter”, to choose between different security/performance trade-offs � the ability to run on many different platforms ( smartcards, ∗ RFID-tags, embedded systems, . . . ) ∗ � and the ability to parallelize the algorithm.

–225– Stefan Lucks Hash Fun. (2019) 9: SHA-3 Who would win?

� Some “hard” criteria – a violating candidate will drop out � but note the “ ” in the security ≈ requirements � many soft criteria

“Demolition Derby”

� the relevance of the different “soft” criteria was to be discovered during the contest � a part of the process was tofind out what (soft or hard) criteria mattered most, for the users

–226– Stefan Lucks Hash Fun. (2019) 9: SHA-3 Schedule

� Nov. 2007: public competition (by the NIST) � Oct. 2008: 64 candidates � Dec. 2008: 51 candidates accepted for the first round (each as a “complete and proper submission package”) � Feb. 2009: “First SHA-3 Candidate Conference” (presentation of candidates) � Jul 2009: 14 second round candidates � Aug. 2010: “Second Hash Function Candidate Conference” � Dec. 2010: 5finalists � March 2012 “Third Hash Function Candidate Conference” � Second Q. 2012: final decision expected � September 2012 final decision (actually)

–227– Stefan Lucks Hash Fun. (2019) 9: SHA-3 Outlook

� cryptanalysis of twofirst-round candidates (EnRUPT, Edon-R) and one 2nd-round candidate (CubeHash)

� state of the art on the cryptanalysis of hash functions � some comments (from the NIST) on each of the nine 2nd-round candidates that didn’t make it into the final � an overview over each of thefive finalists (fundamental structure, some details, best attacks . . . ) � BLAKE, Grøstl, JH, Keccak, Skein � five very different hash functions – together the state of the art in hash function design

–228– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.1: EnRUPT Sean O’Neil, Karsten Nohl, Luca Henzen

� many parameters, to adapt the hash function dynamically for different requirements � 7 “official” variants for SHA-3 480 480 � first attack: preimages in time 2 , using 2 units of memory � second attack (Indesteege, 2008): 47 � collisions in time 2 � collision actually found

–229– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.1: EnRUPT How EnRUPT works

� word sizew (“officially”:w 32, 64 ) ∈{ } w � message(M ,M ,...M ),M 0,1 (after padding) 1 2 L i ∈{ } � hash value consists ofL � (w-bit) words � parameterH; internal state ofH+ 3 words r,d 0,d 1,x r ,x r+1 ,...,x r+H 1 − � round function RF, manipulating the internal state � EnRUPT works as follows:

� Initialize: X0,...,X H 1 ,d 0,d 1,r := 0;( all is zero ) − ∗ ∗ � Process Message: ForI := 1 ..L do: RF;d :=d M ; 1 1 ⊕ I � Finalize: ForI := 1 ..H do: RF;( empty rounds ) ∗ ∗ � Extract Output: ForI := 1 ..L � do: RF; Output(d1);

–230– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.1: EnRUPT The round function RF

� ForI := 1 to 8 do

a(�x,d 0,d 1,r)

w w f :=  (2 x r 1 x r+4 d r mod1 r) <<< 9 mod2 ∗ ⊕ ⊕ ⊕ ⊕ 4 ∗ � �� ��       

x :=x f r+2 r+2 ⊕ d :=d f x r mod2 r mod2 ⊕ ⊕ r r :=r+1

–231– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.1: EnRUPT RF is almost linear

All operations are XOR-linear, except for “ 9”: ∗ ForI := 1 to 8 do

f := (a(�x,d ,d ,r) 9) mod2 w 0 1 ∗ = ((a(...) 3) + a(...)) mod2 w � x :=x f r+2 r+2 ⊕ d :=d f x r mod2 r mod2 ⊕ ⊕ r r :=r+1

rewrite: a() 9=( a() 8) + a() = (a() 3) + a() ∗ ∗ � linearize: replace “+” by “ ” ⊕

–232– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.1: EnRUPT Came the attack as a surprise?

The authors of EnRUPT knew about linearization: “The most straightforward way to attack EnRUPT algorithms is to approximate each arithmetic addition operation with XOR. It results in the rest of the cipher turning into an easily solved system of linear equations.”

But (my emphasis): “[EnRUPT] processes each word2 s times. It means that in order to define the state · [. . . ], at least2 (s 1) H rounds must be attacked, containing more than · − · 2 (s 1) H consecutive arithmetic additions to approximate [. . . ]. [Such attacks are] · − · highly unlikely, even fors=2 .”

Actually there exists a collision attack in time2 47 . . . and collisions have actually been found.

–233– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.1: EnRUPT 9.2: Edon-R Danilo Gligoroski, Rune Steinsmo Ødegård, Marija Mihova, Svein Johan Knapskog, Ljupco Kocarev, Ales Drapal, Vlastimil Klima

Forn 256, 512 : ∈{ } n 2 � internal 2n-bit state( P , P ) ( 0,1 ) 0 1 ∈ { } n 2 � Also 2n-bit message blocks( M , M ) ( 0,1 ) 0 1 ∈ { } � compression functionR: ( 0,1 n)2 ( 0,1 n)2 ( 0,1 n)2 { } × { } −→ { } old old (P0, P1) :=R P0 , P1 , M0, M1. � � n � hash-value P 0,1 , half of the internal state after thefinal 1 ∈{ } iteration of compression function

–234– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.2: Edon-R Cryptanalysis

� Khovratovich, Nikolic, Weinmann (2008):first few results � Klima (2008): degenerated compression function, multi-collisions (see below) � Novotney, Ferguson (2009): prove non-randomness of output

Internally, Edon-R uses a 2n-bit state, explicitly claiming that this protects against length extension and multi-collisions, . . . BUT:

� One can transform the compression functionR into a “degenerated” compression function DR: 0,1 n 0,1 n. { } →{ } � Withn-bits of effective internal state, Joux-style multi-collisions are applicable.

–235– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.2: Edon-R A look inside the compression functionR 1. a simple “reverse string transformation” 0,1 n 0,1 n { } →{ } M M . i ⇒ i 2. and a complex (but quite efficient) quasi-group operation Q: 0,1 n 0,1 n 0,1 n. { } × { } −→{ } A quasi-group is

� a nonempty setS, and � an operationf:S S S with the following properties: × → � for alla,b S the equationsf(a,x)=b andf(y,a)=b have a ∈ well-defined unique solutionx andy, respectively.

Example (quasi-group, not Edon-R):S= ZZ 2n , f(x,y)=x+y mod2 n, orf(x,y)=x y mod2 n. − –236– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.2: Edon-R Remark Any group operation is also a quasi-group operation, but not every quasi-group operation is also a group operation. For Edon-R, we have S= ZZ 2n , butf has (intentionally!) no simple algebraic structure.

A latin square ( Wikipedia) → A quasi-group withn elements can also be viewed as a “latin square” of ordern, i.e.,

� a square withn nfields, · � eachfield one ofn different symbols, � each symbol in each column and each row exactly once

–237– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.2: Edon-R Algorithmic properties ofQ

n � GivenX,Y 0,1 , one can efficiently computeZ=Q(X,Y). ∈{ } (This will be necessary to compute the hash.) � But also � givenZ andX, one can efficiently computeY , and � givenZ andY , one can efficiently computeX.

–238– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.2: Edon-R The compression functionR

M0 M1 input � Input M 1 � Chaining Value P0,P1 � Message M0,M1 � and its “reverse string P0 transformations” M0,M1 input j � Internally: eight valuesX b with b 0,1 ,j 1,2,3 . P1 ∈{ } ∈{ } � Output:

� Chaining Value P0,P1

M0 P1 P0 output

–239– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.2: Edon-R The compression functionR (2) M0 M1 ComputingR( P0, P1, M0, M1) takes eight steps: 1 1 X X 1. X1 :=Q( M , M ). M1 0 1 0 1 0 1 1 2. X1 :=Q(X 0, M0). ( ) 3. X2 :=Q( P ,X 1 ). 2 2 0 0 0 P0 X X 2 2 1 0 1 4. X1 :=Q(X 0,X 0). 3 2 5. X0 :=Q(X 0, P1). 3 := ( 2, 3) 3 3 6. X1 Q X 1 X 0 . P X X 3 1 0 1 7. P1 :=Q( M0,X 0). 3 8. P0 :=Q( P1,X 1). Observations: ( blackboard) M0 P1 P0 →

–240– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.2: Edon-R 9.3: CubeHash Dan Bernstein

� 3 “tunable parameters”: � r: number of rounds � b: bytes per message blocks � h: bits of output 32 � internal state: 32 32-bit wordsx ...,x 0,1 00000 11111 ∈{ } 1024 1024 � invertible round functionP: 0,1 0,1 { } →{ } 8b L � Hashing a messageM ,...,M ( 0,1 ) (after the padding): 1 L ∈ { } 8b L 1. messageM 1,...,M L ( 0,1 ) 2. fori 1,...,L : ∈ { } ∈{ } 2.1 XORM i into thefirstb state bytes 2.2 transform state (repeat round functionr times) 3. XOR a constant int the last state byte 4. transform state (repeat round function 10r times) 5. output thefirsth/8 state bytes

–241– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.3: CubeHash The round function

1. for all(j,k,l,m):x 1jklm :=x 0jklm �x 1jklm 2. for all(j,k,l,m),x 0jklm :=x 0jklm ≪7 3. for all(k,l,m), swapx 00klm andx 01klm 4. for all(j,k,l,m),x :=x x 0jklm 0jklm ⊕ 1jklm 5. for all(j,k,m), swapx 1jk0m andx 1jk1m 6. for all(j,k,l,m),x 1jklm :=x 1jklm �x 0jklm 7. for all(j,k,l,m),x 0jklm :=x 0jklm ≪ 11 8. for all(j,l,m), swapx 0j0lm andx 0j1lm 9. for all(j,k,l,m),x :=x x 0jklm 0jklm ⊕ 1jklm 10. for all(j,k,l), swapx 1jkl0 andx 1jkl1

–242– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.3: CubeHash Another look at the CubeHash Round Function (Aumasson et al)

–243– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.3: CubeHash Default Values for the Parameters number of roundsr, sizeb of message blocks and output lengthh

First round (rather slow):

� r= 8,b= 1,h 224, 256, 384, 512 ∈{ }

Second round, the author’s recommendation (16-times faster but not quite meeting NIST’s security requirements forh 384, 512 ): ∈{ } � r= 16,b= 32,h 224, 256, 384, 512 ∈{ }

Second round, “formal”:

� r= 16,b= 32,h 224, 256 ∈{ } � r= 16,b= 1,h 384, 512 ∈{ }

–244– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.3: CubeHash Cryptanalysis

� Note that the round function is invertible, thus preimages in time

(1024 8b)/2 2 −

(Aumasson, Brier, Meier, Naya-Plasencia, Peyrin 2009). � Forb= 1 this is “approximately 512-bit security” (NIST), but not for the recommendedb= 32. � Another unexpected property: classes of symmetric states (also Aumasson et al 2009). � Multi-collisions and preimages (Ferguson, Lucks, McKay, 2010): 384 � b= 32: multi-collisions and preimages slightly faster than 2 operations. 256 � b= 33: multi-collisions and preimages a little slower than 2 operations.

–245– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.3: CubeHash Symmetric States (1)

� certain state words are pairwise identical, e.g., AABBCCDD EEFFGGHH IIJJKKLL MMNNOOPP � note that the start state is not symmetric 512 � each class has 2 states

–246– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.3: CubeHash Symmetric States (2)

� the symmetry is not changed � by the round function (!) 8b � when xor-ing a message blockM i =0 � the symmetry is destroyed 8b � when xor-ing a message blockM =0 i � � when adding a constant � one can get from a non-symmetric into a symmetric state 8b � by inserting a message blockM =0 i � � if some parts of the state satisfy the symmetry criterion

–247– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.3: CubeHash 15 Main Classes

C1 AABBCCDD EEFFGGHH IIJJKKLL MMNNOOPP C2 ABABCDCD EFEFGHGH IJIJKLKL MNMNOPOP C3 ABBACDDC EFFEGHHG IJJIKLLK MNNMOPPO C4 ABCDABCD EFGHEFGH IJKLIJKL MNOPMNOP C5 ABCDBADC EFGHFEHG IJKLJILK MNOPNMPO C6 ABCDCDAB EFGHGHEF IJKLKLIJ MNOPOPMN C7 ABCDDCBA EFGHHGFE IJKLLKJI MNOPPONM C8 ABCDEFGH ABCDEFGH IJKLMNOP IJKLMNOP C9 ABCDEFGH BADCFEHG IJKLMNOP JILKNMPO C10 ABCDEFGH CDABGHEF IJKLMNOP KLIJOPMN C11 ABCDEFGH DCBAHGFE IJKLMNOP LKJIPONM C12 ABCDEFGH EFGHABCD IJKLMNOP MNOPIJKL C13 ABCDEFGH FEHGBADC IJKLMNOP NMPOJILK C14 ABCDEFGH GHEFCDAB IJKLMNOP OPMNKLIJ C15 ABCDEFGH HGFEDCBA IJKLMNOP PONMLKJI

–248– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.3: CubeHash 9.4: Announcing the Finalists NIST Announcement, December, 2010

SHA-3 candidates for thefinal round:

� BLAKE � Grøstl [. . . ] Security was our greatest concern, [. . . ], but � JH none of these candidates was clearly broken. � Keccak [. . . ] in reality, NIST wanted highly secure algorithms that also performed well. [. . . ] in some � Skein cases did not select algorithms with exceptional performance, largely because something about them made us “nervous,” even though we knew of no clear attack against the full algorithm.

–249– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.4: Announcing the Finalists Same Announcement

� No algorithm survived to become afinalist that did not have a clear round structure that could be readily adjusted to trade security for performance. � NIST eliminated several algorithms because of the extent of their second-round tweaks or because of a relative lack of reported cryptanalysis - either tended to create the suspicion that the design might not yet be fully tested and mature. � NIST was generally comfortable with tweaks to the number of rounds or to constants, but more suspicious of changes that seemed to affect the structure of the compression functions.

–250– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.4: Announcing the Finalists 9.5: Blake Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan

Variants

Blake-256 Blake-224 bit 32-bit words Blake-512 bit Blake-384 64-bit words

BLAKE was selected as afinalist, due to its high security margin, good performance in software, and its simple and clear design.

–251– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake Structure of Compression Function

� input:

� chaining valueh 0,...,h 7 (8 words) � salts 0,s 1,s 2,s 3 (4 words) � countert 0,t 1 (2 words) � message blockm 0,...,m 15 (16 words) � output: chaining value (8 words)

Observe:

� 8 32= 256 and 8 64= 512; ∗ ∗ � chaining values as small as hash values for Blake-{256,512} (“narrow-pipe”).

–252– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake Padding for Blake-256 (-512)

messageM padded toM X with ||

X=1 0 ∗ � || ||

� one 1-bit � as many 0-bits as required to get 512L 64 (1024L 128, − − respectively) bits � 64-bit (128-bit) message length

–253– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake Iteration Mode

0 � initial valueh (8 words) 1 2 N � message blocksm ,m ,...m (each 16 words), � salts, i 1 i � current lengthL : number of bits inm ... m , (without || || paddingX) � fori 1..N : ∈{i } i 1 i i h := Compress(h − ,s,L ,m ) returnh N

� indifferentiable from a random oracle

–254– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake A Closer Look at the Compression Function “Local Wide-Pipe”

� expand chaining value (8 words), salt (4 words) and counter (2 words) into a 16-word state � “encrypt” the state, using the message as a “pseudo-key” 10 rounds (resp. 14) � fold 16-word state into 8-word chaining value

–255– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake “Local Wide-Pipe”

much storage − (16 message words + 16 state words + 8 words chaining value). misses the advantage of a real “wide-pipe”, with resp. to, e.g., − Joux’ multi-collision attacks + attacks based on running the “encryption” backwards seem to be very difficult

–256– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake Expand

� h0,...,h 7: chaining value

� s0,...,s 4: salt

� t0,t 1: counter � c ,c ,...: constants=0 0 1 �

–257– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake Fold

–258– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake The Round Function calling a “G-Function” eight times

–259– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake A G-Function (Addition, Rotation, XOR) four state words, two message words four new state words →

Blake-512: 64-bit words, rotations by 32, 25, 16, 11 Blake-256: 32-bit words, rotations by 16, 12, 8, 7

–260– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake Processing 16 wordsm 0,...,m 15

eachm i is used exactly once in each round when and where (at them- or them �-position is round-dependent)

–261– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake differential attacks

input differences δ= 100... 000 2 in single words allow to predict the output differences after one or two rounds (with good probability)

–262– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake Best Attacks and Tweak

� best attacks � 6 rounds (of 14) for Blake-512 � 8 rounds (of 10) for Blake-256 “encryption” � reaction: increase number of rounds � from 10 to 14 for BLAKE-256, and � from 14 to 16 for BLAKE-512

–263– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.5: Blake 9.6: Grøstl Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen

–264– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl Grøstl was selected as afinalist because of its well-understood design and solid performance, especially in hardware. While Grøstl’s security margin is not ideal, NIST views it in light of the extensive amount of cryptanalysis that has been published, both on Grøstl itself and the larger AES structure on which Grøstl is based. Due to the large amount of existing cryptanalysis, NIST feels that future results are less likely to dramatically narrow Grøstl’s security margin than that of the other candidates.

–265– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl Merkle-Damgård with additionalfinalization function

–266– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl Padding

messageM padded toM X with ||

X=1 0 ∗ L || || and split into 512-bit resp. 1024-bit blocks:

� one 1-bit � as many 0-bits as required for message length 512 L 64 ∗ − � L: number of blocks (64-bit number)

–267– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl Inside the compression function

f(h,m)=P(h m) Q(m) h ⊕ ⊕ ⊕

� twon-bit permutationsP andQ � two variants: � n= 512 (Grøstl-256) � n= 1024 (Grøstl-512)

–268– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl The Output-Transformation

Ω(x)= chop(x P(x)) ⊕

–269– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl Alternative representation of Output-Transformation

Ω(x)= chop(f(x,0) Q(0)) ⊕ consequences: 1. without “chop”: plain MD-Structure, length-extension 2. as specified: ChopMD, indifferentiable

–270– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl The inner structure ofP andQ

� similarly to the AES � Grøstl-256 8 8 bytes, 10 rounds × � Grøstl-512 8 16 bytes, 14 rounds × � P andQ: different round constants

–271– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl AddRoundConstant

–272– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl SubBytes

–273– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl ShiftBytes

–274– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl MixBytes

MDS-Matrix

–275– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl Best Attacks and Tweak

� modelingP andQ as two independent ideal permutations � optimal preimage, 2nd preimage and collision security � distinguisher for � 11 rounds of Grøstl-512 and � 10 rounds of Grøstl-256 (full number of rounds) exploiting the great similarity ofP andQ � reaction: tweak Grøstl to make sure thatP andQ behave more differently � best attack now � 6 rounds pseudo-collision � 9 rounds “differential permutation distinguisher”

–276– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.6: Grøstl 9.7: JH Hongjun Wu (Singapore)

2n 2n � permutationE: 0,1 0,1 { } →{ } n � message blockM 0,1 (for SHA-3:n= 512) i ∈{ } n n � Compress(H,M)=E(H (M 0 )) (0 M)) ⊕ || ⊕ ||

–277– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH Padding

messageM 0,1 n of� bit � ∈{ } messageM=M X of 512L bit: �|| 383 X=1 0 ∗ 0 � : || || || 128 1: one 1-bit

0∗ as many 0-bits as required 0383: 383 0-bits � : the length�= M as a 128-bit value 128 | | Note: Es istL= l/512 +1. � � I.e., padding always generates one extra-block with at least 383 constant bits!

–278– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH M1 ML a hash b

� ChopMD using JH compression function

� output the bits that have been xor-ed withM L before

–279– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH Indifferentiability

� ChopMD Coron et al: ChopMD indifferentiable at 2 n/2 queries, if the � compression function is a random function � Unfortunately, 1 1.E is a permutation andE − is efficiently computable 1 2. with access toE ± , one can differentiate the compression function from a random function (even ifE is a modeled as a random permutation)

–280– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH Indifferentiability (2) Bhattacharyya, Mandal, Nandi:

� JH structure without thefinal (partially constant) message block is easily differentiable n/3 � JH structure with that message block is indifferentiable at 2 � oracle queries � different chop-rule (the other half of the 2n output bits) indifferentiable at 2 n/2 queries �

–281– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH Indifferentiability (3) Some kind of an attack – JH withoutfinal message block

M y

a h z b ? y ?

M

a x h s b y 0 t

0. initial(a b). || 1. ask forh=Hash(M). 2. ask for(s,t)=E(h,0) and(x y)=E(a,b M). || ⊕ 3. ask forz=Hash(M y). Ifz=s y then “not JH!” || � ⊕

–282– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH The Padding rule defeats the attack Becausey is unlikely tofit

M y

a h z b ? y ?

M

a x h s b y 0 t

0. initial(a b). || 1. ask forh=Hash(M). 2. ask for(x y) =E(a,b M) and(s,t)=E(h,0). || ⊕ 3. ask forz=Hash(M y) if possible! ||

–283– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH A preimage attack marginally better than2 512

Florian Mendel, Søren S. Thomsen: An Observation on JH-512:

Improvement to 2507: Rishiraj Bhattacharyya, Avradip Mandal, Mridul Nandi: Security Analysis of the Mode of JH Hash Function

–284– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH The PermutationE d

n n d � FamilyE : 0,1 0,1 of permutations,n=4 2 d { } →{ } ∗ � SHA-3:d=8

� Ed internally: 1. two S-boxesS andS , permutations 0,1 4 0,1 4 0 1 { } →{ } 2. linear transformationL:( 0,1 4)2 ( 0,1 4)2 { } → { } with the MDS property ( next slide) → 3. and a permutation of the 2d 4-bit words

–285– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH 1 L andL −

� MDS-property: for(A,B) :=L(X,Y),(A �,B �) =L(X �,Y �): if (X=X � andY=Y �) or (X=X � andY=Y �) � � thenA=A � andB=B � � � � inverse MDS: if (X=X � orY=Y �) � � 4 then Pr[A=A � orB=B �] = 3840/57600 2 − . ≈ 1 (similarly forL − )

–286– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH The round structure

each round: 1. S-box layer 2. linear transformation layer 3. permutation between 2d 4-bit words

In total 5 (d 1) rounds, plus one additional S-box layer ∗ −

–287– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH Two rounds ofE 4

–288– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH Alternative representation ofE d repeats everyd 1 rounds, hered=4 −

–289– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH A Start-from-the-Middle Attack 8 roundsd=4; similarly for 16 roundsd=8

–290– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH Best Attacks and Tweak

507 � structural: preimages in time 2 (for any number of rounds) � specific: 37 rounds (of 35.5) � reaction: increased number of rounds from 35.5 to 42

–291– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.7: JH 9.8: Keccak Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche

Keccak was selected as afinalist, mainly due to its high security margin, its high throughput and throughput-to-area ratio and the simplicity of its design.

d � family of sponge functions over a 25 2 bit state ∗ represents the state as 5 5 matrix of 2 d -bit words × � message inr-bit blocks (r = “rate”) � N= 12+2d internal rounds (originally 12+1d) � Free output size ofW words � SHA-3: 6 � d= 6, thus state size 24 2 = 1600 bit andN= 12+2 6= 24 ∗ ∗ � forn-bit Hash:r= 1600 2n, e.g.,r= 576 − (“capacity”:c=2n)

–292– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak The state

–293– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak Padding

messageM padded toM X with ||

X=1 0 ∗ 1 || || and split intor-bit blocks:

� one 1-bit � as many 0-bits, as required � one further 1-bit (to distinguish absorbing thefinal message block from squeezing the output)

Note: Message length is not appended!

–294– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak Sponge

� initS

� “absorb” (M1,...,M L): for 1 i L: ≤ ≤ forX+5Y<5/2 d :S[X,Y ] :=S[X,Y] M [X+5Y] ⊕ i permutation: for 0 j

–295– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak Indifferentiability

� sponge structure indifferentiable from a random oracle (Keccak team, Eurocrypt 2008). � importantfinal message block= 0 (recall the padding rule!) � for Keccak: model the permutation for 0 j

–296– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak Round(A, j) run forx,y 0,...,4 ∈{ }

� C[x] :=A[x,0] A[x,1] A[x,2] A[x,3] A[x,4] ⊕ ⊕ ⊕ ⊕ � D[x] :=C[x 1] rotate(C[x+1],1) − ⊕ � A[x,y] :=A[x,y] D[x] ⊕ � B[y,2 x+3 y]= rotate(A[x,y],r[x,y]) ∗ ∗ � A[x,y]=B[x,y] (( B[x+1,y]) andB[x+2,y]) ⊕ ¬ � A[0,0] :=A[0,0] Round_Constant[j] ⊕ � returnA one single non-linear operation: bit-wise and

–297– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak Boolean Functions, Monomials, Degrees A Boolean Function (BF) is a functionf: 0,1 n 0,1 . { } →{ } Each BF can be written a as a polynomial

f(x ,...,x ) =m m m , 1 n 1 ⊕ 2 ⊕···⊕ k i.e., the xor of monomialsm i , where eachm i is a “product”

m =x x x . i σ1 ∧ σ2 ∧···∧ σi

The degree of a monomial is its numberσ i of factors. The degree of a polynomialm m m is the maximum of the monomials’ 1 ⊕ 2 ⊕···⊕ k degrees. The degree of a BF is the minimal degree of all polynomials that define the function (the degree of the “minimal polynomial”). Example (a BF of degree 3): f(x ,...,x ) =x x x x x x x x x 1 6 1 2 3 ⊕ 2 4 ⊕ 3 5 ⊕ 1 ⊕ 6

–298– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak Zero-Sum Distinguisher for Low-Degree BFs

n � LetF: 0,1 0,1 be a BF of degreed. { } →{ } � Set anyn d 1 variables to a constant (either 0 or 1). − − d+1 � Consider the setX 0,1 of inputs and observe ∈{ } F(X)=0. x X �∈ � Why? Look at a single monomialm of degree d: i ≤ � X has at least one variableb on whichm i does not depend, thus

m (X)= m (x) m (x) . i  i  ⊕  i  x X x X,b=0 x X,b=1 �∈ ∈� ∈�     � Asm i does not depend onb, the two expressions left and right of the -operator are the same, and the operation thus gives 0. ⊕

–299– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak The Degree of the Keccak Round Function

� One Keccak-Round: Set of 1600 BFs, each in 1600 variables. � Each single BF has only degree 2. (Why?) f � Thenf consecutive rounds have at most degree 2 . (Why?) � Similarly, the inverse Keccak round function is a set of 1600 BFs, each in 1600 variables. � As it turns out, each of these BFs has at most degree 3, andb consecutive backward rounds have at most degree 3b.

–300– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak Zero-Sum Distinguisher for Keccak (b+f rounds)

b f � setd = max 3 ,2 and { } � fix 1600 d 1 variables; − − d+1 � for all 2 valuesx X loop ∈ computeb rounds backward computef rounds forward d+1 � result: setZ of 2 inputs with

z=0= f(z). z Z z Z �∈ �∈

–301– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak Zero-Sum Distinguisher 16 rounds (b=6,f= 10, workload2 1025)

This does not immediately extend to more rounds, because 37 = 2187, 211 = 2048.

–302– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak Best Attacks and Tweak

N N � note that 2 and 3 are upper bounds for the algebraic degree of the involved BFs – actually, the degree grows a bit slower � reaction (on the zero-sum distinguishers): increase the number of rounds from 12+1d to 12+2d (i.e., from → 18 to 24, for SHA-3) � best known zero-sum distinguisher: 24 rounds (the full Keccak), workload a bit slower than 21600 � best “standard” attack: 2nd preimage attacks for up to 8 rounds of Keccak, slightly faster than exhaustive search

–303– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.8: Keccak 9.9: Skein Mihir Bellare, Jesse Walker, Jon Callas, Doug Whiting, Stefan Lucks, Niels Ferguson, Bruce Schneier, Tadayoshi Kohno (from left to right)

–304– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein Three Variants

Skein was selected as afinalist, mainly due to its high security margin and speed in software.

� Skein-512 (512 state bits, default) � any output size, such as 256 bit (“wide-pipe”), 512 bit (“narrow-pipe”), but also, say 2048 bit, or whatever

� Skein-1024 (1024-bit state bits) � “Skein for the paranoid”, but not much slower than Skein-512 � any output size � Skein-256 � tiny memory footprint (about 100 bytes) � any output size, but security determined by the 256-bit state

–305– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein Design-Philosophy

� 64-bit arithmetic, ARX (+, rot, ) ⊕ � internally uses a block cipher (“ThreeFish-n” for Skein-n) � block ciphers well understood � well developed theory of block cipher based hash functions (especially when block length = state size) � cryptanalysts can analyze ThreeFish to gain confidence in Skein � but, a good attack on ThreeFish would have killed Skein � the block cipher has an additional 128-bit input (the “tweak”) � used in Skein as a counter for the number of bytes consumed so far, and for some additional type information � the usage of the tweak allows to safely and easily adapt Skein for many different tasks (hashing for arbitrary output sizes, message authentication, tree hashing, etc.) � that makes Skein extremelyflexible! � no S-boxes, no table-look-ups (to prevent side-channel attacks, as those for the AES)

–306– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein Unique Block Interaction (UBI) MMO plus usage of the tweak

–307– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein Padding

The messageM is extended toM X with ||

X=0 ∗, if the length ofM is a multiple of 8( ), and else ∗

X= 10 ∗.

This does not seem distinguish certain different messages (e.g.,M andM 0 if M is a multiple of 8, but not a multiple of the block length). || | | But the true length M actually goes into the compression function, via | | the tweak.

—————— ( ) This simplifies byte-oriented implementations. ∗

–308– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein The 128-bit Tweak additional information in every call of the compression function / block cipher

� a 96-bit counter for the length M ofM in bytes | | � 6 bit type information (cfg, key, message output, . . . ) � 1 bit to indicate the current message block is thefinal one � 1 bit to indicate if the length of the current message block is a multiple of 8 (only applicable to thefinal message block) � ...

–309– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein Proofs of Security

� if compression function collision resistant, then so is Skein � if ThreeFish behaves like a good family of tweaked PRP (Pseudorandom Permutation), then Skein is � a good PRP � a secure MAC, � a secure stream cipher, � ... � If one models ThreeFish as an ideal tweakable block cipher, then Skein is indifferentiable from a random oracle

–310– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein The MIX-Operation (the heart of ThreeFish)

� deals with 64-bit words � addition, rotation, XOR � amortized 1 clock cycle on current CPUs � rotation by a data-independent constant 1,..., 63 ∈{ } � rotation constants (repeat every 8 rounds) optimized to maximize diffusion

–311– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein 4 rounds of ThreeFish-512 4 MIX-operations per round

–312– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein ThreeFish Diffusion

� replace all Add- and XOR-operations by Or-operations � set any bit of the start state to “1”, all the other bits to “0” � how long does it take until all state bits are “1”?

full Diff. # rounds security after factor Threefish-256 9 rounds 72 8.0 Threefish-512 10 rounds 72 7.2 Threefish-1024 11 rounds 80 7.3

–313– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein Comparison a similar experiment for MD5, SHA-1, SHA-2

� replace all Add- . . . � also replace the nonlinear Fun-ctions by the bitwise Or in three inputs

full Diff. # rounds security after factor MD5 15 64 4.3 SHA-1 30 80 2.7 SHA-2 (SHA-256) 14 64 4.6 SHA-2 (SHA-512) 18 80 4.4

–314– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein Differential Cryptanalysis Easy to bridge 8 rounds

–315– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein Rotational Cryptanalysis (Basics)

� let(X,Y)= MIX(A,B),

� A� =A <<

� (X �,Y �) = MIX(A�,B �).

� then the probability thatX � =X <<

–316– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein The Key Schedule

� key:k 0,...,k N 1 (N=4,N=8,N= 16 for Threefish-256, -512, − -1024)

� auxiliary valuek N :=C 5 k 0 k 1 k N 1 . ⊕ ⊕ ···⊕ − � constantC 5 = 55...5 16

� tweak:t 0,t 1

� auxiliary valuet 2 =t 0 +t 1. i i i � i-th round keyr =r 0,...,r N 1 with − r i :=k ifj N 4 j (i+j) mod (N+1) ≤ − i rj :=k (i+j) mod (N+1) +t (i+j 2) mod3 ifj N 3,N 2 − ∈{ − − } i rN 1 :=k (i+N 1) mod (N+1) +i( round constant ) − − ∗ ∗

–317– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein Rotational Cryptanalysis i � keyK , tweakT , round keysR i � keyK <<< 2, tweakT , round keysS � with significant probability

(Ri <<<2) S i ≈ (“ ” because of the round constant) ≈ � Observe:C 5 = 55...5 16 =C 5 <<<2 so we’ll use rotations by 2:

� start with key, tweak, plaintext:K,T,X � and rotated key:K (K <<<2) � ≈ � and rotated plaintext:X (X <<<2) � ≈ � with some probability, you get

E (X) E (X �) K,T ≈ K �,T

–318– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein Best Attack and Tweak

� best rotational attack: � distinguisher for 53 rounds Threefish-256 and 57 rounds ThreeFish-512 � key recovery for 39 rounds Threefish-256 and 42 rounds Threefish-512 � reaction: a tweak for Skein/Threefish

� replaceC 5 by irregular constantC 240 = AES-2560(240). � throws back rotational attacks � no effect on other attacks � best attacks for tweaked version (differential or bi-clique): � key recovery for 34 rounds � pseudo-preimages for 37 rounds

–319– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.9: Skein 9.10: Summary– Comparison of Design Strategies

(1) state size forn-bit Hash (n 256, 512 ) ∈{ } invertible compr. (2) (1) (2) (3) (4) (5) (6) function BLAKE n n arx b y y (3) non-linearity by Grøstl 2n n 8-bit p y y � ARX, JH 1024 y 4-bit p y y � 4-bit S-boxes, � 8-bit S-boxes, Keccak 1600 y and p y y � bit-wise and Skein 256, (4) internally uses a 512, n arx b y y � b(lock cipher) 1024 � p(ermutation) (5) provably indifferentiable from a random oracle (6) has been tweaked, as a reaction from cryptanalytic results

–320– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.10: Summary Performance Comparison – a Simplified Overview

� hardware-performance: � ARX-based candidates (BLAKE, Skein) suffer from lack of efficient adders � Skein a bit worse than BLAKE (Skein’s rotation constants only repeat every 8 rounds) � software-performance: � ARX-based candidates leading, since (fast) adders are free � Blake and Skein faster than SHA-2, Groestl, JH and Keccak slower

–321– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.10: Summary Other Issues

� As it turned out, SHA-2 performs quite well on modern CPUs. � There has not been much recent progress in attacking SHA-2. � Thus, unlike 2007/2008, the question is now which hash function will complement SHA-2, rather than which hash function will replace SHA-2? � Performance: Software or hardware – what should count more? � Flexibility: � Skein and Keccak offer special features (e.g., for MAC), BLAKE, Grøstl and JH just hashing. � Unique standard: v � To cover all output sizes, BLAKE and Groestl propose to implement two different hash functions, JH, Keccak and Skein only a single one.

–322– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.10: Summary And the winner was

Keccak

(Not Skein, alas!) Apparent reasons:

� SHA-2 appears quite good (security, performance in software, . . . ) � NIST wanted to choose a good hash function while maximizing “ecological diversity”.

–323– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.10: Summary Content I General Information 1: Introduction 1.1: Hash Functions for Hash Tables 1.2: Cryptographic Hash Functions 1.3: Random Oracles 1.4: Passwords and Password-Hashing 2: Iterated Cryptographic Hash Functions 2.1: Indifferentiability 3: Generic Attacks 3.1: Cycle Finding Algorithms 3.2: Parallel Collision Search 3.3: Preimages 4: Block-Cipher-Based Compression Functions 4.1: Meet-In-The-Middle (MITM) Attacks

–324– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.10: Summary Content II 4.2: The Classification from Preneel, Govaerts and Vanderwalle (1993) 4.3: Black, Rogaway und Shrimpton (2002) – the Proof-Centric Approach 4.4: “Double Block Length” Hash functions 5: Dedicated Compression Functions 5.1: Number-Theory Based Compression Functions 5.2: MD4 and Relatives 5.3: The MD4 structure 5.4: MD4 Details 5.5: Initial Cryptanalysis 5.6: Standardized Offsprings of MD4 6: Hash Trees and Hash-Based Signatures 7: Password-Hashing 7.1: Key Stretching

–325– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.10: Summary Content III 7.2: Considering Memory 7.3: The Pebble Game 7.4: Catena 7.5: The Password Hashing Competition (PHC) 7.6: Amortised Costs for Parallel Pebbling 8: Bitcoins and the Blockchain 8.1: HashCash – Proofs of Work 8.2: Blockchain 8.3: Bitcoins 8.4: Smart Contracts 8.5: Other Cryptocurrencies 9: The SHA-3 Competition 9.1: EnRUPT 9.2: Edon-R

–326– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.10: Summary Content IV 9.3: CubeHash 9.4: Announcing the Finalists 9.5: Blake 9.6: Grøstl 9.7: JH 9.8: Keccak 9.9: Skein 9.10: Summary

–327– Stefan Lucks Hash Fun. (2019) 9: SHA-3 9.10: Summary