Cryptographic hash functions NIST SHA-3 Competition Grøstl
Grøstl – a SHA-3 candidate
Krystian Matusiewicz
Wroclaw University of Technology
CECC 2010, June 12, 2010
Krystian Matusiewicz Grøstl – a SHA-3 candidate 1 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Talk outline
◮ Cryptographic hash functions ◮ NIST SHA-3 Competition ◮ Grøstl
Krystian Matusiewicz Grøstl – a SHA-3 candidate 2 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Cryptographic hash functions
Krystian Matusiewicz Grøstl – a SHA-3 candidate 3 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Cryptographic hash functions: why?
◮ We want to have a short, fixed length “fingerprint” of any piece of data ◮ Different fingerprints – certainly different data ◮ Identical fingerprints – most likely the same data ◮ No one can get any information about the data from the fingerprint
Krystian Matusiewicz Grøstl – a SHA-3 candidate 4 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function)
Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Properties: ◮ No information about the data ◮ To find a preimage: 2n queries for n-bit outputs ◮ To find collisions: 2n/2 queries ◮ Random behaviour
Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Properties: ◮ No information about the data ◮ To find a preimage: 2n queries for n-bit outputs ◮ To find collisions: 2n/2 queries ◮ Random behaviour
We want to construct concrete algorithms which are as close to this behaviour as possible.
Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
NIST SHA-3 Competition
Krystian Matusiewicz Grøstl – a SHA-3 candidate 6 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Krystian Matusiewicz Grøstl – a SHA-3 candidate 7 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
The world after Wang (after 2004)
hash designed Wang-inspired attacks MD4 1990 collisions by hand calculation MD5 1992 collisions in ms on a computer SHA-0 1993 collisions in ≈ 1hr SHA-1 1995 attacked, 269 SHA-2 2002 no attack
Many other hash functions similar to MD5/SHA-1 were subsequently broken using Wang’s method.
Krystian Matusiewicz Grøstl – a SHA-3 candidate 8 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
NIST SHA-3 competition
◮ There is only one hash function standardized by NIST which is not broken (SHA-256/SHA-512) ◮ But design principles are somehow similar to the broken ones, is it secure enough? ◮ Would be good to have a backup plan ◮ Let’s organize a competition like the one for Advanced Encryption Standard!
Krystian Matusiewicz Grøstl – a SHA-3 candidate 9 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
First-round SHA-3 candidates
Abacus ARIRANG AURORA BLAKE Blender Blue Midnight Wish BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1 LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall
Krystian Matusiewicz Grøstl – a SHA-3 candidate 10 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Second-round SHA-3 candidates
Abacus ARIRANG AURORA BLAKE Blender Blue Midnight Wish BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1 LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall
Krystian Matusiewicz Grøstl – a SHA-3 candidate 11 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
What happens next?
◮ August 2010 – second NIST workshop ◮ Around 5 finalists will be announced before the end of the year ◮ The winner selected in 2012
Krystian Matusiewicz Grøstl – a SHA-3 candidate 12 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
The SHA-3 Zoo / Hash function Zoo
Everything you ever wanted to know about SHA-3 candidates ◮ ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo ◮ ehash.iaik.tugraz.at/wiki/The_Hash_Function_Zoo
Krystian Matusiewicz Grøstl – a SHA-3 candidate 13 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Grøstl
Krystian Matusiewicz Grøstl – a SHA-3 candidate 14 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
The Grøstl team
Søren S. Thomsen Martin Schl¨affer
Christian Rechberger Florian Mendel
Lars R. Knudsen Praveen Gauravaram & K.M.
Krystian Matusiewicz Grøstl – a SHA-3 candidate 15 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Grøstl hash function
m1 m2 m3 mt
- - - - iv - f - f - f . . . - f - Ω - H(m)
◮ Iterated wide-pipe ◮ Output transformation
Krystian Matusiewicz Grøstl – a SHA-3 candidate 16 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Grøstl Compression Function h m
? f
? ? P Q
? -
?
◮ P, Q – large, fixed permutations ◮ Security reductions: collision, preimage resistance provided that permutations behave like ideal ones
Krystian Matusiewicz Grøstl – a SHA-3 candidate 17 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Grøstl Output Transformation
x P
◮ Provides protection against some attacks ◮ Random behaviour
Krystian Matusiewicz Grøstl – a SHA-3 candidate 18 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Designing an “ideal permutation”
◮ How to design an “ideal permutation”? ◮ No way of telling it apart from randomly chosen permutation ◮ No visible structure ◮ No differential trail with significant probability ◮ Wide-trail strategy
Krystian Matusiewicz Grøstl – a SHA-3 candidate 19 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Grøstl : One round of P, Q (×10)
AddRoundConstant SubBytes ShiftBytes MixBytes
Krystian Matusiewicz Grøstl – a SHA-3 candidate 20 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Grøstl : AddRoundConstant
i
i ⊕ ff AddRoundConstant of P AddRoundConstant of Q
◮ Permutations must be different (security) ◮ Different constants for P and Q
Krystian Matusiewicz Grøstl – a SHA-3 candidate 21 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Grøstl : SubBytes
S(·)
Krystian Matusiewicz Grøstl – a SHA-3 candidate 22 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Grøstl : ShiftBytes
shift by 0 shift by 1 shift by 2 shift by 3 shift by 4 shift by 5 shift by 6 shift by 7
Krystian Matusiewicz Grøstl – a SHA-3 candidate 23 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Grøstl : MixBytes
B = circ(02, 02, 03, 04, 05, 03, 05, 07)
Krystian Matusiewicz Grøstl – a SHA-3 candidate 24 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Cryptanalytic Results
Hash function collisions Grøstl-256 4/10 Grøstl-512 5/14
Compression function collisions Grøstl-256 7/10 Grøstl-512 7/14
Permutation non-randomness Grøstl-256 8/10
Krystian Matusiewicz Grøstl – a SHA-3 candidate 25 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl
Grøstl : Enjoy!
Krystian Matusiewicz Grøstl – a SHA-3 candidate 26 / 26