sign in sign up
<<
Home , Lane (hash function), MD6, NaSHA, Spectral Hash

Cryptographic hash functions NIST SHA-3 Competition Grøstl

Grøstl – a SHA-3 candidate

Krystian Matusiewicz

Wroclaw University of Technology

CECC 2010, June 12, 2010

Krystian Matusiewicz Grøstl – a SHA-3 candidate 1 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Talk outline

◮ Cryptographic hash functions ◮ NIST SHA-3 Competition ◮ Grøstl

Krystian Matusiewicz Grøstl – a SHA-3 candidate 2 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Cryptographic hash functions

Krystian Matusiewicz Grøstl – a SHA-3 candidate 3 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Cryptographic hash functions: why?

◮ We want to have a short, fixed length “fingerprint” of any piece of data ◮ Different fingerprints – certainly different data ◮ Identical fingerprints – most likely the same data ◮ No one can get any information about the data from the fingerprint

Krystian Matusiewicz Grøstl – a SHA-3 candidate 4 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function)

Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Properties: ◮ No information about the data ◮ To find a preimage: 2n queries for n-bit outputs ◮ To find collisions: 2n/2 queries ◮ Random behaviour

Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Properties: ◮ No information about the data ◮ To find a preimage: 2n queries for n-bit outputs ◮ To find collisions: 2n/2 queries ◮ Random behaviour

We want to construct concrete algorithms which are as close to this behaviour as possible.

Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

NIST SHA-3 Competition

Krystian Matusiewicz Grøstl – a SHA-3 candidate 6 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Krystian Matusiewicz Grøstl – a SHA-3 candidate 7 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

The world after Wang (after 2004)

hash designed Wang-inspired attacks MD4 1990 collisions by hand calculation MD5 1992 collisions in ms on a computer SHA-0 1993 collisions in ≈ 1hr SHA-1 1995 attacked, 269 SHA-2 2002 no attack

Many other hash functions similar to MD5/SHA-1 were subsequently broken using Wang’s method.

Krystian Matusiewicz Grøstl – a SHA-3 candidate 8 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

NIST SHA-3 competition

◮ There is only one hash function standardized by NIST which is not broken (SHA-256/SHA-512) ◮ But design principles are somehow similar to the broken ones, is it secure enough? ◮ Would be good to have a backup plan ◮ Let’s organize a competition like the one for Advanced Standard!

Krystian Matusiewicz Grøstl – a SHA-3 candidate 9 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

First-round SHA-3 candidates

Abacus ARIRANG AURORA BLAKE Blender Blue Midnight Wish BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Grøstl Hamsi JH Keccak Khichidi-1 Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA SHAvite-3 SIMD StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall

Krystian Matusiewicz Grøstl – a SHA-3 candidate 10 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Second-round SHA-3 candidates

Abacus ARIRANG AURORA BLAKE Blender Blue Midnight Wish BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1 LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall

Krystian Matusiewicz Grøstl – a SHA-3 candidate 11 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

What happens next?

◮ August 2010 – second NIST workshop ◮ Around 5 finalists will be announced before the end of the year ◮ The winner selected in 2012

Krystian Matusiewicz Grøstl – a SHA-3 candidate 12 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

The SHA-3 Zoo / Hash function Zoo

Everything you ever wanted to know about SHA-3 candidates ◮ ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo ◮ ehash.iaik.tugraz.at/wiki/The_Hash_Function_Zoo

Krystian Matusiewicz Grøstl – a SHA-3 candidate 13 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Grøstl

Krystian Matusiewicz Grøstl – a SHA-3 candidate 14 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

The Grøstl team

Søren S. Thomsen Martin Schl¨affer

Christian Rechberger Florian Mendel

Lars R. Knudsen Praveen Gauravaram & K.M.

Krystian Matusiewicz Grøstl – a SHA-3 candidate 15 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Grøstl hash function

m1 m2 m3 mt

- - - - iv - f - f - f . . . - f - Ω - H(m)

◮ Iterated wide-pipe ◮ Output transformation

Krystian Matusiewicz Grøstl – a SHA-3 candidate 16 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Grøstl Compression Function h m

?  f

? ? P Q

? - 

?

◮ P, Q – large, fixed permutations ◮ Security reductions: collision, preimage resistance provided that permutations behave like ideal ones

Krystian Matusiewicz Grøstl – a SHA-3 candidate 17 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Grøstl Output Transformation

x P

◮ Provides protection against some attacks ◮ Random behaviour

Krystian Matusiewicz Grøstl – a SHA-3 candidate 18 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Designing an “ideal permutation”

◮ How to design an “ideal permutation”? ◮ No way of telling it apart from randomly chosen permutation ◮ No visible structure ◮ No differential trail with significant probability ◮ Wide-trail strategy

Krystian Matusiewicz Grøstl – a SHA-3 candidate 19 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Grøstl : One round of P, Q (×10)

AddRoundConstant SubBytes ShiftBytes MixBytes

Krystian Matusiewicz Grøstl – a SHA-3 candidate 20 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Grøstl : AddRoundConstant

i

i ⊕ ff AddRoundConstant of P AddRoundConstant of Q

◮ Permutations must be different (security) ◮ Different constants for P and Q

Krystian Matusiewicz Grøstl – a SHA-3 candidate 21 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Grøstl : SubBytes

S(·)

Krystian Matusiewicz Grøstl – a SHA-3 candidate 22 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Grøstl : ShiftBytes

shift by 0 shift by 1 shift by 2 shift by 3 shift by 4 shift by 5 shift by 6 shift by 7

Krystian Matusiewicz Grøstl – a SHA-3 candidate 23 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Grøstl : MixBytes

B = circ(02, 02, 03, 04, 05, 03, 05, 07)

Krystian Matusiewicz Grøstl – a SHA-3 candidate 24 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Cryptanalytic Results

Hash function collisions Grøstl-256 4/10 Grøstl-512 5/14

Compression function collisions Grøstl-256 7/10 Grøstl-512 7/14

Permutation non-randomness Grøstl-256 8/10

Krystian Matusiewicz Grøstl – a SHA-3 candidate 25 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl

Grøstl : Enjoy!

Krystian Matusiewicz Grøstl – a SHA-3 candidate 26 / 26