ECE 646 Lecture 9
Hash functions & MACs Required Reading
W. Stallings, "Cryptography and Network-Security,”
Chapter 11 Cryptographic Hash Functions
Appendix 11A Mathematical Basis of Birthday Attack
Chapter 12 Message Authentication Codes
Recommended Reading
SHA-3 Project https://csrc.nist.gov/projects/hash-functions/sha-3-project Digital Signature Alice Bob Message Signature Message Signature
Hash Hash function function
Hash value 1 Hash value yes no Hash value 2 Public key Public key algorithm algorithm
Alice’s private key Alice’s public key Hash function
arbitrary length m message
hash h function
h(m) hash value
fixed length Vocabulary hash function hash value message digest message digest hash total fingerprint imprint cryptographic checksum compressed encoding MDC, Message Digest Code Hash functions Basic requirements
1. Public description, NO key
2. Compression arbitrary length input ® fixed length output
3. Ease of computation Hash functions Security requirements It is computationally infeasible Given To Find 1. Preimage resistance y x, such that h(x) = y
2. 2nd preimage resistance x’ ¹ x, such that x and y=h(x) h(x’) = h(x) = y
3. Collision resistance x’ ¹ x, such that h(x’) = h(x) Hash functions Dependence between requirements
2nd preimage resistant
collision resistant Hash functions (unkeyed)
One-Way Collision-Resistant Hash Functions Hash Functions OWHF CRHF
preimage resistance
2nd preimage resistance
collision resistance Brute force attack against One-Way Hash Function Given y
mi’ i=1..2n 2n messages with the contents required by the forger h
? h(mi’) = y
n - bits Creating multiple versions of the required message
state thereby borrowed I confirm - that I received
Mr. Kris $10,000 from ten thousand dollars Dr. Krzysztof
October 23, money Gaj on 2019. This 10 / 23 / sum of money should returned Mr. be to Gaj is required to given back Dr. 4th by the day of December 2019. fourth Dec. Brute force attack against Yuval Collision Resistant Hash Function
r messages r messages acceptable for the signer required by the forger
mi i=1..r mj’ j=1..r
h h
h(mi) h(mj’)
n - bits n - bits
h(mi) = h(mj’) Creating multiple versions of the required message
state thereby borrowed I confirm - that I received
Mr. Kris $10,000 from ten thousand dollars Dr. Krzysztof
October 23, money Gaj on 2019. This 10 / 23 / sum of money should returned Mr. be to Gaj is required to given back Dr. 4th by the day of December 2019. fourth Dec. Message acceptable for the signer
state thereby October 23, I that on 2019 confirm - 10 / 23 /
borrowed Mr. Kris paper I a received from Dr. Krzysztof manuscript on security of Electronic Voting. This text side-channel attacks for PQC. item
should returned Mr. be to Gaj is required to given back Dr.
4th by the day of December 2019. fourth Dec. Birthday paradox
How many students must be in a class so that there is a greater than 50% chance that
1. one of the students shares the teacher’s birthday (up to the day and month)? 2. any two of the students share the same birthday (up to the day and month)? Birthday paradox
How many students must be in a class so that there is a greater than 50% chance that
1. one of the students shares the teacher’s birthday (day and month)?
~ 366/2 = 183
2. any two of the students share the same birthday (day and month)?
~Ö 366 » 19 Brute force attack against Collision Resistant Hash Function
Probability p that two different messages have the same hash value:
r2 p = 1 − exp (− ) 2n
For r = 2n/2 p = 63% Brute force attack against Collision Resistant Hash Function Storage requirements
J.J. Quisquater collision search algorithm
Number of operations: 2 Ö p/2 · 2n/2 » 2.5 · 2n/2
Storage: Negligible Hash value size One-Way Collision-Resistant Older algorithms (currently insecure): n ³ 64 n ³ 128 8 bytes 16 bytes Old standards: n ³ 80 n ³ 160 10 bytes 20 bytes
Current standards (e.g., SHA-2, SHA-3): n = 128, 192, 256 n = 256, 384, 512 16, 24, 32 bytes 32, 48, 64 bytes Hash function algorithms
Customized Based on Based on (dedicated) block ciphers modular arithmetic
MD2 MDC-2 MASH-1 Rivest 1988 MDC-4 1988-1996 MD4 IBM, Brachtl, Meyer, Schilling, 1988 Rivest 1990
MD5 SHA-0 RIPEMD NSA, 1992 Rivest 1990 European RACE Integrity Primitives Evaluation Project, 1992 SHA-1 NSA, 1995 RIPEMD-160
SHA-256, SHA-384, SHA-512 NSA, 2000 Attacks against dedicated hash functions known by 2004 partially broken MD2 broken, H. Dobbertin, 1995 MD4 (one hour on PC, 20 free bytes at the start of the message)
weakness MD5 SHA-0 discovered, RIPEMD 1995 NSA, reduced round partially broken, 1998 France version broken, collisions for the Dobbertin 1995 compression function, Dobbertin, 1996 SHA-1 (10 hours on PC) RIPEMD-160
SHA-256, SHA-384, SHA-512 What was discovered in 2004-2005?
broken; MD4 Wang, Feng, Lai, Yu, Crypto 2004 (manually, without using a computer)
attack with broken; MD5 240 operations Wang, Feng, Lai, Yu, broken; SHA-0 Crypto 2004 RIPEMD Crypto 2004 Wang, Feng, Lai, Yu attack with (manully, without Crypto 2004 263 operations using a computer) (1 hr on a PC) SHA-1 Wang, Yin, RIPEMD-160 Yu, Aug 2005 SHA-256, SHA-384, SHA-512 263 operations Schneier, 2005 In hardware: Machine similar to the one used to break DES: Cost = $50,000-$70,000 Time: 18 days or Cost = $0.9-$1.26M Time: 24 hours In software: Computer network similar to distributed.net used to break DES (~331,252 computers) : Cost = ~ $0 Time: 7 months Recommendations of NIST (1)
NIST Brief Comments on Recent Cryptanalytic Attacks on SHA-1 Feb 2005 The new attack is applicable primarily to the use of hash functions in digital signatures.
In many cases applications of digital signatures introduce additional context information, which may make attacks impracticle.
Other applications of hash functions, such as Message Authentication Codes (MACs), are not threatened by the new attacks. Recommendations of NIST (2)
NIST was already earlier planning to withdraw SHA-1 in favor of SHA-224, SHA-256, SHA-384 & SHA-512 by 2010.
New implementations should use new hash functions.
NIST encourages government agancies to develop plans for gradually moving towards new hash functions, taking into account the sensitivity of the systems when setting the timetables. SHA-3 Contest Timeline 2007 • publication of requirements • 29.X. 2007: request for candidates 2008 • 31.X.2008: deadline for submitting candidates • 9.XII.2008: announcement of 51 candidates accepted for Round 1 2009 • 25-28.II.2009: 1st SHA-3 Candidate Conference, Leuven, Belgium • 24.VII.2009: 14 Round 2 candidates announced 2010 • 23-24.VIII.2010: 2nd SHA-3 Candidate Conference, Santa Barbara, CA • 9.XII.2010: 5 Round 3 candidates announced 2012 • 22-23.III.2012: 3rd SHA-3 Candidate Conference, Washington, D.C. • 2.X.2012: selection of the winner 2014: • 28.V.2014: draft version of the standard published 2015: • 5.VIII.2015: final version of the standard published Number of Submissions
• Number of submissions received by NIST: 64
• Number of submissions publicly available: 56
• Number of submissions qualified to the first round: 51 Basic Requirements for a new hash function
• Must support hash values of 224, 256, 384 and 512 bits • Available worldwide without licensing fees • Secure over tens of years • Suitable for use in - digital signatures FIPS 186 - message authentication codes, HMAC, FIPS 198 - key agreement schemes, SP 800-56A - random number generators, SP 800-90 • At least the same security level as SHA-2 with increased efficiency SHA-3 Contest: 2008-2012
51 Round 1 Round 2 Round 3 candidates 14 5 1 Jul. 2009 Dec. 2010 Oct. 2012 Oct. 2008 Hardware benchmarking
Security Analysis & Software Benchmarking
29 FPGA Benchmarking of Round 2 Candidates
Altera Xilinx Technology Low-cost High- Low-cost High- performance performance
90 nm CycloneDesigners: II Stratix II Spartan 3 Virtex 4
65 nm Cyclone III Stratix III Virtex 5
Designers:
Marcin Ekawat Rogawski Homsirikamol (“Ice”)
30 ATHENa – Automated Tool for Hardware EvaluatioN
• Open-source • Written in Perl • Developed 2009-2012 • Automated search for optimal § Options of tools § Target frequency § Starting placement point • Supporting Xilinx ISE & Altera Quartus
FPL Community Award 2010 Milan, Italy, Sep. 2010
Image of Athena Goddess courtesy of Carolyn Angus 31 ATHENa Inputs/Outputs
configuration files
testbench synthesizable source files
OR
result summary database entries (human-friendly) (machine- friendly)
32 ATHENa Database of Results
http://cryptography.gmu.edu/athenadb
33 ATHENa Gains
3 Area 2.5 Thr 2 Thr/Area
1.5
1
0.5
0
Ratios of results obtained using ATHENa suggested options vs. default options of FPGA tools 34 ATHENa Gains
“working” with ATHENa…
old days…
35 Why ATHENa?
"The Greek goddess Athena was frequently called upon to settle disputes between the gods or various mortals. Athena Goddess of Wisdom was known for her superb logic and intellect. Her decisions were usually well-considered, highly ethical, and seldom motivated by self-interest.”
from "Athena, Greek Goddess of Wisdom and Craftsmanship"
36 SHA-3 Round 2 Results: 14 candidates Throughput Best: Fast & Small
Worst: Slow & Big
Area
Throughput vs. Area: Normalized to Results for SHA-2 and Averaged over 7 FPGA Families 37 Research: Multiple Architectures
Horizontal Folding • datapath width = state size /2(h) • two clock cycles per one round/step Throughput
/2(h) Th x1
Area A
Typically Throughput/Area ratio increases 38 Research: Design Space Exploration
Results for BLAKE 39 Research: Design Space Exploration
All Final SHA-3 Candidates (Keccak, SHA-2, JH, BLAKE, Groestl) & the old standard SHA-2 40 Research: FPGA vs. ASIC
• ASIC developed in collaboration with ETH Zurich • standard-cell CMOS 65nm UMC process • 6 GMU implementations 6 ETH Zurich implementations • Taped-out in Oct. 2011, successfully tested in Feb. 2012 • Results reported at the 3rd SHA-3 Candidate Conference in Washington D.C. in Mar. 2012
41 Research: FPGA vs. ASIC
ASIC Stratix III FPGA
42 Results Relative to SHA-2
0.25 0.35 0.50 0.79 1.00 1.41 2.00 2.83 4.00
43 Hash functions Applications (1) 1. Digital Signatures
Advantages 1. Shorter signature 2. Much faster computations 3. Larger resistance to manipulation (one block instead of several blocks of signature)
4. Resistance to the multiplicative attacks
5. Avoids problems with different sizes of the sender and the receiver moduli Hash functions Applications (2)
2. Fingerprint of a program or a document (e.g., to detect a modification by a virus or an intruder)
program
hash safe place ? fingerprint = original_fingerprint Hash functions Applications (3) 3. Storing passwords
Instead of: password ID, password
hash System stores:
ID, hash(password) hash(password) UNIX password scheme “00000000” password DES salt
ID, salt, password DES salt hash(password, salt) . . . . salt modifies the password DES salt expansion function E of DES hash(password, salt) Hash functions Applications (4) 4. Fast encryption
PRNG
ki
mi ci
k0 = hash(KAB || IV ) k0 = hash(KAB || IV) k1 = hash(KAB || k0) or k1 = hash(KAB || c0) ......
kn = hash(KAB || kn-1) kn = hash(KAB || cn-1) General scheme for constructing a secure hash function Message m
Padding, appending bit length, M
M1 M2 . . . Mt
h(m) H0 H1 H2 Ht IV f f . . . g
compression output function transformation Merkle-Damgard Scheme Parameters of the Merkle-Damgard Scheme
Compression Mi function r In SHA-1 n=160 n n r=512 Hi-1 f Hi In SHA-256 n=256 Entire hash r=512
H0 = IV In SHA-512 H = f(H , M ) n=512 i i-1 i r=1024 h(m) = g(Ht) Sponge Scheme Hash padding – SHA-1 & SHA-256 64-bits
message 100000000000 length
length of the entire message in bits
All zero padding: Correct padding: X X X 0 0 0 0 0 X X X 0 0 1 0 0 X X X 0 0 0 0 0 X X X 1 0 0 0 0 Hash padding – SHA-3 Candidates
BLAKE256D 1000 . . . 0001 len64 Grøstl D 1000 . . . 0000 #blocks JH42D 1000 . . . 0001 len128 Keccak D 1000 . . . 0001 Skein D 0000 . . . 0000 SHA−2 (256) D 1000 . . . 0000 len64 Minimum D Data M Padding P Padding C Counter Parameters of new hash functions Features affecting security and functionality
SHA-1 SHA-256 SHA-384 SHA-512
Size of hash 160 256 384 512 value Complexity of 280 2128 2192 2256 the birthday attack Equivalently secure Skipjack AES-128 AES-192 AES-256 secret-key cipher Message size < 264 < 264 < 2128 < 2128 Parameters of new hash functions Features affecting implementation speed
SHA-1 SHA-256 SHA-384 SHA-512
Message block 512 512 1024 1024 size Number of 80 64 80 80 digest rounds Hardware implementations Conceptual comparison Speed
SHA-512, SHA-384
SHA-256
SHA-1 Area Results of the prototype FPGA implementation GMU, 2002 Speed in hardware [Mbit/s] 700 616 600 462 500 400 300 200 100 0 SHA-1 SHA-512 Complexity of the best attack 280 2256 the same as Skipjack AES-256 Hash functions 20 years ago Present U.S. Government standards: U.S. Government standards:
SHA-1 SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 Other popular hash functions: SHA-3
MD5, RIPEMD Other popular hash functions:
Security status: Whirlpool – winner of NESSIE
MD4 broken (1995) Security status: SHA-1 replaced SHA-0 (1995) MD5 partially broken MD5 broken (1 hr on PC) (collisions in compression SHA-0 broken function, 1996) RIPEMD broken (without a need for computer) SHA-1 practically broken, best attack – 263 operations – only 128 x more than breaking DES Hash functions Timeline
U.S. Government standards: II. 2003 SHA-1 FIPS 180 FIPS 180-2 SHA-256, 384, 512 FIPS 180-2 SHA-224 FIPS 180-2 II. 2004 Contests: I. 2000 XII. 2002 SHA-256, SHA-384, SHA-512, NESSIE Whirlpool
VIII. 2004 Attacks: broken: MD5 – collisions VIII. 1998 MD4, MD5, SHA-0, for compression SHA-0 – attack RIPEMD 61 function, with 2 operations II-VIII. 2005 10 hrs on PC attack on SHA-1 269®263 operations
1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 Authentication Alice Bob Message MAC Message MAC
K KAB Secret key AB Secret key algorithm algorithm Secret key Secret key of Alice and Bob of Alice and Bob MAC’
yes no MAC MAC - Message Autentication Codes (keyed hash functions)
arbitrary length m message secret key K MAC function
MAC
fixed length MAC functions Basic requirements
1. Public description, SECRET key parameter
2. Compression arbitrary length input ® fixed length output
3. Ease of computation MAC functions Security requirements
Given zero or more pairs
mi, MACK(mi) i = 1..k
it is computationally impossible to find any new pair
m’, MACK(m’) Such that
m’ ¹ mi i = 1..k MAC functions Security requirements
Resistance against
1. Known-text attack
2. Chosen-text attack
3. Adaptive chosen-text attack CBC-MAC (1)
m1 m2 mt H 0 t-1 . . . .
E E E
Ht K K K H1 H2 MAC FIPS-113 K’ D
K E MAC CBC-MAC (1)
H0 = IV = 0 Hi = DESK(mi Å Hi-1) i = 1..t
MAC(m) = Ht[1..32] or -1 MAC(m) = EK(EK’ (Ht))[1..32] MAC functions
Based on Based on Based block hash Dedicated on stream ciphers functions ciphers
CBC-MAC HMAC MAA CRC-MAC CFB-MAC MD5-MAC RIPE-MAC CMAC CMAC RIPE-MAC
H0 = IV = 0
Hi = DESK(mi Å Hi-1) Å mi i = 1..t -1 MAC(m) = EK(EK’ (Ht))[0..31] K’ = K Å 0xf0f0…f0 HMAC Bellare, Canetti, Krawczyk, 1996
Used in SSL and IPSec
HMAC(m) = h(K Å ipad || h(K Å opad || m)) ipad, opad - constant padding strings of the length of the message block size in the hash function h
ipad = repetitions of 0x36 = 00110110 opad = repetitions of 0x5A = 01011010 HMAC KEY Å opad = KEY’ message m
KEY Å h • American standard ipad FIPS 198 = KEY” • Arbitrary hash function and key size
h HMAC Message Authentication Codes - MACs 20 years ago Present U.S. Government standards: U.S. Government standards:
MAC (DAC) based on DES HMAC – based on hash functions (since 1985) used in SSL and IPSec
CMAC – block cipher mode (AES, Triple DES, Skipjack)
Other MACs in use: Other MACs in use:
RIPE-MAC3, CRC-MAC, MAA UMAC, TTMAC, EMAC – winners of the NESSIE contest NESSIE: Winners of the contest: 2002 Message Authentication Codes, MACs
Security level Key size Output width high ³ 256 32×k normal ³ 128 32×k
Name Origin 1. UMAC UC Davis 2. TTMAC K.U. Leuven 3. EMAC U. of Toronto 4. HMAC NIST & NSA Message Authentication Codes Timeline
U.S. standards: MAC (DAC) FIPS 113 (based on DES) withdrawn in 2008 HMAC FIPS 198 (based on hash functions) CMAC SP 800-38C III. 2002 V. 2005
Contests: Contest winners: NESSIE UMAC, TTMAC, EMAC
2002 RMAC – practical attack Attacks: against MAC proposed by NIST and based on Triple DES
1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 Confidentiality & Authentication Authenticated Ciphers
Bob Alice N Message N Ciphertext Tag
K KAB Authenticated AB Authenticated Cipher Cipher Encryption Decryption
N Ciphertext Tag invalid or Message
KAB - Secret key of Alice and Bob N – Nonce or Initialization Vector Confidentiality & Authentication Authenticated Ciphers
Enc Npub Nsec AD Message NpubNsec AD Ciphertext Tag
KKeyAB KKeyAB Encryption Decryption
or Enc NpubNsec AD Ciphertext Tag Invalid Nsec AD Message
Npub - Public Message Number Nsec - Secret Message Number Enc Nsec - Encrypted Secret Message Number AD - Associated Data KAB - Secret key of Alice and Bob Examples of Most Commonly Used Authenticated Ciphers
• AES-GCM • AES-OCB3 • AES-OCB • AES-CCM • AES-EAX CAESAR Contest 2013-2019 Cryptographic Standard Contests
IX.1997 X.2000 AES 15 block ciphers ® 1 winner
NESSIE I.2000 XII.2002 CRYPTREC XI.2004 IV.2008 34 stream 4 HW winners eSTREAM ciphers ® + 4 SW winners X.2007 X.2012 51 hash functions ® 1 winner SHA-3 I.2013 II.2019 57 authenticated ciphers ® multiple winners CAESAR
97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 time Evaluation of Candidates in Cryptographic Contests
Completed 51 hash functions ® 1 winner X.2007 X.2012 In progress SHA-3 I.2013 II.2019 57 authenticated ciphers CAESAR ® multiple winners VIII.2018 TBD 56 Lightweight authenticated ciphers & hash functions Lightweight Cryptography
07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 Year Evaluation Criteria
Security
Software Efficiency Hardware Efficiency
µProcessors µControllers FPGAs ASICs
Flexibility Simplicity Licensing
82 CAESAR Contest: 2015-2018
Round 1 Round 2 Round 3 Round 4 57 Final 15 7 6 candidates 29 Portfolio Jul. 2015 Aug. 2016 Mar. 2018 Feb. 2019 Mar. 2014 Hardware benchmarking
Security Analysis & Software Benchmarking
83 CAESAR Major Challenges
Fairness Number of Candidates
84 CAESAR Hardware API
1. Minimum Compliance Criteria 3. Communication Protocol • Encryption, decryption, key scheduling • Padding • Maximum size of message & AD • Permitted data port widths, etc.
2. Interface 4. Timing Characteristics
Proposed by GMU in Feb. 2016, approved by the CAESAR Committee in May 2016 85 CAESAR Development Package
Universal Testbench (VHDL)
Code Common for All Candidates (VHDL)
Test Vector Generator (Python) 86 VHDL/Verilog Code Submitters
1. CCRG NTU (Nanyang Technological University) Singapore – ACORN, AEGIS, JAMBU, & MORUS 2. CLOC-SILC Team, Japan – CLOC & SILC 3. Ketje-Keyak Team – Ketje & Keyak 4. Lab Hubert Curien, St. Etienne, France – ELmD & TriviA-ck 5. Axel Y. Poschmann and Marc Stöttinger – Deoxys & Joltik 6. NEC Japan – AES-OTR 7. IAIK TU Graz, Austria – Ascon 8. DS Radboud University Nijmegen, Netherlands – HS1-SIV 9. IIS ETH Zurich, Switzerland – NORX 10.Pi-Cipher Team – Pi-Cipher 11.EmSec RUB, Germany – POET 12.CG UCL, INRIA – SCREAM 13.Shanghai Jiao Tong University, China – SHELL 13 Design Groups, 19 CAESAR Round 2 Candidates 87 VHDL/Verilog Code Submitters
“Ice” Homsirikamol Will Diehl AES-GCM, AEZ, Minalpher Ascon, Deoxys, OMD HS1-SIV, ICEPOLE, POET Joltik, NORX, OCB, SCREAM PAEQ, Pi-Cipher, STRIBOB
Ahmed Farnoud Mike X. Ferozpuri Farahmand Lyons PRIMATEs- AES-COPA TriviA-ck GIBBON & CLOC HANUMAN, PAEQ GMU alone, 19 Candidate Families + AES-GCM 88 CAESAR Contest: Impact
75 unique open-source designs Covering the majority of primary variants of 28 out of 29 Round 2 Candidate Families (all except Tiaoxin) High-speed implementation of AES-GCM (baseline)
The biggest and the earliest hardware benchmarking effort in the history of cryptographic competitions
89 Percentage of Candidates in Hardware
Initial number Implemented Percentage of candidates in hardware
AES 15 5 33.3% eSTREAM 34 8 23.5%
SHA-3 51 14 27.5%
CAESAR 57 28 49.1%
90 CAESAR Contest: Results for Round 2
Relative (w.r.t. AES-GCM) Throughput in Virtex 6
14-16x better than the E – Throughput for Encryption D – Throughput for Decryption current standard A – Throughput for Authentication Only Default: Throughput the same for all 3 operations Why the slowest?
Red – algorithms qualified to Round 3
Throughput of AES-GCM = 3239 Mbit/s 91 CAESAR Contest: Results for Round 2
Relative (w.r.t. AES-GCM) Throughput/Area in Virtex 6
E – Throughput/Area for Encryption Team D – Throughput/Area for Decryption Keccak A – Throughput/Area for Authentication Only Default: Throughput/Area the same for all 3 operations
Red – algorithms qualified to Round 3
Throughput/Area of AES-GCM = 1.020 (Mbit/s)/LUTs 92 Side-Channel Analysis Resistance
Use Case: Lightweight applications (resource constrained environments) • critical: fits into small hardware area and/or small code for 8-bit CPUs • desirable: ability to protect against side-channel attacks (e.g., power attacks)
Will Diehl (co-advised with Jens-Peter Kaps) t-test using low-cost FOBOS environment developed by CERG
93 Side-Channel Analysis – Preliminary Results Unprotected Lightweight Implementations
Best: Fast & Small Best: ACORN JAMBU-SIMON
Worst: CLOC-AES Worst: Slow SILC-AES & Big
x 94 Side-Channel Analysis – Preliminary Results Protected Lightweight Implementations On Average: Area: x2.7 Thr: x1.8 Thr/Area: x5.4 Best: ACORN JAMBU-SIMON
Worst: CLOC-TWINE CLOC-AES
95 Presentation of Prof. D. Bernstein at the Rump Session of the Fast Software Encryption conference, March 2018