Secure Hash Algorithm-3 Cryptographic Hash Functions


SHA-3 is a cryptographic hash function (designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche).

A cryptographic hash function takes an arbitrary block of data (message) and returns a fixed-size bit string (hash value):

H : {0,1}* → {0,1}^n

Hash functions provide integrity and have applications in digital signatures, message authentication codes, etc.

Need for SHA-3

Widespread hash functions before 2004: MD4, MD5, RIPE-MD, RIPE-MD160, SHA0, SHA1, SHA2

• 1991-1993: Den Boer and Bosselaers attack MD4 and MD5
• 1996: Dobbertin improves attacks on MD4 and MD5
• 1998: Chabaud and Joux attack SHA-0
• 2004: Joux et al. break SHA-0
• 2004: Wang et al. break MD5
• 2005: Lenstra et al., and Klima, make MD5 attack practical
• 2005: Wang et al. theoretically break SHA-1
• 2006: De Cannière and Rechberger further break SHA-1

Crypto 2004

At the conference, Joux shows a surprising property in Merkle-Damgaard hashes:
► Multicollisions
► Cascaded hashes don't help security much

Wang, Feng, Lai, and Yu found a collision attack on SHA-0 with complexity of 2^40. Attacks on MD4, MD5 and RIPEMD were also found.

Biham/Chen announced new results in cryptanalyzing SHA-1, including a collision attack in a reduced-round version of SHA-1.

Wang's algorithm was extended to find a collision in SHA-1 in 2^63 steps in 2005.
Need for SHA3 and the NIST competition

| Algorithm | Output size (in bits) | Collision attack | Second preimage attack | Preimage attack |
|---|---|---|---|---|
| MD5 | 128 | Yes (2^20.96) | Yes (2^123.4) | Yes (2^123.4) |
| SHA-0 | 160 | Yes (2^33.6) | No | No |
| SHA-1 | 160 | Yes (2^51) | No | No |
| SHA-2 | 256/224 | Theoretical (2^28.5 : 24) | Theoretical (2^248.4 : 42) | Theoretical (2^248.4 : 42) |
| SHA-2 | 512/384 | Theoretical (2^32.5 : 24) | Theoretical (2^494.6 : 42) | Theoretical (2^494.6 : 42) |
| SHA-3 | 224/256/384/512 | NO | NO | NO |

Keccak sponge construction

Keccak uses the sponge construction. The sponge construction builds a function SPONGE[f, pad, r] with variable-length input and arbitrary-length output, where:

f: a fixed-length transformation/permutation (the permutation f operates on a fixed number of bits, the width b)
pad: a padding rule
r: a parameter called bitrate

The value c = b − r is called the capacity.

Keccak SHA-3 standardization

For SHA-3, KECCAK == SPONGE[ Keccak-f (5×5×64), pad 10*1, r ]

The value of the bitrate r depends on the output hash size:

| Output hash size (in bits) | 224 | 256 | 384 | 512 |
|---|---|---|---|---|
| Bitrate r (in bits) | 1152 | 1088 | 832 | 576 |

There are 7 Keccak-f permutations, indicated by Keccak-f[b], where b = 25 × 2^ℓ and ℓ ranges from 0 to 6. Here, 2^ℓ represents the word size, w. SHA-3 uses words of size 64 bits. Hence the Keccak-f permutation with b = 25 × 2^6 is used in SHA-3.

Keccak-f[b] permutation

A sequence of operations on a state a, which is a 3D array of elements of GF(2): a[5][5][w], with w = 2^ℓ.

The mapping between the bits of s and those of a is s[w(5y + x) + z] = a[x][y][z], with x, y ∈ Z5 and z ∈ Zw.

Keccak-f[b] is an iterated permutation, consisting of a sequence of nr rounds of R where R = and nr is 12+2ℓ

θ
Compute the parity of each column. Add to each bit a[x][y][z] the parity of the neighboring columns. The mapping is linear and provides diffusion within the slice.

ρ
The lanes are cyclically shifted by an offset equal to a triangular number n(n+1)/2.
Creates inter-slice diffusion.

π
The mapping is a transposition of lanes that disturbs the horizontal and vertical alignment within the slice.

[Figure: π applied to a slice. Note that x = y = 0 is depicted at the center of the slice.]

χ
Only non-linear mapping of Keccak-f[b] (algebraic degree of 2). “Flip bit if neighbors exhibit 01 pattern”. Operates independently and in parallel on 5-bit rows.

ι
All other values of RC[ir][x][y][z] are zero. Only mapping that disrupts symmetry between the rounds. The bits of the round constants are different from round to round and are taken as the output of a maximum-length LFSR. The constants are only added in a single lane of the state. The disruption diffuses through θ and χ to all lanes of the state after a single round.

SHA-3 summary

Sponge function = State Memory (S) + function f + padding p (25 × 64 = 1600 bits)
Round function Keccak-f[1600]: f = θ o ρ o π o χ o ι
Number of rounds: 12 + 2ℓ = 24

Operation of SHA3

• S is initialized to zero
• Input string is padded
• S XOR first r-bit block of padded input
• S replaced by f(S)
• S XOR next r-bit block of padded input
• S replaced by f(S), and so on. The process is repeated until all blocks of the padded input string are used up or "absorbed"
• First r bits of S are outputted
• S replaced by f(S)
• Next r bits of S are outputted, and so on. The process is repeated until the desired number of output bits are produced or "squeezed out". If the output length is not a multiple of r bits, then it will be truncated.

Analysis of SHA-3

Security level (against all attacks) at CHES 2013:

| SHA3 | Security level |
|---|---|
| SHA3-224, SHA3-256 | 128 bits |
| SHA3-384, SHA3-512 | 256 bits |

Keccak has high performance in hardware as well as software implementations. This, coupled with its high security margin, made it the winner of the NIST competition in 2012.

Keccak-f[b] state naming convention.
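The absorb/squeeze procedure and the five round mappings described above, written out as an added Python example (not code from the original slides) and checked against `hashlib`. The function names and the `suffix` parameter are assumptions of this example: suffix 0x01 is the plain pad 10*1 rule stated on this page, while 0x06 adds the two domain-separation bits of the final FIPS 202 standard, which is what `hashlib.sha3_*` implements.

```python
import hashlib

MASK = (1 << 64) - 1
# Bitrate r in bits per output size, copied from the table on this page.
RATE_BITS = {224: 1152, 256: 1088, 384: 832, 512: 576}

def rol64(v, n):
    """Rotate a 64-bit lane left by n positions."""
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK

def keccak_f1600(state):
    """Keccak-f[1600]: 24 rounds of theta, rho, pi, chi, iota on 200 bytes."""
    # Lane a[x][y] holds the 64 z-bits stored at s[64*(5y + x) + z].
    a = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
          for y in range(5)] for x in range(5)]
    lfsr = 1  # LFSR that generates the round-constant bits for iota
    for _ in range(24):
        # theta: add the parity of two neighbouring columns to every bit
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x + 4) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho + pi: rotate each lane by a triangular number, then move it
        x, y = 1, 0
        cur = a[x][y]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, a[x][y] = a[x][y], rol64(cur, (t + 1) * (t + 2) // 2)
        # chi: the only non-linear step, applied to each row of five lanes
        for y in range(5):
            row = [a[x][y] for x in range(5)]
            for x in range(5):
                a[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        # iota: XOR LFSR-derived constant bits into lane (0, 0) only
        for j in range(7):
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            if lfsr & 2:
                a[0][0] ^= 1 << ((1 << j) - 1)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = a[x][y].to_bytes(8, "little")
    return out

def sponge(rate_bytes, msg, suffix, out_len):
    """SPONGE[Keccak-f[1600], pad 10*1, r] on byte strings."""
    # Padding: the suffix byte carries the first '1' bit, 0x80 the final one.
    padded = bytearray(msg) + bytes([suffix])
    padded += bytes(-len(padded) % rate_bytes)
    padded[-1] ^= 0x80
    state = bytearray(200)  # S is initialized to zero
    # Absorb: XOR each r-bit block into the first r bits of S, then S = f(S).
    for off in range(0, len(padded), rate_bytes):
        for i in range(rate_bytes):
            state[i] ^= padded[off + i]
        state = keccak_f1600(state)
    # Squeeze: output the first r bits of S, applying f between output blocks.
    out = bytes(state[:rate_bytes])
    while len(out) < out_len:
        state = keccak_f1600(state)
        out += bytes(state[:rate_bytes])
    return out[:out_len]  # truncate if not a multiple of r

def sha3(msg, bits):
    """FIPS 202 SHA3-<bits>: domain bits '01' + pad 10*1 (suffix 0x06)."""
    return sponge(RATE_BITS[bits] // 8, msg, 0x06, bits // 8)

def keccak(msg, bits):
    """Keccak with the plain pad 10*1 rule from this page (suffix 0x01)."""
    return sponge(RATE_BITS[bits] // 8, msg, 0x01, bits // 8)

if __name__ == "__main__":
    # Constructed test messages, including lengths around the 136-byte rate.
    for m in (b"", b"abc", b"a" * 135, b"a" * 136, b"a" * 137):
        assert sha3(m, 256) == hashlib.sha3_256(m).digest()
    print(sha3(b"abc", 256).hex())
```

The two padding variants give different digests for the same message, so a digest labelled "Keccak-256" will not verify against a SHA3-256 implementation and vice versa.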