DOCSLIB.ORG

CS-466: Applied Cryptography Adam O'neill

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CS-466: Applied Cryptography Adam O'neill Hash functions CS-466: Applied Cryptography Adam O’Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage • Today we will study a second lower-level primitive, hash functions. Setting the Stage • Today we will study a second lower-level primitive, hash functions. • Hash functions like MD5, SHA1, SHA256 are used pervasively. Setting the Stage • Today we will study a second lower-level primitive, hash functions. • Hash functions like MD5, SHA1, SHA256 are used pervasively. • Primary purpose is data compression, but they have many other uses and are often treated like a “magic wand” in protocol design. Collision resistance (CR) Collision Resistance n Definition: A collision for a function h : D 0, 1 is a pair x1, x2 D → { } ∈ of points such that h(x1)=h(x2)butx1 = x2. ̸ If D > 2n then the pigeonhole principle tells us that there must exist a | | collision for h. Mihir Bellare UCSD 3 Collision resistance (CR) Collision resistanceCollision Resistance (CR) n Definition: A collision for a function h : D 0, 1 n is a pair x1, x2 D Definition: A collision for a function h : D → {0, 1} is a pair x1, x2 ∈ D of points such that h(x1)=h(x2)butx1 = →x2.{ } ∈ of points such that h(x1)=h(x2)butx1 ≠ x2. ̸ If D > 2n then the pigeonhole principle tells us that there must exist a If |D| > 2n then the pigeonhole principle tells us that there must exist a collision| | for h. collision for h. We want that even though collisions exist, they are hard to find. Mihir Bellare UCSD 3 Mihir Bellare UCSD 5 Collision resistance (CR) Collision resistance (CR) Collision resistanceCollision Resistance (CR) n Definition: A collision for a function h : D 0, 1 n is a pair x1, x2 D Definition: A collision for a function h : D → {0, 1} is a pair x1, x2 ∈ D of points such that h(x1)=h(x2)butx1 = →x2.{ }n ∈ ofDefinition: points suchA thatcollisionh(x1for)= ah function(x2)buthx1: =D x2. 0, 1 is a pair x1, x2 D ̸ → { } ∈ of points such that h(x1)=h(x2)butx1 ̸= x2. If D > 2n then the pigeonhole principle tells̸ us that there must exist a If |D| > 2n then the pigeonhole principle tells us that there must exist a collision| | forn h. collisionIf D > for2 thenh. the pigeonhole principle tells us that there must exist a | | collision for h. We want that even though collisions exist, they are hard to find. We want that even though collisions exist, they are hard to find. Mihir Bellare UCSD 3 Mihir Bellare UCSD 5 Mihir Bellare UCSD 5 Collision-resistance of a function family The Game be ck - secure ? suppose } then can H The formalism considers a family H :Keys(H) D R of functions, × → meaning for each K Keys(H)wehaveamapHK : D R defined by ∈ → HK (x)=H(K, x). Game CRH procedure Finalize(x1, x2) procedure Initialize If (x1 = x2) then return false K $ Keys(H) If (x1 D or x2 D) then return false ← ̸∈ ̸∈ Return K Return (HK (x1)=HK (x2)) Let cr cne#% Adv (A) = Pr CRA true . KEESEY: H ! H ⇒ " is CK - secure Cor CR ) We that It just if say * " " " practical A Bs is small . K¥44any , Advuttctl for Mihir Bellare UCSD 6 Example Example k n n E- Let E: 0, 1 0, 1 0, 1 be a blockcipher. leg . let AES { }k × { }2n→ { } n Let H: 0, 1 0, 1 0, 1 be defined by n - 128 { } × { } → { } ) Alg H(K, x[1]x[2]) y EK (EK (x[1]) x[2]); Return y ← ⊕ are unequal CR . Let’s show. thatHisH isnot collision-resistant by giving an efficient adversary Claim cr wghioh - A such that AdvH (A)=1. Xz[DxzEi st . Want XIIIXEY , : .ES#kED ) Eetkcx ,E])•×Ei ) Ekftklx ⇒ Fkcx , [ EKCXZEIHGXZEIiD*X,G]= Mihir Bellare UCSD 8 =) KN=Ek( XED ) a XFDQEKCKED ) Keyless hash functions Keyless Hash Functions We say that H:Keys(H) D R is keyless if Keys(H)= ε consists of × → { } just one key, the empty string. In this case we write H(x)inplaceofH(ε, x)orHε(x). Practical hash functions like MD5, SHA1, SHA256, SHA3, ... are keyless. doesn't Although a formal definition of CR achievable for make Sense ( or is not ) keyless ode in we can still them hash functions , Mihir Bellare UCSD 12 reductions . Secure Hash SHA1 Algorithm . SHA1 Alg SHA1(M) // M < 264 | | V SHF1( 5A827999 6ED9EBA1 8F1BBCDC CA62C1D6 , M ) return←V ∥ ∥- ∥ 160 bits . Alg SHF1(K, M) // K =128and M < 264 | | | | y shapad(M) ← Parse y as M1 M2 Mn where Mi =512(1 i n) ∥ ∥ ··· ∥ | | ≤ ≤ V 67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0 ← ∥ ∥ ∥ ∥ for i =1,...,n do V shf1(K, Mi V ) ← ∥ return V Alg shapad(M) // M < 264 | | d (447 M )mod512 ← − | | Let ℓ be the 64-bit binary representation of M | | y M 1 0d ℓ // y is a multiple of 512 ← ∥ ∥ ∥ | | return y Mihir Bellare UCSD 13 Underlying Compression Functionshf1 Alg shf1(K, B V ) // K =128, B =512and V =160 ∥ | | | | | | Parse B as W0 W1 W15 where Wi =32(0 i 15) ∥ ∥ ··· ∥ | | ≤ ≤ Parse V as V0 V1 V4 where Vi =32(0 i 4) ∥ ∥ ··· ∥ | | ≤ ≤ Parse K as K0 K1 K2 K3 where Ki =32(0 i 3) ∥ ∥ ∥ 1 | | ≤ ≤ for t =16to79do Wt ROTL (Wt−3 Wt−8 Wt−14 Wt−16) ← ⊕ ⊕ ⊕ A V0 ; B V1 ; C V2 ; D V3 ; E V4 ← ← ← ← ← for t =0to19do Lt K0 ; Lt+20 K1 ; Lt+40 K2 ; Lt+60 K3 ← ← ← ← for t =0to79do if (0 t 19) then f (B C) (( B) D) ≤ ≤ ← ∧ ∨ ¬ ∧ if (20 t 39 OR 60 t 79) then f B C D ≤ ≤ ≤ ≤ ← ⊕ ⊕ if (40 t 59) then f (B C) (B D) (C D) ≤ ≤ 5 ← ∧ ∨ ∧ ∨ ∧ temp ROTL (A)+f + E + Wt + Lt ← 30 E D ; D C ; C ROTL (B); B A ; A temp ← ← ← ← ← V0 V0 +A ; V1 V1 +B ; V2 V2 +C ; V3 V3 +D ; V4 V4 +E ← ← ← ← ← V V0 V1 V2 V3 V4; return V ← ∥ ∥ ∥ ∥ Mihir Bellare UCSD 14 Applications • Hashing before digitally signing. Applications • Hashing before digitally signing. • Primitive in cryptographic protocols. Applications • Hashing before digitally signing. • Primitive in cryptographic protocols. • Tool for security applications. Applications • Hashing before digitally signing. • Primitive in cryptographic protocols. • Tool for security applications. • Tool for non-security applications. Applications • Hashing before digitally signing. • Primitive in cryptographic protocols. • Tool for security applications. • Tool for non-security applications. • Let’s see some examples… Password Verification • Consider a password file stored on a remote server and clients logging in over a secure makes have adversary channel. to dir ME: Ⱦ - t¥Client f¥iYaw¥¥ K Senverk Now only Vulnerable to dictionary attack . Compare-by-Hash • Suppose two parties each have a large file and want to know if they have the same file. H¥) & ' f * ' ^ Seward] Bob Aliceof [ in - contexts . 1 even non security . Useful some measure 2. Seems to provide attack of Security ( but dictionary Stiel applies ) Virus Protection • Suppose you download an executable from somewhere on the Internet. How do you know it’s not a virus? !¥¥!#Ⱦ %fat 9¥ Birthday Attack ' let Ⱦ a hash fraction H :D { 0,15 be . - , ! Consider for Some integer parameter q Adversary A to do: For i=l q xitf D ȼ y , . HCx ;) st . If Ii ] , , izftq tii ,l=HCx :D ^ xiitxiz Xi return ( , Xi , then , ) Else return 1- . Analysis is meaning Assume that H regular " ' ( ) 1 = fye{ 0,13 III y ? ]=Pr[ xittttly ) ] then PRTHCKHY =÷n then Adult ,rCa)=cCzn,e)z .3eG±n - n . bit output for bit =) need nfe sewy . - we need Koo bit for 80 bit see e.g. has 160 bit . output E- S ' SHAI output 't qyazsb has 256 bit oatp Birthday attack times length Output time & as Function n TB find to MD4 128 264 MD5 128 2O64 collision - - SHA1 160 280 128 by bday SHA2-256 256 2 attack SHA2-512 512 2256 SHA3-256 256 2128 SHA3-512 512 2256 TB is the number of trials to find collisions via a birthday attack. Mihir Bellare UCSD 25 Cryptanalytic attacks against hash functions A. non - generic attacks is ( bday attack generic ) When Against Time Who 1993,1996 md5 216 [dBBo,Do] 2005 RIPEMD 218 2004 SHA0 251 [JoCaLeJa] 2005 SHA0 240 [WaFeLaYu] 2005 SHA1 269 [WaYiYu] 2012 SHA1 260 265 [St] − 2005,2006 MD5 1minute⇒ [WaFeLaYu,LeWadW,Kl] md5 is the compression function of MD5 SHA0 is an earlier, weaker version of SHA1 Mihir Bellare UCSD 44 CompressionCompression Functions functions A compression function is a family h : 0, 1 k 0, 1 b+n 0, 1 n of { } × { } → { } hash functions whose inputs are of a fixed size b + n, where b is called the block size. for SHAI Ⱦ blocks E.g. b =512andn =160,inwhichcase - h : 0, 1 k 0, 1 672 0, 1 160 { } × { } → { } • w Ige key space x hK v hK (x v) ∥ Mihir Bellare UCSD 26 The MD transform Merkle - Dam guard MD Transform Design principle: To build a CR hash function H : 0, 1 k D 0, 1 n { } × → { } 64 where D = 0, 1 ≤2 : { } First build a CR compression function • h : 0, 1 k 0, 1 b+n 0, 1 n. { } × { } N → { } Appropriately iterate h to get H,usingh to hash block-by-block. • I U ite b isauedapo Mihir Bellare UCSD 27 MD setup MD Setup SHAI ageistfor Assume for simplicity that M is a multiple of b.Let | | M b be the number of b-bit blocks in M, and write • ∥ ∥ M = M[1] ...M[ℓ] where ℓ = M b. ∥ ∥ i denote the b-bit binary representation of i 0,...,2b 1 .
Load more

Recommended publications
  • Linearization Framework for Collision Attacks: Application to Cubehash and MD6
    Linearization Framework for Collision Attacks: Application to CubeHash and MD6 Eric Brier1, Shahram Khazaei2, Willi Meier3, and Thomas Peyrin1 1 Ingenico, France 2 EPFL, Switzerland 3 FHNW, Switzerland Abstract. In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on lineariza- tion of compression functions in order to find low weight differential characteris- tics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differ- ential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector under the con- dition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on each output bit. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in ac- celerated preimage reconstruction under the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates. Keywords: Hash functions, collisions, differential attack, SHA-3, CubeHash and MD6. 1 Introduction Hash functions are important cryptographic primitives that find applications in many areas including digital signatures and commitment schemes. A hash function is a trans- formation which maps a variable-length input to a fixed-size output, called message digest. One expects a hash function to possess several security properties, one of which is collision resistance.
    [Show full text]
  • Nasha, Cubehash, SWIFFTX, Skein
    6.857 Homework Problem Set 1 # 1-3 - Open Source Security Model Aleksandar Zlateski Ranko Sredojevic Sarah Cheng March 12, 2009 NaSHA NaSHA was a fairly well-documented submission. Too bad that a collision has already been found. Here are the security properties that they have addressed in their submission: • Pseudorandomness. The paper does not address pseudorandomness directly, though they did show proof of a fairly fast avalanching effect (page 19). Not quite sure if that is related to pseudorandomness, however. • First and second preimage resistance. On page 17, it references a separate document provided in the submission. The proofs are given in the file Part2B4.pdf. The proof that its main transfunction is one-way can be found on pages 5-6. • Collision resistance. Same as previous; noted on page 17 of the main document, proof given in Part2B4.pdf. • Resistance to linear and differential attacks. Not referenced in the main paper, but Part2B5.pdf attempts to provide some justification for this. • Resistance to length extension attacks. Proof of this is given on pages 4-5 of Part2B4.pdf. We should also note that a collision in the n = 384 and n = 512 versions of the hash function. It was claimed that the best attack would be a birthday attack, whereas a collision was able to be produced within 2128 steps. CubeHash According to the author, CubeHash is a very simple cryptographic hash function. The submission does not include almost any of the security details, and for the ones that are included the analysis is very poor. But, for the sake of making this PSet more interesting we will cite some of the authors comments on different security issues.
    [Show full text]
  • Quantum Preimage and Collision Attacks on Cubehash
    Quantum Preimage and Collision Attacks on CubeHash Gaëtan Leurent University of Luxembourg, [email protected] Abstract. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity 2192. This kind of attack is expected to cost 2256 for a good 512-bit hash function, and we argue that this violates the expected security of CubeHash. The preimage attack can also be used as a collision attack, given that a generic quantum collision attack on a 512-bit hash function require 2256 operations, as explained in the CubeHash submission document. This attack only uses very simple techniques, most of which are borrowed from previous analysis of CubeHash: we just combine symmetry based attacks [1,8] with Grover’s algo- rithm. However, it is arguably the first attack on a second-round SHA-3 candidate that is more efficient than the attacks considered by the designer. 1 Introduction CubeHash is a hash function designed by Bernstein and submitted to the SHA-3 com- petition [2]. It has been accepted for the second round of the competition. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity 2192. We show that this attack should be considered as better that the attacks considered by the designer, and we explain what were our expectations of the security of CubeHash. P P Fig. 1. CubeHash follows the sponge construction 1.1 CubeHash Versions CubeHash is built following the sponge construction with a 1024-bit permutation. The small size of the state allows for compact hardware implementations, but it is too small to build a fast 512-bit hash function satisfying NIST security requirements.
    [Show full text]
  • Inside the Hypercube
    Inside the Hypercube Jean-Philippe Aumasson1∗, Eric Brier3, Willi Meier1†, Mar´ıa Naya-Plasencia2‡, and Thomas Peyrin3 1 FHNW, Windisch, Switzerland 2 INRIA project-team SECRET, France 3 Ingenico, France Some force inside the Hypercube occasionally manifests itself with deadly results. http://www.staticzombie.com/2003/06/cube 2 hypercube.html Abstract. Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h (the compression function makes r rounds, while the finalization function makes 10r rounds). The 1024-bit internal state of CubeHash is represented as a five-dimensional hypercube. The sub- missions to NIST recommends r = 8, b = 1, and h ∈ {224, 256, 384, 512}. This paper presents the first external analysis of CubeHash, with • improved standard generic attacks for collisions and preimages • a multicollision attack that exploits fixed points • a study of the round function symmetries • a preimage attack that exploits these symmetries • a practical collision attack on a weakened version of CubeHash • a study of fixed points and an example of nontrivial fixed point • high-probability truncated differentials over 10 rounds Since the first publication of these results, several collision attacks for reduced versions of CubeHash were published by Dai, Peyrin, et al. Our results are more general, since they apply to any choice of the parame- ters, and show intrinsic properties of the CubeHash design, rather than attacks on specific versions. 1 CubeHash Bernstein’s CubeHash is a hash function family submitted to the NIST Hash Competition.
    [Show full text]
  • Rebound Attack
    Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline 1 Motivation 2 Whirlpool Hash Function 3 Application of the Rebound Attack 4 Summary SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack Ebw Ein Efw inbound outbound outbound Applies to block cipher and permutation based
    [Show full text]
  • The Hitchhiker's Guide to the SHA-3 Competition
    History First Second Third The Hitchhiker’s Guide to the SHA-3 Competition Orr Dunkelman Computer Science Department 20 June, 2012 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 1/ 33 History First Second Third Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 2/ 33 History First Second Third History Sad Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 3/ 33 History First Second Third History Sad A(n Extremely) Short History of Hash Functions 1976 Diffie and Hellman suggest to use hash functions to make digital signatures shorter. 1979 Salted passwords for UNIX (Morris and Thompson). 1983/4 Davies/Meyer introduce Davies-Meyer. 1986 Fiat and Shamir use random oracles. 1989 Merkle and Damg˚ard present the Merkle-Damg˚ard hash function.
    [Show full text]
  • Tocubehash, Grøstl, Lane, Toshabal and Spectral Hash
    FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, Lane, Shabal and Spectral Hash Brian Baldwin, Andrew Byrne, Mark Hamilton, Neil Hanley, Robert P. McEvoy, Weibo Pan and William P. Marnane Claude Shannon Institute for Discrete Mathematics, Coding and Cryptography & Department of Electrical & Electronic Engineering, University College Cork, Ireland. Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation The SHA-3 Contest UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation The SHA-3 Contest Overview of the Hash Function Architectures UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation The SHA-3 Contest Overview of the Hash Function Architectures Hash Function Implementations CubeHash Grøstl Lane Shabal Spectral Hash UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function
    [Show full text]
  • NISTIR 7620 Status Report on the First Round of the SHA-3
    NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NISTIR 7620: Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
    [Show full text]
  • High-Speed Hardware Implementations of BLAKE, Blue
    High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein Version 2.0, November 11, 2009 Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, J¨orn-Marc Schmidt, and Alexander Szekely Graz University of Technology, Institute for Applied Information Processing and Communications, Inffeldgasse 16a, A{8010 Graz, Austria {Stefan.Tillich,Martin.Feldhofer,Mario.Kirschbaum, Thomas.Plos,Joern-Marc.Schmidt,Alexander.Szekely}@iaik.tugraz.at Abstract. In this paper we describe our high-speed hardware imple- mentations of the 14 candidates of the second evaluation round of the SHA-3 hash function competition. We synthesized all implementations using a uniform tool chain, standard-cell library, target technology, and optimization heuristic. This work provides the fairest comparison of all second-round candidates to date. Keywords: SHA-3, round 2, hardware, ASIC, standard-cell implemen- tation, high speed, high throughput, BLAKE, Blue Midnight Wish, Cube- Hash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, Skein. 1 About Paper Version 2.0 This version of the paper contains improved performance results for Blue Mid- night Wish and SHAvite-3, which have been achieved with additional imple- mentation variants. Furthermore, we include the performance results of a simple SHA-256 implementation as a point of reference. As of now, the implementations of 13 of the candidates include eventual round-two tweaks. Our implementation of SIMD realizes the specification from round one. 2 Introduction Following the weakening of the widely-used SHA-1 hash algorithm and concerns over the similarly-structured algorithms of the SHA-2 family, the US NIST has initiated the SHA-3 contest in order to select a suitable drop-in replacement [27].
    [Show full text]
  • Side-Channel Analysis of Six SHA-3 Candidates⋆
    Side-channel Analysis of Six SHA-3 Candidates? Olivier Beno^ıtand Thomas Peyrin Ingenico, France [email protected] Abstract. In this paper we study six 2nd round SHA-3 candidates from a side-channel crypt- analysis point of view. For each of them, we give the exact procedure and appropriate choice of selection functions to perform the attack. Depending on their inherent structure and the internal primitives used (Sbox, addition or XOR), some schemes are more prone to side channel analysis than others, as shown by our simulations. Key words: side-channel, hash function, cryptanalysis, HMAC, SHA-3. 1 Introduction Hash functions are one of the most important and useful tools in cryptography. A n-bit cryp- tographic hash function H is a function taking an arbitrarily long message as input and out- putting a fixed-length hash value of size n bits. Those primitives are used in many applications such as digital signatures or key generation. In practice, hash functions are also very useful for building Message Authentication Codes (MAC), especially in a HMAC [5, 34] construction. HMAC offers a good efficiency considering that hash functions are among the fastest bricks in cryptography, while its security can be proven if the underlying function is secure as well [4]. In recent years, we saw the apparition of devastating attacks [39, 38] that broke many standardized hash functions [37, 31]. The NIST launched the SHA-3 competition [33] in response to these attacks and in order to maintain an appropriate security margin considering the increase of the computation power or further cryptanalysis improvements.
    [Show full text]
  • Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain
    I. J. Computer Network and Information Security, 2021, 2, 1-15 Published Online April 2021 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2021.02.01 Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain Alexandr Kuznetsov1 , Inna Oleshko2, Vladyslav Tymchenko3, Konstantin Lisitsky4, Mariia Rodinko5 and Andrii Kolhatin6 1,3,4,5,6 V. N. Karazin Kharkiv National University, Svobody sq., 4, Kharkiv, 61022, Ukraine E-mail: [email protected], [email protected], [email protected], [email protected], [email protected] 2 Kharkiv National University of Radio Electronics, Nauky Ave. 14, Kharkiv, 61166, Ukraine E-mail: [email protected] Received: 30 June 2020; Accepted: 21 October 2020; Published: 08 April 2021 Abstract: A blockchain, or in other words a chain of transaction blocks, is a distributed database that maintains an ordered chain of blocks that reliably connect the information contained in them. Copies of chain blocks are usually stored on multiple computers and synchronized in accordance with the rules of building a chain of blocks, which provides secure and change-resistant storage of information. To build linked lists of blocks hashing is used. Hashing is a special cryptographic primitive that provides one-way, resistance to collisions and search for prototypes computation of hash value (hash or message digest). In this paper a comparative analysis of the performance of hashing algorithms that can be used in modern decentralized blockchain networks are conducted. Specifically, the hash performance on different desktop systems, the number of cycles per byte (Cycles/byte), the amount of hashed message per second (MB/s) and the hash rate (KHash/s) are investigated.
    [Show full text]
  • Uniform Logical Cryptanalysis of Cubehash Function
    FACTA UNIVERSITATIS (NIŠ) SER.: ELEC. ENERG. vol. 23, no. 3, December 2010, 357-366 Uniform Logical Cryptanalysis of CubeHash Function Miodrag Milic´ and Vojin Šenk Abstract: In this paper we present results of uniform logical cryptanalysis method applied to cryptographic hash function CubeHash. During the last decade, some of the most popular cryptographic hash functions were broken. Therefore, in 2007, National Institute of Standards and Technology (NIST), announced an international competi- tion for a new Hash Standard called SHA-3. Only 14 candidates passed first two selection rounds and CubeHash is one of them. A great effort is made in their analysis and comparison. Uniform logical cryptanalysis presents an interesting method for this purpose. Universal, adjustable to almost any cryptographic hash function, very fast and reliable, it presents a promising method in the world of cryptanalysis. Keywords: Cryptography, hash functions, uniform logical cryptanalysis, proposi- tional satisfiability, CubeHash. 1 Introduction Hash functions have a very important role in modern cryptography, primarily in digital signatures and various forms of authentication. Therefore, a great effort is made in order to enhance their design and analysis methods. The most popular hash functions today are MD5 and SHA-1. There are many principles used for hash function design. Some of them rely on strong mathematical background, i.e. they have a theoretical foundation that sup- ports claims of their security. Some hash functions rely on well-known and heavily- tested block cipher functions. However, most of them are specially designed using small set of fast operations carefully mixed and iterated over input sequence many times.
    [Show full text]