Theory and Practice for Hash Functions


Bart Preneel, Katholieke Universiteit Leuven - COSIC
Cambridge, 1 February 2012
www.ecrypt.eu.org

Hash functions

X.509 Annex D, RIPEMD-160, MDC-2, SHA-256, SHA-3, MD2, MD4, MD5, SHA-512, SHA-1

[Figure: the text below is fed to the hash function h, which outputs the fixed-length value 1A3FD4128A198FB3CA345932.]

This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).

Applications

• short unique identifier to a string
  – digital signatures
  – data authentication
• one-way function of a string
  – protection of passwords
  – micro-payments
• confirmation of knowledge/commitment
• pseudo-random string generation/key derivation
• entropy extraction
• construction of MAC algorithms, stream ciphers, block ciphers, …

2005: 800 uses of MD5 in Microsoft Windows

Bridging theory and practice?

Agenda

• Definitions
• Iterations (modes)
• Compression functions
• Hash functions
• SHA-3

Security requirements (n-bit result)

• preimage: given $h(x)$, find an input that hashes to it; effort $2^n$
• 2nd preimage: given $x$, find $x' \neq x$ with $h(x) = h(x')$; effort $2^n$
• collision: find $x \neq x'$ with $h(x) = h(x')$; effort $2^{n/2}$

Length extension

• length extension: if one knows $h(x)$, it is easy to compute $h(x \,\|\, y)$ without knowing $x$ or IV

[Figure: iterated chain IV → f → H1 → f → H2 → f → H3 = h(x) over the blocks x1, x2, x3; one more call of f on the block y gives H4 = h(x || y).]

• solution: output transformation

[Figure: the same chain over the blocks x1, x2, x3, x4, followed by an output transformation g.]

Informal definitions: NIST requirements for SHA-3

• One Way Hash Function (OWHF)
  – preimage resistance ($2^n$)
  – 2nd preimage resistance ($2^{n-L}$ for $2^L$-bit message)
• Collision Resistant Hash Function (CRHF):
  – collision resistant
• Resistance to length extension
• Properties scale well with truncation
• HMAC-PRF indistinguishable up to $2^{n/2}$ queries
• Secure in randomized hashing mode

Brute force (2nd) preimage

• multiple target second preimage (1 out of M): if one can attack $2^t$ simultaneous targets, the effort to find a single preimage is $2^{n-t}$
• multiple target second preimage (M out of M):
  – time-memory trade-off with $\Theta(2^n)$ precomputation and storage $\Theta(2^{2n/3})$; time per (2nd) preimage: $\Theta(2^{2n/3})$ [Hellman'80]
  – full cost per (2nd) preimage from $\Theta(2^n)$ to $\Theta(2^{2n/5})$ [Wiener'02] (if $\Theta(2^{3n/5})$ targets are attacked)

answer: randomize hash function with a parameter S (salt, key, spice, …)

Formal definition: (2nd) preimage resistance

Notation: $\Sigma = \{0,1\}$, $l(n) > n$

A one-way hash function (OWHF) $h$ is a function with domain $D = \Sigma^{l(n)}$ and range $R = \Sigma^n$ that satisfies the following conditions:
• Pre: let $x$ be selected uniformly in $D$ and let $M$ be an adversary that on input $h(x)$ uses time $\le t$ and outputs $M(h(x)) \in D$. For each adversary $M$, $\Pr_{x \in D}\{ h(M(h(x))) = h(x) \} < \varepsilon$. Here the prob. is also taken over the random choices of $M$.
• Sec: let $x$ be selected uniformly in $D = \Sigma^{l(n)}$ and let $M'$ be an adversary who on input $x$ uses time $\le t$ and outputs $x' \in D$ with $x' \neq x$. For each adversary $M'$, $\Pr_{x \in D}\{ h(M'(x)) = h(x) \} < \varepsilon$. Here the prob. is taken over the random choices of $M'$.

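
The length-extension slide above, as an added example that is not from the talk: a toy iterated hash (compression function `f` built from truncated SHA-256, 16-byte blocks, 8-byte chaining value, all names and sizes chosen here for illustration) shows that h(x || padding || y) follows from h(x) and the length of x alone, and that a one-way output transformation `g` makes the same computation fail.

```python
import hashlib

BLOCK = 16          # toy block size in bytes (assumption of this example)
STATE = 8           # toy chaining-value size in bytes (assumption)
IV = bytes(STATE)   # fixed IV


def f(h: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated SHA-256 of chaining value || block."""
    return hashlib.sha256(h + block).digest()[:STATE]


def md_pad(total_len: int) -> bytes:
    """Unambiguous padding for a total_len-byte message: 0x80, zeros, 8-byte length."""
    zeros = (-(total_len + 1 + 8)) % BLOCK
    return b"\x80" + bytes(zeros) + total_len.to_bytes(8, "big")


def iterate(data: bytes, h: bytes = IV) -> bytes:
    """Run H_i = f(H_{i-1}, x_i) over block-aligned data, starting from h."""
    if len(data) % BLOCK:
        raise ValueError("data must be block aligned")
    for i in range(0, len(data), BLOCK):
        h = f(h, data[i:i + BLOCK])
    return h


def h_plain(x: bytes) -> bytes:
    """Plain iteration: the digest is the last chaining value."""
    return iterate(x + md_pad(len(x)))


def g(h: bytes) -> bytes:
    """One-way output transformation (domain-separated, truncated SHA-256)."""
    return hashlib.sha256(b"output-transform" + h).digest()[:STATE]


def h_with_g(x: bytes) -> bytes:
    """Same iteration, but the last chaining value is hidden behind g."""
    return g(h_plain(x))


def extend(digest: bytes, known_len: int, y: bytes, finalize=lambda h: h):
    """Continue the chain from a published digest, knowing only len(x).

    Returns (glue, claimed): the padding that ends up between x and y, and
    the value claimed for hash(x || glue || y). Neither x nor the IV is used.
    """
    glue = md_pad(known_len)
    new_len = known_len + len(glue) + len(y)
    claimed = finalize(iterate(y + md_pad(new_len), h=digest))
    return glue, claimed


def demo():
    x = b"constructed sample input, unknown to extend()"
    y = b" || appended suffix"
    # Plain iteration: the digest is a valid chaining value, so the claim holds.
    glue, claimed = extend(h_plain(x), len(x), y)
    plain_extends = claimed == h_plain(x + glue + y)
    # With g: the digest no longer reveals the chaining value, the claim fails.
    glue_g, claimed_g = extend(h_with_g(x), len(x), y, finalize=g)
    g_extends = claimed_g == h_with_g(x + glue_g + y)
    return plain_extends, g_extends


if __name__ == "__main__":
    print(demo())
```
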

Formal definitions: collision resistance

A collision-resistant hash function (col) $h$ is a function with domain $D = \Sigma^{l(n)}$ and range $R = \Sigma^n$ that satisfies the following conditions:
• for each collision string finder $F$ that uses time $\le t$ and outputs either "?" or a pair $x, x' \in \Sigma^{l(n)}$ with $x' \neq x$ such that $h(x') = h(x)$, we have that $\Pr\{ F(H) \neq \text{"?"} \} < \varepsilon$. Here the prob. is taken over the random choices of $F$.

Is this correct? No! For every $h$ there are many (short) colliding strings, and so there exist many very simple collision string finders $F$ that output a collision with probability 1.

Formal definitions: collision resistance

A collision-resistant hash function family (CRHF) $H$ is a function family $\{h_S\}$ with domain $D = \Sigma^{l(n)}$ and range $R = \Sigma^n$ and indexed by a "key" $S$ that satisfies the following conditions:
• let $F$ be a collision string finder that on input $S \in \Sigma^s$ uses time $\le t$ and outputs either "?" or a pair $x, x' \in \Sigma^{l(n)}$ with $x' \neq x$ such that $h_S(x') = h_S(x)$. For each $F$, $\Pr_S\{ F(H) \neq \text{"?"} \} < \varepsilon$. Here the prob. is also taken over the random choices of $F$.

Formal definitions - continued

• for collision resistance: formalization requires a family, but see [Stinson'06], [Rogaway'06]: "formalizing human ignorance"
• for (2nd) preimage resistance, one can choose the challenge (x) and/or the key (S) that selects the function, resulting in 3 flavors [Rogaway-Shrimpton'04]:
  1. random challenge, random key (Pre and Sec)
  2. random key, fixed challenge (ePre and eSec - everywhere) (eSec = UOWHF)
  3. fixed key, random challenge (aPre and aSec - always)
• complex relationship (see figure on next slide)

Relations between security properties [Rogaway-Shrimpton'04]

[Figure: diagram of the relations between the security properties; surviving labels: "Even if Coll", "∀Q", "rPre", "Easy to prove", "Relevant in practice".]

[Andreeva-Stam'10] eSec/Pre: bound always $2^{n/2} \ll 2^n$

How does ePre (theoretically easy to prove) relate to dPre (practically relevant)?
For sufficiently Col secure H, ePre implies dPre (if the message space has sufficient Rényi$_2$ entropy $> |Y|$)

Collision resistance

• more complex to formalize
• hard to achieve in theory
  – [Simon'98] one cannot derive collision resistance from "general" preimage resistance (there exists no black box reduction)
• hard to achieve in practice
  – requires double output length: $2^{n/2}$ versus $2^n$
  – many attacks

Good news: not always necessary
Even better news: rarely necessary

How to solve collision problem in digital signatures?

[Figure: message $m$ and a random $r \xleftarrow{\$} \{0,1\}^k$ are hashed (labels: UOWHF, TCR, eSEC); the signature is $\mathrm{Sig}_{SK_A}(r \,\|\, h_r(m))$.]

• Hash function is only chosen after the message has been committed to, so collisions for a particular hash function are useless
• If two messages m, m' are found with the same signature, the signer must have cheated by first choosing r and then finding a collision
• Fine in theory, but will this work in practice?

Courts and second preimage resistance

Pseudo-random function

computationally indistinguishable from a random function

$\mathrm{Adv}^{\mathrm{prf}}_h = \Pr[\, K \xleftarrow{\$} \mathcal{K} : A^{h_K(\cdot)} \Rightarrow 1 \,] - \Pr[\, f \xleftarrow{\$} \mathrm{RAND}(m,n) : A^{f} \Rightarrow 1 \,]$

RAND(m,n): set of all functions from m-bit to n-bit strings

[Figure: a distinguisher D queries either $h_K$ or $f$ and has to decide which one it is.]

This concept makes only sense for a function with a secret key

Indifferentiability from a random oracle or PRO property [Maurer+04]

variant of indistinguishability appropriate when distinguisher has access to inner component (e.g. building block of a hash function)

∃ simulator S, ∀ distinguisher D: $\mathrm{Adv}^{\mathrm{PRO}}(H, S)$ is small

[Figure: the distinguisher D talks either to the hash function H together with its FIL RO building block, or to a VIL RO together with the simulator S.]

!! But [Ristenpart-Shacham-Shrimpton'11]: not always sufficient for ROM security

Properties in practice

• other properties are needed:
  – near-collision resistance
  – partial preimage resistance (most of input known)
  – multiplication freeness
  – MAC property

Which properties are relevant?
How to formalize these requirements and the relation between all these properties?
Keyed or unkeyed? Who chooses the key?
What about the salt?

Iteration (mode of compression function)

Hash function: iterated structure

[Figure: iterated chain IV → f → H1 → f → H2 → f → H3 → f → g over the blocks x1, x2, x3, x4.]

• Fix IV
• Unambiguous padding
• Suffix-free encoding

Are the roles of the 2 inputs of the compression function really equivalent?

[Merkle'89-Damgård'89]: f is collision resistant ⇒ h is collision resistant

Attacks on MD-type iterations

• multi-collision attack and impact on concatenation [Joux'04]
• long message 2nd preimage attack [Dean-Felten-Hu'99], [Kelsey-Schneier'05]
  – Sec security degrades linearly with number $2^t$ of message blocks hashed: $2^{n-t+1} + t \cdot 2^{n/2+1}$
  – appending the length does not help!
• herding attack [Kelsey-Kohno'06]
  – reduces security of commitment using a hash function from $2^n$
  – on-line $2^{n-t}$ + precomputation $2 \cdot 2^{(n+t)/2}$ + storage $2^t$

Improving MD iteration

salt + output transformation + counter + wide pipe

[Figure: chain starting from IV in which every call of f takes the salt, a message block x1..x4 (the last input carries |x|) and a counter 1..4; the chaining values H1, H2, H3 are $2n$ bits wide and the output transformation g reduces $2n$ bits to $n$ bits.]

Improving MD iteration

• degradation with use: salting (family of functions, randomization)
  – or should a salt be part of the input?
• PRO/Indif: strong output transformation g
  – also solves length extension
• long message 2nd preimage: preclude fix points
  – counter $f \rightarrow f_i$ [Biham-Dunkelman'07]
• multi-collisions, herding: avoid breakdown at $2^{n/2}$ with larger internal memory: known as wide pipe
  – e.g., extended MD4, RIPEMD, [Lucks'05]

Some Domain Extender Security Results
[Andreeva-Neven-P-Shrimpton07], [Andreeva-Mennink-P11]

Construction                    Col  Sec  aSec  eSec  Pre  aPre  ePre  Indif
1. SMD [M90, D90]                +    -    -     -     -    -     +     -
2. Linear hash [BR97]            -    -    -     -     -    -     +     +
3. XOR Linear hash [BR97]        +    -    -     +     -    -     +     -
4. Shoup's hash [Sho00]          +    -    -     +     -    -     +     -
5. BCM [AP08]                    +    +    -     -     -    -     +     ?
6. Prefix-free MD [CDMP05]       -    -    -     -     -    -     +     +
7. Randomized hash [HK06]        +    -    -     -     -    -     +     -
8. HAIFA [BD06]                  +    -    -     -     -    -     +     +
9. Enveloped MD [BR06]           +    -    -     -     -    -     +     +
10. Str. Merkle Tree [Mer80]     +    -    -     -     -    -     +     ?
11. Linear Tree [BR97]           -    -    -     -     -    -     +     ?
12. ROX [ANPS07]                 +    +    +     +     +    +     +     ?
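
The multi-collision bullet on the MD-type iterations slide and the wide-pipe remedy, as an added example that is not from the talk: on a toy iterated hash with an n = 24-bit chaining value (the sizes and the SHA-256-based compression function `f` are assumptions made here), t successive birthday searches of roughly $2^{n/2}$ calls each yield $2^t$ distinct messages with one digest.

```python
import hashlib
from itertools import product

N_BYTES = 3          # toy chaining value and digest size: n = 24 bits (assumption)
BLOCK = 8            # toy block size in bytes (assumption)
IV = bytes(N_BYTES)  # fixed IV


def f(h: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 of chaining value || block, cut to n bits."""
    return hashlib.sha256(h + block).digest()[:N_BYTES]


def md_hash(blocks) -> bytes:
    """Iterated hash over a list of blocks, closed by a block encoding the length."""
    h = IV
    for b in blocks:
        h = f(h, b)
    return f(h, len(blocks).to_bytes(BLOCK, "big"))


def block_collision(h: bytes):
    """Birthday search for two distinct blocks that collide under f(h, .).

    Returns (b0, b1, common_output, number_of_f_calls).
    """
    seen = {}
    calls = 0
    while True:
        block = calls.to_bytes(BLOCK, "big")   # distinct counter values
        out = f(h, block)
        calls += 1
        if out in seen:
            return seen[out], block, out, calls
        seen[out] = block


def multicollision(t: int):
    """Chain t single-block collisions; every choice of b0/b1 per position
    walks through the same chaining values, so all 2^t messages collide."""
    h, pairs, calls = IV, [], 0
    for _ in range(t):
        b0, b1, h, used = block_collision(h)
        pairs.append((b0, b1))
        calls += used
    messages = [list(choice) for choice in product(*pairs)]
    return messages, calls


def demo(t: int = 4):
    """Return (#distinct messages, #distinct digests, #calls of f)."""
    messages, calls = multicollision(t)
    distinct = len({b"".join(m) for m in messages})
    digests = {md_hash(m) for m in messages}
    return distinct, len(digests), calls


if __name__ == "__main__":
    distinct, n_digests, calls = demo(4)
    # The cost is a few thousand calls per position, i.e. about t * 2^(n/2);
    # it is set by the width of the chaining value, not by the digest size.
    print(distinct, "messages,", n_digests, "digest,", calls, "calls of f")
```

Because the cost per position depends only on the chaining-value width, widening the internal state (wide pipe) raises it, while concatenating a second narrow iterated hash adds far less than its output length suggests.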

Preservation

• which constructions preserve which properties?
• or is it ok if we can prove security for the iteration?
• assumptions on compression function f for PRO/Indif
  – f is preimage aware (MD)
  – f is FIL-PRO (variant of MD)

Can tight reductions be made?
Impact of results in ideal model?
Is it meaningful to preserve Pre?

Compression function

Block cipher ($E_K$) based: single block length

[Figure: the Davies-Meyer and Miyaguchi-Preneel constructions, each built from a block cipher E with inputs $x_i$ and $H_{i-1}$ and output $H_i$.]

• output length = block length