DOCSLIB.ORG

Downloaded on 2017-02-12T10:18:32Z Cryptographic Coprocessors for Embedded Systems

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Downloaded on 2017-02-12T10:18:32Z Cryptographic Coprocessors for Embedded Systems Title Cryptographic coprocessors for embedded systems Author(s) Hamilton, Mark Publication date 2014 Original citation Hamilton, M. 2014. Cryptographic coprocessors for embedded systems. PhD Thesis, University College Cork. Type of publication Doctoral thesis Rights © 2014, Mark Hamilton http://creativecommons.org/licenses/by-nc-nd/3.0/ Embargo information No embargo required Item downloaded http://hdl.handle.net/10468/1770 from Downloaded on 2017-02-12T10:18:32Z Cryptographic Coprocessors for Embedded Systems Mark Hamilton Department of Electrical and Electronic Engineering National University of Ireland, Cork Research Supervisor : Dr. William P. Marnane Head of Department : Prof. Nabeel Riza A thesis submitted for the degree of Doctor of Philosophy January 24, 2014 Abstract In the field of embedded systems design, coprocessors play an important role as a component to increase performance. Many embedded systems are built around a small General Purpose Processor (GPP). If the GPP cannot meet the performance requirements for a certain operation, a coprocessor can be included in the design. The GPP can then offload the computationally in- tensive operation to the coprocessor; thus increasing the performance of the overall system. A common application of coprocessors is the acceleration of cryptographic algorithms. The work presented in this thesis discusses co- processor architectures for various cryptographic algorithms that are found in many cryptographic protocols. Their performance is then analysed on a Field Programmable Gate Array (FPGA) platform. Firstly, the acceleration of Elliptic Curve Cryptography (ECC) algorithms is investigated through the use of instruction set extension of a GPP. The performance of these algorithms in a full hardware implementation is then investigated, and an architecture for the acceleration the ECC based digital signature algorithm is developed. Hash functions are also an important component of a cryptographic system. The FPGA implementation of recent hash function designs from the SHA- 3 competition are discussed and a fair comparison methodology for hash functions presented. Many cryptographic protocols involve the generation of random data, for keys or nonces. This requires a True Random Number Generator (TRNG) to be present in the system. Various TRNG designs are discussed and a secure implementation, including post-processing and failure detection, is introduced. Finally, a coprocessor for the acceleration of operations at the protocol level will be discussed, where, a novel aspect of the design is the secure method in which private-key data is handled. I, Mark Hamilton, certify that this thesis is my own work and I have not obtained a degree in this university or elsewhere on the basis of the work submitted in this thesis. Mark Hamilton Acknowledgements I would like to thank all those who have helped me during the course of completing this thesis, including, but not limited to, my supervisor Liam Marnane for giving me the opportunity to pursue this PhD, and for his guidance over the past few years; Christophe Negre and Emanuel Popovici for taking the time to read this thesis; the staff of the electrical engineering department in UCC; all of the postgraduate students and postdocs that I have worked with over the past few years; Arnaud Tisserand for inviting me to collaborate with him in Lannion; and my family for their support over the last few years. Contents Contents i 1 Introduction 1 1.1 Motivation .................................. 1 1.2 Contribution ................................. 3 1.3 Publications.................................. 4 2 Cryptography for Embedded Systems 6 2.1 Introduction.................................. 6 2.2 IntroductiontoCryptographicSystems . .... 7 2.3 MathematicalBackground. 8 2.3.1 Groups ................................ 8 2.3.2 Rings ................................. 9 2.3.3 Fields ................................. 9 2.3.4 FiniteFields ............................. 10 2.4 GeneratingRandomNumbers. 10 2.5 Private-KeyCryptography. 11 2.6 Public-KeyCryptography . 12 2.6.1 PublicKeyInfrastructure . 13 2.6.1.1 Digital Signatures . 13 2.6.1.2 Digital Certificates . 16 2.7 CryptographicProtocols . 16 2.8 TransportLayerSecurity . 17 2.8.1 TLSRecordProtocol . .. .. .. .. .. .. .. 18 2.8.2 TLSAlertProtocol.. .. .. .. .. .. .. .. 18 2.8.3 TLSChangeCipherSpecProtocol . 19 2.8.4 TLS Application Data Protocol . 19 i CONTENTS 2.8.5 TLSHandshakeProtocol . 20 2.9 FieldProgrammableGateArrays . 22 2.9.1 MicroblazeProcessor. 23 2.9.2 FSLBus................................ 24 2.10 FPGAsandCryptography. 25 2.11 SideChannelAttacks ............................ 27 2.12RelatedWork................................. 28 2.12.1 Isobeetal. .............................. 28 2.12.2 Wangetal. .............................. 29 2.12.3 InstructionSetExtension . 30 2.12.4 Secure Key Management . 30 2.13Discussion................................... 32 3 Hardware-Software Co-Design for Elliptic Curve Cryptography 34 3.1 Introduction.................................. 34 3.2 BackgroundtoECC ............................. 35 3.2.1 Group operations on Elliptic Curves . 35 3.2.2 JacobianCoordinates . 36 3.2.3 Co-Z Arithmetic ........................... 38 3.3 Point Scalar Multiplication . 39 3.3.1 SPA Resistant Point Scalar Multiplication . 40 3.3.1.1 Combined double-add operation . 43 3.3.1.2 (X,Y )-only operations . 43 3.4 Montgomery Multiplication . 45 3.5 InstructionSetExtensionforECC . 47 3.5.1 Software................................ 47 3.6 Custom Hardware Acceleration . 49 3.6.1 Montgomery Multiplication in Hardware . 49 3.6.2 Instruction Set Extension Results . 50 3.7 Optimisations for the q = 2n 1case.................... 53 − 3.7.1 SerialMultiplier ........................... 54 3.7.2 BoothMultiplier ........................... 55 3.7.3 Multiplier with BRAMs and DSP48Es . 56 3.7.3.1 Multiplier Architecture . 58 3.7.3.2 Decomposing the Multiplicands . 59 3.7.3.3 DSPBlocks......................... 61 ii CONTENTS 3.7.3.4 BlockRAM......................... 62 3.7.3.5 TheAdder ......................... 62 3.7.3.6 Controller . 63 3.7.3.7 Multiplier Operation . 64 3.7.4 Results ................................ 64 3.8 Discussion................................... 66 4 FPGA Implementation of an ECDSA Coprocessor 68 4.1 Introduction.................................. 68 4.2 ECCProcessor ................................ 68 4.2.1 Fq Addition/Subtraction. 69 4.2.2 Fq Inversion.............................. 70 4.3 ComparingCoordinatePerformance . 71 4.4 Applications of Elliptic Curves in TLS . 76 4.4.1 Elliptic Curve Diffie-Hellman Key Exchange (ECDH) . 77 4.4.2 Elliptic Curve Digital Signature Algorithm (ECDSA) . ..... 78 4.4.3 DPAresistantECDSA. 80 4.4.4 Simultaneous multiple point multiplication . ..... 80 4.5 RelatedWork................................. 81 4.6 ECDSAProcessorArchitecture . 83 4.7 ImplementationResults . 84 4.8 Discussion................................... 87 5 Hash Functions and their Applications 89 5.1 Introduction.................................. 89 5.2 HashFunctionDesign ............................ 90 5.2.1 Implementation Options . 90 5.3 HashFunctionUsage............................. 91 5.4 HashFunctionsandTLS........................... 92 5.4.1 HMACFunction ........................... 92 5.4.2 TLSPseudorandomFunction . 93 5.4.3 Keyderivation ............................ 94 5.4.4 Finished Message Calculation . 94 5.5 SHAAlgorithms ............................... 95 5.5.1 SHA256................................ 95 5.6 SHA-3Competition ............................. 97 iii CONTENTS 5.7 BlueMidnightWish ............................. 97 5.8 Hamsi ..................................... 99 5.9 CubeHash................................... 100 5.10 Fair Comparison Methodology . 102 5.10.1 WrapperOverview . 102 5.10.2 Communications Protocol . 103 5.10.3 PaddingProtocol. 104 5.11 ImplementationResults . 105 5.12Discussion................................... 107 6 True Random Number Generators 109 6.1 Introduction.................................. 109 6.2 ImplementationofTRNGs. 110 6.2.1 Analysing the Quality of TRNG Output Data . 111 6.3 Vasyltsovetal. ................................ 113 6.4 VarcholaandDrutarovsk´y. 116 6.5 DichtlandGoli´c ............................... 118 6.6 ComparingtheResults. .. .. .. .. .. .. .. .. 122 6.7 TRNGFailureDetection. 123 6.7.1 FPGA Implementation . 124 6.8 Post-processingofTRNGs. 125 6.9 Secure Architecture Implementation Results . ....... 125 6.10Discussion................................... 126 7 Coprocessor Design For the Protocol Level 128 7.1 Introduction.................................. 128 7.2 DesigningaSecureCoprocessor . 129 7.3 RequirementsofaTLSCoprocessor . 131 7.3.1 Public-key algorithms . 131 7.3.2 Private-key Algorithms . 131 7.3.3 HashingOperations . 132 7.3.4 Operations Involving Private Keys . 132 7.4 EncryptionforTLS ............................. 132 7.4.1 CipherBlockChaining. 134 7.4.2 AES Implementation . 135 7.5 SHA256ImplementationforTLS . 136 iv CONTENTS 7.6 DesignOverview ............................... 137 7.7 Hardware/Software Partition . 137 7.8 CoprocessorOperation. 139 7.9 TestPlatform................................. 141 7.9.1 Microblaze Configuration . 141 7.10 ImplementationResults . 142 7.11Conclusions .................................. 143 8 Conclusions and Future Work 145 8.1 ContributiontotheField . 145 8.2 FutureWork ................................. 147 A Co-Z Algorithms 148 A.1 Point Doubling Formulæ with Update in Homogeneous
Load more

Recommended publications
  • Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGNOF CRYPTOGRAPHIC ACCELERATORS
    Title Hardware design of cryptographic accelerators Author(s) Baldwin, Brian John Publication date 2013 Original citation Baldwin, B.J., 2013. Hardware design of cryptographic accelerators. PhD Thesis, University College Cork. Type of publication Doctoral thesis Rights © 2013. Brian J. Baldwin http://creativecommons.org/licenses/by-nc-nd/3.0/ Embargo information No embargo required Item downloaded http://hdl.handle.net/10468/1112 from Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGN OF CRYPTOGRAPHIC ACCELERATORS by BRIAN BALDWIN Thesis submitted for the degree of PHD from the Department of Electrical Engineering National University of Ireland University College, Cork, Ireland May 7, 2013 Supervisor: Dr. William P. Marnane “What I cannot create, I do not understand” - Richard Feynman; on his blackboard at time of death in 1988. Contents 1 Introduction 1 1.1 Motivation...................................... 1 1.2 ThesisAims..................................... 3 1.3 ThesisOutline................................... 6 2 Background 9 2.1 Introduction.................................... 9 2.2 IntroductiontoCryptography. ...... 10 2.3 MathematicalBackground . ... 13 2.3.1 Groups ................................... 13 2.3.2 Rings .................................... 14 2.3.3 Fields.................................... 15 2.3.4 FiniteFields ................................ 16 2.4 EllipticCurves .................................. 17 2.4.1 TheGroupLaw............................... 18 2.4.2 EllipticCurvesoverPrimeFields . .... 19 2.5 CryptographicPrimitives&Protocols
    [Show full text]
  • Características Y Aplicaciones De Las Funciones Resumen Criptográficas En La Gestión De Contraseñas
    Características y aplicaciones de las funciones resumen criptográficas en la gestión de contraseñas Alicia Lorena Andrade Bazurto Instituto Universitario de Investigación en Informática Escuela Politécnica Superior Características y aplicaciones de las funciones resumen criptográficas en la gestión de contraseñas ALICIA LORENA ANDRADE BAZURTO Tesis presentada para aspirar al grado de DOCTORA POR LA UNIVERSIDAD DE ALICANTE DOCTORADO EN INFORMÁTICA Dirigida por: Dr. Rafael I. Álvarez Sánchez Alicante, julio 2019 Índice Índice de tablas .................................................................................................................. vii Índice de figuras ................................................................................................................. ix Agradecimiento .................................................................................................................. xi Resumen .......................................................................................................................... xiii Resum ............................................................................................................................... xv Abstract ........................................................................................................................... xvii 1 Introducción .................................................................................................................. 1 1.1 Objetivos ...............................................................................................................4
    [Show full text]
  • Rebound Attack
    Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline 1 Motivation 2 Whirlpool Hash Function 3 Application of the Rebound Attack 4 Summary SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack Ebw Ein Efw inbound outbound outbound Applies to block cipher and permutation based
    [Show full text]
  • The Hitchhiker's Guide to the SHA-3 Competition
    History First Second Third The Hitchhiker’s Guide to the SHA-3 Competition Orr Dunkelman Computer Science Department 20 June, 2012 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 1/ 33 History First Second Third Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 2/ 33 History First Second Third History Sad Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 3/ 33 History First Second Third History Sad A(n Extremely) Short History of Hash Functions 1976 Diffie and Hellman suggest to use hash functions to make digital signatures shorter. 1979 Salted passwords for UNIX (Morris and Thompson). 1983/4 Davies/Meyer introduce Davies-Meyer. 1986 Fiat and Shamir use random oracles. 1989 Merkle and Damg˚ard present the Merkle-Damg˚ard hash function.
    [Show full text]
  • Tocubehash, Grøstl, Lane, Toshabal and Spectral Hash
    FPGA Implementations of SHA-3 Candidates: CubeHash, Grøstl, Lane, Shabal and Spectral Hash Brian Baldwin, Andrew Byrne, Mark Hamilton, Neil Hanley, Robert P. McEvoy, Weibo Pan and William P. Marnane Claude Shannon Institute for Discrete Mathematics, Coding and Cryptography & Department of Electrical & Electronic Engineering, University College Cork, Ireland. Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation The SHA-3 Contest UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation The SHA-3 Contest Overview of the Hash Function Architectures UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function Implementations Results Conclusions Overview Hash Function Description Introduction Background Operation The SHA-3 Contest Overview of the Hash Function Architectures Hash Function Implementations CubeHash Grøstl Lane Shabal Spectral Hash UCC Cryptography Group, 2009 The Claude Shannon Workshop On Coding and Cryptography Hash Functions The SHA-3 Contest Hash Function
    [Show full text]
  • An Efficient Hardware Architecture for Spectral Hash Algorithm
    An Efficient Hardware Architecture for Spectral Hash Algorithm Ray C.C. Cheung C¸etin Kaya Koc¸ Department of Electrical Engineering University of California Santa Barbara & University of California Los Angeles City University of Istanbul [email protected] [email protected] John D. Villasenor Department of Electrical Engineering University of California Los Angeles [email protected] Abstract “frequency domain techniques”) have recently been used in certain special applications in cryptography, including in The Spectral Hash algorithm is one of the Round 1 can- hash function computation [2, 3], modular arithmetic for the didates for the SHA-3 family, and is based on spectral arith- RSA cryptosystem [4], and finite field arithmetic for elliptic metic over a finite field, involving multidimensional dis- curve cryptography [5, 6, 7]. crete Fourier transformations over a finite field, data de- Cryptographic applications require exact arithmetic and pendent permutations, Rubic-type rotations, and affine and the underlying mathematical structures (groups, rings, and nonlinear functions. The underlying mathematical struc- fields) have finitely many elements. Typically, the finite tures and operations pose interesting and challenging tasks ring of integers modulo n, the finite field of p (where p is for computer architects and hardware designers to create a prime) or 2k elements are used, respectively represented k fast, efficient, and compact ASIC and FPGA realizations. as Zn, GF(p) and GF(2 ). Furthermore, in cryptographic In this paper, we present an efficient hardware architec- applications, the DFT computations are performed in a fi- ture for the full 512-bit hash computation using the spectral nite ring or finite field; this differs from many applications hash algorithm.
    [Show full text]
  • NISTIR 7620 Status Report on the First Round of the SHA-3
    NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NISTIR 7620: Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
    [Show full text]
  • Kriptografske Tehničke Sigurnosne Mjere
    Sigurnost računalnih sustava Computer Systems Security Kriptografske tehničke sigurnosne mjere Marin Golub Sadržaj • Uvod: Jesu li i koliko su kriptoalgoritmi sigurni? • Napadi na simetrične i asimetrične kriptosustave • Asimetrični kriptosustavi – Kriptosustavi zasnovani na eliptičkim krivuljama • Funkcije za izračunavanje sažetka poruke – Napadi na funkcije za izračunavanje sažetka poruke – Elektronički vs. digitalni potpis – SHA-2 i SHA-3 • Kvantna kriptografija • Natječaji za nove kriptografske algoritme koji su u tijeku – Kriptografija prilagođena ugrađenim računalima (Lightweight Cryptography ) – Asimetrična kriptografija nakon kvantnih računala (Post-Quantum Cryptography ) SRS-Crypto-2/79 Osnovni pojmovi Kriptologija = kriptografija + kriptoanaliza Kriptografija • znanstvena disciplina (ili umjetnost?) sastavljanja poruka sa ciljem skrivanja sadržaja poruka Kriptoanaliza • znanstvena disciplina koja se bavi analizom skrivenih aspekata sustava i koristi se kako bi se ispitala (ili narušila) sigurnost kriptografskog sustava SRS-Crypto-3/79 Jesu li i koliko su kriptoalgoritmi sigurni? • Postoje specijalizirana računala za napad grubom silom na DES kriptosustav: COPACOBANA (A Cost-Optimized PArallel COde Breaker) • 12.12.2009. faktoriziran RSA-768 • na kvantnom računalu je riješen problem faktoriziranja velikih brojeva i problem diskretnog logaritma • 17.8.2004. - kineski i francuski znanstvenici su objavili članak pod naslovom: "Kolizija za hash funkcije: MD4, MD5, Haval-128 i RIPEMD" • 13.2.2005. - kineski znanstvenici: "Collision
    [Show full text]
  • Re-Visiting HAIFA and Why You Should Visit Too
    Merkle-Damg˚ard HAIFA New Results Summary Re-Visiting HAIFA and why you should visit too Orr Dunkelman D´epartement d’Informatique Ecole´ Normale sup´erieure and France Telecom Chaire 3rd of June 2008 Joint work with Eli Biham, Charles Bouillaguet, Pierre-Alain Fouque, S´ebastian Zimmer. Orr Dunkelman Re-Visiting HAIFA and why you should visit too 1/ 42 Merkle-Damg˚ard HAIFA New Results Summary Outline 1 Iterative Hashing — The Merkle Damg˚ard Construction The Merkle-Damg˚ard Construction Generic Attacks on the Merkle-Damg˚ard Construction Possible Conclusions 2 HAsh Iterative FrAmework The HAIFA Construction Dealing with Fix-Points Variable Hash Size Salts 3 New Results on HAIFA Implementing Other Suggested Modes in HAIFA On the Security of HAIFA 4 Summary Orr Dunkelman Re-Visiting HAIFA and why you should visit too 2/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Outline 1 Iterative Hashing — The Merkle Damg˚ard Construction The Merkle-Damg˚ard Construction Generic Attacks on the Merkle-Damg˚ard Construction Possible Conclusions 2 HAsh Iterative FrAmework The HAIFA Construction Dealing with Fix-Points Variable Hash Size Salts 3 New Results on HAIFA Implementing Other Suggested Modes in HAIFA On the Security of HAIFA 4 Summary Orr Dunkelman Re-Visiting HAIFA and why you should visit too 3/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions The Merkle-Damg˚ard Construction ◮ Presented by Merkle and Damg˚ard independently as an answer to the following problem: ◮ Given a compression function f : {0, 1}mc × {0, 1}n → {0, 1}mc , how would you ∗ m generate a hash function Hf : {0, 1} → {0, 1} .
    [Show full text]
  • Finding Bugs in Cryptographic Hash Function Implementations Nicky Mouha, Mohammad S Raunak, D
    1 Finding Bugs in Cryptographic Hash Function Implementations Nicky Mouha, Mohammad S Raunak, D. Richard Kuhn, and Raghu Kacker Abstract—Cryptographic hash functions are security-critical on the SHA-2 family, these hash functions are in the same algorithms with many practical applications, notably in digital general family, and could potentially be attacked with similar signatures. Developing an approach to test them can be par- techniques. ticularly diffcult, and bugs can remain unnoticed for many years. We revisit the NIST hash function competition, which was In 2007, the National Institute of Standards and Technology used to develop the SHA-3 standard, and apply a new testing (NIST) released a Call for Submissions [4] to develop the new strategy to all available reference implementations. Motivated SHA-3 standard through a public competition. The intention by the cryptographic properties that a hash function should was to specify an unclassifed, publicly disclosed algorithm, to satisfy, we develop four tests. The Bit-Contribution Test checks be available worldwide without royalties or other intellectual if changes in the message affect the hash value, and the Bit- Exclusion Test checks that changes beyond the last message bit property restrictions. To allow the direct substitution of the leave the hash value unchanged. We develop the Update Test SHA-2 family of algorithms, the SHA-3 submissions were to verify that messages are processed correctly in chunks, and required to provide the same four message digest lengths. then use combinatorial testing methods to reduce the test set size Chosen through a rigorous open process that spanned eight by several orders of magnitude while retaining the same fault- years, SHA-3 became the frst hash function standard that detection capability.
    [Show full text]
  • Grøstl – a SHA-3 Candidate
    Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl – a SHA-3 candidate Krystian Matusiewicz Wroclaw University of Technology CECC 2010, June 12, 2010 Krystian Matusiewicz Grøstl – a SHA-3 candidate 1 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Talk outline ◮ Cryptographic hash functions ◮ NIST SHA-3 Competition ◮ Grøstl Krystian Matusiewicz Grøstl – a SHA-3 candidate 2 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Cryptographic hash functions Krystian Matusiewicz Grøstl – a SHA-3 candidate 3 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Cryptographic hash functions: why? ◮ We want to have a short, fixed length “fingerprint” of any piece of data ◮ Different fingerprints – certainly different data ◮ Identical fingerprints – most likely the same data ◮ No one can get any information about the data from the fingerprint Krystian Matusiewicz Grøstl – a SHA-3 candidate 4 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Properties: ◮ No information about the data ◮ To find a preimage:
    [Show full text]
  • Preimage Attacks on Reduced-Round GOST and Grøstl-256 and Studies on Several Truncation Patterns for AES-Like Compression Functions (Full Version)?
    Improved (Pseudo) Preimage Attacks on Reduced-Round GOST and Grøstl-256 and Studies on Several Truncation Patterns for AES-like Compression Functions (Full Version)? Bingke Ma1;2;3, Bao Li1;2, Ronglin Hao1;2;4, and Xiaoqian Li1;2;3 1State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093, China 2Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, 100093, China fbkma,lb,[email protected] 3University of Chinese Academy of Sciences, Beijing, China 4Department of Electronic Engineering and Information Science, University of Science and Technology of China, Hefei, 230027, China [email protected] Abstract. In this paper, we present improved preimage attacks on the reduced-round GOST hash function family, which serves as the new Russian hash standard, with the aid of techniques such as the rebound attack, the Meet-in-the-Middle preimage attack and the multicollisions. Firstly, the preimage attack on 5-round GOST-256 is proposed which is the first preimage attack for GOST-256 at the hash function level. Then we extend the (previous) attacks on 5-round GOST-256 and 6-round GOST-512 to 6.5 and 7.5 rounds respectively by exploiting the involution property of the GOST transposition operation. Secondly, inspired by the preimage attack on GOST-256, we also study the impacts of four representa- tive truncation patterns on the resistance of the Meet-in-the-Middle preimage attack against AES-like compression functions, and propose two stronger truncation patterns which make it more difficult to launch this type of attack.
    [Show full text]