DOCSLIB.ORG

Security Analysis of BLAKE2's Modes of Operation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security Analysis of BLAKE2's Modes of Operation Security Analysis of BLAKE2's Modes of Operation Atul Luykx, Bart Mennink, Samuel Neves KU Leuven (Belgium) and Radboud University (The Netherlands) FSE 2017 March 7, 2017 1 / 14 BLAKE2 m1 m2 m3 m 0∗ `k IV PB F F F F H(m) ⊕ t1 f1 t2 f2 t3 f3 t` f` Cryptographic hash function • Aumasson, Neves, Wilcox-O'Hearn, Winnerlein (2013) • Simplication of SHA-3 nalist BLAKE • 2 / 14 BLAKE2 Use in Password Hashing Argon2 (Biryukov et al.) • Catena (Forler et al.) • Lyra (Almeida et al.) • Lyra2 (Simplício Jr. et al.) • Rig (Chang et al.) • Use in Authenticated Encryption AEZ (Hoang et al.) • Applications Noise Protocol Framework (Perrin) • Zcash Protocol (Hopwood et al.) • RAR 5.0 (Roshal) • 3 / 14 BLAKE2 Guo et al. 2014 Hao 2014 Khovratovich et al. 2015 Espitau et al. 2015 ??? Even slight modications may make a scheme insecure! Security Inheritance? BLAKE cryptanalysis Aumasson et al. 2010 Biryukov et al. 2011 Dunkelman&K. 2011 generic Andreeva et al. 2012 Chang et al. 2012 4 / 14 ??? Even slight modications may make a scheme insecure! Security Inheritance? BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 Chang et al. 2012 4 / 14 Even slight modications may make a scheme insecure! Security Inheritance? BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 ??? Chang et al. 2012 4 / 14 Security Inheritance? BLAKE BLAKE2 cryptanalysis Aumasson et al. 2010 Guo et al. 2014 Biryukov et al. 2011 Hao 2014 Dunkelman&K. 2011 Khovratovich et al. 2015 Espitau et al. 2015 generic Andreeva et al. 2012 ??? Chang et al. 2012 Even slight modications may make a scheme insecure! 4 / 14 No structural design aws • Well-suited for composition • Indierentiability real world simulated world IC C idealPrandom Rsimulator S function primitive for oracle P distinguisher D Indierentiability of function from a random oracle • C P is indierentiable from if simulator such that • C R 9 S ( ; ) and ( ; ) indistinguishable C P R S 5 / 14 1 Indierentiability real world simulated world IC C idealPrandom Rsimulator S function primitive for oracle P distinguisher D Indierentiability of function from a random oracle • C P is indierentiable from if simulator such that • C R 9 S ( ; ) and ( ; ) indistinguishable C P R S No structural design aws • Well-suited for composition • 5 / 14 1 (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −! (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −! (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −! Composition1 indiff-compose-0 H E F H 6 / 14 (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −! (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −! Composition2 indiff-compose-1 H (i) E F (i) H (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −! 6 / 14 (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −! Composition3 indiff-compose-2 H (i) E (ii) F (i) H (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −! (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −! 6 / 14 Composition4 indiff-compose-3 (iii) H (i) E (ii) F (i) (iii) H (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −! (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −! (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −! 6 / 14 Composition5 indiff-compose-4 (iii) H (i) E (ii) F (i) (iii) H (i) First hash-function indierentiability results • Chop-/PF-MD with ideal F indierentiable −! (ii) Most obvious second step (composition) • But (e.g.) Davies-Meyer with ideal E dierentiable −! (iii) Researchers focused on direct proofs • Chop-/PF-MD with Davies-Meyer and ideal E indierentiable −! 6 / 14 Weakly Ideal Cipher Model BLAKE2 cipher has known, but harmless, properties • Analysis tolerates these properties • Our Results Compression Level Indierentiability BLAKE2 indierentiable at compression function level • Immediately implies • • indierentiability of sequential hash mode • indierentiability of tree/parallel hash mode • multi-key PRF security of keyed BLAKE2 mode One proof ts all! • 7 / 14 Our Results Compression Level Indierentiability BLAKE2 indierentiable at compression function level • Immediately implies • • indierentiability of sequential hash mode • indierentiability of tree/parallel hash mode • multi-key PRF security of keyed BLAKE2 mode One proof ts all! • Weakly Ideal Cipher Model BLAKE2 cipher has known, but harmless, properties • Analysis tolerates these properties • 7 / 14 BLAKE2 Compression Function n \ m 2n \ n h \ n \ n/2 2n n \ \ \ 0 h0 E \ n/4 n n \ t \ n/4 \ f n \ IV h is state, m is message, t is counter, f is ag • IV is initialization value • 8 / 14 Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc) Weakly Ideal Cipher Model E is an ideal cipher modulo above property • Underlying Block Cipher k k k k k k k k k k k k k k k k \ 2n a a a a a a a a 2n 2n 0 0 0 0 \ b b b b \ b0 b0 b0 b0 c c c c E c0 c0 c0 c0 ! ! d d d d d0 d0 d0 d0 9 / 14 Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc) Underlying Block Cipher k k k k k k k k k k k k k k k k \ 2n a a a a a a a a 2n 2n 0 0 0 0 \ b b b b \ b0 b0 b0 b0 c c c c E c0 c0 c0 c0 ! ! d d d d d0 d0 d0 d0 Weakly Ideal Cipher Model E is an ideal cipher modulo above property • 9 / 14 Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc) Underlying Block Cipher k k k k k k k k k k k k k k k k \ 2n a a a a a a a a 2n 2n 0 0 0 0 \ b b b b \ b0 b0 b0 b0 c c c c E c0 c0 c0 c0 ! ! d d d d d0 d0 d0 d0 Weakly Ideal Cipher Model E is an ideal cipher modulo above property • Weak- and strong-subspace invariance for weak keys • 9 / 14 Underlying Block Cipher k k k k k k k k k k k k k k k k \ 2n a a a a a a a a 2n 2n 0 0 0 0 \ b b b b \ b0 b0 b0 b0 c c c c E c0 c0 c0 c0 ! ! d d d d d0 d0 d0 d0 Weakly Ideal Cipher Model E is an ideal cipher modulo above property • Weak- and strong-subspace invariance for weak keys • Evaluation of E in BLAKE2 is never weak • (as left half of IV is not of the form cccc) 9 / 14 inverse query−−! hits 0-block −−−−! collision in uniformly random−−! responses q Indiff E (q) = Θ F ;S 2n=2 input matches legitimate F -call? yes no consult R input weak? yes no reply like weak reply uniformly permutation at random Proof Idea E Construction : n Simulator : F \ S m 2n \ n h \ n \ n/2 2n n \ \ \ 0 h0 E \ n/4 n n \ t \ n/4 \ f n \ IV 10 / 14 inverse query−−! hits 0-block −−−−! collision in uniformly random−−! responses q Indiff E (q) = Θ F ;S 2n=2 Proof Idea E Construction : n Simulator : F \ S m input matches \ legitimate F -call? 2n n h \ yes no n \ n/2 2n n \ \ \ consult input weak? 0 R h0 E \ n/4 n n \ t \ yes no n/4 \ f n \ reply like weak reply uniformly permutation at random IV 10 / 14 inverse query−−! hits 0-block −−−−! collision in uniformly random−−! responses q Indiff E (q) = Θ F ;S 2n=2 Proof Idea E Construction : n Simulator : F \ S m input matches \ legitimate F -call? 2n n h \ yes no n \ n/2 2n n \ \ \ consult input weak? 0 R h0 E \ n/4 n n \ \ yes no t n/4 \ f n \ reply like weak reply uniformly permutation at random IV 10 / 14 inverse query−−! hits 0-block q Indiff E (q) = Θ F ;S 2n=2 Proof Idea E Construction : n Simulator : F \ S m input matches \ legitimate F -call? 2n n h \ yes no n \ n/2 2n n \ \ \ consult input weak? 0 R h0 E \ n/4 n n \ \ yes no t n/4 \ f n \ reply like weak reply uniformly permutation at random IV −−−−! collision in uniformly random−−! responses 10 / 14 q Indiff E (q) = Θ F ;S 2n=2 Proof Idea E Construction : n Simulator : F \ S m input matches \ legitimate F -call? 2n n h \ yes no n \ n/2 2n n \ \ \ consult input weak? 0 R h0 E \ n/4 n n \ \ yes no t n/4 \ f n \ reply like weak reply uniformly permutation at random IV inverse query−−! hits 0-block −−−−! collision in uniformly random−−! responses 10 / 14 Proof Idea E Construction : n Simulator : F \ S m input matches \ legitimate F -call? 2n n h \ yes no n \ n/2 2n n \ \ \ consult input weak? 0 R h0 E \ n/4 n n \ \ yes no t n/4 \ f n \ reply like weak reply uniformly permutation at random IV inverse query−−! hits 0-block −−−−! collision in uniformly random−−! responses q Indiff E (q) = Θ F ;S 2n=2 10 / 14 Prex-Free Merkle-Damgård? BLAKE2 Hashing Modes m1 m2 m3 m 0∗ `k IV PB F F F F H(m) ⊕ t1 f1 t2 f2 t3 f3 t` f` Message m padded into m1 m` • k · · · k t1 t` are counter values, f1 f` are ags • k · · · k k · · · k PB is a parameter block • 11 / 14 BLAKE2 Hashing Modes m1 m2 m3 m 0∗ `k IV PB F F F F H(m) ⊕ t1 f1 t2 f2 t3 f3 t` f` Message m padded into m1 m` • k · · · k t1 t` are counter values, f1 f` are ags • k · · · k k · · · k PB is a parameter block • Prex-Free Merkle-Damgård? 11 / 14 Captured by generalized design of Bertoni et al.
Load more

Recommended publications
  • BLAKE2: Simpler, Smaller, Fast As MD5
    BLAKE2: simpler, smaller, fast as MD5 Jean-Philippe Aumasson1, Samuel Neves2, Zooko Wilcox-O'Hearn3, and Christian Winnerlein4 1 Kudelski Security, Switzerland [email protected] 2 University of Coimbra, Portugal [email protected] 3 Least Authority Enterprises, USA [email protected] 4 Ludwig Maximilian University of Munich, Germany [email protected] Abstract. We present the hash function BLAKE2, an improved version of the SHA-3 finalist BLAKE optimized for speed in software. Target applications include cloud storage, intrusion detection, or version control systems. BLAKE2 comes in two main flavors: BLAKE2b is optimized for 64-bit platforms, and BLAKE2s for smaller architectures. On 64- bit platforms, BLAKE2 is often faster than MD5, yet provides security similar to that of SHA-3: up to 256-bit collision resistance, immunity to length extension, indifferentiability from a random oracle, etc. We specify parallel versions BLAKE2bp and BLAKE2sp that are up to 4 and 8 times faster, by taking advantage of SIMD and/or multiple cores. BLAKE2 reduces the RAM requirements of BLAKE down to 168 bytes, making it smaller than any of the five SHA-3 finalists, and 32% smaller than BLAKE. Finally, BLAKE2 provides a comprehensive support for tree-hashing as well as keyed hashing (be it in sequential or tree mode). 1 Introduction The SHA-3 Competition succeeded in selecting a hash function that comple- ments SHA-2 and is much faster than SHA-2 in hardware [1]. There is nev- ertheless a demand for fast software hashing for applications such as integrity checking and deduplication in filesystems and cloud storage, host-based intrusion detection, version control systems, or secure boot schemes.
    [Show full text]
  • Extending NIST's CAVP Testing of Cryptographic Hash Function
    Extending NIST’s CAVP Testing of Cryptographic Hash Function Implementations Nicky Mouha and Christopher Celi National Institute of Standards and Technology, Gaithersburg, MD, USA [email protected],[email protected] Abstract. This paper describes a vulnerability in Apple’s CoreCrypto library, which affects 11 out of the 12 implemented hash functions: every implemented hash function except MD2 (Message Digest 2), as well as several higher-level operations such as the Hash-based Message Authen- tication Code (HMAC) and the Ed25519 signature scheme. The vulnera- bility is present in each of Apple’s CoreCrypto libraries that are currently validated under FIPS 140-2 (Federal Information Processing Standard). For inputs of about 232 bytes (4 GiB) or more, the implementations do not produce the correct output, but instead enter into an infinite loop. The vulnerability shows a limitation in the Cryptographic Algorithm Validation Program (CAVP) of the National Institute of Standards and Technology (NIST), which currently does not perform tests on hash func- tions for inputs larger than 65 535 bits. To overcome this limitation of NIST’s CAVP, we introduce a new test type called the Large Data Test (LDT). The LDT detects vulnerabilities similar to that in CoreCrypto in implementations submitted for validation under FIPS 140-2. Keywords: CVE-2019-8741, FIPS, CAVP, ACVP, Apple, CoreCrypto, hash function, vulnerability. 1 Introduction The security of cryptography in practice relies not only on the resistance of the algorithms against cryptanalytical attacks, but also on the correctness and robustness of their implementations. Software implementations are vulnerable to software faults, also known as bugs.
    [Show full text]
  • Internet Engineering Task Force (IETF) A. Langley Request for Comments: 7905 W
    Internet Engineering Task Force (IETF) A. Langley Request for Comments: 7905 W. Chang Updates: 5246, 6347 Google, Inc. Category: Standards Track N. Mavrogiannopoulos ISSN: 2070-1721 Red Hat J. Strombergson Secworks Sweden AB S. Josefsson SJD AB June 2016 ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) Abstract This document describes the use of the ChaCha stream cipher and Poly1305 authenticator in the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols. This document updates RFCs 5246 and 6347. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7905. Langley, et al. Standards Track [Page 1] RFC 7905 ChaCha-Poly1305 for TLS June 2016 Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
    [Show full text]
  • High-Speed Hardware Implementations of BLAKE, Blue
    High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein Version 2.0, November 11, 2009 Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, J¨orn-Marc Schmidt, and Alexander Szekely Graz University of Technology, Institute for Applied Information Processing and Communications, Inffeldgasse 16a, A{8010 Graz, Austria {Stefan.Tillich,Martin.Feldhofer,Mario.Kirschbaum, Thomas.Plos,Joern-Marc.Schmidt,Alexander.Szekely}@iaik.tugraz.at Abstract. In this paper we describe our high-speed hardware imple- mentations of the 14 candidates of the second evaluation round of the SHA-3 hash function competition. We synthesized all implementations using a uniform tool chain, standard-cell library, target technology, and optimization heuristic. This work provides the fairest comparison of all second-round candidates to date. Keywords: SHA-3, round 2, hardware, ASIC, standard-cell implemen- tation, high speed, high throughput, BLAKE, Blue Midnight Wish, Cube- Hash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, Skein. 1 About Paper Version 2.0 This version of the paper contains improved performance results for Blue Mid- night Wish and SHAvite-3, which have been achieved with additional imple- mentation variants. Furthermore, we include the performance results of a simple SHA-256 implementation as a point of reference. As of now, the implementations of 13 of the candidates include eventual round-two tweaks. Our implementation of SIMD realizes the specification from round one. 2 Introduction Following the weakening of the widely-used SHA-1 hash algorithm and concerns over the similarly-structured algorithms of the SHA-2 family, the US NIST has initiated the SHA-3 contest in order to select a suitable drop-in replacement [27].
    [Show full text]
  • Side-Channel Analysis of Six SHA-3 Candidates⋆
    Side-channel Analysis of Six SHA-3 Candidates? Olivier Beno^ıtand Thomas Peyrin Ingenico, France [email protected] Abstract. In this paper we study six 2nd round SHA-3 candidates from a side-channel crypt- analysis point of view. For each of them, we give the exact procedure and appropriate choice of selection functions to perform the attack. Depending on their inherent structure and the internal primitives used (Sbox, addition or XOR), some schemes are more prone to side channel analysis than others, as shown by our simulations. Key words: side-channel, hash function, cryptanalysis, HMAC, SHA-3. 1 Introduction Hash functions are one of the most important and useful tools in cryptography. A n-bit cryp- tographic hash function H is a function taking an arbitrarily long message as input and out- putting a fixed-length hash value of size n bits. Those primitives are used in many applications such as digital signatures or key generation. In practice, hash functions are also very useful for building Message Authentication Codes (MAC), especially in a HMAC [5, 34] construction. HMAC offers a good efficiency considering that hash functions are among the fastest bricks in cryptography, while its security can be proven if the underlying function is secure as well [4]. In recent years, we saw the apparition of devastating attacks [39, 38] that broke many standardized hash functions [37, 31]. The NIST launched the SHA-3 competition [33] in response to these attacks and in order to maintain an appropriate security margin considering the increase of the computation power or further cryptanalysis improvements.
    [Show full text]
  • Implementation of Hash Function for Cryptography (Rsa Security)
    International Journal For Technological Research In Engineering Volume 4, Issue 6, February-2017 ISSN (Online): 2347 - 4718 IMPLEMENTATION OF HASH FUNCTION FOR CRYPTOGRAPHY (RSA SECURITY) Syed Fateh Reza1, Mr. Prasun Das2 1M.Tech. (ECE), 2Assistant Professor (ECE), Bitm,Bolpur ABSTRACT: In this thesis, a new method for expected to have a unique hash code and it should be implementing cryptographic hash functions is proposed. generally difficult for an attacker to find two messages with This method seeks to improve the speed of the hash the same hash code. function particularly when a large set of messages with Mathematically, a hash function (H) is defined as follows: similar blocks such as documents with common Headers H: {0, 1}* → {0, 1}n are to be hashed. The method utilizes the peculiar run-time In this notation, {0, 1}* refers to the set of binary elements configurability Feature of FPGA. Essentially, when a block of any length including the empty string while {0, 1}n refers of message that is commonly hashed is identified, the hash to the set of binary elements of length n. Thus, the hash value is stored in memory so that in subsequent occurrences function maps a set of binary elements of arbitrary length to of The message block, the hash value does not need to be a set of binary elements of fixed length. Similarly, the recomputed; rather it is Simply retrieved from memory, thus properties of a hash function are defined as follows: giving a significant increase in speed. The System is self- x {0, 1}*; y {0,1}n learning and able to dynamically build on its knowledge of Pre-image resistance: given y= H(x), it should be difficult to frequently Occurring message blocks without intervention find x.
    [Show full text]
  • SHA-3 Conference, March 2012, Efficient Hardware Implementations
    Efficient Hardware Implementations and Hardware Performance Evaluation of SHA-3 Finalists Kashif Latif, M Muzaffar Rao, Arshad Aziz and Athar Mahboob National University of Sciences and Technology (NUST), H-12 Islamabad, Pakistan [email protected], [email protected], [email protected], [email protected] Abstract. Cryptographic hash functions are at the heart of many information security applications like digital signatures, message authentication codes (MACs), and other forms of authentication. In consequence of recent innovations in cryptanalysis of commonly used hash algorithms, NIST USA announced a publicly open competition for selection of new standard Secure Hash Algorithm called SHA-3. An essential part of this contest is hardware performance evaluation of the candidates. In this work we present efficient hardware implementations and hardware performance evaluations of SHA-3 finalists. We implemented and investigated the performance of SHA-3 finalists on latest Xilinx FPGAs. We show our results in the form of chip area consumption, throughput and throughput per area on most recently released devices from Xilinx on which implementations have not been reported yet. We have achieved substantial improvements in implementation results from all of the previously reported work. This work serves as performance investigation of SHA-3 finalists on most up-to-date FPGAs. Keywords: SHA-3, Performance Evaluation, Cryptographic Hash Functions, High Speed Encryption Hardware, FPGA. 1 Introduction A cryptographic hash function is a deterministic procedure whose input is an arbitrary block of data and output is a fixed-size bit string, which is known as the (Cryptographic) hash value. Cryptographic hash functions are widely used in many information security applications like digital signatures, message authentication codes (MACs), and other forms of authentication.
    [Show full text]
  • Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain
    I. J. Computer Network and Information Security, 2021, 2, 1-15 Published Online April 2021 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2021.02.01 Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain Alexandr Kuznetsov1 , Inna Oleshko2, Vladyslav Tymchenko3, Konstantin Lisitsky4, Mariia Rodinko5 and Andrii Kolhatin6 1,3,4,5,6 V. N. Karazin Kharkiv National University, Svobody sq., 4, Kharkiv, 61022, Ukraine E-mail: [email protected], [email protected], [email protected], [email protected], [email protected] 2 Kharkiv National University of Radio Electronics, Nauky Ave. 14, Kharkiv, 61166, Ukraine E-mail: [email protected] Received: 30 June 2020; Accepted: 21 October 2020; Published: 08 April 2021 Abstract: A blockchain, or in other words a chain of transaction blocks, is a distributed database that maintains an ordered chain of blocks that reliably connect the information contained in them. Copies of chain blocks are usually stored on multiple computers and synchronized in accordance with the rules of building a chain of blocks, which provides secure and change-resistant storage of information. To build linked lists of blocks hashing is used. Hashing is a special cryptographic primitive that provides one-way, resistance to collisions and search for prototypes computation of hash value (hash or message digest). In this paper a comparative analysis of the performance of hashing algorithms that can be used in modern decentralized blockchain networks are conducted. Specifically, the hash performance on different desktop systems, the number of cycles per byte (Cycles/byte), the amount of hashed message per second (MB/s) and the hash rate (KHash/s) are investigated.
    [Show full text]
  • Research Intuitions of Hashing Crypto System
    Published by : International Journal of Engineering Research & Technology (IJERT) http://www.ijert.org ISSN: 2278-0181 Vol. 9 Issue 12, December-2020 Research Intuitions of Hashing Crypto System 1Rojasree. V, 2Gnana Jayanthi. J, 3Christy Sujatha. D PG & Research Department of Computer Science, Rajah Serfoji Govt. College(A), (Affiliated to Bharathidasan University), Thanjavur-613005, Tamilnadu, India. Abstract—Data transition over the internet has become there is no correlation between input and output bits; and no inevitable. Most data transmitted in the form of multimedia. correlation between output bits, etc. The data transmission must be less complex and user friendly To ensure about the originator of the message, Message at the same time with more security. Message authentication Authentication Code (MAC) is used which can be and integrity is one of the major issues in security data implemented using either symmetric Stream cipher Transmission. There are plenty of methods used to ensure the integrity of data when it is send from the receiver and before it cryptography or Hashing cryptography techniques. reaches the corresponding receiver. If these messages are However, MAC is limited with (i) Establishment of Shared tampered in the midst, it should be intimated to the receiver Secret and (ii) Inability to Provide Non-Repudiation. Even and discarded. Hash algorithms are supposed to provide the some kind of attacks is found like Content modification, integrity but almost all the algorithms have confirmed Sequence modification, Timing modification etc. breakable or less secure. In this review, the performances of This paper is aimed to discuss the several security various hash functions are studied with an analysis from the algorithms based on hash functions in cryptography to point of view of various researchers.
    [Show full text]
  • Attacks on and Advances in Secure Hash Algorithms
    IAENG International Journal of Computer Science, 43:3, IJCS_43_3_08 ______________________________________________________________________________________ Attacks on and Advances in Secure Hash Algorithms Neha Kishore, Member IAENG, and Bhanu Kapoor service but is a collection of various services. These services Abstract— In today’s information-based society, encryption include: authentication, access control, data confidentiality, along with the techniques for authentication and integrity are non-repudiation, and data integrity[1]. A system has to key to the security of information. Cryptographic hashing ensure one or more of these depending upon the security algorithms, such as the Secure Hashing Algorithms (SHA), are an integral part of the solution to the information security requirements for a particular system. For example, in problem. This paper presents the state of art hashing addition to the encryption of the data, we may also need algorithms including the security challenges for these hashing authentication and data integrity checks for most of the algorithms. It also covers the latest research on parallel situations in the dynamic context [2]. The development of implementations of these cryptographic algorithms. We present cryptographic hashing algorithms, to ensure authentication an analysis of serial and parallel implementations of these and data integrity services as part of ensuring information algorithms, both in hardware and in software, including an analysis of the performance and the level of protection offered security, has been an active area of research. against attacks on the algorithms. For ensuring data integrity, SHA-1[1] and MD5[1] are the most common hashing algorithms being used in various Index Terms—Cryptographic Hash Function, Parallel types of applications.
    [Show full text]
  • Security Analysis of BLAKE2's Modes of Operation
    Security Analysis of BLAKE2’s Modes of Operation Atul Luykx1, Bart Mennink1 and Samuel Neves2 1 Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iMinds, Belgium [email protected], [email protected] 2 CISUC, Dept. of Informatics Engineering, University of Coimbra, Portugal [email protected] Abstract. BLAKE2 is a hash function introduced at ACNS 2013, which has been adopted in many constructions and applications. It is a successor to the SHA-3 finalist BLAKE, which received a significant amount of security analysis. Nevertheless, BLAKE2 introduces sufficient changes so that not all results from BLAKE carry over, meaning new analysis is necessary. To date, all known cryptanalysis done on BLAKE2 has focused on its underlying building blocks, with little focus placed on understanding BLAKE2’s generic security. We prove that BLAKE2’s compression function is indifferentiable from a random function in a weakly ideal cipher model, which was not the case for BLAKE. This implies that there are no generic attacks against any of the modes that BLAKE2 uses. Keywords: BLAKE · BLAKE2 · hash function · indifferentiability · PRF 1 Introduction Widespread adoption of cryptographic algorithms in practice often occurs regardless of their scrutiny by the cryptographic community. Although competitions such as AES and SHA-3 popularize thoroughly analyzed algorithms, they are not the only means with which practitioners find new algorithms. Standards, textbooks, and social media are sometimes more effective than publications and competitions. Nevertheless, analysis of algorithms is important regardless of how they were pop- ularized, and can result in finding insecurities, but also new techniques. For example, the PLAID protocol avoided cryptographic scrutiny by being standardized via the Cards and personal identification subcommittee of ISO, instead of via the Cryptography and security mechanisms working group, and when properly analyzed, PLAID turned out to be significantly weaker than claimed [DFF+14].
    [Show full text]
  • Chacha20 and Poly1305 Cipher Suites for TLS
    ChaCha20 and Poly1305 Cipher Suites for TLS Adam Langley Wan-Teh Chang Outline ● ChaCha20 stream cipher ● Poly1305 authenticator ● ChaCha20+Poly1305 AEAD construction ● TLS cipher suites ● Performance ChaCha20 stream cipher ● Designed by Dan J. Bernstein ● A variant of Salsa20 to improve diffusion ● Used in BLAKE, a SHA-3 finalist ● 256-bit key ● 64-bit nonce ● 64-bit block counter ● Outputs a 64-byte block of key stream and increments block counter in each invocation ● Plaintext is XOR’ed with the key stream ChaCha20 function constants key counter nonce Input S0 S1 S2 S3 S4 S5 S6 S7 State (16 words) S8 S9 S10 S11 S12 S13 S14 S15 Output key stream (64 bytes) Poly1305 authenticator ● A Wegman-Carter, one-time authenticator ● Designed by Dan J. Bernstein ● 256-bit key ● 128-bit output Poly1305 calculation Key (r, s): r => integer R, s => integer S Input is divided into 16-byte chunks C0 C1 C2 C3 C4 C5 . Cn-2 Cn-1 C0*R^n + C1*R^(n-1) + C2*R^(n-2) + … + Cn-2*R^2 + Cn-1*R mod (2^130- 5) Evaluate this polynomial with Horner’s Rule + S mod 2^128 AEAD construction ● The AEAD key is a ChaCha20 key ● For each nonce, derive: Poly1305 key = ChaCha20(000...0, counter=0) Discard the last 32 bytes of output ● A = additional data ● S = ChaCha20(plaintext, counter=1) ● T = Poly1305(A || len(A) || S || len(S)) ● Ciphertext = S || T TLS cipher suites ● Three forward secret, AEAD ciphers: ○ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ○ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ○ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ● No implicit nonce: fixed_iv_length
    [Show full text]