CryptographicCryptographic HashHash FunctionsFunctions andand theirtheir manymany applicationsapplications
ShaiShai HaleviHalevi –– IBMIBM ResearchResearch
USENIX Security – August 2009
Thanks to Charanjit Jutla and Hugo Krawczyk WhatWhat areare hashhash functions?functions?
JustJust aa methodmethod ofof compressingcompressing stringsstrings –– E.g.,E.g., HH :: {0,1}*{0,1}* {0,1}{0,1}160 –– InputInput isis calledcalled ““messagemessage””,, outputoutput isis ““digestdigest”” WhyWhy wouldwould youyou wantwant toto dodo this?this? –– Short,Short, fixedfixed--sizesize betterbetter thanthan long,long, variablevariable--sizesize True also for non-crypto hash functions –– DigestDigest cancan bebe addedadded forfor redundancyredundancy –– DigestDigest hideshides possiblepossible structurestructure inin messagemessage But not HowHow areare theythey built?built? always… TypicallyTypically usingusing MerkleMerkle--DamgDamgåårdrd iteration:iteration: 1.1. StartStart fromfrom aa ““compressioncompression functionfunction”” –– h:h: {0,1}{0,1}b+n{0,1}{0,1}n |M|=b=512 bits
=160 bits 160 bits 2.2. IterateIterate itit
M1 M2 ML-1 ML
d d d IV=d0 d1 2 L-1 L … d=H(M) WhatWhat areare theythey goodgood for?for?
“Modern, collision resistant hash functions were designed to create small, fixed size message digests so that a digest could act as a proxy for a possibly very large variable length message in a digital signature algorithm, such as RSA or DSA. These hash functions have since been widely used for many other “ancillary” applications, including hash-based message authentication codes, pseudo random number generators, and key derivation functions.”
““RequestRequest forfor CandidateCandidate AlgorithmAlgorithm NominationsNominations””,, ---- NIST,NIST, NovemberNovember 20072007 SomeSome examplesexamples
Signatures:Signatures: sign(Msign(M)) == RSARSA-1(( H(M)H(M) )) MessageMessage--authentication:authentication: tag=tag=H(key,MH(key,M)) Commitment:Commitment: commit(Mcommit(M)) == H(M,H(M,……)) KeyKey derivation:derivation: AESAES--keykey == H(DHH(DH--value)value) RemovingRemoving interactioninteraction [Fiat-Shamir, 1987] A B –– TakeTake interactiveinteractive identificationidentification protocolprotocol smthng –– ReplaceReplace oneone sideside byby aa hashhash functionfunction challenge response Challenge = H(smthng, context) –– GetGet nonnon--interactiveinteractive signaturesignature schemescheme smthng, response PartPart I:I: RandomRandom functionsfunctions vs.vs. hashhash functionsfunctions RandomRandom functionsfunctions
WhatWhat wewe reallyreally wantwant isis HH thatthat behavesbehaves ““justjust likelike aa randomrandom functionfunction””:: DigestDigest d=H(M)d=H(M) chosenchosen uniformlyuniformly forfor eacheach MM –– DigestDigest d=H(M)d=H(M) hashas nono correlationcorrelation withwith MM
–– ForFor distinctdistinct MM1,M,M2,,……,, digestsdigests ddi==H(MH(Mi)) areare completelycompletely uncorrelateduncorrelated toto eacheach otherother –– CannotCannot findfind collisions,collisions, oror eveneven nearnear--collisionscollisions –– CannotCannot findfind MM toto ““hithit”” aa specificspecific dd –– CannotCannot findfind fixedfixed--pointspoints (d(d == H(dH(d)))) –– etc.etc. TheThe ““RandomRandom--OracleOracle paradigmparadigm”” [Bellare-Rogaway, 1993] 1.1. PretendPretend hashhash functionfunction isis reallyreally thisthis goodgood 2.2. DesignDesign aa securesecure cryptosystemcryptosystem usingusing itit ProveProve securitysecurity relativerelative toto aa ““randomrandom oracleoracle”” TheThe ““RandomRandom--OracleOracle paradigmparadigm”” [Bellare-Rogaway, 1993] 1.1. PretendPretend hashhash functionfunction isis reallyreally thisthis goodgood 2.2. DesignDesign aa securesecure cryptosystemcryptosystem usingusing itit ProveProve securitysecurity relativerelative toto aa ““randomrandom oracleoracle”” 3.3. ReplaceReplace oracleoracle withwith aa hashhash functionfunction HopeHope thatthat itit remainsremains securesecure TheThe ““RandomRandom--OracleOracle paradigmparadigm”” [Bellare-Rogaway, 1993] 1.1. PretendPretend hashhash functionfunction isis reallyreally thisthis goodgood 2.2. DesignDesign aa securesecure cryptosystemcryptosystem usingusing itit ProveProve securitysecurity relativerelative toto aa ““randomrandom oracleoracle”” 3.3. ReplaceReplace oracleoracle withwith aa hashhash functionfunction HopeHope thatthat itit remainsremains securesecure VeryVery successfulsuccessful paradigm,paradigm, manymany schemesschemes –– E.g.,E.g., OAEPOAEP encryption,encryption, FDH,PSSFDH,PSS signaturessignatures Also all the examples from before… –– SchemesSchemes seemseem toto ““withstandwithstand testtest ofof timetime”” RandomRandom oracles:oracles: rationalerationale
isis somesome cryptocrypto schemescheme (e.g.,(e.g., signatures),signatures), thatthat usesuses aa hashhash functionfunction HH provenproven securesecure whenwhen HH isis randomrandom functionfunction AnyAny attackattack onon realreal--worldworld mustmust useuse somesome ““nonrandomnonrandom propertyproperty”” ofof HH WeWe shouldshould havehave chosenchosen aa betterbetter HH –– withoutwithout thatthat ““nonrandomnonrandom propertyproperty”” Caveat:Caveat: howhow dodo wewe knowknow whatwhat ““nonrandomnonrandom propertiesproperties”” areare important?important? ThisThis rationalerationale isnisn’’tt soundsound [Canetti-Goldreich-H 1997] ExistExist signaturesignature schemesschemes thatthat are:are: 1.1. ProvablyProvably securesecure wrtwrt aa randomrandom functionfunction 2.2. EasilyEasily brokenbroken forfor EVERYEVERY hashhash functionfunction Idea:Idea: hashhash functionsfunctions areare computablecomputable –– ThisThis isis aa ““nonrandomnonrandom propertyproperty”” byby itselfitself ExhibitExhibit aa schemescheme whichwhich isis securesecure onlyonly forfor ““nonnon--computablecomputable HH’’ss”” –– SchemeScheme isis (very)(very) ““contrivedcontrived”” ContrivedContrived exampleexample
StartStart fromfrom anyany securesecure signaturesignature schemescheme – Denote signature algorithm by SIG1H(key,msg) ChangeChange SIG1SIG1 toto SIG2SIG2 asas follows:follows: Some Technicalities SIG2H(key,msg): interprate msg as code Π – If Π(i)=H(i) for i=1,2,3,…,|msg|, then output key – Else output the same as SIG1H(key,msg) IfIf HH isis random,random, alwaysalways thethe ““ElseElse”” casecase IfIf HH isis aa hashhash function,function, attemptingattempting toto signsign thethe codecode ofof HH outputsoutputs thethe secretsecret keykey CautionaryCautionary notenote
ROMROM proofsproofs maymay notnot meanmean whatwhat youyou thinkthink…… –– StillStill theythey givegive valuablevaluable assurance,assurance, rulerule outout ““almostalmost allall realisticrealistic attacksattacks”” WhatWhat ““nonrandomnonrandom propertiesproperties”” areare importantimportant forfor OAEPOAEP // FDHFDH // PSSPSS // ……?? HowHow wouldwould thesethese schemescheme bebe affectedaffected byby aa weaknessweakness inin thethe hashhash functionfunction inin use?use? ROMROM maymay leadlead toto carelesscareless implementationimplementation MerkleMerkle--DamgDamgåårdrd vs.vs. randomrandom functionsfunctions … Recall:Recall: wewe oftenoften constructconstruct ourour hashhash functionsfunctions fromfrom compressioncompression functionsfunctions –– EvenEven ifif compressioncompression isis random,random, hashhash isis notnot E.g., H(key|M) subject to extension attack – H(key | M|M’) = h( H(key|M), M’) –– MinorMinor changeschanges toto MDMD fixfix thisthis But they come with a price (e.g. prefix-free encoding) CompressionCompression alsoalso builtbuilt fromfrom lowlow--levellevel blocksblocks
–– E.g.,E.g., DaviesDavies--MeyerMeyer construction,construction, h(c,Mh(c,M)=)=EEM(c)(c)cc –– ProvideProvide yetyet moremore structure,structure, cancan leadlead toto attacksattacks onon provableprovable ROMROM schemesschemes [H[H--KrawczykKrawczyk 2007]2007] PartPart II:II: UsingUsing hashhash functionsfunctions inin applicationsapplications UsingUsing ““imperfectimperfect”” hashhash functionsfunctions
ApplicationsApplications shouldshould relyrely onlyonly onon ““specificspecific securitysecurity propertiesproperties”” ofof hashhash functionsfunctions –– TryTry toto makemake thesethese propertiesproperties asas ““standardstandard”” andand asas weakweak asas possiblepossible IncreasesIncreases thethe oddsodds ofof longlong--termterm securitysecurity –– WhenWhen weaknessesweaknesses areare foundfound inin hashhash function,function, applicationapplication moremore likelylikely toto survivesurvive –– E.g.,E.g., MD5MD5 isis badlybadly broken,broken, butbut HMACHMAC--MD5MD5 isis barelybarely scratchedscratched SecuritySecurity requirementsrequirements
DeterministicDeterministic hashinghashing Stronger –– AttackerAttacker chooseschooses M,M, d=H(M)d=H(M) HashingHashing withwith aa randomrandom saltsalt –– AttackerAttacker chooseschooses M,M, thenthen goodgood guyguy chooseschooses publicpublic salt,salt, d=d=H(H(saltsalt,M,M)) HashingHashing randomrandom messagesmessages –– MM random,random, d=H(M)d=H(M) HashingHashing withwith aa secretsecret keykey
–– AttackerAttacker chooseschooses M,M, d=d=H(H(keykey,M,M)) Weaker DeterministicDeterministic hashinghashing
CollisionCollision ResistanceResistance –– AttackerAttacker cannotcannot findfind M,MM,M’’ suchsuch thatthat H(M)=H(MH(M)=H(M’’)) AlsoAlso manymany otherother propertiesproperties –– HardHard toto findfind fixedfixed--points,points, nearnear--collisions,collisions, MM s.ts.t.. H(M)H(M) hashas lowlow HammingHamming weight,weight, etc.etc. HashingHashing withwith publicpublic saltsalt
TargetTarget--CollisionCollision--ResistanceResistance (TCR)(TCR) –– AttackerAttacker chooseschooses M,M, thenthen givengiven randomrandom saltsalt,, cannotcannot findfind MM’ suchsuch thatthat H(salt,MH(salt,M)=)=H(H(saltsalt,M,M’)) enhancedenhanced TRCTRC ((eTCReTCR)) –– AttackerAttacker chooseschooses M,M, thenthen givengiven randomrandom saltsalt,, cannotcannot findfind MM’,,saltsalt’ s.ts.t.. H(H(saltsalt,M,M)=)=H(H(saltsalt’,M,M’)) HashingHashing randomrandom messagesmessages
SecondSecond PreimagePreimage ResistanceResistance –– GivenGiven randomrandom M,M, attackerattacker cannotcannot findfind MM’ suchsuch thatthat H(M)=H(MH(M)=H(M’)) OneOne--waynesswayness –– GivenGiven d=H(M)d=H(M) forfor randomrandom M,M, attackerattacker cannotcannot findfind MM’’ suchsuch thatthat H(MH(M’’)=d)=d Extraction*Extraction* –– ForFor randomrandom saltsalt,, highhigh--entropyentropy M,M, thethe digestdigest d=d=H(H(saltsalt,M,M)) isis closeclose toto beingbeing uniformuniform
* Combinatorial, not cryptographic HashingHashing withwith aa secretsecret keykey
PseudoPseudo--RandomRandom FunctionsFunctions –– TheThe mappingmapping MMH(H(keykey,M,M)) forfor secretsecret keykey lookslooks randomrandom toto anan attackerattacker UniversalUniversal hashing*hashing* ’ ’ –– ForFor allall MMMM ,, PrPrkey[[ H(H(keykey,M,M)=)=H(H(keykey,M,M )) ]<]<εε
* Combinatorial, not cryptographic ApplicationApplication 1:1: DigitalDigital signaturessignatures HashHash--thenthen--signsign paradigmparadigm –– FirstFirst shortenshorten thethe message,message, dd == H(M)H(M) –– ThenThen signsign thethe digest,digest, ss == SIGN(dSIGN(d)) ReliesRelies onon collisioncollision resistanceresistance –– IfIf H(M)=H(MH(M)=H(M’’)) thenthen ss isis aa signaturesignature onon bothboth AttacksAttacks onon MD5,MD5, SHASHA--11 threatenthreaten currentcurrent signaturessignatures –– MD5MD5 attacksattacks cancan bebe usedused toto getget badbad CACA certcert [Stevens et al. 2009] CollisionCollision resistanceresistance isis hardhard
AttackerAttacker worksworks offoff--lineline (find(find M,MM,M’’)) –– CanCan useuse statestate--ofof--thethe--artart cryptanalysis,cryptanalysis, asas muchmuch computationcomputation powerpower asas itit cancan gather,gather, withoutwithout beingbeing detecteddetected !!!! HelpedHelped byby birthdaybirthday attackattack (e.g.,(e.g., 2280 vsvs 22160)) WellWell worthworth thethe efforteffort –– OneOne collisioncollision forgeryforgery forfor anyany signersigner SignaturesSignatures withoutwithout CRHFCRHF [Naor-Yung 1989, Bellare-Rogaway 1997] UseUse randomizedrandomized hashinghashing –– ToTo signsign M,M, firstfirst choosechoose freshfresh randomrandom saltsalt –– SetSet d=d= H(H(saltsalt,, M)M),, s=s= SIGN(SIGN( saltsalt |||| dd )) AttackAttack scenarioscenario (collision(collision game):game): –– AttackerAttacker chooseschooses M,M, MM’’ –– SignerSigner chooseschooses randomrandom saltsalt –– AttackerAttacker mustmust findfind M'M' s.ts.t.. H(salt,MH(salt,M)) == H(salt,MH(salt,M')') AttackAttack isis inherentlyinherently onon--lineline –– OnlyOnly relyrely onon targettarget collisioncollision resistanceresistance TCRTCR hashinghashing forfor signaturessignatures
NotNot everyevery randomizationrandomization worksworks – H(M|salt) may be subject to collision attacks when H is Merkle-Damgård – Yet this is what PSS does (and it’s provable in the ROM) ManyMany constructionsconstructions ““inin principleprinciple”” – From any one-way function SomeSome engineeringengineering challengeschallenges – Most constructions use long/variable-size randomness, don’t preserve Merkle-Damgård Also,Also, signingsigning saltsalt meansmeans changingchanging thethe underlyingunderlying signaturesignature schemesschemes SignaturesSignatures withwith enhancedenhanced TCRTCR [H-Krawczyk 2006] UseUse ““strongerstronger randomizedrandomized hashinghashing””,, eTCReTCR –– ToTo signsign M,M, firstfirst choosechoose freshfresh randomrandom saltsalt –– SetSet dd == H(H(saltsalt,, M)M),, ss == SIGN(SIGN( dd )) AttackAttack scenarioscenario (collision(collision game):game): –– AttackerAttacker chooseschooses MM –– SignerSigner chooseschooses randomrandom saltsalt –– AttackerAttacker needsneeds MM‘‘,,saltsalt’’ s.ts.t.. H(H(saltsalt,M,M)=)=H(H(saltsalt',M',M')') AttackAttack isis stillstill inherentlyinherently onon--lineline RandomizedRandomized hashinghashing withwith RMXRMX [H-Krawczyk 2006] UseUse simplesimple messagemessage--randomizationrandomization
–– RMX:RMX: M=(MM=(M1,M,M2,,……,M,ML),), rr (r,(r, MM1⊕⊕rr,M,M2⊕⊕rr,,……,M,ML⊕⊕rr)) Hash(Hash( RMX(r,MRMX(r,M)) )) isis eTCReTCR when:when: –– HashHash isis MerkleMerkle--DamgDamgåårdrd,, andand –– CompressionCompression functionfunction isis ~~ 22nd--preimagepreimage--resistantresistant Signature:Signature: [[ r,r, SIGN(SIGN( Hash(Hash( RMX(r,MRMX(r,M)) )))) ]] –– rr freshfresh perper signature,signature, oneone blockblock (e.g.(e.g. 512512 bits)bits) –– NoNo changechange inin Hash,Hash, nono signingsigning ofof rr PreservingPreserving hashhash--thenthen--signsign
…
…
⊕…⊕
ApplicationApplication 2:2: MessageMessage authenticationauthentication Sender,Sender, Receiver,Receiver, shareshare aa secretsecret keykey ComputeCompute anan authenticationauthentication tagtag –– tagtag == MAC(MAC(keykey,, MM)) SenderSender sendssends ((MM,, tagtag)) ReceiverReceiver verifiesverifies thatthat tagtag matchesmatches MM AttackerAttacker cannotcannot forgeforge tagstags withoutwithout keykey AuthenticationAuthentication withwith HMACHMAC [Bellare-Canetti-Krawczyk 1996]1996 SimpleSimple keykey--prependprepend/append/append havehave problemsproblems whenwhen usedused withwith aa MerkleMerkle--DamgDamgåårdrd hashhash –– tag=tag=H(H(keykey || M)M) subjectsubject toto extensionextension attacksattacks –– tag=H(Mtag=H(M || keykey)) reliesrelies onon collisioncollision resistanceresistance HMAC:HMAC: ComputeCompute tagtag == H(keyH(key || H(keyH(key || M))M)) –– AboutAbout asas fastfast asas keykey--prependprepend forfor aa MDMD hashhash ReliesRelies onlyonly onon PRFPRF qualityquality ofof hashhash –– MMH(key|MH(key|M)) lookslooks randomrandom whenwhen keykey isis secretsecret AuthenticationAuthentication withwith HMACHMAC [Bellare-Canetti-Krawczyk 1996]1996 SimpleSimple keykey--prependprepend/append/append havehave problemsproblems whenwhen usedused withwith aa MerkleMerkle--DamgDamgåårdrd hashhash –– tag=tag=H(H(keykeyAs|| M)M)a result, subjectsubject barely toto extensionextension attacksattacks –– tag=H(Mtag=H(Maffected || keykey)) reliesrelies by collisiononon collisioncollision resistanceresistance HMAC:HMAC: attacksComputeCompute on tagtag MD5/SHA1 == H(keyH(key || H(keyH(key || M))M)) –– AboutAbout asas fastfast asas keykey--prependprepend forfor aa MDMD hashhash ReliesRelies onlyonly onon PRFPRF propertyproperty ofof hashhash –– MMH(key|MH(key|M)) lookslooks randomrandom whenwhen keykey isis secretsecret CarterCarter--WegmanWegman authenticationauthentication [Wegman-Carter 1981,…]…
CompressCompress messagemessage withwith hash,hash, t=H(t=H(keykey1,M),M)
HideHide tt usingusing aa PRF,PRF, tagtag == ttPRF(PRF(keykey2,nonce),nonce) –– PRFPRF cancan bebe AES,AES, HMAC,HMAC, RC4,RC4, etc.etc. –– OnlyOnly appliedapplied toto aa shortshort nonce,nonce, typicallytypically notnot aa performanceperformance bottleneckbottleneck SecureSecure ifif thethe PRFPRF isis good,good, HH isis ““universaluniversal”” ’ ’ –– ForFor MMMM ,,∆∆,, PrPrkey[[ H(H(keykey,M),M)H(H(keykey,M,M )=)=∆∆ ]<]<εε)) –– NotNot cryptographic,cryptographic, cancan bebe veryvery fastfast FastFast UniversalUniversal HashingHashing ““UniversalityUniversality”” isis combinatorial,combinatorial, provableprovable nono needneed forfor ““securitysecurity marginsmargins”” inin designdesign ManyMany worksworks onon fastfast implementationsimplementations
FromFrom innerinner--product,product, HHk1,k2(M(M1,M,M2)=()=(KK1+M+M1))··((KK2+M+M2)) [H-Krawczyk’97, Black et al.’99, …] i FromFrom polynomialpolynomial evaluationevaluation HHk(M(M1,,……,M,ML)=)=ΣΣi MMi kk [Krawczyk’94, Shoup’96, Bernstein’05, McGrew- Viega’06,…] AsAs fastfast asas 22--33 cyclecycle--perper--bytebyte (for(for longlong MM’’s)s) –– SoftwareSoftware implementation,implementation, contemporarycontemporary CPUsCPUs PartPart III:III: DesigningDesigning aa hashhash functionfunction
Fugue:Fugue: IBMIBM’’ss candidatecandidate forfor thethe NISTNIST hashhash competitioncompetition DesignDesign aa compressioncompression function?function? … PROsPROs:: modularmodular design,design, reducereduce toto thethe ““simplersimpler problemproblem”” ofof compressingcompressing fixedfixed--lengthlength stringsstrings –– ManyMany thingsthings areare knownknown aboutabout transformingtransforming compressioncompression intointo hashhash CONsCONs:: compressioncompressionhashhash hashas itsits problemsproblems –– ItIt’’ss notnot freefree (e.g.(e.g. messagemessage encoding)encoding) –– SomeSome attacksattacks basedbased onon thethe MDMD structurestructure Extension attacks ( rely on H(x|y)=h(H(x),y) ) “Birthday attacks” (herding, multicollisions, …) ExampleExample attack:attack: herdingherding [Kelsey-Kohno 2006]
M1,1 Find many off-line collisions M Find many off-line collisions 2,1 d1,1 M n/3 1,2 d –– ““TreeTree structurestructure”” withwith ~2~2 ddi,j’’ss 2,1 d 2n/3 1,2 –– TakesTakes ~~ 22 timetime M1,3 d d M PublishPublish finalfinal dd 1,3 2,2 M1,4 d 2,2 d ThenThen forfor anyany prefixprefix PP 1,4 –– FindFind ““linkinglinking blockblock”” LL s.ts.t.. H(P|L)H(P|L) inin thethe treetree –– TakesTakes ~~ 222n/3 timetime –– ReadRead offoff thethe treetree thethe suffixsuffix SS toto getget toto dd ShowShow anan extensionextension ofof PP s.ts.t.. H(P|L|S)H(P|L|S) == dd TheThe culprit:culprit: smallsmall intermediateintermediate statestate
WithWith aa compressioncompression function,function, we:we: –– WorkWork hardhard onon currentcurrent messagemessage blockblock –– ThrowThrow awayaway thisthis work,work, keepkeep onlyonly nn--bitbit statestate Alternative:Alternative: keepkeep aa largelarge statestate –– WorkWork hardhard onon currentcurrent messagemessage block/wordblock/word –– UpdateUpdate somesome partpart ofof thethe bigbig statestate MoreMore flexibleflexible approachapproach –– AlsoAlso moremore opportunitiesopportunities toto messmess thingsthings upup TheThe hashhash functionfunction GrindahlGrindahl [Knudsen-Rechberger-Thomsen 2007]2007
StateState isis 1313 wordswords == 5252 bytesbytes ProcessProcess oneone 44--bytebyte wordword atat aa timetime –– OneOne AESAES--likelike mixingmixing stepstep perper wordword ofof inputinput AfterAfter somesome finalfinal processing,processing, outputoutput 88 wordswords CollisionCollision attackattack byby PeyrinPeyrin (2007)(2007) –– ComplexityComplexity ~~ 22112 (still(still betterbetter thanthan brutebrute--force)force) Recently improved to ~ 2100 [Khovratovich 2009] –– ““StartStart fromfrom aa collisioncollision andand gogo backwardsbackwards”” TheThe hashhash functionfunction ““FugueFugue”” [H-Hall-Jutla 2008] ProofProof--drivendriven designdesign –– DesignedDesigned toto enableenable analysisanalysis ProofsProofs thatthat PeyrinPeyrin--stylestyle attacksattacks dodo notnot workwork StateState ofof 3030 44--bytebyte wordswords == 120120 bytesbytes TwoTwo ““supersuper--mixingmixing”” roundsrounds perper wordword ofof inputinput –– EachEach appliedapplied toto onlyonly 1616 bytesbytes ofof thethe statestate –– WithWith somesome extraextra linearlinear diffusiondiffusion SuperSuper--mixingmixing isis AESAES--likelike –– ButBut usesuses strongerstronger MDSMDS codescodes FugueFugue--256256
Initial State (30 words)
Process M1
New State
Iterate Mi State
Final Processing
Output 8 words = 256 bits CollisionCollision attacksattacks
Think of M , …,M Initial State (30 words) 1 L and M’1,…,M’L Process ∆M 1 Collision means that
New State ∆Mi’s are not all zero Iterate ∆Mi ∆ State = 0? ∆ State = 0 Internal collision ∆ State 0 Final Processing External collision
∆ = 0 ProcessingProcessing oneone inputinput wordword Initial State (30 words)
1. Input one word Process M1 2. Shift 3 columns to right M 1New State 3. XOR into columns 1-3 Process 4. “super-mix” operation SMIX on columns 1-4 Repeat 2-4 once more This is where Iterate the crypto happens State
Final Stage SMIXSMIX inin FugueFugue SimilarSimilar toto oneone AESAES roundround –– WorksWorks onon aa 4x44x4 matrixmatrix ofof bytesbytes –– StartsStarts withwith SS--boxbox substitutionsubstitution Byte b, S[256] = {...}; ... b = S[b]; –– DoesDoes linearlinear mixingmixing StrongerStronger mixingmixing thanthan AESAES –– DiagonalDiagonal bytesbytes asas inin AESAES –– OtherOther bytesbytes areare mixedmixed intointo bothboth columncolumn andand rowrow SMIXSMIX inin FugueFugue
InIn algebraicalgebraic notation:notation: b S b '1 [ 1] b S b '2 × [ 2] = M16x16 b S b '16 [ 16] MM generatesgenerates aa goodgood linearlinear codecode
–– IfIf allall thethe bbi’’ bytesbytes butbut 44 areare zerozero thenthen ≥≥ 1313 ofof thethe S[bS[bi]] bytesbytes mustmust bebe nonzerononzero –– AndAnd otherother suchsuch propertiesproperties AnalyzingAnalyzing internalinternal collisions*collisions*
now ∆28-10 3 columns
still ∆1-40
before SMIX: ∆1-40 ≤4SMIX nonzero byte diffs
before input word: ∆10 ∆ After last input word: ∆State=0
* a bit oversimplified AnalyzingAnalyzing internalinternal collisions*collisions*
∆25-10 3 columns
∆28-40
∆28-40 ≤4SMIX nonzero byte diffs
now ∆28-10 3 columns
still ∆1-40
before SMIX: ∆1-40 SMIX
before input word: ∆10 ∆ after input word: ∆State=0
* a bit oversimplified AnalyzingAnalyzing internalinternal collisions*collisions*
before input: ∆1=?, ∆25-300 ∆∆∆’
∆25-10 3 columns
∆28-40
∆28-40 SMIX
now ∆28-10 3 columns
still ∆1-40
before SMIX: ∆1-40 SMIX
before input word: ∆10 ∆ after input word: ∆State=0
* a bit oversimplified Many nonzero byte differences before the SMIX operations The analysis from previous slides was upto here
AnalyzingAnalyzing internalinternal collisionscollisions
WhatWhat doesdoes thisthis mean?mean? ConsiderConsider thisthis attack:attack:
–– AttackerAttacker feedsfeeds inin randomrandom MM1,M,M2,,…… andand MM’’1,M,M’’2,,……
–– UntilUntil StateStateL StateState’’L == somesome ““goodgood ∆∆””
–– ThenThen itit searchessearches forfor suffixedsuffixed (M(ML+1,,……,M,ML+4),), (M(M’’L+1,,……,M,M’’L+4)) thatthat willwill induceinduce internalinternal collisioncollision TheoremTheorem**:: ForFor anyany fixedfixed ∆∆,, Pr[Pr[ ∃∃ suffixessuffixes thatthat induceinduce collisioncollision ]] << 22-150
* Relies on a very mild independence assumptions AnalyzingAnalyzing internalinternal collisionscollisions
WhyWhy dodo wewe carecare aboutabout thisthis analysis?analysis? PeyrinPeyrin’’ss attacksattacks areare ofof thisthis typetype AllAll differentialdifferential attacksattacks cancan bebe seenseen asas (optimizations(optimizations of)of) thisthis attackattack –– EntitiesEntities thatthat areare notnot controlledcontrolled byby attackattack areare alwaysalways presumedpresumed randomrandom AA knownknown ““collisioncollision tracetrace”” isis asas closeclose asas wewe cancan getget toto understandingunderstanding collisioncollision resistanceresistance Fugue:Fugue: concludingconcluding remarksremarks
SimilarSimilar analysisanalysis alsoalso forfor externalexternal collisionscollisions –– ““UnusuallyUnusually thoroughthorough”” levellevel ofof analysisanalysis PerformancePerformance comparablecomparable toto SHASHA--256256 –– ButBut moremore amenableamenable toto parallelismparallelism OneOne ofof 1414 submissionssubmissions thatthat werewere selectedselected byby NISTNIST toto advanceadvance toto 22nd roundround ofof thethe SHA3SHA3 competitioncompetition MoralsMorals
HashHash functionsfunctions areare veryvery usefuluseful WeWe wantwant themthem toto behavebehave ““justjust likelike randomrandom functionsfunctions”” –– ButBut theythey dondon’’tt reallyreally ApplicationsApplications shouldshould bebe designeddesigned toto relyrely onon ““asas weakweak asas practicalpractical”” propertiesproperties ofof hashinghashing –– E.g.,E.g., TCR/TCR/eTCReTCR ratherrather thanthan collisioncollision--resistanceresistance AA tastetaste ofof howhow aa hashhash functionfunction isis builtbuilt ThankThank you!you!