DOCSLIB.ORG

Cryptographic Hash Functions

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

CryptographicCryptographic HashHash FunctionsFunctions andand theirtheir manymany applicationsapplications ShaiShai HaleviHalevi –– IBMIBM ResearchResearch USENIX Security – August 2009 Thanks to Charanjit Jutla and Hugo Krawczyk WhatWhat areare hashhash functions?functions? JustJust aa methodmethod ofof compressingcompressing stringsstrings –– E.g.,E.g., HH :: {0,1}*{0,1}* {0,1}{0,1}160 –– InputInput isis calledcalled ““messagemessage””,, outputoutput isis ““digestdigest”” WhyWhy wouldwould youyou wantwant toto dodo this?this? –– Short,Short, fixedfixed--sizesize betterbetter thanthan long,long, variablevariable--sizesize True also for non-crypto hash functions –– DigestDigest cancan bebe addedadded forfor redundancyredundancy –– DigestDigest hideshides possiblepossible structurestructure inin messagemessage But not HowHow areare theythey built?built? always… TypicallyTypically usingusing MerkleMerkle--DamgDamgåårdrd iteration:iteration: 1.1. StartStart fromfrom aa ““compressioncompression functionfunction”” –– h:h: {0,1}{0,1}b+n{0,1}{0,1}n |M|=b=512 bits =160 bits 160 bits 2.2. IterateIterate itit M1 M2 ML-1 ML d d d IV=d0 d1 2 L-1 L … d=H(M) WhatWhat areare theythey goodgood for?for? “Modern, collision resistant hash functions were designed to create small, fixed size message digests so that a digest could act as a proxy for a possibly very large variable length message in a digital signature algorithm, such as RSA or DSA. These hash functions have since been widely used for many other “ancillary” applications, including hash-based message authentication codes, pseudo random number generators, and key derivation functions.” ““RequestRequest forfor CandidateCandidate AlgorithmAlgorithm NominationsNominations””,, ---- NIST,NIST, NovemberNovember 20072007 SomeSome examplesexamples Signatures:Signatures: sign(Msign(M)) == RSARSA-1(( H(M)H(M) )) MessageMessage--authentication:authentication: tag=tag=H(key,MH(key,M)) Commitment:Commitment: commit(Mcommit(M)) == H(M,H(M,……)) KeyKey derivation:derivation: AESAES--keykey == H(DHH(DH--value)value) RemovingRemoving interactioninteraction [Fiat-Shamir, 1987] A B –– TakeTake interactiveinteractive identificationidentification protocolprotocol smthng –– ReplaceReplace oneone sideside byby aa hashhash functionfunction challenge response Challenge = H(smthng, context) –– GetGet nonnon--interactiveinteractive signaturesignature schemescheme smthng, response PartPart I:I: RandomRandom functionsfunctions vs.vs. hashhash functionsfunctions RandomRandom functionsfunctions WhatWhat wewe reallyreally wantwant isis HH thatthat behavesbehaves ““justjust likelike aa randomrandom functionfunction””:: DigestDigest d=H(M)d=H(M) chosenchosen uniformlyuniformly forfor eacheach MM –– DigestDigest d=H(M)d=H(M) hashas nono correlationcorrelation withwith MM –– ForFor distinctdistinct MM1,M,M2,,……,, digestsdigests ddi==H(MH(Mi)) areare completelycompletely uncorrelateduncorrelated toto eacheach otherother –– CannotCannot findfind collisions,collisions, oror eveneven nearnear--collisionscollisions –– CannotCannot findfind MM toto ““hithit”” aa specificspecific dd –– CannotCannot findfind fixedfixed--pointspoints (d(d == H(dH(d)))) –– etc.etc. TheThe ““RandomRandom--OracleOracle paradigmparadigm”” [Bellare-Rogaway, 1993] 1.1. PretendPretend hashhash functionfunction isis reallyreally thisthis goodgood 2.2. DesignDesign aa securesecure cryptosystemcryptosystem usingusing itit ProveProve securitysecurity relativerelative toto aa ““randomrandom oracleoracle”” TheThe ““RandomRandom--OracleOracle paradigmparadigm”” [Bellare-Rogaway, 1993] 1.1. PretendPretend hashhash functionfunction isis reallyreally thisthis goodgood 2.2. DesignDesign aa securesecure cryptosystemcryptosystem usingusing itit ProveProve securitysecurity relativerelative toto aa ““randomrandom oracleoracle”” 3.3. ReplaceReplace oracleoracle withwith aa hashhash functionfunction HopeHope thatthat itit remainsremains securesecure TheThe ““RandomRandom--OracleOracle paradigmparadigm”” [Bellare-Rogaway, 1993] 1.1. PretendPretend hashhash functionfunction isis reallyreally thisthis goodgood 2.2. DesignDesign aa securesecure cryptosystemcryptosystem usingusing itit ProveProve securitysecurity relativerelative toto aa ““randomrandom oracleoracle”” 3.3. ReplaceReplace oracleoracle withwith aa hashhash functionfunction HopeHope thatthat itit remainsremains securesecure VeryVery successfulsuccessful paradigm,paradigm, manymany schemesschemes –– E.g.,E.g., OAEPOAEP encryption,encryption, FDH,PSSFDH,PSS signaturessignatures Also all the examples from before… –– SchemesSchemes seemseem toto ““withstandwithstand testtest ofof timetime”” RandomRandom oracles:oracles: rationalerationale isis somesome cryptocrypto schemescheme (e.g.,(e.g., signatures),signatures), thatthat usesuses aa hashhash functionfunction HH provenproven securesecure whenwhen HH isis randomrandom functionfunction AnyAny attackattack onon realreal--worldworld mustmust useuse somesome ““nonrandomnonrandom propertyproperty”” ofof HH WeWe shouldshould havehave chosenchosen aa betterbetter HH –– withoutwithout thatthat ““nonrandomnonrandom propertyproperty”” Caveat:Caveat: howhow dodo wewe knowknow whatwhat ““nonrandomnonrandom propertiesproperties”” areare important?important? ThisThis rationalerationale isnisn’’tt soundsound [Canetti-Goldreich-H 1997] ExistExist signaturesignature schemesschemes thatthat are:are: 1.1. ProvablyProvably securesecure wrtwrt aa randomrandom functionfunction 2.2. EasilyEasily brokenbroken forfor EVERYEVERY hashhash functionfunction Idea:Idea: hashhash functionsfunctions areare computablecomputable –– ThisThis isis aa ““nonrandomnonrandom propertyproperty”” byby itselfitself ExhibitExhibit aa schemescheme whichwhich isis securesecure onlyonly forfor ““nonnon--computablecomputable HH’’ss”” –– SchemeScheme isis (very)(very) ““contrivedcontrived”” ContrivedContrived exampleexample StartStart fromfrom anyany securesecure signaturesignature schemescheme – Denote signature algorithm by SIG1H(key,msg) ChangeChange SIG1SIG1 toto SIG2SIG2 asas follows:follows: Some Technicalities SIG2H(key,msg): interprate msg as code Π – If Π(i)=H(i) for i=1,2,3,…,|msg|, then output key – Else output the same as SIG1H(key,msg) IfIf HH isis random,random, alwaysalways thethe ““ElseElse”” casecase IfIf HH isis aa hashhash function,function, attemptingattempting toto signsign thethe codecode ofof HH outputsoutputs thethe secretsecret keykey CautionaryCautionary notenote ROMROM proofsproofs maymay notnot meanmean whatwhat youyou thinkthink…… –– StillStill theythey givegive valuablevaluable assurance,assurance, rulerule outout ““almostalmost allall realisticrealistic attacksattacks”” WhatWhat ““nonrandomnonrandom propertiesproperties”” areare importantimportant forfor OAEPOAEP // FDHFDH // PSSPSS // ……?? HowHow wouldwould thesethese schemescheme bebe affectedaffected byby aa weaknessweakness inin thethe hashhash functionfunction inin use?use? ROMROM maymay leadlead toto carelesscareless implementationimplementation MerkleMerkle--DamgDamgåårdrd vs.vs. randomrandom functionsfunctions … Recall:Recall: wewe oftenoften constructconstruct ourour hashhash functionsfunctions fromfrom compressioncompression functionsfunctions –– EvenEven ifif compressioncompression isis random,random, hashhash isis notnot E.g., H(key|M) subject to extension attack – H(key | M|M’) = h( H(key|M), M’) –– MinorMinor changeschanges toto MDMD fixfix thisthis But they come with a price (e.g. prefix-free encoding) CompressionCompression alsoalso builtbuilt fromfrom lowlow--levellevel blocksblocks –– E.g.,E.g., DaviesDavies--MeyerMeyer construction,construction, h(c,Mh(c,M)=)=EEM(c)(c)cc –– ProvideProvide yetyet moremore structure,structure, cancan leadlead toto attacksattacks onon provableprovable ROMROM schemesschemes [H[H--KrawczykKrawczyk 2007]2007] PartPart II:II: UsingUsing hashhash functionsfunctions inin applicationsapplications UsingUsing ““imperfectimperfect”” hashhash functionsfunctions ApplicationsApplications shouldshould relyrely onlyonly onon ““specificspecific securitysecurity propertiesproperties”” ofof hashhash functionsfunctions –– TryTry toto makemake thesethese propertiesproperties asas ““standardstandard”” andand asas weakweak asas possiblepossible IncreasesIncreases thethe oddsodds ofof longlong--termterm securitysecurity –– WhenWhen weaknessesweaknesses areare foundfound inin hashhash function,function, applicationapplication moremore likelylikely toto survivesurvive –– E.g.,E.g., MD5MD5 isis badlybadly broken,broken, butbut HMACHMAC--MD5MD5 isis barelybarely scratchedscratched SecuritySecurity requirementsrequirements DeterministicDeterministic hashinghashing Stronger –– AttackerAttacker chooseschooses M,M, d=H(M)d=H(M) HashingHashing withwith aa randomrandom saltsalt –– AttackerAttacker chooseschooses M,M, thenthen goodgood guyguy chooseschooses publicpublic salt,salt, d=d=H(H(saltsalt,M,M)) HashingHashing randomrandom messagesmessages –– MM random,random, d=H(M)d=H(M) HashingHashing withwith aa secretsecret keykey –– AttackerAttacker chooseschooses M,M, d=d=H(H(keykey,M,M)) Weaker DeterministicDeterministic hashinghashing CollisionCollision ResistanceResistance –– AttackerAttacker cannotcannot findfind M,MM,M’’ suchsuch thatthat H(M)=H(MH(M)=H(M’’)) AlsoAlso manymany otherother propertiesproperties –– HardHard toto findfind fixedfixed--points,points, nearnear--collisions,collisions, MM s.ts.t.. H(M)H(M) hashas lowlow HammingHamming weight,weight,
Recommended publications
  • RESOURCE-EFFICIENT CRYPTOGRAPHY for UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective

    RESOURCE-EFFICIENT CRYPTOGRAPHY for UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective

    RESOURCE-EFFICIENT CRYPTOGRAPHY FOR UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective DISSERTATION for the degree of Doktor-Ingenieur of the Faculty of Electrical Engineering and Information Technology at the Ruhr University Bochum, Germany by Elif Bilge Kavun Bochum, December 2014 Copyright © 2014 by Elif Bilge Kavun. All rights reserved. Printed in Germany. Anneme ve babama... Elif Bilge Kavun Place of birth: Izmir,˙ Turkey Author’s contact information: [email protected] www.emsec.rub.de/chair/ staff/elif bilge kavun Thesis Advisor: Prof. Dr.-Ing. Christof Paar Ruhr-Universit¨atBochum, Germany Secondary Referee: Prof. Christian Rechberger Danmarks Tekniske Universitet, Denmark Thesis submitted: December 19, 2014 Thesis defense: February 6, 2015 v Abstract Technological advancements in the semiconductor industry over the last few decades made the mass production of very small-scale computing devices possible. Thanks to the compactness and mobility of these devices, they can be deployed “pervasively”, in other words, everywhere and anywhere – such as in smart homes, logistics, e-commerce, and medical technology. Em- bedding the small-scale devices into everyday objects pervasively also indicates the realization of the foreseen “ubiquitous computing” concept. However, ubiquitous computing and the mass deployment of the pervasive devices in turn brought some concerns – especially, security and privacy. Many people criticize the security and privacy management in the ubiquitous context. It is even believed that an inadequate level of security may be the greatest barrier to the long-term success of ubiquitous computing. For ubiquitous computing, the adversary model and the se- curity level is not the same as in traditional applications due to limited resources in pervasive devices – area, power, and energy are actually harsh constraints for such devices.
  • Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using Fpgas

    Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using Fpgas

    Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs Kris Gaj, Ekawat Homsirikamol, and Marcin Rogawski ECE Department, George Mason University, Fairfax, VA 22030, U.S.A. {kgaj,ehomsiri,mrogawsk}@gmu.edu http://cryptography.gmu.edu Abstract. Performance in hardware has been demonstrated to be an important factor in the evaluation of candidates for cryptographic stan- dards. Up to now, no consensus exists on how such an evaluation should be performed in order to make it fair, transparent, practical, and ac- ceptable for the majority of the cryptographic community. In this pa- per, we formulate a proposal for a fair and comprehensive evaluation methodology, and apply it to the comparison of hardware performance of 14 Round 2 SHA-3 candidates. The most important aspects of our methodology include the definition of clear performance metrics, the de- velopment of a uniform and practical interface, generation of multiple sets of results for several representative FPGA families from two major vendors, and the application of a simple procedure to convert multiple sets of results into a single ranking. Keywords: benchmarking, hash functions, SHA-3, FPGA. 1 Introduction and Motivation Starting from the Advanced Encryption Standard (AES) contest organized by NIST in 1997-2000 [1], open contests have become a method of choice for select- ing cryptographic standards in the U.S. and over the world. The AES contest in the U.S. was followed by the NESSIE competition in Europe [2], CRYPTREC in Japan, and eSTREAM in Europe [3]. Four typical criteria taken into account in the evaluation of candidates are: security, performance in software, performance in hardware, and flexibility.
  • Modern Password Security for System Designers What to Consider When Building a Password-Based Authentication System

    Modern Password Security for System Designers What to Consider When Building a Password-Based Authentication System

    Modern password security for system designers What to consider when building a password-based authentication system By Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects This whitepaper describes and models modern password guidance and recommendations for the designers and engineers who create secure online applications. A related whitepaper, Password security ​ for users, offers guidance for end users. This whitepaper covers the wide range of options to consider ​ when building a password-based authentication system. It also establishes a set of user-focused recommendations for password policies and storage, including the balance of password strength and usability. The technology world has been trying to improve on the password since the early days of computing. Shared-knowledge authentication is problematic because information can fall into the wrong hands or be forgotten. The problem is magnified by systems that don't support real-world secure use cases and by the frequent decision of users to take shortcuts. According to a 2019 Yubico/Ponemon study, 69 percent of respondents admit to sharing passwords with ​ ​ their colleagues to access accounts. More than half of respondents (51 percent) reuse an average of five passwords across their business and personal accounts. Furthermore, two-factor authentication is not widely used, even though it adds protection beyond a username and password. Of the respondents, 67 percent don’t use any form of two-factor authentication in their personal life, and 55 percent don’t use it at work. Password systems often allow, or even encourage, users to use insecure passwords. Systems that allow only single-factor credentials and that implement ineffective security policies add to the problem.
  • Sharing Resources Between AES and the SHA-3 Second Round

    Sharing Resources Between AES and the SHA-3 Second Round

    Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl Kimmo Järvinen Department of Information and Computer Science Aalto University, School of Science and Technology Espoo, Finland AES-inspired SHA-3 Candidates I Design strongly influenced by AES: Share the structure and have significant similarity in transformations, or even use AES as a subroutine I ECHO, Fugue, Grøstl, and SHAvite-3 I Benadjila et al. (ASIACRYPT 2009) studied useability of Intel’s AES instructions for AES-inspired candidates Conclusion: only ECHO and SHAvite-3, which use AES as a subroutine, benefit from the instructions I This is the first study of combining AES with the SHA-3 candidates on hardware (FPGA) The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Research Topics and Motivation Research Questions I What modifications are required to embed AES into the data path of the hash algorithm (or vice versa)? I How much resources can be shared (logic, registers, memory, . )? I What are the costs (area, delay, throughput, power consumption, . )? Applications I Any applications that require dedicated hardware implementations of a hash algorithm and a block cipher would benefit from reduced costs I Particularly important if resources are very limited The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Advanced Encryption Standard AES with a 128-bit key (AES-128) 8 I State: 4 × 4 bytes; each byte is an element of GF(2 ) I 10 rounds with four transformations Transformations I SubBytes: Bytes mapped
  • Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms

    Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms

    Implementation and Performance Analysis of PBKDF2, Bcrypt, Scrypt Algorithms Levent Ertaul, Manpreet Kaur, Venkata Arun Kumar R Gudise CSU East Bay, Hayward, CA, USA. [email protected], [email protected], [email protected] Abstract- With the increase in mobile wireless or data lookup. Whereas, Cryptographic hash functions are technologies, security breaches are also increasing. It has used for building blocks for HMACs which provides become critical to safeguard our sensitive information message authentication. They ensure integrity of the data from the wrongdoers. So, having strong password is that is transmitted. Collision free hash function is the one pivotal. As almost every website needs you to login and which can never have same hashes of different output. If a create a password, it’s tempting to use same password and b are inputs such that H (a) =H (b), and a ≠ b. for numerous websites like banks, shopping and social User chosen passwords shall not be used directly as networking websites. This way we are making our cryptographic keys as they have low entropy and information easily accessible to hackers. Hence, we need randomness properties [2].Password is the secret value from a strong application for password security and which the cryptographic key can be generated. Figure 1 management. In this paper, we are going to compare the shows the statics of increasing cybercrime every year. Hence performance of 3 key derivation algorithms, namely, there is a need for strong key generation algorithms which PBKDF2 (Password Based Key Derivation Function), can generate the keys which are nearly impossible for the Bcrypt and Scrypt.
  • Key Derivation Functions and Their GPU Implementation

    Key Derivation Functions and Their GPU Implementation

    MASARYK UNIVERSITY FACULTY}w¡¢£¤¥¦§¨ OF I !"#$%&'()+,-./012345<yA|NFORMATICS Key derivation functions and their GPU implementation BACHELOR’S THESIS Ondrej Mosnáˇcek Brno, Spring 2015 This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-nc-sa/4.0/ cbna ii Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Ondrej Mosnáˇcek Advisor: Ing. Milan Brož iii Acknowledgement I would like to thank my supervisor for his guidance and support, and also for his extensive contributions to the Cryptsetup open- source project. Next, I would like to thank my family for their support and pa- tience and also to my friends who were falling behind schedule just like me and thus helped me not to panic. Last but not least, access to computing and storage facilities owned by parties and projects contributing to the National Grid In- frastructure MetaCentrum, provided under the programme “Projects of Large Infrastructure for Research, Development, and Innovations” (LM2010005), is also greatly appreciated. v Abstract Key derivation functions are a key element of many cryptographic applications. Password-based key derivation functions are designed specifically to derive cryptographic keys from low-entropy sources (such as passwords or passphrases) and to counter brute-force and dictionary attacks. However, the most widely adopted standard for password-based key derivation, PBKDF2, as implemented in most applications, is highly susceptible to attacks using Graphics Process- ing Units (GPUs).
  • Hash Functions

    Hash Functions

    11 Hash Functions Suppose you share a huge le with a friend, but you are not sure whether you both have the same version of the le. You could send your version of the le to your friend and they could compare to their version. Is there any way to check that involves less communication than this? Let’s call your version of the le x (a string) and your friend’s version y. The goal is to determine whether x = y. A natural approach is to agree on some deterministic function H, compute H¹xº, and send it to your friend. Your friend can compute H¹yº and, since H is deterministic, compare the result to your H¹xº. In order for this method to be fool-proof, we need H to have the property that dierent inputs always map to dierent outputs — in other words, H must be injective (1-to-1). Unfortunately, if H is injective and H : f0; 1gin ! f0; 1gout is injective, then out > in. This means that sending H¹xº is no better/shorter than sending x itself! Let us call a pair ¹x;yº a collision in H if x , y and H¹xº = H¹yº. An injective function has no collisions. One common theme in cryptography is that you don’t always need something to be impossible; it’s often enough for that thing to be just highly unlikely. Instead of saying that H should have no collisions, what if we just say that collisions should be hard (for polynomial-time algorithms) to nd? An H with this property will probably be good enough for anything we care about.
  • Salting Vs Stretching Passwords for Enterprise Security

    Salting Vs Stretching Passwords for Enterprise Security

    Salting vs Stretching Passwords for Enterprise Security Password security is important. Salting and stretching a password are two ways to make passwords more secure from attackers. You can use the strategies separately or deploy them in tandem for the most security. This article covers the logic of password protection, including salting and stretching passwords. Database attacks Because passwords are a user’s key to their data, they are a key target for attackers. Popular methods of password attacks happen through brute force and rainbow attacks: Brute force attacks are a trial and error approach where a computer guesses until it gets it right. This may sound ineffective, but computers can try many, many times. In this era of computing, “Hashcat breaks an 8 character full coverage (a-zA-Z0-9!-=) password in 26 days on a single 1080 Nvidia GPU.” Rainbow attacks are another form of cracking passwords, where all possible combinations of hashed passwords are pre-computed and stored in a dictionary. Then, an attacker runs through their list of hashes to find a match. If their scan returns a match, then they have the password. Passwords help prevent attacks First things first: nothing online is perfectly secure. Not even computers not connected to the internet are perfectly secure. We use passwords to minimize risk of attack, not to guarantee it will never happen. Though you cannot guarantee security, there are some ways to increase database security. Salting and stretching passwords are two such strategies: 1. Salting passwords. Designing the password encryption so only one password is compromised rather than the whole database.
  • Rebound Attack

    Rebound Attack

    Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline 1 Motivation 2 Whirlpool Hash Function 3 Application of the Rebound Attack 4 Summary SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack Ebw Ein Efw inbound outbound outbound Applies to block cipher and permutation based
  • A Short Note on AES-Inspired Hashes

    A Short Note on AES-Inspired Hashes

    A Short Note on AES-Inspired Hashes Tor E. Bjørstad University of Bergen, Norway Email : [email protected] 1 Introduction This paper gives a rough classification of various AES-based hash algorithms that have been accepted for Round 1 of the NIST Hash Function Competition. We compare the different algorithms based on the number of \AES-like" rounds performed by a single invocation of the compression function, versus the size of the input block. This is not particularly rigorous or scientific way of comparing hash algorithms, but as we shall see it may still yield somewhat interesting results. With the exception of Sarmal and Whirlpool, all the listed algorithms use the AES S-box as their only source of nonlinearity. How they use it is a different matter. What all the algorithms do have in common, is that they use the 8 bit S-box together with a MDS matrix, in a construction where SubBytes() and MixColumns() are applied after one another on some internal data structure. The actual MDS matrices used are frequently different from the one in AES; for instance, Fugue uses a 16 × 16 matrix. For the sake of comparison, the number of of rounds has been normalised to correspond to those of AES-128. This is not entirely fair, but it would be hard to make any comparison between the internals of such wildly different hash algorithms without making some (over)simplifications. The reader is invited to take note of 3 main observations. First, there is a very wide spread between the number of \rounds" used by the different algorithms { but a strong tendency of clustering.
  • NISTIR 7620 Status Report on the First Round of the SHA-3

    NISTIR 7620 Status Report on the First Round of the SHA-3

    NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NISTIR 7620: Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
  • High-Speed Hardware Implementations of BLAKE, Blue

    High-Speed Hardware Implementations of BLAKE, Blue

    High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein Version 2.0, November 11, 2009 Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, J¨orn-Marc Schmidt, and Alexander Szekely Graz University of Technology, Institute for Applied Information Processing and Communications, Inffeldgasse 16a, A{8010 Graz, Austria {Stefan.Tillich,Martin.Feldhofer,Mario.Kirschbaum, Thomas.Plos,Joern-Marc.Schmidt,Alexander.Szekely}@iaik.tugraz.at Abstract. In this paper we describe our high-speed hardware imple- mentations of the 14 candidates of the second evaluation round of the SHA-3 hash function competition. We synthesized all implementations using a uniform tool chain, standard-cell library, target technology, and optimization heuristic. This work provides the fairest comparison of all second-round candidates to date. Keywords: SHA-3, round 2, hardware, ASIC, standard-cell implemen- tation, high speed, high throughput, BLAKE, Blue Midnight Wish, Cube- Hash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, Skein. 1 About Paper Version 2.0 This version of the paper contains improved performance results for Blue Mid- night Wish and SHAvite-3, which have been achieved with additional imple- mentation variants. Furthermore, we include the performance results of a simple SHA-256 implementation as a point of reference. As of now, the implementations of 13 of the candidates include eventual round-two tweaks. Our implementation of SIMD realizes the specification from round one. 2 Introduction Following the weakening of the widely-used SHA-1 hash algorithm and concerns over the similarly-structured algorithms of the SHA-2 family, the US NIST has initiated the SHA-3 contest in order to select a suitable drop-in replacement [27].