DOCSLIB.ORG

On a Construction of Stream-Cipher-Based Hash Functions

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
On a Construction of Stream-Cipher-Based Hash Functions ON A CONSTRUCTION OF STREAM-CIPHER-BASED HASH FUNCTIONS Yuto Nakano, Jun Kurihara, Shinsaku Kiyomoto and Toshiaki Tanaka KDDI R&D Laboratories Inc., 2-1-15, Ohara, Fujimino, Saitama, Japan Keywords: Hash function, Stream cipher, Collision resistance, Second preimage resistance, Preimage resistance. Abstract: Hash functions using stream ciphers as components perform fast on a variety of platforms. However, the secu- rity and the design policy of stream-cipher-based hash functions (SCHs) have not yet been studied sufficiently. In this paper, we analyze its design criteria based on a ideal function of SCHs. First, we show that attacks against a stream cipher can also be threats against SCHs. Then we discuss the security on each phase of SCH; message injection, blank rounds, and hash generation with this function. Finally we derive the necessary conditions on the stream cipher function for an SCH to be secure. 1 INTRODUCTION ing stream cipher algorithms. The pre-computation function is used to absorb the message into the inter- Hash functions are used in many cryptographic ap- nal state of the stream cipher function. On the other plications, e.g., message authentication codes, dig- hand, a well developed evaluation design of the secu- ital signatures and authentication protocols. Stan- rity of SCHs is yet to be produced, and design princi- dard hash functions MD5 (Rivest, 1992) and SHA-1 ples of secure SCHs have not been established. (NIST, 1995) have been demonstrated that these func- In this paper, we define a stream cipher function tions are not collision resistant (Wang et al., 2005; that consists of three rounds; message injection, blank Wang and Yu, 2005). Many constructions for new rounds, and hash generation. With this function, we hash functions have been presented as alternatives to show that an attack on the keystream feedback mode these ordinary algorithms. Some hash functions such and an attack against a self-synchronizing stream ci- as Abacus (Sholer, 2008) and Boole (Rose, 2008) are pher can also be employed as an attack against SCHs. based on stream ciphers, and shows that they have Furthermore, we analyze the security of each phase good performance on a variety of platforms. A note- from an attack perspective. As a result of our work, worthy advantage of stream cipher-based hash func- following criteria can be formulated: tions is that the algorithm is used not only for gener- • The size of the internal state is larger than the size ating a hash value but also for encrypting/decrypting the of hash value. |S| > |H| is required for col- data as a stream cipher. We can reduce total costs of lision, second preimage, and preimage resistance, implementations for a hash function and a symmetric- where |S| is the size of the internal state and |H| is key encryption algorithm with a stream-cipher-based the length of the hash value. hash function. Thus, it is a reasonable solution for • The message injection has to be collision resis- resource constraint devices. tant. The computational cost of the collision at- The general construction of stream-cipher-based tack against message injection has to be equal to hash functions (SCHs) was first introduced by Goli´c or more than 2|H|/2, and an adversary is not able (Goli´c, 2001) as a mode of operation of stream ci- to control the internal state of the stream cipher phers. An SCH consists of a stream cipher function function. and an additional function that inputs a message into • Blank rounds are preimage resistant. That is, de- the internal state of the stream cipher function. There- riving the internal state after message injection by fore, a modelof an SCH consists of a pre-computation going blank rounds backwardlyrequires 2|H| com- function and a stream cipher function. The stream ci- putational cost. Furthermore, the transition of the pher function is a core component of SCHs and an internal state is cyclic and its period is more than appropriate algorithm is selected from among exist- or equal to 2|H|. 334 Nakano Y., Kurihara J., Kiyomoto S. and Tanaka T. (2010). ON A CONSTRUCTION OF STREAM-CIPHER-BASED HASH FUNCTIONS. In Proceedings of the International Conference on Security and Cryptography, pages 334-343 DOI: 10.5220/0002939703340343 Copyright c SciTePress ON A CONSTRUCTION OF STREAM-CIPHER-BASED HASH FUNCTIONS • The hash value has to be affected by the whole Collision Resistance. Finding M and M′ such that internal state. Suppose that the internal state size h(M)= h(M′) and M 6= M′ requires 2|H|/2 hash oper- is |S| and the hash size is |H|, the hash value bit ations. hasto bedecidedby at least an |S|/|H|-bit internal state. Second Pre-image Resistance. Finding M for • Suppose that an x-bit internal state can be con- given M′ such that h(M)= h(M′) and M 6= M′ re- trolled by an x-bit message and this operation does quires 2|H| hash operations. not affect other bits, then the whole internal state can be controlled with an |S|/x-bit message. Here we assume that one bit message is xored with n Pre-image Resistance. Finding M from h(M) re- |H| bits of the internal state at equal intervals. Then quires 2 hash operations. the adversary can control up to an |S|/n-bit in- ternal state. Hence the condition s(n − 1) ≥ nh Length-extension Security. This requirement has is required for a message injection to be collision been proposed in NIST SHA-3 competition. Given resistant. h(M), the complexity of finding (z,x) such that x = h(M||z) should be greater than or equal to either the complexity of guessing M itself or 2|H|. 2 PRELIMINARIES 2.3 Related Work We provide definitions and summarizes related works in this section. Here we introduce important research related to the construction of SCHs. 2.1 Definitions 2.3.1 Self-synchronizing Stream Cipher Throughoutthe paper, we use the following notations. A self-synchronizing stream cipher (SSSC) is one • M: input message in which the keystream is generated from the secret • mt : input message to the stream cipher function at key and a fixed number of previous ciphertext bits time t (Menezes et al., 1996). • St : internal state of the stream cipher function at Let pt , ct , and zt be a plaintext bit, a ciphertext time t bit, and a keystream bit at time t, respectively. The • ot : output of the stream cipher function at time t keystream at time t depends on the secret key K and • |x|: bit length of x (x can be M,S,H) previous nme ciphertext bits ct−nme ,...,ct−1, where • ⊕: bitwise exclusive-or nme is called input memory. The keystream bit is de- ′ • Smsg, Smsg: internal state of stream cipher function scribed by after message M or M′ are injected, respectively ′ zt = fc(ct−nme ,ct−(nme−1),...,ct−1,K), (1) • Sblk, Sblk: internal state of stream cipher function ′ where f is the function defined by the stream cipher. after blank rounds derived from Smsg or Smsg, re- c spectively When the ciphertext is decrypted, the keystream is • ∆msg: internal state difference after message injec- generated in the same manner as encryption. For the ∆ ′ first keystream bit, the previous n ciphertext bits do tion msg = Smsg − Smsg me • ∆blk: internal state difference after blank rounds not exist. Therefore, nme-bit Initial Vector(IV) has to ∆ ′ be defined as IV = c ,c ,...,c . blk = Sblk − Sblk nme (nme−1) 0 2.2 Security Definitions for Hash 2.3.2 Keystream Feedback Mode Functions Keystream feedback mode is employed in the initial- ization of many stream ciphers such as SNOW (Ek- Security requirements for hash functions are colli- dahl and Johansson, 2002). In the initialization of sion resistance, second pre-image resistance, and pre- stream ciphers, an initial key and an IV are loaded image resistance (Menezes et al., 1996). Let M and into the internal state of the stream cipher. After load- M′ be messages, |H| be hash length, h be a hash func- ing the key and the IV, the stream cipher is clocked tion, and the symbol || be concatenation of data. a specified number of times. In the initialization pro- cess, keystream bits are fed back to the internal state to enable the further diffusion of the key and the IV. 335 SECRYPT 2010 - International Conference on Security and Cryptography ¤ £ ¥ %%% ¥ ¨ © ¨ © § § ¥ "# ¥ ¨ © ¤ § £ ¥ ¨ ¥ ¨ © ¨ © ¨ § § ¥ ¥ £ ¦ ¡ ¢ ¤ £ ¥ " $ ¥ £ ¨ © ¨ © § § ¥ £ ¨ ¥ ¨ © ¤ £ ¥ ¦ § ¥ ¨ © ¨ © § § ¥ ! § Figure 1: Schematic of Abacus. Figure 2: Schematic of Boole. ´ 2.3.3 Golic’s Construction and a byte message are Exclusive-ORed(XORed) and the results go through S-Boxes. In the next step, four Goli´c (Goli´c, 2001) showed how to convert a counters are combined with registers. Then, the maxi- keystream generator into a stream cipher with mem- mum distance separable (MDS) matrix function is ap- ory (SCM) mode and how to built hash functions with plied and four bytes are output. Four bytes of registers SCM mode. When a feedback shift register (FSR) go through the S-Boxes again. based keystream generator is used, SCM mode is eas- ily converted by adding the plaintext bit to the feed- ATTACKS ON ABACUS. Two second pre-image at- back bit of the FSR. The following is the scheme of tacks against Abacus were proposed by Nikoli´cet Goli´c’s construction. al. (Nikoli´cand Khovratovich, 2008) and Wilson (Wilson, 2008) independently. In the paper (Wilson, 1. Generate a keystream by feeding back a message into the keystream generator and encrypting the 2008), Wilson also showed a collision attack. message. In the absorb phase of Abacus, message bytes are XORed with the register rd[0].
Load more

Recommended publications
  • Cryptographic Hash Functions and Message Authentication Code
    Cryptographic Hash Functions and Message Authentication Code Thierry Sans Cryptographic hashing H m1 m2 x1 m3 x2 H(m) = x is a hash function if • H is one-way function • m is a message of any length • x is a message digest of a fixed length ➡ H is a lossy compression function necessarily there exists x, m1 and m2 | H(m1) = H(m2) = x Computational complexity m H x • Given H and m, computing x is easy (polynomial or linear) • Given H and x, computing m is hard (exponential) ➡ H is not invertible Preimage resistance and collision resistance m H x PR - Preimage Resistance (a.k.a One Way) ➡ given H and x, hard to find m e.g. password storage 2PR - Second Preimage Resistance (a.k.a Weak Collision Resistance) ➡ given H, m and x, hard to find m’ such that H(m) = H(m’) = x e.g. virus identification CR - Collision Resistance (a.k.a Strong Collision Resistance) ➡ given H, hard to find m and m’ such that H(m) = H(m’) = x e.g. digital signatures CR → 2PR and CR → PR Hash functions in practice IV n’ bits n bits n’ bits Common hash functions m H x Name SHA-2 SHA-3 MD5 SHA-1 Variant SHA-224 SHA-256 SHA-384 SHA-512 SHA3-224 SHA3-256 SHA3-384 SHA3-512 Year 1992 1993 2001 2012 Guido Bertoni, Joan Daemen, Michaël Designer Rivest NSA NSA Peeters, and Gilles Van Assche Input 512 512 512 512 1024 1024 1152 1088 832 576 n bits Output 128 160 224 256 384 512 224 256 384 512 n’ bits Speed 6.8 11.4 15.8 17.7 12.5 cycle/byte Considered Broken yes yes no no How to hash long messages ? Merkle–Damgård construction m split m in blocks of n bits and add padding p n bits m1
    [Show full text]
  • Grostl-Comment-April28.Pdf
    Some notes on Grøstl John Kelsey, NIST, April 2009 These are some quick notes on some properties and observations of Grøstl. Nothing in this note threatens the hash function; instead, I'm pointing out some properties that are a bit surprising, and some broad approaches someone might take to get attacks to work. I've discussed these with the Grøstl team, and gotten quite a bit of useful feedback. I'm pretty sure they agree that my observations are correct, but obviously, any errors here are mine alone. 1 Grøstl Compression Function The Grøstl compression function is built from two different fixed permutations, P and Q, on 2n bits, where n is the final hash output size. The design is quite interesting; among other things, this (like LANE and Luffa, among others) takes away the key schedule as a way of affecting things inside P and Q. Here is a picture of the Grøstl compression function: M Q v u w Y + P + Z In this diagram, I've labeled the input hash chaining value Y, the output Z, and the message M. Similarly, I have introduced variables for the internal values inside the compression function--u, v, and w. I'll use this notation a lot in the next few pages to simplify discussion. To write this in terms of equations: u = Y xor M v = Q(M) w = P(u) Z = v xor w xor Y or, in a shorter form: Z = Q(M) xor P(Y xor M) xor Y It's important to remember here that all variables are 2n bits, so for a 256-bit hash, they're 512 bits each.
    [Show full text]
  • Methods and Tools for Analysis of Symmetric Cryptographic Primitives
    METHODSANDTOOLS FOR ANALYSIS OF SYMMETRICCRYPTOGRAPHIC PRIMITIVES Oleksandr Kazymyrov dissertation for the degree of philosophiae doctor the selmer center department of informatics university of bergen norway DECEMBER 1, 2014 A CKNOWLEDGMENTS It is impossible to thank all those who have, directly or indirectly, helped me with this thesis, giving of their time and experience. I wish to use this opportunity to thank some of them. Foremost, I would like to express my very great appreciation to my main supervisor Tor Helleseth, who has shared his extensive knowledge and expe- rience, and made warm conditions for the comfortable research in one of the rainiest cities in the world. I owe a great deal to Lilya Budaghyan, who was always ready to offer assistance and suggestions during my research. Advice given by Alexander Kholosha has been a great help in the early stages of my work on the thesis. My grateful thanks are also extended to all my friends and colleagues at the Selmer Center for creating such a pleasant environment to work in. I am particularly grateful to Kjell Jørgen Hole, Matthew G. Parker and Håvard Raddum for the shared teaching experience they provided. Moreover, I am very grateful for the comments and propositions given by everyone who proofread my thesis. In addition, I would like to thank the administrative staff at the Department of Informatics for their immediate and exhaustive solutions of practical issues. I wish to acknowledge the staff at the Department of Information Tech- nologies Security, Kharkiv National University of Radioelectronics, Ukraine, especially Roman Oliynykov, Ivan Gorbenko, Viktor Dolgov and Oleksandr Kuznetsov for their patient guidance, enthusiastic encouragement and useful critiques.
    [Show full text]
  • Modes of Operation for Compressed Sensing Based Encryption
    Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc
    [Show full text]
  • Broad View of Cryptographic Hash Functions
    IJCSI International Journal of Computer Science Issues, Vol. 10, Issue 4, No 1, July 2013 ISSN (Print): 1694-0814 | ISSN (Online): 1694-0784 www.IJCSI.org 239 Broad View of Cryptographic Hash Functions 1 2 Mohammad A. AlAhmad , Imad Fakhri Alshaikhli 1 Department of Computer Science, International Islamic University of Malaysia, 53100 Jalan Gombak Kuala Lumpur, Malaysia, 2 Department of Computer Science, International Islamic University of Malaysia, 53100 Jalan Gombak Kuala Lumpur, Malaysia Abstract Cryptographic hash function is a function that takes an arbitrary length as an input and produces a fixed size of an output. The viability of using cryptographic hash function is to verify data integrity and sender identity or source of information. This paper provides a detailed overview of cryptographic hash functions. It includes the properties, classification, constructions, attacks, applications and an overview of a selected dedicated cryptographic hash functions. Keywords-cryptographic hash function, construction, attack, classification, SHA-1, SHA-2, SHA-3. Figure 1. Classification of cryptographic hash function 1. INTRODUCTION CRHF usually deals with longer length hash values. An A cryptographic hash function H is an algorithm that takes an unkeyed hash function is a function for a fixed positive integer n * arbitrary length of message as an input {0, 1} and produce a which has, as a minimum, the following two properties: n fixed length of an output called message digest {0, 1} 1) Compression: h maps an input x of arbitrary finite bit (sometimes called an imprint, digital fingerprint, hash code, hash length, to an output h(x) of fixed bit length n.
    [Show full text]
  • HCAHF: a New Family of CA-Based Hash Functions
    (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 10, No. 12, 2019 HCAHF: A New Family of CA-based Hash Functions Anas Sadak1, Fatima Ezzahra Ziani2, Bouchra Echandouri3, Charifa Hanin4, Fouzia Omary5 Faculty of Science, Mohammed V University Rabat, Morocco Abstract—Cryptographic hash functions (CHF) represent a The article is organized as follows: in Section 2, a core cryptographic primitive. They have application in digital background on cellular automata and hash functions is signature and message authentication protocols. Their main included. In Section 3, some related works are presented. building block are Boolean functions. Those functions provide Section 4 details the hashing scheme proposed. In Section 5, pseudo-randomness and sensitivity to the input. They also help the result of the different statistical tests and the cryptographic prevent and lower the risk of attacks targeted at CHF. Cellular properties of cellular automata are provided. Next, in Section 6 automata (CA) are a class of Boolean functions that exhibit good a security analysis is performed. Finally, Section 7 summarizes cryptographic properties and display a chaotic behavior. In this the article. article, a new hash function based on CA is proposed. A description of the algorithm and the security measures to II. BACKGROUND increase the robustness of the construction are presented. A security analysis against generic and dedicated attacks is A. Cryptographic Hash Functions (CHF) included. It shows that the hashing algorithm has good security Cryptographic hash functions with good security properties features and meet the security requirements of a good hashing represent a significant part of cryptography. They are the basis scheme.
    [Show full text]
  • ΥΣ13 - Computer Security
    ΥΣ13 - Computer Security Hashing Κώστας Χατζηκοκολάκης 1 • Solution : hash function - h(x): f0; 1g∗ ! f0; 1gn - h(x) is the hash/digest of x Context • Goal - Represent large/sensitive message by a smaller one - Numerous applications 2 Context • Goal - Represent large/sensitive message by a smaller one - Numerous applications • Solution : hash function - h(x): f0; 1g∗ ! f0; 1gn - h(x) is the hash/digest of x 2 - h(x) ! x : hard · Even to find a single bit of x ! • No collisions - Do x =6 x0 exist such that h(x) = h(x0)? YES - But the should be hard to find! Properties • One-way - x ! h(x) : easy 3 YES - But the should be hard to find! Properties • One-way - x ! h(x) : easy - h(x) ! x : hard · Even to find a single bit of x ! • No collisions - Do x =6 x0 exist such that h(x) = h(x0)? 3 Properties • One-way - x ! h(x) : easy - h(x) ! x : hard · Even to find a single bit of x ! • No collisions - Do x =6 x0 exist such that h(x) = h(x0)? YES - But the should be hard to find! 3 • Just 23! − • − 364 · 363 · · 365 22 ≈ pb = 1 365 365 ::: 365 0:507 • Approximation - e−x ≈ 1 − x (x ≈ 0) − m2 - pb ≈ 1 − e 2·365 Collision-resistance Birthday paradox • How many people do we need so that any 2 have the same birthday with pb 50%? 4 • Approximation - e−x ≈ 1 − x (x ≈ 0) − m2 - pb ≈ 1 − e 2·365 Collision-resistance Birthday paradox • How many people do we need so that any 2 have the same birthday with pb 50%? • Just 23! − • − 364 · 363 · · 365 22 ≈ pb = 1 365 365 ::: 365 0:507 4 Collision-resistance Birthday paradox • How many people do we need so that
    [Show full text]
  • Lab 1: Classical Cryptanalysis and Attacking Cryptographic Hashes
    CS 588 Released January 24, 2016. Last updated January 24, 2017. Network Security Lab 1: Classical Cryptanalysis and Attacking Cryptographic Hashes Lab 1: Classical Cryptanalysis and Attacking Cryptographic Hashes This lab is due on February 7, 2016 at 11:59PM, following the submission checklist below. Late submissions will be penalized according to course policy. Your writeup MUST include the following information: 1. List of collaborators (on all parts of the project, not just the writeup) 2. List of references used (online material, course nodes, textbooks, wikipedia,...) 3. Number of late days used on this assignment 4. Total number of late days used thus far in the entire semester If any of this information is missing, at least 20% of the points for the assignment will automatically be deducted from your assignment. See also discussion on plagiarism and the collaboration policy on the course syllabus. While we provide you with the tools to run this lab at any platform (Windows, Linux and Mac OS), I strongly recommend working at a Linux or Mac OS machine as it will make things considerably easier for you. The instructions given for the rest of the description of the lab are therefore explicitly for this case (unless otherwise noted). Administration: This lab will be administered by Sophia Yakoubov. Introduction In Section1 of this lab, you will break two classical ciphers: the substitution cipher and the Vigenere cipher. In the rest of the lab, you will investigate vulnerabilities in widely used cryptographic hash functions, including length-extension attacks and collision vulnerabilities. In Section2, we will guide you through attacking the authentication capability of an imaginary server API.
    [Show full text]
  • Hash Function Design Overview of the Basic Components in SHA-3 Competition
    Hash Function Design Overview of the basic components in SHA-3 competition Daniel Joščák [email protected] S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract In this article we bring an overview of basic building blocks used in the design of new hash functions submitted to the SHA-3 competition. We briefly present the current widely used hash functions MD5, SHA-1, SHA-2 and RIPEMD-160. At the end we consider several properties of the candidates and give an example of candidates that are in SHA-3 competition. Keywords: SHA-3 competition, hash functions. 1 Introduction In 2004 a group of researchers led by Xiaoyun Wang (Shandong University, China) presented real collisions in MD5 and other hash functions at the rump session of Crypto conference and they explained the method in [10]. In 2006 the same group presented a collision attack on SHA–1 in [8] and since then a lot of progress in collision finding algorithms has been made. Although there is no specific reason to believe that a practical attack on any of the SHA–2 family of hash functions is imminent, a successful collision attack on an algorithm in the SHA–2 family could have catastrophic effects for digital signatures. In reaction to this situation the National Institute of Standards and Technology (NIST) created a public competition for a new hash algorithm standard SHA–3 [1]. Except for the obvious requirements of the hash function (i.e. collision resistance, first and second preimage resistance, …) NIST expects SHA–3 to have a security strength that is at least as good as the hash algorithms in the SHA–2 family, and that this security strength will be achieved with significantly improved efficiency.
    [Show full text]
  • Attacks on Cryptographic Hash Functions and Advances Arvind K
    INTERNATIONAL JOURNAL OF INFORMATION AND COMPUTING SCIENCE ISSN NO: 0972-1347 Attacks on Cryptographic Hash Functions and Advances Arvind K. Sharma1, Dr.S.K. Mittal2, Dr.Sumit Mittal3 1,3 Department of Computer Applications (MMICT&BM) Maharishi Markandeshwar University, Mullana, Ambala (Haryana), India University School of Engineering & Technology2 Rayat Bahra University, Sahibzada Ajit Singh Nagar (Punjab), India Email: [email protected], [email protected], [email protected] Abstract: −− Cryptographic Hash Functions have a distinct importance in the area of Network Security or Internet Security as compare to Symmetric and Public Key Encryption-Decryption techniques. Major issues primarily which resolved by any hash algorithm, are to manage the Integrity and Authenticity of messages which are to be transmitting between communicating parties and users with digital signatures. Hash function also utilized for fixed length secrect key generation in Symmetric and Public Key Cryptosystems. Different level of security provided by different algorithms depending on how difficult is to break them. The most well-known hash algorithms are MD4, MD5, SHA, JH, Skein, Grøstl, Blake, Hamsi, Fugue, Crush, Whirlpool, Tav etc. In this paper we are discussing importance of hash functions, hash functions widely used in networking, most importantly various Attacks applicable on hash functions and compression functions utilized by hash functions. Keywords: Algorithms; Compression Function, Cipher; Stream; Block; Confidentiality; Integity; Authentication; Server; Message-Digest, Message-Block, Non-repudation;Differential; Communication between at-least two parties using a network may uses Encryption-Decryption 1. Introduction techniques to maintain privacy. And for Security and Privacy in interconnected authentication purpose apart from Encryption- domain means to preserve the Confidentiality, Decryption techniques Hash Functions most Integrity and Authenticity of messages as well as widely used.
    [Show full text]
  • Hash Functions and Gröbner Bases Cryptanalysis
    Rune Steinsmo Ødegård Hash Functions and Gröbner Bases Cryptanalysis Thesis for the degree of Philosophiae Doctor Trondheim, April 2012 Norwegian University of Science and Technology Faculty of Information Technology, Mathematics and Electrical Engineering Department of Telematics NTNU Norwegian University of Science and Technology Thesis for the degree of Philosophiae Doctor Faculty of Information Technology, Mathematics and Electrical Engineering Department of Telematics © Rune Steinsmo Ødegård ISBN 978-82-471-3501-3 (printed ver.) ISBN 978-82-471-3502-0 (electronic ver.) ISSN 1503-8181 Doctoral theses at NTNU, 2012:111 Printed by NTNU-trykk Abstract Hash functions are being used as building blocks in such diverse primitives as commitment schemes, message authentication codes and digital signatures. These primitives have important applications by themselves, and they are also used in the construction of more complex protocols such as electronic voting systems, online auctions, public-key distribution, mutual authentication hand- shakes and more. Part of the work presented in this thesis has contributed to the \SHA-3 contest" for developing the new standard for hash functions orga- nized by the National Institute of Standards and Technology. We constructed the candidate Edon-R, which is a hash function based on quasigroup string transformation. Edon-R was designed to be much more efficient than SHA-2 cryptographic hash functions, while at the same time offering same or better security. Most notably Edon-R was the most efficient hash function submit- ted to the contest. Another contribution to the contest was our cryptanalysis of the second round SHA-3 candidate Hamsi. In our work we studied Hamsi's resistance to differential and higher-order differential cryptanalysis, with focus on the 256-bit version of Hamsi.
    [Show full text]
  • Bad Cryptography Bruce Barnett Who Am I?
    Bad Cryptography Bruce Barnett Who am I? • Security consultant @ NYSTEC • 22 years a research scientist @ GE’s R&D Center • 15 years software developer, system administrator @ GE and Schlumberger • I’m not a cryptographer • I attended a lot of talks at Blackhat/DEFCON • Then I took a course on cryptography……….. Who should attend this talk? • Project Managers • Computer programmers • Those that are currently using cryptography • Those that are thinking about using cryptography in systems and protocols • Security professionals • Penetration testers who don’t know how to test cryptographic systems and want to learn more • … and anybody who is confused by cryptography Something for everyone What this presentation is … • A gentle introduction to cryptography • An explanation why cryptography can’t be just “plugged in” • Several examples of how cryptography can be done incorrectly • A brief description of why certain choices are bad and how to exploit it. • A checklist of warning signs that indicate when “Bad Cryptography” is happening. Example of Bad Cryptography!!! Siren from snottyboy http://soundbible.com/1355-Warning-Siren.html What this talk is not about • No equations • No certificates • No protocols • No mention of SSL/TLS/HTTPS • No quantum cryptography • Nothing that can cause headaches • (Almost) no math used Math: Exclusive Or (XOR) ⊕ Your Cat Your Roommates' Will you have Cat kittens? No kittens No kittens Note that this operator can “go backwards” (invertible) What is encryption and decryption? Plain text Good Morning, Mr. Phelps
    [Show full text]