Provable Security of Cryptographic Hash Functions
Total Page:16
File Type:pdf, Size:1020Kb
ARENBERG DOCTORAL SCHOOL Faculty of Engineering Science Provable Security of Cryptographic Hash Functions Bart Mennink Jury: Dissertation presented in partial Prof. dr. ir. Pierre Verbaeten, chairman fulfillment of the requirements Prof. dr. ir. Bart Preneel, promotor for the degree of Doctor in Prof. dr. ir. Vincent Rijmen, promotor Engineering Prof. dr. Marc Fischlin (Darmstadt University of Technology, Germany) Prof. dr. ir. Frank Piessens Dr. ir. Martijn Stam (University of Bristol, UK) Prof. dr. ir. Joos Vandewalle May 2013 Provable Security of Cryptographic Hash Functions Bart Mennink Jury: Dissertation presented in partial Prof. dr. ir. Pierre Verbaeten, chairman fulfillment of the requirements Prof. dr. ir. Bart Preneel, promotor for the degree of Doctor in Prof. dr. ir. Vincent Rijmen, promotor Engineering Prof. dr. Marc Fischlin (Darmstadt University of Technology, Germany) Prof. dr. ir. Frank Piessens Dr. ir. Martijn Stam (University of Bristol, UK) Prof. dr. ir. Joos Vandewalle May 2013 \Alle grote ontdekkingen komen voort uit onzinnige intu¨ıties.” Harry Mulisch, De Procedure c Katholieke Universiteit Leuven { Faculty of Engineering Science Arenbergkasteel, B-3001 Heverlee (Belgium) Alle rechten voorbehouden. Niets uit deze uitgave mag worden vermenigvuldigd en/of openbaar gemaakt worden door middel van druk, fotocopie, microfilm, elektronisch of op welke andere wijze ook zonder voorafgaande schriftelijke toestemming van de uitgever. All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm or any other means without written permission from the publisher. D/2013/7515/46 ISBN 978-94-6018-660-8 Preface After months of thesis writing, it is time to start with the hardest but most important chapter of this thesis. I would like to take the opportunity to express my gratitude to all people that have played an important role in the conclusion of this thesis. At the very first place, I am utterly grateful to my promotors, prof. dr. ir. Bart Preneel and prof. dr. ir. Vincent Rijmen. It has been a great honor to pursuit a PhD under the guidance of two of the world's most notable cryptographers. Back in 2009, when you offered me the opportunity to become a PhD student on symmetric cryptology, I was about to finish my Master's thesis in the area of asymmetric cryptographic protocols, and had barely any knowledge of symmetric cryptology. Particularly, I had no specific research topic in mind, it would just be \symmetric cryptology." However, with the help and encouragement of both of you, I quickly became familiar with symmetric cryptology, and managed to plot my own path in the area of provable security. I am thankful for the full freedom you gave me to choose my own research topics. I believe it is exactly this freedom that gives rise to nonsensical intuitions that are needed for great discoveries. Besides Bart and Vincent, I would like to express my gratitude to the other members of my jury, prof. dr. Marc Fischlin, prof. dr. ir. Frank Piessens, dr. ir. Martijn Stam, and prof. dr. ir. Joos Vandewalle, for reading my manuscript, attending my private and public defence, and providing valuable feedback. I would also like to thank prof. dr. ir. Pierre Verbaeten for chairing the jury. A word of appreciation goes to the Institute for the Promotion of Innovation through Science and Technology in Flanders (IWT) for their financial support that made this thesis possible. During my stay at COSIC and at the conferences I visited, I have had the fortune and pleasure to meet some of the brightest cryptographers and had plenty of interesting and inspiring discussions with them. I am especially indebted to my co-authors, Elena Andreeva, Andrey Bogdanov, Yevgeniy Dodis, Jorge Guajardo, Atul Luykx, Florian Mendel, Bart Preneel, Christian Rechberger, i Preface Vincent Rijmen, Berry Schoenmakers, Marjan Skrobot,ˇ John P. Steinberger, and Elmar Tischhauser. Partially overlapping this list, I would like to thank Elena, Andrey, Atul, Mohammad Reza Reyhanitabar, and Kan Yasuda for the enjoyable and delighting discussions on symmetric provable security. I want to thank Elena in particular also for always being available to discuss research ideas, to read proof write-ups, and to provide feedback on my papers. Also thanks in particular to Atul and Marjan, whose Master's theses I co-supervised. I learned a lot from both of you, and wish you good luck with your own fresh, yet challenging, PhD periods. A sportive thanks to Joan Daemen and Simon Knellwolf for the enlightening and unforgettable discussions while discovering Washington DC or the UCSB coastline on running shoes. Furthermore, I want to thank all remaining COSIC members for the occasional chats, and all other friends and colleagues abroad. A warm thanks to the administrative fundament of COSIC, P´ela No¨e, Elsy Vermoesen, and Wim Devroye. Without your help, I would have been stuck in the maze of administration and paperwork for most of the time. Thanks to Sebastiaan Indesteege for providing me with a template of his thesis, it saved me plenty of LATEX work. Thanks to Elena and Atul for proofreading parts of the thesis, and to Sander for verifying my Limburgish abstract. I would like to thank my high school classmates, Benno, Dennis, Joost, Rob, Rob, and Ron. Even though high school is already almost a decade ago, the friendship has lasted through all those years. Also thanks to Roger, not only a good friend but also a great physicist. I am quite sure you will end up with a nice PhD thesis. A very sincere word of thanks goes to my family, my parents and my brother Paul, for the continuous support, the chances you have given me, and for always being there when needed. Thanks to my family (in-law) for all enjoyable moments in my life. Finally, I would like to express my utmost gratefulness to my wife Audrey. You have supported me throughout my entire PhD, and I want to thank you for all your love, support, understanding, humor, and friendship. It is hardly possible to express your importance for this thesis in words. Bart Mennink Leuven, April 2013 ii Abstract Cryptographic hash functions form the basis of the security of today's digital environment, and find applications in numerous cryptographic systems such as tamper detection, key derivation functions, and digital signatures. Ideally, hash functions behave like a random oracle, a function that returns random outputs for each new input, but in practice such a construction does not exist. Usually, a hash function is designed to give strong confidence that it is indeed secure, and it is presumed secure until it is broken. In 2004-2005, cryptanalytic breakthroughs have raised doubts about the security of many widely employed hash functions, such as MD5 and SHA-1. As a response, in 2007 the US National Institute for Standards and Technology (NIST) announced a call for the design of a new SHA-3 hashing algorithm. This dissertation deals with the fundamental security properties of hash functions. It is divided into two parts. In the first part of the dissertation, we analyze existing hash functions and introduce design methodologies. We particularly search for the limits within the provable security framework, by considering minimalist designs with maximal security. Firstly, we look at double block length 3n-to-2n-bit compression functions based on block ciphers with an n-bit message and key space. We consider the MDC-4 hash function, and improve its collision and preimage security bounds. Next, we present a family of designs that make three cipher calls and achieve optimal collision security and very good preimage security. Furthermore, we consider the possibility of compression functions based on permutations, and provide a full security classification of all 2n-to-n-bit compression functions solely built of XOR operators and three permutations. As a final contribution of this part, we propose the family of parazoa functions as a generalization of the sponge hash function design, and prove that parazoa functions are indifferentiable from a random oracle. The sponge is a popular hash function design and many derivatives, called sponge-like functions, appeared in literature. However, these sponge-like functions do not automatically enjoy the same security guarantees as the original sponge. Our generalized parazoa family applies to a wide class of sponge-like functions, and the indifferentiability proof for parazoa naturally carries over. iii Abstract In the second part of the dissertation, we consider NIST's SHA-3 hash function competition from a provable security point of view. We provide a detailed survey of the five SHA-3 finalists, in which we analyze and compare their security guarantees. We consider collision, preimage, and second preimage resistance and indifferentiability of all finalists, and solve open problems where needed. iv Samenvatting Cryptografische hashfuncties liggen ten grondslag aan de beveiliging van de hedendaagse digitale wereld, en worden gebruikt in talrijke cryptografische toepassingen zoals het detecteren van ongeoorloofde datawijzigingen, het afleiden van cryptografische sleutels en digitale handtekeningen. In het ideale geval gedraagt een hashfunctie zich als een volledig willekeurige functionaliteit, een functie die voor iedere invoer een willekeurige uitvoer produceert, maar zulk soort functies bestaan in de praktijk niet. Derhalve worden hashfuncties normaliter op een zodanige wijze ontworpen dat ze veilig genoeg lijken, en ze worden veilig geacht totdat iemand een zwakheid in de functie ontdekt. In 2004-2005 hebben cryptanalytische doorbraken echter de veiligheid van enkele wijdverspreide hashfuncties, zoals MD5 en SHA-1, ter discussie gesteld. Om deze reden lanceerde het National Institute for Standards and Technology (NIST) van de VS in 2007 een internationale competitie voor het ontwerp van een nieuwe SHA-3 hashfunctie. Deze dissertatie behandelt fundamentele veiligheidsaspecten van cryptografi- sche hashfuncties. Ze bestaat uit twee delen.