Merkle-Damg˚ard HAIFA New Results Summary Re-Visiting HAIFA and why you should visit too Orr Dunkelman D´epartement d’Informatique Ecole´ Normale sup´erieure and France Telecom Chaire 3rd of June 2008 Joint work with Eli Biham, Charles Bouillaguet, Pierre-Alain Fouque, S´ebastian Zimmer. Orr Dunkelman Re-Visiting HAIFA and why you should visit too 1/ 42 Merkle-Damg˚ard HAIFA New Results Summary Outline 1 Iterative Hashing — The Merkle Damg˚ard Construction The Merkle-Damg˚ard Construction Generic Attacks on the Merkle-Damg˚ard Construction Possible Conclusions 2 HAsh Iterative FrAmework The HAIFA Construction Dealing with Fix-Points Variable Hash Size Salts 3 New Results on HAIFA Implementing Other Suggested Modes in HAIFA On the Security of HAIFA 4 Summary Orr Dunkelman Re-Visiting HAIFA and why you should visit too 2/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Outline 1 Iterative Hashing — The Merkle Damg˚ard Construction The Merkle-Damg˚ard Construction Generic Attacks on the Merkle-Damg˚ard Construction Possible Conclusions 2 HAsh Iterative FrAmework The HAIFA Construction Dealing with Fix-Points Variable Hash Size Salts 3 New Results on HAIFA Implementing Other Suggested Modes in HAIFA On the Security of HAIFA 4 Summary Orr Dunkelman Re-Visiting HAIFA and why you should visit too 3/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions The Merkle-Damg˚ard Construction ◮ Presented by Merkle and Damg˚ard independently as an answer to the following problem: ◮ Given a compression function f : {0, 1}mc × {0, 1}n → {0, 1}mc , how would you ∗ m generate a hash function Hf : {0, 1} → {0, 1} . Orr Dunkelman Re-Visiting HAIFA and why you should visit too 4/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions The Merkle-Damg˚ard Construction ◮ Presented by Merkle and Damg˚ard independently as an answer to the following problem: ◮ Given a compression function f : {0, 1}mc × {0, 1}n → {0, 1}mc , how would you ∗ m generate a hash function Hf : {0, 1} → {0, 1} . ◮ The solution is as follows: 1 Pad the message M to a multiple of b (with 1, and many 0’s as needed and the length of the message). 2 Divided the padded message into l blocks m1m2 . ml . 3 Set h0 = IV . 4 For i =1 to l, do hi = f (hi−1, mi ). 5 Output hl (or some function of it). Orr Dunkelman Re-Visiting HAIFA and why you should visit too 4/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions The Security of the Merkle-Damg˚ard Construction ◮ Finding a collision in Hf means finding a collision in f . ◮ Thus, if f is collision-resistant, so is Hf . Orr Dunkelman Re-Visiting HAIFA and why you should visit too 5/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions The Security of the Merkle-Damg˚ard Construction ◮ Finding a collision in Hf means finding a collision in f . ◮ Thus, if f is collision-resistant, so is Hf . ◮ Also, finding a second preimage in Hf means finding collision in f . Orr Dunkelman Re-Visiting HAIFA and why you should visit too 5/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions The Security of the Merkle-Damg˚ard Construction ◮ Finding a collision in Hf means finding a collision in f . ◮ Thus, if f is collision-resistant, so is Hf . ◮ Also, finding a second preimage in Hf means finding collision in f . ◮ The same is true for finding a preimage (because you can use it to find a second preimage). Orr Dunkelman Re-Visiting HAIFA and why you should visit too 5/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions The Security of the Merkle-Damg˚ard Construction ◮ Finding a collision in Hf means finding a collision in f . ◮ Thus, if f is collision-resistant, so is Hf . ◮ Also, finding a second preimage in Hf means finding collision in f . ◮ The same is true for finding a preimage (because you can use it to find a second preimage). To conclude, if f is collision resistant (i.e., it takes O(2mc /2) invocations to find a collision), then Hf is collision resistant and (second) preimage resistant with security level of O(2mc /2). Orr Dunkelman Re-Visiting HAIFA and why you should visit too 5/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Attacks against the Merkle-Damg˚ard Construction Let m be the hash size, and mc be the chaining value size. Let l be the number of blocks of a given message M, and let k be the number of given messages (for one-of-many attacks). ◮ Easily invertible compression functions (the backward attack) — 2mc /2 (late 1970’s) ◮ One-of-many preimage attacks, one-of-many second preimage attacks — 2m−k , 2m/2 (Merkle 1979) Orr Dunkelman Re-Visiting HAIFA and why you should visit too 6/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Generic Attacks against MD Construction (cont.) ◮ Multi-collision — O(2mc /2) (Joux, 2004) 1 1 1 1 m1 m2 m3 m4 h0 h1 h2 h3 h4 2 2 2 2 m1 m2 m3 m4 Finding 2t collisions takes O(t · 2mc /2) (ideally we would t − 2 1 ·m expect O(2 2t c )). Orr Dunkelman Re-Visiting HAIFA and why you should visit too 7/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Generic Attacks against MD Construction (cont.) ◮ Fixpoint and second preimage attacks (long messages) — − 2mc l , O(2mc /2) (Dean, 1999) [mainly for Davies-Meyer functions] ◮ Find O(2mc /2) fix-points denoted by h A =(h, m). i ◮ Select O(2mc /2) single blocks and compute m B =(CMD (IV , m˜ ), m˜ ). i E ◮ Find a collision between A and B. ◮ Voil`a— an expandable message m˜ ||mt for all t lead to the same chaining value h. hi+1 Orr Dunkelman Re-Visiting HAIFA and why you should visit too 8/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Generic Attacks against MD Construction (cont.) ◮ Fixpoint and second preimage attacks (long messages) — − 2mc l , O(2mc /2) (Dean, 1999) [mainly for Davies-Meyer functions] ◮ Find O(2mc /2) fix-points denoted by A =(h, m). ◮ Select O(2mc /2) single blocks and compute B =(CMD (IV , m˜ ), m˜ ). E ◮ Find a collision between A and B. 0 ◮ Voil`a— an expandable message m˜ ||mt for all t lead to the same chaining value h. Orr Dunkelman Re-Visiting HAIFA and why you should visit too 8/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Generic Attacks against MD Construction (cont.) ◮ Fixpoint and second preimage attacks (long messages) — − 2mc l , O(2mc /2) (Dean, 1999) [mainly for Davies-Meyer functions] ◮ Find O(2mc /2) fix-points denoted by A =(h, m). ◮ Select O(2mc /2) single blocks and compute m B =(CMD (IV , m˜ ), m˜ ). i E Pick at ◮ Find a collision between A and B. Random 0 ◮ Voil`a— an expandable message m˜ ||mt for all t lead to the same chaining value h. Orr Dunkelman Re-Visiting HAIFA and why you should visit too 8/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Generic Attacks against MD Construction (cont.) ◮ Fixpoint and second preimage attacks (long messages) — − 2mc l , O(2mc /2) (Dean, 1999) [mainly for Davies-Meyer functions] ◮ Find O(2mc /2) fix-points denoted by h A =(h, m). i ◮ Select O(2mc /2) single blocks and compute m B =(CMD (IV , m˜ ), m˜ ). i E Pick at ◮ Find a collision between A and B. Random 0 ◮ Voil`a— an expandable message m˜ ||mt for all t lead to the same chaining value h. Orr Dunkelman Re-Visiting HAIFA and why you should visit too 8/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Generic Attacks against MD Construction (cont.) ◮ Fixpoint and second preimage attacks (long messages) — − 2mc l , O(2mc /2) (Dean, 1999) [mainly for Davies-Meyer functions] ◮ Find O(2mc /2) fix-points denoted by h A =(h, m). i ◮ Select O(2mc /2) single blocks and compute m B =(CMD (IV , m˜ ), m˜ ). i E Pick at ◮ Find a collision between A and B. Random 0 ◮ Voil`a— an expandable message m˜ ||mt for all t lead to the same chaining value h. hi+1 = hi Orr Dunkelman Re-Visiting HAIFA and why you should visit too 8/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Generic Attacks against MD Construction (cont.) ◮ Fixpoint and second preimage attacks (long messages) — − 2mc l , O(2mc /2) (Dean, 1999) [mainly for Davies-Meyer functions] ◮ Take the message M. hi ◮ Starting from h, try to find a message block x f h x h m s.t., ( , )= i , for one of the chaining i E values of M. ◮ If succeeded, pad the message to the right length and obtain a second preimage. hi+1 = hi Orr Dunkelman Re-Visiting HAIFA and why you should visit too 9/ 42 Merkle-Damg˚ard HAIFA New Results Summary MD Generic Attacks Conclusions Generic Attacks against MD Construction (cont.) − ◮ One-of-many second preimage attacks — 2mc kl , O(2mc /2) (Dean, 1999) ◮ Expandable messages and second preimage attacks (long − messages) — 2mc l , O(2mc /2) (Kelsey, Schneier, 2005) [any iterative hash function]. They forgot to mention, applicable also to one-of-many second preimage attacks − — 2mc kl , O(2mc /2) ◮ In [KS05] the expandable message is constructed as a multi-collision.