
Cryptography 7. Hash functions

Hash functions in data structures
- A hash function is a compression function on arbitrary-length input: $H : \{0,1\}^* \to \{0,1\}^k$ for $k = 128, 160, 256$, etc.
- Classical application: data structures. A set of elements is stored in a table indexed by the hash value, achieving O(1) insertion and lookup time.
- The element $x$ is stored in table cell $H(x)$; to retrieve $x$, compute $H(x)$ and check that cell.
- Collision: $x \ne x'$ with $H(x) = H(x')$.
- A hash function is "good" if there are few collisions, i.e. it spreads the elements well.

Hash functions in cryptography
- Both settings want a function that compresses data and has few collisions, but collision resistance is merely desirable in data structures and crucial in cryptography.
- In data structures $x$ and $H(\cdot)$ are independent; in cryptography the adversary can choose $x$ arbitrarily, trying to cause a collision.
- Cryptographic hash functions are therefore harder to construct.

Definition. A collision in a function $H(\cdot)$ is a pair of inputs $x \ne x'$ such that $H(x) = H(x')$. A function $H(\cdot)$ is collision resistant if any PPT adversary finds a collision with negligible probability only. A function $H(\cdot)$ is a hash function if $H : \{0,1\}^* \to \{0,1\}^n$.

Weaker notions of security (collision resistance implies second-preimage resistance, which in turn implies preimage resistance for functions that compress their input, so the list runs from strongest to weakest):
1. Collision resistance: see above.
2. Second-preimage resistance: given $x$, it is infeasible for a PPT adversary to find $x' \ne x$ with $H(x') = H(x)$.
3. Preimage resistance: given $y = H(x)$ for random (and unknown) $x$, it is infeasible for a PPT adversary to find $x'$ with $H(x') = y$ (in other words, $H$ is a one-way function).

Design principles
- Collision resistance, second-preimage resistance, preimage resistance.
- Avalanche effect: a small change in the input causes a large change in the output.
- Strict avalanche criterion: if a single input bit is complemented, every output bit changes with probability 1/2.
- Bit independence criterion: for all $i, j, k$, if the single input bit $i$ is complemented, output bits $j$ and $k$ change independently.

Attacks and weaknesses: the birthday attack
Theorem (Birthday paradox). Let $x_1, \dots, x_n \in_R \{1, \dots, d\}$ be uniform random values. Then
$$P(\exists i, j \in \{1, \dots, n\} : i \ne j,\ x_i = x_j) \approx 1 - e^{-n(n-1)/(2d)}.$$
- Birthday attack: for a hash function $H : \{0,1\}^* \to \{0,1\}^n$ (so $d = 2^n$) a collision is found with probability 1/2 after computing about $2^{n/2}$ hash values.
- This is significantly faster than brute force (a preimage costs about $2^n$ evaluations), so the output must be long: $n \ge 160$ was the rule when these slides were written; today $n \ge 256$ is the usual choice, giving 128-bit collision security.
- If a collision can be found faster than by the birthday attack, the hash is considered "broken".

Attacks and weaknesses: sophisticated collision attacks
- The birthday paradox combined with cryptanalysis of the specific function.
- Chosen-prefix attack: given two prefixes $p_1 \ne p_2$, find $m_1, m_2$ such that $H(p_1 \| m_1) = H(p_2 \| m_2)$. Specific to Merkle-Damgård constructions; real-world attacks exist against MD5-based implementations (see the MD5 timeline below).

Attacks and weaknesses: length-extension attack
- Given the hash value $H(m)$ and the message length $|m|$ (but not $m$ itself), compute $H(m \| m')$ for some $m'$ chosen by the attacker.
- Padding-based: the attacker knows which padding was appended, so from $H(\mathit{data} \| \mathit{padding})$ they obtain $H(\mathit{data} \| \mathit{padding} \| \mathit{OurData} \| \mathit{NewPadding})$ by continuing the iteration from the digest, which is the last chaining value.
- Merkle-Damgård is vulnerable: MD5, SHA-1, SHA-256 and SHA-512 all reveal their full internal state as the digest. (The truncated variants SHA-224/SHA-384 and the SHA-3 sponge do not.) Practical consequence: never authenticate with $H(\mathit{key} \| m)$; use HMAC.

Attacks and weaknesses: rainbow tables
- Find a preimage using a precomputed table of hash chains.
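The birthday bound above, exercised as an added example (not part of the original slides): a generic collision search against an n-bit hash, here SHA-256 truncated to n = 32 bits so that the roughly $2^{n/2} = 65{,}536$ expected evaluations finish in well under a second, next to a brute-force preimage search whose cost grows like $2^n$. The inputs are constructed counters and `truncated_hash` stands in for $H$; both are choices for the demonstration.

```python
import hashlib
import math


def truncated_hash(x: bytes, n_bits: int) -> int:
    """Stand-in for an n-bit hash H: {0,1}^* -> {0,1}^n: SHA-256 truncated to its first n bits."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - n_bits)


def birthday_probability(q: int, d: int) -> float:
    """Theorem on this page: Pr[some pair among q uniform samples from d values collides]
    is approximately 1 - exp(-q(q-1)/(2d))."""
    return 1.0 - math.exp(-q * (q - 1) / (2.0 * d))


def evaluations_for_half(n_bits: int) -> float:
    """Solve 1 - exp(-q^2/(2d)) = 1/2 for q with d = 2^n: q = sqrt(2 d ln 2), about 1.18 * 2^(n/2)."""
    return math.sqrt(2 * (2 ** n_bits) * math.log(2))


def birthday_collision(n_bits: int):
    """Generic birthday attack: hash distinct attacker-chosen inputs, remember every output,
    stop at the first repeat. Returns (x, x', evaluations) with x != x' and H(x) == H(x')."""
    seen = {}
    counter = 0
    while True:
        x = b"msg-%d" % counter          # constructed inputs; any distinct strings would do
        counter += 1
        h = truncated_hash(x, n_bits)
        if h in seen:
            return seen[h], x, counter
        seen[h] = x


def preimage_bruteforce(n_bits: int, target: int, limit: int):
    """For contrast: inverting a given output needs about 2^n evaluations, not 2^(n/2).
    Gives up after `limit` tries and returns None."""
    for counter in range(limit):
        x = b"pre-%d" % counter
        if truncated_hash(x, n_bits) == target:
            return x
    return None


if __name__ == "__main__":
    n = 32
    x, x2, evals = birthday_collision(n)
    print(f"n={n}: collision after {evals} evaluations "
          f"(2^(n/2) = {2 ** (n // 2)}, 50% expected at about {evaluations_for_half(n):.0f})")
    print(f"{x!r} and {x2!r} share the truncated hash {truncated_hash(x, n):08x}")
```

Running it with n = 32 finds a collision after tens of thousands of evaluations, whereas the same budget spent on `preimage_bruteforce` at n = 32 almost never succeeds; only at n = 16 does a preimage appear within about $2^{16}$ tries. That gap is why the output length has to be twice the targeted security level.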
- Application: password recovery.
- Only the start and end of each hash-reduction chain is stored (hash, then reduce the digest back into the password space, repeatedly); at lookup time the chain is continued from the target hash and the stored end values are searched for a match, after which that one chain is regenerated to find the password.
- [Figure: rainbow table with 3 reduction functions; diagram for Wikipedia created by User:Dake.]

Attacks and weaknesses: side-channel attacks
- Any attack based on information obtained from the implementation of a given cryptosystem instead of weaknesses in the algorithm itself.
- Sources: timing information, power consumption, electromagnetic leaks, sound; exploited with statistical methods.

Merkle-Damgård transform
- Practical constructions handle fixed-length input only; the transform is the methodology to construct a full-fledged hash function from them.
- Let $h : \{0,1\}^{2n} \to \{0,1\}^n$ be a fixed-length hash function and $m \in \{0,1\}^*$ with $|m| = \ell < 2^n$. Then the following $H(\cdot)$ is a variable-length hash function:
1. Split $m$ into blocks of length $n$, i.e. let $b := \lceil \ell / n \rceil$ and $m = (m_1 \| m_2 \| \dots \| m_b)$ (the last block zero-padded).
2. Set $m_{b+1} := \ell$ encoded in $\{0,1\}^n$, and $z_0 := 0^n$.
3. For $i = 1, \dots, b+1$ compute $z_i := h(z_{i-1} \| m_i)$.
4. $H(m) := z_{b+1}$.
- Practice: it is enough to consider fixed-length constructions. Theory: the amount of compression is not important.
- Initialization vector (IV): $z_0$ can be chosen freely.
- Security: if $h(\cdot)$ is collision resistant then $H(\cdot)$ is collision resistant as well (appending the length in step 2, "MD strengthening", is what makes the reduction go through).

MD5 - Description
- 512-to-128-bit compression function, extended by Merkle-Damgård.
- Works on 32-bit words; $m$ is divided into 512 (= 16 x 32)-bit blocks; operates on a 128 (= 4 x 32)-bit state A, B, C, D with fixed initial values.
- 4 rounds of 16 similar operations each, with four possible non-linear functions:
1. $F(B, C, D) = (B \wedge C) \vee (\neg B \wedge D)$
2. $G(B, C, D) = (B \wedge D) \vee (C \wedge \neg D)$
3. $H(B, C, D) = B \oplus C \oplus D$
4. $I(B, C, D) = C \oplus (B \vee \neg D)$
- $M_i$ is a message word, $K_i$ a constant and $s$ a rotation amount; all vary from operation to operation.

MD5 - Analysis
- NOT collision resistant!
- 128-bit output, so even the generic birthday attack costs only about $2^{64}$ evaluations, and dedicated cryptanalysis does far better:
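The rainbow-table lookup described above, as an added example (not from the slides): hash chains over a constructed toy password space (the 4-digit PINs, hashed with unsalted MD5), a different reduction function per column as in the figure, a table that stores only chain start/end pairs, and the online search that recovers a password from its hash with about $t^2/2$ hash evaluations instead of hashing the whole space. `SPACE`, `CHAIN_LEN`, `NUM_CHAINS`, the chain start points and the reduction function are all choices made for this demonstration.

```python
import hashlib

SPACE = 10_000        # toy password space: the PINs "0000".."9999" (constructed)
CHAIN_LEN = 50        # t: columns (hash -> reduce steps) per chain
NUM_CHAINS = 800      # m: chains kept; precomputation costs m*t hashes, the table stores m pairs


def H(pw: str) -> str:
    """The hash under attack: unsalted MD5 of the password (a common legacy storage format)."""
    return hashlib.md5(pw.encode()).hexdigest()


def R(col: int, digest: str) -> str:
    """Column-dependent reduction R_col: maps a digest back into the password space.
    A different reduction per column (the 'rainbow' idea) means two chains only merge
    when they collide in the same column."""
    return f"{(int(digest[:12], 16) + col) % SPACE:04d}"


def build_table():
    """Precomputation: walk m chains of length t and keep only endpoint -> start points."""
    table = {}
    for j in range(NUM_CHAINS):
        start = f"{(j * 7919) % SPACE:04d}"        # deterministic, spread-out start points
        pw = start
        for col in range(CHAIN_LEN):
            pw = R(col, H(pw))
        table.setdefault(pw, []).append(start)      # merged chains share an endpoint; keep all starts
    return table


def lookup(table, target: str):
    """Online phase. Returns the password whose hash is `target`, or None if no chain covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target sits at column `col` of some stored chain; finish that chain.
        pw = R(col, target)
        for k in range(col + 1, CHAIN_LEN):
            pw = R(k, H(pw))
        for start in table.get(pw, []):
            # Endpoint matched: regenerate the chain and verify (a merge can give a false alarm).
            cand = start
            for k in range(CHAIN_LEN):
                h = H(cand)
                if h == target:
                    return cand
                cand = R(k, h)
    return None


def coverage(table) -> float:
    """Fraction of the password space that occurs in some chain, i.e. what the table can recover."""
    covered = set()
    for starts in table.values():
        for start in starts:
            pw = start
            for col in range(CHAIN_LEN):
                covered.add(pw)
                pw = R(col, H(pw))
    return len(covered) / SPACE


if __name__ == "__main__":
    table = build_table()
    print(f"{len(table)} endpoints stored, coverage {coverage(table):.1%}")
    stolen = H("4242")                               # constructed victim hash
    print("recovered:", lookup(table, stolen))
```

The table covers most of the space with 800 stored pairs, i.e. about 8% of the storage a full dictionary of hashes would need, and coverage can be pushed higher with more chains. A per-password salt folded into `H` makes every precomputed table useless, which is why stored password hashes must be salted (and deliberately slow).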
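The Merkle-Damgård iteration, MD5's compression function and the length-extension attack from the slides above, as one added example (not code from the original lecture): MD5 written from the definitions on this page, with the shift amounts and the constants $K_i = \lfloor |\sin(i+1)| \cdot 2^{32} \rfloor$ taken from RFC 1321, checked against `hashlib`, and then resumed from a digest to forge a tag for the naive MAC $\mathrm{MD5}(\mathit{secret} \| \mathit{msg})$ knowing only the tag and $|\mathit{secret}| + |\mathit{msg}|$. The secret, message and appended suffix are constructed for the demonstration.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)          # fixed initial chaining value z_0
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def rol32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32


def md5_compress(state, block: bytes):
    """The fixed-length function h: {0,1}^128 x {0,1}^512 -> {0,1}^128 (4 rounds x 16 steps)."""
    a, b, c, d = state
    M = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:                       # F(B,C,D) = (B and C) or (not B and D)
            f, g = (b & c) | (~b & d), i
        elif i < 32:                     # G(B,C,D) = (B and D) or (C and not D)
            f, g = (b & d) | (c & ~d), (5 * i + 1) % 16
        elif i < 48:                     # H(B,C,D) = B xor C xor D
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:                            # I(B,C,D) = C xor (B or not D)
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + M[g]) & MASK32
        a, d, c, b = d, c, b, (b + rol32(f, S[i])) & MASK32
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d)))   # feed-forward


def md_strengthening(total_len: int) -> bytes:
    """Padding appended by Merkle-Damgård: 0x80, zeros, then the 64-bit little-endian bit length."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_digest(data: bytes, state=IV, prior_len: int = 0) -> bytes:
    """Merkle-Damgård iteration z_i = h(z_{i-1}, m_i). With the defaults this is plain MD5;
    an attacker who knows only H(m) and |m| passes the digest as `state` and resumes."""
    padded = data + md_strengthening(prior_len + len(data))
    for off in range(0, len(padded), 64):
        state = md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def length_extend(known_digest: bytes, known_len: int, suffix: bytes):
    """Given H(m) and |m| only: return (glue, H(m || glue || suffix)) where glue = padding of m."""
    glue = md_strengthening(known_len)
    resumed = struct.unpack("<4I", known_digest)
    return glue, md5_digest(suffix, state=resumed, prior_len=known_len + len(glue))


def mac_forgery_demo() -> bool:
    """Naive MAC = MD5(secret || msg). The attacker never sees `secret` (constructed below)."""
    secret = b"constructed-demo-secret"            # constructed; unknown to the attacker
    msg = b"user=alice&role=guest"
    tag = md5_digest(secret + msg)                  # what the server sends along with msg
    glue, forged_tag = length_extend(tag, len(secret) + len(msg), b"&role=admin")
    forged_msg = msg + glue + b"&role=admin"
    # The server recomputes MD5(secret || forged_msg): the forged tag verifies.
    return forged_tag == hashlib.md5(secret + forged_msg).digest()


def self_check() -> bool:
    """Compare with hashlib around the padding boundaries and on a multi-block message."""
    msgs = [b"", b"abc", b"x" * 55, b"x" * 56, b"x" * 64, bytes(range(256))]   # constructed
    return all(md5_digest(m) == hashlib.md5(m).digest() for m in msgs)


if __name__ == "__main__":
    print("md5 matches hashlib:", self_check())
    print("forged MAC accepted:", mac_forgery_demo())
```

The forgery works because the digest is the whole chaining value $z_{b+1}$ and the padding depends only on the length; the same code structure applies unchanged to SHA-1 and SHA-256 given their compression functions. HMAC (and any hash that does not expose its full state, such as SHA-3) closes the hole.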
- 1992: MD5 published.
- 1993: "pseudo-collision" in the compression function (IV-based attack).
- 1996: collision in the compression function.
- 2004: MD5CRK, a distributed effort using the birthday attack.
- 2004: hash collision within 1 hour (analytical attack).
- 2005: practical collision of two X.509 certificates with different public keys and the same MD5 hash value.
- 2010: first published single-block collision.

SHA-1
- SHA = Secure Hash Algorithm, designed by the U.S. NSA and published by U.S. NIST; similar to MD5.
- SHA-0 (1993): 160-bit output, 32-bit words, 80 rounds; operations: $\oplus$, addition mod $2^{32}$, $\wedge$, $\vee$, $\neg$ and rotation. Collision found.
- SHA-1 (1995): 160-bit output, 32-bit words, 80 rounds, the same operations; $W_t$ is the expanded message word and $K_t$ the round constant for round $t$. More resistant, but a theoretical attack of complexity $2^{61}$ was published in 2011 (a practical collision followed in 2017, so SHA-1 must no longer be used where collision resistance matters).
- [Figure: one SHA-1 round; original diagram for Wikipedia created by User:Matt Crypto.]

SHA-2
- SHA-2 (2001) = SHA-256/SHA-512: 256/512-bit output, 32/64-bit words, 64/80 rounds.
- Operations: $\oplus$, addition mod $2^{32}$ or $2^{64}$, $\wedge$, $\vee$, $\neg$, rotation (rot); for SHA-256:
  $Ch(E, F, G) = (E \wedge F) \oplus (\neg E \wedge G)$
  $Ma(A, B, C) = (A \wedge B) \oplus (A \wedge C) \oplus (B \wedge C)$
  $\Sigma_0(A) = (A \ggg 2) \oplus (A \ggg 13) \oplus (A \ggg 22)$
  $\Sigma_1(E) = (E \ggg 6) \oplus (E \ggg 11) \oplus (E \ggg 25)$
- No collision found (yet).
- SHA-3 (2014-): a different design, an alternative to SHA-2.
- [Figure: one SHA-2 round; original diagram for Wikipedia created by User:kockmeyer.]

RIPEMD-160
- Published in 1996; 160-bit hash value; similar design principles as MD5; a bit faster than SHA-1.
- BUT designed in the open academic community! Developed in the framework of the EU project RIPE (RACE Integrity Primitives Evaluation).
- No collision found (yet).
- Optional extensions: RIPEMD-256 and RIPEMD-320, with longer hash values but the same levels of security as RIPEMD-128/160.
- A possible alternative to SHA-1.

NIST hash function competition (2007 - 2012)
- Development process similar to the AES competition.
- Oct. 2008: submission deadline.
- Dec. 2008: 51 candidates for Round 1.
- Feb. 2009: NIST conference, submitters presented their algorithms.
- Jul. 2009: 14 candidates accepted to Round 2.
- Aug. 2010: CRYPTO 2010, the second-round candidates were discussed.
- Dec. 2010: announcement of the finalists, judged on performance (small hardware requirements), security (possible cryptographic/design weaknesses), analysis (how much cryptanalysis the whole crypto community had done) and diversity (different modes of operation and internal structures).
- Oct. 2012: winner: Keccak.
- Aug. 2013: NIST announced changes to the proposed standard to achieve a better security/performance trade-off (a reduction of the capacity, later withdrawn after public criticism).
- Aug. 2015: Keccak, as SHA-3, is the hashing standard (FIPS 202).

One finalist: Grøstl
- Knudsen et al. (Technical University of Denmark & TU Graz).
- Modified Merkle-Damgård: $h_0 = iv$, $h_i = f(h_{i-1}, m_i)$; the compression function $f$ is based on two permutations $P$, $Q$; $H(m) = \Omega(h_t)$ with output transformation $\Omega(x) = \mathrm{trunc}_n(P(x) \oplus x)$.
- $f(h, m) = P(h \oplus m) \oplus Q(m) \oplus h$.
- The design of $P$ and $Q$ is inspired by AES: a small number of permutations gives a simple analysis, using well-known design principles.
- Provably secure if the permutations are ideal: finding a collision requires at least $2^{\ell/4}$ evaluations of $P$, $Q$ and finding a preimage at least $2^{\ell/2}$, where $\ell$ is the size of the chaining value (twice the output length $n$).
- The compression function $f$ of Grøstl is indifferentiable from a random oracle.

One finalist: Skein
- Schneier et al. Main components:
1. Threefish, a tweakable block cipher. The tweak is an extra input that provides variability. A large number of simple rounds instead of fewer complex rounds; key + tweak give the subkeys; MIX: $\oplus$, addition mod $2^{64}$, rotation (<<<). [Figure: four of the 72 rounds of Threefish-512.]
2. Unique Block Iteration (UBI): a chaining mode using Threefish to build a compression function. Example: a 166-byte input takes 3 calls of Threefish-512. The tweak encodes the length, first/last-block flags and the block "type". [Figure: hashing a three-block message using UBI.] Skein is built from multiple invocations of UBI.
3. Optional Argument System, for extensions and other modes. [Figure: Skein in normal hashing mode.]

SHA-3/Keccak
- [Figure: diagram of a sponge construction, from http://sponge.noekeon.org/]
- Winner of the NIST hash function competition (2012); created by Bertoni, Daemen, Peeters and Van Assche.
- Sponge construction: a fixed-length permutation $f$ and a padding rule:
1. $m$ is padded and split into $r$-bit blocks $p_i$.
2. Absorbing: the $p_i$ are XORed into the hash state at the given rate $r$, interleaved with applications of $f$ ($f$ = Keccak-f[1600]: 24 rounds of simple bitwise operations, the steps $\theta, \rho, \pi, \chi, \iota$, on a state consisting of a $5 \times 5$ array of 64-bit words).
3. Squeezing: the output blocks $z_i$ are read from the state at the same rate, with $f$ applied between blocks, so arbitrarily long output is possible.
- The remaining $c = 1600 - r$ state bits (the capacity) are never input or output; the generic security is about $c/2$ bits (SHA3-256: $r = 1088$, $c = 512$). Because the digest does not reveal the whole state, the length-extension attack above does not apply.

GPU-resistant hash functions
- RandomHash: serial vs. parallel hashers.
- $N$ rounds, where the $H_i$ are well-known hash functions; in each round $H \in_R \{H_1, \dots, H_{18}\}$.
- The output is expanded for memory hardness.
- A possible solution; RandomHash was designed by Herman Schoenfeld.

Privacy vs.
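The sponge construction described above, as an added example written for this page (not the Keccak team's code, although it follows the same compact structure as their public reference implementation): Keccak-f[1600] with its five step mappings, the pad10*1 rule with SHA-3's domain-separation suffix 0x06 (0x1F for SHAKE), absorbing at rate $r$ and squeezing as many output blocks as requested, checked against `hashlib`. The rotation offsets and round constants are generated from the standard's formulas rather than copied as tables; the test messages are constructed.

```python
import hashlib

MASK64 = (1 << 64) - 1


def rol64(v: int, n: int) -> int:
    n %= 64
    return (((v << n) | (v >> (64 - n))) & MASK64) if n else v


def _rho_offsets():
    """Rotation offset of lane (x, y), stored at index x + 5*y, from the standard's (t+1)(t+2)/2 rule."""
    r, x, y = [0] * 25, 1, 0
    for t in range(24):
        r[x + 5 * y] = ((t + 1) * (t + 2) // 2) % 64
        x, y = y, (2 * x + 3 * y) % 5
    return r


def _round_constants():
    """Iota constants from the standard's 8-bit LFSR (polynomial x^8 + x^6 + x^5 + x^4 + 1)."""
    rcs, R = [], 1
    for _ in range(24):
        c = 0
        for j in range(7):
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                c |= 1 << ((1 << j) - 1)
        rcs.append(c)
    return rcs


RHO, RC = _rho_offsets(), _round_constants()


def keccak_f1600(lanes):
    """The permutation f: 24 rounds of theta, rho, pi, chi, iota on 25 lanes of 64 bits (index x + 5*y)."""
    for rnd in range(24):
        # theta: XOR every bit with the parities of two neighbouring columns
        C = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol64(C[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ D[i % 5] for i in range(25)]
        # rho (rotate each lane) and pi (move lane (x, y) to (y, 2x + 3y))
        B = [0] * 25
        for x in range(5):
            for y in range(5):
                B[y + 5 * ((2 * x + 3 * y) % 5)] = rol64(lanes[x + 5 * y], RHO[x + 5 * y])
        # chi: the only non-linear step, a[x] ^= ~a[x+1] & a[x+2] along each row
        lanes = [B[i] ^ (~B[(i % 5 + 1) % 5 + 5 * (i // 5)] & B[(i % 5 + 2) % 5 + 5 * (i // 5)])
                 for i in range(25)]
        # iota: break the symmetry between rounds
        lanes[0] ^= RC[rnd]
    return lanes


def sponge(rate: int, data: bytes, suffix: int, out_len: int) -> bytes:
    """Sponge[f, pad10*1, r]: absorb r-bit (rate-byte) blocks, then squeeze r bits per call of f.
    The other c = 1600 - r bits (the capacity) are never touched by input or output."""
    buf = bytearray(data) + bytes([suffix])        # domain-separation bits plus the first '1' of pad10*1
    buf += bytes((-len(buf)) % rate)               # zeros up to a block boundary
    buf[-1] |= 0x80                                # the final '1' of pad10*1
    lanes = [0] * 25
    for off in range(0, len(buf), rate):           # absorbing phase
        block = buf[off:off + rate]
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        lanes = keccak_f1600(lanes)
    out = bytearray()
    while len(out) < out_len:                      # squeezing phase: several blocks for long outputs
        out += b"".join(l.to_bytes(8, "little") for l in lanes[:rate // 8])
        if len(out) < out_len:
            lanes = keccak_f1600(lanes)
    return bytes(out[:out_len])


def sha3_256(data: bytes) -> bytes:
    return sponge(136, data, 0x06, 32)             # r = 1088, c = 512: 128-bit collision security


def shake128(data: bytes, out_len: int) -> bytes:
    return sponge(168, data, 0x1F, out_len)        # r = 1344, c = 256: extendable output


def self_check() -> bool:
    """Compare with hashlib on constructed messages, including multi-block input and 300-byte XOF output."""
    msgs = [b"", b"abc", b"x" * 135, b"x" * 136, bytes(range(256)) * 3]
    return (all(sha3_256(m) == hashlib.sha3_256(m).digest() for m in msgs)
            and all(shake128(m, 300) == hashlib.shake_128(m).digest(300) for m in msgs))


if __name__ == "__main__":
    print("matches hashlib:", self_check())
    print("SHA3-256(''):", sha3_256(b"").hex())
```

Only the first $r$ bits of the state are ever written or read, so knowing a digest does not give the attacker the chaining value needed for a length extension, and shrinking the capacity (the 2013 proposal above) directly lowers the security margin: that is the trade-off the competition's critics objected to.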