Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl – a SHA-3 candidate Krystian Matusiewicz Wroclaw University of Technology CECC 2010, June 12, 2010 Krystian Matusiewicz Grøstl – a SHA-3 candidate 1 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Talk outline ◮ Cryptographic hash functions ◮ NIST SHA-3 Competition ◮ Grøstl Krystian Matusiewicz Grøstl – a SHA-3 candidate 2 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Cryptographic hash functions Krystian Matusiewicz Grøstl – a SHA-3 candidate 3 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Cryptographic hash functions: why? ◮ We want to have a short, fixed length “fingerprint” of any piece of data ◮ Different fingerprints – certainly different data ◮ Identical fingerprints – most likely the same data ◮ No one can get any information about the data from the fingerprint Krystian Matusiewicz Grøstl – a SHA-3 candidate 4 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Properties: ◮ No information about the data ◮ To find a preimage: 2n queries for n-bit outputs ◮ To find collisions: 2n/2 queries ◮ Random behaviour Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Properties: ◮ No information about the data ◮ To find a preimage: 2n queries for n-bit outputs ◮ To find collisions: 2n/2 queries ◮ Random behaviour We want to construct concrete algorithms which are as close to this behaviour as possible. Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl NIST SHA-3 Competition Krystian Matusiewicz Grøstl – a SHA-3 candidate 6 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Krystian Matusiewicz Grøstl – a SHA-3 candidate 7 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl The world after Wang (after 2004) hash designed Wang-inspired attacks MD4 1990 collisions by hand calculation MD5 1992 collisions in ms on a computer SHA-0 1993 collisions in ≈ 1hr SHA-1 1995 attacked, 269 SHA-2 2002 no attack Many other hash functions similar to MD5/SHA-1 were subsequently broken using Wang’s method. Krystian Matusiewicz Grøstl – a SHA-3 candidate 8 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl NIST SHA-3 competition ◮ There is only one hash function standardized by NIST which is not broken (SHA-256/SHA-512) ◮ But design principles are somehow similar to the broken ones, is it secure enough? ◮ Would be good to have a backup plan ◮ Let’s organize a competition like the one for Advanced Encryption Standard! Krystian Matusiewicz Grøstl – a SHA-3 candidate 9 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl First-round SHA-3 candidates Abacus ARIRANG AURORA BLAKE Blender Blue Midnight Wish BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1 LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall Krystian Matusiewicz Grøstl – a SHA-3 candidate 10 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Second-round SHA-3 candidates Abacus ARIRANG AURORA BLAKE Blender Blue Midnight Wish BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1 LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall Krystian Matusiewicz Grøstl – a SHA-3 candidate 11 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl What happens next? ◮ August 2010 – second NIST workshop ◮ Around 5 finalists will be announced before the end of the year ◮ The winner selected in 2012 Krystian Matusiewicz Grøstl – a SHA-3 candidate 12 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl The SHA-3 Zoo / Hash function Zoo Everything you ever wanted to know about SHA-3 candidates ◮ ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo ◮ ehash.iaik.tugraz.at/wiki/The_Hash_Function_Zoo Krystian Matusiewicz Grøstl – a SHA-3 candidate 13 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl Krystian Matusiewicz Grøstl – a SHA-3 candidate 14 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl The Grøstl team Søren S. Thomsen Martin Schl¨affer Christian Rechberger Florian Mendel Lars R. Knudsen Praveen Gauravaram & K.M. Krystian Matusiewicz Grøstl – a SHA-3 candidate 15 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl hash function m1 m2 m3 mt - - - - iv - f - f - f . - f - Ω - H(m) ◮ Iterated wide-pipe ◮ Output transformation Krystian Matusiewicz Grøstl – a SHA-3 candidate 16 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl Compression Function h m ? f ? ? P Q ? - ? ◮ P, Q – large, fixed permutations ◮ Security reductions: collision, preimage resistance provided that permutations behave like ideal ones Krystian Matusiewicz Grøstl – a SHA-3 candidate 17 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl Output Transformation x P ◮ Provides protection against some attacks ◮ Random behaviour Krystian Matusiewicz Grøstl – a SHA-3 candidate 18 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Designing an “ideal permutation” ◮ How to design an “ideal permutation”? ◮ No way of telling it apart from randomly chosen permutation ◮ No visible structure ◮ No differential trail with significant probability ◮ Wide-trail strategy Krystian Matusiewicz Grøstl – a SHA-3 candidate 19 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl : One round of P, Q (×10) AddRoundConstant SubBytes ShiftBytes MixBytes Krystian Matusiewicz Grøstl – a SHA-3 candidate 20 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl : AddRoundConstant i i ⊕ ff AddRoundConstant of P AddRoundConstant of Q ◮ Permutations must be different (security) ◮ Different constants for P and Q Krystian Matusiewicz Grøstl – a SHA-3 candidate 21 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl : SubBytes S(·) Krystian Matusiewicz Grøstl – a SHA-3 candidate 22 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl : ShiftBytes shift by 0 shift by 1 shift by 2 shift by 3 shift by 4 shift by 5 shift by 6 shift by 7 Krystian Matusiewicz Grøstl – a SHA-3 candidate 23 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl : MixBytes B = circ(02, 02, 03, 04, 05, 03, 05, 07) Krystian Matusiewicz Grøstl – a SHA-3 candidate 24 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Cryptanalytic Results Hash function collisions Grøstl-256 4/10 Grøstl-512 5/14 Compression function collisions Grøstl-256 7/10 Grøstl-512 7/14 Permutation non-randomness Grøstl-256 8/10 Krystian Matusiewicz Grøstl – a SHA-3 candidate 25 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl : Enjoy! Krystian Matusiewicz Grøstl – a SHA-3 candidate 26 / 26.