Cryptographic Hash Functions: Cryptanalysis, Design and Applications by Praveen Gauravaram Bachelor of Technology in Electrical and Electronics Engineering Sri Venkateswara University College of Engineering, Tirupati, India, 2000 Master of Information Technology Queensland University of Technology, Brisbane, Australia, 2003 Thesis submitted in accordance with the regulations for Degree of Doctor of Philosophy Information Security Institute Faculty of Information Technology Queensland University of Technology 2007 ii Keywords Cryptography, hash functions, cryptanalysis, design, applications, Merkle-Damg˚ard construction, CAVE, 3CG, 3C, GOST-L, F-Hash, NMAC, HMAC, O-NMAC, M-NMAC, NMAC-1, Iterated Halving, digital signatures, side-channel attacks, practical and legal implications. iii iv Abstract Cryptographic hash functions are an important tool in cryptography to achieve certain security goals such as authenticity, digital signatures, digital time stamp- ing, and entity authentication. They are also strongly related to other important cryptographic tools such as block ciphers and pseudorandom functions. The stan- dard and widely used hash functions such as MD5 and SHA-1 follow the design principle of Merkle-Damg˚ard iterated hash function construction which was pre- sented independently by Ivan Damg˚ard and Ralph Merkle at Crypto’89. It has been established that neither these hash functions nor the Merkle-Damg˚ard con- struction itself meet certain security requirements. This thesis aims to study the attacks on this popular construction and propose schemes that offer more resistance against these attacks as well as investigating alternative approaches to the Merkle-Damg˚ard style of designing hash functions. This thesis aims at analysing the security of the standard hash function Cellular Authentication and Voice Encryption Algorithm (CAVE) used for authentication and key-derivation in the second generation (2G) North American IS-41 mobile phone system. In addition, this thesis studies the analysis issues of message authentication codes (MACs) designed using hash functions. With the aim to propose some efficient and secure MAC schemes based on hash functions. This thesis works on three aspects of hash functions: design, cryptanalysis and applications with the following significant contributions: • Proposes a family of variants to the Damg˚ard-Merkle construction called 3CG for better protection against specific and generic attacks. Analysis of the linear variant of 3CG called 3C is presented including its resistance to some of the known attacks on hash functions. • Improves the known cryptanalytical techniques to attack 3C and some other v similar designs including a linear variant of GOST, a Russian standard hash function. • Proposes a completely novel approach called Iterated Halving, alternative to the standard block iterated hash function construction. • Analyses provably secure HMAC and NMAC message authentication codes (MACs) based on weaker assumptions than stated in their proofs of security. Proposes an efficient variant for NMAC called NMAC-1 to authenticate short messages. Proposes a variant for NMAC called M-NMAC which offers better protection against the complete key-recovery attacks than NMAC. As well it is shown that M-NMAC with hash functions also resists side- channel attacks against which HMAC and NMAC are vulnerable. Proposes a new MAC scheme called O-NMAC based on hash functions using just one secret key. • Improves the open cryptanalysis of the CAVE algorithm. • Analyses the security and legal implications of the latest collision attacks on the widely used MD5 and SHA-1 hash functions. vi Contents Keywords iii Abstract v Declaration xvii Previously Published Material xix Acknowledgements xxiii 1 Hash Functions in Cryptology 1 1.0.1 SecurityGoalsinCryptography . 2 1.1 CryptographicHashFunctions. 3 1.1.1 Position of Hash Functions in Cryptology . 4 1.2 Design, Analysis and Applications of Hash Functions . .... 7 1.2.1 HashFunctionDesigns . 7 1.2.2 Hash Function Analysis . 8 1.2.3 Applications of Hash Functions . 9 1.3 AimsandObjectives ......................... 10 1.4 ResearchResults ........................... 11 2 An Overview of Merkle-Damg˚ard Hash Function Construction 15 2.1 DefinitionandProperties. 16 2.2 IteratedHashFunctions . 17 2.2.1 Merkle-Damg˚ardConstruction . 18 2.2.2 Hash Functions following the Merkle-Damg˚ard Structure . 20 2.2.3 Differences between Damg˚ard’s Design and Practical Hash Functions ........................... 22 vii 2.2.4 Compression Functions of Hash Functions . 23 2.3 AttacksonHashFunctions. 24 2.3.1 BruteforceAttacks. 24 2.3.2 CryptanalyticalAttacks . 25 2.3.3 Collision Attacks on the Compression Functions . 27 2.3.4 Collision finding Algorithms . 28 2.4 Generic Attacks on the Merkle-Damg˚ard Construction . .... 29 2.4.1 LengthExtensionAttacks . 30 2.4.2 JouxGenericAttacks. 31 2.4.3 Generic 2nd preimageAttacks . 33 2.4.4 HerdingAttack ........................ 35 2.5 Multi-block Collision Attacks on Hash Functions . .... 37 2.5.1 New Observations on Multi-block Collision Attacks . .. 37 2.6 Conclusion............................... 40 3 New Modes of Operation for Hash Functions 41 3.1 The 3CG Construction: An Enhancement to the Merkle-Damg˚ard Scheme................................. 43 3.1.1 The 3C construction: A Linear Variant of 3CG . 43 3.2 Analysis of 3C against Collision Attacks . 44 3.3 Security Analysis of 3C against Known Generic Attacks . 49 3.3.1 Analysis Against Joux’s Attacks . 49 3.3.2 Analysis against 2nd-preimageAttacks . 50 3.3.3 Analysis against Herding Attack . 51 3.3.4 Analysis against Length Extension Attacks . 51 3.3.5 Analysis against 2nd-collisionAttacks . 52 3.4 Comparison of 3C with Related Hash Function Proposals . 54 3.5 Hybrid Hash Function Constructions using 3C . 57 3.6 The 3C+ Construction........................ 58 3.6.1 SomeVariantsfor3Cand3C+ . 59 3.7 ImplementationIssues . 61 3.8 Conclusion............................... 61 4 Cryptanalysis of a Class of Cryptographic Hash Functions 65 4.1 Linear checksum variants of Merkle-Damg˚ard . .. 66 viii 4.1.1 GOSTanditsVariants. 66 4.1.2 F-HashHashFunction . 67 4.1.3 3C-GOST-LDesign. 68 4.2 Inapplicability of Known Generic Attack Techniques on GOST-L, F-Hashand3C-GOST-L . 69 4.2.1 2nd-preimageAttack ..................... 69 4.2.2 HerdingAttack ........................ 70 4.3 New Cryptanalytical Techniques . 71 4.3.1 Combining Multi-block Collisions and Multicollisions ... 71 4.3.2 Building 2t 2-block multicollisions on 3C .......... 71 4.3.3 Defeating the Linear Checksum in a 2t 2-block Multicolli- sion on 3C .......................... 72 4.3.4 Building a 2b 1-block Multicollision on GOST-L . 75 4.3.5 Defeating the Linear Checksum in 2b 1-block Multicollision onGOST-L .......................... 76 4.3.6 Defeating the Checksum in 2t Multicollision on F-Hash . 77 4.3.7 Defeating the Linear Checksum in 3C-GOST-L ...... 79 4.4 Generic Attacks on 3C, GOST-L, F-Hash and 3C-GOST-L . 82 4.4.1 Long-message 2nd-preimage Attack on 3C ......... 82 4.4.2 Herding Attack on 3C .................... 85 4.4.3 The Generic Attacks on Better Linear Checksums . 87 4.4.4 Making Meaningful Messages in the Attacks . 88 4.4.5 Some Other Techniques to Perform the Generic Attacks . 88 4.5 Collision Attacks on GOST-L, 3C andF-Hash. 89 4.6 Finding Multiple 2nd preimages for Hash Functions in less than 2t Work.................................. 91 4.6.1 Multi-2nd preimage Attack on the Cascade Constructions . 94 4.7 Conclusion............................... 95 5 Iterated Halving- A New Approach for Hash Function Design 97 5.1 IteratedHalvingStructure . 99 5.2 WorkingdetailsofanIHhashfunction . 102 5.3 Performance and Security of the IH Process . 103 5.4 SecurityAnalysis . .. .. 105 5.5 CRUSH: A Hash Function Proposal based on IH Technique . 108 ix 5.5.1 NotationandDefinitions . 108 5.5.2 WorkingDetailsofCRUSH . 111 5.6 Conclusion............................... 112 6 Improved Cryptanalysis of the CAVE Algorithm 117 6.1 NotationandDefinitions:. 118 6.2 TheCAVEAlgorithmDescription . 121 6.3 PracticalUsageofCAVE. 124 6.4 PropertiesoftheCAVEAlgorithm . 126 6.5 PreviousAnalysisofCAVE . 130 6.5.1 Millan’s Reconstruction Attack on CAVE . 131 6.6 Improved Cryptanalysis of CAVE . 134 6.7 Conclusion............................... 138 7 An Update on MACs based on Hash Functions 141 7.1 A Review of MACs based on Hash Functions . 143 7.1.1 NMAC and HMAC Functions . 150 7.1.2 Analysis of NMAC and HMAC . 152 7.1.3 SummaryoftheReviewonMACs. 154 7.2 Analysis of NMAC using Weaker Assumptions on the Hash Functions156 7.2.1 SecurityAnalysis . 156 7.3 AnEfficientVariantforNMAC . 159 7.3.1 SpecificationofNMAC-1 . 159 7.3.2 PerformanceAspectsofNMAC-1 . 160 7.3.3 Security Analysis of NMAC-1 . 161 7.3.4 Comparison of NMAC-1 with Other Efficient MACs based onHashFunctions . .. 163 7.4 M-NMAC:ANewVariantofNMAC . 166 7.4.1 Security Analysis of M-NMAC . 168 7.5 Pseudorandomness of NMAC and HMAC Functions . 168 7.6 On designing a MAC using a Hash Function with a Single Secret Key .................................. 172 7.6.1 TheO-NMACFunction . 173 7.6.2 AnalysisofO-NMAC. 174 7.6.3 Comparison with NMAC, HMAC and ACSC Constructions 178 x 7.7 Conclusion............................... 179 8 Side-Channel Cryptanalysis of MACs using Hash Functions 183 8.1 Side-channel Attacks on NMAC and HMAC . 185 8.1.1 DPAandReverseDPASettings . 185 8.1.2 Side-channel Attacks on NMAC and HMAC with 12 PGV Schemes ............................ 186 8.2 Side-channel Attacks on M-NMAC . 187 8.2.1 Target Compression Functions in M-NMAC . 187 8.2.2 Key Recovery Attacks on M-NMAC with 12 PGV Schemes 188 8.2.3 Extending Side-channel Analysis on M-NMAC to Forgery Attacks ............................ 190 8.2.4 Comparison with NMAC and HMAC . 190 8.3 Conclusion............................... 191 9 Collision Attacks on MD5 and SHA-1: Is this the “Sword of Damocles” for Electronic Commerce? 195 9.1 Practical and Legal Implication of Collision Attacks on MD5 and SHA-1 ................................. 196 9.1.1 DigitalSignaturesonMessages . 197 9.1.2 Digital Signatures on Digital Certificates .