Eindhoven University of Technology MASTER Cryptanalysis of Hash
Eindhoven University of Technology
MASTER
Cryptanalysis of hash functions in particular the SHA-3 contenders Shabal and Blake
Aerts, N.K.M.
Award date: 2011

Disclaimer
This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration.

General rights
Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.
• Users may download and print one copy of any publication from the public portal for the purpose of private study or research.
• You may not further distribute the material or use it for any profit-making activity or commercial gain.

Cryptanalysis of Hash Functions
In particular the SHA-3 contenders Shabal and Blake
Nieke Aerts
Under supervision of Josef Pieprzyk & Benne de Weger
Macquarie University & Eindhoven University of Technology
August 18, 2011

Abstract
Since NIST announced the SHA-3 competition in 2007, many new attacks on hash functions have been born. We tried to understand and apply these new attacks to the second round candidate Shabal and the final round candidate BLAKE. In Chapter 2 we set out the definitions used in this thesis and we describe different attacks. In Chapter 3 we set forth the previous analysis of Shabal and our own ideas. In the same way we discuss BLAKE in Chapter 4. In the last chapter we discuss the comparison of these two functions.

Contents
1 Introduction  4
1.1 NIST competition  4
1.1.1 Security Requirements of SHA-3  4
1.2 Attacks on Hash functions  5
1.3 Cryptanalysis in the competition  5
1.4 Thesis Outline  5
2 Preliminaries  6
2.1 Hash Function/Hash Algorithm  6
2.1.1 Cryptographic hash function versus standard hash function  6
2.1.2 Basic Properties  6
2.1.3 Applications  7
2.2 Iterative Hash functions  7
2.2.1 Padding  8
2.2.2 Merkle-Damgård  8
2.3 Cryptanalysis  10
2.3.1 Security Criteria of Hash functions  10
2.3.2 (In)Differentiability  12
2.3.3 Linear Cryptanalysis  12
2.3.4 Differential Cryptanalysis  14
2.3.5 Boomerang Attack  17
2.3.6 Rebound Attack  18
2.3.7 AIDA/Cube Attack  19
3 Shabal  22
3.1 The mode of Operation  22
3.1.1 The Compression function R  23
3.2 Recent Analysis  24
3.2.1 On the permutation only  24
3.2.2 On the compression function R  25
3.2.3 On full Shabal  25
3.3 Indifferentiability  25
3.3.1 The original proof of Indifferentiability  26
3.4 Indifferentiability with a biased permutation  36
3.4.1 Conclusion on the Indifferentiability proofs  48
3.5 Neutral Bits  48
3.6 Does Shabal differ from a random function  50
3.7 Message extension Attack  51
3.8 The initial values  52
3.8.1 Changing one of the internal variables  52
3.9 T-functions  53
3.10 Linear Cryptanalysis  54
3.11 Expanding the pseudo-collision attack  54
3.11.1 Finding a near-collision  55
3.12 Rotational Attack  56
3.13 Shift Attack  57
3.14 Differential Attack  58
3.14.1 Combination of attacks  59
3.15 Algebraic properties of Shabal  59
3.15.1 Algebraic collision test for l ≤ log2(r)  60
3.15.2 Collisions for l > log2(r)  60
3.15.3 Application to Shabal  61
3.16 Conclusions on the security of Shabal  63
3.16.1 Ideas of further Analysis  63
4 BLAKE  64
4.1 The mode of operation  64
4.1.1 The compression function  64
4.1.2 Toy versions of BLAKE [1]  66
4.2 Recent Analysis  67
4.2.1 On the inner primitive G  67
4.2.2 On toy versions  67
4.2.3 On round-reduced versions  67
4.3 On the full function  68
4.4 Properties  69
4.4.1 The round function is a permutation  69
4.4.2 Differential Properties  71
4.4.3 Fixed points of G  77
4.4.4 On one round  78
4.4.5 On the compression function  79
4.4.6 Bounds on the probability of DC's for BLAKE  79
4.5 Conclusion  82
5 Comparison between Blake and Shabal  83
5.1 Hardware requirements & speed  83
5.2 Security  83
A Notations  90
B on Shabal  92
B.1 Differential Attack of Novotney  92
C on BLAKE  95
C.1 Initial Values and Constants  95
C.2 Impossible States  96
C.3 Proofs on output (D, 0, D0, 0)  97
C.4 Construction of Fixed Point Algorithms  113
C.5 Proof on DC's  114
D Proofs on combinations of operations  115

Chapter 1
Introduction

1.1 NIST competition

NIST began the standardization of hash algorithms in 1993 when they published the SHA-0 algorithm. Soon after, the algorithm was replaced by SHA-1 due to security issues of SHA-0. In 2001 the Merkle-Damgård based SHA-2 hash family was added to the standard hash algorithms by NIST. In 2005 SHA-1 was theoretically broken, which called for the use of the stronger algorithms of the SHA-2 family. In November 2007 NIST wrote out the request for candidate new hash algorithm families referred to as SHA-3. Up until now, no attack on SHA-2 is known, but a collision in the SHA-2 family would have catastrophic effects for digital signatures. Therefore the new hash family should be able to immediately replace SHA-2 if necessary. The requirements for submissions for the SHA-3 contest were published in [2]. NIST received sixty-four entries in 2008, of which fifty-one advanced to the first round. In 2009 fourteen candidates were selected for the second round. Meanwhile cryptanalysts all over the world were analyzing the candidates. In December 2010 the five finalists were selected, of which one will be selected as winner in the spring of 2012.

1.1.1 Security Requirements of SHA-3

The security requirements were published in [2, Part 4.A]. Here I will state the most important ones considering this thesis¹.

1. It should be possible and secure to use the hash family for a wide variety of cryptographic applications, including digital signatures, key derivation, hash-based message authentication codes and deterministic random bit generators.
2. Support HMAC, Pseudo Random Functions (PRF) and Randomized Hashing.
• The PRF must resist distinguishing attacks that require much fewer than 2^(n/2) queries and significantly less computation than a preimage attack.
• The construction for Randomized Hashing must be resistant to the following attack: the attacker chooses m1, the hashing algorithm processes this message with a randomization value r1 unknown to the attacker, and the attacker then tries to find a second message m2 and a randomization value r2 such that m2 with r2 is mapped to the same hash as m1 with r1. The construction should have at least n bits of security.
3. Collision resistance of approximately n/2 bits.
4. Preimage resistance of approximately n bits.
5. Second-preimage resistance of approximately n − k bits for any message shorter than 2^k bits².
6. Resistance to length extension attacks.
7. Any m-bit hash function specified by taking a fixed subset of the candidate's function output bits is expected to meet the above requirements with m replacing n.

¹ As the research for this thesis consists of cryptanalysis, we will only state the requirements considering this.

1.2 Attacks on Hash functions

Hash functions are used in many different applications, so an attack in one application is not necessarily an attack on every application. For a hash function to be broken one should be able to find a preimage, a second-preimage or a collision in feasible time. A hash function is computationally broken if one of those can be found with effort less than 2^(#output bits), but none has been found yet. The security of a hash function is questioned if there is a distinguishing attack, such that the attacker can distinguish the hash output from the output of a random oracle.

1.3 Cryptanalysis in the competition

The authors of contending functions and many more cryptologists are currently analyzing the hash functions of the SHA-3 contest. Several functions in the first round were broken. All of the second round contenders were thoroughly analyzed. This has helped the committee of NIST to decide which functions progress to the next round.

1.4 Thesis Outline

Chapter 2 is a preliminary chapter; it contains a small introduction to hash functions (many notations are borrowed from Menezes, van Oorschot and Vanstone [4]) and a description of analysis and some attacks on hash functions. In Appendix A we summarize the notations used in this thesis. The third and fourth chapter are organized identically: they start with a description of the function, secondly an overview of recent work is given, followed by some analysis of my own and ending with a conclusion.
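The generic work factors behind requirements 3 to 5 and 7, and an empirical check of the n/2-bit collision bound on a truncated hash (requirement 7 says an m-bit truncation should still offer about m/2 bits). This is an added example, not code from the thesis; the truncation width, the use of SHA-256 as the underlying function and the counter-style messages are constructed for the demonstration.

```python
import hashlib
import math


def truncated_hash(message: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-256(message) as an integer
    (the "fixed subset of output bits" of requirement 7)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)


def generic_bounds(n: int, k: int) -> dict:
    """Work factors (log2 of hash evaluations) that requirements 3-5 expect
    a generic attacker to need against an n-bit hash, for second preimages
    of messages shorter than 2^k bits."""
    return {"collision": n / 2, "preimage": n, "second_preimage": n - k}


def expected_birthday_trials(bits: int) -> float:
    """Mean number of random samples before the first repeat among 2^bits
    values, i.e. the birthday bound that motivates 'about n/2 bits'."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_truncated_collision(bits: int):
    """Generic birthday search on the m=`bits` truncated hash: hash
    constructed counter messages until two distinct ones share the
    truncated value. Returns (msg_a, msg_b, hash evaluations used)."""
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter  # constructed, deterministic inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


if __name__ == "__main__":
    m = 32  # small enough to run in well under a second
    msg_a, msg_b, trials = find_truncated_collision(m)
    print(f"m={m}: collision after {trials} hashes; birthday estimate "
          f"{expected_birthday_trials(m):.0f}; 2^(m/2) = {2 ** (m // 2)}")
    print(msg_a, msg_b, hex(truncated_hash(msg_a, m)))
    print("generic bounds for n=256, k=10:", generic_bounds(256, 10))
```

The number of hashes needed lands near 2^16 for a 32-bit truncation, which is what requirement 7 predicts for m = 32; the same search against the full 256-bit output would need about 2^128 evaluations.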
