www.ecrypt . eu. org Theory and practiceTitle of Presentation for hash functions Bart Preneel Kath o lie ke Un ivers ite it Leuven - COSIC [email protected] Cambridge, 1 February 2012 Insert presenter logo here on slide master Hash functions X.509 Annex D RIPEMD-160 MDC-2 SHA-256 SHA-3 MD2, MD4, MD5 SHA-512 SHA-1 This is an input to a crypto - graphic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are 1A3FD4128A198FB3CA345932 additional security conditions: it h should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision). 2 Applications • short unique identifier to a string – digital signatures – data authentication • one-way function of a string – protection of passwords – micro-payments • confirma tion o f k nowl e dge /comm itmen t • pseudo-random string generation/key derivation • entropy extraction • construction of MAC algorithms, stream ciphers, block ciphers,… 2005: 800 uses of MD5 in Microsoft Windows 3 Bridging theory and practice? 4 Agenda Definitions Iterations (modes) Compression functions Hash functions SHA-3 5 Security requirements (n-bit result) preimage 2nd preimage collision ? x ≠ ? ? ≠ ? h h h h h h(()x) h(()x) = h(()x’) h(()x) = h(x’) 2n 2n 2n/2 6 Length extension length extension: if one knows h(x), easy to compute h(x || y) without knowing x or IV IV H H 1 2 H = h(x) f f f 3 x1 x2 x3 IV H1 H2 H3 H4= h(x || y) f f f f x1 x2 x3 y solution: output transformation IV H1 H2 H3 f f f f g x1 x2 x3 x4 7 Informal definitions: NIST requirements for SHA-3 • One Way Hash Function (OWHF) – preimage resistance (2n) – 2nd preimage resistance (2n-L for 2L-bit message) • Collision Resistant Hash Function (CRHF): – collision resistant • Resistance to length extension • Proper ties sca le we ll w ith trunca tion • HMAC-PRF indistinguishable up to 2n/2 queries • Secure in randomized hashing mode 8 Brute force (2nd) preimage • multippgle target second preima ge (()1 out of M): if one can attack 2t simultaneous targets, the effort to find a single preimage is 2n-t • multiple target second preimage (M out of M): – time-memory trade -off with Θ(2n) precomputation and storage Θ(22n/3) time per (2nd) preimage: Θ(22n/3) [Hellman’80] – full cost per (2nd) preimage from Θ(2n) to Θ(22n/5) [Wiener’02] (if Θ(23n/5)t) targe ts are att ack ed) answer: randomize hash function with a parameter S (salt , key , spice,… ) 9 Formal definition: (2nd) preimage resistance Notation: Σ = {0,1}, l(n)>n A one-way hash function (OWFH) h is a function with domain D=Σl(n) and range R=Σn that satisfies the following conditions: • Pre: let x be selected uniformly in D and let M be an adversary that on input h(x) uses time ≤ t and outputs M(h(x)) ∈ D. For each adversary M, Prx ∈ D { h(M(h(x)))=h(x) } < ε. Here the prob. is also taken over the random choices of M. • Sec:let: let x be selected uniformly in D=Σl(n) and let M' be an adversary who on input x uses time ≤ t and outputs x' ∈ D with ≠ x' x. For each adversary M', Prx ∈ D {h(M{ h(M'(x)) =h(x) } < ε. Here the prob. is taken over the random choices of M'. 10 Formal definitions: collision resistance A collision-resistant hash function (col) h is a function with domain D=Σl(()n) and range R=Σn that that satisfies the following conditions: • for each collision string finder F that uses time ≤ t and outputs either “?” or a pair x, x' ∈ Σl(n) with x' ≠ x such that h(x‘)=h(x) we have that Pr{ F(H) ≠ “?‘” } < ε. Here the prob. is taken over the random choices of F. Is this correct? No ! For every h there are many (s hor t) collidi ng s tr ings, and so there exist many very simple collision string finders F that output a collision with probability 1 11 Formal definitions: collision resistance A collision-resistant hash function family (CRHF) H is a l(n) n function family {hS} with domain D=Σ and range R=Σ and indexed by a “key” S that that satisfies the following conditions: • let F be a collision string finder that on input S ∈ Σs uses time ≤ t and outputs either “?”? or a pair x, x ' ∈ Σl(n) with x' ≠ x such that hS(x‘)=hS(x). For each F, ≠ PrS { F(H) “?‘” } < ε. Here the prob. is also taken over the random choices of F. 12 Formal definitions - continued • for collision resistance: formalization requires a family, btbut see [Stinson ’06], [R ogaway’06] : “formali z ing human ignorance” • for (2nd) preimage resistance, one can choose the challengg()e (x) and/or the key y() (S) that selects the function , resulting in 3 flavors [Rogaway-Shrimpton’04]: 1. random challenge, random key (Pre and Sec) 2. randkfidhll(PdSdom key, fixed challenge (ePre and eSec - everywh)here) (eSec=UOWHF) 3. fixed keyyg(, random challenge (aPre and aSec - alwayy)s) • complex relationship (see figure on next slide) 13 Relations between security properties [Rogaway-Shrimpton’04] Even if Coll [Andreeva-Stam’10] eSec/Pre: bound always 2n/2 << 2n ∀Q rPre Easy to prove d Relevant in practice How does ePre (theoretically easy to prove) relate to dPre (practically relevant)? For sufficiently Col secure H, ePre implies dPre (if the message space has sufficient Rényi2 entropy > |Y|) 14 Collision resistance • more complex to formalize • hard to achieve in theory – [Simon’ 98] one cannot derive collision resistance from “general” preimage resistance (there exists no black box reduction) • hard to achieve in practice – requires double output length 2n/2 versus 2n – many attacks Good news: not alwayyys necessary Even better news: rarely necessary 15 How to solve collision problem in digital signatures? Message m UOWHF TCR $ Random r r ← {0,1}k eSEC Signature Sig SKA ( r || hr(m)) SKA • Hash fffunction is only chosen after the message has been committed to, so collisions for a particular hash function are useless • If two messages m, m’ are found with the same signature, the signer must have cheated by first choosing r and then finding a collision • Fine in theory, but will this work in p ractice? 16 Courts and second preimage resistance 17 Pseudo-random function computationally indistinguishable from a random function $ $ prf ← hK(.) ← f Advh = Pr [ K K: A 1] - Pr [ f RAND(m,n): A 1] RAND(m,n): set of all functions from m-bit to n-bit strings K h f ?or?? or ? This concept makes only sense for a function with a D secret key 18 Indifferentiability from a random oracle or PRO property [Maurer+04] variant of indistinguishability appropriate when distinguisher has access to inner component (e.g. bu ilding bloc k o f a hash function) ∃ Simulator S, ∀ distinguisher DAdvD, AdvPRO(H,S) is small FIL H VIL RO S (hash function) RO ? or ? !! But [Ristenpart-Shacham- D Shrimpton’11]: not always suffic ient for ROM secur ity 19 Properties in practice • other properties are needed: – near-collis ion res is tance – partial preimage resistance (most of input known) – multiplication freeness – MAC property Which properties How to formalize are relevant? these requirements and the relation between all these properties? Keyed or unkeyed? Who chooses the key? What about the salt? 20 21 Itera tion (df(mode of compress ifion functi ti)on) 22 22 Hash function: iterated structure IV H1 H2 H3 f f f f g x1 x2 x3 x4 Fix IV Are the roles of the Unambiguous padding 2 inputs of the Suffix-free encoding compression function really equivalent? [Merkle’89-Damgård’89] f is collision resistant h is collision resistant 23 Attacks on MD-type iterations • multi-collision attack and impact on concatenation [Joux’04] • long message 2nd preimage attack [Dean-Felten-Hu'99], [Kelsey-Schneier’05] – Sec security degrades lineary with number 2t of message blocks hashed: 2n-t+1 +t2+ t 2n/2+1 – appending the length does not help! • herding attack [Kelsey-Kohno’06] – reduces security of commitment using a hash function from 2n – on-line 2n-t + precomputtitation 222.2(n+t)/2 + storage 2t 24 Improving MD iteration salt + output transformation + counter + wide pipe salt salt salt salt salt IV H1 H H 2 3 g 2n f 2n f 2n f 2n f 2n n x x x x |x| 1 1 2 2 3 3 4 4 25 Improving MD iteration • degradation with use: salting (family of functions, randii)domization) – or should a salt be part of the input? • PRO/Indif: strong output transformation g – also solves length extension • long message 2nd preimage: preclude fix points → – counter f fi [Biham-Dunkelman’07] • multi-collisions, herding: avoid breakdown at 2n/2 with larger internal memory: known as wide pipe – e.g., extended MD4, RIPEMD, [Lucks’05] 26 Some Domain Extender Security Results [Andreeva-Neven-P-Shrimpton07], [Andreeva-Mennink-P11] Col Sec aSec eSec Pre aPre ePre Indif 1. SMD [M90, D90] + - - - - - + - 2. Linear hash [BR97] -- - - - - ++ 3. XOR Linear hash [BR97] + -- + -- + - 4. Shoup's hash [Sho00] + -- + -- + - 5. BCM [AP08] ++ ----+ ? 6. Prefix-free MD [CDMP05] -- - - - - ++ 7. Randomized hash [HK06] + -- --- + - 8. HAIFA [BD06] + -- --- + + 9. Enveloped MD [BR06] + -- --- ++ 10. Str. Merkle Tree [[]Mer80] + -- --- + ? 11. Linear Tree [BR97] -- - - - - + ? 12. ROX [ANPS07] ++ + + + + + ? 27 Preservation • which constructions preserve which properties? • or is it ok if we can prove security for the iteration? • assumptions on compression function f for PRO/Indif – f is preimage aware (MD) – f is FIL-PRO (variant of MD) Can tight Impact of results reductions be in ideal model? made? Is it meaningful to preserve Pre? 28 Compression function 29 29 Block cipher (EK) based: single block length Davies-Meyer Miyaguchi-Preneel Hi Hi H x i-1 E i E xi Hi-1 • outppgut length = block len g;;ygth
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages60 Page
-
File Size-