Hash Functions and SHA-3 2 Iterated Hash Functions

Hash Functions and SHA-3 2 Iterated Hash Functions

Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro 1 Introduction Hash Functions and SHA-3 2 Iterated hash functions Lars R. Knudsen 3 Block cipher constructions 4 SHA-3 February 13, 2008 5 Outtro 1/59 2/59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Definition - hash function Generic attacks For H : {0, 1}∗ →{0, 1}n Aboriginal settlers arrived on the conti- nent from Southeast Asia about 40,000 years before the first Europeans began ex- ploration in the 17th century. No formal attack rough complexities territorial claims were made until 1770, √ when Capt. James Cook took possession n n/2 inthenameofGreatBritain.Sixcolonies - - collisions 2 =2 were created in the late 18th and 19th H 150763210262 n centuries; they federated and became the 2nd preimages 2 Commonwealth of Australia in 1901. The n new country took advantage of its nat- preimage 2 ural resources to rapidly develop agricul- tural and manufacturing industries and to make a major contribution to the British effort in World Wars I and II. Goal: generic attacks are best (known) attacks H : {0, 1}∗ →{0, 1}n, for fixed value of n 3/59 4/59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Further properties Structure “Behave like” a random oracle Classical Merkle-Damg˚ard ? Indifferentiable from random oracle Sponge ? Variants of (seond)-preimage resistance Two chains ? aPre, ePre, aSec, and eSec RIPE-MD style Checksums (MD2) Security against Double-pipe Extension attack Multi-collisions 5/59 6/59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Iterated hash functions - (Merkle-Damg˚ard schemes) Generic attacks - iterated hash functions ∗ n For H : {0, 1} →{0, 1} Message - Padding - x1, x2,...,xt−1, xt attack rough complexities collisions 2n/2 2nd preimages k2n/2 +2n−k with 2k blocks preimage 2n x1 P x2 P xt P - PP - PP - PP PPP PPP PPP - Compress - Compress - - Compress - h0 ··· ht h1 ht−1 7/59 8/59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Merkle (1989) Damg˚ard (1989) h : {0, 1}m →{0, 1}t , assume m > t +1 h : {0, 1}m →{0, 1}t , assume m > t Split message, x,intoblocksofm − t − 1bits. Split message, x,intoblocksofm − t bits. If last block incomplete, pad with d zeros. If last block incomplete, pad with zeros. Append extra block containing bin. repr. of d (fixed length) Append extra block containing length of x (bits) Then define Define hi = h(hi , xi ), +1 +1 h1 = h(iv | 0 | x1) H(x)=hs . hi+1 = h(hi | 1 | xi+1) Collision for H means collision for h H(x)=hs . 10 / 59 13 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Damg˚ard (1989) (2) Merkle-Damg˚ard Strengthening, Lai-Massey (1992) Build H : {0, 1}∗ →{0, 1}n from h : {0, 1}m →{0, 1}n, m > n Merkle’s scheme Parallelizable hash: h : {0, 1}2t →{0, 1}t H : {0, 1}N →{0, 1}n Message x of j bits. j Pad message with 0s until length is 2 t for some j. Damg˚ard’s scheme j Let h0 be padded message of 2 t bits H : {0, 1}∗ →{0, 1}n j−1 Hash h0 to h1 of 2 t bits using h j−2 Lai-Massey used Merkle’s scheme and named the method Hash h1 to h2 of 2 t bits using h Merkle-Damg˚ard Strengthening Gives hj of t bits H(x)=h(hj | length(x)) collision for H ⇒ collision for h NB! Pad with ’1’, then zeros, then add message length (blocks) to message 14 / 59 15 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro In the beginning there was ... Diffie-Hellman, κ>n e : {0, 1}κ ×{0, 1}n →{0, 1}n Diffie and Hellman, 1976. New directions in cryptography. (mi | hi− ) Digital signatures .... for efficiency: 1 “Let g be a one-way mapping from binary N-space to binary n-space...”. “Take the N bit message m and operate on it ? with g to obtain the n bit vector m .” - - x0 e hi “Itmustbehardevengivenm to find a different inverse image of m” x0 fixed block “Finding such functions appears to offer little trouble” 2nd preimages hard if e secure against known-plaintext attack 19 / 59 20 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Hash function using a block cipher Block cipher based hash functions Why build on a block cipher? it’s natural ! “Diffusion is more important than confusion in hash functions” use existing technology “Confusion is more important than diffusion in block ciphers” transfer security (trust?!) to hash construction Why? Why not have S-boxes in hash functions ? How fast should/can a hash function be ? schemes “slow” (partly due to key-schedules) weaknesses of block cipher not relevant for encryption 21 / 59 22 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Speed .. Additive stream cipher k ? - - iv z1, z2, z3, z4,... 23 / 59 24 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Block cipher Hash function k mi ? ? - - pi - - ci hi−1 f hi 25 / 59 26 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Speed .. DES & AES Additive stream cipher, known/chosen plaintext attack DES = Data Encryption Standard Block cipher, chosen plaintext attack AES = Advanced Encryption Standard Hash function, known/chosen-key attack Stream 4-8 cycles/byte system year block size key size AES 20 cycles/byte DES 1977 64 56 SHA-1 11 cycles/byte AES 2001 128 128, 192 or 256 SHA-512 18 cycles/byte 27 / 59 28 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Hash rate Rabin, 1978 e : {0, 1}κ ×{0, 1}n →{0, 1}n Given hash function built from block cipher mi e : {0, 1}κ ×{0, 1}n →{0, 1}n Rate usually is defined as ? # n-bit blocks hashed - - hi− e hi #invocationsofe 1 Ought perhaps be defined as rate = (κ/n)/(1 + 1) # n-bit blocks hashed #invocationsofe + # key-schedules Yuval: collisions based on birthday paradox (79) (Merkle 79) Pre-images in approximately same time 29 / 59 30 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Davies-Price variant of Rabin’s scheme 1980 Single block hash { , }κ ×{ , }n →{ , }n m e : 0 1 0 1 0 1 m1 m2 t−1 mt ↓ ↓ ↓ ↓ h0 −→ e −→ e −→·········−→ e −→ e −→ ht 12 secure ones (Preneel 93, Black et al 02), here three m ⊕ m1 m2 t−1 mt hi = emi (hi−1) hi−1 Davies-Meyer ↓ ↓ ↓ ↓ h −→ e −→ e −→·········−→ e −→ e −→ h ⊕ t 2t hi = ehi−1 (mi ) mi Matyas-Meyer-Oseas ⊕ ⊕ hi = ehi−1 (mi ) mi hi−1 Preneel-Miyaguchi Coppersmith 1985: Hash rates. About 1/(1+1) (1/2 for DES and AES) preimage attack on one-chain Rabin ≈ 2n/2 preimage attack on two-chains Rabin ≈ 2n/2+n/16 using Collisions (birthday attack) in 2n/2 operations multi-collisions 31 / 59 33 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro MD4-family Double block hash - based on block ciphers MD4, Rivest 1990 Based on e : {0, 1}κ ×{0, 1}n →{0, 1}n MD5, Rivest 1991 Length of hash, 2n bits SHA-0, 1993 Aim: 2n security level for collisions SHA-1, 1994 Merkle, 1989 all hash functions of Davies-Meyer form MDC-2, Brachtl, Coppersmith et al 1988/1990 PBGV, QG, LOKI-DBH, ...., 1990s “block ciphers” with feed-forward Hirose, Nandi, 2005 hash rates for Davies-Meyer can be (arbitrarily) high 34 / 59 35 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Merkle’s double block schemes with DES (1989) MDC-2 mi “DES can be used to build a one-way hash function which is q secure” qq ? ? if DES fails “it seems almost certain that some block cipher h1 -φ- e h2 -φ- e exist with the desirable properties” i−1 1 i−1 2 ? ? i i proof of security in ideal cipher model ? ? X A B XX C D 55 XX collisions ≈ 2 , inconvenient block sizes, low hash rates XX XXXz ? 9 ? A D C B “recent proposal from IBM looks very hopeful”, but no proof.. ? ? 1 2 hi hi 36 / 59 37 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro MDC-2 MCD-2 used with DES and AES (Best known attacks) DES AES designed for DES but can be used with any block cipher Preimage attack 283 2192 83 192 hash rate 1/(2+2) (1/4 for DES and AES) 2nd preimage attack 2 2 Collision attack 255 2128 1992: Coppersmith “defends” MDC-2 Hash rate 1/4 1/4 For use with AES, “proof” that collision requries > 275 operations (Steinberger 2007) 38 / 59 39 / 59 Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    13 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us