Professional Documents
Culture Documents
November 2014
Hash functions
X.509 Annex D
RIPEMD-160
MDC-2
SHA-256
SHA-512
SHA-3
SHA-1
Bart Preneel
KU Leuven - COSIC
firstname.lastname@esat.kuleuven.be
1A3FD4128A198FB3CA345932
Applications
Agenda
Definitions
Iterations (modes)
Compression functions
protection of passwords
micro-payments
Constructions
confirmation of knowledge/commitment
g
SHA-3
SHA 3
Conclusions
Preimage resistance
collision
2nd preimage
preimage
(username, password)
but
(username,hash(password))
h(x)
h(x)
2n
= h(x)
2n
h(x)
h(x)
h
h(x)
2n/2
2n
5
November 2014
Collision resistance
hacker Alice prepares two versions
of a software driver for the O/S
company Bob
h(x)
Channel 2: low capacity but secure
( authenticated
(=
th ti t d cannott be
b modified)
difi d)
h(x)
= h(x)
2n
7
h
h(x)
h(x)
2n/2
collision
x is correct code
x contains a backdoor that gives Alice
access to the machine
collision
h
h(x)
r terms
q = 1 - p = 1 . 364/365 . 363/365 . 362/365 (365-(r-1))/365
q = 1-p 0.5 for r = 23
h(x)
intuition: number of distinct pairs of people is 23.22/2 = 253; each pair has
probability 1/365 to have the same birthday
2n/2
9
10
r terms
12
November 2014
Pseudo-random function
computationally indistinguishable from a random function
f
? or ?
[Hellman80]
13
14
Quantum computers
in principle exponential parallelism
240
targets in
[Grover96]
15
16
Properties in practice
collision resistance is not always necessary
other properties are needed:
Iteration
( d off compression
(mode
i ffunction)
ti )
17
18
18
November 2014
IV
Message block 1: x1
Message block 2: x2
x1
H1
x2
H2
H3
x4
x3
Message block t: xt
IV
H1
x2
x1
IV = H1
H2
x2
H3
[Merkle89-Damgrd89]
H2
H3
x4
x3
20
x4
x3
21
22
IV
x2
x1
IV
H1
H1
H2
H3
H4= h(x || y)
x3
x1
H1
x2
multi-collision
multi collision attack and impact on concatenation
herding attack
[J
[Joux04
04]
[Kelsey-Kohno06]
H3= h(x)
x3
x2
x1
H2
H2
x3
H3
x4
g
23
24
November 2014
[Coppersmith85][Joux04]
answer: concatenation
h1 (n1-bit result) and h2 (n2-bit result)
h(x)=h(x)
iintuition:
t iti
th
the strength
t
th off g against
i t
collision/(2nd) preimage attacks is the
product of the strength of h1 and h2
h1
h2
but.
26
x1, x1
H1
x2, x2
H2
x3, x3
H3
much harder than finding a single collision (if the size of the
internal memory is n bits)
algorithm
generate R =
x4, x4
f IV:
for
IV collision
lli i for
f block
bl k 1:
1 x1, x1
R
2n1/2-fold
multi-collision
lti lli i ffor h2
in R: search by brute
force for h1
h1
h2
27
28
Improving MD iteration
IV
29
2n
x1
salt
H1
f
1
2n
x2
f
2
salt
H2
2
2n
x3
f
3
salt
salt
H3
2n
x4
2n
|x|
4
30
November 2014
Improving MD iteration
x1 x2
x3
x7
x8
x5 x6
x4
counter f fi [Biham-Dunkelman07]
31
32
x2
x3
h1
x4
Modes: summary
growing theory to reduce security properties of
hash function to that of compression function
(MD) or permutation (sponge)
h2
H10
r
H20
squeeze
absorb
if result has n bits, H1 has r bits (rate), H2 has c bits (capacity) and
the permutation is ideal collisions
min (2c/2 , 2n/2)
2nd preimage min (2c/2 , 2n)
preimage
min (2c , 2n)
33
34
IV
Compression
p
functions
H1
x4
x3
x2
x1
H2
E
H2
H3
H4
H2
35
35
36
November 2014
Permutation () based
small permutation
Grstl
parazoa
Miyaguchi-Preneel
Davies-Meyer
JH
Hi
Hi-1
xi
xi
Hi
H1i-1
H2i-1
Hi-1
H2i
Hi-1
xi
xi
H1i
Hi
[Mennink12]
Number of
block cipher
calls
[Jetchev-zen-Stam12]
(2)
2n/3
MDC-4
MDC-2
(2)
(4)
sponge is simpler
should xi and Hi-1 be treated differently?
trivial
(1)
n 5n/4
3n/2
2n
preimage
39
40
DES
1980
Hash function
constructions
t ti
HARDWARE
5n/8
3n/5
n/2
single
block
length
1990
2000
SOFTWARE
(3)
Open problems:
collision
38
double
block
length
AES
small
permutations
ad hoc
schemes
Dedicated
MD2
MD4
MD5
security
reduction
for
factoring,
DLOG,
lattices
SNEFRU
SHA-1
RIPEMD-160
SHA-2
Whirlpool
SHA-3
2010
41
41
42
November 2014
Ext. MD4
HAVAL
RIPEMD
x0
RIPEMD-160
SHA-2
92
94
95
02
SHA-3
12
A0
B0
A1
B1
C0
D0
C1
D1
C16
D16
93
SHA(-0)
H i-1
90
91
MD5
SHA-1
MD5
x15
A16
B16
xp(0)
A17
B17
xp(15)
A32
B32
xq(0)
A33
B33
xq(15)
A48
B48
C48
D48
xr(0)
A49
B49
C49
D49
xr(15)
A64
B64
C17
D17
C32
D32
C33
D33
xi
K
i
C64
D64
+
Hi
43
44
SHA/SHA-1
SHA-256
90
80
70
60
50
40
30
20
10
0
19
92
19
92
19
94
19
96
19
98
20
00
20
02
20
04
20
06
20
08
20
10
MD4
MD5
SHA-0
SHA-1
Brute force
45
46
SHA-1
Rogue CA attack
log2 complexity
[Wang+05]
[Mendel+08]
[Wang+04]
[Sugita+06]
[Manuel+09]
[Stevens12]
impact: rogue CA
that can issue certs
that are trusted by
all browsers
[McDonald+09]
Most attacks
unpublished/withdrawn
User1
Self-signed
root key
CA1
CA2
User2
User x
Rogue CA
6CAshaveissuedcertificatessignedwithMD5in2008:
47
RapidSSL,FreeSSL(freetrialcertificatesofferedbyRapidSSL),TCTrustCenter
AG,RSADataSecurity,Verisign.co.jp
48
November 2014
Upgrades
SHA-2 [FIPS180,NIST02]
SHA-224, SHA-256, SHA-384, SHA-512
non-randomness
d
4
47/64
/64 steps ((practical)
i l) [Bi
[Biryukov+11][Mendel+11]
k
11][M d l 11]
49
50
02/11/07
SHA-3
80
(bit and
(bits
db
bytes)
t )
60
64
51
Final (5):
10/12/10
Selection:
02/10/12
40
14
20
Q4/10
Q4/12
0
Q4/08
Q3/09
round 1
final
52
The candidates
Preliminary cryptanalysis
53
round 2
51
51
54
November 2014
Round 2 candidates
55
56
[Watanabe10]
Blake-256
Grstl-256
JH-256
K
Keccak-256
k 256
Skein-256
pre
sec
coll.
indiff. assumption
256
256
256
256
256
256
256-L
256
256
256
128
128
128
128
128
128
128
256
256
256
E ideal
, ideal
ideal
ideal
id l
E ideal
ideal
SHAKE-128
128
128
128
128
NIST
256
256-L
128
57
58
Software performance
eBash [Bernstein-Lange]
Blake-512
Grstl-512
JH-512
K
Keccak-512
k 512
Skein-512
pre
sec
coll.
512
512
256
512
512
512
512-L
256
512
512
256
256
256
256
256
256
256
256
512
256
E ideal
, ideal
ideal
ideal
id l
E ideal
ideal
logarithmic scale
indiff. assumption
SHAKE-512
256
256
256
256
NIST
512
512-L
256
slower
59
factor 4 in cycles/byte
60
10
November 2014
Keccak
SHA256
Blake
Keccak
BMW
16
CubeHash
ECHO
Fugue
12
Grostl
Grstl
Hamsi
JH
Keccak
Luffa
Blake
Shabal
SIMD
nominal version:
Skein
Skein
0
0
SHAvite
JH
40,000
80,000
120,000
160,000
200,000
Area
(GateEqv)
24 rounds of 5 steps
61
62
2001
6 versions
SHA3-224: n=224; c =
SHA3-256: n=256; c =
SHA3 384: n=384; c =
SHA3-384:
SHA3-512: n=512; c =
SHAKE128: n=x; c =
SHAKE256: n=x; c =
448;
512;
768;
1024;
256;
512;
r = 1152
r = 1088
r = 832
r = 576
r = 1344
r = 1088
(72%)
(68%)
(52%)
(36%)
(84%)
(68%)
pad 01
if result has n bits, H1 has r bits (rate), H2 has c bits (capacity) and
the permutation is ideal collisions
min (2c/2 , 2n/2)
2nd preimage min (2c/2 , 2n)
preimage
min (2c , 2n)
(estimated)
63
64
11