

  1. On the Design of Hash Functions
Lars R. Knudsen, May 8, 2007

Outline: 1 Introduction; 2 Iterated hash functions; 3 Based on number-theoretic problems; 4 Block cipher constructions

Definition - hash function

$H : \{0,1\}^* \to \{0,1\}^n$, for fixed value of $n$

[Figure: a sample message is fed to $H$, which outputs 150763210262. Sample message text: "Aboriginal settlers arrived on the continent from Southeast Asia about 40,000 years before the first Europeans began exploration in the 17th century. No formal territorial claims were made until 1770, when Capt. James Cook took possession in the name of Great Britain. Six colonies were created in the late 18th and 19th centuries; they federated and became the Commonwealth of Australia in 1901. The new country took advantage of its natural resources to rapidly develop agricultural and manufacturing industries and" / "This slide is shown at the Ecrypt Summer School in Samos, Greece April 30, 2007."]

Iterated hash functions

[Figure: Message → Padding → $x_1, x_2, \ldots, x_{t-1}, x_t$; then $h_0$ → Compress($x_1$) → $h_1$ → Compress($x_2$) → ··· → $h_{t-1}$ → Compress($x_t$) → $h_t$]

Generic attacks

For $H : \{0,1\}^* \to \{0,1\}^n$ and $h : \{0,1\}^m \to \{0,1\}^n$, $m > n$

| attack | rough complexity |
|---|---|
| collisions | $\sqrt{2^n} = 2^{n/2}$ |
| 2nd preimages | $2^n$ |
| preimage | $2^n$ |

Goal: generic attacks are best (known) attacks

Damgård and Merkle (1989)

Build $H : \{0,1\}^* \to \{0,1\}^n$ from $h : \{0,1\}^m \to \{0,1\}^n$, $m > n$

1 apply padding such that $x = x_1 | \ldots | x_{t-1}$ and $x_{t-1}$ full block
2 append to $x$ integer $t-1$ as a string, $x = x_1 | \ldots | x_{t-1} | x_t$
3 define $h_0 = IV$ and $h_i = h(h_{i-1} | x_i)$ for $1 \le i \le t$
4 define $H(x) = h_t$

Theorem: collision for $H$ ⇒ collision for $h$
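The Damgård and Merkle construction and its theorem, as an added example that is not part of the slides: a toy iterated hash with n = 16 bits, where a birthday search finds a collision for H and walking the two chains backwards yields a collision for h. The compression function (truncated SHA-256), the 0x80 padding rule, the block size and all function names are assumptions made for the demonstration.

```python
import hashlib

N_BYTES = 2             # toy digest size n = 16 bits (assumption, keeps the search fast)
BLOCK = 4               # message block size in bytes (assumption)
IV = bytes(N_BYTES)     # h_0 = IV

def compress(chain, block):
    # Stand-in for h: {0,1}^m -> {0,1}^n (assumption: truncated SHA-256).
    return hashlib.sha256(chain + block).digest()[:N_BYTES]

def pad(msg):
    # Step 1: pad so x_1 .. x_{t-1} are full blocks (0x80 then zeros is an assumed rule).
    data = msg + b"\x80"
    data += bytes(-len(data) % BLOCK)
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    # Step 2: append the integer t-1 as the final block x_t.
    blocks.append(len(blocks).to_bytes(BLOCK, "big"))
    return blocks

def md_trace(msg):
    # Steps 3 and 4: h_i = h(h_{i-1} | x_i); returns H(x) = h_t and every input fed to h.
    h, calls = IV, []
    for x in pad(msg):
        calls.append((h, x))
        h = compress(h, x)
    return h, calls

def md_hash(msg):
    return md_trace(msg)[0]

def find_collision():
    # Generic birthday search: about 2^(n/2) = 256 trials expected for n = 16.
    seen = {}
    for i in range(2 ** (8 * N_BYTES) + 1):
        msg = b"msg-%d" % i            # constructed sample messages
        digest = md_hash(msg)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg

def collision_in_h(m1, m2):
    # The theorem as code: equal outputs with equal inputs push the equality one
    # step back; the first differing input pair is a collision for h.
    for a, b in zip(reversed(md_trace(m1)[1]), reversed(md_trace(m2)[1])):
        if a != b:
            return a, b
    return None
```

The appended block count is what makes the backward walk work for messages of different lengths: their final inputs to h already differ.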

  2. Number-theoretic, difficult problems

Factoring: given $N = pq$, find $p$ and $q$, where $p$, $q$ big, (odd) prime numbers, $p \ne q$

Discrete logarithm: given $\beta = \alpha^a \bmod p$, find $a$, where $p$ prime, $a$ chosen random from $Z_{p-1}$, $\alpha \in Z_p^*$ primitive

Note that not all instances of these problems are hard

Based on number-theoretic problems

$N = pq$, $p \ne q$, large odd primes, $\alpha$ fixed, large order mod $N$.

Public: $N$, $\alpha$

$H : \{0,1\}^* \to Z_N^*$

$H(x) = \alpha^x \bmod N$

Collision: $H(x) = H(x') \Rightarrow x - x' = k\,\phi(N)$.

With $N = pq$ and $\phi(N) = (p-1)(q-1)$ easy to find $p$ and $q$

Based on number-theoretic problems (2)

Goldwasser, Micali, Rivest

$N = pq$, $p \ne q$, large primes, $a_0$, $a_1$ random squares modulo $N$

Public: $N$, $a_0$, $a_1$

$h : \{0,1\} \times Z_N^* \to Z_N^*$

$h(b, y) = y^2 a_0^{b} a_1^{1-b} \bmod N$

Collision gives $x$, $x'$ such that $x^2 = x'^2 \bmod N$ → factoring

More efficient variants with more squares $a_0, \ldots, a_k$, Damgård

Based on number-theoretic problems (3)

Pfitzmann, Van Heijst

Public primes: $p$, $q = \frac{p-1}{2}$, s.t. DLP($p$) is hard

Public primitive elements of $Z_p$: $\alpha$, $\beta$ (randomly chosen)

$h : Z_q \times Z_q \to Z_p^*$

$h(x, y) = \alpha^x \beta^y \bmod p$

Find a collision for $h$ ⇒ compute $\log_\alpha(\beta)$

Based on number-theoretic problems (4)

$N = pq$, $p \ne q$, large primes

MASH-1 (Modular Arithmetic Secure Hash)

$h_i = ((m_i \oplus h_{i-1}) \vee a)^2 \pmod N \oplus h_{i-1}$

$m_i$: 4 most significant bits in every byte are redundant: equal to 1111 (last byte 1010), $a$ = 0xf00...00

MASH-2: replace exponent 2 by $2^8 + 1$

Claims: preimages $\sqrt{N} = N^{1/2}$, collisions $\sqrt{\sqrt{N}} = N^{1/4}$

Both in ISO/IEC 10118-4:1998

Number-theoretic hash functions

- most schemes slow, e.g., no real speed-up for use in digital signature schemes
- some schemes have unfortunate algebraic properties (may interact badly with other public-key algorithms)
- open problem to devise efficient "provably" secure hash function

  3. Newer constructions

VSH - Very Smooth Hash
- Contini, Lenstra, Steinfeld, 2005
- collision ⇒ nontrivial modular square roots of very smooth numbers modulo $N$ (composite)
- efficient collision finder implies fast factoring algorithm

LASH - A Lattice Based Hash Function
- Bentahar, Page, Saarinen, Silverman, Smart 2006
- based on the problem of finding small vectors in lattices

VSH - iterated hash function

Let $N = pq$ be a public RSA modulus ($p \ne q$, both secret)

Let $p_1, \ldots, p_k$ be public primes such that $\prod_{i=1}^{k} p_i < N$

Let $m = m_1, m_2, \ldots, m_{\ell k}$ be message, $m_i \in \{0,1\}$

$x_0 = 1$

$x_1 = x_0^2 \,(p_1^{m_1} p_2^{m_2} \cdots p_k^{m_k}) \bmod N$

$x_{j+1} = x_j^2 \prod_{i=1}^{k} p_i^{m_{jk+i}} \bmod N$

Hash($m$) $= x_\ell$

Block cipher - family of permutations

$e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$, $m = \kappa + n > n$

- each $\kappa$-bit key specifies bijective mapping on $n$ bits
- must hold for all $x$ and $k$ that $e_k^{-1}(e_k(x)) = x$.
- one-way function: given $x$ and $e_k(x)$, hard to find $k$.

[Figure: $x$ → $e$ → $y$, with key $k$ entering $e$ from above]

Product ciphers

- $e$ most often some layers of substitutions and permutations
- example. SP-networks, 's' for substitution, 'p' for permutation.

$e_k(x) = s_k \circ p_k \circ s_k \circ p_k \circ \ldots \circ s_k \circ p_k \circ s_k(x)$

- note that $s_k$ and $p_k$ must be invertible.

DES & AES

DES = Data Encryption Standard
AES = Advanced Encryption Standard

| system | year | block size | key size |
|---|---|---|---|
| DES | 1977 | 64 | 56 |
| AES | 2001 | 128 | 128, 192 or 256 |

Hash function using a block cipher

Why build on a block cipher?

Advantages:
- use existing technology
- transfer security (trust?!) to hash construction

Disadvantages:
- if "keys" change often, schemes slow (due to key-schedules)
- weaknesses of block cipher not relevant for encryption

  4. Hash rate

Given hash function built from block cipher $e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$

Rate is defined as

$\dfrac{\#\ n\text{-bit blocks hashed}}{\#\ \text{invocations of } e}$

Single block hash (Rabin)

$e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$

[Figure: $h_{i-1}$ → $e$ → $h_i$, with $m_i$ as the key input]

- rate $= \kappa / n$
- one-way: no, given $h_i$ easy to find $(m_i, h_{i-1})$
- attacker has full control over block cipher key

Single block hash, case: $\kappa > n$ (Merkle)

$e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$

[Figure: $x_0$ → $e$ → $h_i$, with $(m_i | h_{i-1})$ as the key input]

- $x_0$ fixed block
- rate $= (\kappa - n)/n$
- one-wayness: given $h_i$, hard to find $(m_i | h_{i-1})$
- collision resistance ??

Single block hash

$e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$

12 secure ones (Preneel 93, Black et al 2002), here three

- $h_i = e_{m_i}(h_{i-1}) \oplus h_{i-1}$ (Davies-Meyer)
- $h_i = e_{h_{i-1}}(m_i) \oplus m_i$ (Matyas-Meyer-Oseas)
- $h_i = e_{h_{i-1}}(m_i) \oplus m_i \oplus h_{i-1}$ (Preneel-Miyaguchi)

Hash rates. First one: $\kappa / n$, next two: 1

Collisions (birthday attack) in $2^{n/2}$ operations

Insufficient if $e$ is DES or AES

Many hash functions have Davies-Meyer form

Examples: MD4, MD5, SHAs

Pros and cons of Davies-Meyer

- Fixed points easy: $h_i = e_{m_i}(h_{i-1}) \oplus h_{i-1}$. Choose arbitrary $m_i$, set $h_{i-1} := d_{m_i}(0)$. Then $h_i = h_{i-1}$.
- Not possible in Matyas-Meyer-Oseas and Preneel-Miyaguchi
- Hash rates for Davies-Meyer can be (arbitrarily) high

Double block hash

Based on $e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$

Length of hash, $2n$ bits

Aim: $2^n$ security level for collisions

- MDC-2, Brachtl, Coppersmith et al 1988/1990
- PBGV, QG, LOKI-DBH, ....
- Parallel-DM, 1993
- Nandi, Hirose, 2005
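The Davies-Meyer fixed point described in the slides, as an added example that is not part of the original deck: for any chosen block m_i, setting h_{i-1} := d_{m_i}(0) makes the compression output equal its input. The 64-bit toy Feistel cipher standing in for e and d, its SHA-256 round function and all function names are assumptions made for the demonstration.

```python
import hashlib

ROUNDS = 4   # toy Feistel cipher with a 64-bit block (assumption, not a real cipher)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Keyed round function; any function works here, Feistel stays invertible.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt(key, block):
    # e_k: one permutation of the 64-bit blocks per key
    l, r = block[:4], block[4:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def decrypt(key, block):
    # d_k = e_k^{-1}: undo the rounds in reverse order
    l, r = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def davies_meyer(h_prev, m):
    # h_i = e_{m_i}(h_{i-1}) XOR h_{i-1}: the message block is the cipher key
    return _xor(encrypt(m, h_prev), h_prev)

def dm_fixed_point(m):
    # h_{i-1} := d_{m_i}(0)  =>  e_{m_i}(h_{i-1}) = 0  =>  h_i = 0 XOR h_{i-1}
    return decrypt(m, bytes(8))

def chain(h0, blocks):
    # Plain iteration of the compression function, without padding or length block
    h = h0
    for m in blocks:
        h = davies_meyer(h, m)
    return h
```

Because the message block is the key, whoever picks the block can run the cipher backwards; repeating that block any number of times leaves the chaining value unchanged, which a length block in the padding is meant to account for.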
