
Hash Functions and SHA-3 - PowerPoint PPT Presentation



  1. Hash Functions and SHA-3. Lars R. Knudsen, February 13, 2008.

     Outline: 1 Introduction, 2 Iterated hash functions, 3 Block cipher constructions, 4 SHA-3, 5 Outtro.

     Definition - hash function

     $H : \{0,1\}^* \to \{0,1\}^n$, for fixed value of $n$.

     [Diagram: the text below is fed into $H$, which outputs 150763210262.]

     "Aboriginal settlers arrived on the continent from Southeast Asia about 40,000 years before the first Europeans began exploration in the 17th century. No formal territorial claims were made until 1770, when Capt. James Cook took possession in the name of Great Britain. Six colonies were created in the late 18th and 19th centuries; they federated and became the Commonwealth of Australia in 1901. The new country took advantage of its natural resources to rapidly develop agricultural and manufacturing industries and to make a major contribution to the British effort in World Wars I and II."

     Generic attacks

     For $H : \{0,1\}^* \to \{0,1\}^n$:

     | attack | rough complexities |
     |---|---|
     | collisions | $\sqrt{2^n} = 2^{n/2}$ |
     | 2nd preimages | $2^n$ |
     | preimage | $2^n$ |

     Goal: generic attacks are best (known) attacks.

  2. Further properties

     - "Behave like" a random oracle
     - Indifferentiable from random oracle
     - Variants of (second)-preimage resistance: aPre, ePre, aSec, and eSec
     - Security against:
       - Extension attack
       - Multi-collisions

     Structure

     - Classical Merkle-Damgård ?
     - Sponge ?
     - Two chains ?
     - RIPE-MD style
     - Checksums (MD2)
     - Double-pipe

     Iterated hash functions - (Merkle-Damgård schemes)

     [Diagram: Message → Padding → $x_1, x_2, \ldots, x_{t-1}, x_t$. Chain: $h_0$ → Compress (with $x_1$) → $h_1$ → Compress (with $x_2$) → $\cdots$ → $h_{t-1}$ → Compress (with $x_t$) → $h_t$.]

     Generic attacks - iterated hash functions

     For $H : \{0,1\}^* \to \{0,1\}^n$:

     | attack | rough complexities |
     |---|---|
     | collisions | $2^{n/2}$ |
     | 2nd preimages | $k\,2^{n/2} + 2^{n-k}$ with $2^k$ blocks |
     | preimage | $2^n$ |

  3. Merkle (1989)

     - $h : \{0,1\}^m \to \{0,1\}^t$, assume $m > t$
     - Split message, $x$, into blocks of $m - t$ bits.
     - If last block incomplete, pad with zeros.
     - Append extra block containing length of $x$ (bits)
     - Define $h_{i+1} = h(h_i, x_{i+1})$, $H(x) = h_s$.
     - Collision for $H$ means collision for $h$

     Damgård (1989)

     - $h : \{0,1\}^m \to \{0,1\}^t$, assume $m > t + 1$
     - Split message, $x$, into blocks of $m - t - 1$ bits.
     - If last block incomplete, pad with $d$ zeros.
     - Append extra block containing bin. repr. of $d$ (fixed length)
     - Then define $h_1 = h(\mathrm{iv} \mid 0 \mid x_1)$, $h_{i+1} = h(h_i \mid 1 \mid x_{i+1})$, $H(x) = h_s$.

     Damgård (1989) (2)

     - Parallelizable hash: $h : \{0,1\}^{2t} \to \{0,1\}^t$
     - Message $x$ of $j$ bits. Pad message with 0s until length is $2^j t$ for some $j$.
     - Let $h_0$ be padded message of $2^j t$ bits
     - Hash $h_0$ to $h_1$ of $2^{j-1} t$ bits using $h$
     - Hash $h_1$ to $h_2$ of $2^{j-2} t$ bits using $h$
     - Gives $h_j$ of $t$ bits
     - $H(x) = h(h_j \mid \mathrm{length}(x))$
     - collision for $H$ ⇒ collision for $h$

     Merkle-Damgård Strengthening, Lai-Massey (1992)

     - Build $H : \{0,1\}^* \to \{0,1\}^n$ from $h : \{0,1\}^m \to \{0,1\}^n$, $m > n$
     - Merkle's scheme: $H : \{0,1\}^N \to \{0,1\}^n$
     - Damgård's scheme: $H : \{0,1\}^* \to \{0,1\}^n$
     - Lai-Massey used Merkle's scheme and named the method Merkle-Damgård Strengthening
     - NB! Pad with '1', then zeros, then add message length (blocks) to message

  4. In the beginning there was ...

     Diffie and Hellman, 1976. New directions in cryptography. Digital signatures .... for efficiency:

     - "Let g be a one-way mapping from binary N-space to binary n-space...".
     - "Take the N bit message m and operate on it with g to obtain the n bit vector m′."
     - "It must be hard even given m to find a different inverse image of m′"
     - "Finding such functions appears to offer little trouble"

     Diffie-Hellman, $\kappa > n$

     - $e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$
     - [Diagram: $(m_i \mid h_{i-1})$ enters $e$ from above; $x_0$ is the input to $e$ and $h_i$ is the output.]
     - $x_0$ fixed block
     - 2nd preimages hard if $e$ secure against known-plaintext attack

     Hash function using a block cipher

     - Why build on a block cipher?
     - it's natural!
     - use existing technology
     - transfer security (trust?!) to hash construction
     - schemes "slow" (partly due to key-schedules)
     - weaknesses of block cipher not relevant for encryption

     Block cipher based hash functions

     - "Diffusion is more important than confusion in hash functions"
     - "Confusion is more important than diffusion in block ciphers"
     - Why?
     - Why not have S-boxes in hash functions?
     - How fast should/can a hash function be?

  5. Speed ..

     Additive stream cipher

     [Diagram: key $k$ enters from above and iv from the side; the keystream $z_1, z_2, z_3, z_4, \ldots$ comes out.]

     Block cipher

     [Diagram: key $k$ enters from above; $p_i$ goes in and $c_i$ comes out.]

     Hash function

     [Diagram: $m_i$ enters $f$ from above; $h_{i-1}$ goes in and $h_i$ comes out.]

  6. Speed ..

     - Additive stream cipher, known/chosen plaintext attack
     - Block cipher, chosen plaintext attack
     - Hash function, known/chosen-key attack

     | primitive | speed |
     |---|---|
     | Stream | 4-8 cycles/byte |
     | AES | 20 cycles/byte |
     | SHA-1 | 11 cycles/byte |
     | SHA-512 | 18 cycles/byte |

     DES & AES

     DES = Data Encryption Standard, AES = Advanced Encryption Standard

     | system | year | block size | key size |
     |---|---|---|---|
     | DES | 1977 | 64 | 56 |
     | AES | 2001 | 128 | 128, 192 or 256 |

     Hash rate

     Given hash function built from block cipher $e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$.

     Rate usually is defined as

     $$\frac{\#\ n\text{-bit blocks hashed}}{\#\ \text{invocations of } e}$$

     Ought perhaps be defined as

     $$\frac{\#\ n\text{-bit blocks hashed}}{\#\ \text{invocations of } e + \#\ \text{key-schedules}}$$

     Rabin, 1978

     - $e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$
     - [Diagram: $m_i$ enters $e$ from above; $h_{i-1}$ goes in and $h_i$ comes out.]
     - rate $= (\kappa/n)/(1+1)$
     - Yuval: collisions based on birthday paradox (79) (Merkle 79)
     - Pre-images in approximately same time

  7. Davies-Price variant of Rabin's scheme 1980

     [Diagram: two passes over the message. First pass: $h_0$ → $e$ → $e$ → $\cdots$ → $e$ → $e$ → $h_t$, with $m_1, m_2, \ldots, m_{t-1}, m_t$ entering from above. Second pass: $h_t$ → $e$ → $e$ → $\cdots$ → $e$ → $e$ → $h_{2t}$, with the same blocks $m_1, m_2, \ldots, m_{t-1}, m_t$ entering from above.]

     Coppersmith 1985:

     - preimage attack on one-chain Rabin $\approx 2^{n/2}$
     - preimage attack on two-chains Rabin $\approx 2^{n/2 + n/16}$ using multi-collisions

     Single block hash

     $e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$

     12 secure ones (Preneel 93, Black et al 02), here three:

     - Davies-Meyer: $h_i = e_{m_i}(h_{i-1}) \oplus h_{i-1}$
     - Matyas-Meyer-Oseas: $h_i = e_{h_{i-1}}(m_i) \oplus m_i$
     - Preneel-Miyaguchi: $h_i = e_{h_{i-1}}(m_i) \oplus m_i \oplus h_{i-1}$

     Hash rates. About 1/(1+1) (1/2 for DES and AES)

     Collisions (birthday attack) in $2^{n/2}$ operations

     MD4-family

     - MD4, Rivest 1990
     - MD5, Rivest 1991
     - SHA-0, 1993
     - SHA-1, 1994
     - all hash functions of Davies-Meyer form
     - "block ciphers" with feed-forward
     - hash rates for Davies-Meyer can be (arbitrarily) high

     Double block hash - based on block ciphers

     - Based on $e : \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$
     - Length of hash, $2n$ bits
     - Aim: $2^n$ security level for collisions
     - Merkle, 1989
     - MDC-2, Brachtl, Coppersmith et al 1988/1990
     - PBGV, QG, LOKI-DBH, ...., 1990s
     - Hirose, Nandi, 2005
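The three single-block constructions named on the slides, chained over a message padded with a '1' bit, zeros and the message length, written here as an added example that is not part of the original presentation. XTEA stands in for $e$ with $n = 64$; the key doubling, the IV value, the bit-length encoding and all function names are assumptions of this sketch, and a 64-bit digest gives only about $2^{32}$ work for collisions.

```python
import struct

BLOCK = 8  # n = 64 bits: block and chaining-value size of the stand-in cipher
IV = bytes.fromhex("0123456789abcdef")  # constructed h_0, not from the slides

def xtea_encrypt(key16: bytes, block8: bytes, rounds: int = 32) -> bytes:
    """XTEA with big-endian words, standing in for the block cipher e."""
    v0, v1 = struct.unpack(">2I", block8)
    k = struct.unpack(">4I", key16)
    s, delta, mask = 0, 0x9E3779B9, 0xFFFFFFFF
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & mask
        s = (s + delta) & mask
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & mask
    return struct.pack(">2I", v0, v1)

def e(key8: bytes, block8: bytes) -> bytes:
    # Assumption: the n-bit key input is doubled to fill XTEA's 128-bit key.
    return xtea_encrypt(key8 + key8, block8)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def davies_meyer(h: bytes, m: bytes) -> bytes:
    return xor(e(m, h), h)            # h_i = e_{m_i}(h_{i-1}) xor h_{i-1}

def matyas_meyer_oseas(h: bytes, m: bytes) -> bytes:
    return xor(e(h, m), m)            # h_i = e_{h_{i-1}}(m_i) xor m_i

def preneel_miyaguchi(h: bytes, m: bytes) -> bytes:
    return xor(xor(e(h, m), m), h)    # h_i = e_{h_{i-1}}(m_i) xor m_i xor h_{i-1}

def md_pad(msg: bytes) -> bytes:
    """Pad with a 1 bit, then zeros, then a final block holding the bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    return padded + struct.pack(">Q", 8 * len(msg))

def iterated_hash(compress, msg: bytes, iv: bytes = IV) -> bytes:
    """Chain the compression function over the padded message blocks."""
    h = iv
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK):
        h = compress(h, padded[i:i + BLOCK])
    return h

if __name__ == "__main__":
    for f in (davies_meyer, matyas_meyer_oseas, preneel_miyaguchi):
        print(f.__name__, iterated_hash(f, b"abc").hex())
```

Because the length block is always appended, a message that already ends in the padding bytes of a shorter message is padded to a different block sequence and hashes to a different value.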
