Hash Functions Vincent Rijmen Challenges and Perspectives for - - PowerPoint PPT Presentation

SLIDE 1

Hash Functions

Vincent Rijmen Challenges and Perspectives for Academia and Industry Antwerp, May 27th, 2008

SLIDE 2

A cryptographic hash function produces cryptographic checksums or fingerprints

  • Fast
  • Secure

[Figure: Hash Function]

SLIDE 3

Common uses of a hash function

[Figure: three uses of a hash function, labelled Representative, Commitment and Randomiser]

SLIDE 4

First security property: one-wayness

[Figure: Hash Function]

SLIDE 5

Second security property: collision resistance

[Figure: Hash Function]

SLIDE 6

Some definition problems

  • Information-theoretic

– Collisions always exist

  • Complexity-theoretic

– Standardised hash functions are fixed algorithms, not classes
– Finding a collision is difficult only the first time

  • Largely ignored by “practical” people

SLIDE 7

Some other problems

  • Designs with provable security often ignore properties which are important in practice
  • Near-collisions: two inputs give almost the same output

– May interact badly with applications

  • One-wayness: for all outputs, most outputs, most probable outputs?

SLIDE 8

Hash function design: Davies-Meyer (1979)

[Figure: Davies-Meyer construction; labels: Hi, Encryption (DES), Key sched, Mi, +, Hi+1]

SLIDE 9

MD4 (R. Rivest, 1990)

[Figure: MD4 structure; labels: Hi, State Update, Expansion, Mi, +, Hi+1]

SLIDE 10

MD4 state update: Unbalanced Feistel Network (48 iterations)

  • No arguments for its security
  • Fast on 32-bit CPUs

SLIDE 11

State updates in the MD4 family

[Figure: state update diagrams in three panels: SHA/SHA-1, SHA-256, MD4]

Design principles copied in MD5, RIPEMD, HAVAL, SHA, SHA-1, SHA-256, ...

– All hash functions in use today

SLIDE 12

Hash function crisis [2004-2005]

  • New cryptanalysis technique announced

– Novel method to do differential cryptanalysis

  • Collisions for MD4, MD5, RIPEMD in minutes
  • Collisions for SHA (SHA-0) in hours
  • Collisions for SHA-1 “theoretically possible”

– 2^69 hashing operations

SLIDE 13

Impact

  • These collisions have a very specific structure
  • Many applications rely on one-wayness only
  • Hiding structure might turn out to be the easiest part of the problem
  • Educating people that collisions may not endanger some applications might turn out to be a most difficult task
  • Impact should not be underestimated

SLIDE 14

Situation now: SHA-1

  • Collisions for reduced variants:

– 58 iterations in 2005,
– 64 iterations in 2006,
– 70 iterations in 2007

  • Collisions for SHA-1 still “theoretically possible”

– Estimated work for 80 iterations: 2^61 hashing operations
– Distributed effort http://boinc.iaik.tugraz.at

SLIDE 15

Situation now: alternatives

  • SHA-256 (64 iterations)

– Best result now is on 39 iterations
– Best result 4 months ago: collision on 18 iterations

  • RIPEMD-160

– Surprisingly (?) resistant

  • Whirlpool

– Based on AES-like block cipher

[Figure: chart for SHA-256; labels 18, 22, 24, 31, 39; axis 2006, 2008]

SLIDE 16

STVL activities on hash functions

  • Work group on hash functions
  • Two workshops (Krakow 2005, Barcelona 2007), sponsoring a third (Leiden 2008)
  • ECRYPT Position Paper on Recent Collision Attacks on Hash Functions (2004, 2005)
  • 30 internal documents, leading to 24 publications/talks at international conferences
  • ehash wiki http://ehash.iaik.tugraz.at
  • To be continued in ECRYPT2

SLIDE 17

STVL papers on hash functions

  • Cryptanalysis of SMASH, LASH, FORK-256, VSH, GOST
  • Analysis of MD4, SHA-1, SHA-256
  • Syndrome based hash functions
  • Iteration modes
  • Impact on APOP, NMAC, HMAC
  • ...

SLIDE 18

Challenge 1: break SHA-256

  • Security of SHA-256 is based on the fact that many people would rather eat liver than do a full security analysis
  • Automatic searching tools have been useful before

– DES, MD4, MD5, SHA-1

SLIDE 19

Challenge 2: proofs & properties

  • How to define security when

– Nothing is secret
– Everything is deterministic

  • What properties do we want

– Required in applications
– Properly definable and provable

  • Develop a usable hash function design theory

SLIDE 20

Hash function theory

  • What is the best we can hope for?
  • Study generic attacks

– Optimal one-wayness
– Meet-in-the-middle attacks

  • Good iteration modes:

– Relation between properties of compression function and properties of hash function

  • Leverage results from block cipher theory

– Known-key security of block ciphers
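
An added illustration, not part of the original slides, of two points the deck makes: collisions always exist (slide 6), and generic attacks set the best security one can hope for (slide 20). It runs a generic birthday collision search against SHA-256 truncated to n bits; the truncation, the function names and the constructed input prefix are assumptions of this example.

```python
import hashlib
import math


def truncated_sha256(data: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256(data): a stand-in for an n-bit hash (assumption)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)


def birthday_collision(n_bits: int, prefix: bytes = b"constructed-input-"):
    """Generic collision search: hash distinct messages until an output repeats.

    Uses no knowledge of the hash internals, so the same cost estimate
    applies to every n-bit hash function. Returns (msg_a, msg_b, evaluations).
    """
    seen = {}  # output value -> first message that produced it
    for count in range(2 ** n_bits + 1):  # pigeonhole: a repeat is guaranteed
        msg = prefix + str(count).encode()
        out = truncated_sha256(msg, n_bits)
        if out in seen:
            return seen[out], msg, count + 1
        seen[out] = msg
    raise AssertionError("unreachable: 2^n + 1 distinct inputs must collide")


def report(n_bits: int) -> dict:
    """Compare the measured cost with the two generic bounds."""
    msg_a, msg_b, evaluations = birthday_collision(n_bits)
    return {
        "n_bits": n_bits,
        "evaluations": evaluations,
        # Expected cost of the birthday search: sqrt(pi/2 * 2^n)
        "birthday_estimate": round(math.sqrt(math.pi / 2 * 2 ** n_bits)),
        # Information-theoretic certainty: 2^n + 1 inputs always collide
        "pigeonhole_bound": 2 ** n_bits + 1,
        "messages": (msg_a, msg_b),
    }


if __name__ == "__main__":
    for n in (16, 24, 32):
        print(report(n))
```

The measured cost tracks 2^(n/2), which is why an n-bit output can offer at most about n/2 bits of collision resistance regardless of how the function is designed.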

SLIDE 21

Challenge 3: practical design

  • SHA-3 development process organized by NIST

– Aim to be as successful as with AES process

  • Design & submission of new proposals

– Optimized MD4-style designs, or
– New types of designs

  • Evaluation: security & performance

SLIDE 22

Design question: S-boxes?

  • Can be made strongly non-linear
  • Tailored towards any criterion
  • Question: which properties are relevant?

SLIDE 23

Design question: state size

  • Output size n
  • Message block size m

  • How much state do we need in order to exclude generic attacks against the one-wayness?

  • Can we do less than 2n+m?

SLIDE 24

Design question: relevant attacks

  • Current attacks on hash function follow from differential cryptanalysis

  • First results with higher-order attacks are promising
  • What about saturation attacks?
  • Linear cryptanalysis?

SLIDE 25

Challenge 4: changing the real world

  • Propagate new insights and new designs into applications
  • Faster than with AES ☺
  • Different output size
  • Additional inputs?