new techniques for cryptanalysis of cryptographic hash
play

New Techniques for Cryptanalysis of Cryptographic Hash Functions - PowerPoint PPT Presentation

Sep 13, 2023 •13 likes •963 views

New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafi Chen Department of Computer Science, Technion Israel Institute of Technology Joint work with Eli Biham Cryptoday 2011 p. 1/52 Talk Outline Definition and properties

  1. New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafi Chen Department of Computer Science, Technion – Israel Institute of Technology Joint work with Eli Biham Cryptoday 2011 – p. 1/52

  2. Talk Outline Definition and properties Applications Hash functions from the 90’s till today Merkle-Damgård construction and its weaknesses Differential cryptanalysis of hash functions. The multi-block technique. The neutral-bits technique. Results. Cryptoday 2011 – p. 2/52

  3. A Cryptographic Hash Function A Cryptographic hash function H takes a message of arbitrary length and generates a short fingerprint. H : { 0 , 1 } ∗ �→ { 0 , 1 } m Cryptoday 2011 – p. 3/52

  4. A Cryptographic Hash Function A Cryptographic hash function H takes a message of arbitrary length and generates a short fingerprint. H : { 0 , 1 } ∗ �→ { 0 , 1 } m H has no secret key or hidden data. Cryptographic applications that use it rely on its properties. Cryptoday 2011 – p. 3/52

  5. Required Properties Preimage resistance ( 2 n ): n M * = H(M ) H(M) M H M * Cryptoday 2011 – p. 4/52

  6. Required Properties Preimage resistance ( 2 n ): n M * = H(M ) H(M) M H M * 2nd Preimage resistance ( 2 n ): n M * = H(M ) H(M) H M * Cryptoday 2011 – p. 4/52

  7. Required Properties Preimage resistance ( 2 n ): n M * = H(M ) H(M) M H M * 2nd Preimage resistance ( 2 n ): n M * = H(M ) H(M) H M * Collision-resistance ( 2 n/ 2 ): n M * = H(M ) H(M) H M * Cryptoday 2011 – p. 4/52

  8. Required Properties Preimage resistance ( 2 n ): n M * = H(M ) H(M) M H M * 2nd Preimage resistance ( 2 n ): n M * = H(M ) H(M) H M * Collision-resistance ( 2 n/ 2 ): n M * = H(M ) H(M) H M * Easy to compute Cryptoday 2011 – p. 4/52 .

  9. Applications - Digital Signature Signer Verifier A Message A Message to Sign to Sign M M Send Hash Func. Hash Func. H(M) H(M) Private Public Signature scheme Verification scheme True Key Key Signature Signature Cryptoday 2011 – p. 5/52

  10. Applications - Digital Signature Signer Verifier A Message A Message to Sign to Sign M M Send Hash Func. Hash Func. H(M) H(M) Private Public Signature scheme Verification scheme True Key Key Signature Signature Cryptoday 2011 – p. 5/52

  11. Applications - Digital Signature Signer Verifier A Message A Message to Sign to Sign M M Send Hash Func. Hash Func. H(M) H(M) Private Public Signature scheme Verification scheme True Key Key Signature Signature Cryptoday 2011 – p. 5/52

  12. Applications - Digital Signature Signer Verifier A Message A Message to Sign to Sign M M Send Hash Func. Hash Func. H(M) H(M) Private Public Signature scheme Verification scheme True Key Key Signature Signature Cryptoday 2011 – p. 5/52

  13. Applications - Digital Signature Signer Verifier A Message A Message to Sign to Sign M M Send Hash Func. Hash Func. H(M) H(M) Private Public Signature scheme Verification scheme True Key Key Signature Signature Cryptoday 2011 – p. 5/52

  14. Applications - Digital Signature Signer Verifier A Message A Message to Sign to Sign M M Send Hash Func. Hash Func. H(M) H(M) Private Public Signature scheme Verification scheme True Key Key Signature Signature Cryptoday 2011 – p. 5/52

  15. Applications - Digital Signature Signer Verifier A Message A Message to Sign to Sign M M Send Hash Func. Hash Func. H(M) H(M) Private Public Signature scheme Verification scheme True Key Key Signature Signature Cryptoday 2011 – p. 5/52

  16. Applications - Digital Signature Signer Verifier A Message A Message to Sign to Sign M M Send Hash Func. Hash Func. H(M) H(M) Private Public Signature scheme Verification scheme True Key Key Signature Signature Cryptoday 2011 – p. 5/52

  17. Applications - Digital Signature Signer Verifier A Message A Message to Sign to Sign M M Send Hash Func. Hash Func. H(M) H(M) Private Public Signature scheme Verification scheme True Key Key Signature Signature If H ( M ) = H ( M ∗ ) then M and M ∗ have the same signature. Cryptoday 2011 – p. 5/52

  18. Applications Message Integrity: Instead of protecting the whole data, protect the hash of the data. Second preimage resistance is required. Cryptoday 2011 – p. 6/52

  19. Applications Message Integrity: Instead of protecting the whole data, protect the hash of the data. Second preimage resistance is required. Password protection. A password file holds: ( User name , salt, H ( password || salt )) . Passwords are protected in case an attacker accesses the password file. Preimage resistance is required. Cryptoday 2011 – p. 6/52

  20. Applications Commitment A who commit to M sends H ( M || salt ) to B. At the time A reveals his commitment he publishes M and the salt . B verifies the commitment by hashing and comparing. Collision resistance , preimage resistance and second preimage resistance are required. Cryptoday 2011 – p. 7/52

  21. Applications Message Authentication Code - MAC. Preimage resistance is required. Cryptoday 2011 – p. 8/52

  22. Applications Message Authentication Code - MAC. Preimage resistance is required. and there are many more... Cryptoday 2011 – p. 8/52

  23. Hash Functions from the 90’s till Today Cryptoday 2011 – p. 9/52

  24. 1990-2000 (partial list) The hash functions use Merkle-Damgård construction. Hash size 128-192 bits. Optimized for 32-bit machines (except for Tiger). Function Dig. size Designed Broken Complexity 2 12 . 5 − 2 56 . 5 Snefru 128-224 1990 1990 2 20 , 2 8 MD4 128 1990 1995,2004 2 39 , 2 16 MD5 128 1992 2004,2008 2 61 , 2 51 , 2 39 SHA-0 160 1993 1998,2004 2 63 , 2 58 SHA-1 160 1995 2005,2011 Tiger ≤ 192 1995 RIPEMD-160 160 1996 Cryptoday 2011 – p. 10/52

  25. 2000-2003 Whirlpool, Nessie(2000) and SHA-2, NIST (2002) The hash functions still use Merkle-Damgård construction. Whirlpool is based on the Square block cipher. SHA-224, SHA-256, SHA-384, SHA-512 are based on the MD/SHA concept with more complex operations. Hash size 224-512. No real motivation to upgrade till the first attacks on SHA-1 in 2005. Cryptoday 2011 – p. 11/52

  26. SHA-3 Competition (2007) The break of SHA-1 motivated NIST to establish a public competition to choose the next generation of hash functions. 64 proposals were submitted. 51 passed Round 1, 14 passed Round 2, five passed Round 3, and the final decision will be given in 2012. Cryptoday 2011 – p. 12/52

  27. Recommendations Do not use broken hash functions, not SHA-1 and certainly not MD5. Midterm solution - Upgrade to Whirlpool or SHA-2. Upgrade to SHA-3 when it is available. Cryptoday 2011 – p. 13/52

  28. Merkle-Damgård Construction and Its Weaknesses Cryptoday 2011 – p. 14/52

  29. Merkle-Damgård Construction (1989) The hash function iterates a compression function C C : { 0 , 1 } m c + b �→ { 0 , 1 } m c , on a chaining value h k − 1 and a message block M k . Cryptoday 2011 – p. 15/52

  30. Merkle-Damgård Construction (1989) M padding with 0 ’s M 1 M 2 M n−1 M n b b b b m c m c m c m c m c m c C E E E Hash Result IV h 1 h 0 h 2 h n−1 h n The first chaining value is initialized to h 0 = IV . For each M k and h k − 1 compute: h k = C ( M k , h k − 1 ) . Cryptoday 2011 – p. 15/52

  31. Merkle-Damgård Construction (1989) M padding with 0 ’s M 1 M 2 M n−1 M n b b b b m c m c m c m c m c m c C E E E Hash Result IV h 1 h 0 h 2 h n−1 h n h 1 = C ( M 1 , h 0 ) Cryptoday 2011 – p. 15/52

  32. Merkle-Damgård Construction (1989) M padding with 0 ’s M 1 M 2 M n−1 M n b b b b m c m c m c m c m c m c C C E E Hash Result IV h 0 h 1 h n−1 h 2 h n h 2 = C ( M 2 , h 1 ) Cryptoday 2011 – p. 15/52

  33. Merkle-Damgård Construction (1989) M padding with 0 ’s M 1 M 2 M n−1 M n b b b b m c m c m c m c m c m c C C C E Hash Result IV h 0 h 1 h n−1 h 2 h n h n − 1 = C ( M n − 1 , h n − 2 ) Cryptoday 2011 – p. 15/52

  34. Merkle-Damgård Construction (1989) M padding with 1, 0 ’s, and message length M 1 M 2 M n−1 M n b b b b m c m c m c m c m c m c C C C C Hash Result IV h 0 h 1 h n−1 h 2 h n h n = C ( M n , h n − 1 ) Cryptoday 2011 – p. 15/52

  35. Merkle-Damgård Construction (1989) M M 1 M 2 M n−1 M n b b b b m c m c m c m c m c m c C C C C Hash Result IV h 0 h 1 h n−1 h 2 h n h n is the output of the hash function. H ( M ) = h n Cryptoday 2011 – p. 15/52

  36. Merkle-Damgård construction is the de-facto standard for hash functions. Cryptoday 2011 – p. 16/52

  37. Merkle-Damgård Construction The hash size should be long enough to prevent Yuval’s type attacks. The padding of the length prevents some long messages second preimage attacks. The compression function is not invertible to prevent meet-in the middle attacks. H ( M ) is collision free if C ( M k , h k − 1 ) is collision free. Cryptoday 2011 – p. 17/52

  38. Wang’s MD5 Collision In 2005 Wang found a collision of MD5 with a complexity 2 39 . Cryptoday 2011 – p. 18/52

  39. Wang’s MD5 Collision In 2005 Wang found a collision of MD5 with a complexity 2 39 . Wang’s novel technique was exciting. However, was it more than academic achievement? Cryptoday 2011 – p. 18/52

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash Functions Bart Preneel KU Leuven - COS IC firstname.lastname@ esat.kuleuven.be Design and S ecurity of Cryptographic Functions, Algorithms and Devices

982 views • 67 slides
Tools in Cryptanalysis Florian Mendel - Tomislav Nad - Martin Schlffer Christoph Dobraunig -

Tools in Cryptanalysis Florian Mendel - Tomislav Nad - Martin Schlffer Christoph Dobraunig -

Tools in Cryptanalysis Florian Mendel - Tomislav Nad - Martin Schlffer Christoph Dobraunig - Maria Eichlseder Hash Functions A cryptographic hash function produces cryptographic checksums or fingerprints m Fast H Secure h Security

696 views • 42 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

ECRYPT Bart Preneel Emerging Topics in Cryptographic Design and Cryptanalysis Generic Constructions 30 April- 4 May 2007, Samos Greece for Iterated Hash Functions Outline Generic Constructions Generic Constructions for Iterated Hash

759 views • 10 slides
ASIACRYPT 2013 1 Cryptographic Hash Function Public function Input: arbitrary long

ASIACRYPT 2013 1 Cryptographic Hash Function Public function Input: arbitrary long

Improved Cryptanalysis of Reduced RIPEMD-160 Florian Mendel, Thomas Peyrin, Martin Schlffer, Lei Wang, and Shuang Wu ASIACRYPT 2013 1 Cryptographic Hash Function Public function Input: arbitrary long messages Output: short random

840 views • 50 slides
Cryptographic Hash Functions Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of

Cryptographic Hash Functions Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of

Cryptographic Hash Functions Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 17, 2018 1 / 15 Cryptographic Hash Functions Important building block in cryptography

270 views • 15 slides
Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis:

Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis:

Hash Functions June 2013 Bart Preneel Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis: basic topics Bart Preneel This is an input to

402 views • 14 slides
Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and

Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and

Cryptocurrency Technologies Cryptography and Cryptocurrencies Intro to Cryptography and Cryptocurrencies Cryptographic Hash Functions Hash Pointers and Data Structures Block Chains Merkle Trees Digital Signatures Public

489 views • 27 slides
Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

CSS441 Hash Functions Hash Functions Authentication Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

1.04k views • 24 slides
References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding Cryptography by Paar & Pelzl. & Mathematical Cryptography , by Keijo Ruohonen, http://math.tut.fi/~ruohonen/MC.pdf , pages 9899. Signature

255 views • 10 slides
On recent attacks against Cryptographic Hash Functions Martin Eker & Henrik Ygge 1

On recent attacks against Cryptographic Hash Functions Martin Eker & Henrik Ygge 1

On recent attacks against Cryptographic Hash Functions Martin Eker & Henrik Ygge 1 Outline First part Preliminaries Which cryptographic hash functions exist? What degree of security do they offer? An

1.68k views • 98 slides
Cryptographic Hash Functions Debdeep Mukhopadhyay IIT Kharagpur Data Integrity

Cryptographic Hash Functions Debdeep Mukhopadhyay IIT Kharagpur Data Integrity

Cryptographic Hash Functions Debdeep Mukhopadhyay IIT Kharagpur Data Integrity Cryptographic Hash Function: Provides assurance of data integrity Let h be a hash function and x some data. The hash creates a fingerprint of the data,

564 views • 31 slides
Practical attacks on AES-like cryptographic hash functions Stefan K olbl, Christian Rechberger

Practical attacks on AES-like cryptographic hash functions Stefan K olbl, Christian Rechberger

Practical attacks on AES-like cryptographic hash functions Stefan K olbl, Christian Rechberger DTU - Technical University of Denmark September 12, 2014 Cryptographic Hash Functions Today is the 12th of September... h 4981A99EDA782

1.01k views • 34 slides
Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2 Tomislav Nad and Martin Schl 1 DTU - Technical University of Denmark 2 IAIK - Graz University of Technology December 18, 2013 Cryptographic Hash

345 views • 22 slides
Napoleon Bonaparte (1769 - 1821) "On Judgement Day, before God's throne, There stood at

Napoleon Bonaparte (1769 - 1821) "On Judgement Day, before God's throne, There stood at

Napoleon Bonaparte (1769 - 1821) "On Judgement Day, before God's throne, There stood at last Napoleon, The Devil had his list-begun Of crime the Bonaparte had done. When God the Father, or God the Son Cut Satan short, before Gods throne!

794 views • 19 slides
The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jrmy Jean 1 joint work with: Jian Guo 1 Gatan Leurent 2 Thomas Peyrin 1 Lei Wang 1 1 Nanyang Technological University, Singapore 2 INRIA, France

847 views • 40 slides
SPM and Data Sharing Guillaume Flandin Wellcome Trust Centre for Neuroimaging University College

SPM and Data Sharing Guillaume Flandin Wellcome Trust Centre for Neuroimaging University College

SPM and Data Sharing Guillaume Flandin Wellcome Trust Centre for Neuroimaging University College London Brainhack Warwick, 3 rd March 2017 Reproducible Research An article about computational science in a scientific publication is not the

590 views • 32 slides
The use of DRG for identifying clinical trials centres with high recruitment potential: a

The use of DRG for identifying clinical trials centres with high recruitment potential: a

The use of DRG for identifying clinical trials centres with high recruitment potential: a feasability study Philippe Aegerter 1,2 , Noelle Bendersky 2 , Thi-Chien Tran 1,2 , Jacques Ropers 2 , Namik Taright 3 and Gilles Chatellier 4 1. Univ.

349 views • 15 slides
Incremental Physical Design Jason Cong UCLA Majid Sarrafzadeh Northwestern Jason Cong C ISPD

Incremental Physical Design Jason Cong UCLA Majid Sarrafzadeh Northwestern Jason Cong C ISPD

Incremental Physical Design Jason Cong UCLA Majid Sarrafzadeh Northwestern Jason Cong C ISPD 2000: April 10-12 Majid Sarrafzadeh 1 Outline PART I: Introduction & Motivation PART II: Partitioning, Floorplanning, and Placemenet

708 views • 43 slides
Outline Computer Security: Hashing Hashes Hash applications Bart Jacobs Road pricing example

Outline Computer Security: Hashing Hashes Hash applications Bart Jacobs Road pricing example

Hashes Hashes Road pricing example Road pricing example Radboud University Nijmegen Radboud University Nijmegen Hashing in Java Hashing in Java Outline Computer Security: Hashing Hashes Hash applications Bart Jacobs Road pricing example

110 views • 7 slides
Computer Security: Hashing B. Jacobs Institute for Computing and Information Sciences Digital

Computer Security: Hashing B. Jacobs Institute for Computing and Information Sciences Digital

Hashes Voting with hashes: RIES Radboud University Nijmegen Road pricing example Hashing in Java and in Python Computer Security: Hashing B. Jacobs Institute for Computing and Information Sciences Digital Security Radboud University

709 views • 53 slides
Translations Requiring Paraphrasing A student who studies hard will learn to tango. Mark Criley

Translations Requiring Paraphrasing A student who studies hard will learn to tango. Mark Criley

Translations Requiring Paraphrasing A student who studies hard will learn to tango. Mark Criley tango. 6 Read It Back! But now, lets check our work: Translations Requiring Paraphrasing Mark Criley 5 Substitute Translations 4 Translate

274 views • 11 slides

More recommend