sound hashing modes of arbitrary functions permutations
play

Sound Hashing Modes of Arbitrary Functions, Permutations, and Block - PowerPoint PPT Presentation

Mar 01, 2023 •10 likes •800 views

Sound Hashing Modes of Arbitrary Functions, Permutations, and Block Ciphers (SoK) Joan Daemen 1 Bart Mennink 1 Gilles Van Assche 2 Fast Software Encryption Paris, March 2019 1 Radboud University 2 STMicroelectronics 1 M 4 pad Hash function

  1. Sound Hashing Modes of Arbitrary Functions, Permutations, and Block Ciphers (SoK) Joan Daemen 1 Bart Mennink 1 Gilles Van Assche 2 Fast Software Encryption Paris, March 2019 1 Radboud University 2 STMicroelectronics 1

  2. M 4 pad Hash function example 1: SHA-256 F Underlying primitive: block cipher with 256-bit block and 512-bit key 1 CV i data path mess. expans. M i CV i Compression function F from block cipher B with Davies-Meyer : digest CV Hash function h from compression function F with Merkle-Damgård : F CV M 3 F CV M 2 F M 1 IV 2

  3. Hash function example 1: SHA-256 M 3 Underlying primitive: block cipher with 256-bit block and 512-bit key 1 CV i data path mess. expans. M i CV i Compression function F from block cipher B with Davies-Meyer : F CV F Hash function h from compression function F with Merkle-Damgård : CV 2 F CV IV M 1 F M 2 M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest

  4. Hash function example 1: SHA-256 F Underlying primitive: block cipher with 256-bit block and 512-bit key data path mess. expans. M i CV i Compression function F from block cipher B with Davies-Meyer : F CV Hash function h from compression function F with Merkle-Damgård : F CV M 3 2 IV M 1 CV M 2 F M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest ❍❍❍❍❍❍❍ ❍ ✲ ✲ ✲ ✲ CV i + 1 ⊕ ✻

  5. Hash function example 1: SHA-256 F Underlying primitive: block cipher with 256-bit block and 512-bit key data path mess. expans. M i CV i Compression function F from block cipher B with Davies-Meyer : F CV Hash function h from compression function F with Merkle-Damgård : F CV M 3 2 IV M 1 CV M 2 F M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest ❍❍❍❍❍❍❍ ❍ ✲ ✲ ✲ ✲ CV i + 1 ⊕ ✻

  6. � � π π Example 2: MD6 [Rivest et al. 2008] Hash function h from CF F with dedicated tree hash mode: CF F from permutation P with dedicated construction: Underlying primitive: 5696-bit permutation 3

  7. π π Example 2: MD6 [Rivest et al. 2008] Hash function h from CF F with dedicated tree hash mode: Underlying primitive: 5696-bit permutation CF F from permutation P with dedicated construction: 3 � � Location (level,index) input to each node level (2,0) (2,1) (2,2) (2,3) 3 2 1 0

  8. Example 2: MD6 [Rivest et al. 2008] CF F from permutation P with dedicated construction: Underlying primitive: 5696-bit permutation Hash function h from CF F with dedicated tree hash mode: 3 � � Location (level,index) input to each node level (2,0) (2,1) (2,2) (2,3) 3 2 1 0 key+UV data const 15 8+2 64 89 words N Map 1-1 map π Prepend 89 words π ( N ) 16 words C Chop

  9. Example 2: MD6 [Rivest et al. 2008] CF F from permutation P with dedicated construction: Underlying primitive: 5696-bit permutation Hash function h from CF F with dedicated tree hash mode: 3 � � Location (level,index) input to each node level (2,0) (2,1) (2,2) (2,3) 3 2 1 0 key+UV data const 15 8+2 64 89 words N Map 1-1 map π Prepend 89 words π ( N ) 16 words C Chop

  10. Example 3: KangarooTwelve [Keccak Team 2016] Parallel XOF from XOF with Sakura-encoded [KT 2014] tree hash mode: XOF from permutation with sponge [KT 2008] : Underlying primitive: 1600-bit permutation Keccak- p 12 4

  11. Example 3: KangarooTwelve [Keccak Team 2016] Parallel XOF from XOF with Sakura-encoded [KT 2014] tree hash mode: Underlying primitive: 1600-bit permutation Keccak- p 12 XOF from permutation with sponge [KT 2008] : 4 S 1 S 2 S 3 S n -2 S n -1 110 110 110 110 110 110 * S 0 CV CV CV … CV CV n -1 FFFF 01

  12. Example 3: KangarooTwelve [Keccak Team 2016] Parallel XOF from XOF with Sakura-encoded [KT 2014] tree hash mode: Underlying primitive: 1600-bit permutation Keccak- p 12 XOF from permutation with sponge [KT 2008] : 4 S 1 S 2 S 3 S n -2 S n -1 110 110 110 110 110 110 * S 0 CV CV CV … CV CV n -1 FFFF 01 M pad trunc Z r 0 f f f f f f outer inner c 0 absorbing squeezing

  13. Example 3: KangarooTwelve [Keccak Team 2016] Parallel XOF from XOF with Sakura-encoded [KT 2014] tree hash mode: XOF from permutation with sponge [KT 2008] : 4 S 1 S 2 S 3 S n -2 S n -1 110 110 110 110 110 110 * S 0 CV CV CV … CV CV n -1 FFFF 01 M pad trunc Z r 0 f f f f f f outer inner c 0 absorbing squeezing Underlying primitive: 1600-bit permutation Keccak- p [ 12 ]

  14. Basis for security of hash functions Trust in security based on public scrutiny and cryptanalysis But we can prove security of idealized version of the function … is h with underlying primitive replaced by random one Ideal hash function: random oracle Upper bound on advantage of distinguishing from this bound says something about the mode only better attacks must exploit specific properties of primitive In other words, they bound the success probability of generic attacks 5 ▶ We cannot prove a hash function h is secure

  15. Basis for security of hash functions But we can prove security of idealized version of the function … is h with underlying primitive replaced by random one Ideal hash function: random oracle Upper bound on advantage of distinguishing from this bound says something about the mode only better attacks must exploit specific properties of primitive In other words, they bound the success probability of generic attacks 5 ▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis

  16. Basis for security of hash functions Ideal hash function: random oracle Upper bound on advantage of distinguishing from this bound says something about the mode only better attacks must exploit specific properties of primitive In other words, they bound the success probability of generic attacks 5 ▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis ▶ But we can prove security of idealized version H of the function • … H is h with underlying primitive replaced by random one

  17. Basis for security of hash functions In other words, they bound the success probability of generic attacks 5 ▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis ▶ But we can prove security of idealized version H of the function • … H is h with underlying primitive replaced by random one ▶ Ideal hash function: random oracle RO ▶ Upper bound on advantage of distinguishing H from RO • this bound says something about the mode only • better attacks must exploit specific properties of primitive

  18. attacks Basis for security of hash functions 5 ▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis ▶ But we can prove security of idealized version H of the function • … H is h with underlying primitive replaced by random one ▶ Ideal hash function: random oracle RO ▶ Upper bound on advantage of distinguishing H from RO • this bound says something about the mode only • better attacks must exploit specific properties of primitive ▶ In other words, they bound the success probability of generic

  19. M 4 pad What can happen if you don’t have a good bound? digest Affect all old-style hash standards: MD5, SHA-1 and all SHA-2 herding attack, … multi-collisions 2nd pre-image for long messages Attacks with less complexity than expected fixing requires adding expensive construction: HMAC MAC function h K M not secure against forgery Length extension property CV F IV F CV M 3 F CV M 2 F M 1 6

  20. What can happen if you don’t have a good bound? CV Affect all old-style hash standards: MD5, SHA-1 and all SHA-2 herding attack, … multi-collisions 2nd pre-image for long messages Attacks with less complexity than expected fixing requires adding expensive construction: HMAC MAC function h K M not secure against forgery Length extension property F CV F IV 6 M 3 CV F M 1 F M 2 M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest

  21. What can happen if you don’t have a good bound? M 3 Affect all old-style hash standards: MD5, SHA-1 and all SHA-2 herding attack, … multi-collisions 2nd pre-image for long messages Attacks with less complexity than expected fixing requires adding expensive construction: HMAC MAC function h K M not secure against forgery F CV F IV CV 6 F CV M 1 F M 2 M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest ▶ Length extension property

  22. What can happen if you don’t have a good bound? M 3 Affect all old-style hash standards: MD5, SHA-1 and all SHA-2 herding attack, … multi-collisions 2nd pre-image for long messages Attacks with less complexity than expected fixing requires adding expensive construction: HMAC F CV F IV CV 6 F M 1 F M 2 CV M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest ▶ Length extension property • MAC function h ( K | M ) not secure against forgery

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the (In)Security of IDEA in Various Hashing Modes Lei Wei 1 , Thomas Peyrin 1 , Przemysaw

On the (In)Security of IDEA in Various Hashing Modes Lei Wei 1 , Thomas Peyrin 1 , Przemysaw

On the (In)Security of IDEA in Various Hashing Modes On the (In)Security of IDEA in Various Hashing Modes Lei Wei 1 , Thomas Peyrin 1 , Przemysaw Sokoowski 2 , San Ling 1 , Josef Pieprzyk 2 , and Huaxiong Wang 1 1 Division of Mathematical

524 views • 25 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.5k views • 58 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.25k views • 98 slides
Universal hashing Problem: if h is fixed there are with many collisions Idea of

Universal hashing Problem: if h is fixed there are with many collisions Idea of

Universal hashing Problem: if h is fixed there are with many collisions Idea of universal hashing: Choose hash function h randomly H finite set of hash functions Definition: H is universal, if for arbitrary x , y U : Hence:

759 views • 14 slides
Hash Tables Outline Definition Hash functions Open hashing Closed hashing

Hash Tables Outline Definition Hash functions Open hashing Closed hashing

Hash Tables Outline Definition Hash functions Open hashing Closed hashing collision resolution techniques Efficiency EECS 268 Programming II 1 Overview Implementation style for the Table ADT that is good in a wide

237 views • 20 slides
Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing? Distribute key/value pairs across bins with a hash function , Hashing Performance Hashing (Application of Probability) which maps elements from

497 views • 3 slides
Descents, Peaks, and Shuffles of Permutations and Noncommutative Symmetric Functions Ira M.

Descents, Peaks, and Shuffles of Permutations and Noncommutative Symmetric Functions Ira M.

Descents, Peaks, and Shuffles of Permutations and Noncommutative Symmetric Functions Ira M. Gessel Department of Mathematics Brandeis University Workshop on Quasisymmetric Functions Bannf International Research Station November 17, 2010

983 views • 77 slides
Hashing Algorithms Hash functions Separate Chaining Linear Probing Double Hashing Symbol-Table

Hashing Algorithms Hash functions Separate Chaining Linear Probing Double Hashing Symbol-Table

Hashing Algorithms Hash functions Separate Chaining Linear Probing Double Hashing Symbol-Table ADT Records with keys (priorities) basic operations insert search create generic operations common to many ADTs test if empty

474 views • 13 slides
Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing

Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing

Lecture 8 Hashing I 6.006 Fall 2011 Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing Hashing Chaining Simple uniform hashing Good hash functions Dictionary Problem Abstract

452 views • 21 slides
Union-Find [10] In the last class Hashing Collision Handling for Hashing Closed

Union-Find [10] In the last class Hashing Collision Handling for Hashing Closed

Algorithm : Design & Analysis Union-Find [10] In the last class Hashing Collision Handling for Hashing Closed Address Hashing Open Address Hashing Hash Functions Array Doubling and Amortized Analysis Union-Find

618 views • 33 slides
Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL Story So far m Enc SC PRG (i.e., a Stream Cipher) for one-time SKE K Mode of operation: msg pseudorandom pad PRF (i.e., a Block Cipher)

426 views • 13 slides
Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL Story So far m Enc SC PRG (i.e., a Stream Cipher) for one-time SKE K Mode of operation: msg pseudorandom pad PRF (i.e., a Block Cipher)

251 views • 12 slides
On APN permutations Marco Calderini University of Trento Boolean Functions and their

On APN permutations Marco Calderini University of Trento Boolean Functions and their

On APN permutations Marco Calderini University of Trento Boolean Functions and their Applications July 3-8, 2017 Cryptographic motivations Some cryptographic primitives, as block ciphers, have components called S-boxes. Often an S-box is a

816 views • 37 slides
Machine Learning for NLP Readings in unsupervised Learning Aurlie Herbelot 2018 Centre for

Machine Learning for NLP Readings in unsupervised Learning Aurlie Herbelot 2018 Centre for

Machine Learning for NLP Readings in unsupervised Learning Aurlie Herbelot 2018 Centre for Mind/Brain Sciences University of Trento 1 Hashing 2 Hashing: definition Hashing is the process of converting data of arbitrary size into

845 views • 48 slides
Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo Gunsing, Joan Daemen and Bart Mennink FSE 2020 1 / 15 Block cipher K n n P B C Plaintext P encrypted to ciphertext C with secret key K

632 views • 41 slides
Quantum permutations of two elements Tomasz Maszczyk UNB, June 27, 2014 Tomasz Maszczyk Quantum

Quantum permutations of two elements Tomasz Maszczyk UNB, June 27, 2014 Tomasz Maszczyk Quantum

Quantum permutations of two elements Tomasz Maszczyk UNB, June 27, 2014 Tomasz Maszczyk Quantum permutations of two elements 1. Frobenius algebras Let k be an arbitrary base field. Theorem (Nakayama) The following are equivalent: A =

327 views • 32 slides
Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help better understand SW behavior

350 views • 24 slides
h-DDSS: Heterogeneous Dynamic Dedicated Servers Scheduling in Cloud Computing Husnu S aner Narman

h-DDSS: Heterogeneous Dynamic Dedicated Servers Scheduling in Cloud Computing Husnu S aner Narman

h-DDSS: Heterogeneous Dynamic Dedicated Servers Scheduling in Cloud Computing Husnu S aner Narman Md. Shohrab Hossain Mohammed Atiquzzaman School of Computer Science University of Oklahoma, USA. atiq@ou.edu www.cs.ou.edu/~atiq June 2014

707 views • 37 slides
Image Enhancement in the Frequency Domain Chaiwoot Boonyasiriwat November 9, 2020 Discrete

Image Enhancement in the Frequency Domain Chaiwoot Boonyasiriwat November 9, 2020 Discrete

Image Enhancement in the Frequency Domain Chaiwoot Boonyasiriwat November 9, 2020 Discrete Fourier Transform DFT and IDFT of a signal x ( n 1 ), n 1 = 1, , N 1, are DFT and IDFT of a 2D signal x ( n 1 ,n 2 ) are 2 Discrete Fourier

227 views • 18 slides
An Overview of Semantic Image Segmentation with Deep Learning Simone Bonechi Outline

An Overview of Semantic Image Segmentation with Deep Learning Simone Bonechi Outline

An Overview of Semantic Image Segmentation with Deep Learning Simone Bonechi Outline Semantic Image Segmentation Deep Network for Semantic Segmentation FCN (Fully Convolutional Neural Network) DeconvNet PSPNet (Pyramid Scene

746 views • 22 slides
Network-Assisted MPTCP IETF#98, Chicago, March 2017 M. Boucadair (Orange) C. Jacquenet (Orange)

Network-Assisted MPTCP IETF#98, Chicago, March 2017 M. Boucadair (Orange) C. Jacquenet (Orange)

IETF 98 th Network-Assisted MPTCP IETF#98, Chicago, March 2017 M. Boucadair (Orange) C. Jacquenet (Orange) O. Bonaventure (Tessares) W. Henderickx (ALU/Nokia) R. Skog (Ericsson) D. Behaghel (OneAccess) S. Secci (Universite Pierre et Marie

351 views • 31 slides
Symmetric encrypBon CS642: Computer Security Professor

Symmetric encrypBon CS642: Computer Security Professor

Symmetric encrypBon CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

554 views • 42 slides
On Base & Limit Base & Bound MAX sys Contiguous Allocation: contiguous virtual addresses

On Base & Limit Base & Bound MAX sys Contiguous Allocation: contiguous virtual addresses

More Multiplexing More Multiplexing At different times, different processes can map At different times, different processes can map part of their virtual address space into the part of their virtual address space into the same physical memory

411 views • 7 slides
Multi-Purpose Keccak for Modern FPGAs Panasayya Yalla Ekawat Homsirikamol Jens-Peter Kaps

Multi-Purpose Keccak for Modern FPGAs Panasayya Yalla Ekawat Homsirikamol Jens-Peter Kaps

Introduction Modes of Operation Implementation Results and Conclusion Multi-Purpose Keccak for Modern FPGAs Panasayya Yalla Ekawat Homsirikamol Jens-Peter Kaps Cryptographic Engineering Research Group (CERG) http://cryptography.gmu.edu

648 views • 36 slides

More recommend