Cryptography. Summer Term 2010

Transcription

1 Summer Term 2010 Chapter 2: Hash Functions

2 Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 2

3 Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 3

4 Definition and applications A hash function h is a function with two properties: Compression: h : {0,1}* {0,1}n Ease of computation: The computation of h(m) is 'fast'. For use in cryptography, we have to impose further conditions (see next slide). Notation: m is a 'document', h(m) its hash value or digest Sample applications: Storage of passwords Electronic signatures (MAC, asymmetric signatures) Forensics 4

5 Basic properties for use in cryptography Preimage Resistance: Second Preimage Resistance: Given a document m, it is infeasible in practice to find a second document m' with m m' and h(m) = h(m'). Collision Resistance: Given a hash value H, it is infeasible in practice to find an input (a document m) with H = h(m). It is infeasible in practice to find any two documents m, m' with m m' and h(m) = h(m'). Relation to birthday problems A and B? 5

6 Hardness of basic properties Assumptions: Hash values behave randomly. Security threshold is 2^{100} hash value computations. Expected number of trials of a brute-force-attack: Preimage computation: Second preimage computation: Collision: Lower bound of n to avoid each attack A today's hash function SHALL satisfy n 6

7 Relationship of basic properties Our proofs make use of the following logical rule: Let A and B be two assertions. Then: Example: ( A => B ) <=> ( B => A ) A: n = 2 B: n is an even integer Preimage resistance vs. Collision resistance Second preimage resistance vs. Collision resistance Preimage resistance vs. Second preimage resistance 7

8 OWHF and CRHF Let h be a hash function as defined above. One-way hash function (OWHF): If h additionally is preimage resistant and second preimage resistant, then it is called a OWHF. Collision resistant hash function (CRHF): If h additionally is collision resistant, it is called a CRHF. Relationship between OWHF and CRHF as described above. Digital signature schemes like RSA, DSA or ECDSA require a CRHF. 8

9 MDC and MAC Modification detection code (MDC): A OWHF or a CRHF, which shall provide integrity or authenticity in conjunction with additional mechanisms (e.g. writing the MDC down on a paper). An MDC has only one input: A document. An MDC is unkeyed. Message authentication code (MAC): A OWHF or a CRHF, which shall provide integrity or authenticity without additional mechanisms. A MAC requires two inputs: A document and a secret key (i.e. a MAC is keyed). 9

10 Classification of cryptographic hash functions Source: Handbook of Applied 10

11 Avalanche effect Let m and h(m) be given. If m is replaced by m', h(m') behaves pseudo randomly. One has no control over the output, if the input is changed. Hash functions are assumed to be surjective. Example: If only one bit in m is changed to get m', the two outputs h(m) and h(m') look 'very' different. Every bit in h(m') changes with probability 50%, independent of the number of different bits in m'. 11

12 Sample hash functions MD5: n = 128 SHA-1: n = 160 SHA-2 family: RIPEMD family: RIPEMD-160, RIPEMD-256, RIPEMD-320 Demo: SHA-256, SHA-384, SHA-512 Computation of hash values using openssl Avalanche effect Performance 12

13 Improving security for given hash functions Two well-known methods: Cascading hash functions HMAC (only for MACs) Cascading hash functions: Let two hash functions h1 and h2 be given Set h(m) = h1(m) h2 (m) The hash function h is collision resistant, if only one of the hash functions h1 or h2 remains collision resistant 13

14 Extending a MAC to HMAC Idea: Iteratively hash a document Due to Bellare, Canetti, Krawczyk Description: Let h be a hash function There are two fixed padding sequences: Outer padding: Inner padding: opad= ipad=5c5c...5c Set HMAC = h ( (k XOR opad) h ( (k XOR ipad) m) ) Security: Harder to find a collision for an HMAC than for the underlying hash function 14

15 Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 15

16 Merkle-Damgard construction: Idea The MD-construction requires a compression function: f : {0,1}s {0,1}n with s > n. Remark: The input size (in bits) is fixed. Merkle-Damgard set s = r + n Basic idea to extend f to h (padding is left out): Split up the input m of h to blocks of length r bits: m = m1m2...mt Iteratively apply f to each block, where the current input is: n bits of the previously computed output of f. r bits of the current processed block of m. 16

17 Merkle-Damgard construction: Overview Notation remarks: Document is referred to as x IV = Initialisation Vector Often g is the identity map Source: Handbook of Applied 17

18 Merkle-Damgard construction: Formal algorithm 18

19 Merkle-Damgard construction: Security Fundamental fact: If the compression function f is collision resistant, then the MD-extended hash function h is collision resistant, too. Remark: We have to fix an initial hash block H0: IV. We have to apply an appropriate padding including the length of the input. Almost all current hash functions implement the MD-design: MD4, MD5 RIPEMD-family SHA-family (SHA-1, SHA-2) 19

20 SHA-1 Standardised in FIPS PUB from 2002: Secure Hash Standard (SHS) SHA-1 is based on the same design principles as MD4: Unary operators: Logical NOT, cyclic SHIFT Binary operators: Bitwise AND, bitwise OR, XOR Addition modulo a word of length 32 bit (i.e. mod 2^{32}) SHA-1 is based on four compression functions (see later): Each has n = 160 and r = 512: s = r + n = 672 Each one is applied in one part for 20 rounds SHA-1 comprises 4 parts and 80 rounds in total 20

21 SHA-1 overview We make use of the notation from SHS For example, a message block is denoted by M ( i ) Three steps (according to Merkle-Damgard): Padding: Expand message length to a multiple of 512 bits. Splitting: Iterative compression: Split message in N blocks of 512 bits These blocks are denoted as M (1) to M ( N ) Apply iteratively the compression function on M (1) to M ( N ) The intermediate hash values are H (1) to H ( N ) The hash value of the message is H ( N ). 21

22 SHA-1 padding (1/2) Let L be the bit length of the message m. Padding comprises three steps: Append a single '1' to the end of the message. Append minimal number of '0's until length is of the form 512k 64. Write binary encoded L at the end (with least significant bit right). The input to SHA-1 is m L 22

23 SHA-1 padding (2/2) Example from SHS: We want to compute SHA-1 ( abc ). abc is the ASCII string of 'a', 'b', 'c' (of bit length 24). Thus we append a '1' and 423 '0's. Finally, we append the length 24. Remarks: The maximum length of a SHA-1 input is This is equivalent to TBytes. 23

24 Overview of a SHA-1 round Source: en.wikipedia.org 24

25 SHA-1 round functions SHA-1 consists of 4 parts of 20 rounds, respectively. Each part has its round function: Input of a round function: Three 32 bit words. Output of a round function: A single 32 bit word. Source: Secure Hash Standard 25

26 SHA-1 constants Each of the 4 SHA-1 parts has its own constant It is a 32 bit word, written in hexadecimal Source: Secure Hash Standard 26

27 Initial hash value The initial hash value is denoted by H ( 0 ). Used as starting IV to apply the first round function on M (1) H ( 0 ) = H0( 0 ) H1( 0 ) H2( 0 ) H3( 0 ) H4( 0 ) with Source: Secure Hash Standard 27

28 Message contribution Each message block M ( i ) is 512 bits long. Write M ( i ) as a concatenation of 16 words of bit length 32: M ( i ) = M0( i ) M1( i ) M2( i )... M 15 ( i ) Each of the 80 SHA-1 requires a 32 bit word Wt : Set Wt = Mt(i) for t = 0 to 15 Rounds t = 16 to 79 require a left-shifted and XORed combination of previously computed input words Wt Source: SHS 28

29 SHA-1 round function to compute H ( i ) SHA-1 makes use of 5 registers of 32 bits initialised as: a = H0 ( i 1), b = H1 ( i 1), c = H2 ( i 1), d = H3( i 1), e = H4( i 1) The registers are manipulated within 80 rounds as: Source: Secure Hash Standard 29

30 SHA-1 computation of intermediate and final hash Computation of intermediate hash H ( i ) : H0( i ) = a + H0( i 1), H1( i ) = b + H1( i 1), H2( i ) = c + H2( i 1), H3( i ) = d + H3( i 1), H4( i ) = e + H4( i 1) The final SHA-1 hash is the final intermediate hash: h(m) = H0( N ) H1( N ) H2( N ) H3( N ) H4( N ) Source: Secure Hash Standard 30

31 Overview of different hash functions Source: Handbook of Applied Wording: Handbook Round Step vs. Lecture vs. vs. Part Round 31

32 Source: Handbook of Applied Test vectors and subtleties $ echo abc sha1sum 03cfd743661f07975fa2f1220c5194cbaff

33 Security remarks on SHA-1 Birthday attack = Brute force attack: 2^{80} trials X. Wang et al. (February 2005): 2^{69} trials X. Wang et al. (August 2005): 2^{63} trials C. McDonald et al. (May 2009): 2^{52} trials (however, they withdraw their estimation later) General observations: Finding collisions for SHA-1 is much easier than using brute force We need a new long-term hash function: SHA-3 33

34 Contents Definition and basic properties Basic design principles and SHA-1 The SHA-3 competition 34

35 Overview The SHA-3 competition started on November 2, 2007 Publication by NIST in the Federal Register: Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) family General requirements: Output hash values of 224, 256, 384, 512 bits Replacement of SHA-2 (although SHA-2 is not withdrawn) No 160 bit output allowed (this fits to the security threshold of 100 bits) Similar process as the AES competition 35

36 NIST expectations Security strength is at least as good as SHA-2 Attacks on SHA-2 are unlikely to work on SHA-3 More efficient than SHA-2 Maximum message length at least 2^{64} 1 bits Interoperability: Implementable in a wide range of hardware and software platforms A single hash family is preferred Worldwide availability and royalty free use 36

37 Time schedule NIST hash workshop: Initial publication: Submission deadline for first round: First candidate conference (KU Leuven): 2009, Feb. Second candidate conference: 2010, 2Q Candidate conference of finalists: 2012, 1Q Publication: 2012, 4Q 37

38 Round 1 64 submissions Announcement of 51 first round candidates on First SHA-3 candidate conference: Feb , 2009 at KU Leuven, Belgium All submitters of 51 first round candidates were invited to defend their proposals Preneel's statement at CASED distinguished lecture (May 14, 2009): From 30 candidates 50 % follow MD-design 25 % sponge design 25 % Haifa July 24, 2009: 14 candidates were selected for round 2 38

39 Round 2 Sample candidates: by N. Ferguson, S. Lucks, B. Schneier, D. Whiting, M. Bellare, T. Kohno, J. Callas and J. Walker CubeHash by Dan Bernstein Keccak by G. Bertoni, J. Daemen, M. Peeters, G. Van Assche Second SHA-3 candidate conference: August 23-24, 2010 at Santa Barbara in the scope of Crypto 39