CS-E4320 Cryptography and Data Security Lecture 5: Hash Functions

Transcription

1 Lecture 5: Hash Functions Céline Blondeau Department of Computer Science Aalto University, School of Science

2 Hash Functions Birthday Paradox Design of Hash Functions SHA-3 SHA-2 2/38

3 Outline Hash Functions Birthday Paradox Design of Hash Functions SHA-3 SHA-2 3/38

4 Uses of cryptographic hash functions User authentication (e.g., passwords) Message authenticity (e.g., hash MACs) Compact file identifiers (e.g., in Git, ) Used in digital signatures Certain obfuscation schemes rely on provably secure hash functions 4/38

5 Hash functions An b-bit hash function is a map h : {0, 1} {0, 1} b. Given a message m anyone can compute h(m) since h is public. Cryptographic hash function security requirements 1. Preimage resistance: Given h(m) it is computationally infeasible to find m. 2. Second preimage resistance: Given m it is computationally infeasible to find m such that h(m) = h(m ) holds. 3. Collision resistance: It is computationally infeasible to find m and m such that m m and h(m) = h(m ) both hold. 5/38

6 Hash function security A modern b-bit cryptographic hash function is generally expected to provide the following: 1. b-bits of preimage security. 2. b-bits of second preimage security. 3. b/2-bits of collision security. We will see that a cryptographic hash function cannot hope to be better than b/2-bit collision resistant. 6/38

7 Outline Hash Functions Birthday Paradox Design of Hash Functions SHA-3 SHA-2 7/38

8 The birthday paradox Sampling with replacement An urn has N balls numbered 1 to N. Suppose that balls are drawn from the urn one at a time, with replacement, and their numbers are listed. As N increases the expected number of draws before a coincidence (i.e., drawing a ball that was previously drawn) πn approaches asymptotically 2. Nomenclature This phenomenon is termed the birthday paradox due to fact that the probability that at least 2 people in a group of 23 share the same birthday is roughly /38

9 Another birthday paradox type phenomenon Sampling with replacement from two urns Two urns has N balls each numbered 1 to N. One urn has blue balls and the other has red balls. Suppose that balls are drawn from both urns, with replacement, and their numbers are listed. After about N balls have been drawn from both urns the probability that the list of blue ball numbers and the list of red ball number have at least one number in common is roughly 0.5. This phenomenon can be exploited in forgery attacks. 9/38

10 Forgery attacks by collisions Collision context The goal is to find a collision, i.e., messages x and y such that x y and h(x) = h(y) both hold. Messages x and y may or may not be meaningful. It depends on how the collision is used in an attack. Collisions in a meaningful context Mallory has messages x and y. Bob is willing to digitally sign x but not y. Mallory wants to find ˆx and ŷ such that h(ˆx) = h(ŷ) where ˆx is equivalent to x and ŷ to y. The forgery The assumption is that if Bob is willing to sign (the hash of) x then he is willing to sign equivalent message ˆx. Denote s Bob s signature on ˆx. Since h(ˆx) = h(ŷ), s is also a valid signature on ŷ, the message equivalent to y that Bob was unwilling to sign. 10/38

11 Equivalent messages: example Equivalent messages can be derived using minor modifications: changing part of the message that does not affect its true meaning. (Serial-type numbers, comment fields, anything not rendered.) They can be exploited in Yuval s attack (next page). Document 1.1 Document 2.1 <html> <html> <body> <body> Bob agrees to pay Mallory 1000 EUR. Bob agrees to pay Mallory EUR. </body> </body> </html> </html> Document 1.2 Document 2.2 <html> <html> <body> <body> Bob agrees to pay Mallory 1000 EUR. Bob agrees to pay Mallory EUR. <!-- foo --> <!-- bar --> </body> </body> </html> </html> Document 1.3 Document 2.3 <html> <html> <body> <body> Bob agrees to pay Mallory 1000 EUR. Bob agrees to pay Mallory EUR. <!-- cat --> <!-- dog --> </body> </body> </html> </html> 11/38

12 Yuval s birthday attack (G. Yuval (1979)) With h an b-bit hash function, Mallory has messages x and y and wants to find equivalent messages ˆx and ŷ such that h(ˆx) = h(ŷ). 1. Generate x i for 1 i 2 b/2 that are minor modifications of x. 2. Store T [h(x i )] = x i for all x i where T is a hash table. 3. Generate y i for 1 i 2 b/2 that are minor modifications of y. 4. If h(y i ) is in T, denote x j = T [h(y i )]. Then h(x j ) = h(y i ) and x j y i both hold: a collision. The above algorithm should terminate when y i for i 2 b/2 is reached. There are also memoryless (using cycle-finding algorithms) and parallel versions. 12/38

13 Outline Hash Functions Birthday Paradox Design of Hash Functions SHA-3 SHA-2 13/38

14 Hash function design: Merkle-Damgård R. Merkle (1979), I. Damgård (1989) Provably secure construction: resulting hash function h is collision-resistant if compression function f is collision-resistant. Many popular hash functions use this construction. (MD5, SHA-1, Whirlpool) Preparing the message 1. Append a 1 bit to the message. (Termination) 2. Append the fewest number of 0 bits until the message length is precisely L bits less than a full block. (Padding) 3. Append the bit length of the original message as a L-bit integer. This results in the n-block message m = m 1 m 2... m n. (This padding and length appending method is different from CMS (RFC 5652), see Lecture 3.) 14/38

15 Merkle-Damgård operation Hashing the message 1. Set H 0 = IV. 2. Set H i = f (H i 1, m i ) for 1 i n. 3. Output g(h n ) as the hash value, where g is a finalisation function. H i is called the chaining value. f is called the compression function. 15/38

16 Compression functions A compression function is a map {0, 1} l {0, 1} b from l bits to b bits with l > b. Usually l = 2b. Realizing compression functions There are two common ways to obtain a compression function. 1. It can be dedicated construction specifically designed for a hash function (MD5, SHA-1, SHA-2). 2. It can be constructed using a block cipher (Whirlpool, Grøstl use the AES). There are many such constructions with good one-way properties. 16/38

17 Compression function design: Davies-Meyer (1984) Uses the current message block as the key and encrypts the previous chaining value. The XOR-sum of this output and the previous chaining value yields the next chaining value. H i = f (m i, H i 1 ) = E mi (H i 1 ) H i 1 where E K (x) is the encryption of x with key K. 17/38

18 Other similar designs Matyas-Meyer-Oseas (1985) Miyaguchi-Preneel (1993) Block-size and key-size of the block cipher can be different. 18/38

19 Different approach: The sponge construction M: message c: capacity r: rate Z : digest f: permutation of b = r + c bits 19/38

20 The sponge construction The message is padded to form a multiple of r-bit blocks Absorbing phase: At each step r-bits of the message are Xored to r bits of the state When we finish to process the message we change to the squeezing phase Squeezing phase: At each step r-bits of the state are output to form the digest 20/38

21 The security of sponge constructions The security of sponge constructions depends on c and l. Attack type Generic complexity Pre-image 2 l and 2 c Second-preimage 2 l and 2 c/2 Collision 2 l/2 and 2 c/2 21/38

22 History MD4 (1990) MD5 (1991), SHA-0 (1993), SHA-1(1995), SHA-2 (2001): Part of the same family MD5: security of 64 bit. Now broken SHA-0: security of 80 bits. Now broken SHA-1: security of 80 bits. First practical collision in 2017 SHA-2: security of 112, 128, 192,256 bits also referred as SHA-224, SHA-256, 22/38

23 Hash functions: NIST & Community design effort NIST SHA-3 competition ( ) NIST run a public contest to adopt a new standard hash function Nov Official call for submissions Oct Candidates due: 64 submissions, 51 entries selected for round 1. (Subsequently, many were completely broken.) 2009 Jul 14 entries selected for round Dec 5 entries selected for round 3: finalists are BLAKE, Grøstl, JH, Keccak, Skein Oct Announcing the winner: Keccak Observations Many AES-based submissions. Not many classical Merkle-Damgård submissions. 23/38

24 Outline Hash Functions Birthday Paradox Design of Hash Functions SHA-3 SHA-2 24/38

25 Keccak and the SHA3-standard SHA3 subset of the different Keccak versions. Standardized by the NIST in 2015 Based on the Sponge construction The description given in this lecture is not complete. http: //nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf for the full description. 25/38

26 SHA-3 parameters f is a permutation (KeccakF) l is the output length (digest length) Name l c r Security (bits) SHA SHA SHA SHA In all these versions c + r = /38

27 The KeccakF function Description of the 1600-bit permutation bits Each square =1 bit 0 x, y 4, 0 z 63 Idea: Can be represented by 25 integer values 27/38

28 The round function The f function: 24 rounds 1 round: Given the state A and the round index ir Rnd(A, ir) = ι ir χ π ρ θ(a) The different functions are given in the next slides. 28/38

29 The θ function y z z x Sum all columns Add the sum of 2 columns (x 1, z) (x + 1, z 1) to a bit value (x, y, z) 29/38

30 The ρ function Rotate each lane by a given value (25 lanes) 30/38

31 The π function Rearrange the positions of the lanes 31/38

32 The χ function x 1 x 2 x 3 x 1 XOR each bit with a non-linear function of two other bits in its row Coordinate, example, x 1 x 1 + x 2 x 3 Behave like a 5-bit Sbox 32/38

33 The ι function Modify some of the bits of Lane (0, 0) in a manner that depends on the round index ir If the lane are represented as 64-bit integer then the step consists of 1 Xor with the round constant. 33/38

34 Outline Hash Functions Birthday Paradox Design of Hash Functions SHA-3 SHA-2 34/38

35 Design of SHA-256 Classical Merkle-Damgård construction. H 0 = IV, H j+1 = f (H j, m j ), hash = H t. Each m j is 512 bits (16 32 bits) The state update starts from the previous 256-bit chaining value H j = (A, B, C, D, E, F, G, H) and apply 64 times the step function described in the next slides. K i : 32-bit step constants W i : 32-bit expanded message block 35/38

36 One step of the compression function of SHA /38

37 The internal components Ch(E, F, G) = (E F) ( E G) Ma(A, B, C) = (A B) (A C) (B C) Σ 0 (A) = (A 2) (A 13) (A 22) Σ 1 (E) = (E 6) (E 11) (E 25) is the addition modulo /38

38 Supplemental reading Understanding cryptography Chapter 11 Handbook of applied cryptography Chapter 9 38/38