Cryptography. Summer Term 2010


Summer Term 2010 Chapter 2: Hash Functions

Contents
- Definition and basic properties
- Basic design principles and SHA-1
- The SHA-3 competition


Definition and applications
A hash function h is a function with two properties:
- Compression: h : {0,1}* -> {0,1}^n
- Ease of computation: The computation of h(m) is 'fast'.
For use in cryptography, we have to impose further conditions (see next slide).
Notation: m is a 'document', h(m) its hash value or digest.
Sample applications:
- Storage of passwords
- Electronic signatures (MAC, asymmetric signatures)
- Forensics

Basic properties for use in cryptography
- Preimage Resistance: Given a hash value H, it is infeasible in practice to find an input (a document m) with H = h(m).
- Second Preimage Resistance: Given a document m, it is infeasible in practice to find a second document m' with m ≠ m' and h(m) = h(m').
- Collision Resistance: It is infeasible in practice to find any two documents m, m' with m ≠ m' and h(m) = h(m').
Relation to birthday problems A and B?

Hardness of basic properties
Assumptions:
- Hash values behave randomly.
- Security threshold is 2^{100} hash value computations.
Expected number of trials of a brute-force-attack:
- Preimage computation:
- Second preimage computation:
- Collision:
Lower bound of n to avoid each attack
A today's hash function SHALL satisfy n
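Added example (not part of the original slides): a brute-force collision search and a brute-force second-preimage search against a toy hash with a small n, so the difference in effort between the two properties can be measured. The toy hash h_n (SHA-256 truncated to n bits) and the sample documents are constructed for this illustration; under the random-behaviour assumption a collision takes on the order of 2^{n/2} trials and a second preimage on the order of 2^n.

```python
import hashlib


def h_n(message, n_bits):
    """Toy hash with an n-bit digest: the first n bits of SHA-256(message)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - n_bits)


def candidates(prefix):
    """Endless stream of distinct constructed documents."""
    i = 0
    while True:
        yield b"%s-%d" % (prefix, i)
        i += 1


def find_collision(n_bits):
    """Birthday search: remember every digest seen until one repeats."""
    seen = {}
    for trials, m in enumerate(candidates(b"doc"), start=1):
        d = h_n(m, n_bits)
        if d in seen:
            return seen[d], m, trials
        seen[d] = m


def find_second_preimage(m, n_bits):
    """Search against one fixed document m: only its own digest is a hit."""
    target = h_n(m, n_bits)
    for trials, m2 in enumerate(candidates(b"try"), start=1):
        if m2 != m and h_n(m2, n_bits) == target:
            return m2, trials


if __name__ == "__main__":
    n = 16
    m1, m2, c_trials = find_collision(n)
    m3, p_trials = find_second_preimage(b"contract-v1", n)
    print(f"n={n}: collision after {c_trials} trials, "
          f"second preimage after {p_trials} trials")
```

The same searches become infeasible once n is large enough that 2^{n/2} exceeds the security threshold.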

Relationship of basic properties
Our proofs make use of the following logical rule: Let A and B be two assertions. Then:
  ( A => B ) <=> ( not B => not A )
Example: A: n = 2, B: n is an even integer
- Preimage resistance vs. Collision resistance
- Second preimage resistance vs. Collision resistance
- Preimage resistance vs. Second preimage resistance

OWHF and CRHF
Let h be a hash function as defined above.
- One-way hash function (OWHF): If h additionally is preimage resistant and second preimage resistant, then it is called a OWHF.
- Collision resistant hash function (CRHF): If h additionally is collision resistant, it is called a CRHF.
Relationship between OWHF and CRHF as described above.
Digital signature schemes like RSA, DSA or ECDSA require a CRHF.

MDC and MAC
Modification detection code (MDC):
- A OWHF or a CRHF, which shall provide integrity or authenticity in conjunction with additional mechanisms (e.g. writing the MDC down on a paper).
- An MDC has only one input: A document.
- An MDC is unkeyed.
Message authentication code (MAC):
- A OWHF or a CRHF, which shall provide integrity or authenticity without additional mechanisms.
- A MAC requires two inputs: A document and a secret key (i.e. a MAC is keyed).

Classification of cryptographic hash functions (figure not reproduced). Source: Handbook of Applied

Avalanche effect
Let m and h(m) be given.
- If m is replaced by m', h(m') behaves pseudo randomly.
- One has no control over the output, if the input is changed.
- Hash functions are assumed to be surjective.
Example: If only one bit in m is changed to get m', the two outputs h(m) and h(m') look 'very' different. Every bit in h(m') changes with probability 50%, independent of the number of different bits in m'.
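Added example (not part of the original slides): a measurement of the avalanche effect that flips every input bit of a document in turn and records how often each output bit changes. The function names and the sample document are constructed for this illustration.

```python
import hashlib


def flip_bit(message, i):
    """Return a copy of message with bit i (0 = most significant bit) inverted."""
    out = bytearray(message)
    out[i // 8] ^= 0x80 >> (i % 8)
    return bytes(out)


def avalanche(message, hash_name="sha256"):
    """Flip each input bit once; return (mean, min, max) flip rate of the output bits."""
    def h(data):
        return int.from_bytes(hashlib.new(hash_name, data).digest(), "big")

    n = hashlib.new(hash_name).digest_size * 8       # digest length n in bits
    flips = 8 * len(message)
    base = h(message)
    changed = [0] * n                                # per output bit: times it changed
    for i in range(flips):
        diff = base ^ h(flip_bit(message, i))        # 1-bits mark changed positions
        for j in range(n):
            changed[j] += (diff >> j) & 1
    rates = [c / flips for c in changed]
    return sum(rates) / n, min(rates), max(rates)


# Constructed 32-byte sample document (256 single-bit variants).
SAMPLE = b"hash functions, summer term 2010"

if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256"):
        mean, low, high = avalanche(SAMPLE, name)
        print(f"{name}: mean {mean:.3f}, per-bit range {low:.3f} .. {high:.3f}")
```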

Sample hash functions
- MD5: n = 128
- SHA-1: n = 160
- SHA-2 family: SHA-256, SHA-384, SHA-512
- RIPEMD family: RIPEMD-160, RIPEMD-256, RIPEMD-320
Demo:
- Computation of hash values using openssl
- Avalanche effect
- Performance

Improving security for given hash functions
Two well-known methods:
- Cascading hash functions
- HMAC (only for MACs)
Cascading hash functions:
- Let two hash functions h1 and h2 be given
- Set h(m) = h1(m) || h2(m)
- The hash function h is collision resistant, even if only one of the hash functions h1 or h2 remains collision resistant

Extending a MAC to HMAC
Idea: Iteratively hash a document
Due to Bellare, Canetti, Krawczyk
Description:
- Let h be a hash function
- There are two fixed padding sequences:
  - Outer padding: opad=3636...36
  - Inner padding: ipad=5c5c...5c
- Set HMAC = h( (k XOR opad) || h( (k XOR ipad) || m ) )
Security: Harder to find a collision for an HMAC than for the underlying hash function
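Added example (not part of the original slides): the nested construction written out over a plain hash function and checked against Python's hmac module. It follows RFC 2104, which assigns the byte 0x36 to ipad and 0x5c to opad; the last check shows that exchanging the two bytes produces tags that no standard implementation accepts. Key, document and function names are constructed for this illustration.

```python
import hashlib
import hmac


def hmac_manual(key, message, hash_name="sha1", ipad_byte=0x36, opad_byte=0x5C):
    """HMAC = h((k XOR opad) || h((k XOR ipad) || m)), built from a plain hash h."""
    def h(data):
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size   # r / 8 = 64 bytes for SHA-1
    if len(key) > block_size:                        # long keys are hashed first
        key = h(key)
    key = key.ljust(block_size, b"\x00")             # then zero-padded to one block
    inner = bytes(b ^ ipad_byte for b in key)
    outer = bytes(b ^ opad_byte for b in key)
    return h(outer + h(inner + message))


def verify(key, message, tag, hash_name="sha1"):
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


# Constructed sample inputs.
KEY = b"constructed-demo-key"
DOC = b"pay 100 EUR to account 42"

if __name__ == "__main__":
    tag = hmac_manual(KEY, DOC)
    print("matches hmac module:", tag == hmac.new(KEY, DOC, "sha1").digest())
    print("modified document accepted:", verify(KEY, DOC + b"0", tag))
    swapped = hmac_manual(KEY, DOC, ipad_byte=0x5C, opad_byte=0x36)
    print("swapped pad bytes interoperate:", swapped == tag)
```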


Merkle-Damgard construction: Idea
The MD-construction requires a compression function: f : {0,1}^s -> {0,1}^n with s > n.
Remark: The input size (in bits) is fixed.
Merkle-Damgard set s = r + n
Basic idea to extend f to h (padding is left out):
- Split up the input m of h to blocks of length r bits: m = m1 m2 ... mt
- Iteratively apply f to each block, where the current input is:
  - n bits of the previously computed output of f.
  - r bits of the current processed block of m.

Merkle-Damgard construction: Overview (figure not reproduced). Source: Handbook of Applied
Notation remarks:
- Document is referred to as x
- IV = Initialisation Vector
- Often g is the identity map

Merkle-Damgard construction: Formal algorithm (figure not reproduced)

Merkle-Damgard construction: Security
Fundamental fact: If the compression function f is collision resistant, then the MD-extended hash function h is collision resistant, too.
Remark:
- We have to fix an initial hash block H0: IV.
- We have to apply an appropriate padding including the length of the input.
Almost all current hash functions implement the MD-design:
- MD4, MD5
- RIPEMD-family
- SHA-family (SHA-1, SHA-2)

SHA-1
Standardised in FIPS PUB 180-2 from 2002: Secure Hash Standard (SHS)
SHA-1 is based on the same design principles as MD4:
- Unary operators: Logical NOT, cyclic SHIFT
- Binary operators: Bitwise AND, bitwise OR, XOR
- Addition modulo a word of length 32 bit (i.e. mod 2^{32})
SHA-1 is based on four compression functions (see later):
- Each has n = 160 and r = 512: s = r + n = 672
- Each one is applied in one part for 20 rounds
- SHA-1 comprises 4 parts and 80 rounds in total

SHA-1 overview
We make use of the notation from SHS. For example, a message block is denoted by M(i).
Three steps (according to Merkle-Damgard):
- Padding: Expand message length to a multiple of 512 bits.
- Splitting: Split message in N blocks of 512 bits. These blocks are denoted as M(1) to M(N).
- Iterative compression: Apply iteratively the compression function on M(1) to M(N). The intermediate hash values are H(1) to H(N).
The hash value of the message is H(N).

SHA-1 padding (1/2)
Let L be the bit length of the message m. Padding comprises three steps:
- Append a single '1' to the end of the message.
- Append minimal number of '0's until length is of the form 512k - 64.
- Write binary encoded L at the end (with least significant bit right).
The input to SHA-1 is m || 1 || 0...0 || L

SHA-1 padding (2/2)
Example from SHS: We want to compute SHA-1("abc").
- "abc" is the ASCII string of 'a', 'b', 'c' (of bit length 24).
- Thus we append a '1' and 423 '0's.
- Finally, we append the length 24.
Remarks: The maximum length of a SHA-1 input is This is equivalent to TBytes.

Overview of a SHA-1 round (figure not reproduced). Source: en.wikipedia.org

SHA-1 round functions
SHA-1 consists of 4 parts of 20 rounds each. Each part has its round function (table not reproduced):
- Input of a round function: Three 32 bit words.
- Output of a round function: A single 32 bit word.
Source: Secure Hash Standard

SHA-1 constants
- Each of the 4 SHA-1 parts has its own constant
- It is a 32 bit word, written in hexadecimal
(table not reproduced) Source: Secure Hash Standard

Initial hash value
- The initial hash value is denoted by H(0).
- Used as starting IV to apply the first round function on M(1)
- H(0) = H0(0) || H1(0) || H2(0) || H3(0) || H4(0) with (table of values not reproduced)
Source: Secure Hash Standard

Message contribution
- Each message block M(i) is 512 bits long.
- Write M(i) as a concatenation of 16 words of bit length 32: M(i) = M0(i) || M1(i) || M2(i) || ... || M15(i)
- Each of the 80 SHA-1 rounds requires a 32 bit word Wt:
  - Set Wt = Mt(i) for t = 0 to 15
  - Rounds t = 16 to 79 require a left-shifted and XORed combination of previously computed input words Wt
Source: SHS

SHA-1 round function to compute H(i)
SHA-1 makes use of 5 registers of 32 bits initialised as:
  a = H0(i-1), b = H1(i-1), c = H2(i-1), d = H3(i-1), e = H4(i-1)
The registers are manipulated within 80 rounds as: (figure not reproduced)
Source: Secure Hash Standard

SHA-1 computation of intermediate and final hash
Computation of intermediate hash H(i):
  H0(i) = a + H0(i-1), H1(i) = b + H1(i-1), H2(i) = c + H2(i-1), H3(i) = d + H3(i-1), H4(i) = e + H4(i-1)
The final SHA-1 hash is the final intermediate hash:
  h(m) = H0(N) || H1(N) || H2(N) || H3(N) || H4(N)
Source: Secure Hash Standard
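Added example (not part of the original slides): the SHA-1 steps described above (padding, splitting into 512-bit blocks, the word schedule Wt, the 80 rounds and the final addition) written out and checked against hashlib. The initial hash value, the four constants and the round functions are taken from the Secure Hash Standard; the function names are chosen for this illustration.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF                                    # addition is mod 2^32
# Initial hash value H(0) and the constant of each of the 4 parts (from the SHS).
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)

def rotl(x, s):
    """Cyclic left shift of a 32-bit word."""
    return ((x << s) | (x >> (32 - s))) & MASK

def zero_pad_bits(bit_len):
    """Minimal number of '0's after the single '1' to reach length 512k - 64."""
    return (447 - bit_len) % 512

def pad(message):
    """m || 1 || 0...0 || L for a byte string m, L as a 64-bit big-endian integer."""
    bit_len = 8 * len(message)
    zero_bytes = (zero_pad_bits(bit_len) - 7) // 8   # byte 0x80 = '1' plus 7 '0's
    return message + b"\x80" + b"\x00" * zero_bytes + struct.pack(">Q", bit_len)

def f(t, b, c, d):
    """Round function of the part that round t belongs to (20 rounds per part)."""
    if t < 20:
        return (b & c) | (~b & d)
    if 40 <= t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d                                 # parts 2 and 4

def compress(h, block):
    """One Merkle-Damgard step: H(i-1) and the block M(i) give H(i)."""
    w = list(struct.unpack(">16I", block))           # Wt = Mt(i) for t = 0..15
    for t in range(16, 80):                          # left-shifted XOR of earlier words
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        tmp = (rotl(a, 5) + f(t, b, c, d) + e + K[t // 20] + w[t]) & MASK
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip((a, b, c, d, e), h))

def sha1(message):
    """Hex digest H0(N) || ... || H4(N) of a byte string."""
    h, padded = H0, pad(message)
    for i in range(0, len(padded), 64):
        h = compress(h, padded[i:i + 64])
    return struct.pack(">5I", *h).hex()

if __name__ == "__main__":
    for m in (b"abc", b"abc\n"):                     # echo appends the newline
        print(m, sha1(m), sha1(m) == hashlib.sha1(m).hexdigest())
```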

Overview of different hash functions (table not reproduced). Source: Handbook of Applied
Wording, Handbook vs. Lecture:
- Round vs. Part
- Step vs. Round

Test vectors and subtleties
Source: Handbook of Applied
  $ echo abc | sha1sum
  03cfd743661f07975fa2f1220c5194cbaff48451  -

Security remarks on SHA-1
- Birthday attack = Brute force attack: 2^{80} trials
- X. Wang et al. (February 2005): 2^{69} trials
- X. Wang et al. (August 2005): 2^{63} trials
- C. McDonald et al. (May 2009): 2^{52} trials (however, they withdrew their estimate later)
General observations:
- Finding collisions for SHA-1 is much easier than using brute force
- We need a new long-term hash function: SHA-3


Overview
- The SHA-3 competition started on November 2, 2007
- Publication by NIST in the Federal Register: Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) family
General requirements:
- Output hash values of 224, 256, 384, 512 bits
- Replacement of SHA-2 (although SHA-2 is not withdrawn)
- No 160 bit output allowed (this fits to the security threshold of 100 bits)
- Similar process as the AES competition

NIST expectations
- Security strength is at least as good as SHA-2
- Attacks on SHA-2 are unlikely to work on SHA-3
- More efficient than SHA-2
- Maximum message length at least 2^{64} - 1 bits
- Interoperability: Implementable in a wide range of hardware and software platforms
- A single hash family is preferred
- Worldwide availability and royalty free use

Time schedule
- NIST hash workshop: 2005-10-31
- Initial publication: 2007-11-02
- Submission deadline for first round: 2008-08-31
- First candidate conference (KU Leuven): 2009, Feb.
- Second candidate conference: 2010, 2Q
- Candidate conference of finalists: 2012, 1Q
- Publication: 2012, 4Q

Round 1
- 64 submissions
- Announcement of 51 first round candidates on 2008-12-09
- First SHA-3 candidate conference: Feb. 25-28, 2009 at KU Leuven, Belgium
- All submitters of 51 first round candidates were invited to defend their proposals
- Preneel's statement at CASED distinguished lecture (May 14, 2009): From 30 candidates
  - 50 % follow MD-design
  - 25 % sponge design
  - 25 % Haifa
- July 24, 2009: 14 candidates were selected for round 2

Round 2
Sample candidates:
- by N. Ferguson, S. Lucks, B. Schneier, D. Whiting, M. Bellare, T. Kohno, J. Callas and J. Walker
- CubeHash by Dan Bernstein
- Keccak by G. Bertoni, J. Daemen, M. Peeters, G. Van Assche
Second SHA-3 candidate conference: August 23-24, 2010 at Santa Barbara in the scope of Crypto