Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication

Similar documents
Vortex. A New Family of One-Way Hash Functions. Based on AES Rounds and Carry-less Multiplication. Intel Corporation, IL

Security Enhancement of the Vortex Family of Hash Functions

Winter 2011 Josh Benaloh Brian LaMacchia

Elastic Block Ciphers: Method, Security and Instantiations

Cryptographic Algorithms - AES

NEW COMPRESSION FUNCTION TO SHA-256 BASED ON THE TECHNIQUES OF DES.

Journal of Global Research in Computer Science A UNIFIED BLOCK AND STREAM CIPHER BASED FILE ENCRYPTION

Computer and Data Security. Lecture 3 Block cipher and DES

Cryptography and Network Security

Content of this part

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

A Related Key Attack on the Feistel Type Block Ciphers

Data Encryption Standard (DES)

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Permutation-based symmetric cryptography

Cryptography and Network Security. Sixth Edition by William Stallings

Keywords :Avalanche effect,hamming distance, Polynomial for S-box, Symmetric encryption,swapping words in S-box

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Improved Truncated Differential Attacks on SAFER

CSC 474/574 Information Systems Security

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 4 The Advanced Encryption Standard (AES) ver. October 28, 2009

Cryptography. Summer Term 2010

A New Technique for Sub-Key Generation in Block Ciphers

Spring 2010: CS419 Computer Security

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Elastic Block Ciphers: The Feistel Cipher Case

A METHOD FOR SECURITY ESTIMATION OF THE SPN-BASED BLOCK CIPHER AGAINST RELATED-KEY ATTACKS

On the Design of Secure Block Ciphers

Lecture 1 Applied Cryptography (Part 1)

Practical Aspects of Modern Cryptography

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

Chapter 6. New HASH Function. 6.1 Message Authentication. Message authentication is a mechanism or service used for verifying

Cryptographic Hash Functions

Symmetric Cryptography. Chapter 6

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

ENEE 459-C Computer Security. Symmetric key encryption in practice: DES and AES algorithms

Hash Function. Guido Bertoni Luca Breveglieri. Fundations of Cryptography - hash function pp. 1 / 18

CSCE 715: Network Systems Security

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

Security Analysis of Extended Sponge Functions. Thomas Peyrin

Lecture 5. Cryptographic Hash Functions. Read: Chapter 5 in KPS

Cryptographic Hash Functions. William R. Speirs

Security Analysis of a Design Variant of Randomized Hashing

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key

e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Hash Algorithm Module No: CS/CNS/28 Quadrant 1 e-text

FPGA Based Design of AES with Masked S-Box for Enhanced Security

Delineation of Trivial PGP Security

Cryptographic Hash Functions

Integral Cryptanalysis of the BSPN Block Cipher

Chapter 6: Contemporary Symmetric Ciphers

Implementing AES : performance and security challenges

Security. Communication security. System Security

Symmetric Cryptography

Two Attacks on Reduced IDEA (Extended Abstract)

Content of this part

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

The Security of Elastic Block Ciphers Against Key-Recovery Attacks

Elastic Block Ciphers: The Feistel Cipher Case

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Block Ciphers. Secure Software Systems

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Keccak discussion. Soham Sadhu. January 9, 2012

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

Lecture 2: Secret Key Cryptography

AIT 682: Network and Systems Security

CENG 520 Lecture Note III

A SIMPLIFIED IDEA ALGORITHM

The road from Panama to Keccak via RadioGatún

Secret Key Cryptography

Design of block ciphers

Cryptanalysis of Block Ciphers Based on SHA-1 and MD5

Speeding Up AES By Extending a 32 bit Processor Instruction Set

Hill Cipher with Parallel Processing Involving Column, Row Shuffling, Permutation and Iteration on Plaintext and Key

in a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a

Block Ciphers Introduction

Private-Key Encryption

Cryptography and Network Security. Sixth Edition by William Stallings

Multiple forgery attacks against Message Authentication Codes

P2_L6 Symmetric Encryption Page 1

CPSC 467b: Cryptography and Computer Security

The Grindahl hash functions

Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl

A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam Patel 3 Rakesh Patel 4

Secret Key Algorithms (DES)

Introduction to Modern Symmetric-Key Ciphers

Introduction to cryptology (GBIN8U16)

Message Authentication Codes and Cryptographic Hash Functions

Implementation of Full -Parallelism AES Encryption and Decryption

Optimized AES Algorithm Using FeedBack Architecture Chintan Raval 1, Maitrey Patel 2, Bhargav Tarpara 3 1, 2,

Design of an Efficient Architecture for Advanced Encryption Standard Algorithm Using Systolic Structures

Differential Cryptanalysis

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Differential-Linear Cryptanalysis of Serpent

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Transcription:

Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less ultiplication Shay Gueron 2, 3, 4 and ichael E. Kounavis 1 1 Corresponding author, Corporate Technology Group, Intel Corporation, Hillsboro, OR, USA 2 Department of athematics, University of Haifa, Haifa, ISRAEL, 3 Applied Security Research Group, Center for Computational athematics and Scientific Computations, University of Haifa, Haifa, ISRAEL 4 obility Group, Intel Corporation, IDC, Haifa, ISRAEL Abstract. We present Vortex a new family of one way hash functions that can produce message digests of 256 bits. The main idea behind the design of these hash functions is that we use well known algorithms that can support very fast diffusion in a small number of steps. We also balance the cryptographic strength that comes from iterating block cipher rounds with SBox substitution and diffusion (like Whirlpool) against the need to have a lightweight implementation with as small number of rounds as possible. We use only 3 AES rounds as opposed to 10 since our goal is not to protect a secret symmetric key but to support perfect mixing of the bits of the input into the hash value. Three AES rounds are followed by our variant of Galois Field multiplication. This achieves cross-mixing between 128-bit sets. We present a set of qualitative arguments why we believe Vortex supports collision resistance and first pre-image resistance. 1 Introduction Guaranteeing message and code integrity is very important for the security of applications, operating systems and the network infrastructure of the future Internet. Protection against intentional alteration of data is typically supported using one way hash functions. A one way hash function is a mathematical construct that accepts as input a message of some length and returns a digest of much smaller length. One way hash functions are designed in such a way that it is computationally infeasible to find the input message by knowing the digest only. One way hash functions which have been in use today include algorithms like D-5 and SHA1. One way hash functions which are likely to be used in the future include SHA256, SHA384 and SHA512 [10].The problem with using these algorithms is that they are time consuming when implemented in software. One way hash functions typically involve multiple shifts, XOR and ADD operations which they combine in multiple rounds in order to produce message digests. Because of this reason, one way hash functions consume a substantial number of processor clocks when executing which limits their applicability to high speed secure network applications (e.g., 10 Gbps e-commerce transactions), or protection against malware (e.g., hashed code execution). In this document we describe an alternative approach where a family of one way hash function is built from other security algorithms used as building blocks, which help with achieving fast mixing across a large number of input bits. Using the erkle-damgård construction [6, 7]

as a framework we construct a compression function from AES rounds and a novel merging technique based on Galois Field (GF(2)) multiplication. Using three successive AES rounds we provide mixing across 128 bits. Using a merging function based on Galois Field (GF(2)) multiplication we provide mixing across sets of 128 bits. Perfect mixing is accomplished through combinations of AES rounds and our merging function. We have conducted 2 20 experiments computing the collision resistance and the pseudorandom oracle preserving property of our family. Whereas our work is in progress our first results indicate that there is no experimental evidence that Vortex is inferior in terms of its collision resistance and pseudorandom oracle preserving property when compared to SHA256. Performance-wise, however, the difference is substantial. SHA256 operates at 21 cycles per byte on a Core 2 Duo processor. Vortex is expected to operate at a speed of 1.5 cycles per byte in future CPUs with instruction set support for AES round computation and Galois Field (GF(2)) multiplication, which is the current trend in processor industry. We believe that the design of the Vortex family is important because it represents a scalable on-the-cpu solution for message and code integrity and can be used for supporting both high speed secure networking and protection against malware in next generation computing systems. The document is structured as follows: In Section 2 we describe the design methodology of the Vortex family. In Section 3 we describe the algorithm. In Section 4 we describe our experiments and present qualitative arguments why we believe the Vortex family is secure. Finally in Section 5 we provide some concluding remarks. 2 Design ethodology of the Vortex Family Vortex represents a new family of one way hash functions that can produce message digests of 256 bits. The main idea behind the design of these hash functions is that well known algorithms can support very fast diffusion in a small number of steps. Our intent is to allow each bit of an input block to affect all bits of a hash after a small number of computations. The algorithms we use in our design are: The AES round due to its capability to perform very fast mixing across 32-bits as a stand-alone operation and 128-bits if combined with at least one more round; and: A variant of Galois Field (GF(2)) multiplication due to its capability to cross mix bits of different sets (i.e., the input operands) in a manner that is cryptographically stronger than the simpler Feistel reordering proposed in modes like DC-2 [3]. We also balance the cryptographic strength that comes from iterating block cipher rounds with SBox substitution and diffusion (like Whirlpool) against the need to have a lightweight implementation with as small number of rounds as possible. We use only 3 AES rounds as opposed to 10 since our goal is not to protect a secret symmetric key but to support perfect mixing of the bits of the input into the hash value. The design choice of 3 comes from the fact that 2 rounds is the bare minimum number needed for 128-bit wide mixing. Our design, however, is open for introducing more rounds if this is proven necessary in the future. Three AES rounds are followed by our variant of Galois Field ultiplication. This achieves cross-mixing between 128-bit sets. Our transformation is not simple carry-less multiplication but is combined with some bit reordering and combination of XORs and additions with carries. In this way our variant of Galois Field ultiplication: achieves better cross-mixing than the straightforward carry-less multiplication between the 128-bit inputs is a non commutative operation protecting against attacks based on swapping the order of the chaining variables in the processing of a message.

Our family of one way hash functions uses the AES round as specified in the standard FIPS- 197 as a building block but also introduces new a merging functions for combining the outputs of AES round transformations into 256-bit digests as explained in detail below. A B A B A B W 0, W 1, W W 4m, W 4m+1, 4, W 5, W 2, W W 3 W 4m+2, W 4m+3, 6, W 7 Figure 1: Vortex as a erkle-damgård construction 3 Algorithm Description Vortex processes an input stream as a sequence of 512-bit blocks. The stream is padded with a 1. If the length of the stream is not a multiple of 512 minus 96, then the stream is padded with zeros following the 1. The last 96 bits indicate the configuration of the hash (32 bits) and the length of the stream (64 bits). Each block is divided into two sub-blocks of 256 bits each and each sub-block is divided into words W 0 and W 1 of 128 bits each. Vortex operates on 2 128-bit variables A and B initialized to some constant values. It processes each block using AES rounds modifying the values of A and B. In the end it returns the concatenation of A and B A B.The algorithm for processing a sub-block is the following: Vortex sub-block(a, B, W 0, W 1 ) { ; W 0, W 1 be the words of the current sub-block to be processed A AW ( A) 0 B A ( } W1 A B V return(a, ( A) ( A, The algorithm for processing a block is the following: Vortex block(a, B, W 0, W 1, W 2, W 3 ) { ( A, ( A, Vortex sub-block(a, B, W 0, W 1 ) ; uses W 0 and W 1 ( A, ( A, Vortex sub-block(a, B, W 2, W 3 ) ; uses W 2 and W 3 }

As one can see the Vortex block is essentially a erkle-damgård construction. It accepts a chaining variable A B and four input words W 0, W 1, W 2, W 3 and returns an updated value of the chaining variable A B. Such construction in illustrated in Figure 1. The other aspect that can be observed is that Vortex block incorporates a Davies-eyer structure around the Vortex sub-block in order to make the transformation non-reversible. Such structure is repeated twice as shown in Figure 2: A B vortex-1 sub-block vortex-1 sub-block A B W 0, W 1 W 2, W 3 Figure 2: Davies-eyer structure of the Vortex block A B W 0 AW0 (A) W 1 A W1 ( V (A) (A, A B Figure 3: Vortex sub-block The Vortex sub-block is built upon two mathematical functions: The transformation AK ( x ) ( ) which is a lightweight block cipher and the merging function V A ( A,. There are two instances of the transformation AK ( x ) in the Vortex sub-block. Each instance processes a different chaining variable among A, B. Each instance of the transformation AK ( x ) treats its input chaining variable as a plaintext and its input word, which is one from W 0, W 1, W 2, W 3, as

( ) a key as it is the norm in the Davies-eyer structure. The merging function V A ( A, combines the outputs of the two instances of AK ( x ) into the new value of the concatenation A B of the chaining variables A, B. The structure of the Vortex sub-block is shown in Figure 3. The transformation AK ( x ) is a lightweight block cipher based on an AES round that encrypts x, which is 128 bits long, using the key K. AK ( x ) uses three AES rounds as specified in the standard FIPS-197 [1]. Each AES round consists of a round key addition in GF(2), followed by an SBox substitution phase, followed by the ShiftRows transformation, followed by the ixcolumns transformation. The key schedule algorithm used by AK ( x ) is different from that of AES. AK ( x ) uses three 128-bit wide Rcon values RC 1, RC 2 and RC 3 to derive three round keys RK 1, RK 2 and RK 3 as follows: RK 1 SBox(K RC 1 ) RK 2 SBox(RK 1 RC 2 ) RK 3 SBox(RK 2 RC 3 ) where by we mean addition modulo 2 128. As explained before, a single AES round performs diffusion across 32 bits. This is accomplished through the combination of the S-Box and ix Columns transformations. Two AES rounds diffuse across 128 bits. This is accomplished through the combination of the subsequent Shift Rows and ix Columns transformations. Three rounds further strengthen the diffusion performed. The Rcon values can be considered fixed or deriving from A and B. The exact relationship between Rcon, A, B is yet to be determined. B 1 B 0 A 1 A 0 I 1 I 0 O 1 O 0 new B 1 new B 0 new A 1 new A 0 Figure 4: The erging Function of Vortex ( ) The merging function, shown in Figure 4, V A ( A, operates as follows: ( ) V A { ( A,

} let A = [A 1, A 0 ] let B = [B 1, B 0 ] O A0 B1 I A1 B0 let I = [I 1, I 0 ] let O = [O 1, O 0 ] return [B 1 I 1, B 0 O 0, A 1 O 1, A 0 I 0 ] where by we mean addition modulo 2 64, and we mean carry-less multiplication. The merging g function is based on carry-less multiplication. This is stronger than Feistel reordering which is a simple bit permutation. Our merging function makes sure that the bits of A impact the bits of B and vice versa. In fact, each bit of one variable affects a significant number of the bits of the other variable in a non-linear manner. This makes our design better than a straightforward XOR or other simple mathematical operation. One can also observe that even though our merging function is strong cryptographically, it does not accomplish perfect mixing by itself. This is because each bit of A or B affects a large number of bits of the other variable but not all of them. Perfect mixing is accomplished by the 3 AES rounds that follow our merging function. So, for a pair of input words W 0, W 1 perfect mixing is accomplished after a sequence of 3 AES rounds (mix across 128 bits), merging using Galois Field multiplication (cross-mix across 128 bit sets but not perfect mixing) and another set of 3 AES rounds as part of the sub-block processing to follow. For this reason whereas a regular Vortex sub-block is processed using 3 AES rounds and a merging function, the last Vortex sub-block is processed using 3 AES rounds, merging, yet another 3 AES rounds and subsequent merging again. 4 Security and Performance of Vortex The security of the Vortex family was investigated experimentally by conducting a large number of experiments (2 20 ) hashing the Vortex specification document with random perturbations, which were superimposed on it. For these experiments we computed the probability of collision and the distribution of the output differentials. Subsequently we compared the numbers we got from Vortex with numbers we got from SHA256. No collision occurred in our experiments. Our first results indicated that there is no experimental evidence that Vortex is inferior in terms of its collision resistance and pseudorandom oracle preserving property when compared to SHA256. In fact our results can be interpreted that there is strong indication that the Vortex family is at least as secure as SHA256 even though it uses a small number of block cipher rounds. There are several reasons for this. First AES round is a good mixing function. The key used is completely data dependent and hence our scheme does not suffer from known attacks on compression functions that use a small set of keys [8]. The key schedule transformation of Vortex is stronger than AES due to the fact that the SBox transformation is applied across each 128 bit round key as opposed to 32 bits only and that round constants are added using integer addition modulo 2 128 as opposed to XOR. It is the combination of two independent sources of nonlinearities in the key schedule, i.e., addition with carries and inversion in GF(256) that makes the key schedule transformation provides potentially effective against differential attacks -even though the number of AES rounds is reduced for achieving better performance. The merging function of Vortex combines linear (XORs) and non-linear (adds with carries) transformations with 64-bit carry-less multiplication building blocks. This operation is non-

commutative and when combined with previous and subsequent AES rounds and Galois Field multiplication achieves perfect mixing across 256 bits. By designing the merging function to be non-commutative we destroy any symmetry in the computation of the Vortex sub-block that could be a potential source of collision. If Vortex was designed such that its merging function is commutative, then an attacker could easily create a collision by generating a message that swaps the position of chaining variables A and B as compared to another given message. A more thorough analytical study on the security of the Vortex family is yet to be conducted. As past of future work we plan to develop a methodology for computing the collision resistance and the first pre-image resistance of our construction based on the divide-and-conquer approach that was first developed in the study of the DC-2 mode by Steinberger [3]. Such approach helps with reasoning about the collision and pre-image resistance of specific components of hash functions. Components of hash functions include adders, shifters, XORs, S- Boxes, linear diffusers, bit permutations etc. Whereas our merging function is more complex than the DC-2 mode of operation we believe that it can be potentially analyzed due to the fact that it combines relatively simple building blocks (i.e., multipliers adders and XORs). In addition multipliers are carry-less accepting small size input operands (i.e., 64 bits). These facts make the collision and pre-image resistance of our construction potentially easier to compute than DC-2. This is work in progress. We believe that future designs of the Vortex family may be different than what is described in this paper. As part of future work we want to investigate the optimal relationship between the Rcon constants of the Vortex key schedule and the chaining variables A, B. We would like to also investigate whether the presence of simple carry-less multiplication is sufficient in the merging function or not. Any non-zero operand multiplied with zero results in zero. Such fact can increase the collision probability associated with merging function of Vortex. If this is proven to be a design deficiency it can be potentially corrected with simple modifications to the algorithm. For example, a single carry-less multiplication can be replaced by two multiplications where in one of the two operands are XOR-ed with a correcting constant and the results of the multiplications are XOR-ed with each other. We estimate that the Vortex family of algorithms can have substantial performance gain when implemented in software in future processors with support for AES round computation and Galois Field multiplication. This is the current trend in the industry. Expected performance is at 1.5 cycles per byte which is approximately 14X gain as compared to SHA256. 5 Concluding Remarks We presented Vortex a new family of one way hash functions that can produce message digests of 256 bits. The main idea behind the design of these hash functions is that we use well known algorithms that can support very fast diffusion in a small number of steps. We presented a set of qualitative arguments why we believe Vortex supports collision resistance and first preimage resistance and described a setoff experiments that gave us confidence that the Vortex design is not inferior to SHA256 in terms of its security properties. Performance-wise the expected difference between Vortex and earlier work is substantial. SHA256 operates at 21 cycles per byte on a Core 2 Duo processor. Vortex is expected to operate at a speed of 1.5 cycles per byte in future CPUs with instruction set support for AES round computation and Galois Field (GF(2)) multiplication. We believe that the design of the Vortex family is important because it represents a scalable on-the-cpu solution for message and code integrity and can be used for supporting both high speed secure networking and protection against malware in next generation computing systems.

References 1. Advanced Encryption Standard, Federal Information Processing Standards Publication 197, available at: http://csrc.nist.gov/publication/fips 2. J. Daemen and V. Rijman, The Wide Trail Design Strategy, B. Honary (Ed.): Cryptography and Coding 2001, LNCS 2260, pp. 222-238, Springer Verlag 2001. 3. J. P. Steinberger, The Collision Intractability of DC-2 in the Ideal Cipher odel, Advances in Cryptology - EUROCRYPT 2007, LNCS 4515, pp. 35-41, 2007 4. L. Knudsen, X. Lai and B. Preneel, Attacks on Fast Double Block Length Hash Functions, Journal of Cryptology, No. 11, pp. 59-72, International Association for Cryptologic Research, 1998. 5. S. Lucks, Design Principles for Iterated Hash Functions, Cryptology eprint Archive, Report 2004/253, 2004. Available at: http://eprint.iacr.org 6. I. Damgård, A Design Principle for Hash Functions, Advances in Cryptology CRYPTO 1989, LNCS 435, pp. 416-427, 1989. 7. R. erkle, One Way Hash Functions and DES, Advances in Cryptology CRYPTO 1989, LNCS 435, pp. 428-446, 1989. 8. J. Black,. Cochran and T. Shrimpton, On the Impossibility of Highly Efficient Block Cipher-based Hash Functions, Advances in Cryptology EUROCRYPT 2005, LNCS 3494, pp. 526-541, 2005. 9.. Bellare and T. Ristenpart, ulti-property-preserving Hash Domain Extension and the ED Transform, Advances in Cryptology ASIACRYPT 2006, LNCS 4284, pp. 299-314, 2006. 10. Secure Hash Standard, Federal Information Processing Standards Publication 180-2, available at: http://csrc.nist.gov/publication/fips

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback