# SHA Hash Functions History & Current State

## Presentation on theme: "SHA Hash Functions History & Current State"— Presentation transcript:

SHA Hash Functions History & Current State
Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information security consultant, Moscow, Russia.

SHA Hash Functions Hash functions cryptanalysis review.
SHA (SHA-0) & SHA-1. SHA-2. SHA-3 project.

Section 1. Hash functions cryptanalysis review
typical hash function structure; goals of hash functions cryptanalysis; cryptanalysis methods.

Typical hash function structure
Merkle-Damgård construction:

Primary goals of hash functions cryptanalysis
Collision: m1 and m2 with the same hash: h = hash(m1) = hash(m2) Multicollision: several messages with the same hash. Theoretical time consumption: 2n/2 operations for n-bit hash function.

Primary goals of hash functions cryptanalysis
First preimage: such m that for given h: hash(m) = h Second preimage: such m2 that for given m1: hash(m2) = hash(m1) Theoretical time consumption: 2n operations for n-bit hash function.

Primary goals of hash functions cryptanalysis
Secret key definition – for keyed hash functions or hash functions in keyed mode. Theoretical time consumption: 2k operations for k-bit key.

Secondary goals of hash functions cryptanalysis
Near-collision: m1 and m2 with hash values differ in several bits: hash(m1) ≈ hash(m2) Pseudo-collision: m1 and m2 with the same hash but with different initial values: hash(m1, IV1) = hash(m2, IV2) Theoretical time consumption: 2n/2 operations for n-bit hash function.

Secondary goals of hash functions cryptanalysis
Pseudo-preimage: such m that for given h: hash(IV, m) = h where IV is non-standard initial value. Theoretical time consumption: 2n operations for n-bit hash function.

Attacks on hash functions
Brute-force attacks Step-by-step searching over the target space. They define theoretical time consumption of any goal. Can be used for finding collisions, preimages or secret keys. Highly parallelizable. Can be accelerated greatly by specific hardware. Can be used in context of other attacks. They define suitable hash or key sizes.

Attacks on hash functions
Dictionary attacks A kind of brute-force attacks on a reduced target space (e.g. words of any dictionary). Typical application: finding a password for given hash value. Offline work – precounting a table for searching the required password.

Attacks on hash functions
Dictionary attacks The simplest case of tables: one hash for every password.

Attacks on hash functions
Dictionary attacks Hash chains – reducing the memory (Martin Hellman, 1980): p1  h1  p2  h2 … pN  hN

Attacks on hash functions
Dictionary attacks Hash chains – collision example:

Attacks on hash functions
Dictionary attacks Strengthening hash chains: Several tables with different R-functions. Variable length chains.

Attacks on hash functions
Dictionary attacks. Rainbow tables Several R-functions R1…RN-1 for every column of strings: cyclic strings are impossible; collisions lead to strings coincidence when occur in the same column only – that can be detected.

Attacks on hash functions
Dictionary attacks. Rainbow tables Invented by Philip Oechslin in 2003. Can be further strengthened by combining with variable-length chains. Are in active use for cracking real systems:

Attacks on hash functions
Dictionary attacks. Rainbow tables Countermeasures: Salt – randomizing hashing; Increasing time to hash – e. g. multiple hashing. Example: Niels Provos & David Mazières (1999) – bcrypt hash function. Uses salt & cost variables. Cost defines the number of internal block cipher key extension rounds: 2cost+1 + 1

Attacks on hash functions
Birthday paradox “Square root attack”: O( ) tries required to find the same element from an array with N elements. Application to hash functions (Gideon Yuval, 1979): An adversary prepares r variants of fraud document f and r variants of original document m. He searches among these variants such mx and fy that hash(mx) = hash(fy). User signs mx, but his signature is correct when verifying it for fy.

Attacks on hash functions
Collision search Another variant of hash chains: mi  hash(mi)  hash(hash(mi))  … All hash values are compared with previous values and values of other chains. Disadvantage: huge memory requirements. Jean-Jacques Quisquater, Jean-Paul Delescaille, 1987: store distinguished points only. Their coincidence signals about found collision. Low memory requirements.

Attacks on hash functions
Collisions search Michael Wiener and Paul Van Oorschot, 1994: parallel collision search with specific values:

Attacks on hash functions
Birthday paradox & collisions search Mihir Bellare and Tadayoshi Kohno, 2004: “amount of regularity” of hash functions – as output value distribution is regular. The less regular, the easy to find collision. Bart Preneel, 2003: hash value size analysis bits are enough for at least 20 years.

Attacks on hash functions
Differential cryptanalysis Florent Chabaud & Antoine Joux, 1998: SHI1 algorithm:

Attacks on hash functions
Differential cryptanalysis

Attacks on hash functions
Differential cryptanalysis Result: propagation of the difference is cancelled by the corrected bits. After 6 iterations the difference is 0. This is 6-round local collision: two messages differ in 6 bits (after expansion) but lead to the same hash value. Next step: construct messages which can expand with required difference. Attackers use disturbance vector – the table shows which bits of messages must be different to achieve the collision.

Attacks on hash functions
Differential cryptanalysis F. Chabaud & A. Joux: SHI1 – SHI2 – SHI3 – SHA Step-by-step including non-linear operation into the iterations. From deterministic to probabilistic constructions: the same principles of attack can be applied to real SHA algorithm.

Attacks on hash functions
Boomerang attack Invented by David Wagner for block ciphers in 1999. Applied to hash functions (SHA & SHA-1) by Antoine Joux and Thomas Peyrin, 2007. Boomerang attack uses one or more auxiliary differences besides the main difference. This significantly improves the probability of finding collisions.

Attacks on hash functions
Boomerang attack

Attacks on hash functions
Algebraic cryptanalysis Uses algebraic properties of an algorithm. Successfully applied to block ciphers (e. g. works of Nicolas Courtois against AES). Can be used in context of other attacks. Example: Makoto Sugita, Mitsuru Kawazoe, Hideki Imai (2006) attacked reduced-round SHA-1 by algebraic and differential cryptanalysis in complex.

Attacks on hash functions
Message modification Xiaoyun Wang, Hongbo Yu, 2005: step-by-step modifying the message to meet the criteria for differential cryptanalysis. Message modification technique allows to speed up the collision search by fulfilling the required criteria for internal variables.

Attacks on hash functions
Meet in the middle attack Can be applied when a function can be represent as two subfunctions: and if the second subfunction can be invertible.

Attacks on hash functions
Meet in the middle attack Finding preimage for a hash value H: Count hash1() for variants of the first half of messages (and store them in a table): Tx = hash1(M1x, IV). 2. Count inverted hash2() for variants of the second half of messages: Ty = hash2-1(M2y, H). 3. Searching for equivalent Tx and Ty.

Attacks on hash functions
Correcting blocks Allows to find preimages or collisions. Example for collisions: 1. Select arbitrary messages M and M*. 2. Find such corrected blocks X and X* that: hash(M || X) = hash(M* || X*).

Attacks on hash functions
Fixed points A fixed point occurs when it is possible to find such message block Mi that: hash(M) = hash(M || Mi), i. e. intermediate hash value remains the same after processing Mi block. Can be used for finding collisions.

Attacks on hash functions
Block-level manipulations inserting, removing, permutation, substitution of message blocks without affecting the hash value.

Attacks on hash functions
Two-block collisions Eli Biham et al., 2004:

Attacks on hash functions
Multi-block collisions

Attacks on hash functions
Specific attacks on block cipher based hash functions Allows to find collisions based on some weaknesses of an underlying block cipher: weak keys, equivalent keys, groups of keys, related-keys attacks.

Attacks on hash functions
Side-channel attacks This group of attacks are invented by Paul Kocher, 1996. Passive side-channel attacks (an adversary only reads side-channel information): Electromagnetic attacks. Power attacks (simple & differential). Timing attacks. Error-message attacks.

Attacks on hash functions
Side-channel attacks Active side-channel attacks (an adversary influences on hash function realization): Optical, radiation or heating attacks. Spike & glitch attacks. Fault attacks (simple and differential). Hardware modification.

Attacks on hash functions
Side-channel attacks Countermeasures: Constant time consumption of operations. Inserting random delays, noises, random variables etc, redundant computations. Error messages without extra information. Doubling calculations with comparing their results. Shielding. Detecting of external actions.

Attacks on hash functions
Other cryptanalytic methods Using neutral bits (Eli Biham & Rafi Chen, 2004) – such bits of a message which do not influence on final or intermediate results during some rounds. Attacks that can use specifics of hash functions realizations in network protocols, signature schemes etc. Length-extension attack – inserting some data to the end of a message to find a collision.

Section 2. SHA & SHA-1 SHA structure; SHA-1 structure;
SHA cryptanalysis; SHA-1 cryptanalysis.

SHA Overview Secure Hash Algorithm.
Invented by U.S. National Security Agency in 1992. U.S. hashing standard in (FIPS 180). Must be used by U.S. Ministries and Agencies for hashing non-classified information. Recommended for commercial organizations. Renamed to SHA-0 after SHA-1 invention.

SHA High-level structure 160-bit hash value.
Input data size – from 0 to (264-1) bits. Merkle-Damgaard construction with 512-bit data blocks. Last block is always padded by: “1” bit; zero bits when required; 64-bit input data length in bits.

SHA Message block expansion
512-bit block is represented as 32-bit words W0…W15. The following 32-bit words W16…W79 are calculated: Wn = Wn-3  Wn-8  Wn-14  Wn-16.

SHA Compression function 80 iterations:

SHA Compression function fi functions:
f(x, y, z) = (x & y) | (~x & z), i = 0…19; f(x, y, z) = x  y  z, i = 20…39, 60…79; f(x, y, z) = (x & y) | (x & z) | (y & z), i = 40…59.

SHA Chaining and finalization
Intermediate hash values: 32-bit registers A…E. Chaining by addition modulo 232: A = A + a; B = B + b, etc. No finalization is performed: output hash value is concatenation of A…E after processing all message blocks.

SHA-1 Overview & high-level structure
U.S. hashing standard since 1995 (FIPS 180-1, FIPS ). Will be withdrawn (for some applications) in 2010. All procedures are the same as in SHA algorithm, except the message block expansion.

Wn = (Wn-3  Wn-8  Wn-14  Wn-16) <<< 1
SHA-1 Message block expansion SHA-1 message block expansion: Wn = (Wn-3  Wn-8  Wn-14  Wn-16) <<< 1 Added one-bit left rotation into SHA message block expansion procedure.

SHA Cryptanalysis Best results 1. Collisions:
Stéphane Manuel, Thomas Peyrin, 2008: 233 operations (boomerang attack). 2. Preimages: Christophe De Cannière, Christian Rechberger, 2008: operations to find second preimage for SHA with 49 iterations (differential cryptanalysis, partial pseudo-preimages & meet-in-the-middle attack).

SHA-1 Cryptanalysis Best results 1. Collisions:
Stéphane Manuel, 2008: 251 operations (boomerang attack); Cameron McDonald, Philip Hawkes & Josef Pieprzyk, 2009: 252 operations (differential cryptanalysis). 2. Preimages: Christophe De Cannière, Christian Rechberger, 2008: operations to find second preimage for SHA-1 with 44 iterations (complex attack).

SHA-1 Cryptanalysis Collision search countermeasures
1. Michael Szydlo & Yiqun Lisa Yin, 2005: Strengthened hash function H*(m): H*(m) = H(φ(m)), where φ(m) is preprocessing function, it can perform: message whitening (inserting specific blocks – SHApp algorithm); self-interleaving of message blocks.

H*(r, m1,…, mN) = H(r, m1  r,…, mN  r),
SHA-1 Cryptanalysis Collision search countermeasures 2. Shai Halevi, Hugo Krawczyk, 2006 (IBM): Randomized hashing: H*(r, m1,…, mN) = H(r, m1  r,…, mN  r), where r – block-sized random number.

SHA-1 Cryptanalysis Strengthening SHA-1
Charanjit Jutla, Anandya Patthak, 2005 (IBM) – SHA1- IME (improved message expansion): Wn = Wn-3  Wn-8  Wn-14  Wn-16  ((Wn-1  Wn-2  Wn-15) <<< 1) for n = 16…35; Wn = Wn-3  Wn-8  Wn-14  Wn-16  ((Wn-1  Wn-2  Wn-15  Wn-20) <<< 1) for n = 36…79.

SHA-1 Cryptanalysis Strengthening SHA-1 SHA-1: SHA1-IME:

Section 3. SHA-2 SHA-2 overview; SHA-256; SHA-224; SHA-512; SHA-384;
SHA-2 cryptanalysis.

SHA-2 Overview U.S. hashing standard since 2002 (FIPS 180-2).
SHA-2 is a family of hashing algorithms: SHA-224 (since 2004 – defined in updated version of FIPS 180-2); SHA-256, SHA-384, SHA-512. n in SHA-n means n-bit output hash value. Patented by NSA but allowed for free use (U.S. Patent #  )

SHA-2 High-level structure Input data size – from 0 to:
(264-1) bits for SHA-224 & SHA-256; (2128-1) bits for SHA-384 & SHA-512. Merkle-Damgaard construction. 512-bit or 1024-bit data blocks. Last block is padded by the same way as in SHA, but 128-bit data length (instead of 64-bit) is used for SHA-384 & SHA-512.

Wn = Sig1,256(Wn-2) + Wn-7 + Sig0,256(Wn-15) + Wn-16 mod 232,
SHA-256 Message block expansion 512-bit block is represented as 32-bit words W0…W15. The following 32-bit words W16…W63 are calculated: Wn = Sig1,256(Wn-2) + Wn-7 + Sig0,256(Wn-15) + Wn-16 mod 232, where: Sig0,256(x) = (x >>> 7)  (x >>> 18)  (x >> 3), Sig1,256(x) = (x >>> 17)  (x >>> 19)  (x >> 10).

SHA-256 Message block expansion

SHA-256 Compression function 64 iterations:

SHA-256 Compression function Functions of the iteration:
Sum0,256(x) = (x >>> 2)  (x >>> 13)  (x >>> 22); Sum1,256(x) = (x >>> 6)  (x >>> 11)  (x >>> 25); Ch(x, y, z) = (x & y)  (~x & z); Maj(x, y, z) = (x & y)  (x & z)  (y & z).

SHA-256 Chaining and finalization
Intermediate hash values: 32-bit registers A…H. Chaining by addition modulo 232: A = A + a; B = B + b, etc. No finalization is performed: output hash value is concatenation of A…H after processing all message blocks.

SHA-224 SHA-224 compared to SHA-256
The same structure as SHA-256 excluding the following differences: Another initial value. Output hash value is concatenation of A…G registers (instead of A…H) – i. e. truncated SHA-256 hash value.

Wn = Sig1,512(Wn-2) + Wn-7 + Sig0,512(Wn-15) + Wn-16 mod 264,
SHA-512 Message block expansion 1024-bit block is represented as 64-bit words W0…W15. The following 64-bit words W16…W79 are calculated: Wn = Sig1,512(Wn-2) + Wn-7 + Sig0,512(Wn-15) + Wn-16 mod 264, where: Sig0,512(x) = (x >>> 1)  (x >>> 8)  (x >> 7), Sig1,512(x) = (x >>> 19)  (x >>> 61)  (x >> 6).

SHA-512 Compression function 80 iterations:

SHA-512 Compression function Slightly modified Sum-functions:
Sum0,512(x) = (x >>> 28)  (x >>> 34)  (x >>> 39); Sum1,512(x) = (x >>> 14)  (x >>> 18)  (x >>> 41).

SHA-512 Chaining and finalization
Intermediate hash values: 64-bit registers A…H. Chaining by addition modulo 264: A = A + a; B = B + b, etc. No finalization is performed: output hash value is concatenation of A…H after processing all message blocks.

SHA-384 SHA-384 compared to SHA-512
The same structure as SHA-512 excluding the following differences: Another initial value. Output hash value is concatenation of A…F registers (instead of A…H) – i. e. truncated SHA-512 hash value.

SHA-2 Cryptanalysis Best results
Collisions. Somitra Sanadhya, Palash Sarkar: 216 operations & 235 bytes of memory to find a collision for SHA-256 with 24 iterations; 223 operations & 268 bytes of memory to find a collision for SHA-512 with 24 iterations.

SHA-2 Cryptanalysis Strengthening SHA-2
SShash algorithm by Somitra Sanadhya & Palash Sarkar:

Section 4. SHA-3 SHA-3 project overview;
algorithms not selected to round 1; algorithms of round 1; algorithms of round 2; summarizing; round 2 algorithms performance; conclusion.

SHA-3 Overview SHA-3 project is an open competition for a new SHA-3 hash function. Main project timelines: November 2007: submission requirements were published; October 2008: the deadline for algorithm submissions; 2010: selecting finalists of the project; 2012: selecting a winner.

Algorithms not in round 1
Abacus Author: Neil Sholer (WaveStrong). High-level structure: cryptographic sponge. Compression function based on feedback shift registers. Conceded broken by Ivica Nikolić & Dmitry Khovratovich: meet-in-the-middle attack allows to find second preimage by 2172 operations.

Algorithms not in round 1
Boole Author: Gregory Rose (Qualcomm). High-level structure: cryptographic sponge. Compression function based on non-linear feedback shift register. Broken by Tomislav Nad: collision attack: 234 operations for 256-bit hash; 266 operations for 512-bit hash.

Algorithms not in round 1
DCH Author: David Wilson. High-level structure: Merkle-Damgård construction. Compression function: substitution-permutation network block cipher. Broken by Mario Lamberger & Florian Mendel: just 521 operations to find collision or preimage.

Algorithms not in round 1
Khichidi-1 Author: Natarajan Vijayarangan (Tata Consultancy Services, Ltd.). High-level structure: Merkle-Damgård construction. Compression function: linear feedback shift register. Broken by: Nicky Mouha – collision example; Prasanth Thandra & Satya Murty: instant collisions or second preimages.

Algorithms not in round 1
Maraca Author: Robert Jenkins Jr. High-level structure: original iterative structure. Compression function: internal state’s fragments parallel substitution by 8 X 8 S-boxes. Broken by Sebastiaan Indesteege: instant finding preimage.

Algorithms not in round 1
MeshHash Author: Björn Fay. High-level structure: cryptographic sponge. Compression function: multistream processing of the internal state with permutations between data streams. Conceded broken by its author because of certification meet-in-the-middle attacks by Søren Thomsen: e. g. 2nd preimage for 256-bit hash value for operations.

Algorithms not in round 1
NKS 2D Author: Geoffrey Park. High-level structure: stream hashing. Compression function: two-dimensional cellular automata. Broken by: Christophe De Cannière: collision example for 224- bit hash; Brandon Enright: collision example for 512-bit hash.

Algorithms not in round 1
Ponic Author: Peter Schmidt-Nielsen. High-level structure: wide-pipe Merkle-Damgård construction. Compression function: shift registers. Certification attacks by María Naya-Plasencia: operations & 2256 memory blocks to find 2nd preimage for 512-bit hash.

Algorithms not in round 1
SHAMATA Authors: Adem Atalay, Orhun Kara, Ferhat Karakoç and Cevat Manap (National Research Institute of Electronics and Cryptology, Turkey). High-level structure: wide-pipe Merkle-Damgård construction with finalization. Compression function: feedback shift registers. Broken by Florian Mendel, Martin Schläffer, Christian Rechberger, Sebastiaan Indesteege: collision example for 256-bit hash (240 operations).

Algorithms not in round 1
StreamHash Author: Michal Trojnara High-level structure: stream hashing. Compression function: original structure based on S- boxes. Broken by Tor Bjørstad: collision example for 256-bit hash.

Algorithms not in round 1
Tangle Authors: Rafael Alvarez, Gary McGuire, Antonio Zamora. High-level structure: wide-pipe Merkle-Damgård construction. Compression function: substitution-permutation network. Broken by Søren Thomsen: collision example (213 – 228 operations required).

Algorithms not in round 1
WaMM Author: John Washburn High-level structure: wide-pipe Merkle-Damgård construction with finalization. Compression function: original structure based on matrix operations. Broken by David Wilson: several operations to find a collision or second preimage for all sizes of hash value.

Algorithms not in round 1
Waterfall Author: Bob Hattersley (Opta Consulting) High-level structure: original iterative structure. Compression function: shift registers and entropy arrays (“pools”). Conceded broken by Scott Fluhrer: 270 operations to find a collision.

Round 1 algorithms ARIRANG (structure)
Authors: Specialists from Korea University, Seoul. High-level structure: Merkle-Damgård construction. Compression function: generalized Feistel network with feed-forward operations.

Round 1 algorithms ARIRANG (cryptanalysis) Attacks:
Jian Guo et al.: instant near-collisions (256 or 512- bit hash), 223 operations to find pseudo-collisions (224 or 384-bit hash); Deukjo Hong, Woo-Hwan Kim, Bonwook Koo: operations to find a preimage for 512-bit reduced- round (33 of 40 iterations) algorithm. Relatively high security margin, but simple near- & pseudo-collision attacks.

Round 1 algorithms AURORA (structure)
Authors: Specialists from Sony Corporation & Nagoya University, Japan. High-level structure: Merkle-Damgård construction with finalization (AURORA-224, 256); “Double-Mix” wide-pipe Merkle-Damgård construction with finalization (AURORA-224M, 256M, 384, 512). Compression function: substitution-permutation network.

Round 1 algorithms AURORA (cryptanalysis)
Several certification attacks: Yu Sasaki: 2259 operations to find 512-bit key of keyed AURORA-512 (HMAC mode); 2236 operations & huge memory to find 8-block message collision for 512-bit hash; Niels Ferguson & Stefan Lucks: 2291 operations to find 2nd preimage for 512-bit hash. Medium security margin.

Round 1 algorithms Blender Author: Colin Bradbury.
High-level structure: original iterative structure (2 streams with mixing operations, using checksums while padding the message). Compression function: one strong iteration with permutation operations for each block processing. Broken by Vlastimil Klima: 10 * 2n/4 operations to find n- bit hash preimage (i. e. 10 * 256 operations for 224- bit hash); also near-collision example.

Round 1 algorithms Cheetah
Authors: Dmitry Khovratovich, Alex Biryukov, Ivica Nikolić (University of Luxembourg). High-level structure: iterative structure with feed- forward & pre-finalization before last block processing. Compression function: substitution-permutation network based on AES functions. No attacks on full-round Cheetah found.

Round 1 algorithms CHI Authors: Phil Hawkes & Cameron McDonald (Qualcomm, Australia). High-level structure: Merkle-Damgård construction. Compression function: generalized Feistel network. No attacks found.

Round 1 algorithms CRUNCH Authors: large group of experts.
High-level structure: Merkle-Damgård construction. Compression function: unbalanced Feistel network. No attacks on the main requirements found (but Mustafa Çoban found that length-extension attacks on CRUNCH are possible).

Round 1 algorithms Dynamic SHA Author: Zijie Xu.
High-level structure: Merkle-Damgård construction. Compression function: generalized Feistel network. Broken by: Jean-Philippe Aumasson et al.: collision examples (222 operations for 512-bit hash, 221 – for 256-bit); Length-extension attack by Vlastimil Klima; Sebastiaan Indesteege: collision examples.

Round 1 algorithms Dynamic SHA2 Author: Zijie Xu.
High-level structure: Merkle-Damgård construction. Compression function: generalized Feistel network. Broken by: Jean-Philippe Aumasson et al.: 252 operations to find a collision for 256-bit hash; Hongbo Yu & Xiaoyun Wang: 245 operations to find a near-collision for 256-bit hash; Length-extension attack by Vlastimil Klima.

Round 1 algorithms ECOH Authors: Daniel Brown, Matt Campagna, Rene Struik (Certicom Corp., Canada). High-level structure: original iterative structure. Compression function: computations over a group of elliptic curve points. Attacked by Michael Halcrow & Niels Ferguson: operations to find 2nd preimage for 256-bit hash (2287 – for 512-bit hash). Relatively low security margin.

Round 1 algorithms Edon-R (structure) Author: Danilo Gligoroski.
High-level structure: Merkle-Damgård construction. Compression function: quasigroup operations.

Round 1 algorithms Edon-R (attacks) Attacks:
Dmitry Khovratovich, Ivica Nikolić, Ralf-Philipp Weinmann: 22n/3 operations to find a preimage for n- bit hash; pseudo-attacks with minimum time consumption. Gaëtan Leurent: practical key-recovery attack (for keyed version of Edon-R). Relatively high security margin, but some doubts about pseudo-attacks. Impossible to use the keyed version attacked by G. Leurent.

Round 1 algorithms EnRUPT
Authors: Sean O’Neil, Karsten Nohl, Luca Henzen. High-level structure: stream hashing. Compression function: some permutation operations while inserting input word into the internal state. Broken by Sebastiaan Indesteege: collision example for 256-bit hash (240 operations).

Round 1 algorithms ESSENCE Authors: Jason Martin.
High-level structure: balanced binary tree. Compression function: feedback shift registers. Attacked by María Naya-Plasencia et al.: 291 operations to find a collision for 256-bit hash, 2168 operations – for 512-bit hash. Low security margin.

Outline Tree-based structure of hash functions

Round 1 algorithms FSB Authors: several experts from French National Institute for Research in Computer Science and Control. High-level structure: wide-pipe Merkle-Damgård construction with finalization. Compression function: based on vector operations. No attacks found.

Round 1 algorithms LANE Author: Sebastiaan Indesteege, Catholic University of Leuven, Belgium. High-level structure: Merkle-Damgård construction with finalization. Compression function: substitution-permutation network based on AES functions. No attacks found.

Round 1 algorithms Lesamnta
Authors: Shoichi Hirose, Hidenori Kuwakado, Hirotaka Yoshida. High-level structure: Merkle-Damgård construction with finalization. Compression function: unbalanced Feistel network. No attacks found.

Round 1 algorithms LUX Authors: Ivica Nikolić, Alex Biryukov, Dmitry Khovratovich (University of Luxembourg). High-level structure: stream hashing. Compression function: two arrays of the internal state are updated by one AES round for every input word. Attacked by Dai Watanabe: 2100 operations to find a collision for 256-bit hash (2200 – for 2nd preimage), – for 512-bit hash. Relatively low security margin.

Round 1 algorithms MCSSHA-3 Author: Mikhail Maslennikov.
High-level structure: stream hashing. Compression function: non-linear feedback shift register. Attacked by Jean-Philippe Aumasson & María Naya- Plasencia: 23n/8 operations to find a collision, 23n/4 – to find 2nd preimage for n-bit hash. Relatively low security margin.

Round 1 algorithms MD6 Authors: large group of experts with leadership of Ronald Rivest. High-level structure: tree. Compression function: non-linear feedback shift register. No attacks found. Algorithm was withdrawn from SHA-3 project by its authors.

Round 1 algorithms NaSHA Authors: Smile Markovski & Aleksandra Mileva.
High-level structure: wide-pipe Merkle-Damgård construction. Compression function: unbalanced Feistel network. Attacked by Zhimin Li et al.: 2128 operations to find a collision for 512-bit NaSHA. Authors of NaSHA disproved the results of Li Z. et al.

Round 1 algorithms SANDstorm
Authors: large group of experts, mainly from Sandia National Laboratories, U. S. High-level structure: tree. Compression function: original structure with substitution-permutation operations. No attacks found.

Round 1 algorithms Sarmal
Authors: Kerem Varıcı, Onur Özen, Çelebi Kocair (Middle East Technical University, Turkey). High-level structure: wide-pipe Merkle-Damgård construction modification with feed-forward. Compression function: generalized Feistel network. Attacked by Florian Mendel & Martin Schläffer: 2n/3 operations & 2n/3 memory blocks to find a collision for n-bit hash. Low security margin.

Round 1 algorithms Sgàil Author: Peter Maxwell.
High-level structure: wide-pipe Merkle-Damgård construction. Compression function: substitution-permutation network. Attacked by its author: instant collision for all hash sizes. The algorithm was modified by its author. Attacks on the modified version are not found.

Round 1 algorithms Spectral Hash
Authors: large group of experts from University of California at Santa Barbara, U. S. High-level structure: wide-pipe Merkle-Damgård construction. Compression function: 3-dimensional array processed by discrete Fourier transform. Broken independently by Brandon Enright, Tor Bjørstad & Ethan Heilman: instant collisions.

Round 1 algorithms SWIFFTX
Authors: large group of experts from Israel and U. S. High-level structure: slightly modified Merkle-Damgård construction with finalization. Compression function: original construction based on fast Fourier transform. No attacks found.

Round 1 algorithms TIB3 Authors: Miguel Montes, Daniel Penazzi (Cordoba University, Spain). High-level structure: Merkle-Damgård construction with feed-forward & finalization. Compression function: generalized Feistel network. Attacked by Florian Mendel, Martin Schläffer: operations & 253 memory to find a collision for 256- bit hash. Medium security margin.

Round 1 algorithms Twister (structure)
Authors: Ewan Fleischmann, Christian Forler & Michael Gorski. High-level structure: Merkle-Damgård construction with finalization. Compression function: substitution-permutation network based on AES functions.

Round 1 algorithms Twister (attacks)
Several certification attacks by Florian Mendel, Christian Rechberger & Martin Schläffer, e. g operations to find 2nd preimage for 512-bit hash. Relatively high security margin.

Round 1 algorithms Vortex
Authors: Shay Gueron & Michael Kounavis (Intel Corp.). High-level structure: Merkle-Damgård construction with finalization. Compression function: substitution-permutation network based on AES functions. Attacked by Lars Knudsen, Florian Mendel, Christian Rechberger, Søren Thomsen: 23n/4 operations to find a preimage for n-bit hash. Relatively low security margin.

Round 2 algorithms BLAKE (overview)
Authors: Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael Phan. High-level structure: modified Merkle-Damgård construction: local wide-pipe with finalization. Compression function: permutation operations. One of the fastest round 2 algorithms.

Round 2 algorithms BLAKE (structure)
G-function – the basis of round permutation. 10 or 14 rounds with 8 G-function calls each.

Round 2 algorithms BLAKE (attacks)
Certification attacks on reduced-round BLAKE: Ji Li & Liangyu Xu: preimage for 512-bit BLAKE with 2.5 rounds – 2481 operations; Jian Guo & Krystian Matusiewicz: near-collision for compression function of 256-bit BLAKE with 4 rounds – 242 operations. Very high security margin.

Round 2 algorithms Blue Midnight Wish (overview)
Authors: large group of experts, mainly from Norwegian University of Science and Technology. High-level structure: wide-pipe Merkle-Damgård construction. Compression function: sequential processing of the current state by 3 different functions with feed- forward. One of the fastest round 2 algorithms.

Round 2 algorithms Blue Midnight Wish (structure)
Compression function structure:

Round 2 algorithms Blue Midnight Wish (attacks)
Certification attacks by Søren Thomsen: instant near collision for compression function of 256-bit Blue Midnight Wish (11 different bits); pseudo-collision (23n/8+1 operations) or pseudo- preimage (23n/4+1 operations) for n-bit Blue Midnight Wish. Very high security margin.

Round 2 algorithms CubeHash (overview)
Author: Daniel Bernstein (University of Illinois at Chicago). High-level structure: stream hashing. Compression function: Feistel network. Relative performance greatly depends on the platform and on the size of the test message – from the fastest round 2 algorithm to the slowest one.

Round 2 algorithms CubeHash (structure) CubeHash round:

Round 2 algorithms CubeHash (structure) CubeHashr/b parameters:
r – number of rounds; b – message block size in bytes. The original submitted variant is CubeHash8/1 – is very slow. It was replaced with CubeHash16/32 – about 16 times faster.

Round 2 algorithms CubeHash (attacks)
Several attacks (include practical) on the variants with reduced rounds and larger blocks (e. g. CubeHash2/4 or CubeHash1/45). Several certification preimage attacks on submitted versions of CubeHash – by Jean-Philippe Aumasson et al. and by Dmitry Khovratovich et al. Security margin can be considered high.

Round 2 algorithms ECHO (overview & attacks)
Authors: big groups of experts from Orange Labs (France). High-level structure: wide-pipe Merkle-Damgård construction. Compression function: substitution-permutation network based on AES functions. One of the slowest round 2 algorithms. No attacks found.

Round 2 algorithms ECHO (structure)
Internal state: 4 X 4 array of 128-bit words. 8 rounds of substitution (on the figure) and permutation operations similar to AES round.

Round 2 algorithms Fugue
Authors: Shai Halevi, William Hall, Charanjit Jutla (IBM). High-level structure: stream hashing. Compression function: substitution-permutation network based on AES functions. Features: 32-bit blocks; relatively large internal state; strengthened AES transforms. Relatively low performance. No attacks found.

Round 2 algorithms Grøstl (overview & attacks)
Authors: several experts from Technical University of Denmark & Graz University of Technology, Austria. High-level structure: wide-pipe Merkle-Damgård construction with finalization. Compression function: substitution-permutation network based on AES functions. Relatively low performance. No attacks found.

Round 2 algorithms Grøstl (structure)
P and Q functions performs 10 or 14 rounds of modified AES transformations. P and Q differ from each other in round constants only.

Round 2 algorithms Hamsi (overview & attacks)
Author: Özgül Küçük (Catholic University of Leuven, Belgium). High-level structure: concatenate-permute-truncate. Compression function: substitution-permutation network. Relatively low performance. No attacks found.

Round 2 algorithms Hamsi (structure)
C, P, and T-functions (“concatenate-permute-truncate”) form Hamsi compression function. 32- or 64-bit message blocks (are expanded to 256 or 512 bits each).

Round 2 algorithms JH (overview)
Author: Hongjun Wu (Institute for Infocomm Research, Singapore). High-level structure: wide-pipe Merkle-Damgård construction. Compression function: substitution-permutation network. Medium performance.

Round 2 algorithms JH (structure) Compression function structure:

Round 2 algorithms JH (attacks)
Certification attack by Florian Mendel and Søren Thomsen: 2510 operations & 2510 memory blocks to find a preimage for 512-bit JH. Hongjun Wu disproved the attack.

Round 2 algorithms Keccak (overview & attacks)
Authors: Guido Bertoni, Joan Daemen, Michaël Peeters & Gilles Van Assche. High-level structure: cryptographic sponge. Compression function: permutation operations. Relatively high performance. No attacks found.

Round 2 algorithms Keccak (structure) Compression function round:

Round 2 algorithms Luffa (overview)
Authors: Christophe De Cannière, Hisayoshi Sato & Dai Watanabe. High-level structure: cryptographic sponge. Compression function: substitution-permutation network. High performance.

Round 2 algorithms Luffa (structure) Compression function structure:

Round 2 algorithms Luffa (structure) Round of Q-functions:

Round 2 algorithms Luffa (attacks)
Several “pseudo”-attacks by Keting Jia: instant pseudo-collisions and 2nd pseudo-preimages; instant pseudo-preimages for 224- or 256-bit hash; 264 operations and 264 memory to find pseudo- preimage for 384-bit hash. No attacks found on main security requirements. But “pseudo”-attacks can be used in context of other attacks.

Round 2 algorithms Shabal (overview & attacks)
Authors: large group of experts of Saphir project funded by French National Research Agency. High-level structure: strengthened Merkle-Damgård construction (includes some sponge-like operations and feed-forward). Compression function: shift registers with different kinds of feedback. One of the fastest round 2 algorithms. No attacks found.

Round 2 algorithms Shabal (structure) Compression function structure:

Round 2 algorithms SHAvite-3 (overview & attacks)
Authors: Eli Biham & Orr Dunkelman. High-level structure: Merkle-Damgård construction with finalization. Compression function: Feistel network (224- or 256-bit hash) or generalized Feistel network (384- or 512-bit hash) based on AES operations. One of the slowest round 2 algorithms. No attacks found.

Round 2 algorithms SHAvite-3 (structure)
Compression function for 224- or 256-bit hash:

Round 2 algorithms SHAvite-3 (structure)
Compression function round for 384- or 512-bit hash:

Round 2 algorithms SIMD (overview & attacks)
Authors: Gaëtan Leurent, Pierre-Alain Fouque & Charles Bouillaguet (École Normale Supérieure, Paris). High-level structure: wide-pipe Merkle-Damgård construction with finalization. Compression function: generalized Feistel network. Relatively high performance. No attacks found.

Round 2 algorithms SIMD (structure) Compression function structure:

Round 2 algorithms Skein (overview) Authors: Large group of experts.
High-level structure: Unique Block Iteration. Compression function: substitution-permutation network. Relatively high performance.

Round 2 algorithms Skein (structure)
Compression function based on Threefish block cipher. 72 or 80 rounds based on permutations and parallel mix operations:

Round 2 algorithms Skein (attacks)
Several attacks on reduced-round Skein procedures by Jean-Philippe Aumasson et al.: near-collision for 17-round compression function of Skein – 224 operations; key recovery attack on 34-round Threefish – operations. Very high security margin.

Structures tables High-level structures
Merkle-Damgård construction and its variants.

Structures tables High-level structures Other structures.

Structures tables High-level structures statistics

Structures table Compression function structures

Structures table Compression function structures statistics

Performance tables Claimed performance by authors. Source: Ewan Fleischmann et al. “Classification of the SHA-3 candidates”.

Performance tables 64-bit platform: AMD Athlon 64 X MHz. Source: eBASH project ( July 2009.

Performance tables 32-bit platform: Intel Core 2 Duo 3000 MHz. Source: eBASH project ( July 2009.

Performance tables ARM: XScale-PXA MHz. Source: eBASH project ( February 2009.

Round 2 algorithms Conclusion
Can we divide the round 2 algorithms to the following categories? most probable, and less probable algorithms to be SHA-3 standard.

Round 2 algorithms Conclusion
Possible factors to exclude algorithms from the further concerning: relatively low performance; not high security margin; too complex structure of algorithm – difficult to analyze or realize; similarity to SHA-2 in structure.

Round 2 algorithms Conclusion Performance factor:
ECHO, Grøstl, Hamsi, SHAvite-3 – relatively low practical performance; Fugue – relatively low theoretical performance; CubeHash – relatively slow while hashing short messages.

Round 2 algorithms Conclusion Security margin factor:
Luffa: no attacks on main security requirements, but simple attacks allow to find pseudo-collisions and pseudo-preimages; “pseudo”-attacks can be theoretically used while mounting future attacks on Luffa, so its security margin can not be considered high.

Round 2 algorithms Conclusion
Other factors – no algorithms to exclude: all algorithms have clear and relatively simple structures; no algorithms are very similar to SHA-2.

Round 2 algorithms Conclusion
Therefore the following algorithms can be considered less probable to be SHA-3: CubeHash, ECHO, Fugue, Grøstl, Hamsi, SHAvite-3 – relatively low performance; Luffa – some doubts about security margin.

Round 2 algorithms Conclusion
As a result, the following algorithms can be considered more probable to be SHA-3 standard: Blake; Blue Midnight Wish; JH; Keccak; Shabal; SIMD; Skein.

Acknowledgements to Andrei Gurtov, who invited me to give a talk about hash functions.

Thank you! Sergey Panasenko, independent information security consultant, Moscow, Russia.

Similar presentations