Presentation is loading. Please wait.

Presentation is loading. Please wait.

SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information.

Similar presentations


Presentation on theme: "SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information."— Presentation transcript:

1 SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, Sergey Panasenko, independent information security consultant, Moscow, Russia.

2 SHA Hash Functions 1.Hash functions cryptanalysis review. 2.SHA (SHA-0) & SHA-1. 3.SHA-2. 4.SHA-3 project.

3 Section 1. Hash functions cryptanalysis review typical hash function structure;typical hash function structure; goals of hash functions cryptanalysis;goals of hash functions cryptanalysis; cryptanalysis methods.cryptanalysis methods.

4 Typical hash function structure Merkle-Damgård construction:

5 Primary goals of hash functions cryptanalysis Collision: m1 and m2 with the same hash: h = hash(m1) = hash(m2) Multicollision: several messages with the same hash. Theoretical time consumption: 2 n/2 operations for n-bit hash function.

6 Primary goals of hash functions cryptanalysis First preimage: such m that for given h: hash(m) = h Second preimage: such m2 that for given m1: hash(m2) = hash(m1) Theoretical time consumption: 2 n operations for n-bit hash function.

7 Primary goals of hash functions cryptanalysis Secret key definition – for keyed hash functions or hash functions in keyed mode. Theoretical time consumption: 2 k operations for k-bit key.

8 Secondary goals of hash functions cryptanalysis Near-collision: m1 and m2 with hash values differ in several bits: hash(m1) hash(m2) Pseudo-collision: m1 and m2 with the same hash but with different initial values: hash(m1, IV1) = hash(m2, IV2) Theoretical time consumption: 2 n/2 operations for n-bit hash function.

9 Secondary goals of hash functions cryptanalysis Pseudo-preimage: such m that for given h: hash(IV, m) = h where IV is non-standard initial value. Theoretical time consumption: 2 n operations for n-bit hash function.

10 Attacks on hash functions Brute-force attacks Step-by-step searching over the target space.Step-by-step searching over the target space. They define theoretical time consumption of any goal.They define theoretical time consumption of any goal. Can be used for finding collisions, preimages or secret keys.Can be used for finding collisions, preimages or secret keys. Highly parallelizable.Highly parallelizable. Can be accelerated greatly by specific hardware.Can be accelerated greatly by specific hardware. Can be used in context of other attacks.Can be used in context of other attacks. They define suitable hash or key sizes.They define suitable hash or key sizes.

11 Attacks on hash functions Dictionary attacks A kind of brute-force attacks on a reduced target space (e.g. words of any dictionary).A kind of brute-force attacks on a reduced target space (e.g. words of any dictionary). Typical application: finding a password for given hash value.Typical application: finding a password for given hash value. Offline work – precounting a table for searching the required password.Offline work – precounting a table for searching the required password.

12 Attacks on hash functions Dictionary attacks The simplest case of tables: one hash for every password.

13 Attacks on hash functions Dictionary attacks Hash chains – reducing the memory (Martin Hellman, 1980): p 1 h 1 p 2 h 2 … p N h N

14 Attacks on hash functions Dictionary attacks Hash chains – collision example:

15 Attacks on hash functions Dictionary attacks Strengthening hash chains: Several tables with different R-functions.Several tables with different R-functions. Variable length chains.Variable length chains.

16 Attacks on hash functions Dictionary attacks. Rainbow tables Several R-functions R 1 …R N-1 for every column of strings: cyclic strings are impossible;cyclic strings are impossible; collisions lead to strings coincidence when occur in the same column only – that can be detected.collisions lead to strings coincidence when occur in the same column only – that can be detected.

17 Attacks on hash functions Dictionary attacks. Rainbow tables Invented by Philip Oechslin in Can be further strengthened by combining with variable-length chains. Are in active use for cracking real systems:

18 Attacks on hash functions Dictionary attacks. Rainbow tables Countermeasures: Salt – randomizing hashing;Salt – randomizing hashing; Increasing time to hash – e. g. multiple hashing.Increasing time to hash – e. g. multiple hashing. Example: Niels Provos & David Mazières (1999) – bcrypt hash function. Uses salt & cost variables. Cost defines the number of internal block cipher key extension rounds: 2 cost+1 + 1

19 Attacks on hash functions Birthday paradox Square root attack: O( ) tries required to find the same element from an array with N elements. Application to hash functions (Gideon Yuval, 1979): An adversary prepares r variants of fraud document f and r variants of original document m.An adversary prepares r variants of fraud document f and r variants of original document m. He searches among these variants such m x and f y that hash(m x ) = hash(f y ).He searches among these variants such m x and f y that hash(m x ) = hash(f y ). User signs m x, but his signature is correct when verifying it for f y.User signs m x, but his signature is correct when verifying it for f y.

20 Attacks on hash functions Collision search Another variant of hash chains: m i hash(m i) hash(hash(m i )) … All hash values are compared with previous values and values of other chains. Disadvantage: huge memory requirements. Jean-Jacques Quisquater, Jean-Paul Delescaille, 1987: store distinguished points only. Their coincidence signals about found collision. Low memory requirements.

21 Attacks on hash functions Collisions search Michael Wiener and Paul Van Oorschot, 1994: parallel collision search with specific values:

22 Attacks on hash functions Birthday paradox & collisions search Mihir Bellare and Tadayoshi Kohno, 2004: amount of regularity of hash functions – as output value distribution is regular. The less regular, the easy to find collision.Mihir Bellare and Tadayoshi Kohno, 2004: amount of regularity of hash functions – as output value distribution is regular. The less regular, the easy to find collision. Bart Preneel, 2003: hash value size analysis. 160 bits are enough for at least 20 years.Bart Preneel, 2003: hash value size analysis. 160 bits are enough for at least 20 years.

23 Attacks on hash functions Differential cryptanalysis Florent Chabaud & Antoine Joux, 1998: SHI1 algorithm:

24 Attacks on hash functions Differential cryptanalysis

25 Attacks on hash functions Differential cryptanalysis Result: propagation of the difference is cancelled by the corrected bits. After 6 iterations the difference is 0. This is 6-round local collision: two messages differ in 6 bits (after expansion) but lead to the same hash value. Next step: construct messages which can expand with required difference. Attackers use disturbance vector – the table shows which bits of messages must be different to achieve the collision.

26 Attacks on hash functions Differential cryptanalysis F. Chabaud & A. Joux: SHI1 – SHI2 – SHI3 – SHA Step-by-step including non-linear operation into the iterations. From deterministic to probabilistic constructions: the same principles of attack can be applied to real SHA algorithm.

27 Attacks on hash functions Boomerang attack Invented by David Wagner for block ciphers in Applied to hash functions (SHA & SHA-1) by Antoine Joux and Thomas Peyrin, Boomerang attack uses one or more auxiliary differences besides the main difference. This significantly improves the probability of finding collisions.

28 Attacks on hash functions Boomerang attack

29 Attacks on hash functions Algebraic cryptanalysis Uses algebraic properties of an algorithm. Successfully applied to block ciphers (e. g. works of Nicolas Courtois against AES). Can be used in context of other attacks. Example: Makoto Sugita, Mitsuru Kawazoe, Hideki Imai (2006) attacked reduced-round SHA-1 by algebraic and differential cryptanalysis in complex.

30 Attacks on hash functions Message modification Xiaoyun Wang, Hongbo Yu, 2005: step-by-step modifying the message to meet the criteria for differential cryptanalysis. Message modification technique allows to speed up the collision search by fulfilling the required criteria for internal variables.

31 Attacks on hash functions Meet in the middle attack Can be applied when a function can be represent as two subfunctions: and if the second subfunction can be invertible.

32 Attacks on hash functions Meet in the middle attack Finding preimage for a hash value H: 1.Count hash1() for variants of the first half of messages (and store them in a table): T x = hash1(M1 x, IV). 2. Count inverted hash2() for variants of the second half of messages: T y = hash2 -1 (M2 y, H). 3. Searching for equivalent T x and T y.

33 Attacks on hash functions Correcting blocks Allows to find preimages or collisions. Example for collisions: 1. Select arbitrary messages M and M*. 2. Find such corrected blocks X and X* that: hash(M || X) = hash(M* || X*).

34 Attacks on hash functions Fixed points A fixed point occurs when it is possible to find such message block Mi that: hash(M) = hash(M || Mi), i. e. intermediate hash value remains the same after processing Mi block. Can be used for finding collisions.

35 Attacks on hash functions Block-level manipulations inserting,inserting, removing,removing, permutation,permutation, substitutionsubstitution of message blocks without affecting the hash value.

36 Attacks on hash functions Two-block collisions Eli Biham et al., 2004:

37 Attacks on hash functions Multi-block collisions

38 Attacks on hash functions Specific attacks on block cipher based hash functions Allows to find collisions based on some weaknesses of an underlying block cipher: weak keys,weak keys, equivalent keys,equivalent keys, groups of keys,groups of keys, related-keys attacks.related-keys attacks.

39 Attacks on hash functions Side-channel attacks This group of attacks are invented by Paul Kocher, Passive side-channel attacks (an adversary only reads side-channel information): Electromagnetic attacks.Electromagnetic attacks. Power attacks (simple & differential).Power attacks (simple & differential). Timing attacks.Timing attacks. Error-message attacks.Error-message attacks.

40 Attacks on hash functions Side-channel attacks Active side-channel attacks (an adversary influences on hash function realization): Optical, radiation or heating attacks.Optical, radiation or heating attacks. Spike & glitch attacks.Spike & glitch attacks. Fault attacks (simple and differential).Fault attacks (simple and differential). Hardware modification.Hardware modification.

41 Attacks on hash functions Side-channel attacks Countermeasures: Constant time consumption of operations.Constant time consumption of operations. Inserting random delays, noises, random variables etc, redundant computations.Inserting random delays, noises, random variables etc, redundant computations. Error messages without extra information.Error messages without extra information. Doubling calculations with comparing their results.Doubling calculations with comparing their results. Shielding.Shielding. Detecting of external actions.Detecting of external actions.

42 Attacks on hash functions Other cryptanalytic methods Using neutral bits (Eli Biham & Rafi Chen, 2004) – such bits of a message which do not influence on final or intermediate results during some rounds.Using neutral bits (Eli Biham & Rafi Chen, 2004) – such bits of a message which do not influence on final or intermediate results during some rounds. Attacks that can use specifics of hash functions realizations in network protocols, signature schemes etc.Attacks that can use specifics of hash functions realizations in network protocols, signature schemes etc. Length-extension attack – inserting some data to the end of a message to find a collision.Length-extension attack – inserting some data to the end of a message to find a collision.

43 Section 2. SHA & SHA-1 SHA structure;SHA structure; SHA-1 structure;SHA-1 structure; SHA cryptanalysis;SHA cryptanalysis; SHA-1 cryptanalysis.SHA-1 cryptanalysis.

44 SHA Secure Hash Algorithm. Invented by U.S. National Security Agency in U.S. hashing standard in (FIPS 180). Must be used by U.S. Ministries and Agencies for hashing non-classified information. Recommended for commercial organizations. Renamed to SHA-0 after SHA-1 invention. Overview

45 SHA 160-bit hash value. Input data size – from 0 to ( ) bits. Merkle-Damgaard construction with 512-bit data blocks. Last block is always padded by: 1 bit;1 bit; zero bits when required;zero bits when required; 64-bit input data length in bits.64-bit input data length in bits. High-level structure

46 SHA bit block is represented as 32-bit words W 0 …W The following 32-bit words W 16 …W 79 are calculated: W n = W n-3 W n-8 W n-14 W n-16. Message block expansion

47 SHA 80 iterations: Compression function

48 SHA fi functions: f(x, y, z) = (x & y) | (~x & z), i = 0…19; f(x, y, z) = x y z, i = 20…39, 60…79; f(x, y, z) = (x & y) | (x & z) | (y & z), i = 40…59. Compression function

49 SHA Intermediate hash values: 32-bit registers A…E. Chaining by addition modulo 2 32 : A = A + a; B = B + b, etc. No finalization is performed: output hash value is concatenation of A…E after processing all message blocks. Chaining and finalization

50 SHA-1 U.S. hashing standard since 1995 (FIPS 180-1, FIPS 180-2). Will be withdrawn (for some applications) in All procedures are the same as in SHA algorithm, except the message block expansion. Overview & high-level structure

51 SHA-1 SHA-1 message block expansion: W n = (W n-3 W n-8 W n-14 W n-16 ) <<< 1 Message block expansion Added one-bit left rotation into SHA message block expansion procedure.

52 SHA Cryptanalysis 1. Collisions: Stéphane Manuel, Thomas Peyrin, 2008: 2 33 operations (boomerang attack). 2. Preimages: Christophe De Cannière, Christian Rechberger, 2008: operations to find second preimage for SHA with 49 iterations (differential cryptanalysis, partial pseudo-preimages & meet-in-the-middle attack). Best results

53 SHA-1 Cryptanalysis 1. Collisions: Stéphane Manuel, 2008: 2 51 operations (boomerang attack); Cameron McDonald, Philip Hawkes & Josef Pieprzyk, 2009: 2 52 operations (differential cryptanalysis). 2. Preimages: Christophe De Cannière, Christian Rechberger, 2008: operations to find second preimage for SHA-1 with 44 iterations (complex attack). Best results

54 SHA-1 Cryptanalysis 1. Michael Szydlo & Yiqun Lisa Yin, 2005: Strengthened hash function H * (m): H * (m) = H(φ(m)), where φ(m) is preprocessing function, it can perform: message whitening (inserting specific blocks – SHApp algorithm);message whitening (inserting specific blocks – SHApp algorithm); self-interleaving of message blocks.self-interleaving of message blocks. Collision search countermeasures

55 SHA-1 Cryptanalysis 2. Shai Halevi, Hugo Krawczyk, 2006 (IBM): Randomized hashing: H * (r, m 1,…, m N ) = H(r, m 1 r,…, m N r), where r – block-sized random number. Collision search countermeasures

56 SHA-1 Cryptanalysis Charanjit Jutla, Anandya Patthak, 2005 (IBM) – SHA1- IME (improved message expansion): W n = W n-3 W n-8 W n-14 W n-16 ((W n-1 W n-2 W n-15 ) <<< 1) for n = 16…35; W n = W n-3 W n-8 W n-14 W n-16 ((W n-1 W n-2 W n-15 W n-20 ) <<< 1) for n = 36…79. Strengthening SHA-1

57 SHA-1 Cryptanalysis SHA-1: Strengthening SHA-1 SHA1-IME:

58 Section 3. SHA-2 SHA-2 overview;SHA-2 overview; SHA-256;SHA-256; SHA-224;SHA-224; SHA-512;SHA-512; SHA-384;SHA-384; SHA-2 cryptanalysis.SHA-2 cryptanalysis.

59 SHA-2 U.S. hashing standard since 2002 (FIPS 180-2). SHA-2 is a family of hashing algorithms: SHA-224 (since 2004 – defined in updated version of FIPS 180-2);SHA-224 (since 2004 – defined in updated version of FIPS 180-2); SHA-256, SHA-384, SHA-512.SHA-256, SHA-384, SHA-512. n in SHA-n means n-bit output hash value. Patented by NSA but allowed for free use (U.S. Patent # ) Overview

60 SHA-2 Input data size – from 0 to: ( ) bits for SHA-224 & SHA-256;( ) bits for SHA-224 & SHA-256; ( ) bits for SHA-384 & SHA-512.( ) bits for SHA-384 & SHA-512. Merkle-Damgaard construction. 512-bit or 1024-bit data blocks. Last block is padded by the same way as in SHA, but 128-bit data length (instead of 64-bit) is used for SHA-384 & SHA-512. High-level structure

61 SHA bit block is represented as 32-bit words W 0 …W The following 32-bit words W 16 …W 63 are calculated: W n = Sig 1,256 (W n-2 ) + W n-7 + Sig 0,256 (W n-15 ) + W n-16 mod 2 32, where: Sig 0,256 (x) = (x >>> 7) (x >>> 18) (x >> 3), Sig 1,256 (x) = (x >>> 17) (x >>> 19) (x >> 10). Message block expansion

62 SHA-256

63 SHA iterations: Compression function

64 SHA-256 Functions of the iteration: Sum 0,256 (x) = (x >>> 2) (x >>> 13) (x >>> 22); Sum 1,256 (x) = (x >>> 6) (x >>> 11) (x >>> 25); Ch(x, y, z) = (x & y) (~x & z); Maj(x, y, z) = (x & y) (x & z) (y & z). Compression function

65 SHA-256 Intermediate hash values: 32-bit registers A…H. Chaining by addition modulo 2 32 : A = A + a; B = B + b, etc. No finalization is performed: output hash value is concatenation of A…H after processing all message blocks. Chaining and finalization

66 SHA-224 The same structure as SHA-256 excluding the following differences: Another initial value.Another initial value. Output hash value is concatenation of A…G registers (instead of A…H) – i. e. truncated SHA-256 hash value.Output hash value is concatenation of A…G registers (instead of A…H) – i. e. truncated SHA-256 hash value. SHA-224 compared to SHA-256

67 SHA bit block is represented as 64-bit words W 0 …W The following 64-bit words W 16 …W 79 are calculated: W n = Sig 1,512 (W n-2 ) + W n-7 + Sig 0,512 (W n-15 ) + W n-16 mod 2 64, where: Sig 0,512 (x) = (x >>> 1) (x >>> 8) (x >> 7), Sig 1,512 (x) = (x >>> 19) (x >>> 61) (x >> 6). Message block expansion

68 SHA iterations: Compression function

69 SHA-512 Slightly modified Sum-functions: Sum 0,512 (x) = (x >>> 28) (x >>> 34) (x >>> 39); Sum 1,512 (x) = (x >>> 14) (x >>> 18) (x >>> 41). Compression function

70 SHA-512 Intermediate hash values: 64-bit registers A…H. Chaining by addition modulo 2 64 : A = A + a; B = B + b, etc. No finalization is performed: output hash value is concatenation of A…H after processing all message blocks. Chaining and finalization

71 SHA-384 The same structure as SHA-512 excluding the following differences: Another initial value.Another initial value. Output hash value is concatenation of A…F registers (instead of A…H) – i. e. truncated SHA-512 hash value.Output hash value is concatenation of A…F registers (instead of A…H) – i. e. truncated SHA-512 hash value. SHA-384 compared to SHA-512

72 SHA-2 Cryptanalysis Collisions. Somitra Sanadhya, Palash Sarkar: 2 16 operations & 2 35 bytes of memory to find a collision for SHA-256 with 24 iterations;2 16 operations & 2 35 bytes of memory to find a collision for SHA-256 with 24 iterations; 2 23 operations & 2 68 bytes of memory to find a collision for SHA-512 with 24 iterations.2 23 operations & 2 68 bytes of memory to find a collision for SHA-512 with 24 iterations. Best results

73 SHA-2 Cryptanalysis SShash algorithm by Somitra Sanadhya & Palash Sarkar: Strengthening SHA-2

74 Section 4. SHA-3 SHA-3 project overview;SHA-3 project overview; algorithms not selected to round 1;algorithms not selected to round 1; algorithms of round 1;algorithms of round 1; algorithms of round 2;algorithms of round 2; summarizing;summarizing; round 2 algorithms performance;round 2 algorithms performance; conclusion.conclusion.

75 SHA-3 SHA-3 project is an open competition for a new SHA-3 hash function. Main project timelines: November 2007: submission requirements were published;November 2007: submission requirements were published; October 2008: the deadline for algorithm submissions;October 2008: the deadline for algorithm submissions; 2010: selecting finalists of the project;2010: selecting finalists of the project; 2012: selecting a winner.2012: selecting a winner. Overview

76 Algorithms not in round 1 Author: Neil Sholer (WaveStrong). High-level structure: cryptographic sponge. Compression function based on feedback shift registers. Conceded broken by Ivica Nikolić & Dmitry Khovratovich: meet-in-the-middle attack allows to find second preimage by operations. Abacus

77 Algorithms not in round 1 Author: Gregory Rose (Qualcomm). High-level structure: cryptographic sponge. Compression function based on non-linear feedback shift register. Broken by Tomislav Nad: collision attack: 2 34 operations for 256-bit hash;2 34 operations for 256-bit hash; 2 66 operations for 512-bit hash.2 66 operations for 512-bit hash. Boole

78 Algorithms not in round 1 Author: David Wilson. High-level structure: Merkle-Damgård construction. Compression function: substitution-permutation network block cipher. Broken by Mario Lamberger & Florian Mendel: just 521 operations to find collision or preimage. DCH

79 Algorithms not in round 1 Author: Natarajan Vijayarangan (Tata Consultancy Services, Ltd.). High-level structure: Merkle-Damgård construction. Compression function: linear feedback shift register. Broken by: Nicky Mouha – collision example;Nicky Mouha – collision example; Prasanth Thandra & Satya Murty: instant collisions or second preimages.Prasanth Thandra & Satya Murty: instant collisions or second preimages. Khichidi-1

80 Algorithms not in round 1 Author: Robert Jenkins Jr. High-level structure: original iterative structure. Compression function: internal states fragments parallel substitution by 8 X 8 S-boxes. Broken by Sebastiaan Indesteege: instant finding preimage. Maraca

81 Algorithms not in round 1 Author: Björn Fay. High-level structure: cryptographic sponge. Compression function: multistream processing of the internal state with permutations between data streams. Conceded broken by its author because of certification meet-in-the-middle attacks by Søren Thomsen: e. g. 2 nd preimage for 256-bit hash value for operations. MeshHash

82 Algorithms not in round 1 Author: Geoffrey Park. High-level structure: stream hashing. Compression function: two-dimensional cellular automata. Broken by: Christophe De Cannière: collision example for 224- bit hash;Christophe De Cannière: collision example for 224- bit hash; Brandon Enright: collision example for 512-bit hash.Brandon Enright: collision example for 512-bit hash. NKS 2D

83 Algorithms not in round 1 Author: Peter Schmidt-Nielsen. High-level structure: wide-pipe Merkle-Damgård construction. Compression function: shift registers. Certification attacks by María Naya-Plasencia: operations & memory blocks to find 2 nd preimage for 512-bit hash. Ponic

84 Algorithms not in round 1 Authors: Adem Atalay, Orhun Kara, Ferhat Karakoç and Cevat Manap (National Research Institute of Electronics and Cryptology, Turkey). High-level structure: wide-pipe Merkle-Damgård construction with finalization. Compression function: feedback shift registers. Broken by Florian Mendel, Martin Schläffer, Christian Rechberger, Sebastiaan Indesteege: collision example for 256-bit hash (2 40 operations). SHAMATA

85 Algorithms not in round 1 Author: Michal Trojnara High-level structure: stream hashing. Compression function: original structure based on S- boxes. Broken by Tor Bjørstad: collision example for 256-bit hash. StreamHash

86 Algorithms not in round 1 Authors: Rafael Alvarez, Gary McGuire, Antonio Zamora. High-level structure: wide-pipe Merkle-Damgård construction. Compression function: substitution-permutation network. Broken by Søren Thomsen: collision example (2 13 – 2 28 operations required). Tangle

87 Algorithms not in round 1 Author: John Washburn High-level structure: wide-pipe Merkle-Damgård construction with finalization. Compression function: original structure based on matrix operations. Broken by David Wilson: several operations to find a collision or second preimage for all sizes of hash value. WaMM

88 Algorithms not in round 1 Author: Bob Hattersley (Opta Consulting) High-level structure: original iterative structure. Compression function: shift registers and entropy arrays (pools). Conceded broken by Scott Fluhrer: 2 70 operations to find a collision. Waterfall

89 Round 1 algorithms Authors: Specialists from Korea University, Seoul. High-level structure: Merkle-Damgård construction. Compression function: generalized Feistel network with feed-forward operations. ARIRANG (structure)

90 Round 1 algorithms Attacks: Jian Guo et al.: instant near-collisions (256 or 512- bit hash), 2 23 operations to find pseudo-collisions (224 or 384-bit hash);Jian Guo et al.: instant near-collisions (256 or 512- bit hash), 2 23 operations to find pseudo-collisions (224 or 384-bit hash); Deukjo Hong, Woo-Hwan Kim, Bonwook Koo: operations to find a preimage for 512-bit reduced- round (33 of 40 iterations) algorithm.Deukjo Hong, Woo-Hwan Kim, Bonwook Koo: operations to find a preimage for 512-bit reduced- round (33 of 40 iterations) algorithm. Relatively high security margin, but simple near- & pseudo-collision attacks. ARIRANG (cryptanalysis)

91 Round 1 algorithms Authors: Specialists from Sony Corporation & Nagoya University, Japan. High-level structure: Merkle-Damgård construction with finalization (AURORA-224, 256);Merkle-Damgård construction with finalization (AURORA-224, 256); Double-Mix wide-pipe Merkle-Damgård construction with finalization (AURORA-224M, 256M, 384, 512).Double-Mix wide-pipe Merkle-Damgård construction with finalization (AURORA-224M, 256M, 384, 512). Compression function: substitution-permutation network. AURORA (structure)

92 Round 1 algorithms Several certification attacks: Yu Sasaki: operations to find 512-bit key of keyed AURORA-512 (HMAC mode); operations & huge memory to find 8-block message collision for 512-bit hash;Yu Sasaki: operations to find 512-bit key of keyed AURORA-512 (HMAC mode); operations & huge memory to find 8-block message collision for 512-bit hash; Niels Ferguson & Stefan Lucks: operations to find 2 nd preimage for 512-bit hash.Niels Ferguson & Stefan Lucks: operations to find 2 nd preimage for 512-bit hash. Medium security margin. AURORA (cryptanalysis)

93 Round 1 algorithms Author: Colin Bradbury. High-level structure: original iterative structure (2 streams with mixing operations, using checksums while padding the message). Compression function: one strong iteration with permutation operations for each block processing. Broken by Vlastimil Klima: 10 * 2 n/4 operations to find n- bit hash preimage (i. e. 10 * 2 56 operations for 224- bit hash); also near-collision example. Blender

94 Round 1 algorithms Authors: Dmitry Khovratovich, Alex Biryukov, Ivica Nikolić (University of Luxembourg). High-level structure: iterative structure with feed- forward & pre-finalization before last block processing. Compression function: substitution-permutation network based on AES functions. No attacks on full-round Cheetah found. Cheetah

95 Round 1 algorithms Authors: Phil Hawkes & Cameron McDonald (Qualcomm, Australia). High-level structure: Merkle-Damgård construction. Compression function: generalized Feistel network. No attacks found. CHI

96 Round 1 algorithms Authors: large group of experts. High-level structure: Merkle-Damgård construction. Compression function: unbalanced Feistel network. No attacks on the main requirements found (but Mustafa Çoban found that length-extension attacks on CRUNCH are possible). CRUNCH

97 Round 1 algorithms Author: Zijie Xu. High-level structure: Merkle-Damgård construction. Compression function: generalized Feistel network. Broken by: Jean-Philippe Aumasson et al.: collision examples (2 22 operations for 512-bit hash, 2 21 – for 256-bit);Jean-Philippe Aumasson et al.: collision examples (2 22 operations for 512-bit hash, 2 21 – for 256-bit); Length-extension attack by Vlastimil Klima;Length-extension attack by Vlastimil Klima; Sebastiaan Indesteege: collision examples.Sebastiaan Indesteege: collision examples. Dynamic SHA

98 Round 1 algorithms Author: Zijie Xu. High-level structure: Merkle-Damgård construction. Compression function: generalized Feistel network. Broken by: Jean-Philippe Aumasson et al.: 2 52 operations to find a collision for 256-bit hash;Jean-Philippe Aumasson et al.: 2 52 operations to find a collision for 256-bit hash; Hongbo Yu & Xiaoyun Wang: 2 45 operations to find a near-collision for 256-bit hash;Hongbo Yu & Xiaoyun Wang: 2 45 operations to find a near-collision for 256-bit hash; Length-extension attack by Vlastimil Klima.Length-extension attack by Vlastimil Klima. Dynamic SHA2

99 Round 1 algorithms Authors: Daniel Brown, Matt Campagna, Rene Struik (Certicom Corp., Canada). High-level structure: original iterative structure. Compression function: computations over a group of elliptic curve points. Attacked by Michael Halcrow & Niels Ferguson: operations to find 2 nd preimage for 256-bit hash (2 287 – for 512-bit hash). Relatively low security margin. ECOH

100 Round 1 algorithms Author: Danilo Gligoroski. High-level structure: Merkle-Damgård construction. Compression function: quasigroup operations. Edon-R (structure)

101 Round 1 algorithms Attacks: Dmitry Khovratovich, Ivica Nikolić, Ralf-Philipp Weinmann: 2 2n/3 operations to find a preimage for n- bit hash; pseudo-attacks with minimum time consumption.Dmitry Khovratovich, Ivica Nikolić, Ralf-Philipp Weinmann: 2 2n/3 operations to find a preimage for n- bit hash; pseudo-attacks with minimum time consumption. Gaëtan Leurent: practical key-recovery attack (for keyed version of Edon-R).Gaëtan Leurent: practical key-recovery attack (for keyed version of Edon-R). Relatively high security margin, but some doubts about pseudo-attacks. Impossible to use the keyed version attacked by G. Leurent. Edon-R (attacks)

102 Round 1 algorithms Authors: Sean ONeil, Karsten Nohl, Luca Henzen. High-level structure: stream hashing. Compression function: some permutation operations while inserting input word into the internal state. Broken by Sebastiaan Indesteege: collision example for 256-bit hash (2 40 operations). EnRUPT

103 Round 1 algorithms Authors: Jason Martin. High-level structure: balanced binary tree. Compression function: feedback shift registers. Attacked by María Naya-Plasencia et al.: 2 91 operations to find a collision for 256-bit hash, operations – for 512-bit hash. Low security margin. ESSENCE

104 Outline Tree-based structure of hash functions

105 Round 1 algorithms Authors: several experts from French National Institute for Research in Computer Science and Control. High-level structure: wide-pipe Merkle-Damgård construction with finalization. Compression function: based on vector operations. No attacks found. FSB

106 Round 1 algorithms Author: Sebastiaan Indesteege, Catholic University of Leuven, Belgium. High-level structure: Merkle-Damgård construction with finalization. Compression function: substitution-permutation network based on AES functions. No attacks found. LANE

107 Round 1 algorithms Authors: Shoichi Hirose, Hidenori Kuwakado, Hirotaka Yoshida. High-level structure: Merkle-Damgård construction with finalization. Compression function: unbalanced Feistel network. No attacks found. Lesamnta

108 Round 1 algorithms Authors: Ivica Nikolić, Alex Biryukov, Dmitry Khovratovich (University of Luxembourg). High-level structure: stream hashing. Compression function: two arrays of the internal state are updated by one AES round for every input word. Attacked by Dai Watanabe: operations to find a collision for 256-bit hash (2 200 – for 2 nd preimage), – for 512-bit hash. Relatively low security margin. LUX

109 Round 1 algorithms Author: Mikhail Maslennikov. High-level structure: stream hashing. Compression function: non-linear feedback shift register. Attacked by Jean-Philippe Aumasson & María Naya- Plasencia: 2 3n/8 operations to find a collision, 2 3n/4 – to find 2 nd preimage for n-bit hash. Relatively low security margin. MCSSHA-3

110 Round 1 algorithms Authors: large group of experts with leadership of Ronald Rivest. High-level structure: tree. Compression function: non-linear feedback shift register. No attacks found. Algorithm was withdrawn from SHA-3 project by its authors. MD6

111 Round 1 algorithms Authors: Smile Markovski & Aleksandra Mileva. High-level structure: wide-pipe Merkle-Damgård construction. Compression function: unbalanced Feistel network. Attacked by Zhimin Li et al.: operations to find a collision for 512-bit NaSHA. Authors of NaSHA disproved the results of Li Z. et al. NaSHA

112 Round 1 algorithms Authors: large group of experts, mainly from Sandia National Laboratories, U. S. High-level structure: tree. Compression function: original structure with substitution-permutation operations. No attacks found. SANDstorm

113 Round 1 algorithms Authors: Kerem Varıcı, Onur Özen, Çelebi Kocair (Middle East Technical University, Turkey). High-level structure: wide-pipe Merkle-Damgård construction modification with feed-forward. Compression function: generalized Feistel network. Attacked by Florian Mendel & Martin Schläffer: 2 n/3 operations & 2 n/3 memory blocks to find a collision for n-bit hash. Low security margin. Sarmal

114 Round 1 algorithms Author: Peter Maxwell. High-level structure: wide-pipe Merkle-Damgård construction. Compression function: substitution-permutation network. Attacked by its author: instant collision for all hash sizes. The algorithm was modified by its author. Attacks on the modified version are not found. Sgàil

115 Round 1 algorithms Authors: large group of experts from University of California at Santa Barbara, U. S. High-level structure: wide-pipe Merkle-Damgård construction. Compression function: 3-dimensional array processed by discrete Fourier transform. Broken independently by Brandon Enright, Tor Bjørstad & Ethan Heilman: instant collisions. Spectral Hash

116 Round 1 algorithms Authors: large group of experts from Israel and U. S. High-level structure: slightly modified Merkle-Damgård construction with finalization. Compression function: original construction based on fast Fourier transform. No attacks found. SWIFFTX

117 Round 1 algorithms Authors: Miguel Montes, Daniel Penazzi (Cordoba University, Spain). High-level structure: Merkle-Damgård construction with feed-forward & finalization. Compression function: generalized Feistel network. Attacked by Florian Mendel, Martin Schläffer: operations & 2 53 memory to find a collision for 256- bit hash. Medium security margin. TIB3

118 Round 1 algorithms Authors: Ewan Fleischmann, Christian Forler & Michael Gorski. High-level structure: Merkle-Damgård construction with finalization. Compression function: substitution-permutation network based on AES functions. Twister (structure)

119 Round 1 algorithms Several certification attacks by Florian Mendel, Christian Rechberger & Martin Schläffer, e. g operations to find 2 nd preimage for 512-bit hash. Relatively high security margin. Twister (attacks)

120 Round 1 algorithms Authors: Shay Gueron & Michael Kounavis (Intel Corp.). High-level structure: Merkle-Damgård construction with finalization. Compression function: substitution-permutation network based on AES functions. Attacked by Lars Knudsen, Florian Mendel, Christian Rechberger, Søren Thomsen: 2 3n/4 operations to find a preimage for n-bit hash. Relatively low security margin. Vortex

121 Round 2 algorithms Authors: Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael Phan. High-level structure: modified Merkle-Damgård construction: local wide-pipe with finalization. Compression function: permutation operations. One of the fastest round 2 algorithms. BLAKE (overview)

122 Round 2 algorithms BLAKE (structure) G-function – the basis of round permutation. 10 or 14 rounds with 8 G-function calls each.

123 Round 2 algorithms Certification attacks on reduced-round BLAKE: Ji Li & Liangyu Xu: preimage for 512-bit BLAKE with 2.5 rounds – operations;Ji Li & Liangyu Xu: preimage for 512-bit BLAKE with 2.5 rounds – operations; Jian Guo & Krystian Matusiewicz: near-collision for compression function of 256-bit BLAKE with 4 rounds – 2 42 operations.Jian Guo & Krystian Matusiewicz: near-collision for compression function of 256-bit BLAKE with 4 rounds – 2 42 operations. Very high security margin. BLAKE (attacks)

124 Round 2 algorithms Authors: large group of experts, mainly from Norwegian University of Science and Technology. High-level structure: wide-pipe Merkle-Damgård construction. Compression function: sequential processing of the current state by 3 different functions with feed- forward. One of the fastest round 2 algorithms. Blue Midnight Wish (overview)

125 Round 2 algorithms Blue Midnight Wish (structure) Compression function structure:

126 Round 2 algorithms Certification attacks by Søren Thomsen: instant near collision for compression function of 256-bit Blue Midnight Wish (11 different bits);instant near collision for compression function of 256-bit Blue Midnight Wish (11 different bits); pseudo-collision (2 3n/8+1 operations) or pseudo- preimage (2 3n/4+1 operations) for n-bit Blue Midnight Wish.pseudo-collision (2 3n/8+1 operations) or pseudo- preimage (2 3n/4+1 operations) for n-bit Blue Midnight Wish. Very high security margin. Blue Midnight Wish (attacks)

127 Round 2 algorithms Author: Daniel Bernstein (University of Illinois at Chicago). High-level structure: stream hashing. Compression function: Feistel network. Relative performance greatly depends on the platform and on the size of the test message – from the fastest round 2 algorithm to the slowest one. CubeHash (overview)

128 Round 2 algorithms CubeHash (structure) CubeHash round:

129 Round 2 algorithms CubeHash (structure) CubeHashr/b parameters: r – number of rounds;r – number of rounds; b – message block size in bytes.b – message block size in bytes. The original submitted variant is CubeHash8/1 – is very slow. It was replaced with CubeHash16/32 – about 16 times faster.

130 Round 2 algorithms Several attacks (include practical) on the variants with reduced rounds and larger blocks (e. g. CubeHash2/4 or CubeHash1/45). Several certification preimage attacks on submitted versions of CubeHash – by Jean-Philippe Aumasson et al. and by Dmitry Khovratovich et al. Security margin can be considered high. CubeHash (attacks)

131 Round 2 algorithms Authors: big groups of experts from Orange Labs (France). High-level structure: wide-pipe Merkle-Damgård construction. Compression function: substitution-permutation network based on AES functions. One of the slowest round 2 algorithms. No attacks found. ECHO (overview & attacks)

132 Round 2 algorithms ECHO (structure) Internal state: 4 X 4 array of 128-bit words. 8 rounds of substitution (on the figure) and permutation operations similar to AES round.

133 Round 2 algorithms Authors: Shai Halevi, William Hall, Charanjit Jutla (IBM). High-level structure: stream hashing. Compression function: substitution-permutation network based on AES functions. Features: 32-bit blocks; relatively large internal state; strengthened AES transforms. Relatively low performance. No attacks found. Fugue

134 Round 2 algorithms Authors: several experts from Technical University of Denmark & Graz University of Technology, Austria. High-level structure: wide-pipe Merkle-Damgård construction with finalization. Compression function: substitution-permutation network based on AES functions. Relatively low performance. No attacks found. Grøstl (overview & attacks)

135 Round 2 algorithms Grøstl (structure) P and Q functions performs 10 or 14 rounds of modified AES transformations. P and Q differ from each other in round constants only.

136 Round 2 algorithms Author: Özgül Küçük (Catholic University of Leuven, Belgium). High-level structure: concatenate-permute-truncate. Compression function: substitution-permutation network. Relatively low performance. No attacks found. Hamsi (overview & attacks)

137 Round 2 algorithms Hamsi (structure) C, P, and T-functions (concatenate-permute-truncate) form Hamsi compression function. 32- or 64-bit message blocks (are expanded to 256 or 512 bits each).

138 Round 2 algorithms Author: Hongjun Wu (Institute for Infocomm Research, Singapore). High-level structure: wide-pipe Merkle-Damgård construction. Compression function: substitution-permutation network. Medium performance. JH (overview)

139 Round 2 algorithms JH (structure) Compression function structure:

140 Round 2 algorithms Certification attack by Florian Mendel and Søren Thomsen: operations & memory blocks to find a preimage for 512-bit JH. Hongjun Wu disproved the attack. JH (attacks)

141 Round 2 algorithms Authors: Guido Bertoni, Joan Daemen, Michaël Peeters & Gilles Van Assche. High-level structure: cryptographic sponge. Compression function: permutation operations. Relatively high performance. No attacks found. Keccak (overview & attacks)

142 Round 2 algorithms Keccak (structure) Compression function round:

143 Round 2 algorithms Authors: Christophe De Cannière, Hisayoshi Sato & Dai Watanabe. High-level structure: cryptographic sponge. Compression function: substitution-permutation network. High performance. Luffa (overview)

144 Round 2 algorithms Luffa (structure) Compression function structure:

145 Round 2 algorithms Luffa (structure) Round of Q-functions:

146 Round 2 algorithms Several pseudo-attacks by Keting Jia: instant pseudo-collisions and 2 nd pseudo-preimages;instant pseudo-collisions and 2 nd pseudo-preimages; instant pseudo-preimages for 224- or 256-bit hash;instant pseudo-preimages for 224- or 256-bit hash; 2 64 operations and 2 64 memory to find pseudo- preimage for 384-bit hash.2 64 operations and 2 64 memory to find pseudo- preimage for 384-bit hash. No attacks found on main security requirements. But pseudo-attacks can be used in context of other attacks. Luffa (attacks)

147 Round 2 algorithms Authors: large group of experts of Saphir project funded by French National Research Agency. High-level structure: strengthened Merkle-Damgård construction (includes some sponge-like operations and feed-forward). Compression function: shift registers with different kinds of feedback. One of the fastest round 2 algorithms. No attacks found. Shabal (overview & attacks)

148 Round 2 algorithms Shabal (structure) Compression function structure:

149 Round 2 algorithms Authors: Eli Biham & Orr Dunkelman. High-level structure: Merkle-Damgård construction with finalization. Compression function: Feistel network (224- or 256-bit hash) or generalized Feistel network (384- or 512-bit hash) based on AES operations. One of the slowest round 2 algorithms. No attacks found. SHAvite-3 (overview & attacks)

150 Round 2 algorithms SHAvite-3 (structure) Compression function for 224- or 256-bit hash:

151 Round 2 algorithms SHAvite-3 (structure) Compression function round for 384- or 512-bit hash:

152 Round 2 algorithms Authors: Gaëtan Leurent, Pierre-Alain Fouque & Charles Bouillaguet (École Normale Supérieure, Paris). High-level structure: wide-pipe Merkle-Damgård construction with finalization. Compression function: generalized Feistel network. Relatively high performance. No attacks found. SIMD (overview & attacks)

153 Round 2 algorithms SIMD (structure) Compression function structure:

154 Round 2 algorithms Authors: Large group of experts. High-level structure: Unique Block Iteration. Compression function: substitution-permutation network. Relatively high performance. Skein (overview)

155 Round 2 algorithms Skein (structure) Compression function based on Threefish block cipher. 72 or 80 rounds based on permutations and parallel mix operations:

156 Round 2 algorithms Several attacks on reduced-round Skein procedures by Jean-Philippe Aumasson et al.: near-collision for 17-round compression function of Skein – 2 24 operations;near-collision for 17-round compression function of Skein – 2 24 operations; key recovery attack on 34-round Threefish – operations.key recovery attack on 34-round Threefish – operations. Very high security margin. Skein (attacks)

157 Structures tables High-level structures Merkle-Damgård construction and its variants.

158 Structures tables High-level structures Other structures.

159 Structures tables High-level structures statistics

160 Structures table Compression function structures

161 Structures table Compression function structures statistics

162 Performance tables Claimed performance by authors. Source: Ewan Fleischmann et al. Classification of the SHA-3 candidates.

163 Performance tables 64-bit platform: AMD Athlon 64 X MHz. Source: eBASH project (http://bench.cr.yp.to), July 2009.

164 Performance tables 32-bit platform: Intel Core 2 Duo 3000 MHz. Source: eBASH project (http://bench.cr.yp.to), July 2009.

165 Performance tables ARM: XScale-PXA MHz. Source: eBASH project (http://bench.cr.yp.to), February 2009.

166 Round 2 algorithms Can we divide the round 2 algorithms to the following categories? most probable, andmost probable, and less probable algorithms to be SHA-3 standard.less probable algorithms to be SHA-3 standard. Conclusion

167 Round 2 algorithms Possible factors to exclude algorithms from the further concerning: relatively low performance;relatively low performance; not high security margin;not high security margin; too complex structure of algorithm – difficult to analyze or realize;too complex structure of algorithm – difficult to analyze or realize; similarity to SHA-2 in structure.similarity to SHA-2 in structure. Conclusion

168 Round 2 algorithms Performance factor: ECHO, Grøstl, Hamsi, SHAvite-3 – relatively low practical performance;ECHO, Grøstl, Hamsi, SHAvite-3 – relatively low practical performance; Fugue – relatively low theoretical performance;Fugue – relatively low theoretical performance; CubeHash – relatively slow while hashing short messages.CubeHash – relatively slow while hashing short messages. Conclusion

169 Round 2 algorithms Security margin factor: Luffa: no attacks on main security requirements, but simple attacks allow to find pseudo-collisions and pseudo-preimages; pseudo-attacks can be theoretically used while mounting future attacks on Luffa, so its security margin can not be considered high.Luffa: no attacks on main security requirements, but simple attacks allow to find pseudo-collisions and pseudo-preimages; pseudo-attacks can be theoretically used while mounting future attacks on Luffa, so its security margin can not be considered high. Conclusion

170 Round 2 algorithms Other factors – no algorithms to exclude: all algorithms have clear and relatively simple structures;all algorithms have clear and relatively simple structures; no algorithms are very similar to SHA-2.no algorithms are very similar to SHA-2. Conclusion

171 Round 2 algorithms Therefore the following algorithms can be considered less probable to be SHA-3: CubeHash, ECHO, Fugue, Grøstl, Hamsi, SHAvite-3 – relatively low performance;CubeHash, ECHO, Fugue, Grøstl, Hamsi, SHAvite-3 – relatively low performance; Luffa – some doubts about security margin.Luffa – some doubts about security margin. Conclusion

172 Round 2 algorithms As a result, the following algorithms can be considered more probable to be SHA-3 standard: Blake;Blake; Blue Midnight Wish;Blue Midnight Wish; JH;JH; Keccak;Keccak; Shabal;Shabal; SIMD;SIMD; Skein.Skein. Conclusion

173 Acknowledgements to Andrei Gurtov, who invited me to give a talk about hash functions.to Andrei Gurtov, who invited me to give a talk about hash functions.

174 Thank you! Sergey Panasenko, independent information security consultant, Moscow, Russia.


Download ppt "SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information."

Similar presentations


Ads by Google