Download presentation

Presentation is loading. Please wait.

1
**Which Hash Functions will survive?**

Xiaoyun Wang Xuejia Lai Magnus Daum Shandong University Shanghai Jiaotong University Ruhr University Bochum

2
**Which Hash Functions will survive?**

Overview Applications and Properties Hash Functions of the MD4-Family Different Methods of Attacks Attacks on Iterated Hash Functions The Modular Differential Attack Which Hash Functions will survive?

3
**Applications and Properties**

Which Hash Functions will survive?

4
**Which Hash Functions will survive?**

What is a Hash Function? A hash function is efficiently computable compresses information of arbitrary length to some information of fixed length („digital fingerprint“) message Hash function Which Hash Functions will survive?

5
**Application in Digital Signature Schemes**

Alice Bob Alice Alice h h ? = Signature okay? Alice Alice Which Hash Functions will survive?

6
**Properties of Cryptographic Hashfunctions**

preimage-resistance: „Given V, find M such that h(M)=V“ is infeasible 2nd-preimage-resistance: „Given M, find M‘M such that h(M‘)=h(M)“ is infeasible collision-resistance: „Find M‘M such that h(M‘)=h(M)“ is infeasible Implikationen erwähnen!!! Which Hash Functions will survive?

7
**Application in Digital Signature Schemes**

Alice Alice signed the contract about €50k. Signature is okay ! Bob Okay, I will sign the contract about €10k. ? = Alice € 10k € 50k Alice h h € 10k € 50k Alice h Collision! Alice, please sign this contract! Bob, Alice signed this contract! Eve Which Hash Functions will survive?

8
**Hash Functions of the MD4 Family**

Which Hash Functions will survive?

9
**Which Hash Functions will survive?**

Of practical interest: Hashfunctions based on blockciphers: Matyas-Meyer-Oseas, Davies-Meyer, Miyaguchi-Preneel MDC-2, MDC-4 Dedicated Hashfunctions: MD4, MD5 RIPEMD-{0,128,160,256,320} SHA-{0,1,224,256,384,512} Tiger Whirlpool Beispiele für Blockcipher-Funktionen einbauen??? MD4-Family Which Hash Functions will survive?

10
**Which Hash Functions will survive?**

Overview MD4-Family MD4 (Rivest ‚‘90) Ext. MD4 (Rivest ‚‘90) SHA-0 (NIST, ’93) RIPEMD-0 (RIPE, ‘92) SHA-1 (NIST, ’95) MD5 (Rivest ‚‘92) HAVAL (Zheng, Pieprzyk, Seberry ‚‘93) RIPEMD-128 RIPEMD-160 RIPEMD-256 RIPEMD-320 (Dobbertin, Bosselaers, Preneel ‘96) SHA-224 SHA-256 SHA-384 SHA-512 (NIST, ’02/04) Which Hash Functions will survive?

11
**General Structure Iterated Compression Functions**

kurz collision-resistance of the compression function collision-resistance of the hash function Which Hash Functions will survive?

12
**Common Structure of the Compression Functions**

kurz Message Expansion Which Hash Functions will survive?

13
**Different Message Expansions**

SHA recursive definition MD / RIPEMD roundwise permu-tations of the Mi wichtig !!! e.g. SHA-1: Which Hash Functions will survive?

14
**Which Hash Functions will survive?**

Step Operation MD5: SHA-0/1: Only 1 register changed per step Mixture of different kinds of operations Which Hash Functions will survive?

15
**Which Hash Functions will survive?**

Attack Methods Which Hash Functions will survive?

16
**Which Hash Functions will survive?**

Collision Attacks „Find M‘M such that h(M‘)=h(M)“ collision-resistance: „Find M‘M such that h(M‘)=h(M)“ is infeasible Three different kinds of (successfull) attacks: Dobbertin (1995/96) Chabaud/Joux (1998), Biham/Chen(2004), Joux(2004) Wang/Feng/Lai/Yu (2004) Which Hash Functions will survive?

17
**Which Hash Functions will survive?**

Dobbertin‘s Attacks Idea: Describe the whole compression functions by the means of a huge system of equations Variables: Equations: Message words - Step operation Contents of the registers - Message Expansion - Collision Equations include many very different kinds of operations, e.g. F2-linear, „modulo 232“ operations and bitwise defined Boolean functions Hard to solve with algebraic means Special methods are needed Which Hash Functions will survive?

18
**Which Hash Functions will survive?**

Example: Attack on MD5 i=0 Find with Each Mi is used in exactly four steps in the computation Choose and for all other i Computations run in parallel to each other up to the first appearance of i 0 Another special restriction: Require Inner Collisions 150 150 i=0 150 150 i=0 Which Hash Functions will survive?

19
**Which Hash Functions will survive?**

Overview MD4-Family MD4 (Rivest ‚‘90) Ext. MD4 (Rivest ‚‘90) SHA-0 (NIST, ’93) Kasselman/ Penzhorn‚ 2000 Dobbertin ‚’95/96 RIPEMD (RIPE, ‘92) SHA-1 (NIST, ’95) MD5 (Rivest ‚‘92) HAVAL (Zheng, Pieprzyk, Seberry ‚‘93) RIPEMD-128 RIPEMD-160 RIPEMD-256 RIPEMD-320 (Dobbertin, Bosselaers, Preneel ‘96) SHA-224 SHA-256 SHA-384 SHA-512 (NIST, ’02/04) Which Hash Functions will survive?

20
**Chabaud/Joux-Attack on SHA-0**

Idea: Approximate compression function by a linear function Find collisions for this linearised function Find messages with the same „differential behaviour“ in the real compression function 3 non-linear parts in SHA-0: addition modulo 232 Can all be approximated by bitwise © (linear) Which Hash Functions will survive?

21
**Elementary Collisions**

Vielleicht noch Differenzen each collision of the complete (linearised) compression function is a linear combination of such elementary collisions Which Hash Functions will survive?

22
**Biham/Chen: Neutral Bits**

Idea: Find bits of the message that can be changed without changing the „differential behaviour“ up to some step k produce a big number of messages which fulfill some of the needed conditions automatically increased probability of success Which Hash Functions will survive?

23
**Which Hash Functions will survive?**

Overview MD4-Family Joux‚ 2004 MD4 (Rivest ‚‘90) Ext. MD4 (Rivest ‚‘90) SHA-0 (NIST, ’93) Wang/Feng/ Lai/Yu‚ 2004 Chabaud/Joux ‚’98 Biham/Chen‚ RIPEMD (RIPE, ‘92) SHA-1 (NIST, ’95) MD5 (Rivest ‚‘92) HAVAL (Zheng, Pieprzyk, Seberry ‚‘93) RIPEMD-128 RIPEMD-160 RIPEMD-256 RIPEMD-320 (Dobbertin, Bosselaers, Preneel ‘96) SHA-224 SHA-256 SHA-384 SHA-512 (NIST, ’02/04) Which Hash Functions will survive?

Similar presentations

OK

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

© 2018 SlidePlayer.com Inc.

All rights reserved.

Ads by Google