Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Which Hash Functions will survive? Xiaoyun Wang Xuejia Lai Magnus.


1 Ruhr-Universität Bochum, Fakultät für Mathematik, Informationssicherheit und Kryptologie
Which Hash Functions will survive?
Xiaoyun Wang, Xuejia Lai, Magnus Daum
Shanghai Jiaotong University, Shandong University, Ruhr University Bochum

2 Overview
–Applications and Properties
–Hash Functions of the MD4-Family
–Different Methods of Attacks
–Attacks on Iterated Hash Functions
–The Modular Differential Attack

3 Applications and Properties

4 What is a Hash Function?
A hash function
–is efficiently computable
–compresses information of arbitrary length to some information of fixed length (digital fingerprint)
[Figure labels: message, Hash function]

5 Application in Digital Signature Schemes
[Figure labels: Bob, Alice, h, h, "?=", "Signature okay?"]

6 Properties of Cryptographic Hash Functions
–preimage-resistance: Given $V$, find $M$ such that $h(M) = V$ is infeasible
–2nd-preimage-resistance: Given $M$, find $M' \neq M$ such that $h(M') = h(M)$ is infeasible
–collision-resistance: Find $M' \neq M$ such that $h(M') = h(M)$ is infeasible

7 Application in Digital Signature Schemes
[Figure labels: Bob, Alice, Eve, h, "?=", contracts 10k and 50k]
"Alice, please sign this contract!" (10k)
"Bob, Alice signed this contract!" (50k)
"Okay, I will sign the contract about 10k."
"Alice signed the contract about 50k."
"Signature is okay!"
Collision!
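The contract scenario on this slide, as an added example that is not part of the original presentation: a hash-then-sign scheme in which the signature covers only h(M), so two contracts with the same digest share one signature. Assumptions: SHA-256 truncated to 24 bits plays the weak hash, HMAC stands in for Alice's signature primitive, and the contract texts and key are constructed.

```python
import hashlib
import hmac
from itertools import count

TOY_BYTES = 3  # assumption: 24-bit digest, small enough to collide quickly

def toy_hash(msg: bytes) -> bytes:
    """Weak h: SHA-256 truncated to TOY_BYTES (stand-in for a broken hash)."""
    return hashlib.sha256(msg).digest()[:TOY_BYTES]

def full_hash(msg: bytes) -> bytes:
    """Collision-resistant h for comparison: untruncated SHA-256."""
    return hashlib.sha256(msg).digest()

def sign(key: bytes, msg: bytes, h=toy_hash) -> bytes:
    """Hash-then-sign. HMAC stands in for Alice's signature primitive."""
    return hmac.new(key, h(msg), hashlib.sha256).digest()

def verify(key: bytes, msg: bytes, sig: bytes, h=toy_hash) -> bool:
    """Bob recomputes h(msg) and checks the signature over that digest."""
    return hmac.compare_digest(sign(key, msg, h), sig)

def find_colliding_contracts(pool: int = 1 << 13):
    """Birthday search: vary a reference number until the digests meet."""
    lows = {}
    for i in range(pool):
        m = b"Alice pays 10k, ref %d" % i
        lows[toy_hash(m)] = m
    for j in count():
        high = b"Alice pays 50k, ref %d" % j
        low = lows.get(toy_hash(high))
        if low is not None:
            return low, high

if __name__ == "__main__":
    key = b"constructed demo key"
    low, high = find_colliding_contracts()
    sig = sign(key, low)                       # Alice signs the 10k text
    print(low, high, toy_hash(low).hex())
    print("weak h accepts 50k text:", verify(key, high, sig))
    strong = sign(key, low, full_hash)         # same flow with full SHA-256
    print("SHA-256 accepts 50k text:", verify(key, high, strong, full_hash))
```

With the full-length digest the same pair of texts no longer verifies, which is the reason a signature scheme needs collision-resistance and not only preimage-resistance from h.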

8 Hash Functions of the MD4 Family

9 Hash Functions MD4-Family
Of practical interest:
–Hash functions based on block ciphers: Matyas-Meyer-Oseas, Davies-Meyer, Miyaguchi-Preneel; MDC-2, MDC-4
–Dedicated hash functions: MD4, MD5; RIPEMD-{0,128,160,256,320}; SHA-{0,1,224,256,384,512}; Tiger; Whirlpool

10 Overview MD4-Family
–SHA-224, SHA-256, SHA-384, SHA-512 (NIST, 02/04)
–SHA-0 (NIST, 93)
–MD4 (Rivest 90)
–Ext. MD4 (Rivest 90)
–RIPEMD-0 (RIPE, 92)
–MD5 (Rivest 92)
–RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320 (Dobbertin, Bosselaers, Preneel 96)
–SHA-1 (NIST, 95)
–HAVAL (Zheng, Pieprzyk, Seberry 93)

11 General Structure
Iterated Compression Functions
collision-resistance of the compression function
collision-resistance of the hash function

12 Common Structure of the Compression Functions
[Figure label: Message Expansion]

13 Different Message Expansions
–MD / RIPEMD: roundwise permutations of the $M_i$
–SHA: recursive definition, e.g. SHA-1:

14 Step Operation
SHA-0/1: MD5:
–Only 1 register changed per step
–Mixture of different kinds of operations

15 Attack Methods

16 Collision Attacks
collision-resistance: Find $M' \neq M$ such that $h(M') = h(M)$ is infeasible
Find $M' \neq M$ such that $h(M') = h(M)$
Three different kinds of (successful) attacks:
–Dobbertin (1995/96)
–Chabaud/Joux (1998), Biham/Chen (2004), Joux (2004)
–Wang/Feng/Lai/Yu (2004)

17 Dobbertin's Attacks
Idea: Describe the whole compression function by means of a huge system of equations
Variables:
–Message words
–Contents of the registers
Equations:
–Step operation
–Message Expansion
–Collision
Equations include many very different kinds of operations, e.g. $F_2$-linear, modulo $2^{32}$ operations and bitwise defined Boolean functions
Hard to solve with algebraic means
Special methods are needed

18 Example: Attack on MD5
Find with
Each $M_i$ is used in exactly four steps in the computation
Choose and for all other i
Computations run in parallel to each other up to the first appearance of $i_0$
Another special restriction: Require Inner Collisions

19 Overview MD4-Family
–SHA-224, SHA-256, SHA-384, SHA-512 (NIST, 02/04)
–SHA-0 (NIST, 93)
–MD4 (Rivest 90)
–Ext. MD4 (Rivest 90)
–RIPEMD (RIPE, 92)
–MD5 (Rivest 92)
–RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320 (Dobbertin, Bosselaers, Preneel 96)
–SHA-1 (NIST, 95)
–HAVAL (Zheng, Pieprzyk, Seberry 93)
Attacks marked in the diagram: Dobbertin 95/96; Kasselman/Penzhorn 2000

20 Chabaud/Joux-Attack on SHA-0
Idea:
–Approximate compression function by a linear function
–Find collisions for this linearised function
–Find messages with the same differential behaviour in the real compression function
3 non-linear parts in SHA-0:
–addition modulo $2^{32}$
–
–
Can all be approximated by bitwise ⊕ (linear)
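How good the XOR approximation of modular addition is, as an added example that is not part of the original presentation: it counts exhaustively how often flipping the bits d in one addend flips exactly the bits d in the sum, which is what the linearised model predicts. Assumption: 8-bit words replace the 32-bit words of SHA-0 so that all input pairs can be enumerated; the function names are illustrative.

```python
from itertools import product

def xor_diff_holds(x: int, y: int, d: int, bits: int) -> bool:
    """True if flipping bits d in x flips exactly bits d in (x + y) mod 2^bits."""
    mask = (1 << bits) - 1
    return (((x ^ d) + y) & mask) ^ ((x + y) & mask) == d

def count_linear_behaviour(d: int, bits: int = 8) -> int:
    """Count all (x, y) pairs for which addition behaves like XOR for d."""
    return sum(xor_diff_holds(x, y, d, bits)
               for x, y in product(range(1 << bits), repeat=2))

def predicted_count(d: int, bits: int = 8) -> int:
    """Each difference bit below the top bit costs one carry condition,
    halving the number of good pairs; a top-bit difference is free
    because its carry falls outside the word."""
    msb = 1 << (bits - 1)
    conditions = bin(d & (msb - 1)).count("1")
    return (1 << (2 * bits)) >> conditions

if __name__ == "__main__":
    for d in (0x80, 0x01, 0x81, 0x03, 0x55):
        good = count_linear_behaviour(d)
        print(f"d={d:#04x}: {good}/65536 pairs, predicted {predicted_count(d)}")
```

The counts show why the linearised collision only carries over to the real function with some probability: every difference bit outside the most significant position adds a condition that the message must satisfy.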

21 Elementary Collisions
each collision of the complete (linearised) compression function is a linear combination of such elementary collisions

22 Biham/Chen: Neutral Bits
Idea:
–Find bits of the message that can be changed without changing the differential behaviour up to some step k
–produce a big number of messages which fulfill some of the needed conditions automatically
–increased probability of success

23 Overview MD4-Family
–SHA-224, SHA-256, SHA-384, SHA-512 (NIST, 02/04)
–SHA-0 (NIST, 93)
–MD4 (Rivest 90)
–Ext. MD4 (Rivest 90)
–RIPEMD (RIPE, 92)
–MD5 (Rivest 92)
–RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320 (Dobbertin, Bosselaers, Preneel 96)
–SHA-1 (NIST, 95)
–HAVAL (Zheng, Pieprzyk, Seberry 93)
Attacks marked in the diagram: Chabaud/Joux 98; Biham/Chen 2004; Joux 2004; Wang/Feng/Lai/Yu 2004

