JH Review, Group 3. Outline: Why we choose JH; Description of JH; Comments of NIST and MIT students; Preimage Attack by Mendel and Thomsen; Analysis of Author.
Description of JH (our description): The hash first pads the message to a multiple of 512 bits, with the length of the message included in the padding. After padding, the message is split into blocks of 512 bits. Then, starting from an initial hash value H(0) (1024-bit), the algorithm iteratively uses a compression function F8 to compress each block, resulting in a final hash value H(N). Finally, H(N) is truncated into a message digest of the designated length.
Compression Function E is a permutation of 1024 elements
Comments of NIST “JH uses a novel construction, somewhat reminiscent of a sponge construction, to build a hash algorithm out of a single, large, fixed permutation. The fixed permutation is an SP network, combining two 4-bit S-boxes with a set of linear mixing operations and bit permutations. All nonlinearity in this design is derived from the S-boxes. The most innovative part of this design is the compression function construction, which XORs a 512-bit message block into the left half of the input of the fixed permutation, and then XORs the same message block into the right half of the output of the fixed permutation. The design of the fixed permutation is also new.”
Comments of NIST JH’s performance is good, and has modest memory requirements. Unlike most second-round candidates, all output sizes of JH use the same function, but with different initial hash values and different amounts of truncation at the end. The most serious cryptanalytic result on JH is a theoretical preimage attack on the 512-bit version, which is barely cheaper than a brute force attack. As this attack does not appear to threaten the design, it does not concern us. However, the compression function construction of JH is not well-understood, and the submitter did not provide a great deal of analysis of this construction.
Comments of MIT Students (?) “We found that in terms of quality and depth of proofs, Lesamnta offered the best security analysis. The authors offered extensive analysis of the security features of all parts of the Lesamnta algorithm, including the modes of operation and the underlying compression function. In addition, they showed that Lesamnta was provably secure against both common and emerging attacks against hash functions. Particularly impressive was that Lesamnta was shown to be provably secure against known key distinguisher attacks, something that we did not even see mentioned in other papers.”
Comments of MIT Students (?) “Among the other submissions, SHAvite-3 was a close second in terms of security analysis. Though they too offered a good number of proofs against many common attacks, their analysis was not quite as in depth as that of Lesamnta. The other algorithms, FSB and JH, were often very simplistic in their assumptions and limited in the types of attacks that they were able to prove security against.”
Keywords: Compression Function: new, not well understood. Security Analysis: not enough. Simplicity and Performance: good.
Preimage Attack by Mendel and Thomsen “we present a generic preimage attack on JH-512. We do not claim that our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the SHA-2 family.” (Figure: Compression Function)
Attack Detail: (1) Given H_4 (final hash value), use M_4 to get H_3 (Obs.1), where M_4 is an arbitrary block satisfying the padding scheme. (2) Enumerate M_3 to get enough pairs (H_2, M_3) where f(H_2, M_3) = H_3. (3) Find multiple collisions H_1^k (0 <= k < r), preparing for Obs.2. (4) Use Obs.2 to enumerate M_2^k satisfying f(H_1^k, M_2^k) = (H_2, M_3).
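The backward step the attack starts with (Obs.1: H_4 and M_4 give H_3) follows from the construction NIST describes, where the message block is XORed in on both sides of a fixed permutation. The sketch below is an added example, not code from the slides or from the JH submission; `toy_perm` is a constructed 4-round Feistel stand-in for JH's permutation, and the IV and message blocks are constructed sample values.

```python
import hashlib

HALF = 64  # bytes: one 512-bit message block, half of the 1024-bit state

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(data, i):
    # Round function of the toy Feistel network (assumption, not JH's S-box layers).
    return hashlib.shake_256(bytes([i]) + data).digest(HALF)

def toy_perm(state):
    """Constructed stand-in for the fixed 1024-bit permutation; NOT JH's real one."""
    l, r = state[:HALF], state[HALF:]
    for i in range(4):
        l, r = r, _xor(l, _f(r, i))
    return l + r

def toy_perm_inv(state):
    l, r = state[:HALF], state[HALF:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(l, i)), l
    return l + r

def compress(h, m):
    """XOR M into the left half of the input, permute, XOR M into the right half of the output."""
    y = toy_perm(_xor(h[:HALF], m) + h[HALF:])
    return y[:HALF] + _xor(y[HALF:], m)

def invert_compress(h_next, m):
    """Backward step: with M known, undo both XORs and the permutation."""
    x = toy_perm_inv(h_next[:HALF] + _xor(h_next[HALF:], m))
    return _xor(x[:HALF], m) + x[HALF:]

def chain(iv, blocks):
    """Return [H_0, H_1, ..., H_N] for the iterated construction."""
    states = [iv]
    for m in blocks:
        states.append(compress(states[-1], m))
    return states

if __name__ == "__main__":
    iv = bytes(2 * HALF)                                # constructed sample IV
    blocks = [bytes([i]) * HALF for i in range(1, 5)]   # constructed M_1..M_4
    states = chain(iv, blocks)
    h3 = invert_compress(states[4], blocks[3])          # H_4 and M_4 give H_3
    print("recovered H_3 matches:", h3 == states[3])
```

With the block known, a full 1024-bit chaining value can always be stepped backwards, so the compression function is not one-way by itself; the hash output is a truncation of the final state.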
Attack Analysis: Suppose that f satisfies a Poisson distribution => multiple collisions. Use Obs.2 to skip some compression function calculations. However, very poor: 2^510.3 => (2^510.3) * 51. The reason for 51 and 510.3: the balance of the complexity of finding multiple collisions.
Attack Result: No effect on JH's security (so we ignore the author's defence). Just some interesting things about the compression function. “Nevertheless, we think that the attack shows some interesting properties of JH-512, which do not exist in other hash functions. Maybe these properties can be combined with a dedicated preimage attack on JH-512 in the future. At the moment, our attack does not compromise the security claims of JH-512.”
Author's Analysis Paullznand Chimney Liu's Reports (click the hyperlink above to see the report)
Compare With CubeHash: What is CubeHash? A very SIMPLE cryptographic hash function. Algorithm introduction in 2 pages. Process: Initialization; Padding & Blocking; Identical rounds to change states; Finalization. Ten steps per round with only xor, add, and rotate. “That's it”
Compare With CubeHash (JH vs. CubeHash)
Performance. JH: Hardware optimized (Bit-Slice); SSE2 optimized; modest memory requirements. CubeHash: SIMD optimized.
Security. JH: Most serious result barely cheaper than brute force. Lack of analysis on compression function. CubeHash: Best-understood candidate. Semi-free-start collision and the symmetry properties the most troubling.
Variants (Performance & security trade-off). JH: Relatively fixed (Algorithm limitation); easy to choose parameters for different requirements. CubeHash: Variable (2 tunable parameters); a little bit hard to design proper combination of parameters.
Innovation. JH: Compression function construction.
Reference
JH: http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/
NIST official evaluation: http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/sha3_NISTIR7620.pdf
MIT Students Summary: http://courses.csail.mit.edu/6.857/2009/sha3/group7.pdf
Preimage Attack by Mendel and Thomsen: http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf
Author's defence of Preimage Attack: http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf