# 1 Cryptanalysis Lecture Block 5: Cryptographic Hashes John Manferdelli © 2004-2008, John L. Manferdelli.


Cryptanalysis Lecture Block 5: Cryptographic Hashes. John Manferdelli (jmanfer@microsoft.com, JohnManferdelli@hotmail.com). © 2004-2008, John L. Manferdelli. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only. (jlm20090310)

## Cryptographic Hashes

A cryptographic hash ("CH") is a "one way function" h from all binary strings (of arbitrary length) into a fixed block of size n (called the size of the hash) with the following properties:

1. Computing h is relatively cheap.
2. Given y = h(x) it is infeasible to calculate x ("one way", "non-invertibility" or "pre-image" resistance). Functions satisfying this condition are called One Way Hash Functions (OWHF).
3. Given u, it is infeasible to find w ≠ u such that h(u) = h(w) (weak collision resistance, 2nd pre-image resistance).
4. It is infeasible to find u, w such that h(u) = h(w) (strong collision resistance). Note 4 ⇒ 3. Functions satisfying this condition are called Collision Resistant Functions (CRFs).

## Cryptographic Hashes (continued)

- h must be compressive (otherwise a copy of the original binary string satisfies the requirements).
- Just as for symmetric ciphers, the ratio of the work factor for computing the hash to the work factor for breaking the hash should be very high.
- The adversary has complete information on how the hash is computed and (obviously) can compute as many hashes of the target as she wants.

## Observations on Cryptographic Hashes

- Hashes are a strong "checksum".
- The OWHF and CRF conditions make CHs satisfy many of the properties of "random functions":
  - Small changes should create large changes (otherwise the pre-images of near neighbors are near neighbors, making collisions easy to find).
  - Small input changes should be statistically unrelated (uncorrelated) to changes in any subset of the hash bits.
  - Analysis of CHs is very similar to symmetric cipher techniques.
- Popular practical cryptographic hashes:
  - MD4, MD5 (now "broken")
  - SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 (the last four are "SHA-2")
  - RIPEMD

## Observations

- Collision resistance ⇒ 2nd pre-image resistance.
- Let f(x) = x^2 − 1 (mod p). f(x) acts like a random function but is not a OWHF, since square roots are easy to calculate mod p.
- Let f(x) = x^2 (mod pq). f(x) is a OWHF but is neither collision nor 2nd pre-image resistant.
- If either h_1(x) or h_2(x) is a CRHF, so is h(x) = h_1(x) || h_2(x).
- MDC + signature and MAC + unknown key require all three properties.

Ideal work factors:

| Type | Work | Property |
|------|------|----------|
| OWHF | 2^n | pre-image, 2nd pre-image |
| CRHF | 2^{n/2} | collision |
| MAC | 2^t | key recovery, computational resistance |

## What are Hash Functions Good for?

- Modification Detection Codes (MDCs): a strong checksum (integrity check). Sometimes called "unkeyed" hashes.
- Message Authentication Codes (MACs): if a shared secret is part of the hash, two parties can determine authenticated integrity with CHs. Called "keyed hashes".
- Message Digests (MDs): encrypting (with a private key) the CH of a message (its MD) acts as a certification that the message was "approved" by the possessor of the private key. This is called a Digital Signature. [Note: you could "sign" the whole message rather than the hash, but this would take oodles of time by comparison.]

## What are Hash Functions Good for? (continued)

- Uniquely and securely identifies bit streams such as programs: the hash is a strong name for the program.
- Entropy mixing: since CHs are random functions into fixed size blocks with the properties of random functions, they are often used to "mix" biased input to produce a "seed" for a pseudo-random number generator.
- Password protection: store a salted hash of the password instead of the password (Needham).
- Bit commitment.

## MACs using Hashes

- Prefix and suffix attacks
- Hash(k_1, Hash(k_2, m))
- Hash(k || p || m || k)
- HMAC_K(x) = SHA-1((K ⊕ opad) || SHA-1((K ⊕ ipad) || x))
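The HMAC line above, written out as code so the nesting of the two SHA-1 calls and the role of ipad/opad are concrete. This is an added example, not code from the lecture; it assumes the RFC 2104 conventions that ipad = 0x36 and opad = 0x5C repeated to the 64-byte SHA-1 block size and that keys longer than a block are first hashed, and it checks the hand-built result against Python's `hmac` module and the RFC 2202 test vector.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 works on 512-bit (64-byte) blocks; ipad/opad are block-sized
IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C


def hmac_sha1_from_formula(key: bytes, msg: bytes) -> bytes:
    """HMAC_K(x) = SHA-1((K xor opad) || SHA-1((K xor ipad) || x)), built directly
    from the construction on the slide (RFC 2104 key handling assumed)."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()        # long keys are hashed down first
    key = key.ljust(BLOCK_SIZE, b"\x00")        # short keys are zero-padded to one block
    k_ipad = bytes(b ^ IPAD_BYTE for b in key)
    k_opad = bytes(b ^ OPAD_BYTE for b in key)
    inner = hashlib.sha1(k_ipad + msg).digest()   # inner hash binds the message
    return hashlib.sha1(k_opad + inner).digest()  # outer hash wraps the inner digest


def matches_library(key: bytes, msg: bytes) -> bool:
    """Cross-check against the standard library, using a constant-time compare."""
    expected = hmac.new(key, msg, hashlib.sha1).digest()
    return hmac.compare_digest(hmac_sha1_from_formula(key, msg), expected)


# RFC 2202 test case 1 (constructed inputs from the RFC, not from the lecture).
RFC2202_KEY = bytes([0x0B] * 20)
RFC2202_MSG = b"Hi There"
```

The nesting matters: the secret key enters through both the inner and the outer SHA-1 call, which is what separates HMAC from the plain secret-prefix and secret-suffix constructions listed above it.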

## One-Way Functions

Hashes come from two basic classes of one-way functions:

- Mathematical: multiplication Z = XY; modular exponentiation Z = Y^X (mod n) (Chaum-van Heijst-Pfitzmann hash).
- Ad hoc (symmetric-cipher-like constructions): custom hash functions (MD4, SHA, MD5, RIPEMD).

## Attacks on Cryptographic Hashes

- Birthday (Yuval) attacks. The probability of a collision is determined by the "Birthday Paradox" calculation: (1 − 1/n)(1 − 2/n) … (1 − (k−1)/n) = (n!/k!)/n^k.
  - The probability of a collision is > .5 when k^2 > n. Need 2^80 blocks for SHA.
  - 1 + x ≈ e^x, so ∏_{i=1}^{k−1} (1 − i/n) ≈ e^{−k(k−1)/(2n)}.
- Dobbertin attacks on MD4.
- Attacks on 2nd pre-images:
  - (Old) If you hash 2^t messages, the average work to find a 2nd pre-image is 2^{n−t}.
  - (New) If you hash 2^t blocks, the average work to find a 2nd pre-image is t·2^{n/2+1} + 2^{n−t+1} [Kelsey, Schneier].
  - Appending the length doesn't help against 2nd pre-image attacks.

## Attacks on Hashes

- Selective and existential forgery
- Key recovery for MACs
- Chaining: meet in the middle; fixed point
- Padding
- Differential

## Attacks on Cryptographic Hashes (history)

- Berson (1992): differential cryptanalysis of 1-round MD5.
- den Boer and Bosselaers (1993): pseudo-collision in MD5.
- Dobbertin (1996): collisions in the compression function. These attacks inspired the RIPEMD proposal.
- Biham and Chen (2004): collisions in SHA-0.
- Chabaud and Joux (2004): collisions in SHA-0.
- Wang, Feng, Lai, Yu (2004): MD4, MD5, RIPEMD.
- Wang et al. (2004, 2005): SHA-1.
- SHA-1 has stood up best: the best known theoretical attack (11/05) requires 2^63 operations.

## Birthday Attacks

The probability of a collision is determined by the "Birthday Paradox" calculation:

- (1 − 1/n)(1 − 2/n) … (1 − (k−1)/n) = (n!/k!)/n^k
- The probability of a collision is > .5 when k^2 > n.
- Need 2^80 blocks for SHA.
- 1 + x ≈ e^x, so ∏_{i=1}^{k−1} (1 − i/n) ≈ e^{−k(k−1)/(2n)}.
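The birthday calculation above, worked numerically. This is an added example, not part of the lecture: it evaluates the exact product (1 − 1/n)(1 − 2/n)…(1 − (k−1)/n), which equals n!/((n−k)!·n^k), beside the e^{−k(k−1)/(2n)} approximation, finds the smallest k that pushes the collision probability past 1/2, and then measures the draw count empirically on a constructed 16-bit hash (SHA-256 truncated to 16 bits) to show the sqrt(n) scaling. The function and variable names are the example's own.

```python
import hashlib
import math
import random


def p_no_collision_exact(n: int, k: int) -> float:
    """Exact probability that k uniform draws from n values are all distinct:
    the product (1 - 1/n)(1 - 2/n) ... (1 - (k-1)/n)."""
    p = 1.0
    for i in range(1, k):
        p *= 1.0 - i / n
    return p


def p_no_collision_approx(n: int, k: int) -> float:
    """The slide's approximation, from 1 + x ~ e^x applied to each factor."""
    return math.exp(-k * (k - 1) / (2 * n))


def draws_for_half(n: int) -> int:
    """Smallest k for which the collision probability exceeds 1/2 (exact product).
    For large n this is about 1.18 * sqrt(n), i.e. k^2 > n as the slide says."""
    k = 1
    while p_no_collision_exact(n, k) > 0.5:
        k += 1
    return k


def toy_hash16(data: bytes) -> int:
    """Constructed 16-bit 'hash': the first two bytes of SHA-256 (n = 2^16 outputs)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def mean_draws_to_collision(trials: int, seed: int = 1) -> float:
    """Average number of random inputs hashed before the first repeated toy_hash16
    output. Expected value is about sqrt(pi * n / 2) ~ 321 for n = 2^16."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen = set()
        draws = 0
        while True:
            draws += 1
            v = toy_hash16(rng.getrandbits(64).to_bytes(8, "big"))
            if v in seen:
                break
            seen.add(v)
        total += draws
    return total / trials
```

With n = 365 the exact threshold is the familiar 23 people; with n = 2^16 the empirical mean lands near 320 draws, i.e. a few times sqrt(n), which is why a 160-bit hash is credited with only 2^80 work against collisions rather than 2^160.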

## Chaum-van Heijst-Pfitzmann Compression Function

Suppose p is prime, q = (p−1)/2 is prime, a is a primitive root in F_p and b is another primitive root, so a^x = b (mod p) for some unknown x. Define g: {1, 2, …, q−1}^2 → {1, 2, …, p−1} by

- g(s, t) = a^s b^t (mod p).

Reduction to discrete log: suppose a collision g(s, t) = g(u, v) can be found. Then a^s b^t = a^u b^v (mod p), so a^{s−u} = b^{v−t} (mod p). Let b = a^x (mod p). Then (s − u) = x(v − t) (mod p−1). But p − 1 = 2q, so we can solve for x, thus determining the discrete log of b.
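The reduction above, carried through on constructed toy parameters so that a collision can be found by exhaustive search and then turned into the discrete log of b. This is an added example, not from the lecture. It assumes p = 23, q = 11, a = 5 (a primitive root mod 23) and b = 17 = 5^7 mod 23, so the hidden exponent is x = 7; these values are far too small for any real use and exist only to make the algebra visible. The congruence (s − u) ≡ x(v − t) (mod p − 1) is solved by dividing out the gcd, which is at most 2q, and checking each candidate against a^x = b.

```python
from math import gcd

# Constructed toy parameters (not secure): p = 23, q = (p-1)/2 = 11,
# a = 5 is a primitive root mod 23, b = 17 = 5^7 mod 23, so log_a(b) = 7.
P, Q = 23, 11
A, B = 5, 17


def g(s: int, t: int, p: int = P, a: int = A, b: int = B) -> int:
    """Chaum-van Heijst-Pfitzmann compression: g(s, t) = a^s * b^t mod p."""
    return pow(a, s, p) * pow(b, t, p) % p


def find_collision(q: int = Q):
    """Exhaustive search over the slide's domain {1..q-1}^2 for g(s,t) = g(u,v)
    with (s,t) != (u,v). Feasible only because p is tiny."""
    seen = {}
    for s in range(1, q):
        for t in range(1, q):
            v = g(s, t)
            if v in seen:
                return seen[v], (s, t)
            seen[v] = (s, t)
    return None


def dlog_from_collision(pair1, pair2, p: int = P, a: int = A, b: int = B):
    """From g(s,t) = g(u,v): a^(s-u) = b^(v-t) = a^(x(v-t)), so
    (s-u) = x(v-t) mod (p-1). Solve the linear congruence; there are at most
    d = gcd(v-t, p-1) solutions, and p-1 = 2q keeps d in {1, 2, q, 2q}.
    Each candidate is confirmed with a^x == b."""
    (s, t), (u, v) = pair1, pair2
    m = p - 1
    rhs = (s - u) % m          # (s - u)
    coef = (v - t) % m         # coefficient of the unknown x
    d = gcd(coef, m)
    if rhs % d != 0:
        return None            # no solution (cannot happen for a genuine collision)
    m_red = m // d
    x0 = (rhs // d) * pow(coef // d, -1, m_red) % m_red
    for j in range(d):         # enumerate all d solutions modulo m
        x = x0 + j * m_red
        if pow(a, x, p) == b:
            return x
    return None


def recover_dlog() -> int:
    """Find a collision of g and convert it into log_a(b)."""
    pair1, pair2 = find_collision()
    return dlog_from_collision(pair1, pair2)
```

The point of the construction is the direction of the implication: anyone who can find collisions in g gets the discrete log of b for free, so as long as discrete logs mod p are hard, collisions in g must be hard too.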

## Merkle-Damgård Construction

[Figure: the compression function f is applied iteratively to the padded n-bit blocks, taking the chaining value H_{i−1} and producing the hash value. Graphic by Josh Benaloh.]

- Input: x = x_1 || … || x_t (the input is usually padded).
- H_0 = IV
- H_i = f(H_{i−1}, x_i)
- h(x) = g(H_t)

## Proofs about the compression function

Theorem: if g: {0,1}^m → {0,1}^n, then for a sequence of n-bit blocks x = x_1, x_2, …, x_t we can define a hash function h: {0,1}* → {0,1}^n by H_0 = c, H_{i+1} = g(H_i || x_i), with h(x) = H_t. h is collision resistant if g is.

- Proof: let x = x_1, x_2, …, x_t and x' = x'_1, x'_2, …, x'_{t'} be two strings with h(x) = h(x') and let H_i, H'_i be the intermediate values. Suppose there is an i t and again g is not collision resistant.

## Technique for CHs from Block Ciphers

Let the input be x = x_1 || x_2 || … || x_t, where each x_i is n bits long. Let g be a function taking an n-bit input to an m-bit output. Let E(k, x) be a block cipher with an m-bit key space and an n-bit block. Let H_0 = IV.

- Construction 1: H_i = E(g(H_{i−1}), x_i) ⊕ H_{i−1}
- Construction 2: H_i = E(x_i, H_{i−1}) ⊕ H_{i−1}
- Construction 3: H_i = E(g(H_{i−1}), x_i) ⊕ x_i ⊕ H_{i−1}

Note: because of collisions, n should be > 64. Ideally m = n and g = id. DES with n = 64 is too small; AES with n = m = 128 is better.

## DM/MMO constructions for block ciphers

[Figure: two block-cipher hash modes. Davies-Meyer (DM): the message block m_i is the key of E, H_{i−1} is encrypted and XORed forward to give H_i; attacks to consider are a differential attack on the construction C and a related-key attack on E. Matyas-Meyer-Oseas (MMO): H_{i−1} is the key of E, m_i is encrypted and XORed forward to give H_i; attacks to consider are a differential attack on C and a differential attack on E.]

## Nostradamus ("herding") attack

Let h be a Merkle-Damgård hash with compression function f and initial value IV. The goal is to be able to hash a prefix value (P) quickly by appending random suffixes (S). Procedure:

- Phase 1: pick k and generate K = 2^k random values d_{0,i}. From each pair of the values f(IV || d_{i,i+1}) find two messages M_{0,j}, M_{1,j} which collide under f; call this value d_{1,j}. This takes effort 2^{n/2} for each pair. Continue (colliding d_{i,j}, d_{i+1,j} under M_{i,j}, M_{i+1,j} to produce d_{i,j+1}) until you reach d_{K,0}. This is the diamond.
- Publish y = w(d_{K,0}), where w is the final transformation in the hash, as the hash (i.e. claim y = h(P || S)).

## Diamond structure

[Figure: the diamond. Leaves h(0,0) … h(0,7) are paired into h(1,0) … h(1,3), then into h(2,0), h(2,1), and finally h(3,0); the published hash is w(h(3,0)). The prefix P is connected to the diamond through one of the messages M_0 … M_7.]

## Nostradamus ("herding") attack (continued)

The cost of phase 1 is (2^k − 1)·2^{n/2}. In phase 2, guess S' and compute T = f(IV || P || S'). Keep guessing until T is one of the d_{i,j}. Once you get a collision, follow a path through the M_{i,j} to d_{K,0}. Append these M_{i,j} to P || S' and apply w to get the right hash. Total cost: W = 2^{n−k−1} + 2^{n/2+k/2} + k·2^{n/2+1}. k = (n−5)/3 is a good choice; for a 160-bit hash, k = 52.

## Multicollisions (Joux)

- The iterative construction is vulnerable to multi-collisions.
- Suppose M_1, M'_1; M_2, M'_2; …; M_t, M'_t all collide (each pair at its own chaining value). From these we get 2^t collisions.
- If r people each have one of N possible birthdays, there is a greater than 50% chance of a k-way collision if r > N^{(k−1)/k}.
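Joux's observation, demonstrated on a constructed toy iterated hash so the whole thing runs in well under a second. This is an added example, not code from the lecture. The "compression function" is SHA-256 truncated to a 16-bit chaining value (so each birthday search costs about 2^8 work), the blocks are 4-byte counters, and the iteration is the plain Merkle-Damgård chain from the earlier slide with no finalization. Finding t pairwise collisions in sequence yields 2^t distinct messages with one digest, for t times the cost of a single collision rather than the cost a random function would demand.

```python
import hashlib
from itertools import product

STATE_BYTES = 2          # constructed toy: 16-bit chaining value
IV = b"\x00" * STATE_BYTES


def compress(h: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 of (chaining value || block), truncated."""
    return hashlib.sha256(h + block).digest()[:STATE_BYTES]


def toy_md_hash(blocks, iv: bytes = IV) -> bytes:
    """Merkle-Damgard iteration H_i = f(H_{i-1}, x_i) over a list of blocks."""
    h = iv
    for blk in blocks:
        h = compress(h, blk)
    return h


def find_block_collision(h: bytes, counter_start: int):
    """Birthday search from chaining value h: two distinct 4-byte blocks with the
    same compress() output. Returns (block_a, block_b, common_output)."""
    seen = {}
    i = counter_start
    while True:
        blk = i.to_bytes(4, "big")
        v = compress(h, blk)
        if v in seen:
            return seen[v], blk, v
        seen[v] = blk
        i += 1


def joux_multicollision(t: int, iv: bytes = IV):
    """t sequential pairwise collisions -> 2^t messages sharing one digest.
    Each stage starts its counter in a fresh range so the pairs are distinct."""
    pairs = []
    h = iv
    for stage in range(t):
        b0, b1, h = find_block_collision(h, stage * 1_000_000)
        pairs.append((b0, b1))
    messages = [list(choice) for choice in product(*pairs)]
    return messages, h


def all_collide(messages, digest: bytes) -> bool:
    """True if every message is distinct and every one hashes to digest."""
    distinct = len({b"".join(m) for m in messages}) == len(messages)
    return distinct and all(toy_md_hash(m) == digest for m in messages)
```

The defensive reading is the one the slide draws: a 2^t-way collision costs only about t·2^{n/2} here, so cascading two iterated hashes (h_1 || h_2) does not buy the combined strength one might expect, and designs that need multicollision resistance use wide-pipe chaining values or a different mode entirely.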

## Random Oracle Model

- Let f be a OWF with trapdoor; (y_1, y_2) = (f(r), h(r) + m) is used as the encryption. For an adversary that makes i oracle requests, with L the list of queried values: Pr(guess right) = Pr(r ∈ L) + ½·Pr(r ∉ L). Set p = 1/2 + ε; then ε ≤ Pr(r ∈ L).
- Canetti, Goldreich and Halevi constructed a cryptosystem that is secure in the Random Oracle model but insecure for any concrete hash.

## A Cryptographic Hash: SHA-1

[Figure: SHA-1 overview. Picture from Wikipedia.]

## A Cryptographic Hash: SHA-1 (compression function)

[Figure: the SHA-1 compression function takes a 512-bit input and a 160-bit IV and produces a 160-bit output. Slide by Josh Benaloh.]

## A Cryptographic Hash: SHA-0/1

[Figure: SHA-0/1 round structure. Picture from Wikipedia.]

## A Cryptographic Hash: SHA-1 (round functions)

Depending on the round, the "non-linear" function f is one of the following:

- f(X,Y,Z) = (X ∧ Y) ∨ (¬X ∧ Z)
- f(X,Y,Z) = (X ∧ Y) ∨ (X ∧ Z) ∨ (Y ∧ Z)
- f(X,Y,Z) = X ⊕ Y ⊕ Z

## A Cryptographic Hash: SHA-1 (one step)

What's in the final 32-bit transform? Take the rightmost word. Add in the leftmost word rotated 5 bits. Add in a round-dependent function f of the middle three words. Add in a round-dependent constant. Add in a portion of the 512-bit message.

## SHA-0

```
A = 0x67452301, B = 0xefcdab89, C = 0x98badcfe, D = 0x10325476, E = 0xc3d2e1f0

F_t(X,Y,Z) = (X ∧ Y) ∨ (¬X ∧ Z),            t = 0,…,19
F_t(X,Y,Z) = X ⊕ Y ⊕ Z,                     t = 20,…,39
F_t(X,Y,Z) = (X ∧ Y) ∨ (X ∧ Z) ∨ (Y ∧ Z),   t = 40,…,59
F_t(X,Y,Z) = X ⊕ Y ⊕ Z,                     t = 60,…,79

K_t = 0x5a827999, t = 0,…,19;    K_t = 0x6ed9eba1, t = 20,…,39
K_t = 0x8f1bbcdc, t = 40,…,59;   K_t = 0xca62c1d6, t = 60,…,79

Do until no more input blocks {
  If last input block: pad to 512 bits by adding a 1, then 0s, then the 64-bit length.
  M_i = input block word i (32 bits), i = 0,…,15
  W_t = M_t, t = 0,…,15;  W_t = W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}, t = 16,…,79
  a = A; b = B; c = C; d = D; e = E;
  for (t = 0 to 79) {
    x = (a <<< 5) + F_t(b,c,d) + e + W_t + K_t
    e = d; d = c; c = b <<< 30; b = a; a = x;
  }
  A += a; B += b; C += c; D += d; E += e;
}
```

The absence of the <<<1 rotation in the message expansion is the only difference between SHA-0 and SHA-1.

## SHA-1

```
A = 0x67452301, B = 0xefcdab89, C = 0x98badcfe, D = 0x10325476, E = 0xc3d2e1f0

F_t(X,Y,Z) = (X ∧ Y) ∨ (¬X ∧ Z),            t = 0,…,19
F_t(X,Y,Z) = X ⊕ Y ⊕ Z,                     t = 20,…,39
F_t(X,Y,Z) = (X ∧ Y) ∨ (X ∧ Z) ∨ (Y ∧ Z),   t = 40,…,59
F_t(X,Y,Z) = X ⊕ Y ⊕ Z,                     t = 60,…,79

K_t = 0x5a827999, t = 0,…,19;    K_t = 0x6ed9eba1, t = 20,…,39
K_t = 0x8f1bbcdc, t = 40,…,59;   K_t = 0xca62c1d6, t = 60,…,79

Do until no more input blocks {
  If last input block: pad to 512 bits by adding a 1, then 0s, then the 64-bit length.
  M_i = input block word i (32 bits), i = 0,…,15
  // Message expansion:
  W_t = M_t, t = 0,…,15;  W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) <<< 1, t = 16,…,79
  a = A; b = B; c = C; d = D; e = E;
  for (t = 0 to 79) {
    x = (a <<< 5) + F_t(b,c,d) + e + W_t + K_t
    e = d; d = c; c = b <<< 30; b = a; a = x;
  }
  A += a; B += b; C += c; D += d; E += e;
}
```
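The two pseudocode slides above turned into running code. This is an added example written for this page, not the lecture's own code: one implementation serves both SHA-0 and SHA-1, with a single flag selecting whether the message expansion applies the <<<1 rotation, so the reader can see that this really is the only difference. Padding follows the slide's rule (a 1 bit, zeros, then the 64-bit big-endian length), and the SHA-1 path is checked against `hashlib`.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # K_t, one per 20 rounds


def rotl(x: int, n: int) -> int:
    """32-bit left rotation (the slide's <<< operator)."""
    return ((x << n) | (x >> (32 - n))) & MASK


def f_t(t: int, x: int, y: int, z: int) -> int:
    """Round-dependent non-linear function F_t: IF, XOR, MAJ, XOR."""
    if t < 20:
        return (x & y) | (~x & z)
    if t < 40 or t >= 60:
        return x ^ y ^ z
    return (x & y) | (x & z) | (y & z)


def pad(msg: bytes) -> bytes:
    """Append a 1 bit, zeros, then the 64-bit big-endian bit length (total a multiple of 64 bytes)."""
    bit_len = len(msg) * 8
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def expand(block: bytes, rotate: bool) -> list:
    """Message expansion W_t = W_{t-3} ^ W_{t-8} ^ W_{t-14} ^ W_{t-16};
    SHA-1 rotates the result left by 1, SHA-0 does not."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
        w.append(rotl(x, 1) if rotate else x)
    return w


def compress(state: tuple, block: bytes, rotate: bool) -> tuple:
    """80 rounds over one 512-bit block, then the slide's A += a; ... feed-forward."""
    w = expand(block, rotate)
    a, b, c, d, e = state
    for t in range(80):
        x = (rotl(a, 5) + f_t(t, b, c, d) + e + w[t] + K[t // 20]) & MASK
        a, b, c, d, e = x, a, rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def digest(msg: bytes, sha1: bool = True) -> bytes:
    """Full hash: pad, then iterate compress over 64-byte blocks (SHA-1 if sha1, else SHA-0)."""
    data = pad(msg)
    state = IV
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64], sha1)
    return struct.pack(">5I", *state)


def sha1_hex(msg: bytes) -> str:
    return digest(msg, True).hex()


def sha0_hex(msg: bytes) -> str:
    return digest(msg, False).hex()


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check the SHA-1 path against the standard library."""
    return sha1_hex(msg) == hashlib.sha1(msg).hexdigest()
```

Flipping `rotate` changes every digest, which is the whole story of SHA-0 versus SHA-1: the rotation is what spreads a one-bit message difference across bit positions in the expanded words, and the SHA-0 attacks discussed later in the lecture depend on its absence.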

## MD4 and Dobbertin

- Invented by Rivest, ca. 1990.
- Weaknesses found by 1992; Rivest proposed an improved version (MD5), 1992.
- Dobbertin found the first MD4 collision in 1998: a clever and efficient attack using nonlinear equation solving and differentials.

Slide by Mark Stamp.

## MD4 Algorithm

- After padding, the message is a multiple of the 512-bit block size (and also a multiple of the 32-bit word size).
- Let N be the number of 32-bit words; the message is M = (Y_0, Y_1, …, Y_{N−1}), each Y_i a 32-bit word.
- Little-endian convention: the leftmost byte is low-order (relevant when generating "meaningful" collisions).
- Pad M so the length is 448 (mod 512): a single "1" bit followed by "0" bits; at least one bit of padding, at most 512; the length before padding (64 bits) is appended.

Slide by Mark Stamp.

## MD4 Algorithm (round functions)

For 32-bit words A, B, C define

- F(A,B,C) = (A ∧ B) ∨ (¬A ∧ C)
- G(A,B,C) = (A ∧ B) ∨ (A ∧ C) ∨ (B ∧ C)
- H(A,B,C) = A ⊕ B ⊕ C

where ∧, ∨, ¬, ⊕ are AND, OR, NOT, XOR. Define constants K_0 = 0x00000000, K_1 = 0x5a827999, K_2 = 0x6ed9eba1. Let W_i, i = 0, 1, …, 47 be the (permuted) inputs Y_j.

Slide by Mark Stamp.

## MD4 Algorithm (steps)

[Figure: the MD4 step sequence (slide image).]

## MD4 Algorithm (rounds)

- Round 0: steps 0 thru 15, uses the F function
- Round 1: steps 16 thru 31, uses the G function
- Round 2: steps 32 thru 47, uses the H function

Slide by Mark Stamp.

## MD4: One Step

[Figure: one MD4 step and the definitions of its terms (slide image). Slide by Mark Stamp.]

## Dobbertin's attack strategy

- Specify a differential condition; if the condition holds, a collision occurs with some probability.
- Derive a system of nonlinear equations whose solution satisfies the differential condition.
- Find an efficient method to solve the equations.
- Find enough solutions to yield a collision.
- Find a one-block collision, where M = (X_0, X_1, …, X_15) and M' = (X'_0, X'_1, …, X'_15). The difference is subtraction mod 2^32. The blocks differ in only one word, and the difference in that word is exactly 1.
- This limits the avalanche effect to steps 12 thru 19: only 8 of the 48 steps are critical to the attack, and the system of equations applies to these 8 steps.

Slide by Mark Stamp.

## Notation

- Suppose (Q_j, Q_{j−1}, Q_{j−2}, Q_{j−3}) = MD4_{0…j}(IV, M) and (Q'_j, Q'_{j−1}, Q'_{j−2}, Q'_{j−3}) = MD4_{0…j}(IV, M').
- Define Δ_j = (Q'_j − Q_j, Q'_{j−1} − Q_{j−1}, Q'_{j−2} − Q_{j−2}, Q'_{j−3} − Q_{j−3}), where subtraction is modulo 2^32.
- Let ±2^n denote ±2^n mod 2^32: 2^25 = 0x02000000 and −2^5 = 0xffffffe0.
- All arithmetic is modulo 2^32.

## Strategy

- Try to find a one-block collision.
- Denote M = (X_0, X_1, …, X_15). Define M' by X'_i = X_i for i ≠ 12 and X'_12 = X_12 + 1.
- Word X_12 last appears in steps 12, 19, 35; this provides a "natural" division of the attack strategy.
- We are free to choose X_0, X_1, …, X_11 at our convenience.
- The goal is to find a pair M and M' with Δ_35 = 0: if Δ_35 = (0,0,0,0) we have a collision.

Slide by Mark Stamp.

## MD4 Attack

Analyze the attack in three phases:

1. Show that Δ_19 = (2^25, −2^5, 0, 0) implies a probability of at least 1/2^30 that the Δ_35 condition holds (uses differential cryptanalysis).
2. "Back up" to step 12: we can start at step 12 and have the Δ_19 condition hold, by solving a system of nonlinear equations.
3. "Back up" to step 0 and find the collision.

- In each phase of the attack, some words of M are determined.
- When completed, we have M and M' where M ≠ M' but h(M) = h(M').
- The equation-solving step is the tricky part: a nonlinear system of equations that must be solved efficiently.

Slide by Mark Stamp.

## Steps 19 to 35

Differential phase of the attack:

- Suppose M and M' are as given above (they only differ in word 12).
- Assume that Δ_19 = (2^25, −2^5, 0, 0) and G(Q'_19, Q'_18, Q_17) = G(Q_19, Q_18, Q_17).
- Then we compute the probabilities of the "Δ" conditions at steps 19 thru 35.

Slide by Mark Stamp.

## Steps 19 thru 35

For example, consider Δ_35. Suppose the j = 34 row holds: then Δ_34 = (0,0,0,1), and [the step equation shown on the slide] implies Δ_35 = (0,0,0,0) with probability 1, as summarized in the j = 35 row of the table.

Slide by Mark Stamp.

## Steps 12 to 19

- Analyze steps 12 to 19 and find conditions that ensure Δ_19 = (2^25, −2^5, 0, 0) and G(Q'_19, Q'_18, Q_17) = G(Q_19, Q_18, Q_17), as required in the differential phase.
- Steps 12 to 19 are the equation-solving phase. This is the most complex part of the attack.
- The last phase, steps 0 to 11, is easy.

Slide by Mark Stamp.

## Steps 12 to 19 (conditions)

To apply the differential phase we must have Δ_19 = (2^25, −2^5, 0, 0), which states that

- Q'_19 = Q_19 + 2^25
- Q'_18 + 2^5 = Q_18
- Q'_17 = Q_17
- Q'_16 = Q_16

Derive equations for steps 12 to 19. At step 12 we have Q_12 = (Q_8 + F(Q_11, Q_10, Q_9) + X_12) <<< 3. Since X'_12 = X_12 + 1 and (Q'_8, Q'_9, Q'_10, Q'_11) = (Q_8, Q_9, Q_10, Q_11), (Q'_12 <<< 29) − (Q_12 <<< 29) = 1.

Slide by Mark Stamp.

## Steps 12 to 19 (system of equations)

Similar analysis for the remaining steps yields a system of equations: [system shown on the slide image].

Slide by Mark Stamp.

## Steps 12 to 19 (solving)

- To solve this system we must find [values shown on the slide] so that all equations hold. Since there are 14 variables and 8 equations, we have wiggle room.
- Given such a solution, we determine X_j for j = 13, 14, 15, 0, 4, 8, 12 so that we begin at step 12 and arrive at step 19 with the Δ_19 condition satisfied.
- This phase reduces to solving a (nonlinear) system of equations. We can manipulate the equations so that we choose (Q_14, Q_15, Q_16, Q_17, Q_18, Q_19) arbitrarily, which determines (Q_10, Q_13, Q'_13, Q'_14, Q'_15).
- The result is 3 equations that must be satisfied (next slide).

Slide by Mark Stamp.

## Solving equations for 12 to 19

Using this we can solve for seven message words:

- X_13 = anything
- X_14 = (Q_14 <<< 21) − Q_10 − F(Q_13, Q_12, Q_11)
- X_15 = (Q_15 <<< 21) − Q_11 − F(Q_14, Q_13, Q_12)
- X_0 = (Q_16 <<< 21) − Q_12 − G(Q_15, Q_14, Q_13) − K_1
- X_4 = (Q_17 <<< 21) − Q_13 − G(Q_16, Q_15, Q_14) − K_1
- X_8 = (Q_18 <<< 21) − Q_14 − G(Q_17, Q_16, Q_15) − K_1
- X_12 = (Q_19 <<< 21) − Q_15 − G(Q_18, Q_17, Q_16) − K_1

## Solving equations for 12 to 19 (continued)

Choose Q_12 = −1, Q'_12 = 0, Q_11 = 0. Then

- Q'_15 = Q_15 − G(Q'_18, Q_17, Q_16) + G(Q_18, Q_17, Q_16) + (Q'_19 <<< 19) − (Q_19 <<< 19) − 1
- Q'_14 = Q_14 − G(Q'_18, Q_17, Q_16) + G(Q_18, Q_17, Q_16) + (Q'_18 <<< 23) − (Q_19 <<< 23)
- Q_13 = (Q_14 <<< 21) − (Q'_14 <<< 21)
- Q'_13 = Q_13 − G(Q_16, Q'_15, Q'_14) + G(Q_16, Q_15, Q_14)
- Q_10 = (Q'_13 <<< 25) − (Q_13 <<< 25)
- F(Q'_18, Q_17, Q_16) − F(Q_18, Q_17, Q_16) = (Q'_15 <<< 13) − (Q_15 <<< 13)
- G(Q'_18, Q_17, Q_16) − G(Q_18, Q_17, Q_16) = Q_12 − Q'_11

Choose Q_14, …, Q_19 arbitrarily and solve for Q_10, Q_13, Q'_13, Q'_14, Q'_15:

- G(Q_15, Q_14, Q_13) − G(Q'_15, Q'_14, Q'_13) = 1
- F(Q'_14, Q'_13, 0) − F(Q_14, Q_13, −1) = 0
- G(Q'_19, Q'_18, Q_17) = G(Q_19, Q_18, Q_17)

## Steps 12 to 19 (three conditions)

- Three conditions must be satisfied: the first two are "check" equations, the third is the "admissible" condition.
- Naïve algorithm: choose six Q_j, which yields five Q_j, Q'_j; repeat until the 3 equations are satisfied.
- How much work is this?

Slide by Mark Stamp.

## Continuous Approximation

- Each equation holds with probability 1/2^32, so it appears that 2^96 iterations are required (three 32-bit check equations). But a birthday attack on MD4 is only 2^64 work!
- Solution: a "continuous approximation". Make small changes and converge to a solution.

Slide by Mark Stamp.

## Continuous Approximation (continued)

- Generate random Q_i values until the first check equation is satisfied.
- Make random one-bit modifications to the Q_i. Save the modification if the 1st check equation still holds and the 2nd check equation is "closer" to holding; else try different random modifications.
- The modifications converge to a solution with both check equations satisfied.
- Repeat until the admissible condition holds.

Slide by Mark Stamp.

## Steps 0 to 11

- At this point we have (Q_8, Q_9, Q_10, Q_11) and MD4_{12…47}(Q_8, Q_9, Q_10, Q_11, X) = MD4_{12…47}(Q_8, Q_9, Q_10, Q_11, X').
- To finish, we must have MD4_{0…11}(IV, X) = MD4_{0…11}(IV, X') = (Q_8, Q_9, Q_10, Q_11).
- Recall that X_12 is the only difference between M and M', and X_12 first appears in step 12.
- We have already found X_j for j = 0, 4, 8, 12, 13, 14, 15, and are free to choose X_j for j = 1, 2, 3, 5, 6, 7, 9, 10, 11, so the MD4_{0…11} equation holds easily!

Slide by Mark Stamp.

## All Together Now

The attack proceeds as follows:

1. Steps 12 to 19: find (Q_8, Q_9, Q_10, Q_11) and X_j for j = 0, 4, 8, 12, 13, 14, 15.
2. Steps 0 to 11: find X_j for the remaining j.
3. Steps 19 to 35: check Δ_35 = (0,0,0,0). If so, we have found a collision! If not, go to 2.

Slide by Mark Stamp.

## Meaningful Collision

[Figure: two different contracts with the same hash value. Slide by Mark Stamp.]

## SHA-0 Strategy (Chabaud and Joux)

The basic idea is to look for small differences that can be tracked through the rounds, as in differential cryptanalysis. Consider three approximations to the SHA-0 compression function:

- SHI-1: use XOR instead of addition, and make f^{(i)} linear.
- SHI-2: use XOR instead of addition, but restore f^{(i)} to its original values.
- SHI-3: restore addition, and make f^{(i)} linear.

## SHI-1 Finding Collisions

Assume the W^{(i)} are unrelated and follow the progress of a change to W_1.

[Table, partially recovered from the slide: columns A, B, C, D, E by round. Round 1: A = W_1 + ROL5(A) + f(B,C,D) + E + K, B = A, C = ROL30(B), D = C, E = D. Round 2: W_2 + …. Round 3: ROL30(−). Round 5: ROL30(W_1 + ROL5(A) + f(B,C,D) + E + K). Round 6: W_6 + … fixes the W_1 perturbation.]

## SHI-1 Error Propagation in Hash

[Table from the slide: a perturbation on bit 1 of W^{(i)} and the corrections defining the masks. Message words: W_1^{(i)}, W_6^{(i+1)}, W_1^{(i+2)}, W_31^{(i+3)}, W_31^{(i+4)}, W_31^{(i+5)}. State: A^{(i)} becomes A_1^{(i)}, then A^{(i+1)} … A^{(i+5)} unchanged; B^{(i)} → B_31^{(i+1)} → B^{(i+5)}; C^{(i)} → C_31^{(i+2)} → C^{(i+5)}; D^{(i)} → D_31^{(i+3)} → D^{(i+5)}; E^{(i)} → E_31^{(i+4)} → E^{(i+5)}.]

## SHI-1 Restoring Expansion

Flip bit 1 of W_1. This modifies A in round "0", resulting, potentially, in different (A, B, C, D, E) in round 6. By following the linear process we can determine bits in W_1, …, W_6 which, when flipped, produce the same (A, B, C, D, E) in round 6. Let M^{(i)} be 0 in all positions that are unchanged in round i and 1 where bits are flipped to restore the result in round 6. This is called a local collision. This is easy to do, as we've seen, if there is no expansion.

Question: if there is expansion, what successful masks are preserved by expansion if bits are flipped in W^{(1)}?

Answer: M^{(i)} = M^{(i−3)} ⊕ M^{(i−8)} ⊕ M^{(i−14)} ⊕ M^{(i−16)}, 10

## SHI-2

Restore f^{(i)} and note that rounds 0-19 and 40-59 are no longer XORs. When does f^{(i)} behave like an XOR for IF and MAJ? Again the action on each of the 32 bits is independent.

| Round | Name | f^{(i)}(X,Y,Z) | K^{(i)} |
|-------|------|----------------|---------|
| 0-19 | IF | (X ∧ Y) ∨ (¬X ∧ Z) | 0x5a827999 |
| 20-39 | XOR | X ⊕ Y ⊕ Z | 0x6ed9eba1 |
| 40-59 | MAJ | (X ∧ Y) ∨ (X ∧ Z) ∨ (Y ∧ Z) | 0x8f1bbcdc |
| 60-79 | XOR | X ⊕ Y ⊕ Z | 0xca62c1d6 |

## SHI-2 Finding Collisions

What inputs make IF and MAJ act like XOR?

- B'^{(i)} = B^{(i)}, C'^{(i)} = C^{(i)}, D'^{(i)} = D^{(i)}
- A single bit change in B^{(i)}, e.g. B^{(i)} ⊕ 2^1.
- A single bit change in bit 31 of C^{(i)} or D^{(i)}, e.g. C^{(i)} ⊕ 2^31 or D^{(i)} ⊕ 2^31 or both.

The mask becomes probabilistic: we can find a pattern that has probability p = 2^{−24} from these. Must check that every perturbation has the foregoing effect: 2, 6, 14, 16, 17, 18, 19, 21, 22, 26, 27, 28, 35, 37, 41, 45, 48, 51, 54, 55, 56, 58, 59, 62, 63, 68, 69, 70, 71, 72. Perturbations in positions 2, 6 occur with p = 2^{−6}. Try many W^{(15)}.

Collision: 1a6191b0 3c4a331c 1f228ea2 403b760904 062ec496 48611ca8 583401bc 399879d04d9 2270fdbd 2a8090f0 4b12fd98 473cc7a1acc 002831a9 50fe1535 61ac0d3d f26700ecfa

## SHI-3

Change the XOR back to addition and f back to linear. A perturbation in bit 1 of W^{(i)} leads to corrections in W_31^{(i+3)}, W_31^{(i+4)}, W_31^{(i+5)}. To prevent carries, non-linear constraints must hold on W_1^{(i)}, W_6^{(i+1)}, W_1^{(i+2)}, so we fix these.

Collision: 53c29e14 44fe051b 4a8ce882 576e194391 0c0abc30 3806260d 76cbeb2f 1b8379a88bfe 0da433ac 6337b011 1041e2a9 20b44364e596 1a3f8b70 0e7a4620 25e81245 289acb2b9382aa9

## SHA-0

- Perturbations must be inserted without carry.
- The case in SHI-2 where bit 31 in both C and D flips doesn't work.
- This yields two good patterns with probability 2^{−69}. A trick to suppress perturbations in rounds 16 and 17 reduces the probability to 2^{−61}.
- The probability of finding one is 2^{−22} using the basic 2^{−14} collision.

Partial collision (35 rounds): 78fb1285 77a2dc84 4035a90b b61f0b39 97 4a4d1c83 186e8429 74326988 7f220f7919fa7 a08e7920 16a3e469 2ed4213d 4a75b90429ac 38bef788 2274a40c 4c14e934 cee12cec6a

None of this works in SHA-1 because of the interleaved bits.

## SHA-0 Finding Collisions

- Change the XOR back to addition.
- The probability of finding one is 2^{−22} using the basic 2^{−14} collision.

Partial collision (35 rounds): 78fb1285 77a2dc84 4035a90b b61f0b39 97 4a4d1c83 186e8429 74326988 7f220f7919fa7 a08e7920 16a3e469 2ed4213d 4a75b90429ac 38bef788 2274a40c 4c14e934 cee12cec6a

## SHA-0 Collisions: Comments

- Message expansion: W_{i−3} ⊕ W_{i−8} ⊕ W_{i−14} ⊕ W_{i−16} means any round can be determined from any 16 consecutive rounds of message expansion. The expanded rounds (all 80) can be represented using a linear transformation A on 512 bits: (w, Aw, A^2 w, A^3 w, A^4 w)^T.
- When the round functions are linearized, a change in bit j of word W_i can be "corrected" by changes in bits j+6, j, j+30, j+30, j+30 in rounds i+1, i+2, i+3, i+4 and i+5.
- When the round functions are replaced by their non-linear versions, a change in bit 1 can be corrected by the same pattern with probability between 2^{−2} and 2^{−5}. If the change is made to position j ≠ 1, the probability of correction is reduced by 2^{−3}.
- For SHA-1, because of the rotation, a one-bit change propagates to 107 bits in the expansion.

## SHA-0: Biham and Chen

- Introduces "disturbance vectors": a collision occurs when the last 5 vectors are 0.
- Full collision on 65 rounds; 82-round SHA-0 is weaker than 80-round.
- Neutral bits: bit i is neutral if the disturbance pattern is unchanged when bit i is complemented. 2-neutral set; size k(r) of the maximal 2-neutral set.

## Other Cryptographic Hashes and Performance

| Hash Name | Block Size | Relative Speed |
|-----------|------------|----------------|
| MD4 | 128 | 1 |
| MD5 | 128 | .68 |
| RIPEMD-128 | 128 | .39 |
| SHA-1 | 160 | .28 |
| RIPEMD-160 | 160 | .24 |

## Padding

Standard technique:

- Let the last message block have k bits. If k = n, make a new block and set k = 0.
- Append a 1 to the last block, leaving r = n − k − 1 remaining bits in the block.
- If r ≥ 64, append r − 64 0s, then append the bit length of the input expressed as a 64-bit unsigned integer.
- If r < 64, append n − r 0s (to fill out the block), append n − 64 0s at the beginning of the next block, then append the bit length of the input expressed as a 64-bit unsigned integer.
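The padding rule above as code, with the two cases (r ≥ 64 and r < 64) handled explicitly so the block-boundary behaviour can be checked. This is an added example, not part of the lecture; it assumes n = 512 and byte-aligned messages (so k is a multiple of 8 and the single 1 bit is carried in a 0x80 byte), and the length is written big-endian as SHA-1/SHA-2 do.

```python
import struct

BLOCK_BITS = 512


def pad_message(msg: bytes, n: int = BLOCK_BITS) -> bytes:
    """Apply the slide's rule: a 1 bit, zeros, then the 64-bit length.
    When fewer than 64 bits remain after the 1, the length spills into a new block."""
    n_bytes = n // 8
    bit_len = len(msg) * 8
    k = (len(msg) % n_bytes) * 8      # bits already in the last block; 0 covers the k == n case
    r = n - k - 1                     # bits remaining after the appended 1
    if r >= 64:
        zero_bits = r - 64            # length fits in this block
    else:
        zero_bits = r + (n - 64)      # fill this block, then n-64 zeros of the next block
    out = msg + b"\x80"               # the 1 bit plus seven of the zero bits
    out += b"\x00" * ((zero_bits - 7) // 8)
    return out + struct.pack(">Q", bit_len)


def block_count(msg: bytes) -> int:
    """Number of 512-bit blocks the padded message occupies."""
    return len(pad_message(msg)) // (BLOCK_BITS // 8)


def well_formed(msg: bytes) -> bool:
    """Invariants: whole blocks, 0x80 right after the message, length in the last 8 bytes."""
    p = pad_message(msg)
    return (len(p) % 64 == 0
            and p[len(msg)] == 0x80
            and struct.unpack(">Q", p[-8:])[0] == len(msg) * 8
            and all(b == 0 for b in p[len(msg) + 1:-8]))
```

A 55-byte message still fits in one block (r = 71 ≥ 64), a 56-byte message does not (r = 63), and a 64-byte message is the k = n case that always opens a fresh block; the off-by-one between 55 and 56 bytes is exactly the boundary the two cases of the rule exist for.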

## Winnowing and Chaffing (Rivest)

- Want to send 1001. Pick a random stream (m_i) and embed the message at positions (say) 3, 7, 8, 14.
- MAC each packet (m, m_i). Make sure the MAC is correct only in the message positions.

## Lai-Massey

Assume the padding contains the length of the input string and that the input to the CH function h is at least two blocks long. Finding a 2nd pre-image for h with fixed IV requires 2^n operations iff finding a 2nd pre-image for the compression function f with arbitrarily chosen H_{i−1} requires 2^n operations, where n is the number of bits of h's output.

## Breaking news on Hashes

- Don't use MD4 or you'll look really, really silly.
- Don't use MD5.
- Don't use RIPEMD-128.
- SHA-1 appears to have collision attacks of the order 2^61.
- Use the SHA-2 functions: truncate to provide legacy compatibility if you have to (i.e. gun to head); required by the "Suite B" standards.

## Message Expansion

The process of expanding from sixteen 32-bit words to eighty 32-bit words in the compression function is called message expansion:

- MD5: permutations
- SHA-0: linear code (LFSR)
- SHA-1: linear code with rotation

It has a profound effect on the possible disturbance vectors in differential attacks, and is being studied to provide greater protection: replace XOR with modular addition to prevent codeword difference propagation; conditions on chaining variables for a local collision (probability between 2^{−39} and 2^{−42}).
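The difference between the SHA-0 and SHA-1 expansions, as discussed here and in the "SHA-0 Collisions: Comments" slide above, measured directly. This is an added example, not from the lecture. Because both expansions are linear over GF(2), the expanded difference caused by flipping one message bit is independent of the message, so it can be computed by expanding the unit vector alone. The code reports the minimum Hamming weight of the expanded difference over all 512 single-bit positions for each variant (so the slide's figure of 107 bits for SHA-1 can be checked), and verifies two structural facts: without rotation the difference never leaves its original bit column, and with rotation it is never lighter than without, since SHA-0 can only cancel terms that SHA-1 would also cancel.

```python
MASK = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def expand(words, rotate: bool) -> list:
    """W_t = W_{t-3} ^ W_{t-8} ^ W_{t-14} ^ W_{t-16}, rotated left by 1 for SHA-1 only."""
    w = list(words)
    for t in range(16, 80):
        x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
        w.append(rotl(x, 1) if rotate else x)
    return w


def expanded_difference(word_index: int, bit: int, rotate: bool) -> list:
    """Expanded 80-word difference for a single flipped message bit.
    By linearity this is just the expansion of the unit vector."""
    unit = [0] * 16
    unit[word_index] = 1 << bit
    return expand(unit, rotate)


def weight(diff) -> int:
    """Total number of differing bits across all 80 expanded words."""
    return sum(bin(x).count("1") for x in diff)


def columns_touched(diff) -> set:
    """Bit positions that differ in at least one expanded word."""
    return {j for x in diff for j in range(32) if (x >> j) & 1}


def min_weights() -> tuple:
    """(SHA-0 minimum, SHA-1 minimum) of the expanded-difference weight over all 512 positions."""
    w0 = min(weight(expanded_difference(i, j, False)) for i in range(16) for j in range(32))
    w1 = min(weight(expanded_difference(i, j, True)) for i in range(16) for j in range(32))
    return w0, w1


def sha1_never_lighter() -> bool:
    """For every single-bit position, SHA-1's expanded difference weighs at least SHA-0's."""
    return all(weight(expanded_difference(i, j, True)) >= weight(expanded_difference(i, j, False))
               for i in range(16) for j in range(32))
```

The low-weight, single-column SHA-0 differences are what make the local-collision masks of the Chabaud-Joux analysis line up round after round; once the rotation spreads the difference across columns, the same masks no longer apply, which is the "interleaved bits" remark on the SHA-0 slide.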

## SHA-2

- FIPS 180-2, 8/02: defines SHA-256, SHA-384, SHA-512. SHA-224 (truncated) was added 2/04.
- Great increase in mixing between bits of the words compared to SHA-1.
- US Patent 6,829,355; inventor: Glenn Lilly; assignee: NSA.
- Source can be obtained from http://en.wikipedia.org/wiki/SHA-2

## SHA-256

```
// Initialize variables
// (first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19):
h0 := 0x6a09e667, h1 := 0xbb67ae85, h2 := 0x3c6ef372, h3 := 0xa54ff53a
h4 := 0x510e527f, h5 := 0x9b05688c, h6 := 0x1f83d9ab, h7 := 0x5be0cd19

// Initialize table of round constants
// (first 32 bits of the fractional parts of the cube roots of the first 64 primes 2..311):
k(0..63) :=
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
```

## SHA-256 (pre-processing and message schedule)

```
// Pre-processing:
append a single "1" bit to the message
append "0" bits until the message length ≡ 448 ≡ −64 (mod 512)
append the length of the message (before pre-processing), in bits, as a 64-bit big-endian integer

// Process the message in successive 512-bit chunks:
break the message into 512-bit chunks
for each chunk
  break the chunk into sixteen 32-bit big-endian words w(i), 0 ≤ i ≤ 15
  // Extend the sixteen 32-bit words into sixty-four 32-bit words:
  for i from 16 to 63
    s0 := (w(i-15) >>> 7) ⊕ (w(i-15) >>> 18) ⊕ (w(i-15) >> 3)
    s1 := (w(i-2) >>> 17) ⊕ (w(i-2) >>> 19) ⊕ (w(i-2) >> 10)
    w(i) := w(i-16) + s0 + w(i-7) + s1
  // Initialize the hash value for this chunk:
  a := h0, b := h1, c := h2, d := h3, e := h4, f := h5, g := h6, h := h7
```

Here >>> is rotate right and >> is shift right.

## SHA-256 (main loop)

```
  // Main loop:
  for 0 ≤ i ≤ 63
    s0 := (a >>> 2) ⊕ (a >>> 13) ⊕ (a >>> 22)
    maj := (a ∧ b) ∨ (b ∧ c) ∨ (c ∧ a)
    t0 := s0 + maj
    s1 := (e >>> 6) ⊕ (e >>> 11) ⊕ (e >>> 25)
    ch := (e ∧ f) ∨ (¬e ∧ g)
    t1 := h + s1 + ch + k(i) + w(i)
    h := g, g := f, f := e, e := d + t1, d := c, c := b, b := a, a := t0 + t1
  // Add this chunk's hash to the result so far:
  h0 := h0 + a, h1 := h1 + b, h2 := h2 + c, h3 := h3 + d
  h4 := h4 + e, h5 := h5 + f, h6 := h6 + g, h7 := h7 + h

// Output the final hash value (big-endian):
digest = hash = h0 || h1 || h2 || h3 || h4 || h5 || h6 || h7
```
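The three SHA-256 slides above as a single runnable implementation. This is an added example written for this page, not the lecture's or FIPS 180-2's own code; it uses the initial values and round constants listed on the constants slide, follows the pre-processing, schedule and main loop exactly as written, and checks itself against `hashlib`. All additions are taken modulo 2^32 with an explicit mask, which the pseudocode leaves implicit.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

# h0..h7 and k(0..63) as listed on the constants slide.
H_INIT = (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
          0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19)
K = (
    0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
    0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
    0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
    0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
    0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
    0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
    0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
    0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
)


def rotr(x: int, n: int) -> int:
    """32-bit rotate right (the slide's >>> operator)."""
    return ((x >> n) | (x << (32 - n))) & MASK


def pad(msg: bytes) -> bytes:
    """Pre-processing: a 1 bit, zeros to 448 mod 512, then the 64-bit big-endian bit length."""
    bit_len = len(msg) * 8
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def schedule(chunk: bytes) -> list:
    """Extend sixteen big-endian words w(0..15) to w(0..63)."""
    w = list(struct.unpack(">16I", chunk))
    for i in range(16, 64):
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    return w


def compress(state: tuple, chunk: bytes) -> tuple:
    """The main loop over one 512-bit chunk, then the feed-forward h0 += a, ..."""
    w = schedule(chunk)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        s0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
        maj = (a & b) | (b & c) | (c & a)
        t0 = (s0 + maj) & MASK
        s1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
        ch = (e & f) | (~e & g)
        t1 = (h + s1 + ch + K[i] + w[i]) & MASK
        h, g, f, e = g, f, e, (d + t1) & MASK
        d, c, b, a = c, b, a, (t0 + t1) & MASK
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e, f, g, h)))


def sha256(msg: bytes) -> bytes:
    """Full SHA-256: pad, iterate compress, output h0 || ... || h7 big-endian."""
    data = pad(msg)
    state = H_INIT
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return struct.pack(">8I", *state)


def sha256_hex(msg: bytes) -> str:
    return sha256(msg).hex()


def matches_hashlib(msg: bytes) -> bool:
    return sha256_hex(msg) == hashlib.sha256(msg).hexdigest()
```

Compared with the SHA-1 step, every round here mixes the state through two rotation-based functions (on a and on e) in addition to ch and maj, which is the "great increase in mixing between bits of the words" the SHA-2 slide refers to.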

## Chinese Attack-1

Find M, M' with H(M) = H(M'). Select the message difference M' = M ⊕ ΔM. Differential path: b'_i = b_i ⊕ Δb_i. For MD5: H_i = f(H_{i−1}, M_i), 0 ≤ i < 16, where f: (a, b, c, d, w_i, w_{i+1}, w_{i+2}, w_{i+3}) is computed as follows: a = b + ((a + ψ_i(b,c,d) + w_i + t_i) <<

## Chinese Attack-2

- ψ_i(X,Y,Z) = (X ∨ Y) ∧ (¬X ∨ Z), 0 ≤ i ≤ 15
- ψ_i(X,Y,Z) = (X ∨ Z) ∧ (Y ∨ ¬Z), 16 ≤ i ≤ 31
- ψ_i(X,Y,Z) = X ⊕ Y ⊕ Z, 32 ≤ i ≤ 47
- ψ_i(X,Y,Z) = Y ⊕ (X ∨ ¬Z), 48 ≤ i ≤ 63

w_i is the expanded message, and t_i are round-dependent constants. Now define ΔX = X' − X.

ΔH_0 →[(M_0, M'_0)] ΔH_1 →[(M_1, M'_1)] ΔH_2 … →[(M_{i−1}, M'_{i−1})] ΔH_i = ΔH, with each step composed of ΔH_i →[P_2] ΔR_{i+1,1} →[P_2] ΔR_{i+1,2} →[P_3] ΔR_{i+1,3} →[P_4] ΔR_{i+1,4} = ΔH_{i+1}.

JLM 20051124 14:1678 Chinese Attack-3
Let Δ_{i,j} = x_{i,j}' − x_{i,j} = ±1 and Δx_i[j_1, j_2, …, j_l] = x_i[j_1, j_2, …, j_l] − x_i.
The collision is caused by a 1024-bit input (M_0, M_1) with
ΔM_0 = (0,0,0,0,2^31,0,0,0,0,0,0,2^15,0,0,2^31,0)
ΔM_1 = (0,0,0,0,2^31,0,0,0,0,0,0,−2^15,0,0,2^31,0).
Sufficient conditions ensure that the differential holds with high probability.
At the 8th iteration, b_2 = c_2 + (b_1 + F(c_2,d_2,a_2) + m_7 + t_7) <<< 22.
Try to control (Δc_2, Δd_2, Δa_2, Δb_1) → Δb_2 as indicated on the next slide.

JLM 20051124 14:1679 Chinese Attack-4
(A) Non-zero bits of Δb_2: d_{2,11} = 1, b_{2,1} = 0, d_{2,26} = ¬a_{2,26} = 1, b_{2,16} = 0, d_{2,28} = ¬a_{2,28} = 0, b_{2,i} = 0, d_{2,11} = 1, b_{2,24} = 0.
(B) Zero bits of Δb_2: c_{2,i} = 0, d_{2,i} = a_{2,i}, c_{2,i} = 1, d_{2,6} = ¬a_{2,6} = 0, d_{2,i} = 0, d_{2,12} = 1, a_{2,24} = 0.
The 7th bit of c_2, d_2, a_2 results in no change in b_2.

JLM 20051124 14:1680 Chinese Attack-5 Algorithm
1: Repeat until first block is found
 (a) Select random M_0,
 (b) Modify M_0,
 (c) M_0, M_0' = M_0 + ΔM_0 produce ΔM_0 → (ΔH_1, ΔM_1) with probability 2^-37,
 (d) Test characteristics.
2: Repeat until second block is found
 (a) Select random M_1,
 (b) Modify M_1,
 (c) M_1, M_1' = M_1 + ΔM_1 produce ΔM_1 → 0 with probability 2^-30,
 (d) Test characteristics.

JLM 20060212 14:1681 SHA-2
FIPS 180-2, 8/02.
–Defines SHA-256, SHA-384, SHA-512.
–SHA-224 (truncated) added 2/04.
Great increase in mixing between bits of the words compared to SHA-1.
US Patent 6,829,355
–Inventor: Glenn Lilly
–Assignee: NSA
Can obtain source from
–http://en.wikipedia.org/wiki/SHA-2

JLM 20051124 14:1682 SHA-256 Definitions
Ch(x,y,z) = (x ∧ y) ⊕ (¬x ∧ z), Maj(x,y,z) = (x ∧ y) ∨ (x ∧ z) ∨ (y ∧ z).
ψ^256_{i,j,k}(x) = ROTR^i(x) ⊕ ROTR^j(x) ⊕ ROTR^k(x) (rotate-only form, used for Σ),
ψ^256_{i,j,k}(x) = ROTR^i(x) ⊕ ROTR^j(x) ⊕ SHR^k(x) (rotate-and-shift form, used for σ).
Σ0^256(x) = ψ^256_{2,13,22}(x), Σ1^256(x) = ψ^256_{6,11,25}(x).
σ0^256(x) = ψ^256_{7,18,3}(x), σ1^256(x) = ψ^256_{17,19,10}(x).

JLM 20051124 14:1683 SHA-512 Definitions
Ch(x,y,z) = (x ∧ y) ⊕ (¬x ∧ z), Maj(x,y,z) = (x ∧ y) ∨ (x ∧ z) ∨ (y ∧ z).
ψ^512_{i,j,k}(x) = ROTR^i(x) ⊕ ROTR^j(x) ⊕ ROTR^k(x) (rotate-only form, used for Σ),
ψ^512_{i,j,k}(x) = ROTR^i(x) ⊕ ROTR^j(x) ⊕ SHR^k(x) (rotate-and-shift form, used for σ).
Σ0^512(x) = ψ^512_{28,34,39}(x), Σ1^512(x) = ψ^512_{14,18,41}(x).
σ0^512(x) = ψ^512_{1,8,7}(x), σ1^512(x) = ψ^512_{19,61,6}(x).

JLM 20051124 14:1684 SHA-256
SHA-256(M_1 || M_2 || … || M_N):
for (i = 1; i ≤ N; i++) {
  W_t = M_t^(i), 0 ≤ t ≤ 15;
  W_t = σ1^256(W_{t-2}) + W_{t-7} + σ0^256(W_{t-15}) + W_{t-16}, 16 ≤ t ≤ 63;
  a = H_0^(i-1); b = H_1^(i-1); c = H_2^(i-1); d = H_3^(i-1);
  e = H_4^(i-1); f = H_5^(i-1); g = H_6^(i-1); h = H_7^(i-1);
  for (t = 0; t < 64; t++) {
    T_1 = h + Σ1^256(e) + Ch(e,f,g) + K_t^256 + W_t;
    T_2 = Σ0^256(a) + Maj(a,b,c);
    h = g; g = f; f = e; e = d + T_1; d = c; c = b; b = a; a = T_1 + T_2;
  }
  H_0^(i) = a + H_0^(i-1); H_1^(i) = b + H_1^(i-1); H_2^(i) = c + H_2^(i-1); H_3^(i) = d + H_3^(i-1);
  H_4^(i) = e + H_4^(i-1); H_5^(i) = f + H_5^(i-1); H_6^(i) = g + H_6^(i-1); H_7^(i) = h + H_7^(i-1);
}
SHA-512 is the same except there are 79 rounds and the words are 64 bits long.
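The SHA-256 pseudocode and definitions on the preceding slides, as an added runnable Python example (this is not code from the lecture). The constants K_t and H_0 are derived from the cube and square roots of the first primes with exact integer arithmetic, the 64-round loop follows the Ch/Maj/Σ/σ definitions above, and hashlib is used only to cross-check the result.

```python
import hashlib, math, struct

MASK = 0xFFFFFFFF

def _primes(n):  # first n primes, used to derive the SHA-256 constants
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps

def _icbrt(n):  # exact floor(cbrt(n)) by binary search, avoiding float rounding
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

# K_t: first 32 fractional bits of cbrt(p) for the first 64 primes p;
# H_0: first 32 fractional bits of sqrt(p) for the first 8 primes.
K = [_icbrt(p << 96) & MASK for p in _primes(64)]
H0 = [math.isqrt(p << 64) & MASK for p in _primes(8)]

def _rotr(x, n):  # ROTR^n on 32-bit words
    return ((x >> n) | (x << (32 - n))) & MASK

def sha256(msg: bytes) -> bytes:
    h = H0[:]
    # pre-processing: "1" bit, zeros to 448 mod 512, 64-bit big-endian bit length
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16L", msg[off:off + 64]))
        for i in range(16, 64):  # schedule: sigma0 = {7,18,3}, sigma1 = {17,19,10}
            s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for i in range(64):  # rounds: Sigma1 = {6,11,25} with Ch; Sigma0 = {2,13,22} with Maj
            t1 = (hh + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
                  + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
            t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
                  + ((a & b) ^ (a & c) ^ (b & c))) & MASK
            hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]  # feed-forward
    return struct.pack(">8L", *h)

def matches_hashlib(msg: bytes) -> bool:  # cross-check against the platform implementation
    return sha256(msg) == hashlib.sha256(msg).digest()
```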

JLM 20060212 14:1685 Other Cryptographic Hashes and Performance
Hash Name     Block Size (bits)   Relative Speed
MD4           128                 1
MD5           128                 .68
RIPEMD-128    128                 .39
SHA-1         160                 .28
RIPEMD-160    160                 .24

JLM 20060212 14:1686 What to take home
Symmetric ciphers and hashes provide key ingredients for "distributed security":
–Fast data transformation to provide confidentiality
–Integrity
–Public key crypto provides the critical third component (trust negotiation, key distribution)
It's important to know the properties of cryptographic primitives and how likely possible attacks are.
–Most modern ciphers are designed so that knowing the output of n-1 messages provides no useful information about the n-th message.
–This has an effect on some modes of operation.

87 SHA-3 Competition JLM 20090310

Notes
–Message expansion and related key attacks
–Rebound attacks, bottleneck attacks (FSE 2009)
–Extension attacks: permutations, output function
–Multicollision resistance
–Indifferentiability attacks
–Bijective Feistel → 5R impossible differential
–Matsui: How far can we go on the x64. FSE 2006, v4047.
–Matsui: Power of bitslice. CHES 2007, v4727.
88 JLM 20090222

Haifa
Dean 2nd pre-image on fixed points H = E_M^{-1}(0):
1. Find 2^{mc/2} fixed points, A = (h, m)
2. Find 2^{mc/2} single-block outputs B = C_MD(IV, M|m')
3. Obtain collision
h_{i+1} = C(h_i, M_i, nBitsSoFar, salt)
Wide pipe. C_1: {0,1}^{mc} × {0,1}^n → {0,1}^{mc}; C_2: {0,1}^{mc} → {0,1}^n.
89 JLM 20090222

RadioGatun
Compression (state, message to state); Expand (message expansion, 3–5x).
IMF has given capacity l_c.
Alternating input construction:
–Internal collision
–State guessing
–Decorrelation
–Difference propagation
Operates on an l_s-bit state.
State guess infeasible implies that pre-image is infeasible.
Alternating input construction: In: l_i-bit input blocks p_0, …, p_{np-1}. Out: l_o-bit output blocks z_0, …, z_{nz-1}. R is the round function. S = 0; for(i=0;i
90 JLM 20090222

Blake
Haifa design. h_0 = IV
for(i=0;i
>>>16
–c = c + d
–b = (b ⊕ c) >>> 12
–a = a + b + (m_{σ_r(2i+1)} ⊕ c_{σ_r(2i+1)})
–d = (d ⊕ a) >>> 8
–c = c + d
–b = (b ⊕ c) >>> 7
Finalization: h_0' = h_0 ⊕ s_0 ⊕ v_0 ⊕ v_8, h_1' = h_1 ⊕ s_1 ⊕ v_1 ⊕ v_9, h_2' = h_2 ⊕ s_2 ⊕ v_2 ⊕ v_10, h_3' = h_3 ⊕ s_3 ⊕ v_3 ⊕ v_11, h_4' = h_4 ⊕ s_4 ⊕ v_4 ⊕ v_12, h_5' = h_5 ⊕ s_5 ⊕ v_5 ⊕ v_13, h_6' = h_6 ⊕ s_6 ⊕ v_6 ⊕ v_14, h_7' = h_7 ⊕ s_7 ⊕ v_7 ⊕ v_15.
Initial state v:
  v_0  v_1  v_2  v_3  = h_0     h_1     h_2     h_3
  v_4  v_5  v_6  v_7  = h_4     h_5     h_6     h_7
  v_8  v_9  v_10 v_11 = c_0⊕s_0 c_1⊕s_1 c_2⊕s_2 c_3⊕s_3
  v_12 v_13 v_14 v_15 = c_4⊕t_0 c_5⊕t_1 c_6⊕t_2 c_7⊕t_3
(diagram: chain value, salt, ctr → Init → Rounds (M, salt, ctr) → Final → next chain value)
91 JLM 20090222

Grostl
(diagram: H_{i-1} ⊕ M_t → P, M_t → Q, outputs ⊕ H_{i-1} → H_i)
h_0 = IV, h_i = f(h_{i-1}, m_i), H(M) = G(h_t).
Compression: f(h,m) = P(h ⊕ m) ⊕ Q(m) ⊕ h
G(x) = trunc_n(P(x) ⊕ x)
R(x) = Mix(Shift(Subbyte(AddRoundKey(x))))
Mix: 8 × 8 MDS over GF(2^8)
P and Q only differ by the use of constants in 10 rounds of applying R(x).
92 JLM 20090222

Sponge
A sponge function takes a variable-length input p of characters from A and produces an infinite-length output z, z_j ∈ A; f: A × C → A, |p| ≥ 1 and the final character is ≠ 0. The state is S = (S_A, S_C).
–Absorbing: S = f(S_A + p_i, S_C)
–Squeezing: S = f(S)
–Rate: lg(|A|)
–Capacity: lg(|C|)
–S_f[p]: state after absorbing p
–z_j = S_{A,f}[p|0^j]
–State collision: S_f[p] = S_f[q]
–Inner collision: S_{f,C}[p] = S_{f,C}[q]
–Simulates a random oracle
93 JLM 20090222

T/P-Sponge
A P-sponge is a permutation selected uniformly and randomly from (AC)!. A T-sponge is a function selected uniformly and randomly from (AC)^{AC}.
Theorem: The output returned by a random sponge to a sequence of queries is uniformly and randomly distributed if no inner collision occurs.
Theorem: The probability of success of distinguishing between a random sponge (RS) and a random oracle (RO) is P ≤ ½ + ½P(IC|RS). For a random T-sponge, P(IC) = 1 − exp(−Σ_{i=1}^{q} i/|C|).
2nd pre-image: Find a 2nd path to some inner state: T = S_{C,f}[p'].
Case: Inner collision | Path find | Out cycle | Out bind (rm>c) | Out bind (rm
94 JLM 20090222

Sponge
(diagram: absorbing, S_A ⊕ p_0 and S_C pass through f; squeezing, z_0 is read from S_A and the state passes through f)
r is bit rate, c is capacity.
95 JLM 20090222

Sponge
Theorem: A random sponge can only be distinguished from a random oracle by the presence of an inner collision, which is unlikely if q << 2^{c/2}.
Theorem: A random sponge can be differentiated from a random oracle with probability p ≈ q(q+1)·2^{-(c+1)}, N < 2^c.
                   T                         P
Output collision   2^{(min(n,c)+3)/2}
Pre-image          2^n                       2^n min(2^{c/2} + 2^n, 2^n)
2nd pre-image      min(2^c/l, 2^n)           min(2^{(min(n,c)+3)/2}, 2^n)
96 JLM 20090222
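The inner-collision argument of the sponge slides above (inner collision → state collision → identical output), worked as an added Python example; this is a constructed toy, not code from the lecture or from the sponge authors. It assumes a 16-bit state with r = c = 8, a toy permutation f chosen only to be invertible, and the function names are mine; the birthday search finds an inner collision after roughly 2^{c/2} = 16 absorptions, and one extra block turns it into a full state collision.

```python
# Toy sponge: 16-bit state, r = 8 bits (outer part S_A), c = 8 bits (inner part S_C).
R_BITS, C_BITS = 8, 8
W_MASK = (1 << (R_BITS + C_BITS)) - 1

def f(s: int) -> int:
    """Constructed 16-bit permutation (invertible ARX-style rounds); not cryptographically strong."""
    for _ in range(4):
        s = (s * 0x9E37 + 0x5555) & W_MASK   # odd multiplier: bijective mod 2^16
        s ^= (s << 7) & W_MASK               # xorshift steps are invertible
        s ^= s >> 9
        s = ((s << 5) | (s >> 11)) & W_MASK  # rotate left by 5
    return s

def absorb(msg: bytes, s: int = 0) -> int:
    """Absorbing: S = f(S_A ^ p_i, S_C) per r-bit block; S_A is the top 8 bits of the state."""
    for p in msg:
        s = f(s ^ (p << C_BITS))
    return s

def sponge(msg: bytes, out_len: int) -> bytes:
    """Absorb msg with pad10*1 (a single 0x81 byte when r = 8), then squeeze out_len bytes."""
    s = absorb(msg + b"\x81")
    out = bytearray()
    while len(out) < out_len:
        out.append(s >> C_BITS)  # z_j = S_A
        s = f(s)
    return bytes(out)

def inner(s: int) -> int:
    """S_C: the inner part of the state, never touched directly by input or output."""
    return s & ((1 << C_BITS) - 1)

def find_inner_collision():
    """Birthday search over 2-byte messages: because S_C takes only 2^c = 256 values,
    two messages with equal inner state appear after about 2^(c/2) = 16 absorptions."""
    seen = {}
    for n in range(1 << 16):
        p = n.to_bytes(2, "big")
        sc = inner(absorb(p))
        if sc in seen:
            return seen[sc], p, n + 1  # (first message, second message, absorptions used)
        seen[sc] = p

def extend_to_state_collision(p: bytes, q: bytes, b: int = 0x00):
    """Inner collision -> state collision: absorb b after p and b ^ S_A[p] ^ S_A[q] after q.
    Both states then agree before f, so every later output agrees for any common suffix."""
    sa_p, sa_q = absorb(p) >> C_BITS, absorb(q) >> C_BITS
    return p + bytes([b]), q + bytes([b ^ sa_p ^ sa_q])
```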

Sponge
Simulate: make the interface the same as to an ideal compression function, F.
Def: A Turing Machine C with oracle access to an ideal primitive F is said to be (t_D, t_S, q, ε)-indifferentiable from an ideal primitive G if there is a simulator P[G] such that ∀D, |Pr[D[C(F), F] = 1] − Pr[D[G, P[G]] = 1]| < ε.
97 JLM 20090222

Keccak
Keccak-f(r+c). r+c = 25, 50, 100, 200, 400, 800, 1600
–r = 1024, c = 575
–r = 512, c = 1088
State: 5 × 5 × 2^l bits
–θ for diffusion
–ρ for inter-slice dispersion
–π for disturbing vertical/horizontal alignment
–χ for non-linearity
–ι for symmetry breaking
98 JLM 20090222

Keccak
χ: for(y=0; y<5; y++){ for(x=0; x<5; x++) A[x][y] = a[x][y] ⊕ (¬a[x+1][y] ∧ a[x+2][y]); }
θ: for(x=0; x<5; x++){ p[x] = 0; for(y=0; y<5; y++) p[x] = a[x][y] ⊕ p[x]; }
   for(x=0; x<5; x++){ d[x] = p[x-1] ⊕ (p[x+1] <<< 1); for(y=0; y<5; y++) A[x][y] = a[x][y] ⊕ d[x]; }
   (x indices are taken mod 5)
99 JLM 20090222

Keccak
π: for(x=0; x<5; x++){ for(y=0; y<5; y++){ [X, Y]^T = [0 1; 2 3] [x, y]^T (mod 5); A[X][Y] = a[x][y]; } }
ρ: A[0][0] = a[0][0]; [x, y]^T = [1, 0]^T; for(t=0; t<24; t++){ A[x][y] = a[x][y] <<< [(t+1)(t+2)]/2; [x, y]^T = [0 1; 2 3] [x, y]^T (mod 5); }
ι: Add round constants;
100 JLM 20090222
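The θ, ρ, π, χ, ι steps from the two Keccak slides above, as an added Python example (my own transcription of the public Keccak-f[1600] description, not the lecture's code). The ρ offsets come from the (t+1)(t+2)/2 walk, the ι constants from the standard 8-bit LFSR, and the permutation is wrapped as SHA3-256 (r = 1088 bits = 136 bytes, c = 512, domain byte 0x06) so that hashlib can cross-check it.

```python
import hashlib

MASK64 = (1 << 64) - 1

def _rotl(x, n):  # 64-bit rotate left
    n %= 64
    return ((x << n) | (x >> (64 - n))) & MASK64 if n else x

def keccak_f1600(lanes):
    """24 rounds of theta, rho, pi, chi, iota on a 5x5 array of 64-bit lanes, lanes[x][y]."""
    r = 1  # LFSR state that generates the iota round constants
    for _ in range(24):
        # theta: column parities, then D[x] = C[x-1] ^ rot(C[x+1], 1) added to every lane of column x
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rotl(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho and pi together: walk (x,y) -> (y, 2x+3y) from (1,0); lane t is rotated by (t+1)(t+2)/2
        x, y, cur = 1, 0, lanes[1][0]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], _rotl(cur, (t + 1) * (t + 2) // 2)
        # chi: a[x] ^= ~a[x+1] & a[x+2] along each row (the only non-linear step)
        for y in range(5):
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        # iota: xor the round constant into lane (0,0); its bits come from an 8-bit LFSR
        for j in range(7):
            r = ((r << 1) ^ ((r >> 7) * 0x71)) & 0xFF
            if r & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    return lanes

def sha3_256(msg: bytes) -> bytes:
    """SHA3-256 = Keccak[c=512]: r = 136 bytes, pad10*1 with domain byte 0x06."""
    rate = 136
    padded = bytearray(msg) + b"\x06" + b"\x00" * ((rate - (len(msg) + 1) % rate) % rate)
    padded[-1] |= 0x80
    lanes = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), rate):  # absorbing: xor each r-bit block into S_A, apply f
        for i in range(rate // 8):
            lanes[i % 5][i // 5] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        lanes = keccak_f1600(lanes)
    # squeezing: 256 bits fit in the first output block, so no further call to f is needed
    return b"".join(lanes[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def matches_hashlib(msg: bytes) -> bool:  # cross-check against the platform implementation
    return sha3_256(msg) == hashlib.sha3_256(msg).digest()
```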

Lane
IV_{n,S} = f(0, f || bin_32(n) || 0^k | S, 0), f is the salt.
P: 6 rounds, Q: 3 rounds.
M_i = m_1 || m_2 || m_3 || m_4
H_i = h_0 || h_1
W_0 = h_0 ⊕ m_0 ⊕ m_1 ⊕ m_2 ⊕ m_3 || h_1 ⊕ m_0 ⊕ m_2
W_1 = h_0 ⊕ h_1 ⊕ m_0 ⊕ m_2 ⊕ m_3 || h_0 ⊕ m_1 ⊕ m_2
W_2 = h_0 ⊕ h_1 ⊕ m_0 ⊕ m_1 ⊕ m_2 || h_0 ⊕ m_0 ⊕ m_3
W_3 = h_0 || h_1
W_4 = m_0 || m_1
W_5 = m_2 || m_3
101 JLM 20090222

Lane
(diagram: H_{i-1}, M → E → P_0, P_1, P_2, P_3, P_4, P_5 → ⊕ → Q_0, Q_1 → ⊕ → H_i)
102 JLM 20090222

Lane
function Round(r, X)
1: X ← SubBytes(X)
2: X ← ShiftRows(X)
3: X ← MixColumns(X)
4: X ← AddConstants(r, X)
5: X ← AddCounter(r, X)
6: X ← SwapColumns(X)
7: return X
function LastRound(X)
1: X ← SubBytes(X)
2: X ← ShiftRows(X)
3: X ← MixColumns(X)
4: X ← SwapColumns(X)
5: return X
function Pj(X)
1: for i = 0 to 4 do
2:   r ← 5j + i
3:   X ← Round(r, X)
4: end for
5: X ← LastRound(X)
6: return X
function Qj(X)
1: for i = 0 to 1 do
2:   r ← 30 + 2j + i
3:   X ← Round(r, X)
4: end for
5: X ← LastRound(X)
6: return X
103 JLM 20090222

Lane
1: k_0 ← 07fc703d_x
2: for i = 1 to 272 (resp. 768 for Lane-384 and Lane-512) do
3:   k_i = k_{i−1} ≫ 1
4:   if k_{i−1} ∧ 00000001_x then
5:     k_i = k_i ⊕ d0000001_x
6:   end if
7: end for
Figure 2.4: Pseudocode
104 JLM 20090222

Shavite
Use Haifa mode/MD construction. Compression: C_256, Encrypt: E_256.
E: (L_{i+1}, R_{i+1}) = (R_i, L_i ⊕ F^3_{rk[i]}(R_i)).
F^3_{k0,k1,k2}(x) = AESR(0^128, AESR(k1, AESR(k2, x ⊕ k0)))
C_256(M, cnt, salt)
–Message expansion
–Repeat 4 times:
  Repeat 2 times:
  1. rk[i] = M, i = 0, …, 15
  2. i = 16
  3. t[0…3] = AESR(0^128, rk[i-15], rk[i-14], rk[i-13], rk[i-16]) ⊕ salt[0…3]
  4. rk[i+j] = t[j] ⊕ rk[i+j-4]
  5. if (i == 16) rk[16] ⊕= cnt[0]; rk[17] ⊕= cnt[1];
  6. if (i == 84) rk[86] ⊕= cnt[1]; rk[87] ⊕= cnt[0];
  7. i += 4;
  8. t[0…3] = AESR(0^128, rk[i-15], rk[i-14], rk[i-13], rk[i-16]) ⊕ salt[4…7]
  9. rk[i+j] = t[j] ⊕ rk[i+j-4]
  10. if (i == 56) rk[57] ⊕= cnt[0]; rk[58] ⊕= cnt[1];
  11. if (i == 124) rk[124] ⊕= cnt[1]; rk[127] ⊕= cnt[0];
  12. i += 1;
105 JLM 20090222

Shavite
  Repeat 2 times:
  1. rk[i] = rk[i-16] ⊕ rk[i-3]
  2. i++;
Pad: M' = M | 1 | 0^k | len(M) | len(m)
b = 0; h_0 = IV
for (i = 0; i < |M|/512; i++) { b += 512; h_i = C_256(h_{i-1}, M_i, b, salt) }
if (|M| ≡ 0 (mod 512)) h_{l-1} = C_256(h_{l-2}, M_l, b, salt)
h_l = C_256(h_{l-1}, M_l, b, salt)
106 JLM 20090222

Shavite
Message expansion X(M, cnt, salt256) → 144 32-bit words rk[0…143].
Theorem for C_256: The exact maximal expected 2-round differential characteristic has probability 53/2^34 = 1.656 × 2^-29. The exact maximal expected 4-round differential characteristic has probability (53/2^34)^4 = 1.881 × 2^-114. The best 3-round differential characteristic has probability < 2^-49.
Theorem: Except for the 0 → 0 characteristic:
1. There is no iterative 2-round characteristic of E_256.
2. There is no 4-round characteristic of E_256 with probability > 2^-147.
3. There is no 3-round characteristic of E_256 with probability > 2^-98.
4. There is no 9-round characteristic of E_256 with probability > 2^-294.
With the MD construction, there is no preimage if the block cipher is safe. In a wide pipe, need m_c ≥ 2m for safety against pre-image. Need salt ≥ ½ m_c for safety against herding attack.
MIV_256 = C_256(0,0,0,0)
107 JLM 20090222

Skein
(diagram: Mix step (+, <<<, ⊕), Round-Key 0, Permute; UBI chaining: G, M_0, M_1, …, M_k combined by ⊕, with Len, First, Final fields)
108 JLM 20090222

DM/MMO
Davies–Meyer (diagram: H_{i-1} → E keyed by m_i, ⊕ → H_i): differential attack on C, related-key attack on E.
Matyas–Meyer–Oseas (diagram: m_i → E keyed by H_{i-1}, ⊕ → H_i): differential attack on C, differential attack on E.
109 JLM 20090222

MD6 has…
–Bottom-up tree-based mode of operation (like Merkle-tree)
–4-to-1 compression ratio at each node
110 JLM 20090228

MD6 has…
–1024-bit intermediate (chaining) values
–root truncated to desired final length
–Location (level, index) input to each node (diagram: nodes (2,2) (2,0) (2,1) (2,3))
111 JLM 20090228

Prepend Constant + Map + Chop
(diagram: Prepend → Map (1-1 map) → Chop)
Input: const (15 words) | key + U,V (8 + 2 words) | data (64 words) = 89 words; output 16 words.
112 JLM 20090228

Constants
–Taps 17, 18, 21, 31, 67 optimize diffusion
–Constants S_i defined by simple recurrence; change at end of each 16-step round
–Shift amounts repeat each round (best diffusion of 1,000,000 such tables):
 i    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 r_i 10  5 13 10 11 12  2  7 14 15  7 13 11  7  6 12
 l_i 11 24  9 16 15  9 27 15  6  2 29  8 15  5 31  9
113 JLM 20090228

Large Memory (sliding window)
(diagram: sliding window over the word array)
Array of 16r + 89 64-bit words. Each computed as a function of the preceding 89 words. Last 16 words computed are output.
114 JLM 20090228

Small memory (shift register)
(diagram: S_i and the shifts feeding a shift register of 89 words)
Shift-register of 89 words (712 bytes). Data moves right to left.
115 JLM 20090228

MD6 Description
Compress
–Input: A[0], …, A[88]; A[0]..A[14] constants, A[15]..A[22] key/level, A[25]..A[88] data
–One step: for (i = 89; i <= 16r+88; i++) {
   x = S_i ⊕ A[i-17] ⊕ A[i-88] ⊕ (A[i-18] ∧ A[i-21]) ⊕ A[i-67]
   x = x ⊕ (x >> r_i)
   A[i] = x ⊕ (x << l_i)
 }
 S_i: … ⊕ (S_{i-1} ∧ 7311c2812425cfa)
 s    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 r_i 10  5 13 10 11 12  2  7 14 15  7 13 11  7  6 12
 l_i 11 24  9 16 15  9 27 15  6  2 29  8 15  5 31  9
JLM 20090222 116

117 End JLM 20081006

JLM 20090201 118 Next Quarter
2-4 weeks to cover 16, 17, 18 and results on boolean functions.
Rest on major reports:
–Full Linear cryptanalysis of DES.
–Full Differential cryptanalysis of DES.
–Full Linear and differential cryptanalysis of FEAL.
–Intro Algebraic cryptanalysis (including SFLASH) – John.
–An algebraic cryptanalysis.
–Dobbertin's attack on MD4.
–Chinese (Wang et al.) attack on SHA-1.
Other topics (final quarter?)
–Full factoring attack.
–Full Elliptic Curve crypto selection, attacks, etc. (3 weeks).
–Full Discrete Log attack.
–Full Re-estimation attack.
–Random number analysis.
–NIST Hash analysis.
–Full Stream cipher analysis.