
0 Introduction to Cryptographic Hash Functions
Pukyong National University Kyung Hyune Rhee

1 Contents
- Introduction
- The definition and the general model of hash functions
- Description of the new hash algorithms
- The MAC (Message Authentication Code) using the proposed hash algorithms
- Concluding Remarks

2 Introduction

3 Hash Function
- maps a bit string of arbitrary finite length into a string of fixed length (128 bits, 160 bits)
- basic idea: the hash value serves as a compressed representative image of an input string, uniquely identifying that string
- unkeyed hash function & keyed hash function
- applications
  - verification of integrity
  - construction of MAC (Message Authentication Code)
  - increase of the efficiency of digital signatures

4 Existing MDx-family hash functions
- iterative process based on the theory of Merkle and Damgard
- In 1990, MD4 proposed by Rivest
  - attacks against the shortened version by Merkle and Bosselaers
- In 1991, MD5: strengthened version of MD4
- In 1992, HAVAL designed by Zheng, Pieprzyk and Seberry
- In 1993, SHA (Secure Hash Algorithm) published by NIST
- In 1995, SHA-1: improved version of SHA
- In 1995, RIPEMD proposed by the European RIPE consortium
  - a strengthened version of MD4
- In 1996, attack against a shortened version of RIPEMD by Dobbertin
- In 1996, RIPEMD-128/160 by Dobbertin, Bosselaers and Preneel
  - a strengthened version of RIPEMD
- HAS-160 standardized by TTA

5 MAC(Message Authentication Code)
- data integrity and data origin authentication
- construction
  - based on CBC and CFB modes of a block cipher
  - MAA (Message Authenticator Algorithm)
    - ISO standard
    - relatively fast in S/W
    - 32-bit result
  - based on hash functions
    - faster than other schemes
    - additional implementation effort is small
    - adopted in Kerberos and SNMP

6 The definition and the general model of the hash function

7 Cryptographic hash functions
- functions that map bit strings of arbitrary finite length into strings of fixed length
- Given function h and input x, computing h(x) must be easy
- properties of the cryptographic hash function
  - easy computation
  - pre-image resistance
  - second pre-image resistance
  - collision resistance

8 Structure of hash functions
- iterative processes which hash inputs of arbitrary length by processing successive fixed-size blocks of input
- f: compression function
- Hi: chaining variable
[Figure: initial value, compression function, hash; inputs: message block 1, message block 2, last message part with padding]

9 Features of existing hash functions
- SHA-1: the message expansion
  - additional message words are generated from the original input message words
  - a strong resistance against existing attacks exploiting the simplicity of applying the message word in the compression function
- RIPEMD-160
  - processes the input message in two parallel lines in order to improve the security
- HAVAL
  - variable-length fingerprints and variable number of passes
  - use of strong Boolean functions having cryptographically good properties

10 Definition and general model of the hash function(4)
- MAC (Message Authentication Code)
  - keyed hash function
  - a hash function with a secondary input, i.e., a secret key
- existing MAC constructions
  - Gene Tsudik: secret prefix method, secret suffix method, envelope method
  - Kaliski and Robshaw: MAC constructions using MD5
  - Preneel, van Oorschot: MDx-MAC
  - Bellare et al.: NMAC, HMAC

11 Description of the new hash algorithms

12 New hash algorithm - SMD
- New hash function (SMD; Strengthened Message Digest)
  - based on concrete design principles of MD-family hash functions
  - secure against known attacks
  - the message expansion of SHA-1
  - cryptographically strong Boolean functions similar to those of HAVAL
- distinguishing feature: data-dependent rotation
  - rotations by variable amounts dependent on input messages

13 New hash algorithm - SMD(cont.)
Notations word : 32-bit string block : 512-bit string used as input of compression function + : addition modulo between two words X<<s : left rotation X by s bits : bitwise logical AND operation of A and B : bitwise logical OR operation of A and B : bitwise logical XOR operation of A and B

14 New hash algorithm – SMD(cont.)
Output length and chaining variable : 160-bit result Initial Value IV=(A,B,C,D,E) A = 0x B = 0xefcdab89 C = 0x98badcfe D = 0x E = 0xc3d2e1f0 Constants K1= 0 , K2= 0x5a ( ), K3= 0x6ed9eba1( ), K4= 0x8f1bbcdc ( ) expansion of message variables a message word affects steps as many as possible additionally generating 8 message variables from 16 input message words

15 New hash algorithm – SMD(cont.)
- the order of message words applied to each round
  - refers to the design principle of RIPEMD-160
  - additionally generated words are sufficiently dispersed
  - the same word is not close by in each round
  - in each step of each round, the same message word is not used

16 New hash algorithm – SMD(cont.)
- Step operation
- Boolean functions
  - based on those of HAVAL
  - satisfy cryptographically good properties: 0-1 balanced, high nonlinearity, satisfy SAC (Strict Avalanche Criterion)
  - for efficiency, use f1 repeatedly

17 New hash algorithm – SMD(cont.)
- rotation
  - a distinguishing feature: message-dependent rotations
  - variable rotations dependent on the input message
  - because the hash result is more dependent on the input message, the security can be improved
  - uses different message words from those used in the step operation
- The order of message word Xi

18 Compression Function of ISMD
[Figure: 16 words, message expansion, 24 words; Round 1, Round 2, Round 3, Round 4]

19 Step Operation of ISMD
[Figure: step operation on the chaining variables A, B, C, D, E]

20 New hash algorithm – SMD(cont.)
- Security
  - secure against known attacks by Boer and Bosselaers, and by Dobbertin
  - frustrates differential cryptanalysis and linear cryptanalysis: data-dependent rotations
  - the best way to find a collision pair: the birthday attack
  - in such an attack, the attacker prepares two sets of 2^80 distinct messages and calculates their fingerprints

21 New hash algorithm – SMD(cont.)
- Performance
  - compares the performance of MD5, SHA-1, RIPEMD-160, HAVAL (5 passes, 160 bits), and our scheme
  - the implementation was written in C on a Pentium (100 MHz)
  - our scheme is about 27% faster than RIPEMD-160 and about 2% faster than SHA-1

22 Secure hash function based on CA
Cellular Automata(CA) a linearly connected array of L cells and a Boolean function f(x) with q variables each cell takes the value 0 or 1 q = 2r + 1 , r : the radius of the function f(x) new value of the ith cell is calculated using the value of the ith cell and the values of r neighboring cells to the right and left of the ith cell For L cell, there are possible state vectors : state vector at the time step k forms a cycle  P : period, which is a function of the initial value, the updating function, and the number of cells

23 Secure hash function based on CA(cont.)
- CA with q=3
  - function f: combinatorial logic associated with the CA
  - updating rule for transiting to the next state
  - if the next-state function of a cell is expressed in the form of a truth table, then the decimal equivalent of the output column in the truth table is called a CA rule number
  - Rule 90 Rule 60 Rule 150 Rule 204

24 Secure hash function based on CA(cont.)
- Uniform and Hybrid CA
  - Uniform CA: the same rule is applied to all cells in a CA
  - Hybrid CA: otherwise
- boundary condition: null and periodic
  - null: extreme cells are connected to logic '0'
  - periodic: extreme cells are adjacent
- Additive CA
  - next-state transition rules employ only XOR or XNOR operations
  - uniquely represented by a transition matrix over GF(2)
  - every transition matrix has a characteristic polynomial

25 Secure hash function based on CA(cont.)
- L-cell additive CA with XOR operations
  - characterized by an L x L Boolean matrix T
  - the ith row specifies the neighborhood dependency of the ith cell
  - x(t): column vector representing the state of the CA at time t
  - next state of CA
- Maximal length CA
  - the characteristic polynomial of the CA is primitive
  - generates all states in the successive cycles excluding the all-zero state
- Programmable CA (PCA)
  - realizing different CA configurations on the same structure
  - can be achieved using control logic

26 Secure hash function based on CA(cont.)
- Example of PCA: Rule 90 and Rule 150
  - if the control signal is '0', apply Rule 90
  - if the control signal is '1', apply Rule 150
[Figure: cell #i with its control signal]

27 Secure hash function based on CA(cont.)
- Applications of CA
  - design of block ciphers, stream ciphers and hash functions
  - first cryptographic application of CA: Crypto'85, Wolfram
  - In 1994, Nandi et al. proposed block and stream ciphers based on CA
- hash functions based on CA
  - first proposal: Damgard
  - In 1991, Daemen analyzed the vulnerability of Damgard's scheme and proposed a new CA-based hash function
  - In 1997, Hirose proposed a hash function based on two-dimensional CA
  - In 1998, Mihaljevic proposed a CA-based hash function
    - the compression function is the combination of a nonlinear function and PCA, and the output function is a key stream generator

28 Secure hash function based on CA(cont.)
- uses the Davies-Meyer type compression function
  - implies a secure hash function construction, assuming that the compression function and the output function are secure
- the compression function and output function are based on the CA
- features of the CA-based hash function
  - very fast hashing
  - the application of CA theory for the security analysis
  - the preimage and collision resistance due to the employed principles and building blocks

29 Secure hash function based on CA(cont.)
Notations n : an output length of the hash function (n=160 bits) l : an integer such that n/l is also an integer (l = 8 bits) : nonlinear Boolean functions each of which maps five l-dimensional binary vectors into an l-dimensional binary 0-1 balanced , high nonlinearity, satisfy SAC, pairwise linearly non-equivalent

30 Secure hash function based on CA(cont.)
- Notations (cont.)
  - : a maximal length CA
  - : a PCA controlled by binary vectors X and Y; the applied configuration rules are as follows:
    - if the ith bits of both X and Y are 0, then Rule 204 is applied to the ith PCA cell
    - if the ith bit of X is 0 and the ith bit of Y is 1, then Rule 60 is applied to the ith PCA cell
    - if the ith bit of X is 1 and the ith bit of Y is 0, then Rule 102 is applied to the ith PCA cell
    - if the ith bits of both X and Y are 1, then Rule 150 is applied to the ith PCA cell
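The CA rule numbers, the Rule 90/150 PCA and the X/Y-controlled PCA described on slides 23 to 30, as an added example that is not part of the original slides. It assumes the usual truth-table ordering (left neighbour as the most significant bit) and a null boundary for the PCA; the function names and the 4-cell rule vector are chosen here.

```python
# Rule selected by the control bits (X_i, Y_i), as listed on the slide above.
PCA_XY_RULES = {(0, 0): 204, (0, 1): 60, (1, 0): 102, (1, 1): 150}

def cell_rule(rule, left, centre, right):
    """Bit number 4*left + 2*centre + right of the rule number is the next cell value."""
    return (rule >> (left << 2 | centre << 1 | right)) & 1

def ca_step(state, rules, periodic=False):
    """One synchronous update of a hybrid CA; rules[i] is the rule number of cell i."""
    n = len(state)
    edge_l = state[-1] if periodic else 0   # null boundary: extreme cells see logic 0
    edge_r = state[0] if periodic else 0
    return [cell_rule(rules[i],
                      state[i - 1] if i > 0 else edge_l,
                      state[i],
                      state[i + 1] if i < n - 1 else edge_r)
            for i in range(n)]

def pca_90_150_step(state, control):
    """PCA of slide 26: control bit 0 selects Rule 90, control bit 1 selects Rule 150."""
    return ca_step(state, [150 if c else 90 for c in control])

def pca_xy_step(state, x, y):
    """PCA controlled by binary vectors X and Y (Rules 204, 60, 102, 150)."""
    return ca_step(state, [PCA_XY_RULES[xi, yi] for xi, yi in zip(x, y)])

def cycle_from(state, rules):
    """States visited before the CA returns to the start state."""
    seen, cur = [list(state)], ca_step(state, rules)
    while cur != seen[0]:
        if len(seen) >= 2 ** len(state):
            raise ValueError("start state is not on a cycle")
        seen.append(cur)
        cur = ca_step(cur, rules)
    return seen

# Constructed 4-cell hybrid CA with null boundary. Its transition matrix has
# characteristic polynomial x^4 + x + 1, which is primitive, so every
# non-zero state lies on one cycle of length 2^4 - 1 = 15.
MAXLEN_RULES = [90, 150, 90, 150]

if __name__ == "__main__":
    for s in cycle_from([1, 0, 0, 0], MAXLEN_RULES):
        print(s)
```

With these four rules the X/Y-controlled cell computes its own value XOR (Y AND left neighbour) XOR (X AND right neighbour), so the PCA stays additive for every choice of X and Y.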

31 Secure hash function based on CA(cont.)
Notations (cont.) : an ith 4n-bit block of the input message : an n-bit chaining variable after the ith iteration Cell#i Cell # i-1 Cell # i+1

32 Secure hash function based on CA(cont.)
- Message padding
  - has a variable-length hash result
  - the process of message padding is equal to that of existing hash functions, except for appending the bit length of the hash result to the end of the message
  - a 2-byte output length L is appended after the length of the original message (8 bytes)
- Compression function f()
  - input: 4n-bit message block and an n-bit chaining variable
  - output: n-bit chaining variable

33 Secure hash function based on CA(cont.)
Compression function f() (cont.) and are split into successive nonoverlapping equal length blocks of l-bit, respectively Using two input and , each n-bit X, Y, Z are computed as the following procedure: (1) Compute an n-bit X , k=0, 1, …, 9 : l-bit constants, respectively (2) Compute an n-bit Y

34 Secure hash function based on CA(cont.)
(3) Apply X, Y, to PHT(Pseudo-Hadamard Transform) split n-bit X, Y, into 8-bit , , , respectively (4) Compute an n-bit V (5) Compute an n-bit Z

35 Secure hash function based on CA(cont.)
Output function g() (1) Load as the initial value of PCA (2) uses X, Y, V, Z when the last is computed split n-bit X, Y, V, Z into 8-bit , , , , respectively (3) Operating the following by the output-length L Each cycle outputs the middle bit of state values of PCA()

36 Secure hash function based on CA(cont.)
Input : message M , n-bit initial value IV Preprocessing : MD-strengthening and padding splitting the message into m blocks of 4n-bit, Iterative Processing : , i=1,2,…,m , do the following: calculate the compression function f() : If is the all zero vector, recalculate Output function : calculate Output : L-bit message digest

37 Block Diagram of CA-based Hash Function
Padding original input M hash function h formatted input compression function f output function g

38 Secure hash function based on CA(cont.)
- the security of the proposed hash function is determined by the security of its compression function and output function
- the following imply the security of the compression function
  - the CA has a primitive characteristic polynomial, to have maximal length
  - the patterns generated by maximal length CAs meet the cryptographic criteria
  - high nonlinearity due to the employed Boolean functions and PCA
  - the methods known so far for reconstruction of a certain CA/PCA state cannot work in f()
- the compression function is a cryptographic transformation
  - given an f() output, finding the preimage requires about 2^n operations and finding a collision requires about 2^(n/2) operations

39 Secure hash function based on CA(cont.)
- The security of the output function g()
  - a key stream generator which consists of two stages using CA and PCA
  - it has a primitive characteristic polynomial, to have maximal length
  - high nonlinearity due to the employed PCA
  - a cryptographic transformation
  - for a given n-bit hash value, finding the input of g(), i.e., Hm, requires about 2^n operations and finding a collision requires about 2^(n/2) operations
- For an n-bit hash value, the security of the proposed hash function
  - finding preimage requires about operations
  - finding collision requires about operations

40 Secure hash function based on CA(cont.)
Computational complexity of the compression function Boolean functions of n/5l times and mod 256 addition of 2n/l times n-bit CA(= 3n XOR operations) mod 256 addition of 8n/16 times and 1-bit left shift of 4n/16 times n-bit PCAXY (= 3n XOR operations) n-bit XOR operations mod 256 addition of (4n/l + n/2) times, 1-bit left shift of n/4 times, two n-bit CA calculations, n-bit PCA computation, bitwise AND of 30n/5l times, bitwise XOR of 26n/5l times, bitwise OR of 4n/5l times, NOT operation of 2n/5l times, and n-bit XOR computations

41 Secure hash function based on CA(cont.)
Computational complexity of the output function mod 256 addition of 8n/16 times and 1-bit left shift of 4n/16 times 2L-cycle CA and L-cycle PCAX’Y’ (L : bit-length of the hash result) Complexity for processing m message blocks(n=160, l=8, L=n) 80(2m+1) mod 256 addition + 40(m+1) 1-bit left shift + (2m+320) CA + (m+160) PCA + 248m bitwise logical operation + m 160-bit XOR Memory requirement 4n bits , n bits , X, Y, V, Z, n bits temporary buffer => total 10n bits memory is required

42 Secure hash function based on CA(cont.)
- Comparing with Daemen's, Hirose's and Mihaljevic's schemes
  - Daemen's scheme: uses nonlinear CA and linear CA
  - Hirose's scheme: employs two nonlinear CA
  - the nonlinear CA used belong to a class of nonlinear CA for which an algorithm for inversion of the CA iterations was published recently
- The compression function of the proposed hash function employs the Davies-Meyer type and the combined form of nonlinear functions and PCA
  - more secure than Daemen's scheme and Hirose's scheme
- Both schemes do not employ an output function, but the proposed hash function has an output function based on CA/PCA

43 Secure hash function based on CA(cont.)
- Mihaljevic's scheme
  - employs the Davies-Meyer type compression function and a cascade of the nonlinear function and PCA
  - requires ROM and memory reading operations for the nonlinear functions (similar to the S-boxes of DES)
  - employs PCAX() controlled by binary vector X
  - output function: PCA-based key stream generator
- The proposed scheme
  - employs 5-variable Boolean functions which use only bitwise logical operations
  - uses the more complex PCAXY(), which applies one of four cases dependent on binary vectors X and Y
  - output function: the combination of CA and PCA

44 Secure hash function based on CA(cont.)
The computational complexity, for n=160, l=8, k=3 Mihaljevic’s scheme the compression function 40 times ROM reading 20 times ROM reading 160-bit CA(=480 XOR operation) 160-bit PCA(=480 XOR operation) 160 times XOR operation the output function 160 times mod addition, 160 times ROM reading, 160-cycle PCA operation, and 160-bit permutation

45 Secure hash function based on CA(cont.)
The proposed scheme the compression function 40 times mod 256 addition and 124 times XOR operation 160-bit CA(=480 XOR operation) 80 times mod 256 addition and 40 times 1-bit shift 160-bit PCA(=480 XOR operation) 160 times XOR operation the output function 360-cycle CA operation and 160-cycle PCA operation

46 Secure hash function based on CA(cont.)
When processing the compression function, the proposed scheme processes the 4n bits input data Mihaljevic’s scheme processes the 2n bits input data when processing the same length of the input data, Mihaljevic’s scheme 2 times computation of the compression function than the proposed scheme Assuming 640 bits input data Mihaljevic’s scheme : 80 times ROM reading times XOR operation proposed scheme : 160 times mod 256 addition + 40 times 1-bit shift XOR operation

47 Secure hash function based on CA(cont.)
- Memory requirement for n=160, l=8, k=3
  - Mihaljevic's scheme: about 1546 Kbits of ROM and an 800-bit buffer
  - proposed scheme: about a 1600-bit buffer
- However, the proposed scheme has more complex control logic than Mihaljevic's scheme, and the implementation complexity is increased due to the PHT and the nonlinear function
- The proposed scheme has a variable-length hash result
  - it can be used in various applications

48 The MAC(Message Authentication Code) using the proposed hash algorithms

49 The MAC construction using SMD
- Design goals
  - The secret key should be involved at the beginning and end, and at every iteration of the hash function
  - The deviation from the original hash function should be minimal in order to minimize implementation effort and maximize on confidence previously gained
  - The performance should be close to that of the hash function
  - The additional memory requirements should be minimized
  - The approach should be generic, i.e. should apply to any MD-family hash functions

50 The MAC construction using SMD(cont.)
- Key extraction
  - concatenate K to itself a sufficient number of times to build a 512-bit block
  - apply it to the hash function and construct the 160-bit key used for the MAC
- Generating a random permutation of the order of message words
  - use the leftmost 10 bytes (k1) of the 160-bit key k (in practice, 75 bits)
  - use the Knuth algorithm, which maps any permutation of size m bijectively to an integer between 0 and (m!-1)
  - After applying the permutation, which corresponds one-to-one to the random number generated from the linear congruential equation, to the Knuth algorithm, compose the two resulting permutations of the algorithm and use the result as the order of message words

51 The MAC construction using SMD(cont.)

52 The MAC construction using SMD(cont.)
- Modifying the constants
  - take the 8 bytes (k2) next to k1
  - split them into four 16-bit substrings
  - each substring is concatenated to itself repeatedly in order to build a 32-bit word
  - each word is added mod 2^32 to the constants used in each round
- Computing the MAC
  - key elements are prepended and appended to a message M
  - the MAC result is the leftmost m bits of the hash value; m=n/2 is recommended for most applications
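The two key-dependent steps of slides 50 and 52 (integer to permutation through the factorial number system, and the 16-bit substrings added to the round constants), as an added example that is not the author's implementation. Assumptions made here: the permutation has 24 entries (the 24 message words per round), k1 is the top 75 of the 80 bits, substring i goes to round i, and the key and round constants are constructed sample values rather than SMD's; the linear congruential step and the composition of two permutations are not covered.

```python
import math

WORDS_PER_ROUND = 24  # assumption: 16 input words + 8 expanded words per round

def split_key(key160):
    """Split the 160-bit MAC key into k1 (75-bit integer) and k2 (8 bytes)."""
    if len(key160) != 20:
        raise ValueError("expected a 160-bit key")
    k1 = int.from_bytes(key160[:10], "big") >> 5  # assumption: top 75 of 80 bits
    k2 = key160[10:18]
    return k1, k2

def int_to_permutation(value, m=WORDS_PER_ROUND):
    """Map an integer in [0, m!-1] to a permutation of range(m)."""
    if not 0 <= value < math.factorial(m):
        raise ValueError("value out of range for a permutation of this size")
    digits = []
    for radix in range(1, m + 1):          # factorial number system digits,
        value, d = divmod(value, radix)    # one division and one modulo each
        digits.append(d)
    items = list(range(m))
    return [items.pop(d) for d in reversed(digits)]

def permutation_to_int(perm):
    """Inverse mapping, showing that the correspondence is one-to-one."""
    items = sorted(perm)
    value = 0
    for radix, p in zip(range(len(perm), 0, -1), perm):
        d = items.index(p)
        items.pop(d)
        value = value * radix + d
    return value

def modify_constants(constants, k2):
    """Add each doubled 16-bit substring of k2 to one round constant mod 2^32."""
    out = []
    for i, c in enumerate(constants):
        half = int.from_bytes(k2[2 * i:2 * i + 2], "big")
        word = (half << 16) | half         # substring concatenated to itself
        out.append((c + word) & 0xFFFFFFFF)
    return out

# Constructed sample inputs (not SMD's constants, not a real key).
SAMPLE_KEY = bytes(range(1, 21))
SAMPLE_CONSTANTS = [0x00000000, 0x11111111, 0x22222222, 0xFFFFFFFF]

if __name__ == "__main__":
    k1, k2 = split_key(SAMPLE_KEY)
    print(int_to_permutation(k1))
    print([hex(c) for c in modify_constants(SAMPLE_CONSTANTS, k2)])
```

Every 75-bit value is a valid index because 2^75 is smaller than 24!, while 23! would already be too small.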

53 The MAC construction using SMD(cont.)
- The computational overhead of the proposed MAC
  - one block operation for the key extraction
  - two blocks prepended and appended to a message
  - the generation of random permutations for the order of message words
    - requires a multiprecision operation for converting the 75-bit k1 to the factorial number system
    - one division (multiprecision / int)
    - one modulo operation (multiprecision mod int)
  - only 10% slower than that of the original hash function
- Security
  - In the final step, key elements prepended and appended to a message are similar to the envelope method

54 The MAC construction using SMD(cont.)
To add key component to constants provides additional protection over the envelope method In each round, the random permutation of the order of message words trapdoor one-way function the probability that the order of message words is equal or reversed to that of the previous round, is negligible 160-bit key K is secure against an exhaustive search 160-bit key K has an advantage when comparing with 672 bits( ) previously proposed for the envelope method If a MAC result is equal to m=n/2, a forgery attack on the proposed MAC requires chosen text-MAC pairs and known texts strong against attack exploiting the internal structure of the hash function keep the order of message words applied to each round securely

55 Concluding Remarks

56 Concluding Remarks
- Proposed new hash functions
- SMD
  - based on the design principles of existing MD-family hash functions
  - processes an arbitrary-length message in 512-bit blocks and outputs a 160-bit message digest
  - 4 rounds, each round executes 24 step operations
  - message expansion and cryptographically strong Boolean functions
  - data-dependent rotation improves the security because the hash result is more dependent on the input message
- CA-based hash function
  - compression function and output function are constructed by cellular automata (CA)
  - fast processing by hardware implementation
  - the application of CA theory for the security analysis
  - the pre-image and collision resistance due to the employed principles and building blocks

57 Concluding Remarks(cont.)
- Proposed MAC
  - The secret key should be involved at the beginning and end, and at every iteration of the hash function
  - The deviation from the original hash function should be minimal in order to minimize implementation effort and maximize on confidence previously gained
  - The performance should be close to that of the hash function
  - The additional memory requirements should be minimized
  - The approach should be generic, i.e. should apply to any MD-family hash functions

58 Thanks a lot !!!

59 Compression Function of MD4

60 Compression Function of MD5

61 Compression Function of RIPEMD-160

62 Compression Function of SHA-1

63 The structure of the proposed MAC
10 bytes bytes hash( ) Generating random permutations for the order of message words Modifying the constants 160 bits hash result

