Which Hash Functions will survive?
Xiaoyun Wang (Shandong University), Xuejia Lai (Shanghai Jiaotong University), Magnus Daum (Ruhr University Bochum)

Overview
- Applications and Properties
- Hash Functions of the MD4-Family
- Different Methods of Attacks
- Attacks on Iterated Hash Functions
- The Modular Differential Attack
05.11.2004 Which Hash Functions will survive?

Applications and Properties

What is a Hash Function?
A hash function
- is efficiently computable
- compresses information of arbitrary length to some information of fixed length ("digital fingerprint")
[Figure: message, hash function]

Application in Digital Signature Schemes
[Figure: Alice and Bob each apply h; comparison "?="; "Signature okay?"]

Properties of Cryptographic Hash Functions
- preimage-resistance: "Given V, find M such that h(M)=V" is infeasible
- 2nd-preimage-resistance: "Given M, find M' ≠ M such that h(M')=h(M)" is infeasible
- collision-resistance: "Find M' ≠ M such that h(M')=h(M)" is infeasible
(Speaker note: mention the implications!)

Application in Digital Signature Schemes
[Figure: Eve holds two contracts, one about €10k and one about €50k, with the same hash value under h]
- Eve: "Alice, please sign this contract!"
- Alice: "Okay, I will sign the contract about €10k."
- Eve: "Bob, Alice signed this contract!"
- Bob: "Alice signed the contract about €50k. Signature is okay!"
- Collision!

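The contract scenario on this slide, as an added example that is not part of the original slides. It assumes a deliberately weak toy hash (SHA-256 truncated to 24 bits) so that a collision is cheap to find, and uses an HMAC as a stand-in for Alice's signing operation; the key and contract texts are constructed.

```python
import hashlib
import hmac
from itertools import count

def toy_hash(msg: bytes) -> bytes:
    """Deliberately weak h: SHA-256 truncated to 24 bits (assumption for the demo)."""
    return hashlib.sha256(msg).digest()[:3]

ALICE_KEY = b"constructed-demo-key"  # stand-in for Alice's private signing key

def sign(msg: bytes) -> bytes:
    """Hash-then-sign: the signature depends on msg only through h(msg)."""
    return hmac.new(ALICE_KEY, toy_hash(msg), hashlib.sha256).digest()

def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)

def find_colliding_contracts(text_a: bytes, text_b: bytes):
    """Birthday search over harmless variants (a trailing reference number)
    of two contracts until one variant of each shares a hash value."""
    seen_a, seen_b = {}, {}
    for i in count():
        va = text_a + b" ref:%d" % i
        vb = text_b + b" ref:%d" % i
        ha, hb = toy_hash(va), toy_hash(vb)
        seen_a[ha] = va
        seen_b[hb] = vb
        if ha in seen_b:
            return va, seen_b[ha]
        if hb in seen_a:
            return seen_a[hb], vb

def demo():
    low, high = find_colliding_contracts(b"Alice pays EUR 10k.", b"Alice pays EUR 50k.")
    sig = sign(low)  # Alice signs the 10k contract she was shown
    return low, high, sig

if __name__ == "__main__":
    low, high, sig = demo()
    print("signed:   ", low)
    print("presented:", high)
    print("Bob's check on the 50k contract passes:", verify(high, sig))
    print("full SHA-256 digests differ:",
          hashlib.sha256(low).digest() != hashlib.sha256(high).digest())
```

With the untruncated 256-bit digest the same birthday search is infeasible, which is exactly what collision-resistance is meant to guarantee.
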
Hash Functions of the MD4 Family

Of practical interest:
- Hash functions based on block ciphers:
  - Matyas-Meyer-Oseas, Davies-Meyer, Miyaguchi-Preneel
  - MDC-2, MDC-4
- Dedicated hash functions:
  - MD4, MD5, RIPEMD-{0,128,160,256,320}, SHA-{0,1,224,256,384,512} (the MD4-Family)
  - Tiger
  - Whirlpool
(Speaker note: include examples of block-cipher-based functions?)

Overview MD4-Family
- MD4 (Rivest '90)
- Ext. MD4 (Rivest '90)
- SHA-0 (NIST, '93)
- RIPEMD-0 (RIPE, '92)
- SHA-1 (NIST, '95)
- MD5 (Rivest '92)
- HAVAL (Zheng, Pieprzyk, Seberry '93)
- RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320 (Dobbertin, Bosselaers, Preneel '96)
- SHA-224, SHA-256, SHA-384, SHA-512 (NIST, '02/04)

General Structure
[Figure: Iterated Compression Functions]
- collision-resistance of the compression function
- collision-resistance of the hash function
(Speaker note: brief)

Common Structure of the Compression Functions
[Figure: Message Expansion]
(Speaker note: brief)

Different Message Expansions
- SHA: recursive definition
- MD / RIPEMD: roundwise permutations of the Mi
(Speaker note: important!)
e.g. SHA-1:

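The two expansion styles named on this slide, as an added example that is not from the original slides. The MD5 index permutations and the SHA-0/SHA-1 recurrence are taken from the published algorithm specifications; the function names are hypothetical. It checks that MD5 consumes every Mi exactly four times, and shows how a one-bit message difference spreads through the SHA-0 and SHA-1 expansions.

```python
MASK = 0xFFFFFFFF  # 32-bit words

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md5_word_order():
    """Index i of the message word Mi consumed in each of MD5's 64 steps."""
    rounds = (lambda i: i,                 # round 1: identity
              lambda i: (5 * i + 1) % 16,  # round 2
              lambda i: (3 * i + 5) % 16,  # round 3
              lambda i: (7 * i) % 16)      # round 4
    return [perm(i) for perm in rounds for i in range(16)]

def sha_expand(block, rotate):
    """Recursive expansion of 16 words to 80; rotate=0 is SHA-0, rotate=1 is SHA-1."""
    w = list(block)
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], rotate))
    return w

def expanded_difference(rotate, word=0, bit=0):
    """XOR difference in the 80 expanded words after flipping one message bit.
    The expansion is linear over F_2, so the result is the same for every message."""
    base = [0] * 16
    flipped = list(base)
    flipped[word] ^= 1 << bit
    return [a ^ b for a, b in zip(sha_expand(base, rotate), sha_expand(flipped, rotate))]

def bit_positions_touched(diff):
    """Number of distinct bit positions (0..31) that carry a difference somewhere."""
    combined = 0
    for d in diff:
        combined |= d
    return bin(combined).count("1")

if __name__ == "__main__":
    order = md5_word_order()
    print("MD5 uses of each Mi:", [order.count(i) for i in range(16)])
    for name, rot in (("SHA-0", 0), ("SHA-1", 1)):
        diff = expanded_difference(rot)
        print(name, "words affected:", sum(1 for d in diff if d),
              "bit positions touched:", bit_positions_touched(diff))
```

In SHA-0 the difference never leaves the bit position it started in, which is what makes a bitwise-linear analysis of the expansion tractable; the one-bit rotation in SHA-1 spreads it across positions.
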
Step Operation
MD5:
SHA-0/1:
- Only 1 register changed per step
- Mixture of different kinds of operations

Attack Methods

Collision Attacks
collision-resistance: "Find M' ≠ M such that h(M')=h(M)" is infeasible
Three different kinds of (successful) attacks:
- Dobbertin (1995/96)
- Chabaud/Joux (1998), Biham/Chen (2004), Joux (2004)
- Wang/Feng/Lai/Yu (2004)

Dobbertin's Attacks
Idea: Describe the whole compression function by means of a huge system of equations
- Variables:
  - Message words
  - Contents of the registers
- Equations:
  - Step operation
  - Message Expansion
  - Collision
Equations include many very different kinds of operations, e.g. F_2-linear, "modulo 2^32" operations and bitwise defined Boolean functions
- Hard to solve with algebraic means
- Special methods are needed

Example: Attack on MD5
- Find with
- Each Mi is used in exactly four steps in the computation
- Choose and for all other i
- Computations run in parallel to each other up to the first appearance of i 0
- Another special restriction: Require Inner Collisions
[Figure: Inner Collisions; labels: i=0, 150]

Overview MD4-Family
- MD4 (Rivest '90)
- Ext. MD4 (Rivest '90)
- SHA-0 (NIST, '93)
- RIPEMD (RIPE, '92)
- SHA-1 (NIST, '95)
- MD5 (Rivest '92)
- HAVAL (Zheng, Pieprzyk, Seberry '93)
- RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320 (Dobbertin, Bosselaers, Preneel '96)
- SHA-224, SHA-256, SHA-384, SHA-512 (NIST, '02/04)
Attacks marked in the diagram: Kasselman/Penzhorn 2000; Dobbertin '95/96

Chabaud/Joux-Attack on SHA-0
Idea:
- Approximate the compression function by a linear function
- Find collisions for this linearised function
- Find messages with the same "differential behaviour" in the real compression function
3 non-linear parts in SHA-0:
- addition modulo 2^32
Can all be approximated by bitwise ⊕ (linear)

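How good the ⊕ approximation of addition modulo 2^32 is, as an added example that is not part of the original slides (function names are hypothetical). It measures how often a difference flipped into one addend comes out of the modular addition unchanged, which is the per-step probability that a message pair shows the same "differential behaviour" as in the linearised function.

```python
import random

def xor_diff_survives(x, y, delta, bits=32):
    """True if flipping the bits `delta` in x flips exactly `delta`
    in (x + y) mod 2^bits, i.e. addition behaved like bitwise XOR."""
    mask = (1 << bits) - 1
    return (((x + y) & mask) ^ (((x ^ delta) + y) & mask)) == delta

def exact_rate(delta, bits=8):
    """Exhaustive success probability on small words (all x, y pairs)."""
    n = 1 << bits
    hits = sum(xor_diff_survives(x, y, delta, bits)
               for x in range(n) for y in range(n))
    return hits / (n * n)

def sampled_rate(delta, trials=20000, seed=2004):
    """Monte Carlo estimate on real 32-bit words; seed fixed for reproducibility."""
    rng = random.Random(seed)
    hits = sum(xor_diff_survives(rng.getrandbits(32), rng.getrandbits(32), delta)
               for _ in range(trials))
    return hits / trials

def per_bit_rates(bits=8):
    """Success probability for a single-bit difference at each bit position."""
    return [exact_rate(1 << j, bits) for j in range(bits)]

if __name__ == "__main__":
    print("8-bit words, difference in bit j:", per_bit_rates())
    print("8-bit words, difference in bits 0 and 1:", exact_rate(0b11))
    print("32-bit words, difference in bit 31:", sampled_rate(1 << 31))
    print("32-bit words, difference in bit 5: ", sampled_rate(1 << 5))
```

A difference in the most significant bit always passes, because the carry it produces is discarded by the reduction modulo 2^32; every lower bit passes with probability 1/2, and the probabilities multiply as more difference bits are involved.
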
Elementary Collisions
(Speaker note: maybe also add differences)
- each collision of the complete (linearised) compression function is a linear combination of such elementary collisions

Biham/Chen: Neutral Bits
Idea:
- Find bits of the message that can be changed without changing the "differential behaviour" up to some step k
- produce a big number of messages which fulfill some of the needed conditions automatically
- increased probability of success

Overview MD4-Family
- MD4 (Rivest '90)
- Ext. MD4 (Rivest '90)
- SHA-0 (NIST, '93)
- RIPEMD (RIPE, '92)
- SHA-1 (NIST, '95)
- MD5 (Rivest '92)
- HAVAL (Zheng, Pieprzyk, Seberry '93)
- RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320 (Dobbertin, Bosselaers, Preneel '96)
- SHA-224, SHA-256, SHA-384, SHA-512 (NIST, '02/04)
Attacks marked in the diagram: Joux 2004; Wang/Feng/Lai/Yu 2004; Chabaud/Joux '98; Biham/Chen 2004