Introduction to Practical Cryptography Hash Functions

Agenda Hash Functions Properties Uses General Design Examples: MD4, MD5, SHA-0, SHA-1, SHA-256 Collision Attacks – General Method SHA3 competition

Hash Properties Map bit strings of arbitrary length to fixed-length outputs h = hash(m), h is fixed-length, short Not injective, but collisions unlikely Example: 2160 possible values Computationally infeasible to generate collisions Computationally infeasible to invert

Hash Properties Preimage resistant: given h, hard to find m such that h = hash(m) Second preimage resistant: given m1, hard to find m2 (≠ m1) such that hash(m1) = hash(m2) Collision-resistant: hard to find m1 and m2, m2 ≠ m1, such that hash(m1) = hash(m2)

In Practice Heuristics Simple operations, performance: Iterative, series of rounds Diffusion through logical operations, addition, shifts, rotates

Uses Data integrity: Shorten data for signing Data Structures: Error detection Attacker can still modify file and recompute hash Forgery, modification - MAC Shorten data for signing Data Structures: Hash list Hash (Merkle) Tree Hash Table

Hash - Uses Integrity – Error Detection Hash file/message Attacker can still modify file and recompute hash Integrity – prevent forgery, modification MAC (keyed hash) Authentication Signature: hash data to shorten (for efficiency) then encrypt with public key algorithm Append shared secret to unencrypted data then hash Random bits Data Structures: Hash list Hash (Merkle) Tree Hash Table

MAC Message Authentication Code – keyed hash Examples: Encrypt hash with symmetric key cipher HMAC H(H(K  c1) || H((K  c2) || m))

CBC-MAC (tag) Need to be careful in designing a MAC: Without knowing the key k, can ask to calculate the CBC-MAC tag of any message Produce a MAC for a new message: use two message-tag pairs (m,t) and (m',t’), m and m' : single blocks (can be random) (m || (t  m’), t’) : valid message-tag pair CBC-MAC of m || (t  m’) is t’ (see next slide)

CBC-MAC two message-tag pairs (m,t) and (m',t’), m and m' : single blocks (can be random) CBC-MAC of m || (t  m’) is also t’ when computing CBC, result from m is t (“ciphertext” from block cipher) then continuing CBC mode: t is XORed with t  m’ t  m’  t = m’ and the result is the next input to the block cipher thus the output is t’ therefore, (m || t  m’, t’) is a valid message-tag pair

MAC MAC: H(Key | message) Append attack With most current hashes that “chain” blocks can get a valid MAC for H(Key | message | message’) Put the secret at the end of the message Don’t use all the output bits as the MAC

HMAC H( (key  const1) || H( ((key || 0..0)  const2) || data) ) Append 0’s to key until have 512 bits XOR with constant and prepend to data Hash XOR key with different constant and prepend to result Hash again H( (key  const1) || H( ((key || 0..0)  const2) || data) ) If H is secure, so is HMAC: Collision resistant If given HMAC(key,x), can’t compute HMAC(key,y) without knowing key

Generating “Random” Bits Hash together information containing some randomness Copy of every keystroke, mouse event Time between keystrokes Disk seek latency, sector number, etc. Contents of the display Audio input Packet inter-arrival latency, CPU load Hash all this information together Allows generation of pseudo-random data

Challenge-Response without Encryption Alice Bob Ra ---------------> <--------------- H(K | Ra), Rb H(K | Rb) -----------------> H is a hash function K is a shared secret Ra,Rb are random values

Storing Passwords Idea: hash password and store result When user enters password, hash and compare with stored value

Password Storing Old Unix password algorithm: Store hash of user password Hash typed password, compare with stored hash First 8 bytes of password are the secret key Then encrypt all-zeroes block with DES-like algorithm Salt: 12-bit random number, (used in modified DES) Salt stored with hashed result Later versions used MD5, Blowfish

Hash List h21 h11 h12 h13 h14 h15 h16 h17 h18 m1 m2 m3 m4 m5 m6 m7 m8

Hash Tree h41 h31 h32 h21 h22 h23 h24 h11 h12 h13 h14 h15 h16 h17 h18 m1 m2 m3 m4 m5 m6 m7 m8

General Structure Message m padded to M, a multiple of a fixed-length block M is divided into segments m1,m2, … mn m1 m2 … … mn IV F F F hash value … Merkle-Damgard, 1989 F is called the compression function Takes inputs mi and output of previous iteration Typically a series of rounds Output called a “chaining variable” Typically, a function operates on chaining variables then adds to mi

General Structure Padding “100…0” MD4, MD5: last 64 bits depend on first block SHA*: last bits depend on length of message

General Structure … … F F F … m1 m2 … … mn IV F F F hash value … Avalanche: All output bits depend on all input bits Diffusion: ideally want change to one input bit to change each output bit with prob. ½

MD4 Rivest, RFC 1320 Fast in software Simple to program Memory efficient - no large data structures

MD4 Notation word = 32 bits Message m XY = X AND Y X v Y = X OR Y

MD4 m’ = m100 … 0 Pad m until it is 64 bits short of a multiple of 512 Message is always padded (i.e. even 448 bits are padded) Append a 1 followed by 0’s : M[0 ... N-1] = m’ with low order 64 bits of m appended to it N is a multiple of 16 Four-word buffer (A,B,C,D) initialize to: A: 01 23 45 67 B: 89 ab cd ef C: fe dc ba 98 D: 76 54 32 10 just counts 0 to 15 and back

MD4 – Internal Functions F(X,Y,Z) = XY v not(X) Z Bitwise conditional: if X then Y else Z. G(X,Y,Z) = XY v XZ v YZ Bitwise majority function: bit positions in which 2 or more bits are 1, output has a 1, else output has a 0 H(X,Y,Z) = X  Y  Z Bit positions with odd number of 1’s are 1, rest are 0 Note: if bits of X, Y, and Z are independent and unbiased, each bit of F(X,Y,Z) and each bit of G(X,Y,Z) also will be independent and unbiased.

MD4 for (i = 0 to N/16-1) { } /* end for i */ Output A,B,C,D /* Copy block i into X. */ For (j = 0 to 15) { X[j] = M[i*16+j] } /* Save A, B, C,D */ AA = A BB = B CC = C DD = D /* Combine Message blocks with A,B,C,D */ Round 1 Round 2 Round 3 Increment A,B,C,D by their values (AA,BB,CC,DD) at start of iteration } /* end for i */ Output A,B,C,D compression function A,B,C,D is chaining variable

MD4 Round 1 Function operates on chaining variable, adds in message block /* [abcd k s] denotes a = (a + F(b,c,d) + X[k]) <<< s. */ /* 16 operations. */ [ABCD 0 3]; [DABC 1 7]; [CDAB 2 11] ; [BCDA 3 19]; [ABCD 4 3]; [DABC 5 7] ; [CDAB 6 11]; [BCDA 7 19]; [ABCD 8 3]; [DABC 9 7]; [CDAB 10 11]; [BCDA 11 19] [ABCD 12 3]; [DABC 13 7]; [CDAB 14 11]; [BCDA 15 19]; Note: each word rotates through each of the four positions for each value of s X[k] (M) combined with A,B,C,D Words sequential in round 1 (i.e. k = 1,2,3,…. 15 in order)

MD4 Round 2 /* [abcd k s] denotes a = (a + G(b,c,d) + X[k] + 0x5A827999) <<< s. */ /* 16 operations. */ [ABCD 0 3]; [DABC 4 5]; [CDAB 8 9]; [BCDA 12 13]; [ABCD 1 3]; [DABC 5 5]; [CDAB 9 9]; [BCDA 13 13]; [ABCD 2 3]; [DABC 6 5]; [CDAB 10 9]; [BCDA 14 13]; [ABCD 3 3]; [DABC 7 5]; [CDAB 11 9]; [BCDA 15 13]; Word ordering altered from round 1

MD4 Round 3 /* Let [abcd k s] denotes a = (a + H(b,c,d) + X[k] + 0x6ED9EBA1) <<< s. */ /* 16 operations. */ [ABCD 0 3]; [DABC 8 9]; [CDAB 4 11]; [BCDA 12 15] [ABCD 2 3]; [DABC 10 9]; [CDAB 6 11]; [BCDA 14 15] [ABCD 1 3]; [DABC 9 9]; [CDAB 5 11]; [BCDA 13 15]; [ABCD 3 3]; [DABC 11 9]; [CDAB 7 11]; [BCDA 15 15] Word ordering partially altered from round 2

MD4 – End of Loop Addition /* increment each of A,B,C,D by the value it had before this block was started. */ A = A + AA B = B + BB C = C + CC D = D + DD

MD4 Constants 5A827999: 32-bit constant, represents the square root of 2. The octal value is 013240474631. 6ED9EBA1: 32-bit constant, represents the square root of 3. The octal value is 015666365641.

MD5 Designed to replace MD4 RFC 1321, Rivest for (i = 0 to N/16-1) { First two and last two rounds of MD4 attacked RFC 1321, Rivest for (i = 0 to N/16-1) { /* Copy block i into X */ For (j = 0 to 15) { X[j] = M[i*16+j] } /* Save A, B, C,D */ AA = A BB = B CC = C DD = D /* Combine Message blocks with A,B,C,D */ Round 1 Round 2 Round 3 Round 4 Increment A,B,C,D by value at start of iteration } /* end for i */ Output A,B,C,D

MD5 Changes to MD4 Fourth round added Each step now has a unique additive constant The function G changed from (XY v XZ v YZ) to (XZ v Y not(Z)) (less symmetric) The order in which input words are accessed in rounds 2 and 3 is changed, to make these less like similar to each other. The shift amounts in each round have been changed to produce a faster avalanche effect. The shifts in different rounds are distinct.

MD5 Internal Functions F(X,Y,Z) = XY v not(X) Z G(X,Y,Z) = XZ v Y not(Z) H(X,Y,Z) = X  Y  Z I(X,Y,Z) = Y  (X v not(Z))

MD5 Uses a 64-element table T[1 ... 64] constructed from the sine function T[i] equals the integer part of 4294967296 times abs(sin(i)), where i is in radians

MD5 Round 1 /* [abcd k s i] denotes a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */ /* 16 operations. */ [ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4] [ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8] [ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12] [ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16] Constant added, varies

MD5 Round 2 /* [abcd k s i] denotes a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */ /*16 operations. */ [ABCD 1 5 17] [DABC 6 9 18] [CDAB 11 14 19] [BCDA 0 20 20] [ABCD 5 5 21] [DABC 10 9 22] [CDAB 15 14 23] [BCDA 4 20 24] [ABCD 9 5 25] [DABC 14 9 26] [CDAB 3 14 27] [BCDA 8 20 28] [ABCD 13 5 29] [DABC 2 9 30] [CDAB 7 14 31] [BCDA 12 20 32] not reusing shift amounts across rounds

MD5 Round 3 /* Let [abcd k s t] denotes a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */ /* Do the following 16 operations. */ [ABCD 5 4 33] [DABC 8 11 34] [CDAB 11 16 35] [BCDA 14 23 36] [ABCD 1 4 37] [DABC 4 11 38] [CDAB 7 16 39] [BCDA 10 23 40] [ABCD 13 4 41] [DABC 0 11 42] [CDAB 3 16 43] [BCDA 6 23 44] [ABCD 9 4 45] [DABC 12 11 46] [CDAB 15 16 47] [BCDA 2 23 48] Word ordering altered from round 2 to greater extent than in MD4

MD5 Round 4 /* [abcd k s t] denotes a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */ /* 16 operations. */ [ABCD 0 6 49] [DABC 7 10 50] [CDAB 14 15 51] [BCDA 5 21 52] [ABCD 12 6 53] [DABC 3 10 54] [CDAB 10 15 55] [BCDA 1 21 56] [ABCD 8 6 57] [DABC 15 10 58] [CDAB 6 15 59] [BCDA 13 21 60] [ABCD 4 6 61] [DABC 11 10 62] [CDAB 2 15 63] [BCDA 9 21 64] One more round than MD4

MD5 Addition A = A + AA B = B + BB C = C + CC D = D + DD Same as MD4

RIPEMD, Haval RIPEMD - modified MD4 Haval – modified MD5 Rotation changed Order of message words altered Two instances run in parallel with different constants; at end of each block, output of each added to chaining variables Haval – modified MD5 Processes 1024-bit message blocks instead of 512 Internal functions take 7 variables, nonlinear Permutes input to round Chaining variable: 8 segments instead of 4 Different constants

SHA-0 Input m  264 bits Output 160 bits Padded, processed in 512-bit blocks Each iteration takes 160-bit chaining variable and 512-bit block, outputs 160-bit chaining value First chaining value is a fixed constant (IV) Last chaining value is the output

SHA-0 Pad m to multiples of 512 bits N 512-bit blocks Append 1, 0’s, length of m N 512-bit blocks For (j=0 to N-1) { 512-bit block divided into 32-bit segments: m0,m1, … m16 Expand to 80 32-bit segments: for i = 16 to 79: mi = mi-3  mi-8  mi-14  mi-16 80 32-bit words processed by round function }

SHA-0 Round a,b,c,d,e are the chaining variable ki is a round constant function operating on chaining variables Rotating segments of chaining variable a,b,c,d,e are the chaining variable ki is a round constant Function f varies per round – on next slide

SHA-0 Round Function

SHS NIST FIPS 180-2, Secure Hash Standard (SHS) 2002 SHA-1: message < 264 bits, 160-bit output SHA-256: message < 264 bits, 256-bit output SHA-384: message < 2128 bits, 384-bit output SHA-512: message < 2128 bits, 512-bit output

SHA-1 and SHA-256 Padding Message M of l bits Pad to a multiple of 512 bits Append a 1 Append k 0’s where l + 1 + k = 448 mod 512 Append 64 bits equal to the binary representation of l

SHA-1 and SHA-256 Processing N 512-bit blocks Block denoted by M(i) 32-bit segment of block denoted by Mj(i) i = ith block j = jth 32-bit segment of ith block, j = 0,1… 16

SHA-1 Internal functions, each operating on three 32-bit words

SHA-1 Constants used in the rounds:

SHA-1 Initialization of array containing the hash value Five 32-bit words

SHA-1 Algorithm Pad the message M Break into N 512-bit blocks Initialize H for i = 1 to N { Populate W with block i and rotate Initialize intermediate variables a,b,c,d,e 80 rounds Update H } Output H

SHA-1 for i = 1 to N: Change from SHA-0, rotate 1 bit

SHA-1 Operating on chaining variable then adding in message block

SHA-1 Update chaining variable end of for i loop Output :

SHA-256 Pad the message M Break into N 512-bit blocks Initialize H for i = 1 to N { Populate W with block i and rotate Initialize intermediate variables a,b,c,d,e,f,g,h 64 rounds Update H } Output H

SHA-256 logical functions, inputs are 32-bit words Change from SHA1

SHA-256 Constants used in the rounds: 64 32-bit constants K0, K1 .. K63 Change from SHA1

SHA-256 Initialization of chaining variable Eight 32-bit words

SHA-256 for i = 1 to N: Change from SHA1

SHA-256 Operating on chaining variable then adding in message block Change from SHA1

SHA-256 Update chaining variable end of for i loop Output :

Collisions - Uses Generate meaningful files with the same hash Example: Code download – replace code, hash file remains unchanged

Birthday Paradox  23 people in a room probability 2 have same birthday is  50% In general: Given “random” mapping H(xi) = yi n inputs, k possible outputs n(n-1)/2 possible input pairs probability H(xi) = H(xj) is 1/k Approximation: need k/2 pairs for 50% probability so want n > (k) ½ (for match) Hash functions: want low probability of a match Larger k is, the more inputs an attacker must try

Collisions - Uses Generate certificates with same hash X.509 certificate: Name, usage, extension… RSA public key: (n, e) Signature of CA Attack Two certificates identical except for RSA modulus: n1, n2 n1 ≠n2 MD5(n1) = MD5(n2) Lenstra, Wang, Weger, Colliding X.509 Certificates, eprint March 2005 Certificates available at http://www.win.tue.nl/~bdeweger/CollidingCertificates/ The CA certificate is self-signed MD5 hashes are not identical when include 4 byte ASN.1 header *certificate image from Yin, ACNS 2005

Collisions Differentials Recall differential cryptanalysis from block ciphers Look at  of inputs,  of outputs after each round In block ciphers, 1 to1 mapping, Never have in ≠ 0  out = 0 In hash functions, round output shorter than input There exists in ≠ 0  out = 0 Need to find these ‘s

Collisions - Differentials m ≠ 0 for two inputs can produce =0 in an intermediate value of the hash MD4, MD5, SHA* … are of the form: M = [m0,m1, … mn] For (i=0 to n) { Process mi, produce Hi (the chaining variable) Process mi+1, combine with Hi to get Hi+1 … } Furthermore, mi is only added into chaining variables

Collisions Differentials M = [m0,m1, … mn] M’ = [m’0,m’1, … m’n] Find m0, m’0 that produce same chaining variable, Set mi = m’i for remaining blocks In MD4, MD5 – issue of padding includes bits from unpadded message In SHA* - length is append

Collisions - Differentials Processing block M in blocks M = [m0,m1, … mn] M’ = [m’0,m’1, … m’n] Find messages that produce x through block i with high probability Set jth block of messages to cancel x Remaining blocks of both messages can be =

Existing Hashes: General Structure Message m padded to M, a multiple of a fixed-length block M is divided into segments m1,m2, … mn m1 m2 … … mn IV F F F hash value … F is called the compression function Takes inputs mi and output of previous iteration Typically a series of rounds Output called a “chaining variable”

Collisions Find M1 ≠ M2 that produce x through block i with high probability Set subsequent blocks of m1, m2 to cancel x Remaining blocks of m1, m2 can be = m11 m1i m1i+1 m1i+2 m1n x1i+1 = Z IV x1i F F F F F H m21 m2i m2i+1 m1i+2 m1n x2i+1 = Z IV x2i F F F F F H x1i  x2i = x x1i+1 = x2i+1

Workload of Known Attacks (2005) Hash function Expected strength Known attacks MD4 264 O(3) MD5 O(230+) SHA-0 280 O(239) SHA-1 O(263)

Collisions Wang, Feng, Lai, Yu, 2004 Collisions for MD4, MD5, Haval-256, RIPEMD Message Modification Find differential path that produces possible collision Identify conditions for path to hold Modify message words to follow path in first round (and second round as much as possible) Setting messages in this manner increases chance collision holds

MD4 Collisions M’ = M + C C = (0,231,-228+231,0,0,0,0,0,0,0,0,0,-216,0,0,0) MD4(M) = MD4(M’) mi for i = 1,2,12 differ between M and M’

MD4 Collision Example m0[16] = { 0xa8b1b641, 0x88d2ecaf, 0xb7d7c1a1, 0x99044241, 0xffef1639, 0x1934bdcf, 0x30e2adb8, 0x252ac4b4, 0x7bad86a5, 0x7883f30e, 0x8b37f23b, 0xd694dce0, 0x701d8b69, 0x045095eb, 0x92012e03, 0x71ed419e } m1[16] = { 0xa8b1b641, 0x08d2ecaf, 0x27d7c1a1, 0x99044241, 0x701c8b69, 0x045095eb, 0x92012e03, 0x71ed419e

MD5 – Prior Collisions Bert den Boer and Bosselaers: pseudo-collision for MD5 - same message with different IVs Dobbertin: two different 512-bit messages with a chosen initial value different from that in MD5

MD5 Collisions M,N each 512 bits N,N’ cancels differential from M,M’ Uses initial IV of MD5 Two 1024-bit messages ~ 1 hour to find M’s, 5-15 minutes to find N’s

SHA-0 Collisions 2004 Joux pair of 2048 bit inputs 80K CPU hours (3 weeks) Work equivalent of 251 hashes Local differentials of 6 steps

SHA-0 Collisions Wang, Yu, Yin 2005 Full collision in equivalent work of 239 hashes Impossible differential in rounds 2-4 Local collisions in round 1 Conditions that this differential path holds

SHA-0 Local Collisions Wang 1997 Let mi,j = ith message word, jth bit 6 step local collision that can start at any step i used to construct full collisions If a message difference in bit j first occurs in step i Difference will affect chaining variables a,b,c,d,e consecutively in the next five steps To offset these differences and reach a local collision, differences introduced in subsequent message words Probability associated with the local collision depends on the boolean function, j, and conditions on the message bits One attack: j = 2 Conditions mi,2 = ⌐mi+1,7 and mi,2 = ⌐mi+2,2

SHA-0 Local Collision nc = no carry

SHA-0 Collisions Biham and Chen 2004 started at i > 17 start at i = 22, work O(256) hashes near collisions with work O(240) hashes Biham and Chen (2004), Joux (2004), Wang and Yu (2005) Multi-block collisions Use near collisions in several blocks to produce overall collision Used with above, Joux had first full collision, work O(251) hashes

SHA-1 Collisions Rijmen and Oswald 2005: collisions for 53 reduced-round version Wang, Yin, Yu 2005: Collisions without padding on full 80 rounds, work  O(269) hashes Wang, Yao, Yao 2005: Improved above attack to work  O(263) hashes Rechberger and De Cannière 2006: way to choose part of the message

SHA-256 Round function has local collision with probability in the range 2-9 to 2-39 Message expansion is more complicated than SHA-0, SHA-1 Expansion block from 16 to 64 words

Colliding Certificates Fill in all fields except for RSA public key modulus, n signature (except for first zero byte - to prevent bit string from being a negative integer) Three requirements: compliant to X.509 and the ASN.1 DER byte lengths of modulus, n, and public exponent, e, fixed in advance Can fix e as “Fermat-4” number e = 65537. Same e used in both certificates. position where public key modulus starts is an exact multiple of 64 bytes after the beginning of the “to be signed” part – do by adding dummy information to the subject Distinguished Name. i.e. want part prior to n to be an integral number of message blocks to which the message blocks containing n are appended when computing the MD5 hash Run MD5 on the first portion of the “to be signed” part, truncated at the position where n starts This input to MD5 is an exact multiple of 512 bits. Suppress the padding normally used in MD5, use output as IV to for the next step. i.e. this would be the chaining variable input to the iteration in which n starts to be processed Construct two different 1024 bit strings b1 and b2 for which the MD5 compression function with the IV from the previous step produces a collision

Colliding Certificates Construct two RSA moduli from b1 and b2 by appending to each the same 1024-bit string b Generate random primes p1 and p2 of ~512 bits, such that e is coprimeto p1 − 1 and p2 − 1 Compute b0 between 0 and p1p2 such that p1|b121024 + b0 and p2|b221024 + b0 For k = 0, 1, 2, . . ., compute b = b0 + kp1p2; Check if both q1 = (b121024 + b)/p1 and q2 = (b221024 + b)/p2 are primes Check if e is coprime to both q1 − 1 and q2 − 1 If k is such that b  21024, restart with new random primes p1, p2 Stop when q1 and q2 have been found; output n1 = b121024 + b n2 = b221024 + b p1, p2, q1, q2 Expect that this algorithm will produce in a reasonable time, two RSA moduli n1 = p1q1 and n2 = p2q2, that will form an MD5-collision with the specified IV p1 and p2 are around 500 bits in size, usually takes a few minutes few days when 512 bit p1, p2 and 1536 bit q1, q2 (search space for k nearly empty)

Colliding Certificates Insert the modulus n1 into the certificate - “to be signed” part is complete Compute the MD5 hash of the entire “to be signed” part (including MD5-padding, standard MD5-IV) Apply PKCS#1v1.5-padding3, and perform a modular exponentiation using the issuing Certification Authority’s private key. This gives the signature, which is added to the certificate. First certificate now is complete. Second certificate – use n2 as the public key modulus and signature still valid

NIST Hash Workshop Proposed competition – SHA3 Call for proposals – Nov. 2007 Allow time for public comments on hash function requirements Review submissions starting in 2009 Select winner end of 2011 Standard released in 2012 Then time to integrate into applications 6+ years before standard replacement

SHA3 Requirements NIST does not currently plan to withdraw SHA-2 SHA-3 can be directly substituted for SHA-2 in current applications must provide message digests of 224, 256, 384 and 512-bits to allow substitution for the SHA-2 family 160-bit hash value produced by SHA-1 is becoming too small to use for digital signatures a 160-bit replacement hash algorithm is not contemplated.

SHA3 Requirements Certain properties of the SHA-2 hash functions must be preserved input parameters, output sizes collision resistance, preimage resistance, second-preimage resistance “one-pass” streaming mode of execution successful attack on the SHA-2 hash functions is unlikely to be applicable to SHA-3. be suitably flexible for a wide variety of implementations, May offer additional properties randomized hashing parallelizable more efficient to implement on some platforms more suitable for certain applications may avoid some of the incidental “generic” properties (such as length extension) of the Merkle-Damgard construct that often result in insecure applications For interoperability, prefer a single hash algorithm family (different size message digests be internally generated in as similar a manner as possible)

Approaches Augment existing hash functions: Add bit count to input – part of chaining value Padding: 1, 0’s, hash size, message length New algorithms, with approach similar to past hashes – chaining New approaches that avoid Merkle-Damgard chaining Algorithm related to mathematically hard problems

Alternatives CMC mode Binary tree Forward and backward diffusion Use last block Inefficient – memory requirements > double computational work Binary tree Block cipher, PRP construct as nodes double computational work m1 m2 m3 m4 T X1 X4 M M M M T hash m1 m2 m3 m4 hash

Alternatives Hybrid CMC mode or chaining on segments Subset of output forms next layer m blocks m blocks m blocks m blocks m blocks m blocks m blocks m blocks m blocks

Segment Processing CMC mode: forward and backward diffusion across blocks collision implies weakness in block cipher m1 m2 m3 m4 T X1 X4 M M M M T segment output

Segment Processing … … … … Elastic Chaining mode: IV 128 128 128 input … 128 128 128 128 128 128 … … 128 128 128 128 128 128 segment output 128 Elastic Chaining mode: Only forward diffusion … but less memory/intermediate state than CMC mode If key is based on first block, collision implies weakness in block cipher Use elastic version of 128-bit cipher or a 256-bit cipher

Segment Processing Don’t use existing forward chaining in segment – differential attack applies to segment m11 m12 m13 m14 m1l x13 = Z IV x12 segment output F F F F F m21 m22 m23 m24 m2l x23 = Z IV x22 segment output F F F F F x12  x22 = x