Hashing Algorithms: Basic Concepts and SHA-2
CSCI 5857: Encoding and Encryption

Outline
Compression functions and iterated hashes
Creating a hash function from a block cipher
Secure Hash Algorithm-2 (SHA-2)
–Overall structure
–Message expansion into round keys
–Initial digest creation
–Individual round structure
  Rotation function
  Majority function
  Conditional function

Goals of Hashing Functions
Hashing function must be “one way”
Easy to compute y = h(M)
Following must be computationally infeasible:
–Given message M, find M´ such that h(M) = h(M´) (not vulnerable to preimage attack)
–Finding any M_1 and M_2 such that h(M_1) = h(M_2) (not vulnerable to collision attack)

Compression Functions
What is a hash algorithm?
–Function that compresses message of arbitrary length to m-bit digest
Problem: Difficult to assure collision resistance for arbitrary compression function f
[Figure: message of arbitrary size, m-bit digest]

Compression Functions
Easier to create function that compresses block of fixed size k > m
Break message into blocks of fixed size
Apply compression function to each in some way
[Figure: f, k-bit message, m-bit digest]

Iterated Hash Function
Merkle-Damgard scheme

Iterated Hash Function
Compression function of form h(M_i, H_{i-1})
–M_i = i-th message block
–H_{i-1} = previous message digest
–H_0 = initial vector known to sender, recipient
If f is collision resistant, so is entire algorithm
[Figure: f, n-bit message block M_i, m-bit digest H_{i-1}, m-bit digest H_i]

Types of Hash Algorithms
Based on block ciphers
–Rebuild existing cipher into compression function
–Already has desirable properties of cryptographic hash
  Confusion, diffusion
–Example: Whirlpool
“Made from scratch”
–Specifically designed for hashing
–Often no clear structure for maximum confusion
–Examples:
  Message Digest (MD) by Ron Rivest (obsolete)
  Secure Hash Algorithm (SHA-2, SHA-3)

Block Ciphers for Hashing
Rabin scheme
–“Plaintext” = output of previous stage
–“Key” = current message block
Potential vulnerability:
–Since encryption is reversible, could use meet in middle attack
–Work backwards from final message digest to find another M with same digest

Block Ciphers for Hashing
Miyaguchi-Preneel scheme (used by Whirlpool)
–Output of each stage based on XOR of:
  Output of encryption function
  Output of previous stage
  Current message
–Prevents “meet in middle” attacks
  Cannot work backwards through encryption functions without knowing input to previous stage

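The two block-cipher constructions above, run as an iterated hash H_i = step(H_{i-1}, M_i), in an added example that is not part of the original slides. The 32-bit Feistel cipher, the sample blocks and all function names are constructed for illustration; the point is that a Rabin stage is undone by decryption under the known message block, while a Miyaguchi-Preneel stage can only be inverted by someone who already holds the previous digest.

```python
# Toy 32-bit Feistel cipher (constructed for illustration, NOT secure).
def _subkeys(key):
    return [((key >> (8 * r)) & 0xFFFF) ^ (r * 0x1F3D) for r in range(4)]

def _f(half, k):
    return ((half * 0x9E37 + k) ^ (half >> 3)) & 0xFFFF

def encrypt(key, block):
    l, r = block >> 16, block & 0xFFFF
    for k in _subkeys(key):
        l, r = r, l ^ _f(r, k)
    return (l << 16) | r

def decrypt(key, block):
    l, r = block >> 16, block & 0xFFFF
    for k in reversed(_subkeys(key)):
        l, r = r ^ _f(l, k), l
    return (l << 16) | r

def rabin_step(h_prev, m):
    # Rabin: "key" = current message block, "plaintext" = previous digest
    return encrypt(m, h_prev)

def mp_step(h_prev, m):
    # Miyaguchi-Preneel: previous digest keys the cipher; the output is XORed
    # with the previous digest and the current message (feed-forward)
    return encrypt(h_prev, m) ^ h_prev ^ m

def iterate(step, blocks, h0):
    # H_i = step(H_{i-1}, M_i); returns every intermediate digest
    chain = [h0]
    for m in blocks:
        chain.append(step(chain[-1], m))
    return chain

def rabin_step_back(h_i, m):
    # Decryption under the known block recovers the previous Rabin digest
    return decrypt(m, h_i)

BLOCKS = [0x48617368, 0x696E6721, 0x5348412D]   # constructed 32-bit blocks
H0 = 0x01234567                                 # constructed initial vector

if __name__ == "__main__":
    rabin = iterate(rabin_step, BLOCKS, H0)
    mp = iterate(mp_step, BLOCKS, H0)
    print("Rabin digest:", hex(rabin[-1]), "MP digest:", hex(mp[-1]))
    print("Rabin stage undone:", rabin_step_back(rabin[-1], BLOCKS[-1]) == rabin[-2])
    print("Same step on MP:   ", decrypt(BLOCKS[-1], mp[-1]) == mp[-2])
```
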
SHA-2
Background:
–Based on Merkle-Damgard scheme, Rivest MD5
Ideas:
–Large number of rounds (80) for maximum confusion
–Heavy use of non-invertible functions
  Combinations of rotation and XOR
  Condition and majority functions
–Appearance of “randomness” in initial vector
Designed for efficiency
–All operations are very fast in hardware

SHA bit message digest (secure against brute force attack)
–Block size: 1024 bits
–Digest broken down into 64-bit “words” called A – H

SHA-2 Initial Digest
Initial values of message digest H_0
Designed for appearance of “randomness”
–Created from first 8 primes (2, 3, 5, 7, 11, 13, 17, 19)
–Take square root
–Take first 64 digits of fractional part
A  6A09E667F3BCC908
B  BB67AE8584CAA73B
C  3C6EF372EF94F828
D  A54FE53A5F1D36F1
E  510E527FADE682D1
F  9B05688C2B3E6C1F
G  1F83D9ABFB41BD6B
H  5BE0CD19137E2179

SHA-2 Compression Function
80 rounds
–Each creates new “intermediate” message digest
Each round uses “round word” w_i created from the message block
Final stage is sum (mod 2^64) of:
–Initial round digest
–Final round digest

Word Expansion in SHA-2
Block of 16 words expanded to 80 words
–Used by 80-round compression function

SHA-2 RotShift Function
Confusion added with rotation and shifting
Three different rotations/shifts with results XORed together
Not invertible
RotShift i-j-k:
–Right rotation i bits
–Right rotation j bits
–Left shift k bits (adding 0’s to end)

SHA-2 Round Function
Each round i function of:
–Previous message digest
–Word W_i
–Round “key” K_i created from fractional parts of square root of first 80 prime numbers (like initial message digest values)
–Ensures different values each round

SHA-2 Round Structure
Blocks A – C and E – G shifted over one
–No real effect, other than to make sure every block affected by more complex operations

SHA-2 Round Structure
New blocks A and E created as function of:
–All previous blocks A – G
–Round word W_i and round key K_i using addition mod 2^64

SHA-2 Rotation Function
Rotate 64-bit block by i, j, and k bits
Combine with XOR to mix up bits
A rotated by 28, 34, and 39 bits
E rotated by 14, 18, and 41 bits
Rot i-j-k:
–Right rotation i bits
–Right rotation j bits
–Right rotation k bits

SHA-2 Majority Function
Majority function of (A, B, C):
–i-th bit of result = 1 if at least 2 of i-th bits of A, B, C = 1; 0 otherwise
–Example: A = B = C = majority =
–Idea: No way to reconstruct A, B, C from majority

SHA-2 Conditional Function
Conditional function of (E, F, G):
–i-th bit of result = i-th bit of F if i-th bit of E = 1; = i-th bit of G otherwise
–Like “If E then F else G”
–Example: E = F = G = Conditional =
–Idea: No way to reconstruct E, F, G from conditional

Addition Mod 2^64
Binary addition
–Not same as XOR
Example: … … …10010 = …
