Download presentation
Presentation is loading. Please wait.
1
Which Hash Functions will survive?
Xiaoyun Wang Xuejia Lai Magnus Daum Shandong University Shanghai Jiaotong University Ruhr University Bochum
2
Which Hash Functions will survive?
Overview Applications and Properties Hash Functions of the MD4-Family Different Methods of Attacks Attacks on Iterated Hash Functions The Modular Differential Attack Which Hash Functions will survive?
3
Applications and Properties
Which Hash Functions will survive?
4
Which Hash Functions will survive?
What is a Hash Function? A hash function is efficiently computable compresses information of arbitrary length to some information of fixed length („digital fingerprint“) message Hash function Which Hash Functions will survive?
5
Application in Digital Signature Schemes
Alice Bob Alice Alice h h ? = Signature okay? Alice Alice Which Hash Functions will survive?
6
Properties of Cryptographic Hashfunctions
preimage-resistance: „Given V, find M such that h(M)=V“ is infeasible 2nd-preimage-resistance: „Given M, find M‘M such that h(M‘)=h(M)“ is infeasible collision-resistance: „Find M‘M such that h(M‘)=h(M)“ is infeasible Implikationen erwähnen!!! Which Hash Functions will survive?
7
Application in Digital Signature Schemes
Alice Alice signed the contract about €50k. Signature is okay ! Bob Okay, I will sign the contract about €10k. ? = Alice € 10k € 50k Alice h h € 10k € 50k Alice h Collision! Alice, please sign this contract! Bob, Alice signed this contract! Eve Which Hash Functions will survive?
8
Hash Functions of the MD4 Family
Which Hash Functions will survive?
9
Which Hash Functions will survive?
Of practical interest: Hashfunctions based on blockciphers: Matyas-Meyer-Oseas, Davies-Meyer, Miyaguchi-Preneel MDC-2, MDC-4 Dedicated Hashfunctions: MD4, MD5 RIPEMD-{0,128,160,256,320} SHA-{0,1,224,256,384,512} Tiger Whirlpool Beispiele für Blockcipher-Funktionen einbauen??? MD4-Family Which Hash Functions will survive?
10
Which Hash Functions will survive?
Overview MD4-Family MD4 (Rivest ‚‘90) Ext. MD4 (Rivest ‚‘90) SHA-0 (NIST, ’93) RIPEMD-0 (RIPE, ‘92) SHA-1 (NIST, ’95) MD5 (Rivest ‚‘92) HAVAL (Zheng, Pieprzyk, Seberry ‚‘93) RIPEMD-128 RIPEMD-160 RIPEMD-256 RIPEMD-320 (Dobbertin, Bosselaers, Preneel ‘96) SHA-224 SHA-256 SHA-384 SHA-512 (NIST, ’02/04) Which Hash Functions will survive?
11
General Structure Iterated Compression Functions
kurz collision-resistance of the compression function collision-resistance of the hash function Which Hash Functions will survive?
12
Common Structure of the Compression Functions
kurz Message Expansion Which Hash Functions will survive?
13
Different Message Expansions
SHA recursive definition MD / RIPEMD roundwise permu-tations of the Mi wichtig !!! e.g. SHA-1: Which Hash Functions will survive?
14
Which Hash Functions will survive?
Step Operation MD5: SHA-0/1: Only 1 register changed per step Mixture of different kinds of operations Which Hash Functions will survive?
15
Which Hash Functions will survive?
Attack Methods Which Hash Functions will survive?
16
Which Hash Functions will survive?
Collision Attacks „Find M‘M such that h(M‘)=h(M)“ collision-resistance: „Find M‘M such that h(M‘)=h(M)“ is infeasible Three different kinds of (successfull) attacks: Dobbertin (1995/96) Chabaud/Joux (1998), Biham/Chen(2004), Joux(2004) Wang/Feng/Lai/Yu (2004) Which Hash Functions will survive?
17
Which Hash Functions will survive?
Dobbertin‘s Attacks Idea: Describe the whole compression functions by the means of a huge system of equations Variables: Equations: Message words - Step operation Contents of the registers - Message Expansion - Collision Equations include many very different kinds of operations, e.g. F2-linear, „modulo 232“ operations and bitwise defined Boolean functions Hard to solve with algebraic means Special methods are needed Which Hash Functions will survive?
18
Which Hash Functions will survive?
Example: Attack on MD5 i=0 Find with Each Mi is used in exactly four steps in the computation Choose and for all other i Computations run in parallel to each other up to the first appearance of i 0 Another special restriction: Require Inner Collisions 150 150 i=0 150 150 i=0 Which Hash Functions will survive?
19
Which Hash Functions will survive?
Overview MD4-Family MD4 (Rivest ‚‘90) Ext. MD4 (Rivest ‚‘90) SHA-0 (NIST, ’93) Kasselman/ Penzhorn‚ 2000 Dobbertin ‚’95/96 RIPEMD (RIPE, ‘92) SHA-1 (NIST, ’95) MD5 (Rivest ‚‘92) HAVAL (Zheng, Pieprzyk, Seberry ‚‘93) RIPEMD-128 RIPEMD-160 RIPEMD-256 RIPEMD-320 (Dobbertin, Bosselaers, Preneel ‘96) SHA-224 SHA-256 SHA-384 SHA-512 (NIST, ’02/04) Which Hash Functions will survive?
20
Chabaud/Joux-Attack on SHA-0
Idea: Approximate compression function by a linear function Find collisions for this linearised function Find messages with the same „differential behaviour“ in the real compression function 3 non-linear parts in SHA-0: addition modulo 232 Can all be approximated by bitwise © (linear) Which Hash Functions will survive?
21
Elementary Collisions
Vielleicht noch Differenzen each collision of the complete (linearised) compression function is a linear combination of such elementary collisions Which Hash Functions will survive?
22
Biham/Chen: Neutral Bits
Idea: Find bits of the message that can be changed without changing the „differential behaviour“ up to some step k produce a big number of messages which fulfill some of the needed conditions automatically increased probability of success Which Hash Functions will survive?
23
Which Hash Functions will survive?
Overview MD4-Family Joux‚ 2004 MD4 (Rivest ‚‘90) Ext. MD4 (Rivest ‚‘90) SHA-0 (NIST, ’93) Wang/Feng/ Lai/Yu‚ 2004 Chabaud/Joux ‚’98 Biham/Chen‚ RIPEMD (RIPE, ‘92) SHA-1 (NIST, ’95) MD5 (Rivest ‚‘92) HAVAL (Zheng, Pieprzyk, Seberry ‚‘93) RIPEMD-128 RIPEMD-160 RIPEMD-256 RIPEMD-320 (Dobbertin, Bosselaers, Preneel ‘96) SHA-224 SHA-256 SHA-384 SHA-512 (NIST, ’02/04) Which Hash Functions will survive?
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.