Cryptographic Hashing: Blockcipher-Based Constructions, Revisited Tom Shrimpton Portland State University.


1 Cryptographic Hashing: Blockcipher-Based Constructions, Revisited Tom Shrimpton Portland State University

2 Results from CRYPTO 2004
“Near-collisions” in SHA-0 [Biham]
Collisions in SHA-0 [Joux, rump session]
Collisions in reduced-round SHA-1 [Biham, rump session]
Collisions in MD4, MD5, RIPEMD, HAVAL-128 [Wang et al., rump session]
Multicollisions in iterated constructions [Joux]

3 Today
What are these objects?
What cryptographic properties do we like them to have?
How do we build them (particularly, from a blockcipher)?
What do we currently understand about proofs, models, bounds on efficiency, etc.?
A call to action!

4 What are cryptographic hash functions? A cryptographic “fingerprint” of a file: File → Hash (e.g., md5sum, SHA-1).

5 SHA-1 [NIST]. Input: message blocks M_1, ..., M_m of 512 bits each; output: 160 bits. (<<< and >>> denote 32-bit rotations; + is addition mod 2^32.)
for i = 1 to m do
    W_t = t-th word of M_i                                      for 0 ≤ t ≤ 15
    W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) <<< 1          for 16 ≤ t ≤ 79
    A ← H_0^{i-1}; B ← H_1^{i-1}; C ← H_2^{i-1}; D ← H_3^{i-1}; E ← H_4^{i-1}
    for t = 0 to 79 do
        T ← (A <<< 5) + g_t(B, C, D) + E + K_t + W_t
        E ← D; D ← C; C ← B >>> 2; B ← A; A ← T
    H_0^i ← A + H_0^{i-1}; H_1^i ← B + H_1^{i-1}; H_2^i ← C + H_2^{i-1}; H_3^i ← D + H_3^{i-1}; H_4^i ← E + H_4^{i-1}
end
return H_0^m H_1^m H_2^m H_3^m H_4^m

6 Today (agenda, continued): What cryptographic properties do we like them to have?

7 A zoo of names: 2nd-preimage resistance, strong hash, weak collision resistance, strong collision resistance, collision resistance, target collision resistance, one-way function, universal one-way hash function, inversion resistance, collision-free, preimage resistance, collision-intractable. How do these relate to one another? (The slide marks every relationship with a question mark.)

8 A motivating quote, and a “fact”
“2nd-preimage resistance — it is computationally infeasible to find any second-input which has the same output as any specified input, i.e., given x, to find a 2nd-preimage x' ≠ x such that h(x) = h(x').” [MOV]
“Fact: Collision resistance implies 2nd-preimage resistance of hash functions” [MOV]
How are inputs specified? How is h selected? This “fact” depends on how you answer these questions!

9 A cryptographic property (quite informal)
1. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output.
BAD: H(M) = M mod 701

10 Preimage resistance (intuition, but slightly more formal)
K: a finite, nonempty set (the keys)
Strings: a set of strings ⊆ {0,1}*
n: the hash length
H: K × Strings → {0,1}^n
Example: keyed-SHA1: {0,1}^160 × {0,1}* → {0,1}^160; SHA1 is one particular function from this family.
Picture: M ∈ {0,1}^m ↦ Y = H_K(M) ∈ {0,1}^n is easy to compute; going from Y back to some M' with H_K(M') = Y is “hard” for any “reasonable” adversary.

11 Preimage resistance: a definition (formal)
A probabilistic game (the “name of game”):
- choose a random key
- choose a random domain point
- hash the domain point
- A runs, and returns a domain point
Event: did A win (find a preimage)?

12 A formal framework [RS04]
Three flavors of preimage resistance, according to whether the key and the range point are fixed or random:
Pre: random key, random range point
ePre (“e” = “everywhere”): random key, fixed range point. Every range point is hard to invert.
aPre (“a” = “always”): fixed key, random range point. Every hash function in the family is hard to invert.

13 More cryptographic properties
1. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output.
2. Second-preimage resistance: given a hash function and given a first input, it is hard to find a second input that collides with the first.
3. Collision resistance: given a hash function, it is hard to find two colliding inputs.

14 The seven notions [RS04]
Preimage:        Pre (random key, random range point); ePre (random key, fixed range point); aPre (fixed key, random range point)
Second preimage: Sec (random key, random domain point); eSec (random key, fixed domain point; also known as UOWHF); aSec (fixed key, random domain point)
Collision:       Coll (random key)

15 Our results [RS04]: the implications and separations among Coll, aSec, eSec, Sec, aPre, ePre and Pre. Legend of the slide’s diagram: conventional implication, provisional implication, separation (no arrow).

16 What about near-collisions? Given K and M ∈ Strings with Y = H_K(M) ∈ {0,1}^n, finding an M' with H_K(M') = Y' such that Y is “close to” Y' should be “hard” for any “reasonable” adversary. (Hmm.. what does this mean now?)

17 Research project #1: Continue definitional work. What’s the “right” definition for the task? How do we make it formal?

18 Today (agenda, continued): How do we build them (particularly, from a blockcipher)?

19 How to do this? H: K × Strings → {0,1}^n must take an arbitrary-length string to an n-bit string.

20 Merkle-Damgård construction [Me89],[Da89]
IV → f(·, M_1) → h_1 → f(·, M_2) → h_2 → f(·, M_3) → h_3 = H(M)
IV: fixed initial value (n bits); h_i: chaining value (n bits); M_i: k-bit message blocks; f: compression function
MD Theorem: if f is CR, then so is H.

21 The SHA-1 inner loop (pseudocode as on slide 5), now viewed as a compression function: it takes the 160-bit chaining value H_{0..4}^{i-1} and the 512-bit block M_i and returns the 160-bit chaining value H_{0..4}^i.

22 Why build hash functions from blockciphers? “Do as much as possible with as little as possible”: economy of primitives.
(late 70s–early 90s) DES:
– weak keys cause design difficulties
– small blocksize → easier wins for the adversary
(now) AES has changed the playing field:
– no known weak keys
– bigger blocksize → harder wins for the adversary

23 Blockcipher-based compression function #1 (CBC): with one fixed key K, h_i = E_K(h_{i-1} ⊕ M_i), starting from IV. Is this collision-resistant? No [Akl83]: K is public, so the adversary can evaluate E_K at will, and the slide’s diagram reaches the same value E_K(E_K(0)) from two different two-block messages: (0, E_K(IV) ⊕ E_K(0)) passes through E_K(IV) to E_K(E_K(0)), while (IV, 0) passes through E_K(0) to E_K(E_K(0)).

24 Attempt #2: how about this? A second two-block design; the slide’s diagram (with the values E_0(0) ⊕ IV, IV, IV ⊕ 1 and E_1(1) ⊕ IV = IV) shows that it breaks as well [PGV93].

25 12 provably-secure compression functions

26 Davies-Meyer compression function [PGV93],[BRS02]: h_i = E_{M_i}(h_{i-1}) ⊕ h_{i-1}. The message block is the cipher key, the chaining value is the plaintext, and the plaintext is fed forward into the output.

27 SHA-0, SHA-1 are blockcipher-based hash functions! In the pseudocode of slide 5, the 80-round loop from (A, B, C, D, E) to (A, B, C, D, E) is a blockcipher with a 512-bit key (the block M_i) and a 160-bit block (the chaining value H_{0..4}^{i-1}); the final additions H_j^i ← ... + H_j^{i-1} are the Davies-Meyer feedforward.
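The structural claim of slide 27, as an added example in Python that is not part of the original slides: SHA-1 written as a Davies-Meyer construction over the 80-round blockcipher inside it (known as SHACAL-1 when used on its own), with the 512-bit message block as the key and the 160-bit chaining value as the plaintext. A decryption routine is included to show that each E_{M_i} really is a permutation, and the result is cross-checked against hashlib.sha1. The function names (encrypt, decrypt, davies_meyer, sha1_as_davies_meyer) are my own choices.

```python
# Added example: SHA-1 as Davies-Meyer over its internal blockcipher.
import hashlib
import struct

MASK = 0xFFFFFFFF
# SHA-1's fixed initial chaining value: the IV of the Merkle-Damgard iteration
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x, k):
    """Rotate a 32-bit word left by k bits."""
    return ((x << k) | (x >> (32 - k))) & MASK


def round_fn(t, b, c, d):
    """SHA-1 round function g_t and round constant K_t for round t."""
    if t < 20:
        return ((b & c) | (~b & d)) & MASK, 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6


def key_schedule(block):
    """Message schedule W_0..W_79: the 512-bit block plays the role of the cipher key."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def encrypt(block, chain):
    """E_block(chain): 80 rounds; key = 512-bit block, plaintext = 160-bit chaining value."""
    w = key_schedule(block)
    a, b, c, d, e = chain
    for t in range(80):
        f, k = round_fn(t, b, c, d)
        tmp = (rotl(a, 5) + f + e + k + w[t]) & MASK
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    return (a, b, c, d, e)


def decrypt(block, ct):
    """E^-1: undo the 80 rounds, which shows E_block is a permutation on {0,1}^160."""
    w = key_schedule(block)
    a, b, c, d, e = ct
    for t in reversed(range(80)):
        tmp, a, b, c, d = a, b, rotl(c, 2), d, e
        f, k = round_fn(t, b, c, d)
        e = (tmp - rotl(a, 5) - f - k - w[t]) & MASK
    return (a, b, c, d, e)


def davies_meyer(chain, block):
    """h_i = E_{M_i}(h_{i-1}) + h_{i-1}, word-wise mod 2^32.
    (SHA-1 uses modular addition where the textbook Davies-Meyer uses XOR.)"""
    return tuple((y + h) & MASK for y, h in zip(encrypt(block, chain), chain))


def pad(msg):
    """Merkle-Damgard strengthening: 0x80, zeros, then the 64-bit message bit length."""
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return msg + struct.pack(">Q", bit_len)


def sha1_as_davies_meyer(msg):
    """Iterate the compression function over the 512-bit blocks (Merkle-Damgard)."""
    padded = pad(msg)
    h = IV
    for i in range(0, len(padded), 64):
        h = davies_meyer(h, padded[i:i + 64])
    return struct.pack(">5I", *h)


def check_against_hashlib(msg):
    """True iff the Davies-Meyer view reproduces the standard SHA-1 digest."""
    return sha1_as_davies_meyer(msg) == hashlib.sha1(msg).digest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"x" * 1000):
        assert check_against_hashlib(m)
    print("SHA-1 as Davies-Meyer matches hashlib.sha1")
```

The feedforward is what makes the compression function non-invertible: E_{M_i} alone is a permutation for every block, so a collision-resistant compression function must break that symmetry somewhere.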

28 Collision resistance in the “ideal cipher” model
Model the blockcipher E as a random permutation for each key. The adversary A is computationally unbounded and has oracles E and E^{-1}: on query (K, x) to E it receives E_K(x); on query (K, y) to E^{-1} it receives E_K^{-1}(y). The only counted resource is oracle queries. A finally outputs M, M'.
Adv^coll_H(A) = Pr[A^{E,E^{-1}} finds a collision in H^E]
Adv^coll_H(q) = max_A { Adv^coll_H(A) }, the maximum over adversaries A asking at most q queries
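An added example (not from the slides) of the ideal-cipher model of slide 28, in Python: an oracle that lazily samples an independent random permutation for each key, answers E and E^{-1} consistently, and counts distinct queries, the only resource the model charges for. A Davies-Meyer hash H^E over the oracle shows how each message block spends one query. The class and function names and the 8-bit toy block size are my own constructions.

```python
# Added example: a lazily sampled ideal cipher with E / E^-1 oracles and a query counter.
import random

BLOCK_BITS = 8              # toy block size (constructed; real ciphers use 64 or 128)
DOMAIN = 1 << BLOCK_BITS


class IdealCipher:
    """For each key K, E(K, .) is a uniformly random permutation on {0,1}^n.
    Permutations are sampled lazily, one point per query, so that forward and
    inverse answers always agree and E(K, .) never repeats an output."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)   # seeded only so the example is reproducible
        self.fwd = {}                    # (K, x) -> y
        self.inv = {}                    # (K, y) -> x
        self.queries = 0                 # distinct points defined so far (= oracle queries)

    def _fresh(self, key, used):
        """A value not yet assigned under this key on the given side of the table."""
        while True:
            v = self.rng.randrange(DOMAIN)
            if (key, v) not in used:
                return v

    def E(self, key, x):
        if (key, x) not in self.fwd:
            y = self._fresh(key, self.inv)          # unused output keeps E_K a bijection
            self.fwd[(key, x)], self.inv[(key, y)] = y, x
            self.queries += 1
        return self.fwd[(key, x)]

    def E_inv(self, key, y):
        if (key, y) not in self.inv:
            x = self._fresh(key, self.fwd)          # unused input keeps E_K a bijection
            self.fwd[(key, x)], self.inv[(key, y)] = y, x
            self.queries += 1
        return self.inv[(key, y)]


def davies_meyer_hash(cipher, blocks, iv=0):
    """H^E: Merkle-Damgard iteration of h_i = E_{M_i}(h_{i-1}) XOR h_{i-1}.
    Every block needs E at one new point, so hashing t fresh blocks costs at most t queries,
    which is exactly what Adv^coll_H(q) charges the adversary for."""
    h = iv
    for m in blocks:
        h = cipher.E(m, h) ^ h
    return h


if __name__ == "__main__":
    oracle = IdealCipher(seed=1)
    digest = davies_meyer_hash(oracle, [0x11, 0x22, 0x33])
    print("H^E(M) =", digest, "after", oracle.queries, "oracle queries")
    assert oracle.E_inv(0x11, oracle.E(0x11, 0)) == 0   # inverse oracle is consistent
```

The point of counting only queries is that proofs in this model bound Adv^coll_H(q) as a function of q alone; an adversary that computes nothing but asks 2^{n/2} queries still wins by the birthday bound, so that is the best any proof can promise.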

29 Why such a strong model? The PRP assumption isn’t enough in general [Simon]. Specifically, for each of the 12 there is a PRP that makes collisions easy [Hopwood][Wagner]. More importantly, PRP is the wrong tool: PRP security depends on a random, secret key.

30 Research project #2: Find new models and/or assumptions. What properties does a blockcipher need for hashing? How can we abstract them to models/assumptions? Can we prove things?

31 Moving theory towards practice. In the Davies-Meyer chain (h_{i-1}, M_i) → h_i, (h_i, M_{i+1}) → h_{i+1}, every message block M_i is used as a blockcipher key, so the cipher is re-keyed at every block; these re-keyings are the expensive operations.

32 Secure rate-1, fixed-key constructions?
Candidate shape, all wires n bits wide: h_{i-1} and M_i enter f_1, its n-bit output is encrypted once under a single fixed key K, and f_2 turns the result into h_i (one blockcipher call per block, i.e., rate 1).
No secure rate-1, fixed-key constructions [BCS 04]. In the black-box model:
compression function: collision after 2 blockcipher calls
iterated function: collisions in on the order of n + lg(n) calls

33 33 Research project #3 Find secure, fixed-key, rate < 1, iterated constructions (some progress being made)

34 128 bits too small? Cascaded constructions! H_K1(M) || H_K2(M) = G_(K1,K2)(M): n bits + n bits = 2n bits of output, so n bits of CR? No! Joux: for MD constructions, only n/2 bits of CR.

35 Multicollisions. IV → f(·, M_1) → h_1 → f(·, M_2) → h_2 → ... → h_{m-1} → f(·, M_m) → h_m = H(M), with n-bit chaining values. For m·(2^{n/2}) work, we can make 2^m messages that collide ...

36 Collisions in cascaded constructions. For G_(K1,K2)(M) = H_K1(M) || H_K2(M) with 160-bit H:
1. Create a 2^81-way multicollision under H_K1
2. Hash these messages under H_K2
Collision in G for work O(2^80) ≪ O(2^160)
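Slides 35 and 36, together with the Merkle-Damgård iteration of slide 20, as a runnable added example in Python that is not code from the slides: a toy keyed MD hash with a 16-bit chaining value (so that 2^{n/2} is 256 and the search finishes in about a second), Joux’s multicollision, and the resulting collision in the cascade G_(K1,K2)(M) = H_K1(M) || H_K2(M). The compression function is modelled as truncated SHA-256; the attack never looks inside it, which is the point: concatenating two MD hashes does not buy the 2n bits of collision resistance the output length suggests. The key strings, block size and hash length are constructed for the example.

```python
# Added example: Joux multicollisions on a toy MD hash and the cascade collision they give.
import hashlib
from itertools import product

N_BITS = 16                 # toy hash length n (constructed; real hashes use 128 or more)
N_BYTES = N_BITS // 8
BLOCK = 4                   # message block length in bytes (constructed)
IV = b"\x00" * N_BYTES


def compress(key, h, m):
    """Keyed compression function f_K: {0,1}^n x {0,1}^(8*BLOCK) -> {0,1}^n.
    Modelled as truncated SHA-256 so it behaves like a random function; the
    multicollision attack is generic and never depends on its internals."""
    return hashlib.sha256(key + h + m).digest()[:N_BYTES]


def md_hash(key, msg):
    """H_K: Merkle-Damgard iteration over whole blocks, then a length block
    (MD strengthening). Strengthening does not help against multicollisions,
    because all the colliding messages have the same length."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    h = IV
    for i in range(0, len(msg), BLOCK):
        h = compress(key, h, msg[i:i + BLOCK])
    return compress(key, h, len(msg).to_bytes(BLOCK, "big"))


def block_collision(key, h):
    """Birthday search from chaining value h: distinct blocks m != m' with
    f_K(h, m) == f_K(h, m'). About 2^(n/2) evaluations on average and, by the
    pigeonhole principle, at most 2^n + 1."""
    seen = {}
    for ctr in range(1 << (8 * BLOCK)):
        m = ctr.to_bytes(BLOCK, "big")
        y = compress(key, h, m)
        if y in seen:
            return seen[y], m, y
        seen[y] = m


def multicollision(key, t):
    """Joux: chain t single-block collisions. Picking one of the two blocks at
    each position gives 2^t distinct messages with the same hash, for about
    t * 2^(n/2) work in total."""
    h, choices = IV, []
    for _ in range(t):
        m0, m1, h = block_collision(key, h)
        choices.append((m0, m1))
    return [b"".join(pick) for pick in product(*choices)]


def cascade(k1, k2, msg):
    """G_(K1,K2)(M) = H_K1(M) || H_K2(M): 2n output bits."""
    return md_hash(k1, msg) + md_hash(k2, msg)


def cascade_collision(k1, k2):
    """Collide G for roughly (n/2) * 2^(n/2) + 2^(n/2) work instead of 2^n:
    build a 2^t-way multicollision under H_K1 (t starts at n/2) and look for a
    birthday collision under H_K2 among those messages; if none shows up, one
    more block doubles the candidate set."""
    t = N_BITS // 2
    while True:
        seen = {}
        for m in multicollision(k1, t):
            y = md_hash(k2, m)
            if y in seen:
                return seen[y], m       # same H_K1 by construction, same H_K2 by birthday
            seen[y] = m
        t += 1


if __name__ == "__main__":
    K1, K2 = b"key-one", b"key-two"     # constructed keys for the two family members
    a, b = cascade_collision(K1, K2)
    assert a != b and cascade(K1, K2, a) == cascade(K1, K2, b)
    print("cascade collision of", len(a) // BLOCK, "blocks:", cascade(K1, K2, a).hex())
```

Reading the work estimate off the code: each block_collision costs about 2^{n/2}, the loop in cascade_collision runs n/2 of them, and the final pass hashes 2^{n/2} messages under H_K2, so the total stays at the order of n·2^{n/2} rather than the 2^n a 2n-bit hash should require.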

37 What about MDC-2? Two blockcipher calls per message block M_i, with two n-bit chaining values h_{i-1} → h_i and g_{i-1} → g_i.

38 Huge opportunities for research
Continue definitional work
– Formalize “near collisions”, etc.
– What are the right properties for specific tasks?
Flesh out the theoretical landscape
– Ideal cipher model → proofs
– PRP assumption → no proofs
Find secure, fixed-key, rate < 1, iterated schemes
Analysis of MDC-2
