Theory and practice for hash functions
|
|
- Andrew Sims
- 6 years ago
- Views:
Transcription
1 Theory and practice for hash functions Bart Preneel eu Title of Presentation Katholieke Universiteit it it Leuven - COSIC firstname.lastname@esat.kuleuven.be Cambridge, 1 February 2012 Insert presenter logo here on slide master
2 Hash functions X.509 Annex D RIPEMD-160 MDC-2 SHA-256 MD2, MD4, MD5 SHA-512 SHA-1 SHA-3 This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision). h 1A3FD4128A198FB3CA
3 Applications short unique identifier to a string digital signatures data authentication one-way function of a string protection of passwords micro-payments confirmation of knowledge/commitment t pseudo-random string generation/key derivation entropy extraction construction of MAC algorithms, stream ciphers, block ciphers, 2005: 800 uses of MD5 in Microsoft Windows 3
4 Bridging theory and practice? 4
5 Agenda Definitions Iterations (modes) Compression functions Hash functions SHA-3 5
6 Security requirements (n-bit result) preimage 2 nd preimage collision? x??? h h h h h h(x) () h(x) () = h(x ) h(x) () = h(x ) 2 n 2 n 2 n/2 6
7 Length extension length extension: if one knows h(x), easy to compute h(x y) without knowing x or IV IV f H 1 f H 2 f H 3 = h(x) x 1 x 2 x 3 IV H 1 H 2 H 3 H 4 = h(x y) f x 1 x 2 x 3 y solution: output transformation f f f IV f H 1 f H 2 f H 3 f g x 1 x 2 x 3 x 4 7
8 Informal definitions: NIST requirements for SHA-3 One Way Hash Function (OWHF) preimage resistance (2 n ) 2 nd preimage resistance (2 n-l for 2 L -bit message) Collision Resistant Hash Function (CRHF): collision resistant Resistance to length extension Properties scale well with truncationti HMAC-PRF indistinguishable up to 2 n/2 queries Secure in randomized hashing mode 8
9 Brute force (2 nd ) preimage multiple target second preimage (1 out of M): if one can attack 2 t simultaneous targets, the effort to find a single preimage is 2 n-t multiple target second preimage (M out of M): time-memory memory trade-off with Θ(2 n ) precomputation and storage Θ(2 2n/3 ) time per (2 nd ) preimage: Θ(2 2n/3 ) [Hellman 80] full cost per (2 nd ) preimage from Θ(2 n ) to Θ(2 2n/5 ) [Wiener 02] (if Θ(2 3n/5 )t targets t are attacked) answer: randomize hash function with a parameter S (salt, key, spice, ) 9
10 Formal definition: (2 nd ) preimage resistance Notation: Σ = {0,1}, l(n)>n A one-way hash function (OWFH) h is a function with domain D=Σ l(n) and range R=Σ n that satisfies the following conditions: Pre: let x be selected uniformly in D and let M be an adversary that on input h(x) uses time t and outputs M(h(x)) D. For each adversary M, Pr x D { h(m(h(x)))=h(x) } < ε. Here the prob. is also taken over the random choices of M. Sec: letxx be selected uniformly in D=ΣΣ l(n) and let M' be an adversary who on input x uses time t and outputs x' D with x' x. For each adversary M', Pr x D {h(m'(x))=h(x) (x)) h(x) } < ε. Here the prob. is taken over the random choices of M'. 10
11 Formal definitions: collision resistance A collision-resistant hash function (col) h is a function with domain D=Σ l(n) and range R=Σ n that that satisfies the following conditions: for each collision string finder F that uses time t and outputs either? or a pair x, x' Σ l(n) with x' x such that h(x )=h(x) we have that Pr{ F(H)? } < ε. Here the prob. is taken over the random choices of F. Is this correct? No! For every h there are many (short) colliding strings, and so there exist many very simple collision string finders F that output a collision with probability 1 11
12 Formal definitions: collision resistance A collision-resistant hash function family (CRHF) H is a function family {h S } with domain D=Σ l(n) and range R=Σ n and indexed by a key S that that satisfies the following conditions: let F be a collision string finder that on input S Σ s uses time t and outputs either? or a pair x, x' Σ l(n) with x' x such that h S (x )=h S (x). For each F, Pr S { F(H)? } < ε. Here the prob. is also taken over the random choices of F. 12
13 Formal definitions - continued for collision resistance: formalization requires a family, but see [Stinson 06], [Rogaway 06]: formalizing i human ignorance for (2nd) preimage resistance, one can choose the challenge (x) and/or the key (S) that selects the function, resulting in 3 flavors [Rogaway-Shrimpton 04]: 1. random challenge, random key (Pre and Sec) 2. random key, fixed challenge (epre and esec - everywhere) (esec=uowhf) 3. fixed key, random challenge (apre and asec - always) complex relationship (see figure on next slide) 13
14 Relations between security properties [Rogaway-Shrimpton 04] [Andreeva-Stam 10] Even if Coll esec/pre: bound always 2 n/2 << 2 n Q Easy to prove d Relevant in practice rpre How does epre (theoretically easy to prove) relate to dpre (practically relevant)? For sufficiently Col secure H, epre implies dpre (if the message space has sufficient Rényi 2 entropy > Y ) 14
15 Collision resistance more complex to formalize hard to achieve in theory [Simon 98] one cannot derive collision resistance from general preimage resistance (there exists no black box reduction) hard to achieve in practice requires double output length 2 n/2 versus 2 n many attacks Good news: not always necessary Even better news: rarely necessary 15
16 How to solve collision problem in digital signatures? SK A Message m UOWHF TCR $ Random r r {0,1} k esec Signature Sig SK A ( r h r (m)) Hash function is only chosen after the message has been committed to, so collisions for a particular hash function are useless If two messages m, m are found with the same signature, the signer must have cheated by first choosing r and then finding a collision Fine in theory, but will this work in practice? 16
17 Courts and second preimage resistance 17
18 Pseudo-random function computationally indistinguishable from a random function $ $ Adv prf h = Pr [ K K: A h K (.) 1] - Pr [ f RAND(m,n): A f 1] RAND(m,n): set of all functions from m-bit to n-bit strings K h f?or?? D This concept makes only sense for a function with a secret key 18
19 Indifferentiability from a random oracle or PRO property [Maurer+04] variant of indistinguishability appropriate when distinguisher has access to inner component (e.g. building block of a hash function) Simulator S, distinguisher DAdv D, PRO (H,S) is small H (hash function) FIL RO VIL RO S? or? D!! But [Ristenpart-Shacham- Shrimpton 11]: not always sufficient for ROM security 19
20 Properties in practice other properties are needed: near-collision i resistance partial preimage resistance (most of input known) multiplication freeness MAC property Which properties are relevant? How to formalize these requirements and the relation between all these properties? Keyed or unkeyed? Who chooses the key? What about the salt? 20
21 21
22 Iterationti (mode of compression function) 22 22
23 Hash function: iterated structure IV H 1 H 2 H f f f H 3 f g x 1 x 2 x 3 x 4 Fix IV Unambiguous padding Suffix-free encoding [Merkle 89-Damgård 89] f is collision resistant h is collision resistant Are the roles of the 2 inputs of the compression function really equivalent? 23
24 Attacks on MD-type iterations multi-collision attack and impact on concatenation [Joux 04] ] long message 2 nd preimage attack [Dean-Felten-Hu'99], [Kelsey-Schneier 05] Sec security degrades lineary with number 2 t of message blocks hashed: 2 n-t+1 +t2 n/2+1 appending the length does not help! herding attack [Kelsey-Kohno 06] reduces security of commitment using a hash function from 2 n on-line 2 n-t + precomputation ti (n+t)/2 + storage 2 t 24
25 Improving MD iteration salt + output transformation + counter + wide pipe IV salt salt salt salt salt H 1 H 2 H 3 f 2n f f f 2n 2n 2n 2n n g x 1 x 2 x 3 x x 25
26 Improving MD iteration degradation with use: salting (family of functions, randomization) or should a salt be part of the input? PRO/Indif: strong output transformation g also solves length extension long message 2 nd preimage: preclude fix points counter f f i [Biham-Dunkelman 07] multi-collisions, herding: avoid breakdown at 2 n/2 with larger internal memory: known as wide pipe e.g., extended MD4, RIPEMD, [Lucks 05] 26
27 Some Domain Extender Security Results [Andreeva-Neven-P-Shrimpton07], [Andreeva-Mennink-P11] Col Sec asec esec Pre apre epre Indif 1. SMD [M90, D90] Linear hash [BR97] XOR Linear hash [BR97] Shoup's hash [Sho00] BCM [AP08] ? 6. Prefix-free MD [CDMP05] Randomized hash [HK06] HAIFA [BD06] Enveloped MD [BR06] Str. Merkle Tree [Mer80] ? 11. Linear Tree [BR97] ? 12. ROX [ANPS07] ? 27
28 Preservation which constructions preserve which properties? or is it ok if we can prove security for the iteration? assumptions on compression function f for PRO/Indif f is preimage aware (MD) f is FIL-PRO (variant of MD) Impact of results in ideal model? Can tight reductions be made? Is it meaningful to preserve Pre? 28
29 Compression function 29 29
30 Block cipher (E K ) based: single block length Davies-Meyer Miyaguchi-Preneel H H i-1 E i x i E H i x i H i-1 output length = block length m; rate 1; 1 key schedule per encryption 12 secure compression functions (in ideal cipher model) lower bounds: collision 2 m/2, (2nd) preimage 2 m [Preneel+ 93], [Black-Rogaway-Shrimpton 02], [Duo-Li 06], [Stam 09], 30
31 Blake Davies-Meyer + double pipe internally H i-1 E H i x i 31
32 Permutation (π) based: sponge x 1 x 2 x 3 x 4 h1 h2 H1 0 π π π π π π π π H2 0 absorb buffer squeeze Examples: Panama, RadioGatun Keccak (no buffer) Generalization called Parazoa JH, Cubehash, Fuge, Grindahl, Hamsi, Luffa 32
33 Permutation (π) based parazoa JH small permutation Grøstl x i H1 i-1 H1 i x i π 1 H2 i-1 π i H2 i H i-1 π 2 H i 33
34 MDC-2 and MDC-4 [Brachtl+ 89] E 1,E 2 E 1, E 2 n-bit block cipher with n-bit key
35 Some security results [Steinberger 07,Mennink+ 11]
36 2n-to-n bit compression function with 3 permutations Earlier work: [RogawaySteinberger 08, Stam 08, Steinberger 10] Slide credit: Bart Mennink
37 Slide credit: Bart Mennink 2n-to-n bit compression function with 3 permutations and XORs [Mennink+ 11]
38 Iteration modes and compression functions security of simple modes well understood powerful tools available analysis of slightly more complex schemes very difficult need strong assumptions imho not justified is there a point to build larger hash functions from small building blocks? why not construct large permutations (e.g. Keccack = 1600 bits)? what if the building block is not ideal (the larger they are the more risky)? MD versus sponge? 38
39 Hash function constructions 39 39
40 Hash function history 101 DES RSA HA ARDWAR RE SOFTWA ARE AES single block length double block length permu- tations ad hoc schemes security reduction for factoring, DLOG, lattices MD2 MD4 MD5 Dedicated SHA-1 SNEFRU RIPEMD-160 SHA-2 Whirlpool 2010 SHA-3 40
41 Performance of hash functions [Bernstein-Lange] (cycles/byte) AMD Intel Pentium D 2992 MHz (f64) MD4 MD5 SHA-1 RMD- DES SHA- SHA- 160 (estimated) Whirlpool AES AES- hash 41
42 The complexity of collision attacks brute force: 1 million PCs (1 year) or US$ 100,000 hardware (4 days) MD4 MD5 SHA-0 SHA-1 Brute force
43 MD5 advice (RIPE since 92, RSA since 96): stop using MD5 largely ignored by industry until 2009 (click on a cert...) 43
44 Rogue CA attack [Sotirov-Stevens-Appelbaum-Lenstra-Molnar-Osvik-de Weger 08] request user cert; by special Self-signed collision this results in a fake CA root key cert (need to predict serial number + validity period) CA1 CA2 Rogue CA impact: rogue CA that can issue certs that are trusted by all browsers User1 User2 User x 6 CAs have issued certificates signed with MD5 in 2008: Rapid SSL, Free SSL (free trial certificates offered by RapidSSL), TC TrustCenter AG, RSA Data Security, Verisign.co.jp 44
45 log 2 complexity [Wang+ 04] [Wang+ 05] [Sugita+ 06] 20 Most attacks unpublished/withdrawn 10 0 SHA-1 [Mendel+ 08] [Manuel+ 09] [McDonald+ 09] SHA-1 prediction: collision for SHA-1 in the next months 45
46 46
47 SHA
48 NIST AHS competition (SHA-3) SHA-3 must support 224, 256, 384, and 512-bit message digests, and must support a maximum message length of at least 2 64 bits Call: 02/11/07 Deadline (64): 31/10/08 Round 1 (51): 9/12/08 Round 2 (14): 24/7/09 60 Final (5): 9/12/10 0 Standard: Q Q4/08 Q3/09 Q4/10 Q3/12 round d1 round 2 final 48
49 The candidates Slide credit: Christophe De Cannière 49
50 Preliminary cryptanalysis Slide credit: Christophe De Cannière 50
51 End of Round 1 candidates a Slide credit: Christophe De Cannière 51
52 Round 2 candidates a Slide credit: Christophe De Cannière 52
53 Properties: bits and bytes [Watanabe 10] 53
54 Security Analysis of the 2 nd Round SHA-3 Candidates [Andreeva-Mennink-P 10] 54
55 Security results for 256-bit versions l-state size m-bl. size Pre Sec Col Indif BLAKE Grøstl L JH Keccak Skein NIST requirements L L: # msg blocks E. Andreeva, A. Luykx and B. Mennink, "Provable Security of BLAKE with Non- Ideal Compression Function", eprint Archive, Report 2011/620. D. Chang, M. Nandi and M. Yung: Indifferentiability of the hash algorithm BLAKE, eprint Archive, Report 2011/623. E. Andreeva, B. Mennink and B. Preneel, "Security Analysis and Comparison of the SHA-3 Finalists BLAKE, Grøstl, JH, Keccak, and Skein ", Slide credit: Elena Andreeva 55
56 Security Results for 512-bit Versions l-state size m-bl. size Pre Sec Col Indif BLAKE Grøstl L JH Keccak Skein NIST requirements L L: # msg blocks E. Andreeva, A. Luykx and B. Mennink, "Provable Security with Non-Ideal Compression Function", eprint Archive, Report 2011/620. D. Chang, M. Nandi and M. Yung: Indifferentiability of the hash algorithm BLAKE, eprint Archive, Report 2011/623. E. Andreeva, B. Mennink and B. Preneel, "Security Analysis and Comparison of the SHA-3 Finalists BLAKE, Grøstl, JH, Keccak, and Skein ", Slide credit: Elena Andreeva
57 Open questions standard model security proofs (other than Col preservation) improved Indif bounds JH-512 optimality for Sec and Pre security in the ideal model Slide credit: Elena Andreeva 57 57
58 SWIFFTX [Arbitman-Dogon-Lyubashevsky-Micciancio- Peikert-Rosen 08] compression function: SWIFFT: FFT-like operation from (Z 32 2 ) 64 to Z sandwich: 3xSWIFFT - S-boxes - 1xSWIFFT asymptotic proof of security: it can be formally proved that finding a collision in a randomly- chosen compression function from the SWIFFTX family is at least as hard as finding short vectors in cyclic/ideal lattices over the ring Z[α]/(α n +1) is in the worst case. note: SWIFFT mapping is linear and some heuristics are needed to kill the linearity speed: 57 cpb 58
59 FSB [Augot-Finiasz-Gaborit-Manuel-Sendrier 08] compression function: multiplication of vector of Hamming weight w with a truncated quasi-cyclic binary matrix can be interpreted as a syndrome computation of error pattern with weight w MD iteration with Whirlpool as output transformation security can be reduced to: (Computational Syndrome Decoding) Given a binary r x n matrix H, a word s {0,1} r and an integer w > 0, find a word e {0,1} n of Hamming weight w such that eh T = s. (Codeword Finding) Given a binary r x n matrix H and an integer w > 0, and a non-zero word e {0,1} n of Hamming weight w with an all zero H- syndrome. speed 324 cycles/byte RFSB: cycles/byte on Core 2 Q9550 [Bernstein-Lange 11] 59
60 Hash functions: conclusions attacks: cryptographic meltdown but not dramatic for most applications half-life of a hash function is < 1 year solid progress in theory, but still quite a large gap between theory and practice nirwana: efficient i hash h functions with security reductions 60
Title of Presentation
The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition Title of Presentation Bart Preneel COSIC/Kath. Univ. Leuven (Belgium) Session ID: CRYP-202 Session Classification: Hash
More informationIntroduction to the Design and. Cryptanalysis of Cryptographic Hash Functions
Introduction to the Design and Bart Preneel KU Leuven - COSIC irstname.lastname@esat.kuleuven.be Title o Presentation Cryptanalysis o Cryptographic Hash Functions Design and Security o Cryptographic Functions,
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationSecurity Properties of Domain Extenders for Cryptographic Hash Functions
Security Properties of Domain Extenders for Cryptographic Hash Functions Elena Andreeva, Bart Mennink, and Bart Preneel Abstract Cryptographic hash functions reduce inputs of arbitrary or very large length
More information2 n 2 n 2 n/2. Bart Preneel Generic Constructions for Iterated Hash Functions. Generic Constructions for Iterated Hash Functions.
or Iterated Hash Functions or Iterated Hash Functions COSIC Kath. Univ. Leuven, Belgium & ABT Crypto bart.preneel(at)esat.kuleuven.be April 2007 Outline deinitions applications generic attacks attacks
More informationRIPEMD-160 MDC-2 SHA-256 SHA-3
Has unctions Introduction to te Design and Cryptanalysis o Cryptograpic Has Functions Bart Preneel KU Leuven - COSIC irstname.lastname@esat.kuleuven.be X.509 Annex D MDC-2 MD2, MD4, MD5 SHA-1 Tis is an
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationSecurity Analysis and Comparison of the SHA-3 Finalists BLAKE, Grøstl, JH, Keccak, and Skein
Security Analysis and Comparison of the SA-3 Finalists BLAKE, Grøstl, J, Keccak, and Skein Elena Andreeva, Bart Mennink, Bart Preneel and Marjan Škrobot Dept. Electrical Engineering, ESAT/COSIC and IBBT
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationProvable Chosen-Target-Forced-Midx Preimage Resistance
Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /
More informationProvable Seconde Preimage Resistance Revisited
Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More informationHash function design and cryptanalysis: basic topics. Applications. June Hash Functions Bart Preneel
Has unctions Has unction design and cryptanalysis: basic topics Title o Presentation X.509 Anne D MDC-2 MD2, MD4, MD5 SHA-1 RIPMD-160 SHA-256 SHA-512 SHA-3 KU Leuven - COSIC irstname.lastname@esat.kuleuven.be
More information2: Iterated Cryptographic Hash Functions
2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationHigher Order Universal One-Way Hash Functions
Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationHASH FUNCTIONS. Mihir Bellare UCSD 1
HASH FUNCTIONS Mihir Bellare UCSD 1 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant
More informationContributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions
Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions By Przemys law Szczepan Soko lowski A thesis submitted to Macquarie University for the degree of Doctor of Philosophy
More informationRebound Attack on Reduced-Round Versions of JH
Rebound Attack on Reduced-Round Versions of JH Vincent Rijmen 1,2, Deniz Toz 1 and Kerem Varıcı 1, 1 Katholieke Universiteit Leuven Department of Electronical Engineering ESAT SCD-COSIC, and Interdisciplinary
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More informationDesign Paradigms for Building Multi-Property Hash Functions
Design Paradigms or Building Multi-Property Hash Functions Thomas Ristenpart UCSD Security and Cryptography Lab Lorentz Workshop June, 2008 Multi-property hash unctions One hash unction with many security
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationProvable Chosen-Target-Forced-Midfix Preimage Resistance
Provable Chosen-Target-Forced-Midfix Preimage Resistance Elena Andreeva and Bart Mennink Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva, bart.mennink}@esat.kuleuven.be
More informationSponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1
Sponge Functions Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function
More informationHASH FUNCTIONS 1 /62
HASH FUNCTIONS 1 /62 What is a hash function? By a hash function we usually mean a map h : D {0,1} n that is compressing, meaning D > 2 n. E.g. D = {0,1} 264 is the set of all strings of length at most
More informationH Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.
Definition - hash function Cryptographic Hash Functions - Introduction Lars R. Knudsen April 21, 2008 Located in the southernmost part of Europe with an artic climate, Hotel Finse 1222 provides the perfect
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationAdaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications
Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,
More informationImproved Generalized Birthday Attack
Improved Generalized Birthday Attack Paul Kirchner July 11, 2011 Abstract Let r, B and w be positive integers. Let C be a linear code of length Bw and subspace of F r 2. The k-regular-decoding problem
More informationSTRIBOB : Authenticated Encryption
1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.11-2012 or Whirlpool Markku-Juhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationAttacks on hash functions: Cat 5 storm or a drizzle?
Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005 1 Outline Hash functions: Definitions Constructions Attacks What to do 2 Outline
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationMix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles
Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles Mohammad Reza Reyhanitabar and Willy Susilo Centre for Computer and Information Security Research School of Computer
More informationHash-based Signatures. Andreas Hülsing
Hash-based Signatures Andreas Hülsing Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 23-2-2016 PAGE 2... 1 3 1 4 2 3 2 2 3 2 3 4 1 2 1 2 1 1 y x x x x
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationFunctional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners
Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners Zhenzhen Bao 1,2, Lei Wang 1,3, Jian Guo 2, and Dawu Gu 1 1 Shanghai Jiao Tong University, Shanghai, China 2 Nanyang Technological
More informationAURORA: A Cryptographic Hash Algorithm Family
AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationKeccak sponge function family main document
Keccak sponge function family main document Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 http://keccak.noekeon.org/ Version 1.1 January 9, 2009 1 STMicroelectronics 2 NXP Semiconductors
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationNew Techniques for Cryptanalysis of Cryptographic Hash Functions. Rafael Chen
New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafael Chen New Techniques for Cryptanalysis of Cryptographic Hash Functions Research Thesis Submitted in partial fulfillment of the requirements
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationHash-based signatures & Hash-and-sign without collision-resistance
Hash-based signatures & Hash-and-sign without collision-resistance Andreas Hülsing 22.12.2016 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 22-12-2016
More informationProvable Security of BLAKE with Non-Ideal Compression Function
Provable Security o BLAKE with No-Ideal Compressio Fuctio Elea Adreeva, Atul Luykx, ad Bart Meik (KU Leuve) Selected Areas i Cryptography Widsor, Caada August 17, 2012 1 13 Prelimiaries BLAKE H : {0, 1}
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationCryptanalysis of Dedicated Cryptographic Hash Functions
Cryptanalysis of Dedicated Cryptographic Hash Functions Markku-Juhani Olavi Saarinen Technical Report RHUL MA 2009 22 10 November 2009 Department of Mathematics Royal Holloway, University of London Egham,
More informationHow to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland
How to Improve Rebound Attacks María Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Author manuscript, published in "Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference 4622 (2007) 13-30" DOI : 10.1007/978-3-540-74143-5_2 Full Key-Recovery Attacks on
More informationRebound Distinguishers: Results on the Full Whirlpool Compression Function
Rebound Distinguishers: Results on the Full Whirlpool Compression Function Mario Lamberger 1, Florian Mendel 1, Christian Rechberger 1, Vincent Rijmen 1,2,3, and Martin Schläffer 1 1 Institute for Applied
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationPractical consequences of the aberration of narrow-pipe hash designs from ideal random functions
Practical consequences of the aberration of narrow-pipe hash designs from ideal random functions Danilo Gligoroski 1 and Vlastimil Klima 2 1 Faculty of Information Technology, Mathematics and Electrical
More informationSome Attacks on Merkle-Damgård Hashes
Overview Some Attacks on Merkle-Damgård Hashes John Kelsey, NIST and KU Leuven May 8, 2018 m 0 m 1 m 2 m 3 10*L h 0 h 1 h 2 h final Introduction 1 / 63 Overview Cryptographic Hash unctions Thinking About
More informationOnline Cryptography Course. Collision resistance. Introduc3on. Dan Boneh
Online Cryptography Course Collision resistance Introduc3on Recap: message integrity So far, four MAC construc3ons: PRFs ECBC- MAC, CMAC : commonly used with AES (e.g. 802.11i) NMAC : basis of HMAC (this
More informationBreaking H 2 -MAC Using Birthday Paradox
Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of
More informationThe Hash Function Fugue
The Hash Function Fugue Shai Halevi William E. Hall Charanjit S. Jutla IBM T.J. Watson Research Center October 6, 2009 Abstract We describe Fugue, a hash function supporting inputs of length upto 2 64
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationSecurity Analysis of the Compression Function of Lesamnta and its Impact
Security Analysis of the Compression Function of Lesamnta and its Impact Shoichi Hirose 1, Hidenori Kuwakado 2, Hirotaka Yoshida 3, 4 1 University of Fukui hrs shch@u-fukui.ac.jp 2 Kobe University kuwakado@kobe-u.ac.jp
More information3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function
3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function Praveen Gauravaram 1, William Millan 1, Juanma Gonzalez Neito 1, Edward
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationImproved Collision Attacks on the Reduced-Round Grøstl Hash Function
Improved Collision Attacks on the Reduced-Round Grøstl Hash Function Kota Ideguchi 1,3, Elmar Tischhauser 1,2,, and Bart Preneel 1,2 1 Katholieke Universiteit Leuven, ESAT-COSIC and 2 IBBT Kasteelpark
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationReset Indifferentiability and its Consequences
Reset Indifferentiability and its Consequences ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Arno Mittelbach Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationSecurity of Permutation-based Compression Function lp231
Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications
More informationLinear Analysis of Reduced-Round CubeHash
Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer
More informationA Novel Permutation-Based Hash Mode of Operation FP and the Hash Function SAMOSA
A Novel Permutation-Based Hash Mode of Operation FP and the Hash Function SAMOSA Souradyuti Paul 1, Ekawat Homsirikamol 2, and Kris Gaj 2 1 University of Waterloo, Canada, and K.U. Leuven, Belgium souradyuti.paul@esat.kuleuven.be
More informationLinear Analysis of Reduced-Round CubeHash
Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by
More informationHash-based Signatures
Hash-based Signatures Andreas Hülsing Summer School on Post-Quantum Cryptography June 2017, TU Eindhoven Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Q. Nguyen École Normale Supérieure Département d Informatique, 45 rue d Ulm, 75230 Paris Cedex 05, France
More informationA Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model
A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information
More informationImproved Indifferentiability Security Bound for the JH Mode
Improved Indifferentiability Security Bound for the JH Mode Dustin Moody Souradyuti Paul Daniel Smith-Tone National Institute of Standards and Technology Gaithersburg, MD, USA dustin.moody@nist.gov National
More informationNew Preimage Attacks Against Reduced SHA-1
New Preimage Attacks Against Reduced SHA-1 Simon Knellwolf 1 and Dmitry Khovratovich 2 1 ETH Zurich and FHNW, Switzerland 2 Microsoft Research Redmond, USA Abstract. This paper shows preimage attacks against
More informationHigher Order Universal One-Way Hash Functions from the Subset Sum Assumption
Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Ron Steinfeld, Josef Pieprzyk, Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au
More informationOn the Collision and Preimage Security of MDC-4 in the Ideal Cipher Model
On the ollision and Preimage Security o in the Ideal ipher Model art Mennink Dept. Electrical Engineering, EST/OSI and IT Katholieke Universiteit Leuven, elgium bart.mennink@esat.kuleuven.be bstract. We
More informationOn Security Arguments of the Second Round SHA-3 Candidates
On Security Arguments o the Second Round SA-3 Candidates Elena Andreeva Andrey Bogdanov Bart Mennink Bart Preneel Christian Rechberger March 19, 2012 Abstract In 2007, the US National Institute or Standards
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationOn the Security of Hash Functions Employing Blockcipher Postprocessing
On the Security of Hash Functions mploying Blockcipher Postprocessing Donghoon Chang 1, Mridul Nandi 2, and Moti Yung 3 1 National Institute of Standards and Technology, USA pointchang@gmail.com 2 C R
More information