Introduction to the Design and. Cryptanalysis of Cryptographic Hash Functions
|
|
- Brett Douglas
- 5 years ago
- Views:
Transcription
1 Introduction to the Design and Bart Preneel KU Leuven - COSIC irstname.lastname@esat.kuleuven.be Title o Presentation Cryptanalysis o Cryptographic Hash Functions Design and Security o Cryptographic Functions, Algorithms and Devices Insert presenter logo here on slide master Albena, July 2013
2 Hash unctions X.509 Annex D MDC-2 MD2, MD4, MD5 SHA-1 RIPEMD-160 SHA-256 SHA-512 SHA-3 This is an input to a cryptographic hash unction. The input is a very long string, that is reduced by the hash unction to a string o ixed length. There are additional security conditions: it should be very hard to ind an input hashing to a given value (a preimage) or to ind two colliding inputs (a collision). h 1A3FD4128A198FB3CA
3 Applications short unique identiier to a string digital signatures data authentication one-way unction o a string protection o passwords micro-payments conirmation o knowledge/commitment pseudo-random string generation/key derivation entropy extraction construction o MAC algorithms, stream ciphers, block ciphers, 2005: 800 uses o MD5 in Microsot Windows 3
4 Agenda Deinitions Iterations (modes) Compression unctions Constructions SHA-3 Conclusions 4
5 Hash unction lavors cryptographic hash unction MAC MDC this talk OWHF UOWHF (TCR) CRHF 5
6 Inormal deinitions no secret parameters input string x o arbitrary length output h(x) o ixed bitlength n computation easy One Way Hash Function (OWHF) preimage resistance 2 nd preimage resistance Collision Resistant Hash Function (CRHF): OWHF + collision resistant 6
7 Security requirements (n-bit result) preimage 2 nd preimage collision? x??? h h h h h h(x) h(x) = h(x ) h(x) = h(x ) 2 n 2 n 2 n/2 7
8 Preimage resistance preimage? h in a password ile, one does not store (username, password) but (username,hash(password)) this is suicient to veriy a password an attacker with access to the password ile has to ind a preimage h(x) 2 n 8
9 Second preimage resistance 2 nd preimage x? x h(x) Channel 1: high capacity and insecure h h Channel 2: low capacity but secure (= authenticated cannot be modiied) an attacker can modiy x but not h(x) h(x) = h(x ) he can only ool the recipient i he inds a second preimage o x 2 n 9
10 Collision resistance hacker Alice prepares two versions o a sotware driver or the O/S company Bob x is correct code x contains a backdoor that gives Alice access to the machine Alice submits x or inspection to Bob i Bob is satisied, he digitally signs h(x) with his private key x h collision x h Alice now distributes x to users o the O/S; these users veriy the signature with Bob s public key this signature works or x and or x, since h(x) = h(x ) h(x) = 2 n/2 h(x ) 10
11 Pseudo-random unction computationally indistinguishable rom a random unction $ $ Adv h pr = Pr [ K K: A h K (.) 1] - Pr [ RAND(m,n): A 1] RAND(m,n): set o all unctions rom m-bit to n-bit strings K h? or? D This concept makes only sense or a unction with a secret key 11
12 Indierentiability rom a random oracle or PRO property [Maurer+04] variant o indistinguishability appropriate when distinguisher has access to inner component (e.g. building block o a hash unction) Simulator S, distinguisher D, Adv PRO (H,S) is small H (hash unction) FIL RO VIL RO S? or? D 12
13 Brute orce (2 nd ) preimage multiple target second preimage (1 out o many): i one can attack 2 t simultaneous targets, the eort to ind a single preimage is 2 n-t multiple target second preimage (many out o many): time-memory trade-o with Θ(2 n ) precomputation and storage Θ(2 2n/3 ) time per (2 nd ) preimage: Θ(2 2n/3 ) [Hellman 80] answer: randomize hash unction with a parameter S (salt, key, spice, ) 13
14 The birthday paradox how many people r do I need to have in a room to have a probability o p=50% to have at least 2 people with the same birthday? answer: 23 what is the probability that the birthdays o r people are distinct? r terms q = 1 - p = / / /365 (365-(r-1))/365 q = 1-p 0.5 or r = 23 intuition: number o distinct pairs o people is 23.22/2 = 253; each pair has probability 1/365 to have the same birthday exercise: how many people do you need in a room to have a probability o 0.50 to have 3 people with the same birthday? 14
15 The birthday paradox (2) given a set with S elements choose r elements at random (with replacements) with r «S the probability p that there are at least 2 equal elements (a collision) 1 - exp (- r(r-1)/2s) more precisely, it can be shown that p 1 - exp (- r(r-1)/2s) i r < 2S then p 0.6 r (r-1)/2s or a hash unction with an n-bit result, a collision can be ound in time 2 n/2 and memory 2 n/2 15
16 Brute orce attacks in practice (2 nd ) preimage search n = 128: 23 B$ or 1 year i one can attack 2 40 targets in parallel parallel collision search: small memory using cycle inding algorithms (distinguished points) n = 128: 1 M$ or 8 hours (or 1 year on 100K PCs) n = 160: 90 M$ or 1 year need 256-bit result or long term security (30 years or more) 16
17 Relation between properties [Rogaway-Shrimpton 04] [Stinson 06] [Reyhanitabar-Susilo-Mu 10] [Andreeva-Stam 10] Even i Coll xsec/pre: bound always 2 n/2 << 2 n 17
18 Properties in practice collision resistance is not always necessary other properties may be needed: PRF: pseudo-randomness i keyed (with secret key) PRO: pseudo-random oracle property (indierentiable rom a random oracle) but see [Ristenpart-Shacham-Shrimpton 11] near-collision resistance partial preimage resistance (most o input known) multiplication reeness how to ormalize these requirements and the relation between them? 18
19 Iteration (mode o compression unction) 19 19
20 How not to construct a hash unction Divide the message into t blocks x i o n bits each Message block 1: x 1 Message block 2: x 2 Message block t: x t = Hash value h(x) 20
21 Hash unction: iterated structure IV H 1 H 2 H 3 g x 1 x 2 x 3 x 4 split messages into blocks o ixed length and hash them block by block with a compression unction need padding at the end eicient and elegant. but 21
22 Security relation between and h iterating can degrade its security trivial example: 2 nd preimage IV H 1 H 2 H 3 g x 1 x 2 x 3 x 4 IV = H 1 H 2 H 3 g x 2 x 3 x 4 22
23 Security relation between and h (2) solution: Merkle-Damgård (MD) strengthening ix IV, use unambiguous padding and insert length at the end is collision resistant h is collision resistant [Merkle 89-Damgård 89] is ideally 2 nd preimage resistant? h is ideally 2 nd preimage resistant [Lai-Massey 92] 23
24 Security relation between and h (3) length extension: i one knows h(x), easy to compute h(x y) without knowing x or IV IV H 1 H 2 H 3 = h(x) x 1 IV x 2 H 1 x 3 H 2 H 3 H 4 = h(x y) x 1 x 2 x 3 y solution: output transormation IV H 1 H 2 H 3 g x 1 x 2 x 3 x 4 24
25 More on property preservation PRO preservation Col, Sec and Pre or ideal compression unction but or narrow pipe bounds or Sec and Pre are at most 2 n/2 rather than 2 n many more results 25
26 Attacks on MD-type iterations long message 2 nd preimage attack [Dean-Felten-Hu'99], [Kelsey-Schneier 05] Sec security degrades lineary with number 2 t o message blocks hashed: 2 n-t+1 + t 2 n/2+1 appending the length does not help here! multi-collision attack and impact on concatenation [Joux 04] herding attack [Kelsey-Kohno 06] reduces security o commitment using a hash unction rom 2 n on-line 2 n-t + precomputation 2.2 (n+t)/2 + storage 2 t 26
27 How (NOT) to strengthen a hash unction? [Coppersmith 85][Joux 04] answer: concatenation h 1 (n1-bit result) and h 2 (n2-bit result) intuition: the strength o g against collision/(2 nd ) preimage attacks is the product o the strength o h 1 and h 2 i both are independent but. h 1 h 2 g(x) = h 1 (x) h 2 (x) 27
28 Multiple collisions multi-collision Assume ideal hash unction h with n-bit result Θ(2 n/2 ) evaluations o h (or steps): 1 collision h(x)=h(x ) Θ(r. 2 n/2 ) steps: r 2 collisions h(x 1 )=h(x 1 ) ; h(x 2 )=h(x 2 ) ; ; h(x r 2)=h(x r 2 ) Θ(2 2n/3 ) steps: a 3-collision h(x)= h(x )=h(x ) Θ(2 n(t-1)/t ) steps: a t-old collision (multi-collision) h(x 1 )= h(x 2 )= =h(x t ) 28
29 Multi-collisions on iterated hash unction (2) IV H 1 H 2 H 3 x 1, x 1 x 2, x 2 x 3, x 3 x 4, x 4 or IV: collision or block 1: x 1, x 1 or H 1 : collision or block 2: x 2, x 2 or H 2 : collision or block 3: x 3, x 3 or H 3 : collision or block 4: x 4, x 4 now h(x 1 x 2 x 3 x 4 ) = h(x 1 x 2 x 3 x 4 ) = h(x 1 x 2 x 3 x 4 ) = = h(x 1 x 2 x 3 x 4 ) a 16-old collision (time: 4 collisions) 29
30 Multi-collisions [Coppersmith 85][Joux 04] inding multi-collisions or an iterated hash unction is not much harder than inding a single collision (i the size o the internal memory is n bits) algorithm generate R = 2 n1/2 -old multi-collision or h 2 in R: search by brute orce or h 1 R Time: n1. 2 n2/2 + 2 n1/2 << 2 (n1 + n2)/2 h 1 h 2 g(x) = h 1 (x) h 2 (x) 30
31 Multi-collisions [Coppersmith 85][ Joux 04] consider h 1 (n1-bit result) and h 2 (n2-bit result), with n1 n2. concatenation o 2 iterated hash unctions (g(x)= h 1 (x) h 2 (x)) is as most as strong as the strongest o the two (even i both are independent) cost o collision attack against g at most n1. 2 n2/2 + 2 n1/2 << 2 (n1 + n2)/2 cost o (2nd) preimage attack against g at most n1. 2 n2/2 + 2 n1 + 2 n2 << 2 n1 + n2 i either o the unctions is weak, the attacks may work better 31
32 Summary 32
33 Improving MD iteration salt + output transormation + counter + wide pipe IV salt salt salt salt salt H 1 H 2 H 3 2n 2n 2n 2n 2n n g x 1 1 x 2 x 3 x x security reductions well understood many more results on property preservation impact o theory limited 33
34 Improving MD iteration degradation with use: salting (amily o unctions, randomization) or should a salt be part o the input? PRO: strong output transormation g also solves length extension long message 2 nd preimage: preclude ix points counter i [Biham-Dunkelman 07] multi-collisions, herding: avoid breakdown at 2 n/2 with larger internal memory: known as wide pipe e.g., extended MD4, RIPEMD, [Lucks 05] 34
35 Tree structure: parallelism [Damgård 89], [Pal-Sarkar 03][Bertoni+13] x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 35
36 Permutation (π) based: sponge x 1 x 2 x 3 x 4 h1 h2 H1 0 H2 0 π π π π π π π π example: RadioGatun absorb buer squeeze generalization ( Parazoa ) JH, Cubehash, Fuge, Grindahl, Hamsi, Lua 36
37 Permutation (π) based: sponge x 1 x 2 x 3 x 4 h1 h2 H1 0 r H2 0 π π π π π π c absorb squeeze i H1 has r bits (rate), H2 has c bits (capacity) and the permutation π is ideal, then a sponge unction has security O(2 c ) against (2 nd ) preimage attacks and O(2 c/2 ) against collision attacks 37
38 Modes: summary growing theory to reduce security properties o hash unction to that o compression unction (MD) or permutation (sponge) preservation o large range o properties relation between properties it is very nice to assume multiple properties o the compression unction, but unortunately it is very hard to veriy these still no single comprehensive theory 38
39 Agenda Deinitions Iterations (modes) Compression unctions Constructions SHA-3 Conclusions 39
40 Compression unctions 40 40
41 Block cipher (E K ) based: single block length Davies-Meyer Miyaguchi-Preneel H i H i H i-1 E x i E x i H i-1 output length = block length m; rate 1; 1 key schedule per encryption 12 secure compression unctions (in ideal cipher model) lower bounds: collision 2 m/2, (2nd) preimage 2 m [Preneel+ 93], [Black-Rogaway-Shrimpton 02], [Duo-Li 06], [Stam 09], 41
42 Permutation (π) based parazoa JH small permutation Grøstl x i H1 i-1 H1 i x i π 1 H2 i-1 π H2 i H i H i-1 π 2 42
43 Iteration modes and compression unctions security o simple modes well understood powerul tools available analysis o slightly more complex schemes very diicult which properties are meaningul? which properties are preserved? MD versus sponge is still open debate 43
44 Hash unction constructions 44 44
45 Hash unction history 101 DES RSA HARDWARE SOFTWARE AES single block length double block length permutations ad hoc schemes security reduction or actoring, DLOG, lattices MD2 MD4 MD5 Dedicated SHA-1 SNEFRU RIPEMD-160 SHA-2 Whirlpool 2010 SHA-3 45
46 MDx-type hash unction history MD4 Ext. MD4 90 MD5 91 HAVAL RIPEMD 92 SHA(-0) SHA-1 RIPEMD SHA-2 SHA
47 MD5 [Rivest 91]: 4 rounds o 16 steps x 0 x 15 H i-1 A 0 B 0 C 0 D 0 A 1 B 1 C 1 D 1 A 16 B 16 C 16 D 16 x p(0) x p(15) g g A 17 B 17 C 17 D 17 A 32 B 32 C 32 D 32 x i K x q(0) x q(15) h h A 33 B 33 C 33 D 33 A 48 B 48 C 48 D 48 i x r(0) x r(15) j j A 49 B 49 C 49 D 49 A 64 B 64 C 64 D 64 + H i 47
48 Slide credit: C. Rechberger State updates in the MD4 amily MD4 SHA/SHA-1 SHA-256 K W << s KN+1 WN+1 + << >> 2 Σ 0 + M A J Σ 1 C H K W + + A N B N C N D N E N F N G N H N Design principles copied in MD5, RIPEMD, HAVAL, SHA, SHA-1, SHA-256,... All hash unctions in use today 48
49 The complexity o collision attacks brute orce: 1 million PCs (1 year) or US$ 100,000 hardware (4 days) MD4 MD5 SHA-0 SHA-1 Brute orce 49
50 log 2 complexity SHA-1 designed by NIST (NSA) in 94 [Wang+ 04] [Wang+ 05] [Mendel+ 08] [Manuel+ 09] [Stevens 12] [Sugita+ 06] [McDonald+ 09] Most attacks unpublished/withdrawn prediction: collision or SHA-1 in the next 12 months 50
51 Rogue CA attack [Sotirov-Stevens-Appelbaum-Lenstra-Molnar-Osvik-de Weger 08] request user cert; by special collision this results in a ake CA cert (need to predict serial number + validity period) Sel-signed root key CA1 CA2 Rogue CA impact: rogue CA that can issue certs that are trusted by all browsers User1 User2 User x 6 CAs have issued certiicates signed with MD5 in 2008: Rapid SSL, Free SSL (ree trial certiicates oered by RapidSSL), TC TrustCenter AG, RSA Data Security, Verisign.co.jp 51
52 Upgrades RIPEMD-160 is good replacement or SHA-1 upgrading algorithms is always hard TLS uses MD5 SHA-1 to protect algorithm negotiation (up to v1.1) upgrading negotiation algorithm is even harder: need to upgrade TLS 1.1 to TLS
53 SHA-2 [NIST 02] SHA-224, SHA-256, SHA-384, SHA-512 non-linear message expansion 64/80 steps SHA-384 and SHA-512: 64-bit architectures SHA-256 collisions: 31/64 steps [Mendel+ 13] ree start collision: 52/64 steps (2 12x ) [Li+12] non-randomness 47/64 steps (practical) [Biryukov+11][Mendel+11] SHA-256 preimages: 45/64 steps (2 25x ) [Khovratovich+ 12] implementations today aster than anticipated adoption industry slow in migrating; may be now implementing SHA-3 very slow or TLS/IPsec (no pressing need) 53
54 Agenda Deinitions Iterations (modes) Compression unctions Constructions SHA-3 Conclusions 54
55 SHA-3 (bits and bytes) 55 55
56 NIST AHS competition (SHA-3) SHA-3: 224, 256, 384, and 512-bit message digests (similar to SHA-2) Call: 02/11/07 Deadline (64): 31/10/08 Round 1 (51): 09/12/08 Round 2 (14): 24/7/09 Final (5): 10/12/10 Selection: 02/10/ Q4/08 Q3/09 Q4/10 Q4/12 round 1 round 2 inal 56
57 The candidates Slide credit: Christophe De Cannière 57
58 Preliminary cryptanalysis Slide credit: Christophe De Cannière 58
59 End o Round 1 candidates a Slide credit: Christophe De Cannière 59
60 Round 2 candidates a Slide credit: Christophe De Cannière 60
61 Properties: bits and bytes [Watanabe 10] 61
62 Sotware perormance ebash [Bernstein-Lange] logarithmic scale slower actor 4 in cycles/byte 62
63 Hardware: post-place & route results ASIC 130nm [Guo-Huang-Nazhandali-Schaumont 10] Throughput (Gbps) Keccak SHA256 Blake BMW CubeHash Blake JH Grøstl ECHO Fugue Grostl Hamsi JH Keccak Lua Shabal SHAvite SIMD Skein ,000 80, , , ,000 Slide credit: Patrick Schaumont, Virginia Tech Skein Area (GateEqv) 63
64 Keccak permutation: 25, 50, 100, 200, 400, 800, 1600 nominal version: 5x5 array o 64 bits 18 rounds o 5 steps 64
65 new number (not 180-x) Keccak: FIPS lexible output length and tree structure (Sakura) allowed by additional encoding six versions n=256; c = 256; r = 1344 (84%) n=256; c = 256; r = 1344 (84%) n=384; c = 512; r = 1088 (68%) n=512; c = 512; r = 1088 (68%) n=x; c = 256; r = 1344 (84%) n=x; c = 512; r = 1088 (68%) I H1 has r bits (rate), H2 has c bits (capacity) and the permutation π is ideal, then a sponge unction has security O(2 c ) against (2 nd ) preimage attacks and O(2 c/2 ) against collision attacks 65
66 Perormance o hash unctions [Bernstein-Lange] (cycles/byte) Intel Core 2 Quad Q9550; 4 x 2833MHz (2008) 2001 (estimated) 66
67 Hash unctions: conclusions SHA-1 would have needed steps instead o attacks: cryptographic meltdown but not dramatic or most applications theory is developing or more robust iteration modes and extra eatures; still early or building blocks Nirwana: eicient hash unctions with security reduction 67
Title of Presentation
The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition Title of Presentation Bart Preneel COSIC/Kath. Univ. Leuven (Belgium) Session ID: CRYP-202 Session Classification: Hash
More informationRIPEMD-160 MDC-2 SHA-256 SHA-3
Has unctions Introduction to te Design and Cryptanalysis o Cryptograpic Has Functions Bart Preneel KU Leuven - COSIC irstname.lastname@esat.kuleuven.be X.509 Annex D MDC-2 MD2, MD4, MD5 SHA-1 Tis is an
More informationTheory and practice for hash functions
Theory and practice for hash functions Bart Preneel www.ecrypt.eu.org eu Title of Presentation Katholieke Universiteit it it Leuven - COSIC firstname.lastname@esat.kuleuven.be Cambridge, 1 February 2012
More informationHash function design and cryptanalysis: basic topics. Applications. June Hash Functions Bart Preneel
Has unctions Has unction design and cryptanalysis: basic topics Title o Presentation X.509 Anne D MDC-2 MD2, MD4, MD5 SHA-1 RIPMD-160 SHA-256 SHA-512 SHA-3 KU Leuven - COSIC irstname.lastname@esat.kuleuven.be
More information2 n 2 n 2 n/2. Bart Preneel Generic Constructions for Iterated Hash Functions. Generic Constructions for Iterated Hash Functions.
or Iterated Hash Functions or Iterated Hash Functions COSIC Kath. Univ. Leuven, Belgium & ABT Crypto bart.preneel(at)esat.kuleuven.be April 2007 Outline deinitions applications generic attacks attacks
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationRIPEMD-160 MDC-2 SHA-256 SHA-3
Has unctions Introduction to te Desin and Cryptanalysis o Cryptorapic Has Functions Bart Preneel KU Leuven - COSIC irstname.lastname@esat.kuleuven.be X.509 Annex D MDC-2 MD2, MD4, MD5 SHA-1 Tis is an input
More informationWeek 12: Hash Functions and MAC
Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationProvable Seconde Preimage Resistance Revisited
Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions
More informationHASH FUNCTIONS 1 /62
HASH FUNCTIONS 1 /62 What is a hash function? By a hash function we usually mean a map h : D {0,1} n that is compressing, meaning D > 2 n. E.g. D = {0,1} 264 is the set of all strings of length at most
More informationSecurity Properties of Domain Extenders for Cryptographic Hash Functions
Security Properties of Domain Extenders for Cryptographic Hash Functions Elena Andreeva, Bart Mennink, and Bart Preneel Abstract Cryptographic hash functions reduce inputs of arbitrary or very large length
More informationHash functions. Cryptographic Hash Functions and the SHA-3 Competition. Agenda. Applications. Hash function flavors. Informal definitions (1)
Cryptorapic Has Functions and te SHA-3 Competition Bart Preneel bart.preneel(at)esat.kuleuven.be COSIC/Kat. Univ. Leuven (Belium) X.509 Anne D MDC-2 MD2, MD4, MD5 SHA-1 Tis is an input to a cryptorapic
More informationIntroduction to Information Security
Introduction to Information Security Lecture 4: Hash Functions and MAC 2007. 6. Prof. Byoungcheon Lee sultan (at) joongbu. ac. kr Information and Communications University Contents 1. Introduction - Hash
More informationOn Security Arguments of the Second Round SHA-3 Candidates
On Security Arguments o the Second Round SA-3 Candidates Elena Andreeva Andrey Bogdanov Bart Mennink Bart Preneel Christian Rechberger March 19, 2012 Abstract In 2007, the US National Institute or Standards
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More informationHASH FUNCTIONS. Mihir Bellare UCSD 1
HASH FUNCTIONS Mihir Bellare UCSD 1 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationSecurity Reductions of the Second Round SHA-3 Candidates
Security Reductions o the Second Round SHA-3 Candidates Elena Andreeva, Bart Mennink and Bart Preneel Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva,
More informationH Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.
Definition - hash function Cryptographic Hash Functions - Introduction Lars R. Knudsen April 21, 2008 Located in the southernmost part of Europe with an artic climate, Hotel Finse 1222 provides the perfect
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationDesign Paradigms for Building Multi-Property Hash Functions
Design Paradigms or Building Multi-Property Hash Functions Thomas Ristenpart UCSD Security and Cryptography Lab Lorentz Workshop June, 2008 Multi-property hash unctions One hash unction with many security
More informationThe Security of Abreast-DM in the Ideal Cipher Model
The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationHashes and Message Digests Alex X. Liu & Haipeng Dai
Hashes and Message Digests Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Integrity vs. Secrecy Integrity: attacker cannot
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More information2: Iterated Cryptographic Hash Functions
2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationCryptanalysis of the GOST Hash Function
Cryptanalysis o the GOST Hash Function Florian Mendel 1, Norbert Pramstaller 1, Christian Rechberger 1, Marcin Kontak 2, and Janusz Szmidt 2 1 Institute or Applied Inormation Processing and Communications
More informationSome Attacks on Merkle-Damgård Hashes
Overview Some Attacks on Merkle-Damgård Hashes John Kelsey, NIST and KU Leuven May 8, 2018 m 0 m 1 m 2 m 3 10*L h 0 h 1 h 2 h final Introduction 1 / 63 Overview Cryptographic Hash unctions Thinking About
More informationProvably Secure Double-Block-Length Hash Functions in a Black-Box Model
Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationContributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions
Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions By Przemys law Szczepan Soko lowski A thesis submitted to Macquarie University for the degree of Doctor of Philosophy
More informationAttacks on hash functions: Cat 5 storm or a drizzle?
Attacks on hash functions: Cat 5 storm or a drizzle? Ilya Mironov Microsoft Research, Silicon Valley Campus September 15, 2005 1 Outline Hash functions: Definitions Constructions Attacks What to do 2 Outline
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationRebound Attack on Reduced-Round Versions of JH
Rebound Attack on Reduced-Round Versions of JH Vincent Rijmen 1,2, Deniz Toz 1 and Kerem Varıcı 1, 1 Katholieke Universiteit Leuven Department of Electronical Engineering ESAT SCD-COSIC, and Interdisciplinary
More informationWeaknesses in the HAS-V Compression Function
Weaknesses in the HAS-V Compression Function Florian Mendel and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationAURORA: A Cryptographic Hash Algorithm Family
AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita
More informationSecurity Reductions of the Second Round SHA-3 Candidates
Security Reductions o the Second Round SA-3 Candidates Elena Andreeva, Bart Mennink and Bart Preneel Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva,
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationProvable Chosen-Target-Forced-Midx Preimage Resistance
Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /
More informationNew Techniques for Cryptanalysis of Cryptographic Hash Functions. Rafael Chen
New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafael Chen New Techniques for Cryptanalysis of Cryptographic Hash Functions Research Thesis Submitted in partial fulfillment of the requirements
More informationCryptanalysis of EnRUPT
Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is
More informationPreimage Attacks on Reduced Tiger and SHA-2
Preimage Attacks on Reduced Tiger and SHA-2 Takanori Isobe and Kyoji Shibutani Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Kyoji.Shibutani}@jp.sony.com Abstract. This
More informationThe Impact of Carries on the Complexity of Collision Attacks on SHA-1
The Impact o Carries on the Complexity o Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger and Vincent Rijmen Norbert.Pramstaller@iaik.tugraz.at Institute or Applied
More informationHash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.
Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1
More informationImproved characteristics for differential cryptanalysis of hash functions based on block ciphers
1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,
More informationSMASH - A Cryptographic Hash Function
SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the
More informationQuantum Preimage and Collision Attacks on CubeHash
Quantum Preimage and Collision Attacks on CubeHash Gaëtan Leurent University of Luxembourg, Gaetan.Leurent@uni.lu Abstract. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity
More informationCryptanalysis of a class of cryptographic hash functions
Cryptanalysis o a class o cryptographic hash unctions Praveen Gauravaram 1 and John Kelsey 2 1 Technical University o Denmark, Denmark Inormation Security Institute, Australia p.gauravaram@gmail.com 2
More informationSecurity Analysis and Comparison of the SHA-3 Finalists BLAKE, Grøstl, JH, Keccak, and Skein
Security Analysis and Comparison of the SA-3 Finalists BLAKE, Grøstl, J, Keccak, and Skein Elena Andreeva, Bart Mennink, Bart Preneel and Marjan Škrobot Dept. Electrical Engineering, ESAT/COSIC and IBBT
More informationKeccak sponge function family main document
Keccak sponge function family main document Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 http://keccak.noekeon.org/ Version 1.1 January 9, 2009 1 STMicroelectronics 2 NXP Semiconductors
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #4 Sep 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list Quiz #1 will be on Thursday, Sep 9 th
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationA (Second) Preimage Attack on the GOST Hash Function
A (Second) Preimage Attack on the GOST Hash Function Florian Mendel, Norbert Pramstaller, and Christian Rechberger Institute for Applied Information Processing and Communications (IAIK), Graz University
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2010-2011 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 11th 2010 1 / 61 Last Time (I) Security
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationNew Preimage Attacks Against Reduced SHA-1
New Preimage Attacks Against Reduced SHA-1 Simon Knellwolf 1 and Dmitry Khovratovich 2 1 ETH Zurich and FHNW, Switzerland 2 Microsoft Research Redmond, USA Abstract. This paper shows preimage attacks against
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationSymmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)
Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any
More informationHow to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland
How to Improve Rebound Attacks María Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1
More informationSponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1
Sponge Functions Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function
More informationPractical consequences of the aberration of narrow-pipe hash designs from ideal random functions
Practical consequences of the aberration of narrow-pipe hash designs from ideal random functions Danilo Gligoroski 1 and Vlastimil Klima 2 1 Faculty of Information Technology, Mathematics and Electrical
More informationFurther progress in hashing cryptanalysis
Further progress in hashing cryptanalysis Arjen K. Lenstra Lucent Technologies, Bell Laboratories February 26, 2005 Abstract Until further notice all new designs should use SHA-256. Existing systems using
More informationA new Design Criteria for Hash-Functions
A new Design Criteria or Hash-Functions Jean-Sébastien Coron 1, Yevgeniy Dodis 2, Cécile Malinaud 3, and Prashant Puniya 2 1 University o Luxembourg, coron@clipper.ens.r 2 New-York University, {dodis,puniya}@cs.nyu.edu
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationFunctional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners
Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners Zhenzhen Bao 1,2, Lei Wang 1,3, Jian Guo 2, and Dawu Gu 1 1 Shanghai Jiao Tong University, Shanghai, China 2 Nanyang Technological
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationLinearization and Message Modification Techniques for Hash Function Cryptanalysis
Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationCryptographic Hashes. Yan Huang. Credits: David Evans, CS588
Cryptographic Hashes Yan Huang Credits: David Evans, CS588 Recap: CPA 1. k KeyGen(1 n ). b {0,1}. Give Enc(k, ) to A. 2. A chooses as many plaintexts as he wants, and receives the corresponding ciphertexts
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationInnovations in permutation-based crypto
Innovations in permutation-based crypto Joan Daemen 1,2 based on joint work with Guido Bertoni 3, Seth Hoert, Michaël Peeters 1, Gilles Van Assche 1 and Ronny Van Keer 1 Cryptacus Training School, Azores,
More informationSPCS Cryptography Homework 13
1 1.1 PRP For this homework, use the ollowing PRP: E(k, m) : {0, 1} 3 {0, 1} 3 {0, 1} 3 000 001 010 011 100 101 110 111 m 000 011 001 111 010 000 101 110 100 001 101 110 010 000 111 100 001 011 010 001
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationTheImpactofCarriesontheComplexityof Collision Attacks on SHA-1
TheImpactoCarriesontheComplexityo Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen Institute or Applied Inormation Processing and Communications
More informationMartin Cochran. August 24, 2008
Notes on the Wang et al. 2 63 SHA-1 Differential Path Martin Cochran August 24, 2008 Abstract Although advances in SHA-1 cryptanalysis have been made since the 2005 announcement of a2 63 attack by Wang
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationRebound Distinguishers: Results on the Full Whirlpool Compression Function
Rebound Distinguishers: Results on the Full Whirlpool Compression Function Mario Lamberger 1, Florian Mendel 1, Christian Rechberger 1, Vincent Rijmen 1,2,3, and Martin Schläffer 1 1 Institute for Applied
More information