Introduction to the Design and. Cryptanalysis of Cryptographic Hash Functions

Transcription

1 Introduction to the Design and Bart Preneel KU Leuven - COSIC irstname.lastname@esat.kuleuven.be Title o Presentation Cryptanalysis o Cryptographic Hash Functions Design and Security o Cryptographic Functions, Algorithms and Devices Insert presenter logo here on slide master Albena, July 2013

2 Hash unctions X.509 Annex D MDC-2 MD2, MD4, MD5 SHA-1 RIPEMD-160 SHA-256 SHA-512 SHA-3 This is an input to a cryptographic hash unction. The input is a very long string, that is reduced by the hash unction to a string o ixed length. There are additional security conditions: it should be very hard to ind an input hashing to a given value (a preimage) or to ind two colliding inputs (a collision). h 1A3FD4128A198FB3CA

3 Applications short unique identiier to a string digital signatures data authentication one-way unction o a string protection o passwords micro-payments conirmation o knowledge/commitment pseudo-random string generation/key derivation entropy extraction construction o MAC algorithms, stream ciphers, block ciphers, 2005: 800 uses o MD5 in Microsot Windows 3

4 Agenda Deinitions Iterations (modes) Compression unctions Constructions SHA-3 Conclusions 4

5 Hash unction lavors cryptographic hash unction MAC MDC this talk OWHF UOWHF (TCR) CRHF 5

6 Inormal deinitions no secret parameters input string x o arbitrary length output h(x) o ixed bitlength n computation easy One Way Hash Function (OWHF) preimage resistance 2 nd preimage resistance Collision Resistant Hash Function (CRHF): OWHF + collision resistant 6

7 Security requirements (n-bit result) preimage 2 nd preimage collision? x??? h h h h h h(x) h(x) = h(x ) h(x) = h(x ) 2 n 2 n 2 n/2 7

8 Preimage resistance preimage? h in a password ile, one does not store (username, password) but (username,hash(password)) this is suicient to veriy a password an attacker with access to the password ile has to ind a preimage h(x) 2 n 8

9 Second preimage resistance 2 nd preimage x? x h(x) Channel 1: high capacity and insecure h h Channel 2: low capacity but secure (= authenticated cannot be modiied) an attacker can modiy x but not h(x) h(x) = h(x ) he can only ool the recipient i he inds a second preimage o x 2 n 9

10 Collision resistance hacker Alice prepares two versions o a sotware driver or the O/S company Bob x is correct code x contains a backdoor that gives Alice access to the machine Alice submits x or inspection to Bob i Bob is satisied, he digitally signs h(x) with his private key x h collision x h Alice now distributes x to users o the O/S; these users veriy the signature with Bob s public key this signature works or x and or x, since h(x) = h(x ) h(x) = 2 n/2 h(x ) 10

11 Pseudo-random unction computationally indistinguishable rom a random unction $ $ Adv h pr = Pr [ K K: A h K (.) 1] - Pr [ RAND(m,n): A 1] RAND(m,n): set o all unctions rom m-bit to n-bit strings K h? or? D This concept makes only sense or a unction with a secret key 11

12 Indierentiability rom a random oracle or PRO property [Maurer+04] variant o indistinguishability appropriate when distinguisher has access to inner component (e.g. building block o a hash unction) Simulator S, distinguisher D, Adv PRO (H,S) is small H (hash unction) FIL RO VIL RO S? or? D 12

13 Brute orce (2 nd ) preimage multiple target second preimage (1 out o many): i one can attack 2 t simultaneous targets, the eort to ind a single preimage is 2 n-t multiple target second preimage (many out o many): time-memory trade-o with Θ(2 n ) precomputation and storage Θ(2 2n/3 ) time per (2 nd ) preimage: Θ(2 2n/3 ) [Hellman 80] answer: randomize hash unction with a parameter S (salt, key, spice, ) 13

14 The birthday paradox how many people r do I need to have in a room to have a probability o p=50% to have at least 2 people with the same birthday? answer: 23 what is the probability that the birthdays o r people are distinct? r terms q = 1 - p = / / /365 (365-(r-1))/365 q = 1-p 0.5 or r = 23 intuition: number o distinct pairs o people is 23.22/2 = 253; each pair has probability 1/365 to have the same birthday exercise: how many people do you need in a room to have a probability o 0.50 to have 3 people with the same birthday? 14

15 The birthday paradox (2) given a set with S elements choose r elements at random (with replacements) with r «S the probability p that there are at least 2 equal elements (a collision) 1 - exp (- r(r-1)/2s) more precisely, it can be shown that p 1 - exp (- r(r-1)/2s) i r < 2S then p 0.6 r (r-1)/2s or a hash unction with an n-bit result, a collision can be ound in time 2 n/2 and memory 2 n/2 15

16 Brute orce attacks in practice (2 nd ) preimage search n = 128: 23 B$ or 1 year i one can attack 2 40 targets in parallel parallel collision search: small memory using cycle inding algorithms (distinguished points) n = 128: 1 M$ or 8 hours (or 1 year on 100K PCs) n = 160: 90 M$ or 1 year need 256-bit result or long term security (30 years or more) 16

17 Relation between properties [Rogaway-Shrimpton 04] [Stinson 06] [Reyhanitabar-Susilo-Mu 10] [Andreeva-Stam 10] Even i Coll xsec/pre: bound always 2 n/2 << 2 n 17

18 Properties in practice collision resistance is not always necessary other properties may be needed: PRF: pseudo-randomness i keyed (with secret key) PRO: pseudo-random oracle property (indierentiable rom a random oracle) but see [Ristenpart-Shacham-Shrimpton 11] near-collision resistance partial preimage resistance (most o input known) multiplication reeness how to ormalize these requirements and the relation between them? 18

19 Iteration (mode o compression unction) 19 19

20 How not to construct a hash unction Divide the message into t blocks x i o n bits each Message block 1: x 1 Message block 2: x 2 Message block t: x t = Hash value h(x) 20

21 Hash unction: iterated structure IV H 1 H 2 H 3 g x 1 x 2 x 3 x 4 split messages into blocks o ixed length and hash them block by block with a compression unction need padding at the end eicient and elegant. but 21

22 Security relation between and h iterating can degrade its security trivial example: 2 nd preimage IV H 1 H 2 H 3 g x 1 x 2 x 3 x 4 IV = H 1 H 2 H 3 g x 2 x 3 x 4 22

23 Security relation between and h (2) solution: Merkle-Damgård (MD) strengthening ix IV, use unambiguous padding and insert length at the end is collision resistant h is collision resistant [Merkle 89-Damgård 89] is ideally 2 nd preimage resistant? h is ideally 2 nd preimage resistant [Lai-Massey 92] 23

24 Security relation between and h (3) length extension: i one knows h(x), easy to compute h(x y) without knowing x or IV IV H 1 H 2 H 3 = h(x) x 1 IV x 2 H 1 x 3 H 2 H 3 H 4 = h(x y) x 1 x 2 x 3 y solution: output transormation IV H 1 H 2 H 3 g x 1 x 2 x 3 x 4 24

25 More on property preservation PRO preservation Col, Sec and Pre or ideal compression unction but or narrow pipe bounds or Sec and Pre are at most 2 n/2 rather than 2 n many more results 25

26 Attacks on MD-type iterations long message 2 nd preimage attack [Dean-Felten-Hu'99], [Kelsey-Schneier 05] Sec security degrades lineary with number 2 t o message blocks hashed: 2 n-t+1 + t 2 n/2+1 appending the length does not help here! multi-collision attack and impact on concatenation [Joux 04] herding attack [Kelsey-Kohno 06] reduces security o commitment using a hash unction rom 2 n on-line 2 n-t + precomputation 2.2 (n+t)/2 + storage 2 t 26

27 How (NOT) to strengthen a hash unction? [Coppersmith 85][Joux 04] answer: concatenation h 1 (n1-bit result) and h 2 (n2-bit result) intuition: the strength o g against collision/(2 nd ) preimage attacks is the product o the strength o h 1 and h 2 i both are independent but. h 1 h 2 g(x) = h 1 (x) h 2 (x) 27

28 Multiple collisions multi-collision Assume ideal hash unction h with n-bit result Θ(2 n/2 ) evaluations o h (or steps): 1 collision h(x)=h(x ) Θ(r. 2 n/2 ) steps: r 2 collisions h(x 1 )=h(x 1 ) ; h(x 2 )=h(x 2 ) ; ; h(x r 2)=h(x r 2 ) Θ(2 2n/3 ) steps: a 3-collision h(x)= h(x )=h(x ) Θ(2 n(t-1)/t ) steps: a t-old collision (multi-collision) h(x 1 )= h(x 2 )= =h(x t ) 28

29 Multi-collisions on iterated hash unction (2) IV H 1 H 2 H 3 x 1, x 1 x 2, x 2 x 3, x 3 x 4, x 4 or IV: collision or block 1: x 1, x 1 or H 1 : collision or block 2: x 2, x 2 or H 2 : collision or block 3: x 3, x 3 or H 3 : collision or block 4: x 4, x 4 now h(x 1 x 2 x 3 x 4 ) = h(x 1 x 2 x 3 x 4 ) = h(x 1 x 2 x 3 x 4 ) = = h(x 1 x 2 x 3 x 4 ) a 16-old collision (time: 4 collisions) 29

30 Multi-collisions [Coppersmith 85][Joux 04] inding multi-collisions or an iterated hash unction is not much harder than inding a single collision (i the size o the internal memory is n bits) algorithm generate R = 2 n1/2 -old multi-collision or h 2 in R: search by brute orce or h 1 R Time: n1. 2 n2/2 + 2 n1/2 << 2 (n1 + n2)/2 h 1 h 2 g(x) = h 1 (x) h 2 (x) 30

31 Multi-collisions [Coppersmith 85][ Joux 04] consider h 1 (n1-bit result) and h 2 (n2-bit result), with n1 n2. concatenation o 2 iterated hash unctions (g(x)= h 1 (x) h 2 (x)) is as most as strong as the strongest o the two (even i both are independent) cost o collision attack against g at most n1. 2 n2/2 + 2 n1/2 << 2 (n1 + n2)/2 cost o (2nd) preimage attack against g at most n1. 2 n2/2 + 2 n1 + 2 n2 << 2 n1 + n2 i either o the unctions is weak, the attacks may work better 31

32 Summary 32

33 Improving MD iteration salt + output transormation + counter + wide pipe IV salt salt salt salt salt H 1 H 2 H 3 2n 2n 2n 2n 2n n g x 1 1 x 2 x 3 x x security reductions well understood many more results on property preservation impact o theory limited 33

34 Improving MD iteration degradation with use: salting (amily o unctions, randomization) or should a salt be part o the input? PRO: strong output transormation g also solves length extension long message 2 nd preimage: preclude ix points counter i [Biham-Dunkelman 07] multi-collisions, herding: avoid breakdown at 2 n/2 with larger internal memory: known as wide pipe e.g., extended MD4, RIPEMD, [Lucks 05] 34

35 Tree structure: parallelism [Damgård 89], [Pal-Sarkar 03][Bertoni+13] x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 35

36 Permutation (π) based: sponge x 1 x 2 x 3 x 4 h1 h2 H1 0 H2 0 π π π π π π π π example: RadioGatun absorb buer squeeze generalization ( Parazoa ) JH, Cubehash, Fuge, Grindahl, Hamsi, Lua 36

37 Permutation (π) based: sponge x 1 x 2 x 3 x 4 h1 h2 H1 0 r H2 0 π π π π π π c absorb squeeze i H1 has r bits (rate), H2 has c bits (capacity) and the permutation π is ideal, then a sponge unction has security O(2 c ) against (2 nd ) preimage attacks and O(2 c/2 ) against collision attacks 37

38 Modes: summary growing theory to reduce security properties o hash unction to that o compression unction (MD) or permutation (sponge) preservation o large range o properties relation between properties it is very nice to assume multiple properties o the compression unction, but unortunately it is very hard to veriy these still no single comprehensive theory 38

39 Agenda Deinitions Iterations (modes) Compression unctions Constructions SHA-3 Conclusions 39

40 Compression unctions 40 40

41 Block cipher (E K ) based: single block length Davies-Meyer Miyaguchi-Preneel H i H i H i-1 E x i E x i H i-1 output length = block length m; rate 1; 1 key schedule per encryption 12 secure compression unctions (in ideal cipher model) lower bounds: collision 2 m/2, (2nd) preimage 2 m [Preneel+ 93], [Black-Rogaway-Shrimpton 02], [Duo-Li 06], [Stam 09], 41

42 Permutation (π) based parazoa JH small permutation Grøstl x i H1 i-1 H1 i x i π 1 H2 i-1 π H2 i H i H i-1 π 2 42

43 Iteration modes and compression unctions security o simple modes well understood powerul tools available analysis o slightly more complex schemes very diicult which properties are meaningul? which properties are preserved? MD versus sponge is still open debate 43

44 Hash unction constructions 44 44

45 Hash unction history 101 DES RSA HARDWARE SOFTWARE AES single block length double block length permutations ad hoc schemes security reduction or actoring, DLOG, lattices MD2 MD4 MD5 Dedicated SHA-1 SNEFRU RIPEMD-160 SHA-2 Whirlpool 2010 SHA-3 45

46 MDx-type hash unction history MD4 Ext. MD4 90 MD5 91 HAVAL RIPEMD 92 SHA(-0) SHA-1 RIPEMD SHA-2 SHA

47 MD5 [Rivest 91]: 4 rounds o 16 steps x 0 x 15 H i-1 A 0 B 0 C 0 D 0 A 1 B 1 C 1 D 1 A 16 B 16 C 16 D 16 x p(0) x p(15) g g A 17 B 17 C 17 D 17 A 32 B 32 C 32 D 32 x i K x q(0) x q(15) h h A 33 B 33 C 33 D 33 A 48 B 48 C 48 D 48 i x r(0) x r(15) j j A 49 B 49 C 49 D 49 A 64 B 64 C 64 D 64 + H i 47

48 Slide credit: C. Rechberger State updates in the MD4 amily MD4 SHA/SHA-1 SHA-256 K W << s KN+1 WN+1 + << >> 2 Σ 0 + M A J Σ 1 C H K W + + A N B N C N D N E N F N G N H N Design principles copied in MD5, RIPEMD, HAVAL, SHA, SHA-1, SHA-256,... All hash unctions in use today 48

49 The complexity o collision attacks brute orce: 1 million PCs (1 year) or US$ 100,000 hardware (4 days) MD4 MD5 SHA-0 SHA-1 Brute orce 49

50 log 2 complexity SHA-1 designed by NIST (NSA) in 94 [Wang+ 04] [Wang+ 05] [Mendel+ 08] [Manuel+ 09] [Stevens 12] [Sugita+ 06] [McDonald+ 09] Most attacks unpublished/withdrawn prediction: collision or SHA-1 in the next 12 months 50

51 Rogue CA attack [Sotirov-Stevens-Appelbaum-Lenstra-Molnar-Osvik-de Weger 08] request user cert; by special collision this results in a ake CA cert (need to predict serial number + validity period) Sel-signed root key CA1 CA2 Rogue CA impact: rogue CA that can issue certs that are trusted by all browsers User1 User2 User x 6 CAs have issued certiicates signed with MD5 in 2008: Rapid SSL, Free SSL (ree trial certiicates oered by RapidSSL), TC TrustCenter AG, RSA Data Security, Verisign.co.jp 51

52 Upgrades RIPEMD-160 is good replacement or SHA-1 upgrading algorithms is always hard TLS uses MD5 SHA-1 to protect algorithm negotiation (up to v1.1) upgrading negotiation algorithm is even harder: need to upgrade TLS 1.1 to TLS

53 SHA-2 [NIST 02] SHA-224, SHA-256, SHA-384, SHA-512 non-linear message expansion 64/80 steps SHA-384 and SHA-512: 64-bit architectures SHA-256 collisions: 31/64 steps [Mendel+ 13] ree start collision: 52/64 steps (2 12x ) [Li+12] non-randomness 47/64 steps (practical) [Biryukov+11][Mendel+11] SHA-256 preimages: 45/64 steps (2 25x ) [Khovratovich+ 12] implementations today aster than anticipated adoption industry slow in migrating; may be now implementing SHA-3 very slow or TLS/IPsec (no pressing need) 53

54 Agenda Deinitions Iterations (modes) Compression unctions Constructions SHA-3 Conclusions 54

55 SHA-3 (bits and bytes) 55 55

56 NIST AHS competition (SHA-3) SHA-3: 224, 256, 384, and 512-bit message digests (similar to SHA-2) Call: 02/11/07 Deadline (64): 31/10/08 Round 1 (51): 09/12/08 Round 2 (14): 24/7/09 Final (5): 10/12/10 Selection: 02/10/ Q4/08 Q3/09 Q4/10 Q4/12 round 1 round 2 inal 56

57 The candidates Slide credit: Christophe De Cannière 57

58 Preliminary cryptanalysis Slide credit: Christophe De Cannière 58

59 End o Round 1 candidates a Slide credit: Christophe De Cannière 59

60 Round 2 candidates a Slide credit: Christophe De Cannière 60

61 Properties: bits and bytes [Watanabe 10] 61

62 Sotware perormance ebash [Bernstein-Lange] logarithmic scale slower actor 4 in cycles/byte 62

63 Hardware: post-place & route results ASIC 130nm [Guo-Huang-Nazhandali-Schaumont 10] Throughput (Gbps) Keccak SHA256 Blake BMW CubeHash Blake JH Grøstl ECHO Fugue Grostl Hamsi JH Keccak Lua Shabal SHAvite SIMD Skein ,000 80, , , ,000 Slide credit: Patrick Schaumont, Virginia Tech Skein Area (GateEqv) 63

64 Keccak permutation: 25, 50, 100, 200, 400, 800, 1600 nominal version: 5x5 array o 64 bits 18 rounds o 5 steps 64

65 new number (not 180-x) Keccak: FIPS lexible output length and tree structure (Sakura) allowed by additional encoding six versions n=256; c = 256; r = 1344 (84%) n=256; c = 256; r = 1344 (84%) n=384; c = 512; r = 1088 (68%) n=512; c = 512; r = 1088 (68%) n=x; c = 256; r = 1344 (84%) n=x; c = 512; r = 1088 (68%) I H1 has r bits (rate), H2 has c bits (capacity) and the permutation π is ideal, then a sponge unction has security O(2 c ) against (2 nd ) preimage attacks and O(2 c/2 ) against collision attacks 65

66 Perormance o hash unctions [Bernstein-Lange] (cycles/byte) Intel Core 2 Quad Q9550; 4 x 2833MHz (2008) 2001 (estimated) 66

67 Hash unctions: conclusions SHA-1 would have needed steps instead o attacks: cryptographic meltdown but not dramatic or most applications theory is developing or more robust iteration modes and extra eatures; still early or building blocks Nirwana: eicient hash unctions with security reduction 67