Cryptography 7.
Hash functions
Hash functions in data structures
A hash function is a compression function on arbitrary-length input:
H : {0, 1}* → {0, 1}^k for k = 128, 160, 256, etc.
Classical application: data structures
Storing a set of elements in a table indexed by the hash value
Achieving O(1) insertion and lookup time
The element x is stored in table cell H(x)
Retrieve x by computing H(x) and checking the respective cell
Collision: x ≠ x′ with H(x) = H(x′)
A hash function is "good" if there are few collisions, i.e. it spreads the elements well
Hash functions in cryptography
                     Data structures      Cryptography
Compressing data     yes                  yes
Few collisions       desired only         crucial (collision resistance)
In data structures x and H(.) are independent
In cryptography the adversary can choose x arbitrarily in order to cause a collision
Cryptographic hash functions are therefore harder to construct...
Hash functions in cryptography
Definition
A collision in a function H(.) is a pair of inputs x ≠ x′ such that H(x) = H(x′).
A function H(.) is collision resistant if any PPT adversary can find a collision with negligible probability only.
A function H(.) is a hash function if H : {0, 1}* → {0, 1}^n.
Security notions, from strongest to weakest:
1. Collision resistance: see above
2. Second pre-image resistance: given x, it is infeasible for a PPT adversary to find x′ ≠ x with H(x′) = H(x)
3. Pre-image resistance: given y = H(x) for a random (and unknown) x, it is infeasible for a PPT adversary to find any x′ with H(x′) = y (in other words, H is a one-way function)
Hash functions in cryptography
Design principles
Collision resistance
Second pre-image resistance
Pre-image resistance
Avalanche effect: a small change in the input ⇒ a large change in the output
Strict avalanche criterion: if a single input bit is complemented ⇒ every output bit changes with probability 1/2
Bit independence criterion: ∀ i, j, k: if a single input bit i is complemented ⇒ output bits j and k change independently of each other
Attacks and weaknesses
Theorem (Birthday paradox)
Let x₁, ..., xₙ ∈_R {1, ..., d} be uniform random values. Then
P(∃ i, j ∈ {1, ..., n} : i ≠ j, xᵢ = xⱼ) ≈ 1 − exp(−n(n − 1) / (2d)).
For n ≈ 1.18·√d this probability is about 1/2.
Birthday attack
For a hash function H : {0, 1}* → {0, 1}^n a collision can be found with probability ≈ 1/2 by computing about 2^(n/2) hash values (store every digest seen so far and stop at the first repeat).
Significantly faster than brute force (2^n) ⇒ n ≥ 160 is the minimum for 80-bit collision security; 256-bit outputs are the norm today
If a collision can be found faster than by the birthday attack ⇒ the hash is "broken"
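The birthday attack as runnable code (an added example, not part of the original slides). The hash is SHA-256 truncated to 32 bits so that the ~2^16 evaluations the theorem predicts finish in a second; the messages `msg-0`, `msg-1`, ... are constructed inputs, and `birthday_probability` evaluates the theorem's approximation.

```python
import hashlib
import math


def birthday_probability(n: int, d: int) -> float:
    """P(some pair collides) among n uniform samples from d values,
    using the approximation 1 - exp(-n(n-1)/(2d)) from the theorem."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * d))


def truncated_hash(msg: bytes, bits: int) -> bytes:
    """An n-bit hash H : {0,1}* -> {0,1}^bits: the first bits of SHA-256.
    Truncation stands in for a short hash so the attack finishes quickly."""
    assert bits % 8 == 0
    return hashlib.sha256(msg).digest()[: bits // 8]


def birthday_collision(bits: int, limit: int = 1 << 26):
    """Find x != x' with H(x) = H(x') by hashing distinct messages and
    remembering every digest -> message pair seen so far.
    Returns (x, x', number of hash evaluations)."""
    seen = {}
    for i in range(limit):
        msg = b"msg-%d" % i          # constructed inputs; any distinct strings would do
        digest = truncated_hash(msg, bits)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg
    raise RuntimeError("no collision within limit")


if __name__ == "__main__":
    bits = 32
    x, x2, work = birthday_collision(bits)
    print(f"{bits}-bit collision after {work} hashes (2^(n/2) = {2 ** (bits // 2)})")
    print(x, x2, truncated_hash(x, bits).hex())
    print("23 people, 365 days:", round(birthday_probability(23, 365), 3))
```

The number of hashes needed varies from run to run only through the choice of inputs; with these fixed inputs it is deterministic and lands near the 2^16 ≈ 65 000 the bound predicts, orders of magnitude below the 2^32 a brute-force search of the output space would need.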
Attacks and weaknesses
Sophisticated collision attacks: birthday paradox + cryptanalysis
Chosen-prefix attack: given two prefixes p₁ ≠ p₂, find m₁, m₂ such that H(p₁|m₁) = H(p₂|m₂).
Exploits the Merkle-Damgård structure: once the internal states collide, any common suffix keeps the collision
Real-world attacks against MD5-based implementations (forged X.509 certificates)
Attacks and weaknesses
Length-extension attack
Given the hash value H(m) and the message length |m| (but not m itself), compute H(m|m′) for some m′ chosen by the attacker.
Padding-based attack: H(data|padding) ⇒ H(data|padding|OurData|NewPadding)
Merkle-Damgård is vulnerable: the final chaining value is the output, so the attacker simply resumes the iteration from it
Applies to MD5, SHA-1 and the untruncated SHA-2 variants (SHA-256, SHA-512)
Consequence: t := H(key|m) is not a secure MAC (see HMAC later)
Attacks and weaknesses
Rainbow tables
Find a pre-image using a precomputed table of hash chains.
Application: password recovery
Store only the start and end points of hash-reduction chains (a reduction function maps a digest back into the password space)
Search for an identical end value, then recompute that chain to read off the pre-image
[Figure: rainbow table with 3 reduction functions, created for Wikipedia by User:Dake]
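A small rainbow table end to end (an added example, not from the original slides). The password space is a constructed toy, 4-digit PINs, the hash being inverted is assumed to be unsalted SHA-256, and the reduction functions differ per column, which is what distinguishes a rainbow table from plain hash chains: two chains only merge when they collide in the same column.

```python
import hashlib

PIN_SPACE = 10_000                                       # toy space: 4-digit PINs
CHAIN_LEN = 25                                           # t: hash-reduction steps per chain
STARTS = [f"{i:04d}" for i in range(0, PIN_SPACE, 25)]   # 400 chain start points


def H(pin: str) -> bytes:
    """The hash being inverted: unsalted SHA-256 of the PIN (assumption)."""
    return hashlib.sha256(pin.encode()).digest()


def reduce_fn(digest: bytes, i: int) -> str:
    """i-th reduction function r_i: maps a digest back into the PIN space.
    The column index i is mixed in so that r_i differs per column."""
    return f"{(int.from_bytes(digest[:8], 'big') + i) % PIN_SPACE:04d}"


def chain(start: str, t: int = CHAIN_LEN) -> list:
    """x_0 = start, x_{i+1} = r_i(H(x_i)); returns [x_0, ..., x_t]."""
    xs = [start]
    for i in range(t):
        xs.append(reduce_fn(H(xs[-1]), i))
    return xs


def build_table(starts=STARTS, t: int = CHAIN_LEN) -> dict:
    """Precomputation: keep only end point -> start points, not the chains."""
    table = {}
    for s in starts:
        table.setdefault(chain(s, t)[-1], []).append(s)
    return table


def lookup(table: dict, target: bytes, t: int = CHAIN_LEN):
    """Online phase: for each column j assume target = H(x_j), walk to the
    chain end, and regenerate any chain ending there to read position j."""
    for j in range(t):
        x = reduce_fn(target, j)              # x_{j+1} under the hypothesis
        for i in range(j + 1, t):
            x = reduce_fn(H(x), i)            # continue to the end point x_t
        for start in table.get(x, ()):
            cand = chain(start, t)[j]
            if H(cand) == target:
                return cand                   # verified pre-image
            # otherwise a false alarm: another chain shares this end point
    return None


if __name__ == "__main__":
    table = build_table()
    covered = {x for s in STARTS for x in chain(s)[:-1]}
    print(f"{len(table)} end points stored, {len(covered)} of {PIN_SPACE} PINs covered")
    print("H('4711') inverts to:", lookup(table, H("4711")))
```

The table stores 400 end points instead of 10 000 digests, and each lookup costs at most about t² hash evaluations; coverage is incomplete because chains merge and overlap, which is why real tables use many more start points than the space divided by t. A per-password salt appended before hashing defeats the whole approach, since the precomputation would have to be repeated per salt value.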
Attacks and weaknesses
Side-channel attacks
Any attack based on information obtained from the implementation of a given cryptosystem instead of weaknesses in the algorithm itself.
Sources: timing information, power consumption, electromagnetic leaks, sound
Statistical methods are used to extract the signal from the noise
Merkle-Damgård transform
Practical constructions handle fixed-length input only
Methodology to construct a full-fledged hash function from them
Let h : {0, 1}^(2n) → {0, 1}^n be a fixed-length hash function (compression function) and m ∈ {0, 1}* with |m| = ℓ < 2^n
Then the following H(.) is a variable-length hash function:
1. Split m into blocks of length n, i.e. let b := ⌈ℓ/n⌉ and m = (m₁|m₂|...|m_b), the last block zero-padded
2. Set m_(b+1) := ℓ ∈ {0, 1}^n (the length block) and z₀ := 0^n
3. For i = 1, ..., b + 1 compute zᵢ := h(zᵢ₋₁|mᵢ)
4. H(m) := z_(b+1)
Merkle-Damgård transform
Practice: it is enough to consider fixed-length constructions
Theory: the amount of compression does not matter (any fixed-length collision-resistant h suffices)
Initialization vector IV: z₀ can be chosen freely (a fixed public constant in practice)
Security: if h(.) is collision resistant then H(.) is collision resistant as well (a collision in H yields a collision in h at the last differing block, or two messages of different length colliding in the length block)
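The Merkle-Damgård transform of the preceding slide, followed by the length-extension attack from the earlier slide run against it (an added example, not from the original slides). The compression function h : {0,1}^(2n) → {0,1}^n is instantiated as SHA-256 over the 2n-bit input with n = 256 bits, an assumption made only to have a concrete h; the secret-prefix MAC H(key|m) and the key, message and suffix are constructed for the demonstration.

```python
import hashlib

N = 32           # n = 256 bits: block size and chaining-value size, in bytes
IV = bytes(N)    # z_0 := 0^n


def h(z: bytes, block: bytes) -> bytes:
    """Fixed-length compression function h : {0,1}^2n -> {0,1}^n.
    Stand-in for the slides' abstract h: SHA-256 of the 2n-bit input (assumption)."""
    assert len(z) == N and len(block) == N
    return hashlib.sha256(z + block).digest()


def blocks_of(m: bytes) -> list:
    """Step 1: split m into b = ceil(l/n) blocks of n bits, zero-padding the last one."""
    out = [m[i:i + N] for i in range(0, len(m), N)]
    if out and len(out[-1]) < N:
        out[-1] = out[-1].ljust(N, b"\x00")
    return out


def length_block(nbytes: int) -> bytes:
    """Step 2: m_{b+1} := l, the bit length as an n-bit big-endian integer."""
    return (8 * nbytes).to_bytes(N, "big")


def md_hash(m: bytes, iv: bytes = IV) -> bytes:
    """Steps 3-4: z_i := h(z_{i-1} | m_i) for i = 1..b+1, H(m) := z_{b+1}."""
    z = iv
    for block in blocks_of(m) + [length_block(len(m))]:
        z = h(z, block)
    return z


def secret_prefix_mac(key: bytes, m: bytes) -> bytes:
    """The tempting but broken MAC t := H(key | m)."""
    return md_hash(key + m)


def length_extend(tag: bytes, known_len: int, suffix: bytes):
    """Attacker side: from H(m) and |m| alone, compute glue and H(m | glue | suffix).

    glue is exactly the zero padding plus length block the honest hasher appended
    to m, so hashing m|glue|suffix passes through the state `tag`; the attacker
    resumes from that state with the suffix blocks and the new total length."""
    pad_len = (-known_len) % N
    glue = b"\x00" * pad_len + length_block(known_len)
    total_len = known_len + len(glue) + len(suffix)
    z = tag
    for block in blocks_of(suffix) + [length_block(total_len)]:
        z = h(z, block)
    return glue, z


if __name__ == "__main__":
    key = b"sixteen byte key"                   # never seen by the attacker
    msg = b"amount=100&to=alice"
    tag = secret_prefix_mac(key, msg)
    # the attacker knows tag, msg and only the *length* of the key
    glue, forged = length_extend(tag, len(key) + len(msg), b"&to=mallory")
    accepted = secret_prefix_mac(key, msg + glue + b"&to=mallory") == forged
    print("forged tag accepted:", accepted)
    print("forged message:", msg + glue + b"&to=mallory")
```

The glue bytes end up inside the forged message, which is why the attack works against parsers that tolerate embedded zero bytes and ignore unknown trailing fields; the fix is a construction whose output is not the raw chaining value, such as HMAC below.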
MD5 - Description
512-to-128-bit compression function extended by Merkle-Damgård
Works on 32-bit words
m is divided into 512 (= 16·32)-bit blocks
Operates on a 128 (= 4·32)-bit state
The initial values of A, B, C, D are fixed
4 rounds of 16 similar operations each
Four possible non-linear functions:
1. F(B, C, D) = (B ∧ C) ∨ (¬B ∧ D)
2. G(B, C, D) = (B ∧ D) ∨ (C ∧ ¬D)
3. H(B, C, D) = B ⊕ C ⊕ D
4. I(B, C, D) = C ⊕ (B ∨ ¬D)
Mᵢ is a 32-bit message word of the current block
Kᵢ is an additive constant and s a rotation amount; both vary for each operation
MD5 – Analysis
NOT collision resistant!
128-bit output ⇒ a generic birthday attack needs only 2^64 work...
1992 - MD5 published
1993 - "pseudo-collision" in the compression function (IV-based attack)
1996 - collision in the compression function
2004 - MD5CRK, a distributed effort using the birthday attack
2004 - hash collision within 1 hour (analytical attack)
2005 - practical collision of two X.509 certificates with different public keys and the same MD5 hash value
2008 - rogue CA certificate forged with a chosen-prefix collision
2010 - first published single-block collision
SHA-1
SHA – Secure Hash Algorithm
Designed by the U.S. NSA, published by the U.S. NIST
Similar to MD5
Versions:
SHA-0 (1993)
160-bit output, 32-bit words, 80 rounds
Operations: ⊕, addition mod 2^32, ∧, ∨, rotation
Collision found
SHA-1 (1995)
160-bit output, 32-bit words, 80 rounds
Operations: ⊕, addition mod 2^32, ∧, ∨, rotation
W_t is the expanded message word for round t
K_t is the round constant for round t
More resistant: theoretical attack of complexity 2^61 (2011); a practical collision followed in 2017 (SHAttered) and a chosen-prefix collision in 2020, so SHA-1 must no longer be used where collision resistance matters
[Figure: SHA-1 round function, original diagram for Wikipedia created by User:Matt Crypto]
SHA-2
SHA-2 (2001) = SHA-256 / SHA-512
256/512-bit output, 32/64-bit words, 64/80 rounds
Operations: ⊕, addition mod 2^w, ∧, ∨, shift, rotation (⋙ = rotate right)
Ch(E, F, G) = (E ∧ F) ⊕ (¬E ∧ G)
Ma(A, B, C) = (A ∧ B) ⊕ (A ∧ C) ⊕ (B ∧ C)
Σ₀(A) = (A ⋙ 2) ⊕ (A ⋙ 13) ⊕ (A ⋙ 22)
Σ₁(E) = (E ⋙ 6) ⊕ (E ⋙ 11) ⊕ (E ⋙ 25)
(rotation amounts shown for SHA-256)
No collision found (yet)
SHA-3 (draft 2014, standard 2015)
Different design (sponge construction, see below)
An alternative to SHA-2, not a replacement
[Figure: SHA-2 round function, original diagram for Wikipedia created by User:kockmeyer]
RIPEMD-160
Published in 1996
160-bit hash value
Similar design principles as MD5
A bit faster than SHA-1
BUT designed in the open academic community!!!
Developed in the framework of the EU project RIPE (RACE Integrity Primitives Evaluation)
No collision found (yet)
Optional extensions: RIPEMD-256 and RIPEMD-320
Longer hash values, but the same security levels as RIPEMD-128 / RIPEMD-160
A possible alternative to SHA-1
NIST hash function competition (2007 – 2012)
Development process similar to the AES competition
Oct. 2008 Submission deadline
Dec. 2008 51 candidates accepted for Round 1
Feb. 2009 NIST conference: submitters presented their algorithms
Jul. 2009 14 candidates accepted to Round 2
Aug. 2010 CRYPTO 2010: the second-round candidates were discussed
Dec. 2010 Announcement of the five finalists; selection criteria:
  Performance: small hardware requirements
  Security: possible cryptographic / design weaknesses
  Analysis: (lack of) cryptanalysis by the whole crypto community
  Diversity: different modes of operation and internal structures
Oct. 2012 Winner: Keccak
Aug. 2013 NIST announced changes in the proposed standard to achieve a better security/performance trade-off (later withdrawn after public criticism)...
Aug. 2015 Keccak, standardized as SHA-3 in FIPS 202, is the hashing standard
One finalist: Grøstl
The Grøstl hash function
Knudsen et al. (TU of Denmark & TU Graz)
Modified Merkle-Damgård:
h₀ = iv, hᵢ = f(hᵢ₋₁, mᵢ)
Compression function f based on two permutations P, Q (see below)
H(m) = Ω(h_t)
Output transformation Ω(x) = trunc_n(P(x) ⊕ x)
One finalist: Grøstl
f(h, m) = P(h ⊕ m) ⊕ Q(m) ⊕ h
The designs of P and Q are inspired by AES
Small number of permutations ⇒ simple analysis
Well-known design principles
Provably secure if the permutations are ideal:
Finding a collision needs ≥ 2^(ℓ/4) evaluations of P, Q
Finding a pre-image needs ≥ 2^(ℓ/2) evaluations of P, Q
Indifferentiable from a random oracle
[Figure: the compression function f of Grøstl]
One finalist: Skein
Schneier et al.
Main components
1. Threefish
A tweakable block cipher
Tweak: an extra input that provides variability
Large number of simple rounds instead of fewer complex rounds
Subkeys derived from key + tweak
MIX function: ⊕, addition mod 2^64, rotation
One finalist: Skein
Main components
2. Unique Block Iteration (UBI): a chaining mode using Threefish to build a compression function
Example: a 166-byte input with 3 calls of Threefish-512
Tweak: position (length so far) + first/last block flags + "type"
Skein: multiple invocations of UBI
3. Optional Argument System for extensions and other modes
[Figure: hashing a three-block message using UBI]
[Figure: Skein in normal hashing mode]
SHA-3/Keccak
[Figure: diagram of a sponge construction from http://sponge.noekeon.org/]
Winner of the NIST hash function competition (2012)
Created by Bertoni, Daemen, Peeters and Van Assche
Sponge construction: a fixed-length permutation f and a padding rule
1. m is padded and split into r-bit blocks pᵢ
2. Absorbing: the pᵢ are XORed into the first r bits of the state (the rate), interleaved with applications of f (Keccak-f[1600]: 24 rounds of simple operations on a state consisting of a 5 × 5 array of 64-bit words)
3. Squeezing: the output blocks zᵢ are read from the same r bits of the state, again interleaved with f
The remaining c = 1600 − r state bits (the capacity) are never output directly; they determine the security level, and the attacker never learns the full state, so there is no length-extension attack
GPU-resistant hash functions
Motivation: serial vs. parallel hashers; a hash that must be computed serially gives GPU (massively parallel) hashers little advantage over CPUs
A possible solution: RandomHash, designed by Herman Schoenfeld
N rounds, where the Hᵢ are well-known hash functions
In every round the hash function is chosen pseudo-randomly: H ∈_R {H₁, ..., H₁₈}
The output is expanded for memory-hardness
Privacy vs. Integrity
Secure communication
Alice wants to send a message to Bob over an open communication channel
Goal: privacy
Tool: encryption
Message integrity
Alice wants to send a message to Bob over an open communication channel
Goal: authenticity (caller-ID or the sender's e-mail address prove nothing) and integrity, i.e. prevent any undetected tampering
Preventing tampering itself is not a crypto problem (physical countermeasures); detecting it is
Tool: ???
Encryption vs. Message Authentication
Encryption using stream ciphers
Let c := E_k(m) = G(k) ⊕ m be the ciphertext, where G(.) is a PRG
Flipping a bit in c ⇒ flipping the same bit in m
Example: flipping the 11th least significant bit of a binary amount field changes it by 2^10 = 1024 ≈ 1000 $...
The scheme is still a secure encryption scheme (the attacker learns nothing about m)
The same attack works against the unconditionally secure one-time pad
Encryption using block ciphers
The same attack for OFB and CTR modes
Somewhat more sophisticated methods for ECB and CBC modes (block reordering, predictable damage in the neighbouring block)
Encryption itself does not provide integrity
c completely hides the contents of m
BUT the adversary can modify c in a meaningful way!
Every possible c corresponds to some m, so the receiver cannot tell a modified ciphertext from a genuine one...
We need something new
Message Authentication Codes: Definition
The communicating parties have a common secret (a private key)
Goal: send an authenticated message and know whether the message was tampered with
Definition
A message authentication code is a triple (Gen, Mac, Vrfy) for which the following holds:
Key generation: Gen outputs a secret key k on input of the security parameter 1^n, with |k| ≥ n
Tag generation: Mac outputs the MAC tag t := Mac_k(m) for every message m ∈ {0, 1}*
Verification: Vrfy outputs a bit b := Vrfy_k(m, t), with b = 1 if the MAC tag is valid and 0 otherwise
Furthermore the scheme has to be correct: for every key k and message m,
Vrfy_k(m, Mac_k(m)) = 1.
Message Authentication Codes: Definition of Security
How to attack such a scheme? The adversary performs the following steps:
1. Asks Alice for the MAC tags of some messages of its choice (influence on the content of m)
2. Makes some computation based on the results
3. Outputs a forgery: a valid t for a new m (not asked previously)
If this attack is "hard", then the scheme is called secure.
Definition
A message authentication code is existentially unforgeable under an adaptive chosen-message attack (or secure, for short) if every PPT adversary, after asking for tags t′ of messages m′ ≠ m of its choice, can generate a valid MAC tag t for the message m with negligible probability only.
Message Authentication Codes: Definition of Security
Is the definition too strong?
The adversary can request the tag of any message
Generating a valid tag for any new message "breaks" the scheme
Only meaningful messages matter in practice, but what does "meaningful" mean? The definition avoids the question by forbidding every forgery
What the definition does NOT cover: replay attacks (re-sending a genuine message with its genuine tag)
Countermeasures: sequence numbers or time-stamps concatenated with m before tagging
Drawbacks: state to store, or clock synchronization problems
MAC constructions for fixed length messages
Fixed-length MAC
Let PRF_k : {0, 1}^n → {0, 1}^n be a pseudorandom function with key k ∈ {0, 1}^n. Then the following is a fixed-length MAC:
Gen: k ∈_R {0, 1}^n
Mac: given k and a message m ∈ {0, 1}^n, the tag is t := PRF_k(m)
Vrfy: given k, a message m ∈ {0, 1}^n and a tag t ∈ {0, 1}^n, the output is 1 iff t = PRF_k(m)
If PRF is a pseudorandom function then this scheme is secure
Drawback: only for fixed-length messages
MAC constructions for variable length messages
We have a secure MAC (Gen′, Mac′, Vrfy′) for fixed-length m. How to extend it to arbitrary-length m?
Some wrong (but progressively better) ideas:
0. Split m into b blocks m₁, ..., m_b and authenticate blockwise:
1. Authenticate the XOR of the blocks: t := Mac′_k(⊕ᵢ mᵢ)
   Easy to forge: any new message m′ with ⊕ᵢ m′ᵢ = ⊕ᵢ mᵢ (e.g. the same blocks in another order) has the same tag
2. Authenticate each block separately: t := (t₁, ..., t_b) with tᵢ := Mac′_k(mᵢ)
   Easy to forge: permute the blocks (and their tags)
3. Authenticate each block together with a sequence number: t := (t₁, ..., t_b) with tᵢ := Mac′_k(i|mᵢ)
   Easy to forge: drop the last blocks (truncation), or mix and match block i of two different messages
Lesson: every block needs additional information that prevents length-based attacks and combining blocks of different messages
MAC constructions for variable length messages
Variable-length MAC
Let (Gen′, Mac′, Vrfy′) be a fixed-length MAC for messages of length n.
Gen: the same as Gen′
Mac: given k and a message m ∈ {0, 1}* with ℓ := |m| < 2^(n/4), split m into b blocks m₁, ..., m_b with |mᵢ| = n/4 (the last one padded) and choose r ∈_R {0, 1}^(n/4). Compute the tags tᵢ := Mac′_k(r|ℓ|i|mᵢ), where each of the four fields is n/4 bits long; the tag is t := (r, t₁, ..., t_b)
Vrfy: given k, a message m ∈ {0, 1}* and a tag t = (r, t₁, ..., t_b′), split m into b blocks. The output is 1 iff b = b′ and Vrfy′_k(r|ℓ|i|mᵢ, tᵢ) = 1 for i = 1, ..., b.
If (Gen′, Mac′, Vrfy′) is a secure fixed-length MAC then (Gen, Mac, Vrfy) is a secure variable-length MAC
The random r ties the blocks of one tag together, ℓ rules out truncation and i rules out reordering; the price is a tag about four times as long as the message
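The three wrong ideas from the previous slide, each with its forgery, next to the secure variable-length construction just given (an added example, not from the original slides). The fixed-length MAC′ is the PRF construction of the earlier slide; the PRF is instantiated with HMAC-SHA256 and n = 256 bits, an assumption the slides leave open, and the keys and messages are constructed for the demonstration.

```python
import hashlib
import hmac
import os

N = 32          # n = 256 bits: the only input length Mac' accepts
Q = N // 4      # n/4 = 8 bytes: width of each of the fields r, l, i, m_i


def mac_prime(k: bytes, x: bytes) -> bytes:
    """Fixed-length MAC' from a PRF: t := PRF_k(x) for x in {0,1}^n.
    The PRF is HMAC-SHA256 here (an assumption; the slides leave it abstract)."""
    assert len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(m: bytes, size: int) -> list:
    """Cut m into blocks of `size` bytes, zero-padding the last one."""
    blocks = [m[i:i + size] for i in range(0, len(m), size)]
    if blocks and len(blocks[-1]) < size:
        blocks[-1] = blocks[-1].ljust(size, b"\x00")
    return blocks


# Wrong idea 1: authenticate the XOR of the blocks. Any m' with the same XOR,
# e.g. the same blocks in another order, carries the same tag.
def xor_mac(k: bytes, m: bytes) -> bytes:
    acc = bytes(N)
    for blk in split(m, N):
        acc = xor_bytes(acc, blk)
    return mac_prime(k, acc)


# Wrong idea 2: authenticate each block separately. Permuting the blocks
# just permutes the tags.
def blockwise_mac(k: bytes, m: bytes) -> list:
    return [mac_prime(k, blk) for blk in split(m, N)]


# Wrong idea 3: prefix each block with its index i. Dropping the last block,
# or splicing block i of another message, still verifies.
def indexed_mac(k: bytes, m: bytes) -> list:
    return [mac_prime(k, i.to_bytes(Q, "big") + blk)
            for i, blk in enumerate(split(m, N - Q), 1)]


# The secure construction: every block carries a fresh random r, the total
# length l and its index i, so truncation, reordering and splicing all fail.
def mac(k: bytes, m: bytes, r: bytes = None) -> tuple:
    r = os.urandom(Q) if r is None else r
    l = (8 * len(m)).to_bytes(Q, "big")            # l = |m| in bits, < 2^(n/4)
    tags = [mac_prime(k, r + l + i.to_bytes(Q, "big") + blk)
            for i, blk in enumerate(split(m, Q), 1)]
    return r, tags


def vrfy(k: bytes, m: bytes, tag: tuple) -> bool:
    r, tags = tag
    blocks = split(m, Q)
    if len(r) != Q or len(blocks) != len(tags):    # b must equal b'
        return False
    l = (8 * len(m)).to_bytes(Q, "big")
    ok = True
    for i, (blk, t) in enumerate(zip(blocks, tags), 1):
        ok &= hmac.compare_digest(mac_prime(k, r + l + i.to_bytes(Q, "big") + blk), t)
    return ok


if __name__ == "__main__":
    k = os.urandom(32)
    a, b = b"A" * N, b"B" * N
    print("xor_mac forgery (swapped blocks):", xor_mac(k, a + b) == xor_mac(k, b + a))
    print("blockwise forgery (reversed):", blockwise_mac(k, a + b)[::-1] == blockwise_mac(k, b + a))
    p, q, s = b"P" * (N - Q), b"Q" * (N - Q), b"S" * (N - Q)
    print("indexed forgery (dropped block):", indexed_mac(k, p + q) == indexed_mac(k, p + q + s)[:-1])
    r, tags = mac(k, a + b)
    print("secure MAC verifies:", vrfy(k, a + b, (r, tags)),
          "| truncation rejected:", not vrfy(k, (a + b)[:-Q], (r, tags[:-1])),
          "| reordering rejected:", not vrfy(k, b + a, (r, tags)))
```

Verification uses `hmac.compare_digest` rather than `==` so that the comparison does not leak, byte by byte, how much of a guessed tag is correct (the timing side channel of the earlier slide).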
MAC from hash functions: Nested MAC
NMAC
Let h : {0, 1}^(2n) → {0, 1}^n be a compression function and let H : {0, 1}* → {0, 1}^n be the hash function constructed from it by the Merkle-Damgård transform.
Gen: k₁, k₂ ∈_R {0, 1}^n
Mac: given k₁, k₂ and a message m ∈ {0, 1}*, the tag is t := h(k₁|H_k₂(m))
Vrfy: given k₁, k₂, a message m ∈ {0, 1}* and a tag t ∈ {0, 1}^n, the output is 1 iff t = Mac_k₁,k₂(m)
H_IV(.) denotes the Merkle-Damgård hash with initialization vector z₀ := IV ∈ {0, 1}^n, i.e. a hash keyed through its IV
[Figure: the compression of a key and the output of a keyed Merkle-Damgård hash]
If H is collision resistant and h(.), keyed through its chaining input, is a secure fixed-length MAC, then NMAC is secure
MAC from hash functions: HMAC
HMAC
Let h : {0, 1}^(2n) → {0, 1}^n be a compression function, let H : {0, 1}* → {0, 1}^n be the hash function constructed from it by the Merkle-Damgård transform, and let IV, ipad, opad ∈ {0, 1}^n be fixed.
Gen: k ∈_R {0, 1}^n
Mac: given k and a message m ∈ {0, 1}*, the tag is t := h(h(IV|k ⊕ opad) | H_IV(k ⊕ ipad | m))
Vrfy: given k, a message m ∈ {0, 1}* and a tag t ∈ {0, 1}^n, the output is 1 iff t = Mac_k(m)
Improvement over NMAC: uses a fixed IV and a single secret key only
In fact it is a special case of NMAC with k₁ := h(IV|k ⊕ opad) and k₂ := h(IV|k ⊕ ipad)
MAC from hash functions: HMAC
HMAC-X
Let HX : {0, 1}* → {0, 1}^n be an arbitrary (Merkle-Damgård) hash function and let ipad, opad be fixed constants of one block length (the bytes 0x36 and 0x5C repeated).
Gen: k ∈_R {0, 1}^n
Mac: given k and a message m ∈ {0, 1}*, the tag is t := HX((k ⊕ opad) | HX((k ⊕ ipad) | m))
Vrfy: given k, a message m ∈ {0, 1}* and a tag t ∈ {0, 1}^n, the output is 1 iff t = Mac_k(m)
Eliminates the weaknesses of HX: immune to the length-extension attack, since the attacker never sees the inner hash value
Example: HMAC-SHA1; it is still considered a secure MAC despite practical SHA-1 collisions, because HMAC's security proof does not rely on collision resistance
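HMAC-X written out from the definition above with X = SHA-256, checked against the standard library's `hmac` module (an added example, not from the original slides). The block length of 64 bytes and the key handling (keys longer than a block are hashed first, then zero-padded to the block length) follow RFC 2104; the key and message in the demonstration are constructed.

```python
import hashlib
import hmac

BLOCK = 64                        # SHA-256 block length in bytes; ipad/opad span one block
IPAD = bytes([0x36]) * BLOCK
OPAD = bytes([0x5C]) * BLOCK


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-X with X = SHA-256, from the definition
    t := HX((k xor opad) | HX((k xor ipad) | m)).
    RFC 2104 key handling: a key longer than one block is hashed first, and
    every key is zero-padded to the block length so the XORs are well defined."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha256(xor_bytes(key, IPAD) + msg).digest()
    return hashlib.sha256(xor_bytes(key, OPAD) + inner).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison; a plain == would leak, through timing,
    how many leading bytes of a guessed tag are right."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written construction against hmac.new."""
    return hmac.compare_digest(hmac_sha256(key, msg),
                               hmac.new(key, msg, hashlib.sha256).digest())


if __name__ == "__main__":
    k, m = b"secret key", b"amount=100&to=alice"
    t = hmac_sha256(k, m)
    print("HMAC-SHA256:", t.hex())
    print("matches stdlib:", matches_stdlib(k, m))
    print("RFC 4231 test case 1:", hmac_sha256(bytes([0x0B]) * 20, b"Hi There").hex())
```

Contrast this with the broken secret-prefix MAC H(key|m) from the length-extension slide: here the attacker sees only the outer hash, which is a fresh SHA-256 computation over a value (the inner hash) that remains secret, so the chaining state of the inner hash is never exposed and there is nothing to extend.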
MAC from block ciphers: CBC-MAC
Fixed length CBC-MAC
Let E_k : {0, 1}^n → {0, 1}^n be a block cipher and let x be a fixed number of blocks.
Gen: k ∈_R {0, 1}^n
Mac: given k and a message m ∈ {0, 1}^(x·n), first split m into blocks of length n, i.e. m = (m₁|m₂|...|m_x), and compute tᵢ := E_k(tᵢ₋₁ ⊕ mᵢ) for i = 1 to x with t₀ := 0^n. The tag is t := t_x
Vrfy: given k, a message m ∈ {0, 1}^(x·n) and a tag t ∈ {0, 1}^n, the output is 1 iff t = Mac_k(m)
MAC from block ciphers: CBC-MAC
Fixed length CBC-MAC
If E is a PRF then this is a secure fixed-length MAC
Raw CBC-MAC is NOT secure for variable-length messages: from the tags t₁ = Mac_k(m₁) and t₂ = Mac_k(m₂) of two one-block messages, the two-block message m₁ | (t₁ ⊕ m₂) has the tag t₂
Generalizations to variable-length input:
1. Use the length-dependent key k_x := E_k(x) in the block cipher
2. Prepend m with its length (add one more round with m₀ := |m|)
3. Use two keys k₁, k₂ ∈ {0, 1}^n: first compute the CBC-MAC with k₁, then the tag is t′ := E_k₂(t) (encrypted CBC-MAC; the standardized CMAC refines this idea)
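CBC-MAC, the two-query splicing forgery against the raw variant, and generalizations 2 and 3 rejecting the same forgery (an added example, not from the original slides). The standard library has no block cipher, so E_k is stood in by a PRF (HMAC-SHA256 truncated to n = 128 bits); this is an assumption, and it is harmless here because both the slides' security claim and the forgery only need E to be a deterministic keyed function. Keys and messages are constructed.

```python
import hashlib
import hmac

N = 16  # block length n in bytes


def E(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher E_k : {0,1}^n -> {0,1}^n (assumption):
    a PRF built from HMAC-SHA256, truncated to one block."""
    assert len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(k: bytes, m: bytes) -> bytes:
    """Raw CBC-MAC: t_0 := 0^n, t_i := E_k(t_{i-1} xor m_i), tag := t_x."""
    assert m and len(m) % N == 0, "whole blocks only"
    t = bytes(N)
    for i in range(0, len(m), N):
        t = E(k, xor_bytes(t, m[i:i + N]))
    return t


def cbc_mac_with_length(k: bytes, m: bytes) -> bytes:
    """Generalization 2: prepend the length as block m_0 := |m| (one more round)."""
    return cbc_mac(k, len(m).to_bytes(N, "big") + m)


def ecbc_mac(k1: bytes, k2: bytes, m: bytes) -> bytes:
    """Generalization 3: encrypt the raw CBC-MAC tag under an independent key k2."""
    return E(k2, cbc_mac(k1, m))


def splice_forgery(m1: bytes, t1: bytes, m2: bytes) -> bytes:
    """Attacker side, no key needed: given t1 = Mac(m1) for a one-block m1 and
    any one-block m2 with known tag t2 = Mac(m2), the two-block message
    m1 | (t1 xor m2) has raw CBC-MAC tag E_k(t1 xor t1 xor m2) = E_k(m2) = t2."""
    assert len(m1) == N and len(t1) == N and len(m2) == N
    return m1 + xor_bytes(t1, m2)


if __name__ == "__main__":
    k, k2 = b"\x01" * N, b"\x02" * N
    m1, m2 = b"pay alice 100.00", b"pay bob   900.00"     # constructed one-block messages
    t1, t2 = cbc_mac(k, m1), cbc_mac(k, m2)
    forged = splice_forgery(m1, t1, m2)
    print("raw CBC-MAC accepts forgery with tag t2:", cbc_mac(k, forged) == t2)
    f_len = splice_forgery(m1, cbc_mac_with_length(k, m1), m2)
    print("length-prefixed variant rejects it:",
          cbc_mac_with_length(k, f_len) != cbc_mac_with_length(k, m2))
    f_e = splice_forgery(m1, ecbc_mac(k, k2, m1), m2)
    print("encrypted CBC-MAC rejects it:", ecbc_mac(k, k2, f_e) != ecbc_mac(k, k2, m2))
```

The forgery needs only two legitimately obtained tags and shows why a MAC must be defined for one message space only: a tag of a one-block message is simultaneously an intermediate value of every longer message starting with that block. The length prefix breaks this because the first block then already differs, and the final encryption under k₂ hides the chaining value the attacker needs to compute t₁ ⊕ m₂.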