1
Hash Function
Hash Functions
◦ Dedicated Hash Functions
◦ Useful for lightweight authentication in RFID systems
Message Authentication Codes
◦ CBC-MAC
◦ Nested MAC
Collision Search Attacks
2
Compress a binary string of arbitrary length into a fixed-length short message.
Used for digital signatures, integrity, authentication, etc.
3
$h : \{0,1\}^d \rightarrow \{0,1\}^r$, $d > r$
Names for the output: hash, hash code/value/result, message digest, checksum, MIC, authentication tag, seal, compression, digital fingerprint, imprint
4
[Figure: general model of an iterated hash function h]
Preprocessing: original input x → append padding bits → append length block → formatted input $x = x_1, x_2, \ldots, x_t$
Iterative processing: $H_0 = IV$; $H_i = f(H_{i-1}, x_i)$ for each block $x_i$, where f is the compression function
Output: $h(x) = g(H_t)$, where g is the output transformation mapping, e.g., the identity mapping
Compression
One-wayness
◦ Preimage resistance: Given y, it is computationally infeasible to compute x with y = h(x)
◦ Second preimage resistance: Given x and h(x), it is computationally infeasible to compute x’ ≠ x with h(x) = h(x’)
Collision-free (prevents internal misuse): It is computationally infeasible to find a pair (x, x’), x ≠ x’, satisfying h(x) = h(x’)
Efficiency
◦ Easy to compute h(x) for a given x.
5
Collision resistance (a collision cannot be found efficiently) implies 2nd-preimage resistance
Collision resistance does not guarantee preimage resistance
◦ Let g be a collision resistant hash function with n-bit output
◦ h(x) = 1 || x, if x has bit length n
◦ h(x) = 0 || g(x), otherwise
◦ h is collision resistant with an (n+1)-bit hash
◦ but h is not preimage resistant: for any output of the form 1 || y, a preimage (y itself) is read off directly
6
Using a key or not
◦ Keyed hash: MAC (Message Authentication Code)
◦ Un-keyed hash: MDC (Manipulation Detection Code)
  OWHF (One-Way Hash Function), CFHF (Collision-Free Hash Function)
What purpose
◦ MAC: Block cipher-based (DES-CBC MAC), Hash function-based (HMAC)
◦ MDC: Dedicated hash functions (MD class, SHS, HAVAL), Block cipher-based (MDC-2, MDC-4), Modular arithmetic (MASH-1, MASH-2)
7
Model for an ideal hash function: H() behaves like a random function
◦ If H() is a fixed function, this is an invalid assumption
◦ Whenever H() is used, we call an oracle for the random function (a black box containing a random function)
Good for screening insecure solutions
Security under the ROM implies resistance to many (not all!) attacks
Not a complete proof of security, but a good argument / evidence of security: vs. the standard model
8
Universal forgery: the adversary can find an algorithm equivalent to the MAC function
Selective forgery: the adversary can create a new text-MAC pair for a text of his choice
Existential forgery: even if the adversary cannot control the text, he can create a new text-MAC pair
9
Probability that two persons have the same birthday among r persons: $p_r$
(Assumption) each birthday is independent and uniform in the range 1 to m.
$p_r = 1 - \frac{(m)_r}{m^r} = 1 - \frac{m!}{m^r (m-r)!} \approx 1 - e^{-r^2/(2m)}$
where $(m)_r = m(m-1)\cdots(m-r+1)$
If $r = \sqrt{m}$, $p_r \approx 0.5$; e.g., m = 365, r = 23, $p_r > 0.5$ ↔ an n-bit hash function will collide with probability 0.5 after $\sqrt{2^n} = 2^{n/2}$ operations
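The birthday bound above, worked through in code. This is an added example, not part of the original slides: it computes $p_r$ exactly and with the slide's approximation, and then runs a birthday search against a 24-bit hash (SHA-256 truncated to its top 24 bits, a construction chosen here only so the $2^{n/2}$ work factor can be observed in seconds). The seed string is constructed for the demo.

```python
import hashlib
import math


def birthday_exact(m: int, r: int) -> float:
    """p_r = 1 - (m)_r / m^r with (m)_r = m(m-1)...(m-r+1): the exact
    probability that at least two of r independent uniform draws from
    m values coincide."""
    no_collision = 1.0
    for i in range(r):
        no_collision *= (m - i) / m
    return 1.0 - no_collision


def birthday_approx(m: int, r: int) -> float:
    """The slide's approximation p_r ~ 1 - exp(-r^2 / (2m))."""
    return 1.0 - math.exp(-(r * r) / (2.0 * m))


def draws_for_half(n_bits: int) -> int:
    """Work after which an n-bit hash collides with probability about 1/2:
    sqrt(2^n) = 2^(n/2) hash evaluations."""
    return round(math.sqrt(2 ** n_bits))


def truncated_sha256(data: bytes, n_bits: int) -> int:
    """An n-bit hash built by keeping the top n bits of SHA-256 (constructed
    for the demo; a real hash would never be truncated this far)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def birthday_search(n_bits: int, seed: bytes = b"constructed-seed-") -> tuple:
    """Hash counter-numbered messages until an n-bit value repeats.
    Returns (message1, message2, evaluations); the two messages differ
    but share the same truncated hash."""
    seen = {}
    count = 0
    while True:
        msg = seed + count.to_bytes(8, "big")
        count += 1
        h = truncated_sha256(msg, n_bits)
        if h in seen:
            return seen[h], msg, count
        seen[h] = msg


if __name__ == "__main__":
    print(f"m=365, r=23: exact {birthday_exact(365, 23):.4f}, "
          f"approx {birthday_approx(365, 23):.4f}")
    a, b, n = birthday_search(24)
    print(f"24-bit hash: collision after {n} evaluations "
          f"(2^(24/2) = {draws_for_half(24)})")
```

The number of evaluations the search needs fluctuates from seed to seed, but it stays within a small multiple of $2^{12} = 4096$; this is exactly why the slide requires the hash length to be at least twice the desired security level in bits.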
10
All input bits must affect the computation of the hashed value.
(Ex) Cryptanalysis of Snefru
No trapdoor
The length of the hashed value must be greater than 128 bits to guarantee a breaking complexity of $2^{64}$ against a brute-force attack.
◦ 1 month with a $10M machine in ’94
◦ Expected cost today: less than $100,000
Maximum error propagation from input to output.
11
Extend a compression function to a hash function so that the resulting hash function is collision resistant if the compression function is.
$H_0 = IV$, $H_i = f(H_{i-1}, x_i)$, $1 \le i \le t$, $h(x) = H_t$
12
[Figure: Merkle-Damgård iteration: $H_0$ → f (with $x_1$) → f (with $x_2$) → … → f (with $x_t$, padding) → hashed code]
f: h’s primitive hash function (a compression function); $H_i$: chaining variable from step i-1 to step i
13
Matyas-Meyer-Oseas: $H_0 = IV$, $H_i = E_{g(H_{i-1})}(x_i) \oplus x_i$
Davies-Meyer: $H_0 = IV$, $H_i = E_{x_i}(H_{i-1}) \oplus H_{i-1}$
Miyaguchi-Preneel: $H_0 = IV$, $H_i = E_{g(H_{i-1})}(x_i) \oplus x_i \oplus H_{i-1}$
(E: the block cipher; g: maps the chaining variable $H_{i-1}$ to a cipher key)
Yield an m-bit hash using an n-bit block cipher with a k-bit key
All of them are secure assuming the block cipher satisfies the required randomness properties
14
Hash Function          (n, k, m)       Rate (k/m)
Matyas-Meyer-Oseas     (n, k, n)       1
Davies-Meyer           (n, k, n)       k/n
Miyaguchi-Preneel      (n, k, n)       1
MDC-2 (w/ DES)         (64, 56, 128)   1/2
MDC-4 (w/ DES)         (64, 56, 128)   1/4
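The three single-length constructions of the previous slide, implemented as an added example (not code from the original slides). A real block cipher is not in the Python standard library, so E is a constructed 16-round Feistel toy cipher with a 64-bit block and 64-bit key, which exists here only so that the Matyas-Meyer-Oseas, Davies-Meyer and Miyaguchi-Preneel formulas can be run; it has no security of its own. Because n = k = 64, the key-mapping function g is the identity. The Merkle-Damgård wrapper uses the padding rule of the preprocessing slide scaled down to 64-bit blocks.

```python
import struct

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def _rotl32(v: int, s: int) -> int:
    return ((v << s) | (v >> (32 - s))) & MASK32


def _round_keys(key: int) -> list:
    """Toy key schedule: 16 subkeys from a 64-bit key (constructed constant)."""
    keys = []
    k = key & MASK64
    for i in range(16):
        k = (k * 0x9E3779B97F4A7C15 + i + 1) & MASK64
        keys.append(((k >> 32) ^ k) & MASK32)
    return keys


def _f(r: int, k: int) -> int:
    """Toy Feistel round function (constructed; no security analysis)."""
    v = ((r ^ k) * 0x85EBCA6B) & MASK32
    return (_rotl32(v, 13) + k) & MASK32


def toy_encrypt(key: int, block: int) -> int:
    """E_key(block): 16-round Feistel network, 64-bit block, 64-bit key."""
    l, r = block >> 32, block & MASK32
    for k in _round_keys(key):
        l, r = r, l ^ _f(r, k)
    return (l << 32) | r


def toy_decrypt(key: int, block: int) -> int:
    """Inverse of toy_encrypt (rounds run backwards). Shown only to confirm
    E is a permutation; the hash constructions never call it."""
    l, r = block >> 32, block & MASK32
    for k in reversed(_round_keys(key)):
        l, r = r ^ _f(l, k), l
    return (l << 32) | r


def g(h_prev: int) -> int:
    """Chaining variable -> cipher key; with n = k = 64 this is the identity."""
    return h_prev & MASK64


def matyas_meyer_oseas(h_prev: int, x: int) -> int:
    """H_i = E_{g(H_{i-1})}(x_i) XOR x_i"""
    return toy_encrypt(g(h_prev), x) ^ x


def davies_meyer(h_prev: int, x: int) -> int:
    """H_i = E_{x_i}(H_{i-1}) XOR H_{i-1}  (the message block is the key)"""
    return toy_encrypt(x, h_prev) ^ h_prev


def miyaguchi_preneel(h_prev: int, x: int) -> int:
    """H_i = E_{g(H_{i-1})}(x_i) XOR x_i XOR H_{i-1}"""
    return toy_encrypt(g(h_prev), x) ^ x ^ h_prev


def md_hash(message: bytes, compress, iv: int = 0) -> int:
    """Merkle-Damgard iteration over 64-bit blocks: H_0 = IV,
    H_i = compress(H_{i-1}, x_i), h(x) = H_t. Padding appends a 1 bit,
    zero bits, then the 64-bit message length (MD strengthening)."""
    padded = message + b"\x80"
    padded += b"\x00" * (-len(padded) % 8)
    padded += struct.pack(">Q", len(message) * 8)
    h = iv
    for off in range(0, len(padded), 8):
        x = int.from_bytes(padded[off:off + 8], "big")
        h = compress(h, x)
    return h


if __name__ == "__main__":
    for name, c in (("MMO", matyas_meyer_oseas), ("DM", davies_meyer),
                    ("MP", miyaguchi_preneel)):
        print(f"{name}: {md_hash(b'abc', c):016x}")
```

Each construction makes exactly one cipher call per message block, which is the rate of 1 listed in the table; the feed-forward XOR of $x_i$ or $H_{i-1}$ is what stops the compression function from being inverted with the cipher's decryption routine.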
MASH: Modular Arithmetic Secure Hash algorithm
Weakness: Efficiency (and Insecurity)
Quadratic Congruential
◦ $H_i = (x_i + H_{i-1})^2 \bmod N$, $H_0 = 0$, where N is the Mersenne prime $2^{31} - 1$
◦ $H_i = ((x_i \oplus H_{i-1})^2 \bmod N) \oplus x_i$
◦ $H_i = (x_i \oplus H_{i-1})^e \bmod N$
15
16
Dedicated Hash Functions
Preprocessing a message, x
1. Padding: $d = (447 - |x|) \bmod 512$
2. Length of a message: $n = |x| \bmod 2^{64}$, $|n| = 64$ bits
3. $M = x \,||\, 1 \,||\, 0^d \,||\, n$, a multiple of 512 bits
where || denotes concatenation
* little-endian: $W = 2^{24} B_4 + 2^{16} B_3 + 2^{8} B_2 + B_1$ ($B_1$: lowest address)
17
18
[Figure: MD4 compression: the message block feeds Round 1, Round 2 and Round 3; chaining variables ABCD in, ABCD out]
Round 1 steps:
1. A = (A + f(B,C,D) + X[0]) <<< 3
2. D = (D + f(A,B,C) + X[1]) <<< 7
3. C = (C + f(D,A,B) + X[2]) <<< 11
4. B = (B + f(C,D,A) + X[3]) <<< 19
5. A = (A + f(B,C,D) + X[4]) <<< 3
…
16. B = (B + f(C,D,A) + X[15]) <<< 19
where $f(X,Y,Z) = (X \wedge Y) \vee (\neg X \wedge Z)$; $\vee$: OR, $\wedge$: AND, $\neg$: complement, <<< s: circular left rotate by s
19
1. Preprocess: M is 512·N bits (512 bits = 16 words)
2. Define 32-bit constants: A = 67452301h, B = efcdab89h, C = 98badcfeh, D = 10325476h
3. for i = 0 to N/16 − 1 do (N mod 16 = 0)
  3-1. for j = 0 to 15 do X[j] = M[16i + j] (M[i]: 32-bit string)
  3-2. AA = A, BB = B, CC = C, DD = D
  3-3. Round 1 (for j = 0..15), Round 2 (for j = 16..31), Round 3 (for j = 32..47)
  3-4. A = A + AA, B = B + BB, C = C + CC, D = D + DD, where + is modular addition over $2^{32}$
4. Output A || B || C || D
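The preprocessing and the three-round MD4 algorithm of the last two slides, written out as a complete implementation. This is an added example, not code from the slides or from RFC 1320: the round-1 shifts and message order are the ones listed above, and the round-2 and round-3 shift amounts (3, 5, 9, 13 and 3, 9, 11, 15), word orders and additive constants (5A827999h, 6ED9EBA1h) are taken from the MD4 specification, which the slides only sketch. The register rotation reproduces the A, D, C, B update order of the step list.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v: int, s: int) -> int:
    """<<< s: circular left rotate of a 32-bit word."""
    return ((v << s) | (v >> (32 - s))) & MASK32


def _f(x, y, z):  # round 1: (X AND Y) OR (NOT X AND Z)
    return (x & y) | ((~x & MASK32) & z)


def _g(x, y, z):  # round 2: majority (X AND Y) OR (X AND Z) OR (Y AND Z)
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):  # round 3: X XOR Y XOR Z
    return x ^ y ^ z


def md4_pad(message: bytes) -> bytes:
    """Preprocessing: append a 1 bit, then d zero bits with
    d = (447 - |x|) mod 512, then |x| mod 2^64 as a 64-bit little-endian
    length, so that |M| is a multiple of 512 bits."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)


# Shift amounts per round (cycled every 4 steps) and additive constants
_SHIFTS = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
_CONSTS = (0x00000000, 0x5A827999, 0x6ED9EBA1)
# Message word access order per round (round 1 sequential, 2 and 3 permuted)
_ORDER = (tuple(range(16)),
          (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
          (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15))
_FUNCS = (_f, _g, _h)


def md4(message: bytes) -> bytes:
    """128-bit MD4 digest of message, returned as 16 bytes."""
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = md4_pad(message)
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])  # 16 little-endian words
        a, b, c, d = A, B, C, D                          # A..D keep AA, BB, CC, DD
        for step in range(48):
            rnd, j = divmod(step, 16)
            k = _ORDER[rnd][j]
            s = _SHIFTS[rnd][j % 4]
            t = (a + _FUNCS[rnd](b, c, d) + X[k] + _CONSTS[rnd]) & MASK32
            # one register is replaced per step; rotating the tuple makes the
            # next step operate on D, then C, then B, as in the step list
            a, b, c, d = d, _rotl(t, s), b, c
        A, B, C, D = ((A + a) & MASK32, (B + b) & MASK32,
                      (C + c) & MASK32, (D + d) & MASK32)
    return struct.pack("<4I", A, B, C, D)


if __name__ == "__main__":
    for m in (b"", b"abc"):
        print(f"MD4({m!r}) = {md4(m).hex()}")
```

The two printed values match the test vectors published with MD4 (the empty string gives 31d6cfe0d16ae931b73c59d7e0c089c0). The whole function fits in a screen, which is one reason the attacks on the later slides were feasible: the only nonlinearity per step is a single Boolean function on three words plus modular addition.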
20
Add a 4th round (16 steps) to MD4
Change the g function in round 2 from the symmetric function $(X \wedge Y) \vee (X \wedge Z) \vee (Y \wedge Z)$ to the non-symmetric function $(X \wedge Z) \vee (Y \wedge \neg Z)$
Modify the access order for message words in Rounds 2 and 3
Modify the shift amounts
Use a unique constant in each of the 4×16 steps
Each step is added to the output of the previous step to achieve the avalanche effect as early as possible.
21
22
[Figure: MD5 compression: the message block feeds Round 1, Round 2, Round 3 and Round 4; chaining variables ABCD in, ABCD out]
23
[Figure: one MD5 step FF(a, b, c, d, $M_j$, $t_i$, s): a nonlinear operation on b, c, d is added to a, the message word $M_j$ and the constant $t_i$, rotated by <<< s, and added to b]
24
[Figure: one SHA-1 step: registers $a_{i-1}, b_{i-1}, c_{i-1}, d_{i-1}, e_{i-1}$ → $a_i, b_i, c_i, d_i, e_i$; a nonlinear operation on b, c, d, a <<< 5, the message word $W_t$ and the constant $K_t$ are added; b is rotated by <<< 30]
160-bit hashed value (5 words), big-endian
4 rounds, each round has 20 steps
Changed internal primitive functions and constants:
$f_t(B,C,D) = (B \wedge C) \vee (\neg B \wedge D)$, $0 \le t \le 19$
$f_t(B,C,D) = B \oplus C \oplus D$, $20 \le t \le 39$
$f_t(B,C,D) = (B \wedge C) \vee (B \wedge D) \vee (C \wedge D)$, $40 \le t \le 59$
$f_t(B,C,D) = B \oplus C \oplus D$, $60 \le t \le 79$
Secure Hash Standard (SHS), FIPS PUB 180-1, 1995.
For details, refer to p.138.
25
26
Algorithm                 Length     Speed (Kb/s)
Davies-Meyer with DES     64         9
HAVAL (3 pass)            variable   168
HAVAL (4 pass)            variable   118
HAVAL (5 pass)            variable   95
MD2                       128        23
MD4                       128        236
MD5                       128        174
N-Hash (12 round)         128        29
N-Hash (15 round)         128        24
RIPEMD                    128        182
SHA-1                     160        75
(measured on a 486SX, 33 MHz)
Nested MAC algorithm from the composition of two (keyed) hash families
The Keyed-Hash Message Authentication Code (HMAC), FIPS PUB 198, 2002
$\mathrm{HMAC}_K(x) = \text{SHA-1}[(K \oplus \mathrm{opad}) \,||\, \text{SHA-1}((K \oplus \mathrm{ipad}) \,||\, x)]$
where ipad = 3636…36, opad = 5C5C…5C, K: 512-bit key, x: message to be authenticated
Secure against unknown-key collision attacks
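The HMAC formula above, implemented directly from the nested-hash definition as an added example (not code from the slides or from FIPS 198). The slide assumes a 512-bit K; FIPS 198 additionally hashes keys longer than one block and zero-pads shorter ones to the block size, and the function below does the same so it agrees with Python's `hmac` module, against which it is checked.

```python
import hashlib
import hmac

BLOCK_BYTES = 64  # SHA-1 block size: 512 bits, the K length the slide assumes


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC_K(x) = SHA-1[(K xor opad) || SHA-1((K xor ipad) || x)]
    with ipad = 0x36 repeated and opad = 0x5C repeated over one block."""
    if len(key) > BLOCK_BYTES:            # FIPS 198: long keys are hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_BYTES, b"\x00")  # short keys are zero-padded to 512 bits
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(k_ipad + message).digest()  # inner (nested) hash
    return hashlib.sha1(k_opad + inner).digest()      # outer hash


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so a verifier does not leak which byte of
    a forged tag first differs."""
    return hmac.compare_digest(hmac_sha1(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against the standard library's HMAC-SHA1."""
    return hmac_sha1(key, message) == hmac.new(key, message, hashlib.sha1).digest()


if __name__ == "__main__":
    # constructed sample: a 20-byte key and a short message
    print(hmac_sha1(b"\x0b" * 20, b"Hi There").hex())
    print(matches_stdlib(b"k" * 100, b"a key longer than one block"))
```

The two hash calls, with distinct keys derived from K via ipad and opad, are what makes this a nested MAC in the sense of the first line of the slide: the outer call commits to the inner digest, so the tag is not simply SHA-1 of the key concatenated with the message.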
27
SHS: Secure Hash Standard; RIPE: RACE Integrity Primitives Evaluation
28
Name         Designer                     Year  Bits             Characteristics                                  Security
MD4          Rivest (US)                  1990  128              32-bit op., 3 rounds; Boolean ft of deg 4        Collision (’95) ($2^{20}$ oper.)
MD5          Rivest (US)                  1991  128              Modified MD4; 4 rounds                           Primitive ft collision (’96)
SHA-1        NIST                         1993  160              Modified MD4; Federal Standard                   Collision search (’05)
HAVAL        Seberry et al. (Australia)   1992  Var. (128~256)   Exp. of MD5 (3, 4, 5 R); Boolean ft of deg 7     Collision search of HAVAL-128 (’05)
RIPEMD-160   RIPE (Europe)                1997  160              Modified MD4; Indep. 2 ft                        Collision search (’05)
HAS-160      KISA (Korea)                 1998  160              -                                                -
29
Collision Search Attack
Chabaud and Joux [Cr98]
◦ SHA-0, $2^{61}$, local collision and disturbance vector
Biham and Chen [Cr04]
◦ Near-collision attack on SHA-0, $2^{40}$
Biham, Joux and Chen [Cr04 rump, EC05]
◦ First real collision on SHA-0 (4 message blocks) found
◦ Collision attack on SHA-1 reduced to 50+ steps
Rijmen and Oswald [RSA-CT05]
◦ Collision attack on SHA-1 reduced to 53 steps.
30
X. Wang, Y.L. Yin and H. Yu, “Finding Collisions in the Full SHA-1”, Proc. of Crypto 2005, pp. 17-36, LNCS 3621
X. Wang, H. Yu and Y.L. Yin, “Efficient Collision Search Attacks on SHA-0”, Proc. of Crypto 2005, pp. 1-16, LNCS 3621
X.Y. Wang, D.G. Feng, X.J. Lai and H.B. Yu, “Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD”, IACR ePrint 2004/199 and Crypto 2004 Rump Session
31
1. Find a disturbance vector with low Hamming weight (differences for subtraction mod $2^{32}$)
2. Construct differential paths by specifying conditions so that the differential path occurs with high probability.
3. Generate a message randomly, modify it using message modification techniques, and find a collision
32
Complexity of the best known attacks: MD4: $2^{6}$, MD5: $2^{33}$, SHA-0: $2^{39}$, SHA-1: $2^{69}$
More complex message preprocessing can provide more security
◦ But in SHA-1 the message expansion does not seem to have enough avalanche effect
◦ All step functions have unexpected weaknesses
◦ Addition and Boolean functions can facilitate the attack
More analysis is needed for SHA-256, -384, -512, which were defined in the Secure Hash Standard (SHS), FIPS 180-2, Aug 2002
33
[Figure] Message collision for 58-step SHA-1
34