
Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Date post: 12-Jan-2016
Page 1: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Sabine Wurmhöringer, Salzburg University for Applied Sciences and Technology, Telecommunications Engineering

Stefan Wegenkittl, Salzburg University for Applied Sciences and Technology, Telecommunications Engineering

Peter Hellekalek, Dept. of Mathematics, University of Salzburg, Austria

Page 2: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160

Construction of Hash Functions

preimage resistance, second preimage resistance, collision resistance

(e.g. Bruce Schneier)

Page 3: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Collisions: 2 messages produce same hash!

[Diagram: the messages "I owe you 100 $" and "I owe you 1.000.000 $" are both mapped by h to the same 160 bit hash 00 34 CA ... FE]

Page 4: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Construction of Hash Functions

preimage resistance, second preimage resistance, collision resistance

(e.g. Bruce Schneier)

randomness of hash values

Page 5: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Randomness of Hash Values: Stoch. Model

Principle: i.i.d. uniform plaintexts result in i.i.d. uniform hash values, thus minimize probability of collisions

plaintexts: $X = \{0,1\}^n$, $M \sim U[X]$, |X| ∞

hashes: $Y = \{0,1\}^{160}$, $C = h(M) \sim U[Y]$, $|Y| = 2^{160}$

[Diagram: arrow labelled "h!" from X to Y]

Page 6: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Example for Violation of Uniformity

[Diagram: two arrows labelled h from the space of plaintexts (X) to the space of hash values (Y), with region labels 1/10, 1/10, 9/10, 9/10 and the label "Attacks"]

Page 7: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Randomness of Hash Values: Stat. Testing

Substitute realisations for random variables and apply statistical tests for uniformity to resulting hash values

Even more: hashing should destroy simple structures: structured plaintexts should produce equidistributed (pseudo-random) hash values

A simple structure: plaintexts are the consecutive values of a counter

same reasoning was applied in tests for cryptographic algorithms (e.g. AES)

Page 8: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Randomness in Cryptology and Simulation

Cryptology, (Stochastic) Simulation

(Pseudo)Randomness

Page 9: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Randomness in Cryptology and Simulation

Cryptology, (Stochastic) Simulation

(Pseudo)Randomness

„unpredictability“, „unbiasedness“ (in terms of interpretation)

„independence“, „equidistribution“ (in terms of statistics)

Page 10: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

High Dimensional Tests for Uniformity

„independence“: P[0|0] = ½  ⇔  „equidistribution“: P[0,0] = ¼

[Diagrams: four 2 × 2 grids with axes labelled 0 and 1]

Page 11: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

High Dimensional Tests for Uniformity

„independence“: P[0|0] = ½, ..., P[1|1] = ½

„equidistribution“: P[0,0] = ¼, ..., P[1,1] = ¼

Tests for independence = Tests for uniformity in higher dimensions

Page 12: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Statistical Testing

Standard test batteries
NIST test suite: http://www.nist.gov
Diehard battery: http://stat.fsu.edu/~geo/diehard.html
- rather limited sample sizes and range of parameters
- able to find several specific defects
- Room for improvement: for example, a well-known defect in T800 is not detected (ACM Tomacs ’99, Matsumoto and Wegenkittl)

References
to date, hardly any published results

Recommendation: additionally employ systematic testing (WSC ’99, Wegenkittl)

Page 13: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Systematic Testing: Serial Overlapping Tests

Load Test (m-tuple test)
- vary sample size in { $2^{18}$ – $2^{28}$ }
- vary dimension in { 1, 2, 4, 8, 16 }

Gambling Test
- even higher dimensions in { 32, 64, 128, 256 }
- vary sample size in { $2^{22}$ – $2^{28}$ }
- based on simulation of gambling game

Page 14: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160


Test Setup and Test Design

preparation of input

2-level serial overlapping test

Chi-square distributed level one test

Kolmogorov-Smirnov test at level two applied to 16 repetitions of level one test (see e.g. Knuth)

Page 15: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Preparation of Input

counter: $m' = 0$ (0...0), $m'' = 1$ (0...01), ... (32 bit each)

Page 16: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Preparation of Input

counter: $m' = 0$ (0...0), $m'' = 1$ (0...01), ... (32 bit each)
hash function: $h(m')$, $h(m'')$, ...

Page 17: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Preparation of Input

counter: $m' = 0$ (0...0), $m'' = 1$ (0...01), ... (32 bit each)
hash function: $h(m')$, $h(m'')$, ...
hash values: $c'_0 \dots c'_{159}$, $c''_0 \dots c''_{159}$, ... (160 bit each)

Page 18: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Preparation of Input

counter: $m' = 0$ (0...0), $m'' = 1$ (0...01), ... (32 bit each)
hash function: $h(m')$, $h(m'')$, ...
hash values: $c'_0 \dots c'_{159}$, $c''_0 \dots c''_{159}$, ... (160 bit each)
cutting: $c'_0\, c'_8 \dots c'_{152}$, $c''_0\, c''_8 \dots c''_{152}$, ... (20 bit each)

Page 19: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Preparation of Input

counter: $m' = 0$ (0...0), $m'' = 1$ (0...01), ... (32 bit each)
hash function: $h(m')$, $h(m'')$, ...
hash values: $c'_0 \dots c'_{159}$, $c''_0 \dots c''_{159}$, ... (160 bit each)
cutting: $c'_0\, c'_8 \dots c'_{152}$, $c''_0\, c''_8 \dots c''_{152}$, ... (20 bit each)
concatenate

Page 20: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Preparation of Input

counter: $m' = 0$ (0...0), $m'' = 1$ (0...01), ... (32 bit each)
hash function: $h(m')$, $h(m'')$, ...
hash values: $c'_0 \dots c'_{159}$, $c''_0 \dots c''_{159}$, ... (160 bit each)
cutting: $c'_0\, c'_8 \dots c'_{152}$, $c''_0\, c''_8 \dots c''_{152}$, ... (20 bit each)
concatenate
input stream: $b_0\, b_1 \dots b_{19}\, b_{20} \dots$

Page 21: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Construction of Overlapping Tuples

input stream: $b_0\, b_1 \dots b_{n+t-1} \dots$

$V_i$: overlapping vectors with dimension $t$

$V_0 = (b_0, \dots, b_{t-1})$
$V_1 = (b_1, \dots, b_t)$
...
$V_i = (b_i, \dots, b_{i+t-1})$
...
$V_n = (b_n, \dots, b_{n+t-1})$
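Added example, not from the slides or the authors' software: a scaled-down Python sketch of the two-level procedure on the preceding slides (counter, SHA-1, every 8th hash bit, overlapping t-tuples, chi-square p-value, 16 repetitions, KS value). Assumptions not given on the slides: big-endian counter encoding, wrap-around tuples, Good's difference statistic ψ²(t) − ψ²(t−1) (the one used in the NIST serial test) as the chi-square distributed level-one statistic, the small sample size, and all function names.

```python
import hashlib
import math
from collections import Counter

def sha1(m):
    return hashlib.sha1(m).digest()

def bit_stream(hash_fn, start, count):
    """Hash 32-bit counter values; keep bits c_0, c_8, ..., c_152 of each digest."""
    bits = []
    for i in range(start, start + count):
        digest = hash_fn(i.to_bytes(4, "big"))      # byte order: assumption
        bits.extend(byte >> 7 for byte in digest)   # c_{8k} is the top bit of byte k
    return bits

def psi_sq(bits, t):
    """Psi^2 statistic over the n overlapping t-tuples (wrapping around: assumption)."""
    n = len(bits)
    if t == 0:
        return 0.0
    ext = bits + bits[:t - 1]
    mask, v, counts = (1 << t) - 1, 0, Counter()
    for k, b in enumerate(ext):
        v = ((v << 1) | b) & mask
        if k >= t - 1:                              # a full t-bit window is loaded
            counts[v] += 1
    return (2 ** t / n) * sum(c * c for c in counts.values()) - n

def level_one_p(bits, t):
    """Upper-tail p-value of psi_sq(t) - psi_sq(t-1): chi-square, 2^(t-1) df, t >= 2."""
    h = max(psi_sq(bits, t) - psi_sq(bits, t - 1), 0.0) / 2
    term, total = 1.0, 0.0
    for j in range(2 ** (t - 1) // 2):              # closed form for even df
        total += term
        term *= h / (j + 1)
    return math.exp(-h) * total

def level_two_ks(hash_fn, t=4, reps=16, hashes_per_rep=2048):
    """sqrt(reps) times the two-sided KS distance of the p-values from U[0,1]."""
    p = sorted(level_one_p(bit_stream(hash_fn, r * hashes_per_rep, hashes_per_rep), t)
               for r in range(reps))
    d = max(max((i + 1) / reps - v, v - i / reps) for i, v in enumerate(p))
    return math.sqrt(reps) * d

if __name__ == "__main__":
    ks = level_two_ks(sha1)
    print(f"SHA-1 KS value: {ks:.3f}  (above 1.570 would be flagged)")
```

A hash that ignores its input, such as `lambda m: bytes(20)`, drives every level-one p-value to 0 and the KS value to its maximum of 4, the top of the scale on the level-two visualization slide.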

Page 22: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Test Setup

[Diagram: counter → hash function → bit stream]

Page 23: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Test Setup

[Diagram: counter → hash function → bit stream, feeding the Load Test and the Gambling Test; each test has a Level One Statistic (χ²) and a Level Two Statistic (KS); further labels: p-values, KS plot]

Page 24: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

SHA-1 and RIPEMD-160

hash value: 160 bit

published:
- SHA-1: FIPS 180
- RIPEMD-160: ISO/IEC 10118-3:2003

considered to be secure until 2005 (Austrian Signature Regulations)

Page 25: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Visualization: Load Test

Level One
- p-values (upper-tail) of chi-square statistic
- 16 repetitions
- arrange resulting p-values in small rectangles
- black color indicates significance at 1% level

scale: 0 (highly non uniform) to 1 (highly uniform)

Page 26: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Results (p-values)

SHA-1:

RIPEMD-160:

[Figures: one grid of p-values per hash function; vertical axis: dimension (16, 8, 4, 2, 1); horizontal axis: sample size ($2^{18}$ – $2^{28}$)]


Page 28: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Visualization: Load Test

Level Two
- KS-values of two-sided Kolmogorov-Smirnov test
- arrange resulting KS-values in a bar diagram
- red color indicates KS-value under 1% level (> 1.570)

scale: 4

Page 29: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Results (Kolmogorov-Smirnov values)

SHA-1:

RIPEMD-160:

Page 30: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Results: Gambling Test

- sample size in { $2^{22}$, ..., $2^{28}$ }
- dimension t in { 32, 64, 128, 256 }
- 16 repetitions of Gambling Test
- p-values (upper-tail) of KS Statistic at level two

Page 31: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Results: Gambling Test

sample size   $2^{22}$   $2^{23}$   $2^{24}$   $2^{25}$   $2^{26}$   $2^{27}$   $2^{28}$
t=32          0.7433     0.8385     0.0979     0.5433     0.0640     0.4392     0.5358
t=64          0.5704     0.8830     0.7704     0.4719     0.7540     0.4346     0.4959
t=128         0.9949     0.8906     0.4484     0.2183     0.6042     0.2805     0.9444
t=256         0.7221     0.2805     0.4183     0.5822     0.1864     0.1321     0.2685

SHA-1

RIPEMD-160

sample size   $2^{22}$   $2^{23}$   $2^{24}$   $2^{25}$   $2^{26}$   $2^{27}$   $2^{28}$
t=32          0.7097     0.0872     0.5383     0.3253     0.8401     0.4264     0.5945
t=64          0.7675     0.5224     0.6532     0.8619     0.4408     0.3848     0.1006
t=128         0.9073     0.8541     0.0478     0.9089     0.7353     0.0190     0.5726
t=256         0.2603     0.6301     0.4755     0.8799     0.3551     0.0288     0.5964

Page 32: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Summary and Conclusion

- tests did not find any systematic defects
- even highly correlated input results in uncorrelated hash values
- all examined probabilities were on target

work in progress:
- study influence of other simple structures in plaintexts (patterns and motifs) and optimize testing strategy
- increase power of test w.r.t. detection of increased collision probability

Page 33: Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Links and References

(1) S. Wegenkittl. Monkeys, gambling, and return times: Assessing pseudorandomness. Proceedings of the 1999 Winter Simulation Conference, pages 625–631, Piscataway, N.J., 1999. IEEE Press.

(2) P. Hellekalek and S. Wegenkittl. Empirical evidence concerning AES. ACM Trans. Model. Comput. Simul., 13(4):322–333, 2003.

(3) S. Wegenkittl. The pLab picturebook: Load tests and ultimate load tests, part I. Report no. 1, pLab – reports, University of Salzburg, 1997.

(4) H. Leeb and S. Wegenkittl. Inversive and linear congruential pseudorandom number generators in empirical tests. ACM Transactions on Modeling and Computer Simulation, 7(2):272–286, 1997.

(5) S. Wegenkittl. Gambling tests for pseudorandom number generators. Mathematics and Computers in Simulation, 55(1–3):281–288, 2001.

(6) B. Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C. Wiley and Sons, New York, second edition, 1996.

(7) S. Wurmhöringer. Statistische Analyse der Hashfunktionen die gemäß der österreichischen Signaturverordnung empfohlen werden. Master Thesis at the Salzburg University of Applied Science and Technology, 2004.

