Cryptography and Network SecurityChapter 11Fifth Editionby William Stallings

Chapter 11 Cryptographic Hash FunctionsAt cats' green on the Sunday he took the message from the inside of the pillar and added Peter Moran's name to the two names already printed there in the "Brontosaur" code. The message now read: Leviathan to Dragon: Martin Hillman, Trevor Allan, Peter Moran: observe and tail. What was the good of it John hardly knew. He felt better, he felt that at last he had made an attack on Peter Moran instead of waiting passively and effecting no retaliation. Besides, what was the use of being in possession of the key to the codes if he never took advantage of it?Talking to Strange Men, Ruth Rendell

Swiss army knife in cryptographyOne of the most useful mathematical concept that has been invented in the contemporary cryptology in the last 20 years.Main use:Part of digital signature schemas

Used in dig. signatures schemesPassword protectionSwiss army knife in cryptography and information securityHash functions

What is a cryptographic hash function?Intuitive requirementsA function that maps a message of an arbitrary length to a n-bit output (the message digest)output to act as a fingerprintif the message digest is transmitted securely, then changes to the message to be detected with overwhelming probability

What is a cryptographic hash function?Informal definitionA function h:{0,1}* {0,1}n, for a given nN is called cryptographic hash function if it isOne wayCollision resistant

What is a cryptographic hash function?One way:Preimage resistant i.e. it should has the property that it is easy to compute h(M)=y for a given M{0,1}*, but it should be hard (or infeasible) to compute any M if just the value of y is given.

What is a cryptographic hash function?One waySecond preimage resistant i.e. it should has the property that for a given M it is easy to compute h(M), but it should be hard' (or infeasible) to find another M M such that h(M)=h(M).

What is a cryptographic hash function?Collision resistantIt should be hard (or infeasible) to find two values M M such that h(M)=h(M).

Conflict theory vs. practiceThe first explicit note for the need of one-way functions in cryptography was given by Diffie and Hellman in 1976.Several significant theoretical works by Yao in 1982 and Levin in 1985 (connected with even older ideas of by Kolmogorov from mid and late 1960s)The existence of one-way functions was connected with the famous question from the complexity theory is P = NP ?

Conflict theory vs. practiceIt was shown that if one-way functions exist then P NP Or vice versa, if P = NP then there are no one-way functions.The first conflict:It is well known that so far no one has succeeded either to prove or to disprove the claim P = NP, Nevertheless the practical requirements to the designers of the cryptographic hash functions are to construct functions that look like one-way.

Conflict theory vs. practiceTrivial theoretical fact (the pigeonhole principle). Since h:{0,1}* {0,1}n, then there are infinite number of colliding pairs M1,M2 {0,1}* such that h(M1)=h(M2). The second conflict:although there are infinite numbers of colliding pairs, practical requirements to the designer of the cryptographic hash function are that it is infeasible in practice to find at least one colliding pair.

Conflicts theory vs. practice

The conflicts between our theoretically limited knowledge for one-way functions and the practical requirements, make the construction of cryptographic hash functions extremely hard.The task for designers is additionally hardened by additional security requirements:pseudo-randomness when it is keyed with a secret keynear-collision resistancepartial preimage resistanceindifferentiable from random oracleConflict theory vs. practice

Another point of view to cryptographic hash functionsThe Random-Oracle paradigm, Bellare and Rogaway, 1993Hash functions are random functionsDigest d=h(M) are chosen uniformly for each message MDigest d=h(M) has no correlation with MFor distinct M1,M2,, digests di=h(Mi) are completely uncorrelated to each otherCannot find collisions, or even near-collisionsCannot find M to hit a specific dCannot find fixed-points d = h(d)

Random oracle paradigmThe Random-Oracle paradigm works like this:Assume that in your system (protocol, algorithm, ...) the hash function that you are using is really that good (as a random function)Try to prove the security of your system with that assumption.Replace the ideal hash function with a particularly specified function.In practice very useful paradigm (OAEP encryption, Full Domain Hash i.e. FDH-RSA, Probabilistic Signature Schemes i.e. PSS signatures, )BUT

Random oracle paradigm Canetti, Goldreich and Halevi: The random oracle methodology, revisited, 1998. There exists a protocol (pretty artificial, but still theoretically sound) which is provably secure in the random oracle model, but becomes insecure when the hash function used in the protocol is replaced by any concretely specified hash function.

Random oracle paradigm Stinson 2001: A proof in the random oracle model is therefore no more than plausible evidence of security when the random oracle model is replaced by a particular hash function. This was the thesis proposed by Bellare and Rogaway when they introduced the random oracle model. In favor of this thesis, it should be noted that no practical protocol proven secure in the random oracle model has been broken when used with a good hash function.On the other hand, the Canneti-Goldreich-Halevi result indicates that there is not likely to be any proof that this thesis is always valid.

Formal definition of hash functions and basic attacksFormalization used by Stinson in: Some observations on the theory of cryptographic hash functions, 2001 (based on Bellare-Rogaway random oracle model)An (N, M) hash function is any function f: X Y, where X and Y are finite sets with |X|=N, and |Y|=M. These hash functions with finite domains are also called compression functions.

Formal definition of hash functions and basic attacks (cont.)

Formal definition of hash functions and basic attacks (cont.)For an n-bit hash function (i.e. M=2n) in order 0.5, q0.692n

Formal definition of hash functions and basic attacks (cont.)For an n-bit hash function (i.e. M=2n) in order 0.5, q0.692n

Formal definition of hash functions and basic attacks (cont.)For an n-bit hash function (i.e. M=2n) in order 0.5, q0.692n + 1

Formal definition of hash functions and basic attacks (cont.)For an n-bit hash function (i.e. M=2n) in order 0.5, q1.182n/2

Choosing the length of Hash outputsBecause of the birthday attack, the length of hash outputs in general should double the key length of block ciphersFrom 2010 recommended hash functions and hash output lengths are: SHA-224, SHA-256, SHA-384, SHA-512 with projected collision security of 112, 128, 192 and 256 bits.

Iterative Construction of Hash Functions (Merkle-Damgrd Construction)A hash function needs to map a message of an arbitrary length to a n-bit outputh: {0,1}*{0,1}nThe iterative constructionuse a compression function that takes a fixed-length input string and output a shorter stringf:{0,1}n + t {0,1}na message is divided into fixed length blocks and processed block by blockMerkle and Damgrd in 1989 (independently) showed that given a collision resistant compression function, a collision resistant hash function could be constructed

Iterative Construction of Hash Functions (Merkle-Damgrd Construction)

A short history of practical hash functions constructions (and their failures)MDx familyProposed by Ronald Rivest for RSA LabsMD2: 1989, BrokenMD4, 1990, Broken MD5, 1992, BrokenInspired by MDx familyRIPEMD: 1995, BrokenRIPEMD-160: 1996Haval: 1992, Broken

A short history of practical hash functions constructions (and their failures)

Merkle-Damgrd Construction does not act as Random OracleLength extension attack on Merkle-DamgrdFor a message M = M1 M2 MN, and the compression function f(A, B) used in Merkle-Damgrd construction, the hash function is defined as:h(M)=C(C(C(IV,M1),M2),MN),PM)where PM is the proper padding.The attacker does not M, but can guess its length i.e. he knows the block PM.He can easily construct a message M=PM||M1, such that he knows the hash of the message M||M i.e. he knows how to computeH(M||M) = C(C(H(M),M1),PM)

Merkle-Damgrd Construction does not act as Random OracleMulti-collisions (Joux 2004)Set i=0Set IV=hiAfter 2n/2 computations of the compression function f() find a colliding pair of different messages (mi1, mi2) such that hi+1= f(hi, mi1)=f(hi, mi2)i=i+1Repeat steps 3 and 4 while i

Slide, from Shai Halevi

Constructions of iterative hash functions that do not suffer from attacks on MDWide pipe (Lucks 2005)

Constructions of iterative hash functions that do not suffer from attacks on MDSponge design (Bertoni, Daemen, Peeters and Van Assche, 2007)

Constructions of iterative hash functions that do not suffer from attacks on MDHAIFA (Biham, Dunkelman, 2006)

Description of the main applications of hash functionsDigital signatures

Description of the main applications of hash functionsMAC and HMAC

Description of the main applications of hash functionsMAC and HMAC

Description of the main applications of hash functionsModification Detection Codes (MDC)

Description of the main applications of hash functionsUses hash functions, via HMAC

Block Ciphers as Hash Functionscan use block ciphers as hash functionsusing H0=0 and zero-pad of final blockcompute: Hi = EMi [Hi-1]and use final block as the hash valuesimilar to CBC but without a keyresulting hash is too small (64-bit)both due to direct birthday attackand to meet-in-the-middle attackother variants also susceptible to attack

Building blocks in the hash functionsBased on block ciphers

Building blocks in the hash functionsBased on block ciphersGovaerts, Preneel and Vandewalle: Hash functions based on block ciphers: A synthetic approach, 199312 secure schemes (PGV1-12)Strict black-box analysis done by Rogaway, Black and Shrimpton I 2002.

Secure Hash AlgorithmSHA originally designed by NIST & NSA in 1993was revised in 1995 as SHA-1US standard for use with DSA signature scheme standard is FIPS 180-1 1995, also Internet RFC3174nb. the algorithm is SHA, the standard is SHS based on design of MD4 with key differences produces 160-bit hash values recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

Revised Secure Hash StandardNIST issued revision FIPS 180-2 in 2002adds 3 additional versions of SHA SHA-256, SHA-384, SHA-512designed for compatibility with increased security provided by the AES cipherstructure & detail is similar to SHA-1hence analysis should be similarbut security levels are rather higher

SHA-512 Overview

Complete pseudo-code for SHA-512

SHA-512 Compression Functionheart of the algorithmprocessing message in 1024-bit blocksconsists of 80 roundsupdating a 512-bit buffer using a 64-bit value Wt derived from the current message blockand a round constant based on cube root of first 80 prime numbers

SHA-512 Round Function

SHA-512 Round Function

NIST worldwide hash competition for SHA-3

SHA-3 Requirements224, 256, 384 and 512 bits of outputCollision resistance of n/2 bits(Second)Preimage resistance of n bitsResistant against length-extension attackSignificantly faster than SHA-2

SHA-3 Competition timeline

SHA-3 Competition timeline3Q | Announce the Second Round candidates.

SHA-3 Competition timelineDelayed for 4Q.

SHA-3 Competition timeline

AdditionRotationeXoringmostly AESlike Serpent

AdditionRotationeXoringmostly AESlike SerpentOn 9 Dec 2010 NIST announced 5 SHA-3 finalists

AdditionRotationeXoringmostly AESlike SerpentOn 9 Dec 2010 NIST announced 5 SHA-3 finalists2 October 2012, NIST announced that SHA-3 is Keccak

NIST worldwide hash competition for SHA-3What does it mean significantly improved efficiency (over SHA-2)?Let us take the following definition: Significantly improved efficiency over SHA-2 means at least 2 times faster than SHA-2.Then, if a function is 2 times slower than SHA-2, it means that it has significantly worse efficiency.This convention seems to be accepted by many in cryptography (see Classication of the SHA-3 Candidates, Fleischmann, Forler, and Gorski, eprint 2008, report 511)

NIST worldwide hash competition for SHA-3Why NIST expected SHA-3 to be with significantly improved efficiency (over SHA-2)?Because of their experience with serious software vendors that are still using MD5 instead of SHA-1 (and now instead of SHA-2) due to the more than 1:3 speed ratio in favor to MD5 vs sha256.

Summaryhave considered:hash functionsSHA-3SHA-512

**Opening quote.******************************************A number of proposals have been made for hash functions based on using a cipher block chaining technique, but without the secret key (instead using the message blocks as keys). Unfortunately these are subject to both the birthday attack, and to a meet-in-the-middle attack. Thus, attention has been directed at finding other approaches to hashing.

****The Secure Hash Algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993; a revised version was issued as FIPS 180-1 in 1995 and is generally referred to as SHA-1. The actual standards document is entitled Secure Hash Standard. SHA is based on the hash function MD4 and its design closely models MD4. SHA-1 produces a hash value of 160 bits. In 2005, a research team described an attack in which two separate messages could be found that deliver the same SHA-1 hash using 2^69 operations, far fewer than the 2^80 operations previously thought needed to find a collision with an SHA-1 hash [WANG05]. This result should hasten the transition to newer, longer versions of SHA.*In 2002, NIST produced a revised version of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512. These new versions have the same underlying structure and use the same types of modular arithmetic and logical binary operations as SHA-1, hence analyses should be similar. In 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the other SHA versions by 2010. See Stallings Table12.1 for comparative details of these algorithms.**Now examine the structure of SHA-512, noting that the other versions are quite similar.SHA-512 follows the structure depicted in Stallings Figure 12.1. The processing consists of the following steps: Step 1: Append padding bits Step 2: Append length Step 3: Initialize hash buffer Step 4: Process the message in 1024-bit (128-word) blocks, which forms the heart of the algorithm Step 5: Output the final state value as the resulting hashSee text for details.****The SHA-512 Compression Function is the heart of the algorithm. In this Step 4, it processes the message in 1024-bit (128-word) blocks, using a module that consists of 80 rounds, labeled F in Stallings Figure 12, as shown in Figure 12.2. Each round takes as input the 512-bit buffer value, and updates the contents of the buffer. Each round t makes use of a 64-bit value Wt derived using a message schedule from the current 1024-bit block being processed. Each round also makes use of an additive constant Kt, based on the fractional parts of the cube roots of the first eighty prime numbers. The output of the eightieth round is added to the input to the first round to produce the final hash value for this message block, which forms the input to the next iteration of this compression function, as shown on the previous slide.*The structure of each of the 80 rounds is shown in Stallings Figure 12.3. Each 64-bit word shuffled along one place, and in some cases manipulated using a series of simple logical functions (ANDs, NOTs, ORs, XORs, ROTates), in order to provide the avalanche & completeness properties of the hash function. The elements are:Ch(e,f,g) = (e AND f) XOR (NOT e AND g)Maj(a,b,c) = (a AND b) XOR (a AND c) XOR (b AND c)(a) = ROTR(a,28) XOR ROTR(a,34) XOR ROTR(a,39)(e) = ROTR(e,14) XOR ROTR(e,18) XOR ROTR(e,41)+ = addition modulo 2^64Kt = a 64-bit additive constant Wt = a 64-bit word derived from the current 512-bit input block.*Stallings Figure 12.4 details how the 64-bit word values Wt are derived from the 1024-bit message. The first 16 values of Wt are taken directly from the 16 words of the current block. The remaining values are defined as a function of the earlier values using ROTates, SHIFTs and XORs as shown. The function elements are:0(x) = ROTR(x,1) XOR ROTR(x,8) XOR SHR(x,7)1(x) = ROTR(x,19) XOR ROTR(x,61) XOR SHR(x,6).

**************Chapter 11 summary.