Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160
description
Transcript of Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160
Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160
Sabine Wurmhöringer Salzburg University for Applied Sciences and Technology Telecommunications Engineering [email protected]
Stefan Wegenkittl Salzburg University for Applied Sciences and Technology Telecommunications Engineering
Peter Hellekalek Dept. of Mathematics, University of Salzburg, Austria
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Construction of Hash Functions
preimage resistance second preimage resistance collision resistance
(e.g. Bruce Schneier)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Collisions: 2 messages produce same hash!
I owe you100 $
I owe you1.000.000 $
00 34 CA ... FE
h h
160 bit hash
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Construction of Hash Functions
preimage resistance second preimage resistance collision resistance
(e.g. Bruce Schneier)
randomness of hash values
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Randomness of Hash Values: Stoch. Model
Principle: i.i.d. uniform plaintexts result in i.i.d. uniform hash values, thus minimize probability of collisions
X= {0,1}n plaintexts M ~ U[X]
|X| ∞
Y= {0,1}160 hashes C = h(M) ~ U[Y] |Y|= 2160
h!
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Example for Violation of Uniformity
1/10
1/10
9/10
9/10
h
h
space of plaintexts ( X ) space of hash values ( Y )
Attacks
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Randomness of Hash Values: Stat. Testing Substitute realisations for random variables
and apply statistical tests for uniformity to resulting hash values
Even more: hashing should destroy simple structures: structured plaintexts should produce equidistributed (pseudo-random) hash values
A simple structure: plaintexts are the consecutive values of a counter
same reasoning was applied in tests for cryptographic algorithms (e.g. AES)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Randomness in Cryptology and Simulation
Cryptology(Stochastic)Simulation
(Pseudo)Randomness
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Randomness in Cryptology and Simulation
Cryptology(Stochastic)Simulation
(Pseudo)Randomness
„unpredictability“ „unbiasedness“in terms of interpretation
„independence“ „equidistribution“in terms of statistics
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
High Dimensional Tests for Uniformity
„independence“
P[0|0] = ½
„equidistribution“
P[0,0]= ¼⇔
0 1
1
0
0 1
1
0
0 1
1
0
0 1
1
0
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
High Dimensional Tests for Uniformity
„independence“
P[0|0] = ½...
P[1|1] = ½
Tests forindependence
„equidistribution“
P[0,0]= ¼...
P[1,1]= ¼
Tests for uniformity in
higher dimensions
⇔
=
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Statistical Testing
Standard test batteries NIST test suite: http://www.nist.gov Diehard battery: http://
stat.fsu.edu/~geo/diehard.html- rather limited sample sizes and range of parameters- able to find several specific defects- Room for improvement: for example, a well-known defect in
T800 is not detected(ACM Tomacs ’99, Matsumoto and Wegenkittl)
Referencesup to date hardly any published results
Recommendation: additionally employ systematic testing (WSC ’99, Wegenkittl)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Systematic Testing: Serial Overlapping Tests
Load Test (m-tuple test) vary sample size in { 218 – 228 } vary dimension in {1, 2, 4, 8, 16 }
Gambling Test even higher dimensions in { 32, 64, 128,
256 } vary sample size in { 222 – 228 } based on simulation of gambling game
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Test Setup and Test Design
preparation of input
2-level serial overlapping test
Chi-square distributed level one test
Kolmogorov-Smirnov test at level two applied to 16 repetitions of level one test (see e.g. Knuth)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Preparation of Inputm‘=0 m‘‘=1
0 .............0 0 ............01 ...
32 bit 32 bit
counter
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Preparation of Inputm‘=0 m‘‘=1
0 .............0 0 ............01 ...
h(m‘)32 bit 32 bit
h(m‘‘)
counter
hash function
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Preparation of Input m‘=0 m‘‘=1
0 .............0 0 ............01 ...
c‘0 .........c‘159 c‘‘0 ............c‘‘159...
h(m‘)32 bit 32 bit
160 bit 160 bit
h(m‘‘)
counter
hash function
hash values
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Preparation of Inputm‘=0 m‘‘=1
0 .............0 0 ............01 ...
c‘0 .........c‘159 c‘‘0 ............c‘‘159...
h(m‘)32 bit 32 bit
160 bit 160 bit
h(m‘‘)
counter
hash function
hash values
cuttingc‘0 c‘8 ..... c‘152
c‘‘0 c‘‘8 ... c‘‘152...
20 bit 20 bit
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Preparation of Inputm‘=0 m‘‘=1
0 .............0 0 ............01 ...
c‘0 .........c‘159 c‘‘0 ............c‘‘159...
h(m‘)32 bit 32 bit
160 bit 160 bit
h(m‘‘)
counter
hash function
hash values
cuttingc‘0 c‘8 ..... c‘152
c‘‘0 c‘‘8 ... c‘‘152...
20 bit 20 bitconcatenate
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Preparation of Inputm‘=0 m‘‘=1
0 .............0 0 ............01 ...
c‘0 .........c‘159 c‘‘0 ............c‘‘159...
h(m‘)32 bit 32 bit
160 bit 160 bit
h(m‘‘)
counter
hash function
hash values
cutting
input stream
c‘0 c‘8 ..... c‘152c‘‘0 c‘‘8 ... c‘‘152
...
b0 b1...................b19b20 ...................
20 bit 20 bitconcatenate
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Construction of Overlapping Tuples
. . .
Vioverlapping vectors with dimension t
input stream b0b1................................bn+t-1 ...
b0 .....bt-1
b1 .......bt
bi ....bi+t-1
V1
V0
Vnbn ...bn+t-1
. . .
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Test Setup
hash function
counter
bit stream
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Gambling Test
Test Setup
hash function
KS plot
counter
bit stream
Load Test
Level One Statistic (χ2)
Level Two Statistic (KS)
p-values Level One Statistic (χ2)
Level Two Statistic (KS)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
SHA-1 and RIPEMD-160
hash value: 160 bit published:
SHA-1: FIPS 180 RIPEMD-160: ISO/IEC 10118-3:2003
considered to be secure until 2005(Austrian Signature Regulations)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Visualization: Load Test
Level One p-values (upper-tail) of chi-square statistic 16 repetitions arrange resulting p-values in small
rectangles
black color indicates significance at 1% level
0highly non uniform
1highly uniform
scale:
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Results (p-values)
SHA-1:
RIPEMD-160:
dim
en
sio
n16 - 8 - 4 - 2 - 1 -
sample size (218 – 228)
16 - 8 - 4 - 2 - 1 -d
imen
sio
n
sample size (218 – 228)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Results (p-values)
SHA-1:
RIPEMD-160:
dim
en
sio
n16 - 8 - 4 - 2 - 1 -
sample size (218 – 228)
16 - 8 - 4 - 2 - 1 -d
imen
sio
n
sample size (218 – 228)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Visualization: Load Test
Level Two KS-values of two-sided Kolmogorov-
Smirnov test arrange resulting KS-values in a bar
diagram
red color indicates KS-value under 1% level
> 1.570
scale:
4
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Results (Kolmogorov-Smirnov values)SHA-1: RIPEMD-160:
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Results: Gambling Test
sample size in {222,...,228} dimension t in {32,64,128,256} 16 repetitions of Gambling Test p-values (upper-tail) of KS Statistic at level two
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Results: Gambling Test
samplesize
222 223 224 225 226 227 228
t=32 0.7433
0.8385
0.0979
0.5433
0.0640
0.4392
0.5358
t=64 0.5704
0.8830
0.7704
0.4719
0.7540
0.4346
0.4959
t=128 0.9949
0.8906
0.4484
0.2183
0.6042
0.2805
0.9444
t=256 0.7221
0.2805
0.4183
0.5822
0.1864
0.1321
0.2685
SHA-1
RIPEMD-160
samplesize
222 223 224 225 226 227 228
t=32 0.7097
0.0872
0.5383
0.3253
0.8401
0.4264
0.5945
t=64 0.7675
0.5224
0.6532
0.8619
0.4408
0.3848
0.1006
t=128 0.9073
0.8541
0.0478
0.9089
0.7353
0.0190
0.5726
t=256 0.2603
0.6301
0.4755
0.8799
0.3551
0.0288
0.5964
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Summary and Conclusion
tests did not find any systematic defects even highly correlated input results in uncorrelated hash values all examined probabilities were on target
work in progress: study influence of other simple structures in plaintexts (patterns and motives) and optimize testing strategy increase power of test w.r.t. detection of increased collision probability
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160
Links and References(1)S. Wegenkittl. Monkeys, gambling, and return times: Assessing
pseudorandomness. Proceedings of the 1999 Winter Simulation Conference, pages 625–631, Piscataway, N.J., 1999. IEEE Press.
(2)P. Hellekalek and S. Wegenkittl. Empirical evidence concerning AES. ACM Trans. Model. Comput. Simul., 13(4):322–333, 2003.
(3)S. Wegenkittl. The pLab picturebook: Load tests and ultimate load tests, part I. Report no. 1, pLab – reports, University of Salzburg, 1997.
(4)H. Leeb and S. Wegenkittl. Inversive and linear congruential pseudorandom number generators in empirical tests. ACM Transactions on Modeling and Computer Simulation, 7(2):272–286, 1997.
(5)S. Wegenkittl. Gambling tests for pseudorandom number generators. Mathematics and Computers in Simulation, 55(1–3):281–288, 2001.
(6)B. Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C. Wiley and Sons, New York, second edition, 1996.
(7)S. Wurmhöringer. Statistische Analyse der Hashfunktionen die gemäß der österreichischen Signaturverordnung empfohlen werden. Master Thesis at the Salzburg University of Applied Science and Technology, 2004.