Hash Functions
Vincent Rijmen
Challenges and Perspectives for Academia and Industry
Antwerp, May 27th, 2008
A cryptographic hash function produces cryptographic checksums or fingerprints
• Fast
• Secure
[Figure: hash function]
Common uses of a hash function
[Figure panels: Representative, Commitment, Randomiser]
First security property: one-wayness
[Figure: hash function]
Second security property: collision resistance
[Figure: hash function]
Some definition problems
• Information-theoretic
  – Collisions always exist
• Complexity-theoretic
  – Standardised hash functions are fixed algorithms, not classes
  – Finding a collision is difficult only the first time
• Largely ignored by “practical” people
Some other problems
• Designs with provable security often ignore properties which are important in practice
• Near-collisions: two inputs give almost the same output
  – May interact badly with applications
• One-wayness: for all outputs, most outputs, most probable outputs?
Hash function design: Davies-Meyer (1979)
[Figure: block diagram with H_i, M_i, key schedule, encryption (DES), +, H_{i+1}]
MD4 (R. Rivest, 1990)
[Figure: block diagram with H_i, M_i, expansion, state update, +, H_{i+1}]
MD4 state update: Unbalanced Feistel Network (48 iterations)
• No arguments for its security
• Fast on 32-bit CPUs
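The MD4 structure named on the two slides above (expansion of M_i, a 48-step unbalanced Feistel state update, and the final + that gives H_{i+1}), written out as an added example that is not part of the original slides. Constants and word orders follow RFC 1320; the names `ROUNDS`, `compress` and `md4` are chosen here.

```python
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

# One entry per round: boolean function f, additive constant, message-word
# order (the "expansion" of M_i from 16 to 48 words) and rotation amounts.
ROUNDS = [
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     list(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
]

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def compress(h, block):
    """H_{i+1} = H_i + StateUpdate(H_i, Expansion(M_i)), word-wise mod 2^32."""
    m = struct.unpack("<16I", block)
    a, b, c, d = h
    for f, k, order, shifts in ROUNDS:
        for i, idx in enumerate(order):
            # Unbalanced Feistel step: three words feed f, only one word changes.
            t = rotl((a + f(b, c, d) + m[idx] + k) & MASK, shifts[i % 4])
            a, b, c, d = d, t, b, c
    # Feed-forward (the "+" in the diagram): without it the step sequence
    # above could simply be run backwards for a known message block.
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d)))

def md4(data):
    """Pad, then iterate the compression function over 64-byte blocks."""
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    padded += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = IV
    for off in range(0, len(padded), 64):
        h = compress(h, padded[off:off + 64])
    return struct.pack("<4I", *h).hex()

if __name__ == "__main__":
    print(md4(b"abc"))
```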
State updates in the MD4 family
[Figure: state update diagrams for MD4, SHA/SHA-1 and SHA-256]
Design principles copied in MD5, RIPEMD, HAVAL, SHA, SHA-1, SHA-256, ...
  – All hash functions in use today
Hash function crisis [2004-2005]
• New cryptanalysis technique announced
  – Novel method to do differential cryptanalysis
• Collisions for MD4, MD5, RIPEMD in minutes
• Collisions for SHA (SHA-0) in hours
• Collisions for SHA-1 “theoretically possible”
  – 2^69 hashing operations
Impact
• These collisions have a very specific structure
• Many applications rely on one-wayness only
• Hiding structure might turn out to be the easiest part of the problem
• Educating people that collisions may not endanger some applications might turn out to be a most difficult task
• Impact should not be underestimated
Situation now: SHA-1
• Collisions for reduced variants:
  – 58 iterations in 2005,
  – 64 iterations in 2006,
  – 70 iterations in 2007
• Collisions for SHA-1 still “theoretically possible”
  – Estimated work for 80 iterations: 2^61 hashing operations
  – Distributed effort http://boinc.iaik.tugraz.at
Situation now: alternatives
• SHA-256 (64 iterations)
  – Best result now is on 39 iterations
  – Best result 4 months ago: collision on 18 iterations
• RIPEMD-160
  – Surprisingly (?) resistant
• Whirlpool
  – Based on AES-like block cipher
[Figure: plot of SHA-256 results, 2006 to 2008]
STVL activities on hash functions
• Work group on hash functions
• Two workshops (Krakow 2005, Barcelona 2007), sponsoring a third (Leiden 2008)
• ECRYPT Position Paper on Recent Collision Attacks on Hash Functions (2004, 2005)
• 30 internal documents, leading to 24 publications/talks at international conferences
• ehash wiki http://ehash.iaik.tugraz.at
• To be continued in ECRYPT2
STVL papers on hash functions
• Cryptanalysis of SMASH, LASH, FORK-256, VSH, GOST
• Analysis of MD4, SHA-1, SHA-256
• Syndrome-based hash functions
• Iteration modes
• Impact on APOP, NMAC, HMAC
• ...
Challenge 1: break SHA-256
• Security of SHA-256 is based on the fact that many people would rather eat liver than do a full security analysis
• Automatic searching tools have been useful before
  – DES, MD4, MD5, SHA-1
Challenge 2: proofs & properties
• How to define security when
  – Nothing is secret
  – Everything is deterministic
• What properties do we want
  – Required in applications
  – Properly definable and provable
• Develop a usable hash function design theory
Hash function theory
• What is the best we can hope for?
• Study generic attacks
  – Optimal one-wayness
  – Meet-in-the-middle attacks
• Good iteration modes:
  – Relation between properties of compression function and properties of hash function
• Leverage results from block cipher theory
  – Known-key security of block ciphers
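A measurement of the generic collision bound behind "what is the best we can hope for" and the earlier remark that collisions always exist, as an added example that is not part of the original slides. SHA-256 truncated to n bits stands in for an n-bit hash function; the function names and the input strings are constructed for this example.

```python
import hashlib

def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256(msg), standing in for an n-bit hash function."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - n_bits)

def birthday_collision(n_bits: int):
    """Generic collision search: remember every output until one repeats.

    Returns (m1, m2, evaluations). Nothing about the hash internals is used,
    only the output size, so no n-bit design can do better than this bound.
    """
    seen = {}
    # 2^n + 1 distinct inputs must contain a collision (pigeonhole), so the
    # loop always terminates; the birthday bound makes ~2^(n/2) typical.
    for counter in range(2 ** n_bits + 1):
        msg = b"constructed-input-%d" % counter
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
    raise AssertionError("unreachable: pigeonhole principle")

def cost_table(sizes=(8, 16, 24)):
    """Measured evaluations next to 2^(n/2) for each output size."""
    rows = []
    for n in sizes:
        _, _, evals = birthday_collision(n)
        rows.append((n, evals, 2 ** (n // 2)))
    return rows

if __name__ == "__main__":
    for n, evals, bound in cost_table():
        print(f"n={n:2d} bits: collision after {evals} evaluations, "
              f"2^(n/2) = {bound}")
```

Each extra output bit adds only half a bit of generic collision resistance, which is why output size is a design parameter in its own right.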
Challenge 3: practical design
• SHA-3 development process organized by NIST
  – Aim to be as successful as with AES process
• Design & submission of new proposals
  – Optimized MD4-style designs, or
  – New types of designs
• Evaluation: security & performance
Design question: S-boxes?
• Can be made strongly non-linear
• Tailored towards any criterion
• Question: which properties are relevant?
Design question: state size
• Output size n
• Message block size m
• How much state do we need in order to exclude generic attacks against the one-wayness?
• Can we do less than 2n + m?
Design question: relevant attacks
• Current attacks on hash functions follow from differential cryptanalysis
• First results with higher-order attacks are promising
• What about saturation attacks?
• Linear cryptanalysis?
Challenge 4: changing the real world
• Propagate new insights and new designs into applications
• Faster than with AES ☺
• Different output size
• Additional inputs?