sound hashing modes of arbitrary functions permutations
play

Sound Hashing Modes of Arbitrary Functions, Permutations, and Block - PowerPoint PPT Presentation

Mar 01, 2023 •10 likes •800 views

Sound Hashing Modes of Arbitrary Functions, Permutations, and Block Ciphers (SoK) Joan Daemen 1 Bart Mennink 1 Gilles Van Assche 2 Fast Software Encryption Paris, March 2019 1 Radboud University 2 STMicroelectronics 1 M 4 pad Hash function

  1. Sound Hashing Modes of Arbitrary Functions, Permutations, and Block Ciphers (SoK) Joan Daemen 1 Bart Mennink 1 Gilles Van Assche 2 Fast Software Encryption Paris, March 2019 1 Radboud University 2 STMicroelectronics 1

  2. M 4 pad Hash function example 1: SHA-256 F Underlying primitive: block cipher with 256-bit block and 512-bit key 1 CV i data path mess. expans. M i CV i Compression function F from block cipher B with Davies-Meyer : digest CV Hash function h from compression function F with Merkle-Damgård : F CV M 3 F CV M 2 F M 1 IV 2

  3. Hash function example 1: SHA-256 M 3 Underlying primitive: block cipher with 256-bit block and 512-bit key 1 CV i data path mess. expans. M i CV i Compression function F from block cipher B with Davies-Meyer : F CV F Hash function h from compression function F with Merkle-Damgård : CV 2 F CV IV M 1 F M 2 M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest

  4. Hash function example 1: SHA-256 F Underlying primitive: block cipher with 256-bit block and 512-bit key data path mess. expans. M i CV i Compression function F from block cipher B with Davies-Meyer : F CV Hash function h from compression function F with Merkle-Damgård : F CV M 3 2 IV M 1 CV M 2 F M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest ❍❍❍❍❍❍❍ ❍ ✲ ✲ ✲ ✲ CV i + 1 ⊕ ✻

  5. Hash function example 1: SHA-256 F Underlying primitive: block cipher with 256-bit block and 512-bit key data path mess. expans. M i CV i Compression function F from block cipher B with Davies-Meyer : F CV Hash function h from compression function F with Merkle-Damgård : F CV M 3 2 IV M 1 CV M 2 F M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest ❍❍❍❍❍❍❍ ❍ ✲ ✲ ✲ ✲ CV i + 1 ⊕ ✻

  6. � � π π Example 2: MD6 [Rivest et al. 2008] Hash function h from CF F with dedicated tree hash mode: CF F from permutation P with dedicated construction: Underlying primitive: 5696-bit permutation 3

  7. π π Example 2: MD6 [Rivest et al. 2008] Hash function h from CF F with dedicated tree hash mode: Underlying primitive: 5696-bit permutation CF F from permutation P with dedicated construction: 3 � � Location (level,index) input to each node level (2,0) (2,1) (2,2) (2,3) 3 2 1 0

  8. Example 2: MD6 [Rivest et al. 2008] CF F from permutation P with dedicated construction: Underlying primitive: 5696-bit permutation Hash function h from CF F with dedicated tree hash mode: 3 � � Location (level,index) input to each node level (2,0) (2,1) (2,2) (2,3) 3 2 1 0 key+UV data const 15 8+2 64 89 words N Map 1-1 map π Prepend 89 words π ( N ) 16 words C Chop

  9. Example 2: MD6 [Rivest et al. 2008] CF F from permutation P with dedicated construction: Underlying primitive: 5696-bit permutation Hash function h from CF F with dedicated tree hash mode: 3 � � Location (level,index) input to each node level (2,0) (2,1) (2,2) (2,3) 3 2 1 0 key+UV data const 15 8+2 64 89 words N Map 1-1 map π Prepend 89 words π ( N ) 16 words C Chop

  10. Example 3: KangarooTwelve [Keccak Team 2016] Parallel XOF from XOF with Sakura-encoded [KT 2014] tree hash mode: XOF from permutation with sponge [KT 2008] : Underlying primitive: 1600-bit permutation Keccak- p 12 4

  11. Example 3: KangarooTwelve [Keccak Team 2016] Parallel XOF from XOF with Sakura-encoded [KT 2014] tree hash mode: Underlying primitive: 1600-bit permutation Keccak- p 12 XOF from permutation with sponge [KT 2008] : 4 S 1 S 2 S 3 S n -2 S n -1 110 110 110 110 110 110 * S 0 CV CV CV … CV CV n -1 FFFF 01

  12. Example 3: KangarooTwelve [Keccak Team 2016] Parallel XOF from XOF with Sakura-encoded [KT 2014] tree hash mode: Underlying primitive: 1600-bit permutation Keccak- p 12 XOF from permutation with sponge [KT 2008] : 4 S 1 S 2 S 3 S n -2 S n -1 110 110 110 110 110 110 * S 0 CV CV CV … CV CV n -1 FFFF 01 M pad trunc Z r 0 f f f f f f outer inner c 0 absorbing squeezing

  13. Example 3: KangarooTwelve [Keccak Team 2016] Parallel XOF from XOF with Sakura-encoded [KT 2014] tree hash mode: XOF from permutation with sponge [KT 2008] : 4 S 1 S 2 S 3 S n -2 S n -1 110 110 110 110 110 110 * S 0 CV CV CV … CV CV n -1 FFFF 01 M pad trunc Z r 0 f f f f f f outer inner c 0 absorbing squeezing Underlying primitive: 1600-bit permutation Keccak- p [ 12 ]

  14. Basis for security of hash functions Trust in security based on public scrutiny and cryptanalysis But we can prove security of idealized version of the function … is h with underlying primitive replaced by random one Ideal hash function: random oracle Upper bound on advantage of distinguishing from this bound says something about the mode only better attacks must exploit specific properties of primitive In other words, they bound the success probability of generic attacks 5 ▶ We cannot prove a hash function h is secure

  15. Basis for security of hash functions But we can prove security of idealized version of the function … is h with underlying primitive replaced by random one Ideal hash function: random oracle Upper bound on advantage of distinguishing from this bound says something about the mode only better attacks must exploit specific properties of primitive In other words, they bound the success probability of generic attacks 5 ▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis

  16. Basis for security of hash functions Ideal hash function: random oracle Upper bound on advantage of distinguishing from this bound says something about the mode only better attacks must exploit specific properties of primitive In other words, they bound the success probability of generic attacks 5 ▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis ▶ But we can prove security of idealized version H of the function • … H is h with underlying primitive replaced by random one

  17. Basis for security of hash functions In other words, they bound the success probability of generic attacks 5 ▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis ▶ But we can prove security of idealized version H of the function • … H is h with underlying primitive replaced by random one ▶ Ideal hash function: random oracle RO ▶ Upper bound on advantage of distinguishing H from RO • this bound says something about the mode only • better attacks must exploit specific properties of primitive

  18. attacks Basis for security of hash functions 5 ▶ We cannot prove a hash function h is secure ▶ Trust in security based on public scrutiny and cryptanalysis ▶ But we can prove security of idealized version H of the function • … H is h with underlying primitive replaced by random one ▶ Ideal hash function: random oracle RO ▶ Upper bound on advantage of distinguishing H from RO • this bound says something about the mode only • better attacks must exploit specific properties of primitive ▶ In other words, they bound the success probability of generic

  19. M 4 pad What can happen if you don’t have a good bound? digest Affect all old-style hash standards: MD5, SHA-1 and all SHA-2 herding attack, … multi-collisions 2nd pre-image for long messages Attacks with less complexity than expected fixing requires adding expensive construction: HMAC MAC function h K M not secure against forgery Length extension property CV F IV F CV M 3 F CV M 2 F M 1 6

  20. What can happen if you don’t have a good bound? CV Affect all old-style hash standards: MD5, SHA-1 and all SHA-2 herding attack, … multi-collisions 2nd pre-image for long messages Attacks with less complexity than expected fixing requires adding expensive construction: HMAC MAC function h K M not secure against forgery Length extension property F CV F IV 6 M 3 CV F M 1 F M 2 M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest

  21. What can happen if you don’t have a good bound? M 3 Affect all old-style hash standards: MD5, SHA-1 and all SHA-2 herding attack, … multi-collisions 2nd pre-image for long messages Attacks with less complexity than expected fixing requires adding expensive construction: HMAC MAC function h K M not secure against forgery F CV F IV CV 6 F CV M 1 F M 2 M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest ▶ Length extension property

  22. What can happen if you don’t have a good bound? M 3 Affect all old-style hash standards: MD5, SHA-1 and all SHA-2 herding attack, … multi-collisions 2nd pre-image for long messages Attacks with less complexity than expected fixing requires adding expensive construction: HMAC F CV F IV CV 6 F M 1 F M 2 CV M 4 pad ❍❍❍ ❍❍❍ ❍❍❍ ❍❍❍ ✲ ✲ ✲ ✲ ❍ ❍ ❍ ❍ ✲ ✲ ✲ ✲ ✲ digest ▶ Length extension property • MAC function h ( K | M ) not secure against forgery

Recommend

On the (In)Security of IDEA in Various Hashing Modes Lei Wei 1 , Thomas Peyrin 1 , Przemysaw

On the (In)Security of IDEA in Various Hashing Modes Lei Wei 1 , Thomas Peyrin 1 , Przemysaw

On the (In)Security of IDEA in Various Hashing Modes On the (In)Security of IDEA in Various Hashing Modes Lei Wei 1 , Thomas Peyrin 1 , Przemysaw Sokoowski 2 , San Ling 1 , Josef Pieprzyk 2 , and Huaxiong Wang 1 1 Division of Mathematical

524 views • 25 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.5k views • 58 slides
14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple

14. Hashing Hash Tables, Pre-Hashing, Hashing, Resolving Collisions using Chaining, Simple Uniform Hashing, Popular Hash Functions, Table-Doubling, Open Addressing: Probing, Uniform Hashing, Universal Hashing, Perfect Hashing [Ottman/Widmayer,

1.25k views • 98 slides
Universal hashing Problem: if h is fixed there are with many collisions Idea of

Universal hashing Problem: if h is fixed there are with many collisions Idea of

Universal hashing Problem: if h is fixed there are with many collisions Idea of universal hashing: Choose hash function h randomly H finite set of hash functions Definition: H is universal, if for arbitrary x , y U : Hence:

759 views • 14 slides
Hash Tables Outline Definition Hash functions Open hashing Closed hashing

Hash Tables Outline Definition Hash functions Open hashing Closed hashing

Hash Tables Outline Definition Hash functions Open hashing Closed hashing collision resolution techniques Efficiency EECS 268 Programming II 1 Overview Implementation style for the Table ADT that is good in a wide

237 views • 20 slides
Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing? Distribute key/value pairs across bins with a hash function , Hashing Performance Hashing (Application of Probability) which maps elements from

497 views • 3 slides
Descents, Peaks, and Shuffles of Permutations and Noncommutative Symmetric Functions Ira M.

Descents, Peaks, and Shuffles of Permutations and Noncommutative Symmetric Functions Ira M.

Descents, Peaks, and Shuffles of Permutations and Noncommutative Symmetric Functions Ira M. Gessel Department of Mathematics Brandeis University Workshop on Quasisymmetric Functions Bannf International Research Station November 17, 2010

983 views • 77 slides
Hashing Algorithms Hash functions Separate Chaining Linear Probing Double Hashing Symbol-Table

Hashing Algorithms Hash functions Separate Chaining Linear Probing Double Hashing Symbol-Table

Hashing Algorithms Hash functions Separate Chaining Linear Probing Double Hashing Symbol-Table ADT Records with keys (priorities) basic operations insert search create generic operations common to many ADTs test if empty

474 views • 13 slides
Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing

Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing

Lecture 8 Hashing I 6.006 Fall 2011 Lecture 8: Hashing I Lecture Overview Dictionaries and Python Motivation Prehashing Hashing Chaining Simple uniform hashing Good hash functions Dictionary Problem Abstract

452 views • 21 slides
Union-Find [10] In the last class Hashing Collision Handling for Hashing Closed

Union-Find [10] In the last class Hashing Collision Handling for Hashing Closed

Algorithm : Design & Analysis Union-Find [10] In the last class Hashing Collision Handling for Hashing Closed Address Hashing Open Address Hashing Hash Functions Array Doubling and Amortized Analysis Union-Find

618 views • 33 slides
Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL Story So far m Enc SC PRG (i.e., a Stream Cipher) for one-time SKE K Mode of operation: msg pseudorandom pad PRF (i.e., a Block Cipher)

426 views • 13 slides
Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL

Symmetric-Key Encryption: One-Way Functions Lecture 6 PRG from One-Way Permutations RECALL Story So far m Enc SC PRG (i.e., a Stream Cipher) for one-time SKE K Mode of operation: msg pseudorandom pad PRF (i.e., a Block Cipher)

251 views • 12 slides
On APN permutations Marco Calderini University of Trento Boolean Functions and their

On APN permutations Marco Calderini University of Trento Boolean Functions and their

On APN permutations Marco Calderini University of Trento Boolean Functions and their Applications July 3-8, 2017 Cryptographic motivations Some cryptographic primitives, as block ciphers, have components called S-boxes. Often an S-box is a

816 views • 37 slides
Machine Learning for NLP Readings in unsupervised Learning Aurlie Herbelot 2018 Centre for

Machine Learning for NLP Readings in unsupervised Learning Aurlie Herbelot 2018 Centre for

Machine Learning for NLP Readings in unsupervised Learning Aurlie Herbelot 2018 Centre for Mind/Brain Sciences University of Trento 1 Hashing 2 Hashing: definition Hashing is the process of converting data of arbitrary size into

845 views • 48 slides
Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo Gunsing, Joan Daemen and Bart Mennink FSE 2020 1 / 15 Block cipher K n n P B C Plaintext P encrypted to ciphertext C with secret key K

632 views • 41 slides
Quantum permutations of two elements Tomasz Maszczyk UNB, June 27, 2014 Tomasz Maszczyk Quantum

Quantum permutations of two elements Tomasz Maszczyk UNB, June 27, 2014 Tomasz Maszczyk Quantum

Quantum permutations of two elements Tomasz Maszczyk UNB, June 27, 2014 Tomasz Maszczyk Quantum permutations of two elements 1. Frobenius algebras Let k be an arbitrary base field. Theorem (Nakayama) The following are equivalent: A =

327 views • 32 slides
Memory-hard functions and tradeoff cryptanalysis with applications to password hashing,

Memory-hard functions and tradeoff cryptanalysis with applications to password hashing,

Memory-hard functions and tradeoff cryptanalysis with applications to password hashing, cryptocurrencies, and white-box cryptography Alex Biryukov Dmitry Khovratovich Johann Groschaedl University of Luxembourg 1 Introduction Passwords

2.82k views • 132 slides
= 6 13 14 15 16 17 18 19 20 1 / 12 Expected Value Definition: The expected value of a

= 6 13 14 15 16 17 18 19 20 1 / 12 Expected Value Definition: The expected value of a

Hashing Todays announcements: PA2 out, due Nov 1, 23:59 MT2 Nov 7, 19:00-21:00 WOOD 2 Todays Plan 0 1 Hashing 2 3 Universal hash functions 4 5 6 12345 7 8 9 10 11 12 = 6 13 14 15 16 17 18 19 20 1 / 12

492 views • 12 slides
Layered permutations and rational generating functions Anders Bjrner Department of Mathematics

Layered permutations and rational generating functions Anders Bjrner Department of Mathematics

Layered permutations and rational generating functions Anders Bjrner Department of Mathematics Kungliga Tekniska Hgskolan S-100 44 Stockholm, SWEDEN and Bruce Sagan Department of Mathematics Michigan State University East Lansing, MI

1.23k views • 84 slides
Discrete Mathematics in Computer Science Permutations Malte Helmert, Gabriele R oger

Discrete Mathematics in Computer Science Permutations Malte Helmert, Gabriele R oger

Discrete Mathematics in Computer Science Permutations Malte Helmert, Gabriele R oger University of Basel Permutations as Functions A permutation rearranges objects. Consider for example sequence o 2 , o 1 , o 3 , o 4 Lets rearrange the

634 views • 48 slides
Non-scalar operators and logarithmic correlation functions for the Potts model in arbitrary

Non-scalar operators and logarithmic correlation functions for the Potts model in arbitrary

Operator in the Potts model Correlation functions and non-scalar operators Log correlation functions Non-scalar operators and logarithmic correlation functions for the Potts model in arbitrary dimension RGP 2016 - IHP Romain Couvreur

173 views • 15 slides
Announcements Exam 2: 03/11, PA2______,HW3______. Today: Characterizing hash functions

Announcements Exam 2: 03/11, PA2______,HW3______. Today: Characterizing hash functions

Announcements Exam 2: 03/11, PA2______,HW3______. Today: Characterizing hash functions Hashing strings Universal hashing Collision resolution 0 A perfect hash function? 1 2 3 4 5 Roll 5 dice: 6 7 8 9 10 11 12 13 14 15 16

379 views • 8 slides
Extreme functions with an arbitrary number of slopes Amitabh Basu Michele Conforti Marco

Extreme functions with an arbitrary number of slopes Amitabh Basu Michele Conforti Marco

Extreme functions with an arbitrary number of slopes Amitabh Basu Michele Conforti Marco Di Summa Joseph Paat Johns Hopkins University Dipartimento di Matematica, Universita degli Studi di Padova, Italy. Aussois 2016

875 views • 61 slides
Hashing (Application of Probability) Ashwinee Panda Final CS 70 Lecture! 9 Aug 2018 Overview

Hashing (Application of Probability) Ashwinee Panda Final CS 70 Lecture! 9 Aug 2018 Overview

Hashing (Application of Probability) Ashwinee Panda Final CS 70 Lecture! 9 Aug 2018 Overview Intro to Hashing Hashing with Chaining Hashing Performance Hash Families Balls and Bins Load Balancing Universal Hashing

726 views • 18 slides

More recommend