


Hash Functions - Bart Preneel June 2016

Hash Functions
Introduction to the Design and Cryptanalysis of Cryptographic Hash Functions
Bart Preneel, KU Leuven - COSIC, firstname.lastname@esat.kuleuven.be
Sibenik, June 2016
(title-slide word cloud: MD2, MD4, MD5, SHA-1, SHA-256, SHA-512, SHA-3, RIPEMD-160, MDC-2, X.509 Annex D)
Figure: "This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision)." → h → 1A3FD4128A198FB3CA345932

Agenda
• Definitions
• Iterations (modes)
• Compression functions
• Constructions
• SHA-3
• Conclusions

Applications
• short unique identifier to a string
  – digital signatures
  – data authentication
• one-way function of a string
  – protection of passwords
  – micro-payments
• confirmation of knowledge/commitment
• pseudo-random string generation/key derivation
• entropy extraction
• construction of MAC algorithms, stream ciphers, block ciphers,…
• 2005: 800 uses of MD5 in Microsoft Windows

Security requirements (n-bit result)
• preimage: given h(x), find x; brute force 2^n
• 2nd preimage: given x, find x' ≠ x with h(x') = h(x); brute force 2^n
• collision: find x ≠ x' with h(x) = h(x'); brute force 2^(n/2)

Preimage resistance
• in a password file, one does not store
  – (username, password)
• but
  – (username, hash(password))
• this is sufficient to verify a password
• an attacker with access to the password file has to find a preimage

Second preimage resistance
• Channel 1: high capacity and insecure
• Channel 2: low capacity but secure (= authenticated – cannot be modified)
• an attacker can modify x but not h(x)
• he can only fool the recipient if he finds a second preimage of x

Collision resistance
• hacker Alice prepares two versions of a software driver for the O/S company Bob
  – x is correct code
  – x' contains a backdoor that gives Alice access to the machine
• Alice submits x for inspection to Bob
• if Bob is satisfied, he digitally signs h(x) with his private key
• Alice now distributes x' to users of the O/S; these users verify the signature with Bob's public key
• this signature works for x and for x', since h(x) = h(x')

Brute force (2nd) preimage
• multiple target second preimage (1 out of many):
  – if one can attack 2^t simultaneous targets, the effort to find a single preimage is 2^(n-t)
• multiple target second preimage (many out of many):
  – time-memory trade-off with Θ(2^n) precomputation and storage Θ(2^(2n/3)); time per (2nd) preimage: Θ(2^(2n/3)) [Hellman'80]
• answer: randomize the hash function with a parameter S (salt, key, spice,…)

Pseudo-random function
• computationally indistinguishable from a random function
• $\mathrm{Adv}^{\mathrm{prf}}_h = \Pr[K \xleftarrow{\$} \mathcal{K} : A^{h_K(\cdot)} \Rightarrow 1] - \Pr[f \xleftarrow{\$} \mathrm{RAND}(m,n) : A^f \Rightarrow 1]$
• RAND(m,n): set of all functions from m-bit to n-bit strings
• this concept only makes sense for a function with a secret key

Brute force attacks in practice
• (2nd) preimage search
  – n = 128: 14 B$ for 1 year if one can attack 2^40 targets in parallel
• parallel collision search: small memory using cycle finding algorithms (distinguished points)
  – n = 128: 1 M$ for 5 hours (or 1 year on 60K PCs)
  – n = 160: 56 M$ for 1 year
  – need 256-bit result for long term security (30 years or more)

Quantum computers
• in principle exponential parallelism
• inverting a one-way function: 2^n reduced to 2^(n/2) [Grover'96]
• collision search: can we do better than 2^(n/2)?
  – 2^(n/3) computation + hardware 2^(2n/3) [Brassard-Hoyer-Tapp'98]
  – [Bernstein'09] classical collision search requires 2^(n/4) computation and hardware (= standard cost of 2^(n/2))
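The password-file slide and the "Brute force (2nd) preimage" slide make one point together: storing (username, hash(password)) forces an attacker to find a preimage, but 2^t stored hashes are 2^t simultaneous targets, so one guess is checked against all of them and the effort drops to 2^(n-t); the salt S is what removes that advantage. The Python below is an added example and is not part of Preneel's slides; it uses a toy 18-bit hash (SHA-256 truncated, an assumption chosen so the brute force finishes in seconds), a constructed password file of 2^8 users, and a constructed guess sequence. It measures how many trials a 1-out-of-many attack needs against the unsalted file versus a single salted hash.

```python
import hashlib
import os

N_BITS = 18                        # toy output size n (assumption); real hashes use n >= 256
MASK = (1 << N_BITS) - 1
N_USERS = 1 << 8                   # 2^t targets with t = 8


def h(data: bytes) -> int:
    """Toy n-bit hash: SHA-256 truncated to N_BITS, so brute force is measurable."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") & MASK


def guess(i: int) -> bytes:
    """Deterministic attacker guess sequence (constructed for the example)."""
    return b"guess-%d" % i


def preimage_any(targets: dict, budget: int):
    """1-out-of-many preimage: each trial is looked up against all 2^t stored hashes,
    so about 2^(n-t) trials hit one of them. Returns (username, preimage, trials)."""
    for i in range(budget):
        g = guess(i)
        v = h(g)
        if v in targets:
            return targets[v], g, i + 1
    return None, None, budget


def preimage_salted(salt: bytes, target: int, budget: int):
    """Preimage of one salted hash: the salt isolates this user, so about 2^n trials."""
    for i in range(budget):
        g = guess(i)
        if h(salt + g) == target:
            return g, i + 1
    return None, budget


def run_demo():
    # Constructed password file; the passwords never occur in the guess sequence,
    # so a hit is a genuine preimage and not a dictionary match.
    passwords = {b"user%d" % i: b"pw-%d" % i for i in range(N_USERS)}

    # (username, h(password)): one table lookup per guess covers every user at once
    unsalted = {h(pw): user for user, pw in passwords.items()}
    user, pre, trials_u = preimage_any(unsalted, 1 << 24)

    # (username, salt, h(salt || password)): the attacker has to pick one user
    # and pay the full 2^n for that user alone
    salts = {user: os.urandom(8) for user in passwords}
    victim = b"user0"
    target = h(salts[victim] + passwords[victim])
    pre_s, trials_s = preimage_salted(salts[victim], target, 1 << 22)

    return {
        "unsalted_user": user, "unsalted_preimage": pre, "unsalted_trials": trials_u,
        "unsalted_stored": h(passwords[user]) if user is not None else None,
        "salt": salts[victim], "salted_preimage": pre_s, "salted_trials": trials_s,
        "salted_stored": target,
    }


if __name__ == "__main__":
    r = run_demo()
    print("unsalted: hit %r after %d trials (expect about 2^%d)"
          % (r["unsalted_user"], r["unsalted_trials"], N_BITS - 8))
    print("salted:   hit user0 after %d trials (expect about 2^%d)"
          % (r["salted_trials"], N_BITS))
```

The unsalted attack typically succeeds after a few hundred guesses because every guess is compared with all 256 hashes at once; the salted attack needs on the order of 2^18 guesses for a single user, which is the 2^t factor the slide describes. With a real n = 256 hash neither search is feasible, but the ratio is the same, which is why password storage always salts (and additionally slows the hash down).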

Properties in practice
• collision resistance is not always necessary
• other properties are needed:
  – PRF: pseudo-randomness if keyed (with secret key)
  – PRO: pseudo-random oracle property
  – near-collision resistance
  – partial preimage resistance (most of input known)
  – multiplication freeness
• how to formalize these requirements and the relation between them?

Iteration (mode of compression function)

How not to construct a hash function
• divide the message into t blocks x_i of n bits each
• h(x) = x_1 ⊕ x_2 ⊕ … ⊕ x_t
• efficient and elegant…. but …

Hash function: iterated structure
• split messages into blocks of fixed length and hash them block by block with a compression function f
• need padding at the end
Figure: IV → f(x_1) → H_1 → f(x_2) → H_2 → f(x_3) → H_3 → f(x_4) → g → h(x)

Security relation between f and h
• iterating f can degrade its security
• trivial example: 2nd preimage: if the IV is not fixed, choose IV = H_1; then x_2 || x_3 || x_4 hashes to the same value as x_1 || x_2 || x_3 || x_4

Security relation between f and h (2)
• solution: Merkle-Damgård (MD) strengthening
  – fix IV, use unambiguous padding and insert length at the end
• f is collision resistant ⇒ h is collision resistant [Merkle'89-Damgård'89]
• f is ideally 2nd preimage resistant ⇒ h is ideally 2nd preimage resistant [Lai-Massey'92]
• many other results

Security relation between f and h (3)
• length extension: if one knows h(x), easy to compute h(x || y) without knowing x or IV
Figure: IV → f(x_1) → H_1 → f(x_2) → H_2 → f(x_3) → H_3 = h(x) → f(y) → H_4 = h(x || y)
• solution: output transformation g applied to the final chaining value

Attacks on MD-type iterations
• long message 2nd preimage attack [Dean-Felten-Hu'99], [Kelsey-Schneier'05]
  – security degrades linearly with the number 2^t of message blocks hashed: 2^(n-t+1) + t·2^(n/2+1)
  – appending the length does not help here!
• multi-collision attack and impact on concatenation [Joux'04]
• herding attack [Kelsey-Kohno'06]
  – reduces security of commitment using a hash function from 2^n
  – on-line 2^(n-t) + precomputation 2·2^((n+t)/2) + storage 2^t

How (NOT) to strengthen a hash function?
• answer: concatenation
• h_1 (n1-bit result) and h_2 (n2-bit result)
• g(x) = h_1(x) || h_2(x)
• intuition: the strength of g against collision/(2nd) preimage attacks is the product of the strength of h_1 and h_2, if both are "independent"
• but….

Multiple collisions ⇒ multi-collision [Coppersmith'85][Joux'04]
Assume an "ideal" hash function h with n-bit result
• Θ(2^(n/2)) evaluations of h (or steps): 1 collision
  – h(x) = h(x')
• Θ(r·2^(n/2)) steps: r^2 collisions
  – h(x_1) = h(x_1'); h(x_2) = h(x_2'); …; h(x_{r^2}) = h(x_{r^2}')
• Θ(2^(2n/3)) steps: a 3-collision
  – h(x) = h(x') = h(x'')
• Θ(2^(n(t-1)/t)) steps: a t-fold collision (multi-collision)
  – h(x_1) = h(x_2) = … = h(x_t)

Multi-collisions [Coppersmith'85][Joux'04]
• finding multi-collisions for an iterated hash function is not much harder than finding a single collision (if the size of the internal memory is n bits)
• algorithm
  – for IV: collision for block 1: x_1, x_1'
  – for H_1: collision for block 2: x_2, x_2'
  – for H_2: collision for block 3: x_3, x_3'
  – for H_3: collision for block 4: x_4, x_4'
• now h(x_1||x_2||x_3||x_4) = h(x_1'||x_2||x_3||x_4) = h(x_1'||x_2'||x_3||x_4) = … = h(x_1'||x_2'||x_3'||x_4')
• a 16-fold collision (time: 4 collisions)

Multi-collisions on iterated hash function (2)
• g(x) = h_1(x) || h_2(x)
• generate an R = 2^(n1/2)-fold multi-collision for h_2
• in R: search by brute force for a collision of h_1
• time: n1·2^(n2/2) + 2^(n1/2) << 2^((n1+n2)/2)
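Two of the slides above, the length-extension property of the plain MD iteration (with an output transformation as the fix) and Joux's block-by-block multi-collision, are both consequences of the same structure: the hash output is the internal chaining value and each block only depends on the previous state. The Python below is an added example and not part of Preneel's slides; it builds a toy Merkle-Damgård hash with MD strengthening whose compression function is truncated SHA-256 with a 24-bit chaining value (an assumption chosen so that a birthday search per block costs about 2^12 calls), then (a) forges h(x || glue || y) from h(x) and len(x) alone and shows the output transformation defeats it, and (b) runs the four-block Joux algorithm to obtain a 16-fold collision for the cost of four ordinary collisions. The sample message is constructed.

```python
import hashlib
from itertools import product

BLOCK = 16            # message block size in bytes (assumption)
STATE = 3             # chaining value / output size in bytes: 24-bit toy, birthday ~ 2^12
IV = b"\x00" * STATE  # fixed IV, as MD strengthening requires


def f(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256(state || block) truncated to STATE bytes."""
    assert len(state) == STATE and len(block) == BLOCK
    return hashlib.sha256(state + block).digest()[:STATE]


def md_padding(total_len: int) -> bytes:
    """Unambiguous MD padding: 0x80, zeros, then the 8-byte big-endian bit length."""
    pad = b"\x80"
    while (total_len + len(pad)) % BLOCK != BLOCK - 8:
        pad += b"\x00"
    return pad + (8 * total_len).to_bytes(8, "big")


def iterate(state: bytes, data: bytes) -> bytes:
    """Run the compression function over block-aligned data from a given chaining value."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = f(state, data[i:i + BLOCK])
    return state


def h(msg: bytes) -> bytes:
    """Plain MD iteration: the output is the last chaining value."""
    return iterate(IV, msg + md_padding(len(msg)))


def h_ot(msg: bytes) -> bytes:
    """MD with an output transformation g: here g(H) = f(H, constant block), so the
    attacker never sees the chaining value needed to continue the iteration."""
    return f(h(msg), b"output-transform")   # exactly BLOCK bytes


def length_extend(tag: bytes, len_x: int, y: bytes):
    """Given only tag = h(x) and len(x), return (glue, h(x || glue || y)).
    glue is the padding the original computation consumed, so x || glue is
    block-aligned and the forged suffix is just more blocks from state tag."""
    glue = md_padding(len_x)
    total = len_x + len(glue) + len(y)
    return glue, iterate(tag, y + md_padding(total))


def extension_works(hash_fn, x: bytes, y: bytes) -> bool:
    """Does continuing from hash_fn(x) reproduce hash_fn(x || glue || y)?"""
    glue, forged = length_extend(hash_fn(x), len(x), y)
    return forged == hash_fn(x + glue + y)


def block_collision(state: bytes):
    """Birthday search for x != x' with f(state, x) == f(state, x'); ~2^(8*STATE/2) calls."""
    seen = {}
    i = 0
    while True:
        x = i.to_bytes(BLOCK, "big")
        v = f(state, x)
        if v in seen:
            return seen[v], x, v
        seen[v] = x
        i += 1


def joux_multicollision(t: int):
    """t successive block collisions, each starting from the chaining value the
    previous one produced, give 2^t equal-length messages with the same hash
    for only t birthday searches (Joux'04)."""
    state, pairs = IV, []
    for _ in range(t):
        x, x2, state = block_collision(state)
        pairs.append((x, x2))
    return [b"".join(choice) for choice in product(*pairs)]


if __name__ == "__main__":
    x, y = b"amount=100&to=alice", b"&to=mallory"   # constructed sample message
    print("length extension on plain MD:", extension_works(h, x, y))
    print("length extension with output transformation:", extension_works(h_ot, x, y))
    msgs = joux_multicollision(4)
    print(len(msgs), "distinct messages,", len({h(m) for m in msgs}), "distinct hash value(s)")
```

The forged tag is valid because the original padding becomes ordinary message bytes (glue) in the extended message; this is the reason h(key || m) is not a secure MAC for MD hashes and why HMAC or a hash with an output transformation (SHA-512/256, SHA-3) is used instead. In the multi-collision, all 2^t messages have the same length, so they share the final padding block, and each pair collides on the chaining value rather than on the output, which is exactly what defeats the "concatenation multiplies strength" intuition on the following slide.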
