
ECRYPT, Emerging Topics in Cryptographic Design and Cryptanalysis, 30 April - 4 May 2007, Samos, Greece
Bart Preneel, Generic Constructions for Iterated Hash Functions


  1. Generic Constructions for Iterated Hash Functions
     Bart Preneel
     COSIC – Kath. Univ. Leuven, Belgium & ABT Crypto
     bart.preneel(AT)esat.kuleuven.be
     April 2007

     Outline
     • definitions
     • applications
     • generic attacks
     • attacks on iterated constructions
     • attacks on custom designed hash functions: MD5, SHA, SHA-1
     • alternative constructions
     • pseudo-randomness
     • conclusions

     Hash functions
     • MDC (manipulation detection code)
     • Protect short hash value rather than long text
     • (MDC-2)
     • (MD5)
     • (SHA-1)
     • RIPEMD-160
     • SHA-256, SHA-512
     [figure: the text below is fed to h, which outputs 1A3FD4128A198FB3CA345932]
     "This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision)."

     Hash function flavours
     [figure: diagram with the labels "cryptographic hash function", MAC, MDC, OWHF, CRHF, UOWHF (TCR), and the marker "this talk"]

     Informal definitions (1)
     • no secret parameters
     • input string x of arbitrary length ⇒ output h(x) of fixed bitlength n
     • computation "easy"
     • One Way Hash Function (OWHF)
       — preimage resistance
       — 2nd preimage resistance
     • Collision Resistant Hash Function (CRHF): OWHF +
       — collision resistant

     Security requirements (n-bit result)
     [figure: three panels showing inputs x and ?, the function h, and outputs h(x) and h(x')]
     • preimage: $2^n$
     • 2nd preimage: $2^n$
     • collision: $2^{n/2}$

  2. Informal definitions (2)
     • preimage resistant ⇏ 2nd preimage resistant
       — take a preimage resistant hash function; add an input bit b and replace one input bit by the sum modulo 2 of this input bit and b
       [figure: h applied to $x_0 \ldots x_{m-2}, x_{m-1}$ next to h applied to $x_0 \ldots x_{m-2}, x_{m-1} \oplus x_m$]
     • 2nd preimage resistant ⇏ preimage resistant
       — if h is OWHF, $\bar{h}$ is 2nd preimage resistant but not preimage resistant:
         $\bar{h}(x) = 0 \,\|\, x$ if $|x| \le n$
         $\bar{h}(x) = 1 \,\|\, h(x)$ otherwise
     • collision resistant ⇒ 2nd preimage resistant
     • [Simon 98] one cannot derive collision resistance from "general" preimage resistance (there exists no black box reduction)

     Formal definition: (2nd) preimage resistance
     Notation: $\Sigma = \{0,1\}$, $l(n) > n$
     A one-way hash function (OWHF) H is a function with domain $D = \Sigma^{l(n)}$ and range $R = \Sigma^{n}$ that satisfies the following conditions:
     • preimage resistance: let x be selected uniformly in D and let M be an adversary that on input h(x) uses time ≤ t and outputs M(h(x)) ∈ D. For each adversary M,
       $\Pr_{x \in D}\{\, h(M(h(x))) = h(x) \,\} < \varepsilon$
       Here the probability is also taken over the random choices of M.
     • 2nd preimage resistance: let x be selected uniformly in $D = \Sigma^{l(n)}$ and let M' be an adversary who on input x uses time ≤ t and outputs x' ∈ D with x' ≠ x. For each adversary M',
       $\Pr_{x \in D}\{\, h(M'(x)) = h(x) \,\} < \varepsilon$
       Here the probability is taken over the random choices of M'.

     Formal definitions: collision resistance
     A collision-resistant hash function (CRHF) H is a function family $\{h_S\}$ with domain $D = \Sigma^{l(n)}$ and range $R = \Sigma^{n}$ that satisfies the following conditions:
     • the functions $h_S$ are preimage resistant and second preimage resistant
     • collision resistance: let F be a collision string finder that on input $S \in \Sigma^{s}$ uses time ≤ t and outputs either "?" or a pair $x, x' \in \Sigma^{l(n)}$ with x' ≠ x such that $h_S(x') = h_S(x)$. For each F,
       $\Pr_{S}\{\, F(H) \ne \text{"?"} \,\} < \varepsilon$
       Here the probability is also taken over the random choices of F.

     Formal definitions - continued
     • For collision resistance: considering a family of hash functions indexed by a parameter ("key") is essential for formalization (but see Rogaway '06: "formalizing human ignorance")
     • For (2nd) preimage resistance, one can choose the challenge (x) and/or the key that selects the function.
     • This gives three flavours [Rogaway-Shrimpton'04]
       — random challenge, random key (Pre and Sec)
       — random key, fixed challenge (ePre and eSec - everywhere) (eSec=UOWHF)
       — fixed key, random challenge (aPre and aSec - always)
     • Complex relationship (see figure on next slide).

     Relation between formal definitions [Rogaway-Shrimpton'04]
     [figure]

     Applications
     • digital signatures: OWHF/CRHF, 'destroy algebraic structure'
     • information authentication: protect authenticity of hash result
     • protection of passwords: preimage resistant
     • confirmation of knowledge/commitment: OWHF/CRHF
     • pseudo-random string generation/key derivation
     • micropayments (e.g., micromint)
     • construction of MACs, stream ciphers, block ciphers
     • (redundancy: hash result appended to data before encryption)
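The two separations on the "Informal definitions (2)" slide, written out as an added example that is not part of the original slides. It assumes SHA-256 as the underlying h and works on bytes instead of bits; `g`, `h_bar` and the helper names are illustrative.

```python
import hashlib

N = 32  # n measured in bytes; SHA-256 stands in for the n-bit h (assumption)

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

# Separation 1: g stays preimage resistant, but second preimages are free.
# g XORs the last two input symbols before hashing (bytes here, bits on the slide).
def g(x: bytes) -> bytes:
    if len(x) < 2:
        raise ValueError("g needs at least two input bytes")
    return h(x[:-2] + bytes([x[-2] ^ x[-1]]))

def g_second_preimage(x: bytes) -> bytes:
    # Flipping the same bit in both symbols leaves their XOR, and so g(x), unchanged.
    return x[:-2] + bytes([x[-2] ^ 1, x[-1] ^ 1])

def g_preimage_to_h_preimage(x: bytes) -> bytes:
    # Reduction: whoever inverts g has also inverted h.
    return x[:-2] + bytes([x[-2] ^ x[-1]])

# Separation 2: h_bar is second preimage resistant but not preimage resistant.
def h_bar(x: bytes) -> bytes:
    # Short inputs are copied out behind a 0 tag, long ones hashed behind a 1 tag.
    # The tags keep the branches apart and the 0 branch is injective, so any
    # second preimage for h_bar is a second preimage for h on a long input.
    # (Output length varies on the short branch; the slide leaves padding implicit.)
    return b"\x00" + x if len(x) <= N else b"\x01" + h(x)

def h_bar_invert(y: bytes):
    # The 0 branch leaks its input, so those digests invert in constant time.
    return y[1:] if y[:1] == b"\x00" else None

if __name__ == "__main__":
    x = b"transfer 100 EUR to account 42"  # constructed sample input
    x2 = g_second_preimage(x)
    print("distinct inputs:", x2 != x, "same digest:", g(x2) == g(x))
    print("recovered from h_bar:", h_bar_invert(h_bar(b"short secret")))
```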

  3. Applications (2)
     • Collision resistance is not always necessary
     • Other properties are needed:
       — pseudo-randomness if keyed (with secret key)
       — near-collision resistance
       — partial preimage resistance
       — multiplication freeness
       — random oracle property
     • how to formalize these requirements and the relation between them?

     Brute force (2nd) preimage
     • If one can attack $2^t$ simultaneous targets, the effort to find a single preimage is $2^{n-t}$
       — note for t = n/2 this is $2^{n/2}$
     • [Hellman80] if one has to find (second) preimages for many targets, one can use a time-memory trade-off with $\Theta(2^n)$ precomputation and storage $\Theta(2^{2n/3})$
       — inversion of one message in time $\Theta(2^{2n/3})$
     • [Wiener02] if $\Theta(2^{3n/5})$ targets are attacked, the full cost per (2nd) preimage decreases from $\Theta(2^n)$ to $\Theta(2^{2n/5})$
     • answer: randomize hash function
       — salt, spice, "key": parameter to index family of functions

     Birthday paradox for collisions
     • Given a set with S elements
     • Choose r elements at random (with replacements) with $r \ll S$
     • The probability p that there are at least 2 equal elements (a collision) is $1 - \exp\left(-\frac{r(r-1)}{2S}\right)$
     • The number of collisions follows a Poisson distribution with $\lambda = \frac{r(r-1)}{2S}$
       — The expected number of collisions is equal to $\lambda$
       — The probability to have c collisions is $e^{-\lambda} \lambda^{c} / c!$
     • S large, $r = \sqrt{S}$, p = 0.39
     • S = 365, r = 23, p = 0.50

     The birthday paradox (2)
     • How hard is it to find a collision for a hash function with an n-bit result?
     • $2^{n/2}$ evaluations of the hash function
     • Indeed, the number of pairs of outputs = $\frac{1}{2} \cdot 2^{n/2} \cdot 2^{n/2}$
     • conclusion: n ≥ 256 or more for long-term security

     The birthday paradox (3) - proof
     $q = 1 - p = 1 \cdot \frac{S-1}{S} \cdot \frac{S-2}{S} \cdots \frac{S-(r-1)}{S}$ (r terms)
     or $q = \prod_{k=1}^{r-1} \frac{S-k}{S}$
     $\ln q = \sum_{k=1}^{r-1} \ln\left(1 - \frac{k}{S}\right) \cong \sum_{k=1}^{r-1} -\frac{k}{S} = -\frac{r(r-1)}{2S}$
     Taylor: if $x \ll 1$: $\ln(1-x) \cong -x$
     summation: $\sum_{k=1}^{r-1} k = \frac{r(r-1)}{2}$
     • hence $p = 1 - q = 1 - \exp\left(-\frac{r(r-1)}{2S}\right)$

     Brute force collision search
     • Consider the functional graph of f
     [figure: x mapped by f to f(x), with a collision marked]
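The birthday slides checked numerically, as an added example that is not part of the original slides: the exact product from the proof against the closed form, then a brute-force collision search whose cost is compared with 2^(n/2). The n-bit hash is assumed to be SHA-256 truncated to its top n bits, and all function names are illustrative.

```python
import hashlib
import math

def p_exact(S: int, r: int) -> float:
    """p = 1 - q with q = prod_{k=1}^{r-1} (S-k)/S, the product from the proof slide."""
    q = 1.0
    for k in range(1, r):
        q *= (S - k) / S
    return 1.0 - q

def p_approx(S: int, r: int) -> float:
    """The slide's closed form p = 1 - exp(-r(r-1)/2S), valid for r << S."""
    return 1.0 - math.exp(-r * (r - 1) / (2 * S))

def poisson_collisions(S: int, r: int, c: int) -> float:
    """Probability of exactly c collisions: e^-lambda * lambda^c / c!."""
    lam = r * (r - 1) / (2 * S)
    return math.exp(-lam) * lam ** c / math.factorial(c)

def truncated_hash(msg: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256: a toy n-bit hash (assumption, not from the slides)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n_bits)

def collision_search(n_bits: int, prefix: bytes = b"msg-"):
    """Hash distinct messages until two digests match; returns (m1, m2, evaluations)."""
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        digest = truncated_hash(msg, n_bits)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg
        i += 1

def mean_evaluations(n_bits: int, runs: int) -> float:
    """Average work over independent runs; the slides predict about 2^(n/2)."""
    return sum(collision_search(n_bits, b"run%d-" % t)[2] for t in range(runs)) / runs

if __name__ == "__main__":
    print(f"S=365, r=23: exact {p_exact(365, 23):.4f}, approx {p_approx(365, 23):.4f}")
    print(f"S=2^32, r=2^16: approx {p_approx(2**32, 2**16):.4f}")
    for n in (16, 20, 24):
        print(f"n={n}: mean {mean_evaluations(n, 50):.0f} evaluations, 2^(n/2) = {2**(n//2)}")
```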
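The multi-target bound and the "randomize hash function" answer from the "Brute force (2nd) preimage" slide, measured on a toy 14-bit hash. This is an added example, not part of the original slides; the truncated SHA-256, the salt length, the seed and all names are assumptions chosen so the search finishes quickly.

```python
import hashlib
import random

N_BITS = 14  # toy digest size so the search finishes quickly (assumption)

def h(data: bytes) -> int:
    """Top N_BITS of SHA-256, standing in for an n-bit hash function."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - N_BITS)

def make_targets(t_bits: int, rng: random.Random, salted: bool):
    """2^t digests of random 128-bit inputs, each with its own salt if salted."""
    targets = []
    for _ in range(2 ** t_bits):
        salt = rng.getrandbits(64).to_bytes(8, "big") if salted else b""
        secret = rng.getrandbits(128).to_bytes(16, "big")
        targets.append((salt, h(salt + secret)))
    return targets

def evaluations_until_hit(targets, salted: bool) -> int:
    """Count hash evaluations until any one target has a preimage."""
    wanted = {digest for _, digest in targets}
    evals = 0
    i = 0
    while True:
        guess = b"guess-%d" % i
        if not salted:
            evals += 1                      # one evaluation tests every target
            if h(guess) in wanted:
                return evals
        else:
            for salt, digest in targets:    # one evaluation tests one target
                evals += 1
                if h(salt + guess) == digest:
                    return evals
        i += 1

def mean_effort(t_bits: int, salted: bool, runs: int = 20, seed: int = 2007) -> float:
    """Average evaluations per first hit over several constructed target sets."""
    rng = random.Random(seed)
    total = sum(evaluations_until_hit(make_targets(t_bits, rng, salted), salted)
                for _ in range(runs))
    return total / runs

if __name__ == "__main__":
    t = 5
    print(f"unsalted: {mean_effort(t, False):.0f} evaluations, 2^(n-t) = {2 ** (N_BITS - t)}")
    print(f"salted:   {mean_effort(t, True):.0f} evaluations, 2^n = {2 ** N_BITS}")
```

Without a salt, one evaluation is compared against all 2^t digests at once, which is where the 2^(n-t) figure comes from; with a distinct salt per target, every evaluation serves a single target and the effort returns to roughly 2^n.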
