SHA Hash Functions: History & Current State

Page 1: SHA Hash Functions: History & Current State

Helsinki Institute for Information Technology, November 03, 2009.

Sergey Panasenko, independent information security consultant, Moscow, Russia.

[email protected] www.panasenko.ru

Page 2: Contents

1. Hash functions cryptanalysis review.
2. SHA (SHA-0) & SHA-1.
3. SHA-2.
4. SHA-3 project.

Page 3: Section 1. Hash functions cryptanalysis review

• typical hash function structure;
• goals of hash functions cryptanalysis;
• cryptanalysis methods.

Page 4: Typical hash function structure

Merkle-Damgård construction:

(figure) IV → fb(·, M_0) → fb(·, M_1) → … → fb(·, M_N) → H_N

Each call of the compression function fb takes the previous chaining value (IV for the first block) and one message block M_i; the last chaining value H_N is the output.

Page 5: Primary goals of hash functions cryptanalysis

Collision: m1 and m2 with the same hash:

h = hash(m1) = hash(m2)

Multicollision: several messages with the same hash.

Theoretical time consumption: 2^(n/2) operations for an n-bit hash function.

Page 6: Primary goals of hash functions cryptanalysis

First preimage: such m that for given h:

hash(m) = h

Second preimage: such m2 that for given m1:

hash(m2) = hash(m1)

Theoretical time consumption: 2^n operations for an n-bit hash function.

Page 7: Primary goals of hash functions cryptanalysis

Secret key determination – for keyed hash functions or hash functions in keyed mode.

Theoretical time consumption: 2^k operations for a k-bit key.

Page 8: Secondary goals of hash functions cryptanalysis

Near-collision: m1 and m2 with hash values that differ in several bits only:

hash(m1) ≈ hash(m2)

Pseudo-collision: m1 and m2 with the same hash but with different initial values:

hash(m1, IV1) = hash(m2, IV2)

Theoretical time consumption: 2^(n/2) operations for an n-bit hash function.

Page 9: Secondary goals of hash functions cryptanalysis

Pseudo-preimage: such m that for given h:

hash(IV, m) = h

where IV is a non-standard initial value.

Theoretical time consumption: 2^n operations for an n-bit hash function.

Page 10: Attacks on hash functions. Brute-force attacks

• Step-by-step searching over the target space.
• They define the theoretical time consumption of any goal.
• Can be used for finding collisions, preimages or secret keys.
• Highly parallelizable.
• Can be accelerated greatly by specific hardware.
• Can be used in the context of other attacks.
• They define suitable hash or key sizes.

Page 11: Attacks on hash functions. Dictionary attacks

• A kind of brute-force attack on a reduced target space (e.g. the words of some dictionary).
• Typical application: finding a password for a given hash value.
• Offline work – precomputing a table for searching the required password.

Page 12: Attacks on hash functions. Dictionary attacks

The simplest case of tables: one hash for every password.

(figure) password → hash:

abaca    → 5d12fdca
aback    → 0a23647f
abaction → ca56ff12
...
zygoma   → 7dd412a4

Page 13: Attacks on hash functions. Dictionary attacks

Hash chains – reducing the memory (Martin Hellman, 1980):

p1 → h1 → p2 → h2 → … → pN → hN

(figure) Example chains; the arrows alternate between hash (password → hash value) and R (hash value → next password):

abaca → 5d12fdca → couple  → f87df65a → sands   → 788a2c5d → …
trend → 6fade4ac → come    → 1abb67a1 → reach   → df34a456 → …
mary  → 67a97688 → further → a3429904 → etc     → a63dd12a → …
peace → 4fd769a3 → afford  → a9112a3c → shorten → c8a913cf → …

Page 14: Attacks on hash functions. Dictionary attacks

Hash chains – collision example:

(figure) two chains, hash and R alternating:

… → afford → a9112a3c → yellow → 3287acfe → reviewer → d51a900a → …
… → peace  → 4fd769a3 → afford → a9112a3c → yellow   → 3287acfe → …

R maps 4fd769a3 to afford, which already occurs in the first chain one column earlier; from that point on the two chains coincide.

Page 15: Attacks on hash functions. Dictionary attacks

Strengthening hash chains:

• Several tables with different R-functions.
• Variable length chains.

(figure) Variable-length chains: each chain is continued until a hash value of a special form (here, one starting with 0000) is reached:

spoke  → 000012ca
length → 6acf499a → pipe     → 752a65fd → john → 000056df
ode    → a97688cd → medicine → 0000a342

Page 16: Attacks on hash functions. Dictionary attacks. Rainbow tables

Several R-functions R1 … R(N-1), one for every column of chains:

• cyclic chains are impossible;
• collisions lead to chain coincidence only when they occur in the same column – that can be detected.

(figure) Example, with R1, R2, R3 applied in successive columns:

abaca → 5d12fdca → R1 → couple  → f87df65a → R2 → texas  → 77f9ac1a → R3 → …
trend → 6fade4ac → R1 → come    → 1abb67a1 → R2 → school → d7c907f1 → R3 → …
mary  → 67a97688 → R1 → further → a3429904 → R2 → blow   → 93aa1cbd → R3 → …
peace → 4fd769a3 → R1 → afford  → a9112a3c → R2 → come   → 1abb67a1 → R3 → …

"come" (hash 1abb67a1) appears in the second chain in column 2 and in the fourth chain in column 3; since different R-functions follow it, the chains do not merge.

Page 17: Attacks on hash functions. Dictionary attacks. Rainbow tables

Invented by Philippe Oechslin in 2003.

Can be further strengthened by combining with variable-length chains.

Are in active use for cracking real systems:

• http://project-rainbowcrack.com;
• http://lasecwww.epfl.ch;
• http://www.freerainbowtables.com.

Page 18: Attacks on hash functions. Dictionary attacks. Rainbow tables

Countermeasures:

• Salt – randomizing hashing;
• Increasing time to hash – e.g. multiple hashing.

Example: Niels Provos & David Mazières (1999) – bcrypt hash function. Uses salt & cost variables. Cost defines the number of internal block cipher key extension rounds:

2^(cost+1) + 1
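Added example (my own code, not from the slides): a toy rainbow table over a constructed 3-letter password space, built with the per-column reduction functions of page 16, queried the way pages 13–14 describe, and then defeated by the salt countermeasure from this page. H, R, build_table, lookup, the chain parameters and the salt value are assumptions of this example.

```python
import hashlib
import random
import string

# Constructed toy target space: all 3-letter lowercase "passwords" (26^3 = 17,576 values).
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 100      # every chain alternates hash and R exactly CHAIN_LEN times


def H(pw: str) -> bytes:
    """The hash the table is built for: plain, unsalted SHA-1 of the password."""
    return hashlib.sha1(pw.encode()).digest()


def R(h: bytes, column: int) -> str:
    """Reduction function R_column: map a hash value back into the password space.
    Mixing in the column index gives a different R per column (rainbow table);
    replacing `column` by a constant gives Hellman's single-R chains of page 13."""
    n = (int.from_bytes(h[:8], "big") + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_table(n_chains: int, seed: int = 0) -> dict:
    """Precompute chains; only (end point -> start points) is stored."""
    rng = random.Random(seed)
    table = {}
    for _ in range(n_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        pw = start
        for col in range(CHAIN_LEN):
            pw = R(H(pw), col)
        # Chains sharing an end point merged in some column; keep every start.
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Recover a password from its hash using only the stored end points."""
    # Assume the target sits in column j, finish the chain from there and
    # check whether its end point is in the table.
    for j in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, j)
        for col in range(j + 1, CHAIN_LEN):
            pw = R(H(pw), col)
        for start in table.get(pw, []):
            # Regenerate the candidate chain from its start to find the preimage.
            cand = start
            for col in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), col)
    return None


def salted_hash(pw: str, salt: bytes) -> bytes:
    """Countermeasure from the slide: the salt randomizes hashing, so a table
    precomputed for H() no longer applies."""
    return hashlib.sha1(salt + pw.encode()).digest()


def demo(seed: int = 0) -> dict:
    table = build_table(600, seed)
    # The start of the first chain is certainly covered by the table.
    password = next(iter(table.values()))[0]
    salt = bytes.fromhex("9e1c4a77")          # constructed per-user salt
    return {
        "password": password,
        "unsalted_hit": lookup(table, H(password)),
        "salted_hit": lookup(table, salted_hash(password, salt)),
        "stored_end_points": len(table),
    }


if __name__ == "__main__":
    print(demo())
```

The salted lookup fails because the table was precomputed for a different function; with a per-user salt an attacker would need one table per salt value, which is the point of the countermeasure.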

Page 19: Attacks on hash functions. Birthday paradox

"Square root attack": O(√N) tries are required to find a coincidence (the same element twice) when drawing from an array with N elements.

Application to hash functions (Gideon Yuval, 1979):

• An adversary prepares r variants of a fraudulent document f and r variants of the original document m.
• He searches among these variants for such m_x and f_y that hash(m_x) = hash(f_y).
• The user signs m_x, but his signature is also correct when verifying it for f_y.

Page 20: Attacks on hash functions. Collision search

Another variant of hash chains:

m_i → hash(m_i) → hash(hash(m_i)) → …

All hash values are compared with previous values and with the values of other chains.

Disadvantage: huge memory requirements.

Jean-Jacques Quisquater, Jean-Paul Delescaille, 1987: store distinguished points only. Their coincidence signals a found collision. Low memory requirements.

Page 21: Attacks on hash functions. Collision search

Michael Wiener and Paul van Oorschot, 1994: parallel collision search with specific values:

(figure: several trails, each started from an initial value and run until it reaches a distinguished point; legend: initial values, distinguished points)

Page 22: Attacks on hash functions. Birthday paradox & collision search

• Mihir Bellare and Tadayoshi Kohno, 2004: "amount of regularity" of hash functions – how regular the distribution of output values is. The less regular, the easier it is to find a collision.
• Bart Preneel, 2003: hash value size analysis. 160 bits are enough for at least 20 years.
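Added example (my own code, not from the slides): the distinguished-point collision search of pages 20–21 run on a constructed 32-bit toy hash (SHA-1 truncated to 4 bytes), so the 2^(n/2) = 2^16 birthday cost from page 5 is reached in well under a second while only the distinguished points are kept in memory. The names h, walk_trail, locate_collision, find_collision and the distinguishing property (low byte equal to zero) are my own choices.

```python
import hashlib
import random

N_BYTES = 4            # toy n = 32-bit hash: birthday bound is about 2^16 evaluations
DP_LOW_BITS = 8        # a point is "distinguished" when its low 8 bits are zero


def h(x: bytes) -> bytes:
    """Constructed toy hash: SHA-1 truncated to N_BYTES. Its output is fed back
    as the next input, which is the chain m_i -> hash(m_i) -> hash(hash(m_i)) ..."""
    return hashlib.sha1(x).digest()[:N_BYTES]


def is_distinguished(x: bytes) -> bool:
    return (x[-1] & ((1 << DP_LOW_BITS) - 1)) == 0


def walk_trail(start: bytes, max_len: int):
    """Iterate x -> h(x) until a distinguished point. Returns (dp, steps) with
    dp = h^steps(start), or None if the trail cycles without reaching one."""
    x = start
    for steps in range(1, max_len + 1):
        x = h(x)
        if is_distinguished(x):
            return x, steps
    return None


def locate_collision(s1: bytes, n1: int, s2: bytes, n2: int):
    """Two trails reached the same distinguished point after n1 and n2 steps.
    Bring them to equal distance from it, then step both together: the last
    distinct pair before the trails merge is a collision of h."""
    if n1 < n2:
        s1, n1, s2, n2 = s2, n2, s1, n1
    x, y = s1, s2
    for _ in range(n1 - n2):
        x = h(x)
    if x == y:
        return None          # one trail merely continues the other: nothing new
    for _ in range(n2):
        hx, hy = h(x), h(y)
        if hx == hy:
            return x, y
        x, y = hx, hy
    return None


def find_collision(seed: int = 1):
    """Run trails from random initial values, storing only dp -> (start, steps).
    Returns (x, y, hash evaluations used, distinguished points stored)."""
    rng = random.Random(seed)
    seen = {}
    evaluations = 0
    max_len = 20 << DP_LOW_BITS       # expected trail length is 2^DP_LOW_BITS
    while True:
        start = rng.getrandbits(8 * N_BYTES).to_bytes(N_BYTES, "big")
        trail = walk_trail(start, max_len)
        if trail is None:
            evaluations += max_len
            continue
        dp, steps = trail
        evaluations += steps
        if dp not in seen:
            seen[dp] = (start, steps)
            continue
        prev_start, prev_steps = seen[dp]
        pair = locate_collision(prev_start, prev_steps, start, steps)
        if pair is not None:
            return pair[0], pair[1], evaluations, len(seen)


if __name__ == "__main__":
    x, y, evals, stored = find_collision()
    print(x.hex(), y.hex(), h(x).hex(), "evaluations:", evals, "stored:", stored)
```

The stored count is roughly the evaluations divided by 2^DP_LOW_BITS, which is the memory saving the slides attribute to distinguished points.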

Page 23: Attacks on hash functions. Differential cryptanalysis

Florent Chabaud & Antoine Joux, 1998: SHI1 algorithm:

(figure: one SHI1 iteration on registers a, b, c, d, e – a <<< 5, e, K_i and W_i are added; b is rotated <<< 30. Unlike the SHA compression function on page 47, the iteration contains no non-linear f_i.)

Page 24: Attacks on hash functions. Differential cryptanalysis

(figure: the same SHI1 iteration with a single-bit difference injected; notation "i+1:6" = iteration number : number (position) of the differing bit, corrected bits are in bold font)

The difference in bit 1 at iteration i moves through the registers as: i:1, i+1:6, i+2:1, i+3:31, i+4:31, i+5:31.

Page 25: Attacks on hash functions. Differential cryptanalysis

Result: propagation of the difference is cancelled by the corrected bits. After 6 iterations the difference is 0.

This is a 6-round local collision: two messages differ in 6 bits (after expansion) but lead to the same hash value.

Next step: construct messages which expand with the required difference.

Attackers use a disturbance vector – a table which shows which bits of the messages must differ to achieve the collision.

Page 26: Attacks on hash functions. Differential cryptanalysis

F. Chabaud & A. Joux:

SHI1 – SHI2 – SHI3 – SHA

Step-by-step inclusion of the non-linear operations into the iterations.

From deterministic to probabilistic constructions: the same principles of attack can be applied to the real SHA algorithm.

Page 27: Attacks on hash functions. Boomerang attack

Invented by David Wagner for block ciphers in 1999.

Applied to hash functions (SHA & SHA-1) by Antoine Joux and Thomas Peyrin, 2007.

The boomerang attack uses one or more auxiliary differences besides the main difference. This significantly improves the probability of finding collisions.

Page 28: Attacks on hash functions. Boomerang attack

(figure: boomerang quartet – inputs P, P', Q, Q' with outputs C, C', D, D'; the pairs are connected by main differences and auxiliary differences)

Page 29: Attacks on hash functions. Algebraic cryptanalysis

Uses algebraic properties of an algorithm.

Successfully applied to block ciphers (e.g. the works of Nicolas Courtois against AES).

Can be used in the context of other attacks.

Example: Makoto Sugita, Mitsuru Kawazoe, Hideki Imai (2006) attacked reduced-round SHA-1 by algebraic and differential cryptanalysis combined.

Page 30: Attacks on hash functions. Message modification

Xiaoyun Wang, Hongbo Yu, 2005: step-by-step modification of the message to meet the criteria for differential cryptanalysis.

The message modification technique speeds up the collision search by fulfilling the required criteria for the internal variables.

Page 31: Attacks on hash functions. Meet-in-the-middle attack

Can be applied when a function can be represented as two subfunctions:

IV → hash1(M1) → hash2(M2) → H

and if the second subfunction is invertible.

Page 32: Attacks on hash functions. Meet-in-the-middle attack

Finding a preimage for a hash value H:

1. Compute hash1() for variants of the first half of messages (and store them in a table):

T_x = hash1(M1_x, IV).

2. Compute the inverted hash2() for variants of the second half of messages:

T_y = hash2^(-1)(M2_y, H).

3. Search for equal T_x and T_y.

Page 33: Attacks on hash functions. Correcting blocks

Allows finding preimages or collisions. Example for collisions:

1. Select arbitrary messages M and M*.
2. Find such correcting blocks X and X* that:

hash(M || X) = hash(M* || X*).

Page 34: Attacks on hash functions. Fixed points

A fixed point occurs when it is possible to find such a message block M_i that:

hash(M) = hash(M || M_i),

i.e. the intermediate hash value remains the same after processing the block M_i.

Can be used for finding collisions.

Page 35: Attacks on hash functions. Block-level manipulations

• inserting,
• removing,
• permutation,
• substitution

of message blocks without affecting the hash value.

Page 36: Attacks on hash functions. Two-block collisions

Eli Biham et al., 2004:

(figure) h0 → [M1 / M1*] → h1, h1* (near-collision) → [M2 / M2*] → h2 (collision)

The first block pair M1, M1* produces a near-collision of the intermediate values h1 and h1*; the second block pair M2, M2* turns it into a full collision h2.

Page 37: Attacks on hash functions. Multi-block collisions

(figure) h0 → [M1 / M1*] → h1, h1* (near-collision) → [M2 / M2*] → h2, h2* (near-collision) → … → h(k-1), h(k-1)* (near-collision) → [Mk / Mk*] → hk (collision)

Page 38: Attacks on hash functions. Specific attacks on block cipher based hash functions

Allow finding collisions based on some weaknesses of the underlying block cipher:

• weak keys,
• equivalent keys,
• groups of keys,
• related-key attacks.

Page 39: Attacks on hash functions. Side-channel attacks

This group of attacks was introduced by Paul Kocher, 1996.

Passive side-channel attacks (an adversary only reads side-channel information):

• Electromagnetic attacks.
• Power attacks (simple & differential).
• Timing attacks.
• Error-message attacks.

Page 40: Attacks on hash functions. Side-channel attacks

Active side-channel attacks (an adversary influences the hash function implementation):

• Optical, radiation or heating attacks.
• Spike & glitch attacks.
• Fault attacks (simple and differential).
• Hardware modification.

Page 41: Attacks on hash functions. Side-channel attacks

Countermeasures:

• Constant time consumption of operations.
• Inserting random delays, noise, random variables etc., redundant computations.
• Error messages without extra information.
• Doubling calculations and comparing their results.
• Shielding.
• Detection of external actions.

Page 42: Attacks on hash functions. Other cryptanalytic methods

• Using neutral bits (Eli Biham & Rafi Chen, 2004) – such bits of a message which do not influence the final or intermediate results during some rounds.
• Attacks that use specifics of hash function implementations in network protocols, signature schemes etc.
• Length-extension attack – appending some data to the end of a message to find a collision.

Page 43: Section 2. SHA & SHA-1

• SHA structure;
• SHA-1 structure;
• SHA cryptanalysis;
• SHA-1 cryptanalysis.

Page 44: SHA. Overview

Secure Hash Algorithm.

Invented by the U.S. National Security Agency in 1992.

U.S. hashing standard in 1993-1995 (FIPS 180).

Must be used by U.S. Ministries and Agencies for hashing non-classified information. Recommended for commercial organizations.

Renamed to SHA-0 after the invention of SHA-1.

Page 45: SHA. High-level structure

160-bit hash value.

Input data size – from 0 to (2^64 - 1) bits.

Merkle-Damgård construction with 512-bit data blocks.

The last block is always padded by:

• a "1" bit;
• zero bits when required;
• the 64-bit input data length in bits.

Page 46: SHA. Message block expansion

1. The 512-bit block is represented as 32-bit words W_0 … W_15.
2. The following 32-bit words W_16 … W_79 are calculated:

W_n = W_(n-3) ⊕ W_(n-8) ⊕ W_(n-14) ⊕ W_(n-16).

(figure: … W_(n-16), W_(n-15), W_(n-14), … W_(n-8), … W_(n-3), W_(n-2), W_(n-1), W_n; the four words W_(n-16), W_(n-14), W_(n-8) and W_(n-3) are XORed to give W_n)

Page 47: SHA. Compression function

80 iterations:

(figure: one iteration on registers a, b, c, d, e – a <<< 5, f_i(b, c, d), e, K_i and W_i are added; b is rotated <<< 30)

Page 48: SHA. Compression function

f_i functions:

f(x, y, z) = (x & y) | (~x & z), i = 0…19;
f(x, y, z) = x ⊕ y ⊕ z, i = 20…39, 60…79;
f(x, y, z) = (x & y) | (x & z) | (y & z), i = 40…59.

Page 49: SHA. Chaining and finalization

Intermediate hash values: 32-bit registers A … E.

Chaining by addition modulo 2^32:

A = A + a;
B = B + b, etc.

No finalization is performed: the output hash value is the concatenation of A … E after processing all message blocks.

Page 50: SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information.

SHA-1SHA-1

U.S. hashing standard since 1995 (FIPS 180-1, U.S. hashing standard since 1995 (FIPS 180-1, FIPS 180-2).FIPS 180-2).

Will be withdrawn (for some applications) in Will be withdrawn (for some applications) in 2010.2010.

All procedures are the same as in SHA algorithm, All procedures are the same as in SHA algorithm, except the message block expansion.except the message block expansion.

Overview & high-level structureOverview & high-level structure

Page 51: SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information.

SHA-1SHA-1

SHA-1 message block expansion:SHA-1 message block expansion:

WWnn  == ( (WWnn-3-3    WWnn-8-8    WWnn-14-14    WWnn-16-16) <<< 1) <<< 1

Message block expansionMessage block expansion

... ...... ...W n -16 W n -15 W n -14 W n -8 W n -3 W n -2 W n -1 W n

+ + + <<< 1

Added one-bit left rotation into SHA message Added one-bit left rotation into SHA message block expansion procedure.block expansion procedure.

Page 52: SHA Cryptanalysis (Best results)

1. Collisions:

Stéphane Manuel, Thomas Peyrin, 2008: 2^33 operations (boomerang attack).

2. Preimages:

Christophe De Cannière, Christian Rechberger, 2008: 2^153 operations to find a second preimage for SHA with 49 iterations (differential cryptanalysis, partial pseudo-preimages & meet-in-the-middle attack).

Page 53: SHA-1 Cryptanalysis (Best results)

1. Collisions:

Stéphane Manuel, 2008: 2^51 operations (boomerang attack);

Cameron McDonald, Philip Hawkes & Josef Pieprzyk, 2009: 2^52 operations (differential cryptanalysis).

2. Preimages:

Christophe De Cannière, Christian Rechberger, 2008: 2^157 operations to find a second preimage for SHA-1 with 44 iterations (complex attack).

Page 54: SHA-1 Cryptanalysis (Collision search countermeasures)

1. Michael Szydlo & Yiqun Lisa Yin, 2005:

Strengthened hash function H*(m):

H*(m) = H(φ(m)),

where φ(m) is a preprocessing function; it can perform:

• message whitening (inserting specific blocks – SHApp algorithm);

• self-interleaving of message blocks.

Page 55: SHA-1 Cryptanalysis (Collision search countermeasures)

2. Shai Halevi, Hugo Krawczyk, 2006 (IBM):

Randomized hashing:

H*(r, m1, …, mN) = H(r, m1 ⊕ r, …, mN ⊕ r),

where r is a block-sized random number.

Page 56: SHA-1 Cryptanalysis (Strengthening SHA-1)

Charanjit Jutla, Anandya Patthak, 2005 (IBM) – SHA1-IME (improved message expansion):

W_n = W_{n-3} ⊕ W_{n-8} ⊕ W_{n-14} ⊕ W_{n-16} ⊕ ((W_{n-1} ⊕ W_{n-2} ⊕ W_{n-15}) <<< 1) for n = 16…35;

W_n = W_{n-3} ⊕ W_{n-8} ⊕ W_{n-14} ⊕ W_{n-16} ⊕ ((W_{n-1} ⊕ W_{n-2} ⊕ W_{n-15} ⊕ W_{n-20}) <<< 1) for n = 36…79.

Page 57: SHA-1 Cryptanalysis (Strengthening SHA-1)

[Diagram: SHA-1 message expansion (W_{n-16} ⊕ W_{n-14} ⊕ W_{n-8} ⊕ W_{n-3}, rotated <<< 1) next to SHA1-IME, which additionally XORs in a rotated (<<< 1) combination of W_{n-1}, W_{n-2}, W_{n-15} and, from n = 36 on, W_{n-20}.]
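The SHA, SHA-1 and SHA1-IME message expansions from the slides above, put into working code together with the shared f_i functions, 80-round compression and chaining. This is an added example, not the presenter's code: the round constants and initial value are taken from FIPS 180-1 (they are not on the slides), and the SHA1-IME expansion follows the formula on the slide with no external reference implementation to check against.

```python
"""SHA, SHA-1 and SHA1-IME written from the slides' description (added example,
not the presenter's code). The three differ only in the message block
expansion; f_i, the 80-round compression and the chaining are shared."""
import hashlib

MASK = 0xFFFFFFFF
# Round constants and initial value come from FIPS 180-1 (they are not on the slides).
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x, n):
    """32-bit left rotation (<<< on the slides)."""
    return ((x << n) | (x >> (32 - n))) & MASK


def f(i, x, y, z):
    """f_i exactly as on the slide: choose, parity, majority, parity."""
    if i < 20:
        return (x & y) | (~x & z)
    if i < 40 or i >= 60:
        return x ^ y ^ z
    return (x & y) | (x & z) | (y & z)


def expand(words, variant):
    """W16..W79 from W0..W15 for variant 'sha0', 'sha1' or 'sha1-ime'."""
    W = list(words)
    for n in range(16, 80):
        t = W[n - 3] ^ W[n - 8] ^ W[n - 14] ^ W[n - 16]
        if variant == "sha0":
            W.append(t)             # plain XOR: bit positions never mix
        elif variant == "sha1":
            W.append(rotl(t, 1))    # the one-bit rotation added in SHA-1
        else:
            # SHA1-IME (Jutla & Patthak): extra rotated taps; W_{n-20} joins from n = 36
            u = W[n - 1] ^ W[n - 2] ^ W[n - 15]
            if n >= 36:
                u ^= W[n - 20]
            W.append(t ^ rotl(u, 1))
    return W


def compress(H, W):
    """80 iterations over registers a..e, then chaining by addition modulo 2^32."""
    a, b, c, d, e = H
    for i in range(80):
        t = (rotl(a, 5) + f(i, b, c, d) + e + K[i // 20] + W[i]) & MASK
        a, b, c, d, e = t, a, rotl(b, 30), c, d
    return [(x + y) & MASK for x, y in zip(H, (a, b, c, d, e))]


def pad(msg):
    """Merkle-Damgaard strengthening: 0x80, zeros, 64-bit big-endian bit length."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return padded + (len(msg) * 8).to_bytes(8, "big")


def digest(msg, variant="sha1"):
    """Hash `msg` with the chosen expansion; no finalization, just A..E concatenated."""
    H = list(IV)
    data = pad(msg)
    for off in range(0, len(data), 64):
        block = data[off:off + 64]
        W = expand([int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)], variant)
        H = compress(H, W)
    return b"".join(h.to_bytes(4, "big") for h in H)


def matches_hashlib(msg):
    """Cross-check the SHA-1 variant against Python's hashlib."""
    return digest(msg, "sha1") == hashlib.sha1(msg).digest()


def difference_spread(variant):
    """Distinct bit positions in which W16..W79 differ when only bit 0 of W0 is flipped.

    Constructed input: an all-zero block versus the same block with W0 = 1. Without
    the rotation the difference stays in bit 0 of every expanded word."""
    Wa = expand([0] * 16, variant)
    Wb = expand([1] + [0] * 15, variant)
    touched = set()
    for x, y in zip(Wa[16:], Wb[16:]):
        diff = x ^ y
        touched |= {bit for bit in range(32) if diff >> bit & 1}
    return len(touched)
```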

Page 58: Section 3. SHA-2

• SHA-2 overview;

• SHA-256;

• SHA-224;

• SHA-512;

• SHA-384;

• SHA-2 cryptanalysis.

Page 59: SHA-2 (Overview)

U.S. hashing standard since 2002 (FIPS 180-2).

SHA-2 is a family of hashing algorithms:

• SHA-224 (since 2004 – defined in the updated version of FIPS 180-2);

• SHA-256, SHA-384, SHA-512.

n in SHA-n means an n-bit output hash value.

Patented by NSA but allowed for free use (U.S. Patent # 6829355).

Page 60: SHA-2 (High-level structure)

Input data size – from 0 to:

• (2^64 - 1) bits for SHA-224 & SHA-256;

• (2^128 - 1) bits for SHA-384 & SHA-512.

Merkle-Damgård construction. 512-bit or 1024-bit data blocks.

The last block is padded the same way as in SHA, but a 128-bit data length (instead of 64-bit) is used for SHA-384 & SHA-512.

Page 61: SHA-256 (Message block expansion)

1. 512-bit block is represented as 32-bit words W0…W15.

2. The following 32-bit words W16…W63 are calculated:

W_n = Sig_{1,256}(W_{n-2}) + W_{n-7} + Sig_{0,256}(W_{n-15}) + W_{n-16} mod 2^32,

where:

Sig_{0,256}(x) = (x >>> 7) ⊕ (x >>> 18) ⊕ (x >> 3),

Sig_{1,256}(x) = (x >>> 17) ⊕ (x >>> 19) ⊕ (x >> 10).

Page 62: SHA-256 (Message block expansion)

[Diagram: W_{n-16}, Sig_{0,256}(W_{n-15}) (>>> 7, >>> 18, >> 3), W_{n-7} and Sig_{1,256}(W_{n-2}) (>>> 17, >>> 19, >> 10) are added modulo 2^32 to produce W_n.]

Page 63: SHA-256 (Compression function)

64 iterations:

[Diagram: one iteration over registers a…h using Maj, Ch, Sum_{0,256}, Sum_{1,256}, K_{i,256} and W_i.]

Page 64: SHA-256 (Compression function)

Functions of the iteration:

Sum_{0,256}(x) = (x >>> 2) ⊕ (x >>> 13) ⊕ (x >>> 22);

Sum_{1,256}(x) = (x >>> 6) ⊕ (x >>> 11) ⊕ (x >>> 25);

Ch(x, y, z) = (x & y) ⊕ (~x & z);

Maj(x, y, z) = (x & y) ⊕ (x & z) ⊕ (y & z).

Page 65: SHA-256 (Chaining and finalization)

Intermediate hash values: 32-bit registers A…H.

Chaining by addition modulo 2^32:

A = A + a;

B = B + b, etc.

No finalization is performed: the output hash value is the concatenation of A…H after processing all message blocks.

Page 66: SHA-224 (SHA-224 compared to SHA-256)

The same structure as SHA-256, except for the following differences:

• Another initial value.

• Output hash value is the concatenation of registers A…G (instead of A…H), i.e. a truncated SHA-256 hash value.

Page 67: SHA-512 (Message block expansion)

1. 1024-bit block is represented as 64-bit words W0…W15.

2. The following 64-bit words W16…W79 are calculated:

W_n = Sig_{1,512}(W_{n-2}) + W_{n-7} + Sig_{0,512}(W_{n-15}) + W_{n-16} mod 2^64,

where:

Sig_{0,512}(x) = (x >>> 1) ⊕ (x >>> 8) ⊕ (x >> 7),

Sig_{1,512}(x) = (x >>> 19) ⊕ (x >>> 61) ⊕ (x >> 6).

Page 68: SHA-512 (Compression function)

80 iterations:

[Diagram: one iteration over registers a…h using Maj, Ch, Sum_{0,512}, Sum_{1,512}, K_{i,512} and W_i.]

Page 69: SHA-512 (Compression function)

Slightly modified Sum-functions:

Sum_{0,512}(x) = (x >>> 28) ⊕ (x >>> 34) ⊕ (x >>> 39);

Sum_{1,512}(x) = (x >>> 14) ⊕ (x >>> 18) ⊕ (x >>> 41).

Page 70: SHA-512 (Chaining and finalization)

Intermediate hash values: 64-bit registers A…H.

Chaining by addition modulo 2^64:

A = A + a;

B = B + b, etc.

No finalization is performed: the output hash value is the concatenation of A…H after processing all message blocks.

Page 71: SHA-384 (SHA-384 compared to SHA-512)

The same structure as SHA-512, except for the following differences:

• Another initial value.

• Output hash value is the concatenation of registers A…F (instead of A…H), i.e. a truncated SHA-512 hash value.
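The whole SHA-2 family as described on the preceding slides (Sig0/Sig1 expansion, 64 or 80 rounds of Sum0/Sum1/Ch/Maj, chaining by modular addition, truncation for SHA-224 and SHA-384), as an added example that is not the presenter's code. One assumption not stated on the slides: the constants K_i and the initial values are derived from the fractional parts of the cube and square roots of the first primes, as FIPS 180-2 defines them, and each result is checked against hashlib.

```python
"""SHA-224/256/384/512 written from the slides (added example, not the presenter's
code). Constants are derived from the square and cube roots of the first primes
as FIPS 180-2 defines them (not shown on the slides), so no tables are needed."""
import hashlib
import math


def _primes(count):
    """First `count` primes by trial division (80 are needed for SHA-512's K)."""
    found, candidate = [], 2
    while len(found) < count:
        if all(candidate % p for p in found):
            found.append(candidate)
        candidate += 1
    return found


def _icbrt(n):
    """Exact integer cube root: Newton's method from an upper bound, stopping at the floor."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# word bits, rounds, Sig0, Sig1, Sum0, Sum1, (first IV prime index, IV root bits), output words
PARAMS = {
    "sha256": (32, 64, (7, 18, 3), (17, 19, 10), (2, 13, 22), (6, 11, 25), (0, 32), 8),
    "sha224": (32, 64, (7, 18, 3), (17, 19, 10), (2, 13, 22), (6, 11, 25), (8, 64), 7),
    "sha512": (64, 80, (1, 8, 7), (19, 61, 6), (28, 34, 39), (14, 18, 41), (0, 64), 8),
    "sha384": (64, 80, (1, 8, 7), (19, 61, 6), (28, 34, 39), (14, 18, 41), (8, 64), 6),
}


def sha2(name, msg):
    w, rounds, s0, s1, S0, S1, (iv_start, iv_bits), out_words = PARAMS[name]
    mask = (1 << w) - 1
    primes = _primes(80)
    # IV: fractional part of sqrt(prime). SHA-224 uses primes 9..16 and keeps the
    # low 32 of the 64 fraction bits, i.e. the low half of SHA-384's IV words.
    H = [math.isqrt(p << (2 * iv_bits)) & mask for p in primes[iv_start:iv_start + 8]]
    # K_i: fractional part of cbrt(prime_i), 64 or 80 constants
    K = [_icbrt(p << (3 * w)) & mask for p in primes[:rounds]]

    def rotr(x, n):
        return ((x >> n) | (x << (w - n))) & mask

    sig0 = lambda x: rotr(x, s0[0]) ^ rotr(x, s0[1]) ^ (x >> s0[2])
    sig1 = lambda x: rotr(x, s1[0]) ^ rotr(x, s1[1]) ^ (x >> s1[2])
    sum0 = lambda x: rotr(x, S0[0]) ^ rotr(x, S0[1]) ^ rotr(x, S0[2])
    sum1 = lambda x: rotr(x, S1[0]) ^ rotr(x, S1[1]) ^ rotr(x, S1[2])
    ch = lambda x, y, z: (x & y) ^ (~x & z)
    maj = lambda x, y, z: (x & y) ^ (x & z) ^ (y & z)

    # Padding as in SHA, but the length field is 128 bits for the 64-bit-word variants.
    block, wbytes = 2 * w, w // 8
    data = msg + b"\x80"
    data += b"\x00" * ((-len(data) - w // 4) % block)
    data += (len(msg) * 8).to_bytes(w // 4, "big")

    for off in range(0, len(data), block):
        W = [int.from_bytes(data[off + i:off + i + wbytes], "big")
             for i in range(0, block, wbytes)]
        for n in range(16, rounds):           # message block expansion
            W.append((sig1(W[n - 2]) + W[n - 7] + sig0(W[n - 15]) + W[n - 16]) & mask)
        a, b, c, d, e, f, g, h = H
        for i in range(rounds):               # compression function
            t1 = (h + sum1(e) + ch(e, f, g) + K[i] + W[i]) & mask
            t2 = (sum0(a) + maj(a, b, c)) & mask
            h, g, f, e, d, c, b, a = g, f, e, (d + t1) & mask, c, b, a, (t1 + t2) & mask
        H = [(x + y) & mask for x, y in zip(H, (a, b, c, d, e, f, g, h))]  # chaining
    # No finalization: registers are concatenated, truncated to A..G / A..F for 224 / 384.
    return b"".join(x.to_bytes(wbytes, "big") for x in H[:out_words])


def matches_hashlib(name, msg):
    """Cross-check one variant against Python's hashlib on the same input."""
    return sha2(name, msg) == hashlib.new(name, msg).digest()
```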

Page 72: SHA-2 Cryptanalysis (Best results)

Collisions. Somitra Sanadhya, Palash Sarkar:

• 2^16 operations & 2^35 bytes of memory to find a collision for SHA-256 with 24 iterations;

• 2^23 operations & 2^68 bytes of memory to find a collision for SHA-512 with 24 iterations.

Page 73: SHA-2 Cryptanalysis (Strengthening SHA-2)

SShash algorithm by Somitra Sanadhya & Palash Sarkar:

[Diagram: SShash iteration over registers a…h using Maj, Ch, Gam_{0,n}, Gam_{1,n}, K_{i,n} and W_i, with additional modular additions compared to the SHA-2 iteration.]

Page 74: Section 4. SHA-3

• SHA-3 project overview;

• algorithms not selected to round 1;

• algorithms of round 1;

• algorithms of round 2;

• summarizing;

• round 2 algorithms performance;

• conclusion.

Page 75: SHA-3 (Overview)

The SHA-3 project is an open competition for a new SHA-3 hash function.

Main project timelines:

• November 2007: submission requirements were published;

• October 2008: the deadline for algorithm submissions;

• 2010: selecting finalists of the project;

• 2012: selecting a winner.

Page 76: Algorithms not in round 1 (Abacus)

Author: Neil Sholer (WaveStrong).

High-level structure: cryptographic sponge.

Compression function based on feedback shift registers.

Conceded broken by Ivica Nikolić & Dmitry Khovratovich: a meet-in-the-middle attack finds a second preimage in 2^172 operations.

Page 77: Algorithms not in round 1 (Boole)

Author: Gregory Rose (Qualcomm).

High-level structure: cryptographic sponge.

Compression function based on a non-linear feedback shift register.

Broken by Tomislav Nad: collision attack:

• 2^34 operations for 256-bit hash;

• 2^66 operations for 512-bit hash.

Page 78: Algorithms not in round 1 (DCH)

Author: David Wilson.

High-level structure: Merkle-Damgård construction.

Compression function: substitution-permutation network block cipher.

Broken by Mario Lamberger & Florian Mendel: just 521 operations to find a collision or preimage.

Page 79: Algorithms not in round 1 (Khichidi-1)

Author: Natarajan Vijayarangan (Tata Consultancy Services, Ltd.).

High-level structure: Merkle-Damgård construction.

Compression function: linear feedback shift register.

Broken by:

• Nicky Mouha – collision example;

• Prasanth Thandra & Satya Murty: instant collisions or second preimages.

Page 80: Algorithms not in round 1 (Maraca)

Author: Robert Jenkins Jr.

High-level structure: original iterative structure.

Compression function: parallel substitution of internal state fragments by 8 × 8 S-boxes.

Broken by Sebastiaan Indesteege: instant preimage finding.

Page 81: Algorithms not in round 1 (MeshHash)

Author: Björn Fay.

High-level structure: cryptographic sponge.

Compression function: multistream processing of the internal state with permutations between data streams.

Conceded broken by its author because of certification meet-in-the-middle attacks by Søren Thomsen: e.g. a 2nd preimage for a 256-bit hash value in 2^194 operations.

Page 82: Algorithms not in round 1 (NKS 2D)

Author: Geoffrey Park.

High-level structure: stream hashing.

Compression function: two-dimensional cellular automata.

Broken by:

• Christophe De Cannière: collision example for 224-bit hash;

• Brandon Enright: collision example for 512-bit hash.

Page 83: Algorithms not in round 1 (Ponic)

Author: Peter Schmidt-Nielsen.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: shift registers.

Certification attacks by María Naya-Plasencia: 2^265 operations & 2^256 memory blocks to find a 2nd preimage for 512-bit hash.

Page 84: Algorithms not in round 1 (SHAMATA)

Authors: Adem Atalay, Orhun Kara, Ferhat Karakoç and Cevat Manap (National Research Institute of Electronics and Cryptology, Turkey).

High-level structure: wide-pipe Merkle-Damgård construction with finalization.

Compression function: feedback shift registers.

Broken by Florian Mendel, Martin Schläffer, Christian Rechberger, Sebastiaan Indesteege: collision example for 256-bit hash (2^40 operations).

Page 85: Algorithms not in round 1 (StreamHash)

Author: Michal Trojnara.

High-level structure: stream hashing.

Compression function: original structure based on S-boxes.

Broken by Tor Bjørstad: collision example for 256-bit hash.

Page 86: Algorithms not in round 1 (Tangle)

Authors: Rafael Alvarez, Gary McGuire, Antonio Zamora.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: substitution-permutation network.

Broken by Søren Thomsen: collision example (2^13 – 2^28 operations required).

Page 87: Algorithms not in round 1 (WaMM)

Author: John Washburn.

High-level structure: wide-pipe Merkle-Damgård construction with finalization.

Compression function: original structure based on matrix operations.

Broken by David Wilson: several operations to find a collision or second preimage for all hash value sizes.

Page 88: Algorithms not in round 1 (Waterfall)

Author: Bob Hattersley (Opta Consulting).

High-level structure: original iterative structure.

Compression function: shift registers and entropy arrays (“pools”).

Conceded broken by Scott Fluhrer: 2^70 operations to find a collision.

Page 89: SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information.

Round 1 algorithmsRound 1 algorithms

Authors: Specialists from Korea University, Seoul.Authors: Specialists from Korea University, Seoul.

High-level structure: Merkle-DamgHigh-level structure: Merkle-Damgård ård constructionconstruction..

Compression function: generalized Feistel Compression function: generalized Feistel network with feed-forward operations.network with feed-forward operations.

ARIRANG (structure)ARIRANG (structure)

Page 90: SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information.

Round 1 algorithmsRound 1 algorithms

Attacks:Attacks:

• Jian Guo et al.: instant near-collisions (256 or Jian Guo et al.: instant near-collisions (256 or 512-bit hash), 2512-bit hash), 22323 operations to find pseudo- operations to find pseudo-collisions (224 or 384-bit hash);collisions (224 or 384-bit hash);

• Deukjo Hong, Woo-Hwan Kim, Bonwook Koo: Deukjo Hong, Woo-Hwan Kim, Bonwook Koo: 22481481 operations operations to find a preimage for 512-bit to find a preimage for 512-bit reduced-round (33 of 40 iterations) algorithm.reduced-round (33 of 40 iterations) algorithm.

Relatively high security margin, but simple near- Relatively high security margin, but simple near- & pseudo-collision attacks.& pseudo-collision attacks.

ARIRANG (cryptanalysis)ARIRANG (cryptanalysis)

Page 91: SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information.

Round 1 algorithmsRound 1 algorithms

Authors: Specialists from Sony Corporation & Authors: Specialists from Sony Corporation & Nagoya University, Japan.Nagoya University, Japan.

High-level structure:High-level structure:

• Merkle-DamgMerkle-Damgård construction with finalization ård construction with finalization ((AURORA-224, 256);AURORA-224, 256);

• ““Double-Mix” wide-pipe Merkle-DamgDouble-Mix” wide-pipe Merkle-Damgård ård construction with finalization (construction with finalization (AURORA-224M, AURORA-224M, 256M, 384, 512).256M, 384, 512).

Compression function: substitution-permutation Compression function: substitution-permutation network.network.

AURORA (structure)AURORA (structure)

Page 92: SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information.

Round 1 algorithmsRound 1 algorithms

Several certification attacks:Several certification attacks:

• Yu Sasaki: 2Yu Sasaki: 2259259 operations to find 512-bit key operations to find 512-bit key of keyed AURORA-512 (HMAC mode); 2of keyed AURORA-512 (HMAC mode); 2236236 operations & huge memory to find 8-block operations & huge memory to find 8-block message collision for 512-bit hash;message collision for 512-bit hash;

• Niels Ferguson & Stefan Lucks: 2Niels Ferguson & Stefan Lucks: 2291291 operations operations to find 2to find 2ndnd preimage for 512-bit hash. preimage for 512-bit hash.

Medium security margin.Medium security margin.

AURORA (cryptanalysis)AURORA (cryptanalysis)

Page 93: SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information.

Round 1 algorithmsRound 1 algorithms

Author: Colin Bradbury.Author: Colin Bradbury.

High-level structure: original iterative structure (2 High-level structure: original iterative structure (2 streamsstreams with mixing operationswith mixing operations, , using using checksums while padding the messagechecksums while padding the message))..

Compression function: one strongCompression function: one strong iteration with iteration with permutation operations for each block permutation operations for each block processing.processing.

Broken by Vlastimil Klima: Broken by Vlastimil Klima: 10 * 10 * 22nn//44 operations to operations to find find nn-bit hash preimage (i. e. 10 * 2-bit hash preimage (i. e. 10 * 25656 operations operations for 224-bit hash); also near-collision example.for 224-bit hash); also near-collision example.

BlenderBlender

Page 94: SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information.

Round 1 algorithmsRound 1 algorithms

Authors: Dmitry Khovratovich, Alex Biryukov, Authors: Dmitry Khovratovich, Alex Biryukov, Ivica NikoliIvica Nikolić (University of Luxembourg)ć (University of Luxembourg)..

High-level structure: iterative structure with High-level structure: iterative structure with feed-forward & pre-finalization before last feed-forward & pre-finalization before last block processing.block processing.

Compression function: substitution-permutation Compression function: substitution-permutation network based on AES functions.network based on AES functions.

No attacks on full-round Cheetah found.No attacks on full-round Cheetah found.

CheetahCheetah

Page 95: SHA Hash Functions History & Current State Helsinki Institute for Information Technology, November 03, 2009. Sergey Panasenko, independent information.

Round 1 algorithmsRound 1 algorithms

Authors: Phil Hawkes & Cameron McDonaldAuthors: Phil Hawkes & Cameron McDonald (Qualcomm, Australia)(Qualcomm, Australia)..

High-level structure: Merkle-DamgHigh-level structure: Merkle-Damgård ård constructionconstruction..

Compression function: generalized Feistel Compression function: generalized Feistel network.network.

No attacks found.No attacks found.

CHICHI

Page 96. Round 1 algorithms: CRUNCH

Authors: large group of experts.

High-level structure: Merkle-Damgård construction.

Compression function: unbalanced Feistel network.

No attacks on the main requirements found (but Mustafa Çoban found that length-extension attacks on CRUNCH are possible).

Page 97. Round 1 algorithms: Dynamic SHA

Author: Zijie Xu.

High-level structure: Merkle-Damgård construction.

Compression function: generalized Feistel network.

Broken by:

• Jean-Philippe Aumasson et al.: collision examples (2^22 operations for 512-bit hash, 2^21 for 256-bit);

• length-extension attack by Vlastimil Klima;

• Sebastiaan Indesteege: collision examples.

Page 98. Round 1 algorithms: Dynamic SHA2

Author: Zijie Xu.

High-level structure: Merkle-Damgård construction.

Compression function: generalized Feistel network.

Broken by:

• Jean-Philippe Aumasson et al.: 2^52 operations to find a collision for 256-bit hash;

• Hongbo Yu & Xiaoyun Wang: 2^45 operations to find a near-collision for 256-bit hash;

• length-extension attack by Vlastimil Klima.

Page 99. Round 1 algorithms: ECOH

Authors: Daniel Brown, Matt Campagna, Rene Struik (Certicom Corp., Canada).

High-level structure: original iterative structure.

Compression function: computations over a group of elliptic curve points.

Attacked by Michael Halcrow & Niels Ferguson: 2^143 operations to find a 2nd preimage for 256-bit hash (2^287 for 512-bit hash).

Relatively low security margin.

Page 100. Round 1 algorithms: Edon-R (structure)

Author: Danilo Gligoroski.

High-level structure: Merkle-Damgård construction.

Compression function: quasigroup operations.

Page 101. Round 1 algorithms: Edon-R (attacks)

Attacks:

• Dmitry Khovratovich, Ivica Nikolić, Ralf-Philipp Weinmann: 2^(2n/3) operations to find a preimage for n-bit hash; pseudo-attacks with minimum time consumption.

• Gaëtan Leurent: practical key-recovery attack (for the keyed version of Edon-R).

Relatively high security margin, but some doubts about the pseudo-attacks. The keyed version attacked by G. Leurent cannot be used.

Page 102. Round 1 algorithms: EnRUPT

Authors: Sean O'Neil, Karsten Nohl, Luca Henzen.

High-level structure: stream hashing.

Compression function: permutation operations applied while inserting each input word into the internal state.

Broken by Sebastiaan Indesteege: collision example for 256-bit hash (2^40 operations).

Page 103. Round 1 algorithms: ESSENCE

Author: Jason Martin.

High-level structure: balanced binary tree.

Compression function: feedback shift registers.

Attacked by María Naya-Plasencia et al.: 2^91 operations to find a collision for 256-bit hash, 2^168 operations for 512-bit hash.

Low security margin.

Page 104. Outline: Tree-based structure of hash functions

[Figure: the padded message is split into blocks; compression function calls are arranged in a tree over the blocks; the hash value is produced at the root.]

Page 105. Round 1 algorithms: FSB

Authors: several experts from the French National Institute for Research in Computer Science and Control.

High-level structure: wide-pipe Merkle-Damgård construction with finalization.

Compression function: based on vector operations.

No attacks found.

Page 106. Round 1 algorithms: LANE

Author: Sebastiaan Indesteege (Catholic University of Leuven, Belgium).

High-level structure: Merkle-Damgård construction with finalization.

Compression function: substitution-permutation network based on AES functions.

No attacks found.

Page 107. Round 1 algorithms: Lesamnta

Authors: Shoichi Hirose, Hidenori Kuwakado, Hirotaka Yoshida.

High-level structure: Merkle-Damgård construction with finalization.

Compression function: unbalanced Feistel network.

No attacks found.

Page 108. Round 1 algorithms: LUX

Authors: Ivica Nikolić, Alex Biryukov, Dmitry Khovratovich (University of Luxembourg).

High-level structure: stream hashing.

Compression function: two arrays of the internal state are updated by one AES round for every input word.

Attacked by Dai Watanabe: 2^100 operations to find a collision for 256-bit hash (2^200 for a 2nd preimage), 2^228 for 512-bit hash.

Relatively low security margin.

Page 109. Round 1 algorithms: MCSSHA-3

Author: Mikhail Maslennikov.

High-level structure: stream hashing.

Compression function: non-linear feedback shift register.

Attacked by Jean-Philippe Aumasson & María Naya-Plasencia: 2^(3n/8) operations to find a collision, 2^(3n/4) to find a 2nd preimage for n-bit hash.

Relatively low security margin.

Page 110. Round 1 algorithms: MD6

Authors: large group of experts led by Ronald Rivest.

High-level structure: tree.

Compression function: non-linear feedback shift register.

No attacks found.

The algorithm was withdrawn from the SHA-3 project by its authors.

Page 111. Round 1 algorithms: NaSHA

Authors: Smile Markovski & Aleksandra Mileva.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: unbalanced Feistel network.

Attacked by Zhimin Li et al.: 2^128 operations to find a collision for 512-bit NaSHA.

The authors of NaSHA disproved the results of Z. Li et al.

Page 112. Round 1 algorithms: SANDstorm

Authors: large group of experts, mainly from Sandia National Laboratories, U. S.

High-level structure: tree.

Compression function: original structure with substitution-permutation operations.

No attacks found.

Page 113. Round 1 algorithms: Sarmal

Authors: Kerem Varıcı, Onur Özen, Çelebi Kocair (Middle East Technical University, Turkey).

High-level structure: modified wide-pipe Merkle-Damgård construction with feed-forward.

Compression function: generalized Feistel network.

Attacked by Florian Mendel & Martin Schläffer: 2^(n/3) operations & 2^(n/3) memory blocks to find a collision for n-bit hash.

Low security margin.

Page 114. Round 1 algorithms: Sgàil

Author: Peter Maxwell.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: substitution-permutation network.

Attacked by its author: instant collision for all hash sizes.

The algorithm was modified by its author. No attacks on the modified version have been found.

Page 115. Round 1 algorithms: Spectral Hash

Authors: large group of experts from the University of California at Santa Barbara, U. S.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: 3-dimensional array processed by discrete Fourier transform.

Broken independently by Brandon Enright, Tor Bjørstad & Ethan Heilman: instant collisions.

Page 116. Round 1 algorithms: SWIFFTX

Authors: large group of experts from Israel and the U. S.

High-level structure: slightly modified Merkle-Damgård construction with finalization.

Compression function: original construction based on fast Fourier transform.

No attacks found.

Page 117. Round 1 algorithms: TIB3

Authors: Miguel Montes, Daniel Penazzi (Cordoba University, Spain).

High-level structure: Merkle-Damgård construction with feed-forward & finalization.

Compression function: generalized Feistel network.

Attacked by Florian Mendel, Martin Schläffer: 2^122 operations & 2^53 memory to find a collision for 256-bit hash.

Medium security margin.

Page 118. Round 1 algorithms: Twister (structure)

Authors: Ewan Fleischmann, Christian Forler & Michael Gorski.

High-level structure: Merkle-Damgård construction with finalization.

Compression function: substitution-permutation network based on AES functions.

Page 119. Round 1 algorithms: Twister (attacks)

Several certification attacks by Florian Mendel, Christian Rechberger & Martin Schläffer, e. g. 2^384 operations to find a 2nd preimage for 512-bit hash.

Relatively high security margin.

Page 120. Round 1 algorithms: Vortex

Authors: Shay Gueron & Michael Kounavis (Intel Corp.).

High-level structure: Merkle-Damgård construction with finalization.

Compression function: substitution-permutation network based on AES functions.

Attacked by Lars Knudsen, Florian Mendel, Christian Rechberger, Søren Thomsen: 2^(3n/4) operations to find a preimage for n-bit hash.

Relatively low security margin.

Page 121. Round 2 algorithms: BLAKE (overview)

Authors: Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael Phan.

High-level structure: modified Merkle-Damgård construction: local wide-pipe with finalization.

Compression function: permutation operations.

One of the fastest round 2 algorithms.

Page 122. Round 2 algorithms: BLAKE (structure)

[Figure: the G-function on state words a, b, c, d, mixing in message words m_x, m_y and constants c_x, c_y with modular additions, XORs and rotations by 16, 12, 8 and 7 bits (>>> 16, >>> 12, >>> 8, >>> 7).]

G-function: the basis of the round permutation.

10 or 14 rounds with 8 G-function calls each.

Page 123. Round 2 algorithms: BLAKE (attacks)

Certification attacks on reduced-round BLAKE:

• Ji Li & Liangyu Xu: preimage for 512-bit BLAKE with 2.5 rounds, 2^481 operations;

• Jian Guo & Krystian Matusiewicz: near-collision for the compression function of 256-bit BLAKE with 4 rounds, 2^42 operations.

Very high security margin.

Page 124. Round 2 algorithms: Blue Midnight Wish (overview)

Authors: large group of experts, mainly from the Norwegian University of Science and Technology.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: sequential processing of the current state by 3 different functions with feed-forward.

One of the fastest round 2 algorithms.

Page 125. Round 2 algorithms: Blue Midnight Wish (structure)

Compression function structure:

[Figure: State and Message block enter f0(); the result passes through f1() and f2() (with a Modification step) to produce the new State.]

Page 126. Round 2 algorithms: Blue Midnight Wish (attacks)

Certification attacks by Søren Thomsen:

• instant near-collision for the compression function of 256-bit Blue Midnight Wish (11 different bits);

• pseudo-collision (2^(3n/8+1) operations) or pseudo-preimage (2^(3n/4+1) operations) for n-bit Blue Midnight Wish.

Very high security margin.

Page 127. Round 2 algorithms: CubeHash (overview)

Author: Daniel Bernstein (University of Illinois at Chicago).

High-level structure: stream hashing.

Compression function: Feistel network.

Relative performance greatly depends on the platform and on the size of the test message: from the fastest round 2 algorithm to the slowest one.

Page 128. Round 2 algorithms: CubeHash (structure)

CubeHash round:

[Figure: one CubeHash round built from modular additions (+) and rotations by 7 and 11 bits (<<<7, <<<11).]

Page 129. Round 2 algorithms: CubeHash (structure)

CubeHash r/b parameters:

• r: number of rounds;

• b: message block size in bytes.

The originally submitted variant, CubeHash8/1, is very slow.

It was replaced with CubeHash16/32, which is about 16 times faster.

Page 130. Round 2 algorithms: CubeHash (attacks)

Several attacks (including practical ones) on variants with reduced rounds and larger blocks (e. g. CubeHash2/4 or CubeHash1/45).

Several certification preimage attacks on the submitted versions of CubeHash, by Jean-Philippe Aumasson et al. and by Dmitry Khovratovich et al.

The security margin can be considered high.

Page 131. Round 2 algorithms: ECHO (overview & attacks)

Authors: big group of experts from Orange Labs (France).

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: substitution-permutation network based on AES functions.

One of the slowest round 2 algorithms.

No attacks found.

Page 132. Round 2 algorithms: ECHO (structure)

Internal state: 4 × 4 array of 128-bit words.

8 rounds of substitution (on the figure) and permutation operations similar to the AES round.

[Figure: substitution step: two AES-128 rounds applied in sequence, with Counter and Salt as inputs.]

Page 133. Round 2 algorithms: Fugue

Authors: Shai Halevi, William Hall, Charanjit Jutla (IBM).

High-level structure: stream hashing.

Compression function: substitution-permutation network based on AES functions.

Features: 32-bit blocks; relatively large internal state; strengthened AES transforms.

Relatively low performance.

No attacks found.

Page 134. Round 2 algorithms: Grøstl (overview & attacks)

Authors: several experts from the Technical University of Denmark & Graz University of Technology, Austria.

High-level structure: wide-pipe Merkle-Damgård construction with finalization.

Compression function: substitution-permutation network based on AES functions.

Relatively low performance.

No attacks found.

Page 135. Round 2 algorithms: Grøstl (structure)

The P and Q functions perform 10 or 14 rounds of modified AES transformations.

P and Q differ from each other in round constants only.

[Figure: compression function: State and Message block are combined by XOR (+) and fed to P(); the Message block is fed to Q(); the outputs are combined by XOR (+) with the State into the new State.]

Page 136. Round 2 algorithms: Hamsi (overview & attacks)

Author: Özgül Küçük (Catholic University of Leuven, Belgium).

High-level structure: concatenate-permute-truncate.

Compression function: substitution-permutation network.

Relatively low performance.

No attacks found.

Page 137. Round 2 algorithms: Hamsi (structure)

The C, P and T functions ("concatenate-permute-truncate") form the Hamsi compression function.

32- or 64-bit message blocks (expanded to 256 or 512 bits each).

[Figure: h_{i-1} and the expanded Message block enter C(); the State then passes through P() and T() to give h_i.]

Page 138. Round 2 algorithms: JH (overview)

Author: Hongjun Wu (Institute for Infocomm Research, Singapore).

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: substitution-permutation network.

Medium performance.

Page 139. Round 2 algorithms: JH (structure)

Compression function structure:

[Figure: the Message block is XORed (+) into h_{i-1}, the result passes through E(), and the Message block is XORed (+) in again to give h_i.]

Page 140. Round 2 algorithms: JH (attacks)

Certification attack by Florian Mendel and Søren Thomsen: 2^510 operations & 2^510 memory blocks to find a preimage for 512-bit JH.

Hongjun Wu disproved the attack.

Page 141. Round 2 algorithms: Keccak (overview & attacks)

Authors: Guido Bertoni, Joan Daemen, Michaël Peeters & Gilles Van Assche.

High-level structure: cryptographic sponge.

Compression function: permutation operations.

Relatively high performance.

No attacks found.

Page 142: Round 2 algorithms. Keccak (structure)

Compression function round:

Diagram: one round of the permutation on state words A, B, C, D, built from XOR (+), rotations (>>>), AND (&) and NOT (~) operations.

Page 143: Round 2 algorithms. Luffa (overview)

Authors: Christophe De Cannière, Hisayoshi Sato & Dai Watanabe.

High-level structure: cryptographic sponge.

Compression function: substitution-permutation network.

High performance.
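An added example, not part of the slides nor Keccak or Luffa code, showing the sponge structure both algorithms use: message blocks are XORed into the rate part of the state, a permutation is applied, and the output is squeezed from the rate part. The permutation here is a constructed toy standing in for the real one, so this is not a secure hash; the rate and capacity sizes are assumed.

```python
# Added example (not from the slides, nor Keccak/Luffa reference code):
# the absorb/squeeze structure of a cryptographic sponge. The permutation
# is a CONSTRUCTED toy of a few ARX rounds, not Keccak-f, so the function
# below is not a secure hash; only the sponge mechanics are the point.
from typing import List

RATE = 16        # r: bytes XORed with each message block / read per squeeze
CAPACITY = 16    # c: bytes never directly touched by input or output
WORDS = (RATE + CAPACITY) // 8   # state held as 64-bit words
MASK = (1 << 64) - 1


def rotl64(x: int, n: int) -> int:
    return ((x << n) | (x >> (64 - n))) & MASK


def toy_permutation(state: List[int], rounds: int = 8) -> List[int]:
    """Constructed stand-in for the sponge permutation f (bijective, not secure)."""
    s = list(state)
    for rnd in range(rounds):
        for i in range(WORDS):
            j = (i + 1) % WORDS
            s[i] = (s[i] + s[j]) & MASK                # add ...
            s[j] = rotl64(s[j], 13 + 7 * i) ^ s[i]     # ... rotate, xor
        s[0] ^= rnd + 1                                # round constant
    return s


def pad10star1(msg: bytes) -> bytes:
    """Sponge padding: a 1 bit, zeros, then a final 1 bit, up to a rate multiple."""
    padded = bytearray(msg) + b"\x01"
    while len(padded) % RATE:
        padded.append(0)
    padded[-1] |= 0x80
    return bytes(padded)


def sponge_hash(msg: bytes, out_len: int) -> bytes:
    """Absorb msg block by block, then squeeze out_len bytes (any length)."""
    state = [0] * WORDS
    padded = pad10star1(msg)
    for off in range(0, len(padded), RATE):            # absorbing phase
        block = padded[off:off + RATE]
        for k in range(RATE // 8):
            state[k] ^= int.from_bytes(block[8 * k:8 * k + 8], "little")
        state = toy_permutation(state)
    out = bytearray()                                  # squeezing phase
    while len(out) < out_len:
        for w in state[:RATE // 8]:
            out += w.to_bytes(8, "little")
        state = toy_permutation(state)                 # permute between reads
    return bytes(out[:out_len])
```

Because the capacity part of the state is never output, a longer squeeze extends a shorter one rather than changing it; the capacity c, not the output length, is what bounds the generic attack cost.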

Page 144: Round 2 algorithms. Luffa (structure)

Compression function structure:

Diagram: starting from IV, each message block M_0, M_1, ... is added by a message injection (MI) and then processed by the parallel functions Q_0, Q_1, ..., Q_{w-1}; the chain continues for the following blocks.

Page 145: Round 2 algorithms. Luffa (structure)

Round of Q-functions:

Diagram: S-boxes, four parallel linear functions L(), and constant addition (+ C).

Page 146: Round 2 algorithms. Luffa (attacks)

Several “pseudo”-attacks by Keting Jia:

• instant pseudo-collisions and pseudo-second-preimages;

• instant pseudo-preimages for 224- or 256-bit hash;

• 2^64 operations and 2^64 memory to find a pseudo-preimage for 384-bit hash.

No attacks found on main security requirements.

But “pseudo”-attacks can be used in the context of other attacks.

Page 147: Round 2 algorithms. Shabal (overview & attacks)

Authors: large group of experts of the Saphir project, funded by the French National Research Agency.

High-level structure: strengthened Merkle-Damgård construction (includes some sponge-like operations and feed-forward).

Compression function: shift registers with different kinds of feedback.

One of the fastest round 2 algorithms.

No attacks found.

Page 148: Round 2 algorithms. Shabal (structure)

Compression function structure:

Diagram: state registers A, B, C; for each message block (M_1, then M_2, ...) the block is added (+) to the state, the counter W is mixed in, the permutation P() is applied and the block is subtracted (-) again.

Page 149: Round 2 algorithms. SHAvite-3 (overview & attacks)

Authors: Eli Biham & Orr Dunkelman.

High-level structure: Merkle-Damgård construction with finalization.

Compression function: Feistel network (224- or 256-bit hash) or generalized Feistel network (384- or 512-bit hash) based on AES operations.

One of the slowest round 2 algorithms.

No attacks found.

Page 150: Round 2 algorithms. SHAvite-3 (structure)

Compression function for 224- or 256-bit hash:

Diagram: the state passes through three AES rounds per Feistel step and is combined (+) with the other half; the round keys come from a key extension of the message block M_i, the salt and the counter Ctr.

Page 151: Round 2 algorithms. SHAvite-3 (structure)

Compression function round for 384- or 512-bit hash:

Diagram: two groups of four AES rounds, each keyed by round keys, with their outputs combined (+) into the neighbouring state words.

Page 152: Round 2 algorithms. SIMD (overview & attacks)

Authors: Gaëtan Leurent, Pierre-Alain Fouque & Charles Bouillaguet (École Normale Supérieure, Paris).

High-level structure: wide-pipe Merkle-Damgård construction with finalization.

Compression function: generalized Feistel network.

Relatively high performance.

No attacks found.

Page 153: Round 2 algorithms. SIMD (structure)

Compression function structure:

Diagram: 32-bit state words updated in parallel by a Boolean function f(), rotations (<<< r, <<< s), additions (+) and the expanded message words W_x, W_y.

Page 154: Round 2 algorithms. Skein (overview)

Authors: Large group of experts.

High-level structure: Unique Block Iteration.

Compression function: substitution-permutation network.

Relatively high performance.

Page 155: Round 2 algorithms. Skein (structure)

Compression function based on Threefish block cipher.

72 or 80 rounds based on permutations and parallel mix operations:

Diagram (mix operation): inputs x0, x1; y0 = x0 + x1; y1 = (x1 <<< R) XOR y0.
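An added example, not from the slides or the Skein/Threefish reference code: the MIX step shown above together with its inverse, and one Threefish-256-style round made of two parallel MIXes followed by a word permutation. The rotation constants and the permutation are illustrative values, not the official Threefish tables, and the subkey injection every four rounds is omitted; the point is that each round is a bijection on the state, which is what lets the cipher be run backwards.

```python
# Added example (not from the slides or the Skein/Threefish reference code):
# the Threefish MIX step from the diagram above and its inverse, plus a
# Threefish-256-style round (two parallel MIXes, then a word permutation).
# Rotation constants and the permutation are ILLUSTRATIVE, not the official
# Threefish tables, and the subkey injection every four rounds is omitted.
MASK = (1 << 64) - 1

def rotl64(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK

def rotr64(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def mix(x0, x1, r):
    """MIX: y0 = x0 + x1 (mod 2^64); y1 = (x1 <<< r) xor y0."""
    y0 = (x0 + x1) & MASK
    y1 = rotl64(x1, r) ^ y0
    return y0, y1

def unmix(y0, y1, r):
    """Inverse of mix: recover x1 from y1 xor y0, then x0 = y0 - x1."""
    x1 = rotr64(y1 ^ y0, r)
    x0 = (y0 - x1) & MASK
    return x0, x1

PERM = (0, 3, 2, 1)                               # illustrative word permutation
ROTS = ((14, 16), (52, 57), (23, 40), (5, 37))    # illustrative rotation schedule

def round_forward(words, rot):
    a, b = mix(words[0], words[1], rot[0])        # the two MIXes are independent,
    c, d = mix(words[2], words[3], rot[1])        # so they can run in parallel
    mixed = (a, b, c, d)
    return [mixed[PERM[i]] for i in range(4)]

def round_inverse(words, rot):
    mixed = [0] * 4
    for i in range(4):
        mixed[PERM[i]] = words[i]                 # undo the permutation first
    a, b = unmix(mixed[0], mixed[1], rot[0])
    c, d = unmix(mixed[2], mixed[3], rot[1])
    return [a, b, c, d]

def encrypt_block(words, nrounds):
    s = list(words)
    for i in range(nrounds):
        s = round_forward(s, ROTS[i % len(ROTS)])
    return s

def decrypt_block(words, nrounds):
    s = list(words)
    for i in reversed(range(nrounds)):            # rounds undone in reverse order
        s = round_inverse(s, ROTS[i % len(ROTS)])
    return s
```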

Page 156: Round 2 algorithms. Skein (attacks)

Several attacks on reduced-round Skein components by Jean-Philippe Aumasson et al.:

• near-collision for 17-round compression function of Skein – 2^24 operations;

• key recovery attack on 34-round Threefish – 2^312 operations.

Very high security margin.

Page 157: Structures tables. High-level structures

Merkle-Damgård construction and its variants.

Page 158: Structures tables. High-level structures

Other structures.

Page 159: Structures tables. High-level structures statistics

Page 160: Structures table. Compression function structures

Page 161: Structures table. Compression function structures statistics

Page 162: Performance tables

Claimed performance by authors. Source: Ewan Fleischmann et al. “Classification of the SHA-3 candidates”.

Page 163: Performance tables

64-bit platform: AMD Athlon 64 X2 2000 MHz. Source: eBASH project (http://bench.cr.yp.to), July 2009.

Page 164: Performance tables

32-bit platform: Intel Core 2 Duo 3000 MHz. Source: eBASH project (http://bench.cr.yp.to), July 2009.

Page 165: Performance tables

ARM: XScale-PXA270 416 MHz. Source: eBASH project (http://bench.cr.yp.to), February 2009.

Page 166: Round 2 algorithms. Conclusion

Can we divide the round 2 algorithms into the following categories?

• most probable, and

• less probable algorithms to become the SHA-3 standard.

Page 167: Round 2 algorithms. Conclusion

Possible factors to exclude algorithms from further consideration:

• relatively low performance;

• not high security margin;

• too complex structure of the algorithm – difficult to analyze or implement;

• similarity to SHA-2 in structure.

Page 168: Round 2 algorithms. Conclusion

Performance factor:

• ECHO, Grøstl, Hamsi, SHAvite-3 – relatively low practical performance;

• Fugue – relatively low theoretical performance;

• CubeHash – relatively slow while hashing short messages.

Page 169: Round 2 algorithms. Conclusion

Security margin factor:

• Luffa: no attacks on main security requirements, but simple attacks allow finding pseudo-collisions and pseudo-preimages; “pseudo”-attacks can theoretically be used while mounting future attacks on Luffa, so its security margin cannot be considered high.

Page 170: Round 2 algorithms. Conclusion

Other factors – no algorithms to exclude:

• all algorithms have clear and relatively simple structures;

• no algorithms are very similar to SHA-2.

Page 171: Round 2 algorithms. Conclusion

Therefore the following algorithms can be considered less probable to be SHA-3:

• CubeHash, ECHO, Fugue, Grøstl, Hamsi, SHAvite-3 – relatively low performance;

• Luffa – some doubts about security margin.

Page 172: Round 2 algorithms. Conclusion

As a result, the following algorithms can be considered more probable to be the SHA-3 standard:

• Blake;

• Blue Midnight Wish;

• JH;

• Keccak;

• Shabal;

• SIMD;

• Skein.

Page 173: Acknowledgements

• to Andrei Gurtov, who invited me to give a talk about hash functions.

Page 174: Thank you!

Sergey Panasenko, independent information security consultant,

Moscow, Russia.

[email protected] www.panasenko.ru