1 / 34

Hash Function

Hash Function. Contents. Hash Functions Dedicated Hash Functions Useful for lightweight authentication in RFID system Message Authentication Codes CBC-MAC Nested MAC Collusion Search Attacks. Hash function. {0,1} d. d > r. h(). hash, hash code/value/result

kirk
Download Presentation

Hash Function

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hash Function

  2. Contents • Hash Functions • Dedicated Hash Functions • Useful for lightweight authentication in RFID system • Message Authentication Codes • CBC-MAC • Nested MAC • Collusion Search Attacks

  3. Hash function {0,1}d d > r h() hash, hash code/value/result message digest, checksum, MIC, authentication tag, seal, compression digital fingerprint, imprint {0,1}r • Compress a binary string with an arbitrary length into a fixed short message • Used for digital signature, integrity, authentication, etc.

  4. Configuration original input, x hash function, h preprocessing append padding bits append length block formatted input x=x1,x2,…,xt iterative processing compression ft, f xi f Hi-1 H0=IV Hi Ht g g : output transformation mapping, e.g., identity mapping output h(x)=g(Ht)

  5. Requirements • Compression • One-wayness • Preimage resistance: Given y, it is computationally infeasible to compute x with y=h(x) • Second Preimage resistance: Given x and h(x), it is computationally infeasible to compute x’ with h(x)=h(x’) • Collision-free (Prevent internal misuse) : It is computational infeasible to find a pair (x, x’), x x’ satisfying h(x)=h(x’). • Efficiency • Easy to computeh(x) for a given x.

  6. Relationship • Collision resistance (which means collusion can’t be efficiently solved) implies 2nd-preimage resistance • Collision resistance does not guarantee preimage resistance • Let g be a collision resistance hash function to n-bit output • h= 1 || x, if x has bitlength n • h= 0 || g(x), otherwise • h is collision resistant with n+1 bit hash • not preimage resistant to find an image easily

  7. Classification • Using key or not • Keyed hash : MAC (Message Authentication Code) • Un-keyed hash : MDC (Manipulation Detection Code) • OWHF(One Way Hash Function) • CFHF(Collision-Free Hash Function) • What purpose • MAC • Block Cipher-Based (DES-CBC MAC) • Hash Function-Based(HMAC) • MDC • Dedicated Hash Functions (MD class, SHS, HAVAL) • Block Cipher-Based (MDC-2, MDC-4) • Modular Arithmetic: MASH-1, MASH-2

  8. Random Oracle Model (ROM) • Model for ideal hash function • H() behave like a random function • If H() is fixed, invalid assumption • Whenever H() is used, we call oracle for the random function (black box containing random ft.) • Good for screening insecure solutions • Security under ROM implies to many (not all !) attack • Not a complete proof of security, but a good argument / evidence of security : vs. standard model

  9. MAC forgery Universal forgery : Adversary can find the equivalent algorithm as MAC function Selective forgery : Adversary can create a pair of new text-MAC. Existential forgery : Even if adversary can’t adjust the value of text, he can create a pair of new text-MAC.

  10. Birthday Paradox Probability that 2 persons have the same birthday among r persons : pr (Assumption) each birthday is independent and uniform in the range 1 to m. pr=1-(m)r / mr =1- m! / mr(m-r)! ≈ √ e-r2/(2m) where,(m)r = m(m-1)…(m-r+1) If r= √m, pr ≈ 0.5 , e.g., m=365, r=23, pr>0.5 ↔ n-bit hash function will collide with probability 0.5 after √ (2n) times operation

  11. Design Criteria • All input value must affect to compute the hashed value. (Ex) Crytanalysis of Snefru • No trapdoor • The length of hashed value must be greater than 128 bit guarantee breaking complexity 264 by brute force attack. • 1 month with 10M $ machine in ‘94 • Expected cost today : less than 100,000$ • Maximum error propagation from input to output.

  12. x1 x2 xt padding H0 hashed code f f f Merkle-Damgard Construction f : h’s primitive hash function (a compression function) Hi : connection variable from i-1 to I Extend Compression ft to Hash ft so that the resulting hash ft to be collusion resistant if compression does. H0=IV, Hi=f(Hi-1,xi), 1it, h(x)=Ht

  13. xi Hi-1 xi Hi-1 Hi-1 xi E E g E g Hi Hi Hi Hash ft (MDC) by block cipher Matyas-Meyer-Oseas Davies-Meyer Miyaguchi-Preneel H0=IV Hi=Exi(Hi-1 )  Hi-1 H0=IV Hi=Eg(Hi-1)(xi )  xi H0=IV Hi=Eg(Hi-1)(xi )  xi Hi-1

  14. Comparison • Yield m-bit hash using n-bit block cipher with k-bit key • All of them are secure assuming a block cipher satisfies required randomness properties

  15. Hash by modular operation • MASH: Modular Arithmetic Secure Hash algorithm • Weakness: Efficiency (and Insecurity) • Quadratic Congruential • Hi = (xi + Hi-1)2 mod N, H0=0 • where N=Mersenne prime 231-1 • Hi = (xi Hi-1)2 mod N  xi • Hi = (xi Hi-1)e mod N

  16. Dedicated Hash Functions

  17. MD4(I) • Preprocessing a message, x 1. Padding: d =(447 -|x|) mod 512 2. Length of a message: n= |x| mod 264,|n|=64 bit 3. M = x ||1||0d||n  multiple of 512 where || denotes concatenation * little-endian : W=224B4+216B3+28B2+B1 (B1: lowest address)

  18. MD4(II) Message Block A B C D Round 2 Round 1 Round 3 A B C D

  19. Round 1 in MD4 1. A=(A+f(B,C,D)+X[0])<<<3 2. D=(D+f(A,B,C)+X[1])<<<7 3. C=(C+f(D,A,B)+X[2])<<<11 4. B=(B+f(C,D,A)+X[3])<<<19 5. A=(A+f(B,C,D)+X[5])<<< 3 . . 16. B=(B+f(C,D,A)+X[15])<<<19 where, f(X,Y,Z) = (X  Y)  ((X)  Z) , : OR, : AND, :complement, <<<s : circular left rotate by s

  20. Pseudocode of MD4 1. Preprocess: M is 512 * N bits (512 bits=16 words) 2. Define 32 bits constants: A=67452301h, B=efcdab89h, C=98badcfeh, D=10325476h 3. for i=0 to N/16 -1 do (N mod 16=0) 3-1. for j=0 to 15 do X[j] =M[16i+j] (M[i] : 32 bit string) 3-2. AA=A, BB=B, CC=C, DD=D 3-3. Round 1(for j=0..15), Round 2(for j=16..31), Round 3(j=32..47) 3-4. A=A+AA, B=B+BB, C=C+CC, D=D+DD where + is modular addition over 232. 4. output A||B||C||D||

  21. MD5(I) Add 4-th rounds (16 steps) in MD4 Change g function in 2 round from symmetric ft (XY) v (XZ) v (YZ) to non-symmetric ft (XZ) v (Y(Z)) Modify the access order for message words in Rounds 2 and 3 Modify the shift amounts Use unique constants in each of the 416 steps Each step is added to the output of a previous step to achieve avalanche effect as earlier as possible.

  22. MD5(II) Message Block A B C D Round 1 Round 2 Round 3 Round 4 A B C D

  23. ti Mj a b nonlinear operation c <<<s d FF(a,b,c,d,Mj,ti,s) MD5’s primitive ft

  24. ei-1 ei di-1 di ci-1 ci bi-1 bi ai-1 ai SHA-1(I) Kt W t nonlinear operation <<<30 <<<5 FF(a,b,c,d,Mj,ti,s)

  25. SHA-1(II) • 160 bit hashed value (5 words), Big-endian • 4 round hash, each round has 20 step • Change internal primitive ft and constants (B  C) v ((B)  D) 0 ≤ t ≤19 Ft(B,C,D) = B C D 20 ≤t ≤39 (B  C) v ((B)  D) 40 ≤t ≤59 B C D 60 ≤t ≤79 • Secure Hash Standard(SHS), FIPS Pub 180-1, 1995. • For details, refer to p.138.

  26. Performance 486SX(33MHZ) Algorithm Length Speed (Kb/s) Davies-Meyer with DES HAVAL (3 pass) HAVAL (4 pass) HAVAL (5 pass) MD2 MD4 MD5 N-Hash(12 round) N-Hash(15 round) RIPEMD SHA-1 64 variable variable variable 128 128 128 128 128 128 160 9 168 118 95 23 236 174 29 24 182 75

  27. HMAC   Nested MAC algorithm from the composition of two (keyed) hash family The Keyed-Hash Message Authentication Code(HMAC), FIPS Pub 198, 2002 HMACk(x) = SHA-1[(K opad) || SHA-1((K ipad) || x)] where ipad = 3636 …. 36, opad = 5C5C … 5C K : 512 bit key x: message to be authenticated Secure against unknown-key collusion attack

  28. Dedicated Hash Functions SHS: Secure Hash Standard RIPE: Race Integrity Primitive Evaluation

  29. Collusion Search Attack

  30. Previous Work on SHA-0/1 • Chaubaud and Joux [Cr98] • SHA-0, 261, local collision and disturbance vector • Biham and Chen [Cr04] • Near collision attack on SHA-0, 240 • Biham, Joux and Chen [Cr04 rump, EC05] • First real collision on SHA-0 (4 message blocks) found • Collision attack on SHA-1 reduces to 50+ steps • Rijmen and Osward [RSA-CT05] • Collision attack on SHA-1 reduces to 53 steps.

  31. Publications X. Wang, Y.L. Yin and H.Yu, “Finding Collusions in the Full SHA-1”, Proc. of Crypto2005, pp.17-36, LNCS3621 X. Wang, H.Yu and Y.L. Yin, “Efficient Collusions Search Attacks on SHA-0”, Proc. of Crypto2005, pp.1-16, LNCS3621 X.Y.Wang, D.G.Feng, X.J.Lai and H.B. Yu, “Collusions for hash Functions MD4, MD5, HAVAL-128 and RIPEND”, IACR eprint, 2004/199 and Crypto2005 Rump Session

  32. Flow of Collusion Search Find disturbance vector with low Hamming weights (difference for subtractions mod 232) Construct differential paths by specifying conditions so that the differential path will occur with high probabilities. Generate a message randomly, modify it using message modification techniques, and find a collusion

  33. Summary • Complexity of best known attack of MD4 : 26, MD5 : 233, SHA-0: 239, SHA-1: 269 • More complex message preprocessing can provide more security • But SHA-1, message expansion does not seem to have enough avalanche effect • All step functions have unexpected weakness • Addition and Boolean function can faciliate the attack • More analysis is needed for SHA-256, -384, -512 which was defined in Secure Hash Standard (SHS), FIPS 180-2, 2002, Aug

  34. Example Message collusion of 58 steps SHA-1

More Related