Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160

Sabine Wurmhöringer

Salzburg University for Applied Sciences and Technology

Telecommunications Engineering

Stefan Wegenkittl

Salzburg University for Applied Sciences and Technology

Telecommunications Engineering

Peter Hellekalek

Dept. of Mathematics, University of Salzburg, Austria


Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160

Construction of Hash Functions

  • preimage resistance

  • second preimage resistance

  • collision resistance

    (e.g. Bruce Schneier)


Collisions: 2 messages produce same hash!

    "I owe you 100 $"        --h-->
                                     00 34 CA ... FE   (160 bit hash)
    "I owe you 1.000.000 $"  --h-->


Construction of Hash Functions

  • preimage resistance

  • second preimage resistance

  • collision resistance

    (e.g. Bruce Schneier)

  • randomness of hash values


Randomness of Hash Values: Stoch. Model

  • Principle: i.i.d. uniform plaintexts result in i.i.d. uniform hash values, which minimizes the probability of collisions

    $X = \{0,1\}^n$: plaintexts, $M \sim U[X]$

    |X|∞

    $Y = \{0,1\}^{160}$: hashes, $C = h(M) \sim U[Y]$

    $|Y| = 2^{160}$


Example for Violation of Uniformity

[Figure: mapping h from the space of plaintexts (X) to the space of hash values (Y), with regions labelled 9/10, 1/10 and 1/10, 9/10, and the label "Attacks"]


Randomness of Hash Values: Stat. Testing

  • Substitute realisations for random variables and apply statistical tests for uniformity to the resulting hash values

  • Even more: hashing should destroy simple structures: structured plaintexts should produce equidistributed (pseudo-random) hash values

  • A simple structure: plaintexts are the consecutive values of a counter

  • The same reasoning was applied in tests for cryptographic algorithms (e.g. AES)


Randomness in Cryptology and Simulation

[Diagram: (Stochastic) Simulation, Cryptology, (Pseudo) Randomness]

  • in terms of interpretation: "unpredictability", "unbiasedness"

  • in terms of statistics: "independence", "equidistribution"


High Dimensional Tests for Uniformity

  • "independence": P[0|0] = ½, ..., P[1|1] = ½ (tests for independence)

  • "equidistribution": P[0,0] = ¼, ..., P[1,1] = ¼ (tests for uniformity in higher dimensions)

  • tests for independence = tests for uniformity in higher dimensions


Statistical Testing

  • Standard test batteries

    • NIST test suite: http://www.nist.gov

    • Diehard battery: http://stat.fsu.edu/~geo/diehard.html

  • rather limited sample sizes and range of parameters

  • able to find several specific defects

  • Room for improvement: for example, a well-known defect in T800 is not detected (ACM TOMACS ’99, Matsumoto and Wegenkittl)

  • References: hardly any published results to date

  • Recommendation: additionally employ systematic testing (WSC ’99, Wegenkittl)


Systematic Testing: Serial Overlapping Tests

  • Load Test (m-tuple test)

    • vary sample size in { $2^{18}$ – $2^{28}$ }

    • vary dimension in {1, 2, 4, 8, 16}

  • Gambling Test

    • even higher dimensions in {32, 64, 128, 256}

    • vary sample size in { $2^{22}$ – $2^{28}$ }

    • based on simulation of a gambling game


Test Setup and Test Design

  • preparation of input

  • 2-level serial overlapping test

    • Chi-square distributed level one test

    • Kolmogorov-Smirnov test at level two applied to 16 repetitions of level one test (see e.g. Knuth)


Preparation of Input

  • counter: $m' = 0$ (0 ... 0, 32 bit), $m'' = 1$ (0 ... 01, 32 bit), ...

  • hash function: $h(m')$, $h(m'')$, ...

  • hash values: $c'_0 \dots c'_{159}$ (160 bit), $c''_0 \dots c''_{159}$ (160 bit), ...

  • cutting: $c'_0\, c'_8 \dots c'_{152}$ (20 bit), $c''_0\, c''_8 \dots c''_{152}$ (20 bit), ...

  • concatenate

  • input stream: $b_0\, b_1 \dots b_{19}\, b_{20} \dots$


Construction of Overlapping Tuples

  • input stream: $b_0\, b_1 \dots b_{n+t-1} \dots$

  • overlapping vectors with dimension t:

    • $V_0 = (b_0, \dots, b_{t-1})$

    • $V_1 = (b_1, \dots, b_t)$

    • ...

    • $V_i = (b_i, \dots, b_{i+t-1})$

    • ...

    • $V_n = (b_n, \dots, b_{n+t-1})$


Test Setup

[Diagram: counter → hash function → bit stream, feeding the Load Test and the Gambling Test; each has a Level One Statistic (χ²) and a Level Two Statistic (KS); outputs: p-values, KS plot]
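The pipeline of the Preparation of Input, Construction of Overlapping Tuples and Test Setup slides, as an added Python example (not code from the presentation or its authors): counter, hash, cutting, bit stream, overlapping t-tuples, level-one χ² p-values, level-two KS-value. Assumptions: big-endian counter encoding, the most significant bit of each digest byte taken as c_0, c_8, ..., c_152, the standard overlapping serial statistic ψ²_t − ψ²_(t−1) with 2^(t−1) degrees of freedom (t ≥ 2) at level one, and √16 · D as the KS-value; all function names are illustrative.

```python
import hashlib
import math
from collections import Counter

def bit_stream(n_bits, algo="sha1"):
    """Counter -> hash -> cutting -> concatenate (byte and bit order are assumptions)."""
    bits, counter = [], 0
    while len(bits) < n_bits:
        digest = hashlib.new(algo, counter.to_bytes(4, "big")).digest()  # 32-bit counter
        bits.extend(byte >> 7 for byte in digest)  # c_0, c_8, ..., c_152: 20 bits
        counter += 1
    return bits[:n_bits]

def tuple_counts(bits, t, n):
    """Frequencies of the overlapping vectors V_i = (b_i, ..., b_{i+t-1}), i = 0..n-1."""
    counts, v, mask = Counter(), 0, (1 << t) - 1
    for i in range(n + t - 1):
        v = ((v << 1) | bits[i]) & mask
        if i >= t - 1:
            counts[v] += 1
    return counts

def psi2(bits, t, n):
    """Pearson statistic of the t-tuple counts against the uniform expectation n / 2^t."""
    if t == 0:
        return 0.0
    expected, counts = n / 2 ** t, tuple_counts(bits, t, n)
    return sum((counts[v] - expected) ** 2 for v in range(2 ** t)) / expected

def chi2_upper_tail(x, df):
    """Exact upper-tail chi-square probability for even df (Poisson sum in log space)."""
    h = x / 2.0
    if h <= 0.0:
        return 1.0
    terms = (math.exp(j * math.log(h) - h - math.lgamma(j + 1)) for j in range(df // 2))
    return min(1.0, math.fsum(terms))

def load_test(bits, t, n, reps=16):
    """Level one: p-values of psi2_t - psi2_(t-1), t >= 2; level two: sqrt(reps) * KS."""
    span, pvals = n + t - 1, []            # bits consumed by one repetition
    for r in range(reps):
        rep = bits[r * span:(r + 1) * span]
        stat = psi2(rep, t, n) - psi2(rep, t - 1, n)   # assumed level-one statistic
        pvals.append(chi2_upper_tail(stat, 2 ** (t - 1)))
    pvals.sort()
    d = max(max((i + 1) / reps - p, p - i / reps) for i, p in enumerate(pvals))
    return pvals, math.sqrt(reps) * d
```

Passing `algo="ripemd160"` works only where the local OpenSSL build provides that digest. A constant bit stream drives every level-one p-value to 0 and the KS-value to its maximum of 4, far beyond the 1.57 mark on the slides' scale.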


SHA-1 and RIPEMD-160

  • hash value: 160 bit

  • published:

    • SHA-1: FIPS 180

    • RIPEMD-160: ISO/IEC 10118-3:2003

  • considered to be secure until 2005

    (Austrian Signature Regulations)


Visualization: Load Test

  • Level One

    • p-values (upper-tail) of chi-square statistic

    • 16 repetitions

    • arrange resulting p-values in small rectangles

    • black color indicates significance at 1% level

scale: 1 = highly uniform, 0 = highly non uniform


Results (p-values)

[Figure: load test p-values for SHA-1 and RIPEMD-160; axes: dimension (1, 2, 4, 8, 16) against sample size ($2^{18}$ – $2^{28}$)]


Visualization: Load Test

  • Level Two

    • KS-values of two-sided Kolmogorov-Smirnov test

    • arrange resulting KS-values in a bar diagram

    • red color indicates KS-value under 1% level

scale: 0 ... > 1.57 ... 4


Results (Kolmogorov-Smirnov values)

[Figure: Kolmogorov-Smirnov values for SHA-1 and RIPEMD-160]


Results: Gambling Test

  • sample size in {$2^{22}$, ..., $2^{28}$}

  • dimension t in {32, 64, 128, 256}

  • 16 repetitions of Gambling Test

  • p-values (upper-tail) of KS Statistic at level two

[Figure: gambling test results for SHA-1 and RIPEMD-160]


Summary and Conclusion

  • tests did not find any systematic defects

  • even highly correlated input results in uncorrelated hash values

  • all examined probabilities were on target

  • work in progress:

    • study influence of other simple structures in plaintexts (patterns and motifs) and optimize testing strategy

    • increase power of test w.r.t. detection of increased collision probability


Links and References

  • S. Wegenkittl. Monkeys, gambling, and return times: Assessing pseudorandomness. Proceedings of the 1999 Winter Simulation Conference, pages 625–631, Piscataway, N.J., 1999. IEEE Press.

  • P. Hellekalek and S. Wegenkittl. Empirical evidence concerning AES. ACM Trans. Model. Comput. Simul., 13(4):322–333, 2003.

  • S. Wegenkittl. The pLab picturebook: Load tests and ultimate load tests, part I. Report no. 1, pLab – reports, University of Salzburg, 1997.

  • H. Leeb and S. Wegenkittl. Inversive and linear congruential pseudorandom number generators in empirical tests. ACM Transactions on Modeling and Computer Simulation, 7(2):272–286, 1997.

  • S. Wegenkittl. Gambling tests for pseudorandom number generators. Mathematics and Computers in Simulation, 55(1–3):281–288, 2001.

  • B. Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C. Wiley and Sons, New York, second edition, 1996.

  • S. Wurmhöringer. Statistische Analyse der Hashfunktionen die gemäß der österreichischen Signaturverordnung empfohlen werden. Master Thesis at the Salzburg University of Applied Science and Technology, 2004.

