
Cryptographic Hashing: Blockcipher-Based Constructions, Revisited

Cryptographic Hashing: Blockcipher-Based Constructions, Revisited. Tom Shrimpton Portland State University. Results from CRYPTO 2004. “Near-collisions” in SHA-0 [Biham] Collisions in SHA-0 [Joux, rump session] Collisions in reduced-round SHA-1 [Biham, rump session]



Presentation Transcript


  1. Cryptographic Hashing: Blockcipher-Based Constructions, Revisited. Tom Shrimpton, Portland State University

  2. Results from CRYPTO 2004 • “Near-collisions” in SHA-0 [Biham] • Collisions in SHA-0 [Joux, rump session] • Collisions in reduced-round SHA-1 [Biham, rump session] • Collisions in MD4, MD5, RIPEMD, HAVAL-128 [Wang et al., rump session] • Multicollisions in iterated constructions [Joux]

  3. Today • What are these objects? • What cryptographic properties do we like for them to have? • How do we build them (particularly, from a blockcipher)? • What do we currently understand about proofs, models, bounds on efficiency, etc.? • A call to action!

  4. What are cryptographic hash functions? File → Hash (e.g., md5sum, SHA-1) → a cryptographic “fingerprint”

  5. SHA-1 [NIST]. Input: 512-bit blocks M1 M2 ... Mm; output: 160 bits. (<< and >> denote circular shifts of 32-bit words.)
     for i = 1 to m do
         W_t = t-th word of M_i                                   for 0 ≤ t ≤ 15
         W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) << 1      for 16 ≤ t ≤ 79
         A ← H0^{i-1}; B ← H1^{i-1}; C ← H2^{i-1}; D ← H3^{i-1}; E ← H4^{i-1}
         for t = 0 to 79 do
             T ← A << 5 + g_t(B, C, D) + E + K_t + W_t
             E ← D; D ← C; C ← B >> 2; B ← A; A ← T
         end
         H0^i ← A + H0^{i-1}; H1^i ← B + H1^{i-1}; H2^i ← C + H2^{i-1}; H3^i ← D + H3^{i-1}; H4^i ← E + H4^{i-1}
     end
     return H0^m H1^m H2^m H3^m H4^m   (160 bits)

  6. Today • What are these objects? ✓ • What cryptographic properties do we like for them to have? • How do we build them (particularly, from a blockcipher)? • What do we currently understand about proofs, models, bounds on efficiency, etc.? • A call to action!

  7. A tangle of names, with unclear (?) relations among them: 2nd-preimage resistance, universal one-way hash function, weak collision resistance, inversion resistance, collision-intractable, strong hash, one-way function, strong collision resistance, collision resistance, target collision resistance, preimage resistance, collision-free

  8. A motivating quote, and a “fact”. “2nd-preimage resistance — it is computationally infeasible to find any second-input which has the same output as any specified input, i.e., given x, to find a 2nd-preimage x' ≠ x such that h(x) = h(x').” [MOV] How are inputs specified? How is h selected? “Fact: Collision resistance implies 2nd-preimage resistance of hash functions” [MOV] This “fact” depends on how you answer the above questions!

  9. A cryptographic property (quite informal). 1. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output. BAD: H(M) = M mod 701

  10. Preimage resistance (intuition, but slightly more formal). H: [key space] × Strings → {0,1}^n, where the key space is a finite, nonempty set, Strings ⊆ {0,1}* is a set of strings, and n is the hash length. Example: keyed-SHA1: {0,1}^160 × {0,1}* → {0,1}^160; SHA1 is one particular function from this family. Diagram: M ∈ {0,1}^m ↦ H_K(M) = Y ∈ {0,1}^n; going back from Y to some M' with H_K(M') = Y is “hard” for any “reasonable” adversary.

  11. Preimage resistance: a definition (formal). A probabilistic game (the “name of game” labels the notion): - choose a random key - choose a random domain point - hash the domain point - A runs and returns a domain point. Event of interest: did A win (find a preimage)?

  12. A formal framework [RS04]. Preimage resistance, with the key either fixed or random and the range point either fixed or random: with a fixed key (and random range point), every hash function in the family must be hard to invert (“a” = “always”); with a fixed range point (and random key), every range point must be hard to invert (“e” = “everywhere”).

  13. More cryptographic properties. 1. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output ✓ 2. Second-preimage resistance: given a hash function and given a first input, it is hard to find a second input that collides with the first. 3. Collision resistance: given a hash function, it is hard to find two colliding inputs.

  14. Preimage (key × range point):
        fixed key, random range point → aPre
        random key, fixed range point → ePre
        random key, random range point → Pre
      Second preimage (key × domain point):
        fixed key, random domain point → aSec
        random key, fixed domain point → eSec (also known as UOWHF)
        random key, random domain point → Sec
      Collision (fixed key or random key) → Coll

  15. Our results [RS04]: an implication diagram over the seven notions Coll, aSec, eSec, Sec, aPre, ePre, Pre. Arrow types: conventional implication, provisional implication, and separation (no arrow).

  16. What about near-collisions? Diagram: M ↦ H_K(M) = Y and M' ↦ H_K(M') = Y' with Y ≈ Y' (M, M' ∈ Strings; Y, Y' ∈ {0,1}^n). Finding such pairs should be “hard” for any “reasonable” adversary (Hmm.. what does this mean now?)

  17. Research project #1 Continue definitional work What’s the “right” definition for the task? How do we make it formal?

  18. Today • What are these objects? ✓ • What cryptographic properties do we like for them to have? ✓ • How do we build them (particularly, from a blockcipher)? • What do we currently understand about proofs, models, bounds on efficiency, etc.? • A call to action!

  19. H: [key space] × Strings → {0,1}^n: an arbitrary-length string in, an n-bit string out. How to do this?

  20. Merkle-Damgård construction [Me89],[Da89]. Compression function f with an n-bit chaining value and k-bit message blocks: h_0 = IV (fixed initial value), h_i = f(h_{i-1}, M_i) (chaining value); for a three-block message, h_3 = H(M). MD Theorem: if f is CR, then so is H.

  21. The SHA-1 compression function of slide 5, drawn as a box: inputs are the 160-bit chaining value H0..4^{i-1} and the 512-bit block M_i; output is the 160-bit H0..4^i; after the last block, return H0^m H1^m H2^m H3^m H4^m (160 bits).

  22. Why build hash functions from blockciphers? Economy of primitives: “Do as much as possible with as little as possible.” (late 70s to early 90s): DES • weak keys cause design difficulties • small blocksize ⇒ easier wins for the adversary. (now): AES has changed the playing field • no known weak keys • bigger blocksize ⇒ harder wins for the adversary.

  23. Blockcipher-based compression function #1 (CBC) [Akl83]: a fixed key K, h_0 = IV, h_i = E_K(h_{i-1} ⊕ M_i). Is this collision-resistant? No: the two-block messages (M1, M2) = (IV, 0) and (M1, M2) = (0, E_K(IV) ⊕ E_K(0)) both hash to E_K(E_K(0)).
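The collision on slide 23 needs only forward evaluations of E_K, which anyone can compute because the key is fixed and public, and it works for any permutation E_K. The Python below is added here, not taken from the talk; it uses a constructed toy 32-bit permutation in place of a real blockcipher and checks that the slide's two messages collide.

```python
# Constructed toy blockcipher: any bijection on 32-bit words will do for this check,
# so E_K(x) = ((x XOR K) * odd constant) mod 2^32 stands in for a real cipher.
MASK32 = 0xFFFFFFFF
ODD = 0x9E3779B1
K = 0x1234ABCD  # the construction keys E with a constant that everyone knows

def E(k, x):
    return ((x ^ k) * ODD) & MASK32

def cbc_hash(blocks, iv, k=K):
    """Compression function #1 [Akl83] iterated: h_0 = IV, h_i = E_K(h_{i-1} XOR M_i)."""
    h = iv
    for m in blocks:
        h = E(k, h ^ m)
    return h

def slide_collision(iv, k=K):
    """The two 2-block messages from slide 23; both reach E_K(E_K(0)) for any IV and key."""
    msg_a = [iv, 0]                      # h1 = E_K(0),  h2 = E_K(E_K(0))
    msg_b = [0, E(k, iv) ^ E(k, 0)]      # h1 = E_K(IV), h2 = E_K(E_K(IV) ^ E_K(IV) ^ E_K(0))
    return msg_a, msg_b, cbc_hash(msg_a, iv, k), cbc_hash(msg_b, iv, k)
```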

  24. Attempt #2 [PGV93]. How about this? (Diagram: two-block messages M1, M2 through E, with intermediate values IV ⊕ 1, E_1(1) ⊕ IV and E_0(0) ⊕ IV, ending in equal outputs: IV = IV.)

  25. 12 provably-secure compression functions

  26. Davies-Meyer compression function [PGV93],[BRS02]: h_i = E_{M_i}(h_{i-1}) ⊕ h_{i-1} (diagram: the message block M_i keys E, the chaining value h_{i-1} is the plaintext, and h_{i-1} is fed forward into the output h_i).

  27. SHA-0, SHA-1 are blockcipher-based hash functions! The 80-round core of slide 5 (message schedule W_t, registers A..E, rounds t = 0..79) is a blockcipher with a 512-bit key (M_i) and a 160-bit block (H0..4^{i-1}); the final step H0^i ← A + H0^{i-1}; ...; H4^i ← E + H4^{i-1} is the Davies-Meyer feedforward.
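Slides 5, 20, 26 and 27 together describe SHA-1 as a Merkle-Damgård iteration of a Davies-Meyer compression function over a 512-bit-key, 160-bit-block cipher (the 80-round core, known as SHACAL-1). The Python below is added here and is not the talk's code: it names the three layers explicitly (the core as E_K(x), the feedforward, the iteration) and cross-checks the result against hashlib; note that SHA-1's feedforward adds word-wise mod 2^32 where textbook Davies-Meyer uses XOR.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def shacal1_encrypt(key512, block160):
    """The 80-round SHA-1 core as a blockcipher E_K(x): 512-bit key (message block), 160-bit block."""
    w = list(struct.unpack(">16I", key512))  # the message schedule is the cipher's key schedule
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))  # "<< 1" on the slide is a rotation
    a, b, c, d, e = struct.unpack(">5I", block160)
    for t in range(80):
        if t < 20:
            g, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            g, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            g, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            g, k = b ^ c ^ d, 0xCA62C1D6
        T = (rotl(a, 5) + g + e + k + w[t]) & MASK32
        a, b, c, d, e = T, a, rotl(b, 30), c, d  # "B >> 2" (rotate right 2) equals rotate left 30
    return struct.pack(">5I", a, b, c, d, e)

def davies_meyer_step(h_prev, m_block):
    """h_i = E_{M_i}(h_{i-1}) [+] h_{i-1}; SHA-1 realises [+] as word-wise addition mod 2^32."""
    y = struct.unpack(">5I", shacal1_encrypt(m_block, h_prev))
    h = struct.unpack(">5I", h_prev)
    return struct.pack(">5I", *[(yi + hi) & MASK32 for yi, hi in zip(y, h)])

def sha1(msg):
    """Merkle-Damgard iteration with MD strengthening: 0x80, zero pad, 64-bit big-endian bit length."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    h = struct.pack(">5I", *IV)
    for i in range(0, len(padded), 64):
        h = davies_meyer_step(h, padded[i:i + 64])
    return h

def matches_hashlib(msg):
    """Cross-check of the layered construction against the standard library's SHA-1."""
    return sha1(msg) == hashlib.sha1(msg).digest()
```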

  28. Collision resistance in the “ideal cipher” model. Model the blockcipher as a random permutation for each key. The adversary A gets oracles E: (K, x) ↦ E_K(x) and E^{-1}: (K, y) ↦ E_K^{-1}(y), and outputs M, M'. Adv^coll_H(A) = Pr[A^{E,E^{-1}} finds a collision in H^E]; Adv^coll_H(q) = max over A asking at most q queries of Adv^coll_H(A). The adversary is computationally unbounded; the only counted resource is oracle queries.

  29. Why such a strong model? The PRP assumption isn't enough in general [Simon]. Specifically, for each of the 12 there is a PRP that makes collisions easy [Hopwood][Wagner]. More importantly, PRP is the wrong tool: its security depends on a random, secret key.

  30. Research project #2 Find new models and/or assumptions What properties does a blockcipher need for hashing? How can we abstract them to models/assumptions? Can we prove things?

  31. Moving theory towards practice. (Diagram: h_{i-1} → E keyed by M_i → h_i → E keyed by M_{i+1} → h_{i+1}; the blockcipher calls, one per message block, are the expensive operations.)

  32. Secure rate-1, fixed-key constructions? No secure rate-1, fixed-key constructions [BCS04]. (Diagram: h_{i-1} and M_i pass through f1 into a single call of E_K on an n-bit block, whose n-bit output passes through f2 to give the n-bit h_i.) In the black-box model: compression function — collision after 2 blockcipher calls; iterated function — collisions in Θ(n + lg(n)) calls.

  33. Research project #3 Find secure, fixed-key, rate < 1, iterated constructions (some progress being made)

  34. 128 bits too small? Cascaded constructions! G_{(K1,K2)}(M) = H_{K1}(M) || H_{K2}(M), n bits || n bits. Does n/2 bits of CR from each half ⇒ n bits of CR for G? Joux: for MD constructions, No!

  35. Multicollisions. (Diagram: MD iteration h_1 = f(IV, M_1), h_2 = f(h_1, M_2), …, h_m = f(h_{m-1}, M_m) = H(M), with n-bit chaining values.) For m·2^{n/2} work, we can make 2^m messages that collide.

  36. Collisions in cascaded constructions (160 bits || 160 bits). For G_{(K1,K2)}(M) = H_{K1}(M) || H_{K2}(M): 1. Create a 2^81-way multicollision under H_{K1}. 2. Hash these messages under H_{K2}. Collision in G for work O(2^80) << O(2^160).
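Slides 34 to 36 argue that cascading two n-bit MD hashes does not deliver n bits of collision resistance. The Python below is added here, not from the talk, and reproduces Joux's argument on a constructed 16-bit toy compression function: a 2^stages-way multicollision under H_K1 costs about stages·2^(n/2) work, and a birthday search over those messages under H_K2 then collides both halves of G.

```python
import hashlib
import itertools
import struct

N_BYTES = 2  # toy 16-bit hash length, so each 2^(n/2) birthday search is tiny

def f(key, h, m):
    """Constructed toy compression function: SHA-256 over (key, chaining value, block), truncated to n bits."""
    d = hashlib.sha256(struct.pack(">IHQ", key, h, m)).digest()
    return int.from_bytes(d[:N_BYTES], "big")

def H(key, blocks, iv=0):
    """Merkle-Damgard iteration of f under key (fixed-length toy messages, so no padding)."""
    h = iv
    for m in blocks:
        h = f(key, h, m)
    return h

def find_block_collision(key, h):
    """Birthday search from chaining value h: distinct blocks m != m' with f(key,h,m) == f(key,h,m')."""
    seen = {}
    for m in itertools.count():
        y = f(key, h, m)
        if y in seen:
            return seen[y], m
        seen[y] = m

def joux_multicollision(key, stages, iv=0):
    """Slide 35: one colliding block pair per stage; any one-block-per-stage choice hashes to the same value."""
    pairs, h = [], iv
    for _ in range(stages):
        m0, m1 = find_block_collision(key, h)
        pairs.append((m0, m1))
        h = f(key, h, m0)
    return pairs, h

def all_messages(pairs):
    return [list(c) for c in itertools.product(*pairs)]

def cascade_collision(k1, k2, stages):
    """Slide 36: 2^stages-way multicollision under H_K1, then a birthday collision among them under H_K2.
    The slide uses n/2 + 1 stages (2^81 for n = 160); a few more stages make the final step near-certain."""
    pairs, _ = joux_multicollision(k1, stages)
    seen = {}
    for msg in all_messages(pairs):
        y2 = H(k2, msg)
        if y2 in seen:
            return seen[y2], msg  # both messages collide under H_K1 and under H_K2, hence under G
        seen[y2] = msg
    return None
```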

  37. What about MDC-2? (Diagram: M_i enters two blockcipher calls, keyed by the two chaining values h_{i-1} and g_{i-1}, producing the next pair h_i, g_i.)

  38. Huge opportunities for research • Continue definitional work • Formalize “near collisions”, etc. • What are the right properties for specific tasks? • Flesh out the theoretical landscape • Ideal cipher model ⇒ proofs • PRP assumption ⇒ no proofs • Find secure, fixed-key, rate < 1, iterated scheme • Analysis of MDC-2
