1 / 30

The Hash Function “Fugue”

The Hash Function “Fugue”. Shai Halevi William E. Hall Charanjit S. Jutla IBM T. J. Watson Research Center. Broad Overview. Maintains Large State (~1000 bits) Large Initial State Tougher to invert Large Final State Tougher to find collision Final Compression (to say, 256 bits)

daphnes
Download Presentation

The Hash Function “Fugue”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Hash Function “Fugue” Shai Halevi William E. Hall Charanjit S. Jutla IBM T. J. Watson Research Center

  2. Broad Overview Maintains Large State (~1000 bits) • Large Initial State • Tougher to invert • Large Final State • Tougher to find collision • Final Compression (to say, 256 bits) • Lots of Crunching • Tougher to find “properties”, invert, or find collision • Uses ‘super’ AES-like rounds • Focus of the Talk : Collision Resistance

  3. Fugue-256 Initial State (30 words) Process M1 New State M_i Iterate State Final Stage Hash Output (8 words)

  4. Fugue-256 Initial State (30 words) Process ΔM1 New State ΔM_i Iterate State Δ = 0 State Final Stage Δ = 0

  5. Overview (contd.) • Inspired by Grindahl [KRT07] • Small incremental input rounds • Long final stage. • Attacked by Peyrin [P07] -Internal Collisions • Fugue has a Proof Driven Design • Proves that Peyrin-style attacks do not work • Proves bound on differential attacks assuming limits (extremely generous) on message modification. • Proves bound on finding External Collisions. • Like AES, uses MDS codes • but bigger MDS codes • Does not need MD mode theorem

  6. Design Challenges • Non-secret Key/ Un-keyed properties gives adversary “non-standard” approaches to enhance differential attacks • Message Modification • Neutral Bits, Neutral Differentials

  7. Good News • The main “non-secret key” properties are about collisions • Collision, TCR, 2nd Pre-image, Universal Hash • The differential requires output difference to be zero, i.e. Dout = 0. • Is it easy to prove something about such restricted differentials? • Quandary: All good practical designs are based on permutations.

  8. Fugue-256 Initial State (30 words) Process ΔM1 New State ΔM_i Iterate State Δ  0 Invoke Coding Theory Final Stage Δ = 0

  9. What’s in an elementary round? • [Called SMIX in the paper] • Works on 128 bits (just like AES) • Arranged as 4 by 4 matrix (just like AES) • Starts with S-box substitution (same as AES) • Does linear mixing (more advanced than AES)

  10. AES Round

  11. AES Round

  12. Fugue elementary round “SMIX” Leads to MDS code over 16 bytes!

  13. Fugue elementary round “SMIX” Leads to MDS code over 16 bytes!

  14. Fugue elementary round “SMIX” At least 13 active S-Boxes • 2^{-6*13} = 2^{-78} Leads to MDS code over 16 bytes!

  15. FINAL STAGE Rapid Mixing (G1) Differential Killer (G2) output

  16. External Collision Provable Bound • Assumption: Differential Attacks • Attacker controls difference, state itself is random • Probabilities of different rounds are assumed independent. • Consider 2 messages leading to two different states at middle of final stage • After the rapid mixing • Allow the adversary to force a difference D of its choice at this point.

  17. External Collision Provable Bound • Theorem: For any state difference D  0, if the states at the start of G2 are chosen randomly then Pr[ Collision in 256 bit output | D ]  2-129 • Recall, assumes independence assumption

  18. Fugue-256 Initial State (30 words) Process Process M1 M1 New State  SMIX Repeat once more Iterate State Final Stage

  19. INTERNAL COLLISION PROVABLE BOUND Random States, but _{i-4} = D Process M, M’_i-3 State Process M, M’_i-2 State Process M, M’_i-1 State Process M, M’_i State _i = 0 Theorem Pr [ M, M’ <i-3..i> : _i =0 | _{i-4} = D ]  2-168

  20. Message Modification? • Neutral Bits? • How justified is random state? • We do more advanced analysis, giving extremely generous “free message modification / all bits neutral ” allowance. • Still can prove 2^{-128} bound.

  21. Performance (Fugue-256) • 32 bit Intel Core 2 Duo (Linux) • ANSI C : 36 cycles/byte • 64 bit Intel Xeon (CygWin) • ANSI C : 28 cycles/byte • 8-bit: as good as AES…similar advantages • Decent state size : 120 bytes (1000 cycles/byte) • Hardware: 90nm IBM Cu-8 technology • 360 MB/sec (basic) to 1.8 GB/sec.

  22. Conclusion • Proof-driven Design leads to best of both worlds: • - Security  • - Performance 

  23. THE END

  24. Fugue is a Universal Hash Fn. • Requirement: • For all messages M1,M2, Pr_k[ Fugue_k(M1) = Fugue_k(M2)] is low • Key is 8 words (256 bits), placed in the right most 8 words of initial state. • Assume (for now) same length. • Wlog internal collision, otherwise messages irrelevant.

  25. Internal coll. at end of Round 0 • Number the rounds backwards 0, -1, -2,… • For now, assume states at start of round –3 are random (but say, with some adversary determined difference D). • Then, we have already proven 2^{-168}.

  26. What about the random assump. • Random but diff = D at start of round –3. • That is allowing adversary to get an XOR-diff D with probability 1 (on a random key)! • So seems not that bad an assumption. • But, is entropy depletion a problem? • State starts with 8 word entropy. • Each round adversary inserts a word (pair).

  27. Input State (30 words) Process M1 I_S M1 (D; O_S) => ! (M1;IS) (D1,O_S) ->(M1; IS) (D2,O_S) ->(M1; IS’) ? Nope!  SMIX Repeat once more Output State (O_S) D

  28. (D1,O_S) ->(M1; IS) (D2,O_S) ->(M1; IS’) ? Input State (30 words) M1 I_S M1  M1 non-zero  SMIX All 4 words  non-zero X  X non-zero X  SMIX All 4 words  non-zero D Output State (O_S) = 0 0

  29. Discarded Slides

  30. Desired Properties • Keyed Properties • Secret Key • PRF (MAC) • Non-Secret Key (Salted) • Universal Hash, Extractor, Key Derivation • Collision Resistance, TCR, Pre-image (1st / 2nd) • Un-Keyed Versions • Collision Resistance, Pre-image (1st /2nd)

More Related