Transcript: Historical overview - evolution of the algorithm
SHA Hash Functions History & Current State
Helsinki Institute for Information Technology, November 03, 2009.
Sergey Panasenko, independent information security consultant, Moscow, Russia.
[email protected] www.panasenko.ru
SHA Hash Functions
1. Hash functions cryptanalysis review.
2. SHA (SHA-0) & SHA-1.
3. SHA-2.
4. SHA-3 project.
Section 1. Hash functions cryptanalysis review
• typical hash function structure; • goals of hash functions cryptanalysis; • cryptanalysis methods.
Typical hash function structure
Merkle-Damgård construction (diagram): the message blocks M_0, M_1, …, M_N are processed in turn by the compression function f_b, starting from the initial value IV; each call takes the previous chaining value and one block, and the final chaining value H_N is the hash.
Primary goals of hash functions cryptanalysis
Collision: m_1 and m_2 with the same hash: h = hash(m_1) = hash(m_2). Multicollision: several messages with the same hash.
Theoretical time consumption: 2^(n/2) operations for an n-bit hash function.
Primary goals of hash functions cryptanalysis
First preimage: such m that for a given h: hash(m) = h. Second preimage: such m_2 that for a given m_1: hash(m_2) = hash(m_1).
Theoretical time consumption: 2^n operations for an n-bit hash function.
Primary goals of hash functions cryptanalysis
Secret key recovery – for keyed hash functions or hash functions in a keyed mode.
Theoretical time consumption: 2^k operations for a k-bit key.
Secondary goals of hash functions cryptanalysis
Near-collision: m_1 and m_2 whose hash values differ in several bits: hash(m_1) ≈ hash(m_2). Pseudo-collision: m_1 and m_2 with the same hash but with different initial values: hash(m_1, IV_1) = hash(m_2, IV_2).
Theoretical time consumption: 2^(n/2) operations for an n-bit hash function.
Secondary goals of hash functions cryptanalysis
Pseudo-preimage: such m that for a given h: hash(IV, m) = h, where IV is a non-standard initial value.
Theoretical time consumption: 2^n operations for an n-bit hash function.
Attacks on hash functions
Brute-force attacks
• Step-by-step search over the target space.
• They define the theoretical time consumption for any goal.
• Can be used for finding collisions, preimages or secret keys.
• Highly parallelizable.
• Can be accelerated greatly by specific hardware.
• Can be used in the context of other attacks.
• They define suitable hash or key sizes.
Attacks on hash functions
Dictionary attacks
• A kind of brute-force attack on a reduced target space (e.g. the words of a dictionary).
• Typical application: finding the password for a given hash value.
• Offline work – precomputing a table that is later searched for the required password.
Attacks on hash functions
Dictionary attacks
The simplest case of tables: one hash for every password (illustrative values from the slide):
abaca → 5d12fdca
aback → 0a23647f
abaction → ca56ff12
...
zygoma → 7dd412a4
Attacks on hash functions
Dictionary attacks
Hash chains – reducing the memory (Martin Hellman, 1980): p_1 → h_1 = hash(p_1) → p_2 = R(h_1) → h_2 = hash(p_2) → … → p_N → h_N, where R is a reduction function that maps a hash value back to a candidate password; only the first and the last element of each chain are stored.
Chains from the slide (illustrative values):
abaca → 5d12fdca → trend → 6fade4ac → mary → 67a97688 → … → peace → 4fd769a3
couple → f87df65a → come → 1abb67a1 → further → a3429904 → … → afford → a9112a3c
...
sands → 788a2c5d → reach → df34a456 → etc → a63dd12a → … → shorten → c8a913cf
Attacks on hash functions
Dictionary attacks
Hash chains – collision example (illustrative values): when two chains pass through the same value in different columns they merge and contain the same elements from that point on:
… → afford → a9112a3c → … → peace → 4fd769a3
… → yellow → 3287acfe → … → afford → a9112a3c
… → reviewer → d51a900a → … → yellow → 3287acfe
The merged parts waste table space, and the merge is not visible from the stored end points.
Attacks on hash functions
Dictionary attacks
Strengthening hash chains: • Several tables with different R-functions.
• Variable length chains.
Variable length chains (illustrative values): a chain stops when its hash value reaches a distinguished pattern, here four leading zero hex digits:
spoke → 000012ca
length → 6acf499a → ode → a97688cd → …
pipe → 752a65fd → medicine → 0000a342
john → 000056df
Attacks on hash functions
Dictionary attacks. Rainbow tables
Several R-functions R_1 … R_{N-1}, one for every column of the strings: • cyclic strings are impossible; • collisions lead to string coincidence only when they occur in the same column – that can be detected.
Rows from the slide (illustrative values):
abaca → 5d12fdca → R_1 → couple → f87df65a → R_2 → texas → 77f9ac1a → R_3 → …
trend → 6fade4ac → R_1 → come → 1abb67a1 → R_2 → school → d7c907f1 → R_3 → …
mary → 67a97688 → R_1 → further → a3429904 → R_2 → blow → 93aa1cbd → R_3 → …
...
peace → 4fd769a3 → R_1 → afford → a9112a3c → R_2 → come → 1abb67a1 → R_3 → …
(come → 1abb67a1 occurs in two different columns, but the rows do not merge because the R-functions applied next differ.)
Attacks on hash functions
Dictionary attacks. Rainbow tables
Invented by Philip Oechslin in 2003.
Can be further strengthened by combining with variable-length chains.
In active use for cracking real systems: • http://project-rainbowcrack.com; • http://lasecwww.epfl.ch; • http://www.freerainbowtables.com.
Attacks on hash functions
Dictionary attacks. Rainbow tables
Countermeasures: • Salt – randomizing the hashing; • Increasing the time to hash – e.g. multiple hashing.
Example: Niels Provos & David Mazières (1999) – the bcrypt hash function. Uses an expensive key setup with salt & cost parameters. The cost defines the number of internal block cipher key expansions: 2^(cost+1) + 1.
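Added example (the editor's code, not from the slides or from any of the tools listed above): a miniature rainbow table of the kind described on the previous slides, built and queried in Python, followed by the salt countermeasure. Assumptions that are not in the original: the password space is every 3-letter lowercase word (26^3 = 17576 candidates), the password hash is SHA-1 truncated to 32 bits so the table builds in seconds, and the column-dependent reduction functions R_1 … R_t are the simple modular mapping below.

```python
"""Added example: a miniature rainbow table (Oechslin 2003) and why a salt defeats it.

Assumptions made here, not in the original: 3-letter lowercase passwords, SHA-1
truncated to 32 bits as the password hash, and a simple modular reduction function.
"""
import hashlib
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 40            # t columns: hash -> R_0 -> hash -> R_1 -> ... -> R_{t-1}


def h(password, salt=b""):
    """Password hash: unsalted when salt == b'' (what the table is built for)."""
    return hashlib.sha1(salt + password.encode()).digest()[:4]


def reduce_fn(digest, column):
    """R_column: map a digest back into the password space. Mixing the column index
    in makes every column a different function, which is what turns Hellman chains
    into a rainbow table (chains can only merge if they collide in the same column)."""
    v = (int.from_bytes(digest, "big") + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        v, r = divmod(v, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def random_password(rng):
    return "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))


def build_table(n_chains, rng):
    """Precomputation: walk each chain for CHAIN_LEN columns and store only
    (end point -> start point); the intermediate values are recomputed on lookup."""
    table = {}
    for _ in range(n_chains):
        start = random_password(rng)
        p = start
        for col in range(CHAIN_LEN):
            p = reduce_fn(h(p), col)
        table.setdefault(p, start)    # two chains ending at the same point: keep one
    return table


def lookup(table, target):
    """Online phase: guess which column the target sits in, walk to the chain end,
    and if that end is stored, replay the chain from its start to recover the
    password (a replay that never hits the target is a false alarm from a merge)."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_fn(target, col)
        for c in range(col + 1, CHAIN_LEN):
            p = reduce_fn(h(p), c)
        start = table.get(p)
        if start is None:
            continue
        p = start
        for c in range(CHAIN_LEN):
            if h(p) == target:
                return p
            p = reduce_fn(h(p), c)
    return None


def demo(seed=1, n_chains=8000, trials=40):
    """Returns (hit rate on unsalted hashes, hits on salted hashes, stored entries)."""
    rng = random.Random(seed)
    table = build_table(n_chains, rng)
    passwords = [random_password(rng) for _ in range(trials)]
    hits = 0
    for pw in passwords:
        found = lookup(table, h(pw))
        if found is not None:
            assert h(found) == h(pw)      # the table yields a valid preimage
            hits += 1
    # A salt (a constant 2-byte value here, standing in for a per-user random salt)
    # moves every hash outside the precomputed space: the same table finds nothing.
    salted_hits = sum(lookup(table, h(pw, salt=b"\x8f\x03")) is not None for pw in passwords)
    return hits / trials, salted_hits, len(table)


if __name__ == "__main__":
    print(demo())
```

The table stores one entry per chain (8000 entries for roughly 320000 computed hashes), which is the memory saving the chains buy; the price is a lookup that recomputes up to t(t+1)/2 hashes per query and occasional false alarms from merged chains. The salted run returns no hits, which is why a per-user salt makes the precomputation useless rather than merely slower.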
Attacks on hash functions
Birthday paradox
“Square root attack”: O(√N) tries are required to find a repeated element when drawing from a set of N elements.
Application to hash functions (Gideon Yuval, 1979): • An adversary prepares r variants of the original document m and r variants of the fraudulent document f.
• He searches among these variants for m_x and f_y such that hash(m_x) = hash(f_y).
• The user signs m_x, but his signature also verifies for f_y.
Attacks on hash functions
Collision search
Another variant of hash chains: m_i → hash(m_i) → hash(hash(m_i)) → …; all hash values are compared with the previous values and with the values of other chains.
Disadvantage: huge memory requirements.
Jean-Jacques Quisquater, Jean-Paul Delescaille, 1987: store distinguished points only; their coincidence signals a found collision. Low memory requirements.
Attacks on hash functions
Collision search
Michael Wiener and Paul van Oorschot, 1994: parallel collision search with specific values: - initial values; - distinguished points.
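Added example (the editor's code, not from the slides or from the cited papers): the distinguished-point collision search of the two slides above, run on a toy target. The assumption not in the original is the target itself: SHA-1 truncated to 32 bits, so a collision costs about 2^16 evaluations and the script finishes in well under a second; the distinguished-point rule is "the low DP_BITS bits are zero".

```python
"""Added example: collision search with distinguished points (Quisquater-Delescaille,
van Oorschot-Wiener) on a 32-bit truncation of SHA-1. Editor's code, not from the slides."""
import hashlib
import random

N_BITS = 32
DP_BITS = 6                      # trails average 2^DP_BITS = 64 steps
CALLS = [0]                      # counts evaluations of f (the work measure on the slides)


def f(x):
    """The function whose collision we want: SHA-1 of an 8-byte encoding of x, truncated."""
    CALLS[0] += 1
    return int.from_bytes(hashlib.sha1(x.to_bytes(8, "big")).digest()[:N_BITS // 8], "big")


def is_distinguished(x):
    return x & ((1 << DP_BITS) - 1) == 0


def walk_to_dp(start, max_steps):
    """Iterate f from start until a distinguished point; give up on DP-free cycles."""
    x, steps = start, 0
    while not is_distinguished(x):
        if steps >= max_steps:
            return None, steps
        x = f(x)
        steps += 1
    return x, steps


def locate_collision(start_a, len_a, start_b, len_b):
    """Two trails reached the same distinguished point. Align them so both are the
    same number of steps away from it, then step in lockstep: the first time f agrees
    on two different inputs is the collision. Returns None if one trail merely
    started on the other (no new information)."""
    xa, xb = start_a, start_b
    for _ in range(len_a - len_b):
        xa = f(xa)
    for _ in range(len_b - len_a):
        xb = f(xb)
    if xa == xb:
        return None
    while True:
        fa, fb = f(xa), f(xb)
        if fa == fb:
            return xa, xb
        xa, xb = fa, fb


def find_collision(seed=0):
    """Memory holds only (distinguished point -> start, length) per trail, so the
    search is cheap to store and trivially parallel: each trail is independent
    work and only distinguished points need to be shared."""
    rng = random.Random(seed)
    seen = {}
    while True:
        start = rng.getrandbits(N_BITS)
        dp, length = walk_to_dp(start, 20 << DP_BITS)
        if dp is None:
            continue
        if dp in seen:
            result = locate_collision(start, length, *seen[dp])
            if result is not None:
                return result
        else:
            seen[dp] = (start, length)


if __name__ == "__main__":
    a, b = find_collision()
    print(f"f({a:#x}) == f({b:#x}) == {f(a):#x} after {CALLS[0]} evaluations")
```

Only the distinguished points are stored, a few hundred entries here instead of the tens of thousands a naive table of every hash value would need; with several workers the `seen` dictionary is the only shared state, which is the parallelization Wiener and van Oorschot describe. Raising N_BITS makes the work grow as 2^(N_BITS/2), the birthday bound from the slides.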
Attacks on hash functions
Birthday paradox & collisions search
• Mihir Bellare and Tadayoshi Kohno, 2004: “amount of regularity” of hash functions – how regular the distribution of output values is. The less regular the function, the easier it is to find a collision.
• Bart Preneel, 2003: hash value size analysis. 160 bits are enough for at least 20 years.
Attacks on hash functions
Differential cryptanalysis
Florent Chabaud & Antoine Joux, 1998: SHI1 algorithm – SHA with the f functions replaced by XOR and all additions replaced by XOR. Diagram of one iteration: the new value (a <<< 5) ⊕ (b ⊕ c ⊕ d) ⊕ e ⊕ K_i ⊕ W_i is written to a, while b takes a, c takes b <<< 30, d takes c and e takes d.
Attacks on hash functions
Differential cryptanalysis
Propagation of a one-bit difference through six SHI1 iterations (iteration number : number of the differing bit; corrected bits are in bold on the slide):
message words: W_i:1, W_{i+1}:6, W_{i+2}:1, W_{i+3}:31, W_{i+4}:31, W_{i+5}:31;
registers: a_{i+1}:1, b_{i+2}:1, c_{i+3}:31, d_{i+4}:31, e_{i+5}:31.
The difference in W_i enters register a; a <<< 5 moves it to bit 6 and b <<< 30 moves it to bit 31, and at each of the next five iterations the message word is corrected in exactly the bit where the register difference would re-enter the computation.
Attacks on hash functions
Differential cryptanalysis
Result: the propagation of the difference is cancelled by the corrected bits. After 6 iterations the difference is 0.
This is a 6-round local collision: two messages differ in 6 bits (after expansion) but lead to the same hash value.
Next step: construct messages whose expansion produces the required difference.
Attackers use a disturbance vector – a table showing which bits of the messages must differ to achieve the collision.
Attacks on hash functions
Differential cryptanalysis
F. Chabaud & A. Joux: SHI1 – SHI2 – SHI3 – SHA: the non-linear operations are put back into the iterations step by step.
From deterministic to probabilistic constructions: the same principles of attack apply to the real SHA algorithm, where the local collision holds only with some probability instead of always.
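Added example (the editor's code, not from the slides or from Chabaud and Joux's paper): the 6-step local collision above, run on a model of SHI1 and on the real SHA step. The assumptions are that SHI1 is the SHA step with both the f functions and all additions replaced by XOR (Chabaud and Joux's linearisation), that the six differences are applied directly to the expanded words W_i … W_{i+5} so message expansion is left out, and that K_0 of SHA serves as the round constant. On SHI1 the collision holds for every input; on the real step it holds only for a fraction of random inputs, which is the deterministic-to-probabilistic shift the slide above describes.

```python
"""Added example: the 6-step local collision on the linear SHI1 step (always holds)
and on the real SHA step (holds with some probability). Editor's code, not from the slides.

Assumptions: SHI1 = SHA step with f and all additions replaced by XOR; differences are
applied to the expanded words directly; K_0 of SHA is used as the constant."""
import random

MASK = 0xFFFFFFFF


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def f_xor(b, c, d):
    return b ^ c ^ d


def f_if(b, c, d):
    return (b & c) | (~b & d & MASK)


def f_maj(b, c, d):
    return (b & c) | (b & d) | (c & d)


def step(state, w, k, f, linear):
    """One iteration of the SHA compression function (linear=False) or of SHI1
    (linear=True, where every '+' becomes XOR). Returns the new (a, b, c, d, e)."""
    a, b, c, d, e = state
    if linear:
        t = rotl(a, 5) ^ f(b, c, d) ^ e ^ k ^ w
    else:
        t = (rotl(a, 5) + f(b, c, d) + e + k + w) & MASK
    return (t, a, rotl(b, 30), c, d)


# Disturbance of the slide: bit 1 of W_i, then corrections in bits 6, 1, 31, 31, 31
# of W_{i+1} ... W_{i+5}.
LOCAL_COLLISION = [1 << 1, 1 << 6, 1 << 1, 1 << 31, 1 << 31, 1 << 31]


def local_collision_holds(state, words, k, f, linear):
    """Run both messages from the same state; True if the states ag(i+5)ree after step i+5."""
    s1 = s2 = state
    for w, delta in zip(words, LOCAL_COLLISION):
        s1 = step(s1, w, k, f, linear)
        s2 = step(s2, w ^ delta, k, f, linear)
    return s1 == s2


def success_rate(f, linear, trials=2000, seed=7):
    """Fraction of random (state, words) pairs for which the local collision holds."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(trials):
        state = tuple(rng.getrandbits(32) for _ in range(5))
        words = [rng.getrandbits(32) for _ in range(6)]
        ok += local_collision_holds(state, words, 0x5A827999, f, linear)
    return ok / trials


if __name__ == "__main__":
    print("SHI1 (linear):   ", success_rate(f_xor, True))
    print("SHA, XOR rounds: ", success_rate(f_xor, False))
    print("SHA, IF rounds:  ", success_rate(f_if, False))
    print("SHA, MAJ rounds: ", success_rate(f_maj, False))
```

The bit-31 corrections succeed with certainty even in the real step, because a difference in the most significant bit produces no carry in modular addition; the bit-1 and bit-6 corrections are the ones that fail when a carry propagates or when the non-linear f does not pass the difference through, which is why the measured rates for the real step are well below 1 and lowest in the IF and MAJ rounds.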
Attacks on hash functions
Boomerang attack
Invented by David Wagner for block ciphers in 1999.
Applied to hash functions (SHA & SHA-1) by Antoine Joux and Thomas Peyrin, 2007.
Boomerang attack uses one or more auxiliary differences besides the main difference. This significantly improves the probability of finding collisions.
Attacks on hash functions
Boomerang attack
Diagram: a quartet of inputs P, P', Q, Q' connected by the main differences and by the auxiliary differences (labelled D, D' and C, C' on the slide).
Attacks on hash functions
Algebraic cryptanalysis
Uses algebraic properties of an algorithm.
Successfully applied to block ciphers (e.g. the works of Nicolas Courtois against AES).
Can be used in the context of other attacks.
Example: Makoto Sugita, Mitsuru Kawazoe, Hideki Imai (2006) attacked reduced-round SHA-1 by combining algebraic and differential cryptanalysis.
Attacks on hash functions
Message modification
Xiaoyun Wang, Hongbo Yu, 2005: step-by-step modification of the message to meet the conditions required by the differential characteristic.
The message modification technique speeds up the collision search by fulfilling the required conditions on the internal variables.
Attacks on hash functions
Meet in the middle attack
Can be applied when a function can be represented as two subfunctions (diagram): the first half of the message, M_1, is processed by hash_1() starting from IV, the second half, M_2, by hash_2(), giving H = hash_2(M_2, hash_1(M_1, IV)); and the second subfunction must be invertible.
Attacks on hash functions
Meet in the middle attack
Finding a preimage for a hash value H: 1. Compute hash_1() for variants of the first half of the message (and store the results in a table): T_x = hash_1(M_1x, IV).
2. Compute the inverted hash_2() for variants of the second half of the message: T_y = hash_2^{-1}(M_2y, H).
3. Search for matching T_x and T_y.
Attacks on hash functions
Correcting blocks
Allows finding preimages or collisions. Example for collisions: 1. Select arbitrary messages M and M*.
2. Find correcting blocks X and X* such that: hash(M || X) = hash(M* || X*).
Attacks on hash functions
Fixed points
A fixed point occurs when it is possible to find a message block M_i such that hash(M) = hash(M || M_i), i.e. the intermediate hash value remains the same after processing the block M_i.
Can be used for finding collisions.
Attacks on hash functions
Block-level manipulations
• inserting, • removing, • permuting, • substituting message blocks without affecting the hash value.
Attacks on hash functions
Two-block collisions
Eli Biham et al., 2004 (diagram): starting from h_0, blocks M_1 and M_1* lead to a near-collision h_1 ≈ h_1*; blocks M_2 and M_2* then turn it into a collision h_2.
Attacks on hash functions
Multi-block collisions
Diagram: from h_0, blocks M_1 and M_1* give a near-collision h_1 ≈ h_1*; M_2 and M_2* give a near-collision h_2 ≈ h_2*; …; from h_{k-1} and h_{k-1}* the blocks M_k and M_k* give a collision h_k.
Attacks on hash functions
Specific attacks on block cipher based hash functions
Allow finding collisions based on weaknesses of the underlying block cipher: • weak keys, • equivalent keys, • groups of keys, • related-key attacks.
Attacks on hash functions
Side-channel attacks
This group of attacks was introduced by Paul Kocher in 1996.
Passive side-channel attacks (an adversary only reads side-channel information): • Electromagnetic attacks.
• Power attacks (simple & differential).
• Timing attacks.
• Error-message attacks.
Attacks on hash functions
Side-channel attacks
Active side-channel attacks (an adversary influences the hash function implementation): • Optical, radiation or heating attacks.
• Spike & glitch attacks.
• Fault attacks (simple and differential).
• Hardware modification.
Attacks on hash functions
Side-channel attacks
Countermeasures: • Constant-time operations.
• Inserting random delays, noise, random variables etc., redundant computations.
• Error messages without extra information.
• Duplicating calculations and comparing their results.
• Shielding.
• Detection of external actions.
Attacks on hash functions
Other cryptanalytic methods
• Using neutral bits (Eli Biham & Rafi Chen, 2004) – bits of a message that do not influence the final or intermediate results during some rounds.
• Attacks that use specifics of hash function implementations in network protocols, signature schemes etc.
• Length-extension attack – appending data to the end of a message whose hash is known and computing the hash of the extended message without knowing the original (possible because the Merkle-Damgård output is the full internal state).
Section 2. SHA & SHA-1
• SHA structure; • SHA-1 structure; • SHA cryptanalysis; • SHA-1 cryptanalysis.
SHA
Overview Secure Hash Algorithm.
Designed by the U.S. National Security Agency in 1992.
U.S. hashing standard in 1993-1995 (FIPS 180).
Mandatory for U.S. federal departments and agencies for hashing unclassified information. Recommended for commercial organizations.
Renamed SHA-0 after SHA-1 appeared.
SHA
High-level structure 160-bit hash value.
Input data size – from 0 to (2^64 - 1) bits.
Merkle-Damgård construction with 512-bit data blocks.
The last block is always padded by: • a “1” bit; • zero bits when required; • the 64-bit input data length in bits.
SHA
Message block expansion 1. The 512-bit block is represented as 32-bit words W_0 … W_15.
2. The following 32-bit words W_16 … W_79 are calculated: W_n = W_{n-3} ⊕ W_{n-8} ⊕ W_{n-14} ⊕ W_{n-16} (diagram: the four earlier words are XORed to give W_n).
SHA
Compression function 80 iterations; each iteration (diagram): temp = (a <<< 5) + f_i(b, c, d) + e + K_i + W_i; e = d; d = c; c = b <<< 30; b = a; a = temp (additions modulo 2^32).
SHA
Compression function f_i functions: f(x, y, z) = (x & y) | (~x & z), i = 0…19; f(x, y, z) = x ⊕ y ⊕ z, i = 20…39, 60…79; f(x, y, z) = (x & y) | (x & z) | (y & z), i = 40…59.
SHA
Chaining and finalization Intermediate hash values: 32-bit registers A … E.
Chaining by addition modulo 2^32: A = A + a; B = B + b, etc.
No finalization is performed: the output hash value is the concatenation of A … E after processing the whole message.
SHA-1
Overview & high-level structure U.S. hashing standard since 1995 (FIPS 180-1, FIPS 180-2).
To be withdrawn (for some applications) in 2010.
All procedures are the same as in the SHA algorithm, except the message block expansion.
SHA-1
Message block expansion SHA-1 message block expansion: W_n = (W_{n-3} ⊕ W_{n-8} ⊕ W_{n-14} ⊕ W_{n-16}) <<< 1.
A one-bit left rotation was added to the SHA message block expansion procedure (diagram: the XOR of the four earlier words is rotated left by 1 before becoming W_n).
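Added example (the editor's code, not NIST's reference code and not from the slides): SHA (SHA-0) and SHA-1 written out in Python from the description above, so that the single difference between them, the <<< 1 in the message expansion, is visible as one flag. SHA-1 output is checked against Python's hashlib; SHA-0 is not in hashlib, and its "abc" value can be compared with the test vector given in FIPS 180.

```python
"""Added example: SHA (SHA-0) and SHA-1 from the slides' description; editor's code.
The only difference is the rotate flag in expand()."""
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def pad(msg):
    """Last block padding: a '1' bit, zero bits, then the 64-bit message length in bits."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bit_len)


def expand(block, rotate):
    """W_0..W_15 from the block; W_16..W_79 = W_{n-3} ^ W_{n-8} ^ W_{n-14} ^ W_{n-16},
    rotated left by one bit for SHA-1 (rotate=True) and not for SHA (rotate=False)."""
    w = list(struct.unpack(">16I", block))
    for n in range(16, 80):
        x = w[n - 3] ^ w[n - 8] ^ w[n - 14] ^ w[n - 16]
        w.append(rotl(x, 1) if rotate else x)
    return w


def f(i, b, c, d):
    """The f_i functions: IF for rounds 0-19, MAJ for 40-59, XOR otherwise."""
    if i < 20:
        return (b & c) | (~b & d & MASK)
    if 40 <= i < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def compress(h, block, rotate):
    """80 iterations of the step, then chaining by addition modulo 2^32."""
    a, b, c, d, e = h
    for i, w in enumerate(expand(block, rotate)):
        t = (rotl(a, 5) + f(i, b, c, d) + e + K[i // 20] + w) & MASK
        a, b, c, d, e = t, a, rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e)))


def sha_family(msg, rotate):
    h = IV
    data = pad(msg)
    for off in range(0, len(data), 64):
        h = compress(h, data[off:off + 64], rotate)
    return "".join(f"{x:08x}" for x in h)   # no finalization: A..E concatenated


def sha0(msg):
    return sha_family(msg, rotate=False)


def sha1(msg):
    return sha_family(msg, rotate=True)


def sha1_matches_hashlib(msg):
    return sha1(msg) == hashlib.sha1(msg).hexdigest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"a" * 1000):
        assert sha1_matches_hashlib(m)
        print(m[:8], "SHA-0:", sha0(m), " SHA-1:", sha1(m))
```

Because the expansion of SHA is purely an XOR of earlier words with no rotation, a message difference confined to one bit position stays in that position in every expanded word, which is what the disturbance-vector attacks in the cryptanalysis slides exploit; the added rotation in SHA-1 spreads such a difference across bit positions.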
SHA Cryptanalysis
Best results 1. Collisions: Stéphane Manuel, Thomas Peyrin, 2008: 2^33 operations (boomerang attack).
2. Preimages: Christophe De Cannière, Christian Rechberger, 2008: 2^153 operations to find a second preimage for SHA with 49 iterations (differential cryptanalysis, partial pseudo-preimages & meet-in-the-middle attack).
SHA-1 Cryptanalysis
Best results 1. Collisions: Stéphane Manuel, 2008: 2^51 operations (boomerang attack); Cameron McDonald, Philip Hawkes & Josef Pieprzyk, 2009: 2^52 operations (differential cryptanalysis).
2. Preimages: Christophe De Cannière, Christian Rechberger, 2008: 2^157 operations to find a second preimage for SHA-1 with 44 iterations (complex attack).
SHA-1 Cryptanalysis
Collision search countermeasures 1. Michael Szydlo & Yiqun Lisa Yin, 2005: strengthened hash function H*(m) = H(φ(m)), where φ(m) is a preprocessing function that can perform: • message whitening (inserting specific blocks – SHApp algorithm); • self-interleaving of message blocks.
SHA-1 Cryptanalysis
Collision search countermeasures 2. Shai Halevi, Hugo Krawczyk, 2006 (IBM): randomized hashing: H*(r, m_1, …, m_N) = H(r, m_1 ⊕ r, …, m_N ⊕ r), where r is a block-sized random number.
SHA-1 Cryptanalysis
Strengthening SHA-1 Charanjit Jutla, Anindya Patthak, 2005 (IBM) – SHA1-IME (improved message expansion):
W_n = W_{n-3} ⊕ W_{n-8} ⊕ W_{n-14} ⊕ W_{n-16} ⊕ ((W_{n-1} ⊕ W_{n-2} ⊕ W_{n-15}) <<< 1) for n = 16…35;
W_n = W_{n-3} ⊕ W_{n-8} ⊕ W_{n-14} ⊕ W_{n-16} ⊕ ((W_{n-1} ⊕ W_{n-2} ⊕ W_{n-15} ⊕ W_{n-20}) <<< 1) for n = 36…79.
SHA-1 Cryptanalysis
Strengthening SHA-1 Diagrams: SHA-1 expansion – W_{n-16}, W_{n-14}, W_{n-8} and W_{n-3} are XORed and the result is rotated left by 1 to give W_n; SHA1-IME – the same, plus a second branch that XORs W_{n-1}, W_{n-2}, W_{n-15} (and W_{n-20} for n ≥ 36), rotates the result left by 1 and XORs it into W_n.
Section 3. SHA-2
• SHA-2 overview; • SHA-256; • SHA-224; • SHA-512; • SHA-384; • SHA-2 cryptanalysis.
SHA-2
Overview U.S. hashing standard since 2002 (FIPS 180-2).
SHA-2 is a family of hashing algorithms: • SHA-224 (since 2004 – defined in the updated version of FIPS 180-2); • SHA-256, SHA-384, SHA-512.
The n in SHA-n means an n-bit output hash value.
Patented by the NSA but allowed for free use (U.S. Patent # 6829355).
SHA-2
High-level structure Input data size – from 0 to: • (2^64 - 1) bits for SHA-224 & SHA-256; • (2^128 - 1) bits for SHA-384 & SHA-512.
Merkle-Damgård construction. 512-bit or 1024-bit data blocks.
The last block is padded in the same way as in SHA, but a 128-bit data length (instead of 64-bit) is used for SHA-384 & SHA-512.
SHA-256
Message block expansion 1. The 512-bit block is represented as 32-bit words W_0 … W_15.
2. The following 32-bit words W_16 … W_63 are calculated: W_n = Sig_{1,256}(W_{n-2}) + W_{n-7} + Sig_{0,256}(W_{n-15}) + W_{n-16} mod 2^32, where: Sig_{0,256}(x) = (x >>> 7) ⊕ (x >>> 18) ⊕ (x >> 3), Sig_{1,256}(x) = (x >>> 17) ⊕ (x >>> 19) ⊕ (x >> 10).
SHA-256
Message block expansion (diagram): W_{n-2} passes through >>>17, >>>19 and >>10 (Sig_{1,256}), W_{n-15} through >>>7, >>>18 and >>3 (Sig_{0,256}), and the two results are added to W_{n-7} and W_{n-16} to give W_n.
SHA-256
Compression function
64 iterations; each iteration (diagram) updates the registers a … h:
T_1 = h + Sum_{1,256}(e) + Ch(e, f, g) + K_{i,256} + W_i;
T_2 = Sum_{0,256}(a) + Maj(a, b, c);
h = g; g = f; f = e; e = d + T_1; d = c; c = b; b = a; a = T_1 + T_2 (additions modulo 2^32).
SHA-256
Compression function Functions of the iteration: Sum_{0,256}(x) = (x >>> 2) ⊕ (x >>> 13) ⊕ (x >>> 22); Sum_{1,256}(x) = (x >>> 6) ⊕ (x >>> 11) ⊕ (x >>> 25); Ch(x, y, z) = (x & y) ⊕ (~x & z); Maj(x, y, z) = (x & y) ⊕ (x & z) ⊕ (y & z).
SHA-256
Chaining and finalization Intermediate hash values: 32-bit registers A … H.
Chaining by addition modulo 2^32: A = A + a; B = B + b, etc.
No finalization is performed: the output hash value is the concatenation of A … H after processing the whole message.
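Added example (the editor's code, not NIST's and not from the slides): SHA-256 written out from the description above and then used to show what "no finalization" means in practice: the published digest is the complete chaining state, so anyone who knows a digest and the length of the hashed data can keep compressing from it, which is the length-extension attack mentioned in the cryptanalysis review. Assumptions not in the original: the constants K_{i,256} and the initial value are derived here from the cube and square roots of the first primes, as FIPS 180-2 defines them, rather than typed in; the secret-prefix MAC scenario, its key and the messages are constructed for the demonstration.

```python
"""Added example: SHA-256 from the slides' description plus a length-extension
forgery of H(secret || m). Editor's code; the MAC scenario is constructed."""
import hashlib
import math
import struct

MASK = 0xFFFFFFFF


def first_primes(count):
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def icbrt(n):
    """Exact integer cube root by binary search (floats are not precise enough)."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


PRIMES = first_primes(64)
K = [icbrt(p << 96) & MASK for p in PRIMES]                 # frac(cbrt(p)) * 2^32
IV = tuple(math.isqrt(p << 64) & MASK for p in PRIMES[:8])  # frac(sqrt(p)) * 2^32


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def sig0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)
def sig1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)
def sum0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)
def sum1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)


def compress(state, block):
    """Message expansion to W_0..W_63, 64 iterations, chaining by modular addition."""
    w = list(struct.unpack(">16I", block))
    for n in range(16, 64):
        w.append((sig1(w[n - 2]) + w[n - 7] + sig0(w[n - 15]) + w[n - 16]) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        ch = (e & f) ^ (~e & g & MASK)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t1 = (h + sum1(e) + ch + K[i] + w[i]) & MASK
        t2 = (sum0(a) + maj) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h)))


def padding(total_len):
    """Padding for a message of total_len bytes: '1' bit, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha256(msg, state=IV, already_hashed=0):
    """Hash msg starting from `state`, the result of hashing already_hashed bytes;
    with the defaults this is plain SHA-256."""
    data = msg + padding(already_hashed + len(msg))
    for off in range(0, len(data), 64):
        state = compress(state, data[off:off + 64])
    return "".join(f"{x:08x}" for x in state)


def length_extend(digest_hex, known_len, suffix):
    """From H(secret || m) and len(secret || m), forge H(secret || m || glue || suffix)
    without the secret: the digest is parsed back into the eight registers."""
    state = tuple(int(digest_hex[i:i + 8], 16) for i in range(0, 64, 8))
    glue = padding(known_len)
    return glue, sha256(suffix, state, known_len + len(glue))


def demo():
    secret, msg, suffix = b"secret-key-0", b"amount=10&to=alice", b"&to=mallory"
    mac = sha256(secret + msg)                           # what the attacker sees
    glue, forged_mac = length_extend(mac, len(secret) + len(msg), suffix)
    real_mac = sha256(secret + msg + glue + suffix)      # what the verifier computes
    return forged_mac, real_mac, msg + glue + suffix


def matches_hashlib(msg):
    return sha256(msg) == hashlib.sha256(msg).hexdigest()


if __name__ == "__main__":
    forged, real, extended = demo()
    print("forged MAC matches:", forged == real, extended)
```

The forged tag verifies because the verifier's own computation passes through exactly the state the attacker resumed from; the attacker only needs to guess the secret's length to place the glue padding correctly. This is why a keyed hash should be built as HMAC, or on a construction with a finalization or output truncation, rather than as H(key || message).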
SHA-224
SHA-224 compared to SHA-256 The same structure as SHA-256 except for the following differences: • Another initial value.
• The output hash value is the concatenation of registers A … G (instead of A … H) – i.e. a truncated SHA-256 hash value.
SHA-512
Message block expansion 1. The 1024-bit block is represented as 64-bit words W_0 … W_15.
2. The following 64-bit words W_16 … W_79 are calculated: W_n = Sig_{1,512}(W_{n-2}) + W_{n-7} + Sig_{0,512}(W_{n-15}) + W_{n-16} mod 2^64, where: Sig_{0,512}(x) = (x >>> 1) ⊕ (x >>> 8) ⊕ (x >> 7), Sig_{1,512}(x) = (x >>> 19) ⊕ (x >>> 61) ⊕ (x >> 6).
SHA-512
Compression function
80 iterations of the same step as in SHA-256 (diagram), on 64-bit registers a … h with Sum_{0,512}, Sum_{1,512}, K_{i,512} and additions modulo 2^64.
SHA-512
Compression function Slightly modified Sum-functions: Sum_{0,512}(x) = (x >>> 28) ⊕ (x >>> 34) ⊕ (x >>> 39); Sum_{1,512}(x) = (x >>> 14) ⊕ (x >>> 18) ⊕ (x >>> 41).
SHA-512
Chaining and finalization Intermediate hash values: 64-bit registers A … H.
Chaining by addition modulo 2^64: A = A + a; B = B + b, etc.
No finalization is performed: the output hash value is the concatenation of A … H after processing the whole message.
SHA-384
SHA-384 compared to SHA-512 The same structure as SHA-512 except for the following differences: • Another initial value.
• The output hash value is the concatenation of registers A … F (instead of A … H) – i.e. a truncated SHA-512 hash value.
SHA-2 Cryptanalysis
Best results Collisions. Somitra Sanadhya, Palash Sarkar: • 2^16 operations & 2^35 bytes of memory to find a collision for SHA-256 with 24 iterations; • 2^23 operations & 2^68 bytes of memory to find a collision for SHA-512 with 24 iterations.
SHA-2 Cryptanalysis
Strengthening SHA-2
SShash algorithm by Somitra Sanadhya & Palash Sarkar (round diagram on the slide): a SHA-2-like step over registers a … h built from Ch, Maj, the functions Gam_{0,n} and Gam_{1,n}, the constant K_{i,n} and the message word W_i, with a different arrangement of the additions than in SHA-2.
Section 4. SHA-3
• SHA-3 project overview; • algorithms not selected to round 1; • algorithms of round 1; • algorithms of round 2; • summarizing; • round 2 algorithms performance; • conclusion.
SHA-3
Overview SHA-3 project is an open competition for a new SHA-3 hash function.
Main project timelines: • November 2007: submission requirements were published; • October 2008: the deadline for algorithm submissions; • 2010: selecting finalists of the project; • 2012: selecting a winner.
Algorithms not in round 1
Abacus Author: Neil Sholer (WaveStrong).
High-level structure: cryptographic sponge.
Compression function based on feedback shift registers.
Conceded broken by Ivica Nikolić & Dmitry Khovratovich: a meet-in-the-middle attack finds a second preimage in 2^172 operations.
Algorithms not in round 1
Boole Author: Gregory Rose (Qualcomm).
High-level structure: cryptographic sponge.
Compression function based on non-linear feedback shift register.
Broken by Tomislav Nad: collision attack: • 2^34 operations for 256-bit hash; • 2^66 operations for 512-bit hash.
Algorithms not in round 1
DCH Author: David Wilson.
High-level structure: Merkle-Damgård construction.
Compression function: substitution-permutation network block cipher.
Broken by Mario Lamberger & Florian Mendel: just 521 operations to find collision or preimage.
Algorithms not in round 1
Khichidi-1 Author: Natarajan Vijayarangan (Tata Consultancy Services, Ltd.).
High-level structure: Merkle-Damgård construction.
Compression function: linear feedback shift register.
Broken by: • Nicky Mouha – collision example; • Prasanth Thandra & Satya Murty: instant collisions or second preimages.
Algorithms not in round 1
Maraca Author: Robert Jenkins Jr.
High-level structure: original iterative structure.
Compression function: parallel substitution of fragments of the internal state by 8×8 S-boxes.
Broken by Sebastiaan Indesteege: instant preimage finding.
Algorithms not in round 1
MeshHash Author: Björn Fay.
High-level structure: cryptographic sponge.
Compression function: multistream processing of the internal state with permutations between data streams.
Conceded broken by its author because of certification meet-in-the-middle attacks by Søren Thomsen: e.g. a 2nd preimage for a 256-bit hash value in 2^194 operations.
Algorithms not in round 1
NKS 2D Author: Geoffrey Park.
High-level structure: stream hashing.
Compression function: two-dimensional cellular automata.
Broken by: • Christophe De Cannière: collision example for 224-bit hash; • Brandon Enright: collision example for 512-bit hash.
Algorithms not in round 1
Ponic Author: Peter Schmidt-Nielsen.
High-level structure: wide-pipe Merkle-Damgård construction.
Compression function: shift registers.
Certification attacks by María Naya-Plasencia: 2^265 operations & 2^256 memory blocks to find a 2nd preimage for 512-bit hash.
Algorithms not in round 1
SHAMATA Authors: Adem Atalay, Orhun Kara, Ferhat Karakoç and Cevat Manap (National Research Institute of Electronics and Cryptology, Turkey).
High-level structure: wide-pipe Merkle-Damgård construction with finalization.
Compression function: feedback shift registers.
Broken by Florian Mendel, Martin Schläffer, Christian Rechberger, Sebastiaan Indesteege: collision example for 256-bit hash (2^40 operations).
Algorithms not in round 1
StreamHash Author: Michal Trojnara.
High-level structure: stream hashing.
Compression function: original structure based on S boxes.
Broken by Tor Bjørstad: collision example for 256-bit hash.
Algorithms not in round 1
Tangle Authors: Rafael Alvarez, Gary McGuire, Antonio Zamora.
High-level structure: wide-pipe Merkle-Damgård construction.
Compression function: substitution-permutation network.
Broken by Søren Thomsen: collision example (2^13 – 2^28 operations required).
Algorithms not in round 1
WaMM Author: John Washburn.
High-level structure: wide-pipe Merkle-Damgård construction with finalization.
Compression function: original structure based on matrix operations.
Broken by David Wilson: several operations to find a collision or second preimage for all sizes of hash value.
Algorithms not in round 1
Waterfall Author: Bob Hattersley (Opta Consulting).
High-level structure: original iterative structure.
Compression function: shift registers and entropy arrays (“pools”).
Conceded broken by Scott Fluhrer: 2^70 operations to find a collision.
Round 1 algorithms
ARIRANG (structure) Authors: Specialists from Korea University, Seoul.
High-level structure: Merkle-Damgård construction.
Compression function: generalized Feistel network with feed-forward operations.
Round 1 algorithms
ARIRANG (cryptanalysis) Attacks: • Jian Guo et al.: instant near-collisions (256- or 512-bit hash), 2^23 operations to find pseudo-collisions (224- or 384-bit hash); • Deukjo Hong, Woo-Hwan Kim, Bonwook Koo: 2^481 operations to find a preimage for the 512-bit round-reduced (33 of 40 iterations) algorithm.
Relatively high security margin, but simple near- & pseudo-collision attacks.
Round 1 algorithms
AURORA (structure) Authors: Specialists from Sony Corporation & Nagoya University, Japan.
High-level structure: • Merkle-Damgård construction with finalization (AURORA-224, 256); • “Double-Mix” wide-pipe Merkle-Damgård construction with finalization (AURORA-224M, 256M, 384, 512).
Compression function: substitution-permutation network.
Round 1 algorithms
AURORA (cryptanalysis) Several certification attacks: • Yu Sasaki: 2^259 operations to find the 512-bit key of keyed AURORA-512 (HMAC mode); 2^236 operations & huge memory to find an 8-block message collision for 512-bit hash; • Niels Ferguson & Stefan Lucks: 2^291 operations to find a 2nd preimage for 512-bit hash.
Medium security margin.
Round 1 algorithms
Blender Author: Colin Bradbury.
High-level structure: original iterative structure (2 streams with mixing operations, using checksums while padding the message).
Compression function: one strong iteration with permutation operations for each block processing.
Broken by Vlastimil Klima: 10 · 2^(n/4) operations to find a preimage for n-bit hash (i.e. 10 · 2^56 operations for 224-bit hash); also a near-collision example.
Round 1 algorithms
Cheetah Authors: Dmitry Khovratovich, Alex Biryukov, Ivica Nikolić (University of Luxembourg).
High-level structure: iterative structure with feed forward & pre-finalization before last block processing.
Compression function: substitution-permutation network based on AES functions.
No attacks on full-round Cheetah found.
Round 1 algorithms
CHI Authors: Phil Hawkes & Cameron McDonald (Qualcomm, Australia).
High-level structure: Merkle-Damgård construction.
Compression function: generalized Feistel network.
No attacks found.
Round 1 algorithms
CRUNCH Authors: large group of experts.
High-level structure: Merkle-Damgård construction.
Compression function: unbalanced Feistel network.
No attacks on the main requirements found (but Mustafa Çoban found that length-extension attacks on CRUNCH are possible).
Round 1 algorithms
Dynamic SHA Author: Zijie Xu.
High-level structure: Merkle-Damgård construction.
Compression function: generalized Feistel network.
Broken by: • Jean-Philippe Aumasson et al.: collision examples (2^22 operations for 512-bit hash, 2^21 for 256-bit); • length-extension attack by Vlastimil Klima; • Sebastiaan Indesteege: collision examples.
Round 1 algorithms
Dynamic SHA2 Author: Zijie Xu.
High-level structure: Merkle-Damgård construction.
Compression function: generalized Feistel network.
Broken by: • Jean-Philippe Aumasson et al.: 2^52 operations to find a collision for 256-bit hash; • Hongbo Yu & Xiaoyun Wang: 2^45 operations to find a near-collision for 256-bit hash; • length-extension attack by Vlastimil Klima.
Round 1 algorithms
ECOH Authors: Daniel Brown, Matt Campagna, Rene Struik (Certicom Corp., Canada).
High-level structure: original iterative structure.
Compression function: computations over a group of elliptic curve points.
Attacked by Michael Halcrow & Niels Ferguson: 2^143 operations to find a 2nd preimage for 256-bit hash (2^287 for 512-bit hash).
Relatively low security margin.
Round 1 algorithms
Edon-R (structure) Author: Danilo Gligoroski.
High-level structure: Merkle-Damgård construction.
Compression function: quasigroup operations.
Round 1 algorithms
Edon-R (attacks) Attacks: • Dmitry Khovratovich, Ivica Nikolić, Ralf-Philipp Weinmann: 2^(2n/3) operations to find a preimage for n-bit hash; pseudo-attacks with minimal time consumption.
• Gaëtan Leurent: practical key-recovery attack (for the keyed version of Edon-R).
Relatively high security margin, but some doubts about the pseudo-attacks. The keyed version attacked by G. Leurent cannot be used.
Round 1 algorithms
EnRUPT Authors: Sean O’Neil, Karsten Nohl, Luca Henzen.
High-level structure: stream hashing.
Compression function: some permutation operations while inserting input word into the internal state.
Broken by Sebastiaan Indesteege: collision example for 256-bit hash (2^40 operations).
Round 1 algorithms
ESSENCE Authors: Jason Martin.
High-level structure: balanced binary tree.
Compression function: feedback shift registers.
Attacked by María Naya-Plasencia et al.: 2^91 operations to find a collision for 256-bit hash, 2^168 operations for 512-bit hash.
Low security margin.
Tree-based structure of hash functions (diagram): the padded message is split into leaves, the compression function calls form the inner nodes, and the root gives the hash value.
Round 1 algorithms
FSB Authors: several experts from French National Institute for Research in Computer Science and Control.
High-level structure: wide-pipe Merkle-Damgård construction with finalization.
Compression function: based on vector operations.
No attacks found.
Round 1 algorithms
LANE Author: Sebastiaan Indesteege, Catholic University of Leuven, Belgium.
High-level structure: Merkle-Damgård construction with finalization.
Compression function: substitution-permutation network based on AES functions.
No attacks found.
Round 1 algorithms
Lesamnta Authors: Shoichi Hirose, Hidenori Kuwakado, Hirotaka Yoshida.
High-level structure: Merkle-Damgård construction with finalization.
Compression function: unbalanced Feistel network.
No attacks found.
Round 1 algorithms
LUX Authors: Ivica Nikolić, Alex Biryukov, Dmitry Khovratovich (University of Luxembourg).
High-level structure: stream hashing.
Compression function: two arrays of the internal state are updated by one AES round for every input word.
Attacked by Dai Watanabe: 2^100 operations to find a collision for 256-bit hash (2^200 for a 2nd preimage), 2^228 for 512-bit hash.
Relatively low security margin.
Round 1 algorithms
MCSSHA-3 Author: Mikhail Maslennikov.
High-level structure: stream hashing.
Compression function: non-linear feedback shift register.
Attacked by Jean-Philippe Aumasson & María Naya-Plasencia: 2^(3n/8) operations to find a collision, 2^(3n/4) to find a 2nd preimage for n-bit hash.
Relatively low security margin.
Round 1 algorithms
MD6 Authors: large group of experts with leadership of Ronald Rivest.
High-level structure: tree.
Compression function: non-linear feedback shift register.
No attacks found.
Algorithm was withdrawn from SHA-3 project by its authors.
Round 1 algorithms
NaSHA Authors: Smile Markovski & Aleksandra Mileva.
High-level structure: wide-pipe Merkle-Damgård construction.
Compression function: unbalanced Feistel network.
Attacked by Zhimin Li et al.: 2^128 operations to find a collision for 512-bit NaSHA.
The authors of NaSHA disproved the results of Li Z. et al.
Round 1 algorithms
SANDstorm Authors: large group of experts, mainly from Sandia National Laboratories, U. S.
High-level structure: tree.
Compression function: original structure with substitution-permutation operations.
No attacks found.
Round 1 algorithms
Sarmal Authors: Kerem Varıcı, Onur Özen, Çelebi Kocair (Middle East Technical University, Turkey).
High-level structure: wide-pipe Merkle-Damgård construction modification with feed-forward.
Compression function: generalized Feistel network.
Attacked by Florian Mendel & Martin Schläffer: 2^(n/3) operations & 2^(n/3) memory blocks to find a collision for n-bit hash.
Low security margin.
Round 1 algorithms
Sgàil Author: Peter Maxwell.
High-level structure: wide-pipe Merkle-Damgård construction.
Compression function: substitution-permutation network.
Attacked by its author: instant collision for all hash sizes.
The algorithm was modified by its author. Attacks on the modified version are not found.
Round 1 algorithms
Spectral Hash Authors: large group of experts from University of California at Santa Barbara, U. S.
High-level structure: wide-pipe Merkle-Damgård construction.
Compression function: 3-dimensional array processed by discrete Fourier transform.
Broken independently by Brandon Enright, Tor Bjørstad & Ethan Heilman: instant collisions.
Round 1 algorithms
SWIFFTX Authors: large group of experts from Israel and U. S.
High-level structure: slightly modified Merkle-Damgård construction with finalization.
Compression function: original construction based on fast Fourier transform.
No attacks found.
Round 1 algorithms
TIB3 Authors: Miguel Montes, Daniel Penazzi (Cordoba University, Spain).
High-level structure: Merkle-Damgård construction with feed-forward & finalization.
Compression function: generalized Feistel network.
Attacked by Florian Mendel, Martin Schläffer: 2^122 operations & 2^53 memory to find a collision for 256-bit hash.
Medium security margin.
Round 1 algorithms
Twister (structure) Authors: Ewan Fleischmann, Christian Forler & Michael Gorski.
High-level structure: Merkle-Damgård construction with finalization.
Compression function: substitution-permutation network based on AES functions.
Round 1 algorithms
Twister (attacks) Several certification attacks by Florian Mendel, Christian Rechberger & Martin Schläffer, e. g. 2^384 operations to find a 2nd preimage for 512-bit hash.
Relatively high security margin.
Round 1 algorithms
Vortex Authors: Shay Gueron & Michael Kounavis (Intel Corp.).
High-level structure: Merkle-Damgård construction with finalization.
Compression function: substitution-permutation network based on AES functions.
Attacked by Lars Knudsen, Florian Mendel, Christian Rechberger, Søren Thomsen: 2^(3n/4) operations to find a preimage for n-bit hash.
Relatively low security margin.
Round 2 algorithms
BLAKE (overview) Authors: Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael Phan.
High-level structure: modified Merkle-Damgård construction: local wide-pipe with finalization.
Compression function: permutation operations.
One of the fastest round 2 algorithms.
Round 2 algorithms
BLAKE (structure) G function – the basis of round permutation.
10 or 14 rounds with 8 G-function calls each.
[Figure: BLAKE G function on state words a, b, c, d with message words m_x, m_y and constants c_x, c_y: a += b + (m_x ⊕ c_y); d = (d ⊕ a) >>> 16; c += d; b = (b ⊕ c) >>> 12; a += b + (m_y ⊕ c_x); d = (d ⊕ a) >>> 8; c += d; b = (b ⊕ c) >>> 7; outputs a, b, c, d.]
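The G function and the round of eight G calls described above, as an added Python example (not code from the slides or from the BLAKE team); the sigma permutation and constant table are passed in as parameters rather than reproduced, and the sample inputs are constructed:

```python
# Added example, not from the slides: the BLAKE-256 G function and one round of
# eight G calls (four on the columns, four on the diagonals of the 4x4 word state).
MASK32 = 0xFFFFFFFF

def rotr32(x, n):
    """Rotate a 32-bit word right by n bits."""
    return ((x >> n) | (x << (32 - n))) & MASK32

def blake256_g(a, b, c, d, mx, my, cx, cy):
    """One G call on state words a, b, c, d. mx, my are the two message words
    and cx, cy the two constants that the round's sigma permutation selects."""
    a = (a + b + (mx ^ cy)) & MASK32
    d = rotr32(d ^ a, 16)
    c = (c + d) & MASK32
    b = rotr32(b ^ c, 12)
    a = (a + b + (my ^ cx)) & MASK32
    d = rotr32(d ^ a, 8)
    c = (c + d) & MASK32
    b = rotr32(b ^ c, 7)
    return a, b, c, d

# Which state words each of the 8 G calls touches: columns first, then diagonals.
G_INDEX = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def blake256_round(v, m, const, sigma):
    """Apply one round to the 16-word state v and return the new state.
    m: 16 message words; const: 16 constant words; sigma: this round's
    permutation of 0..15 (the real BLAKE tables are not reproduced here)."""
    v = list(v)
    for i, (ia, ib, ic, id_) in enumerate(G_INDEX):
        x, y = sigma[2 * i], sigma[2 * i + 1]
        v[ia], v[ib], v[ic], v[id_] = blake256_g(
            v[ia], v[ib], v[ic], v[id_], m[x], m[y], const[x], const[y])
    return v

if __name__ == "__main__":
    # Constructed sample inputs: zero state and constants, a one-bit message,
    # identity sigma; the single message bit spreads across the whole state.
    state = [0] * 16
    msg = [1] + [0] * 15
    consts = [0] * 16
    print([hex(w) for w in blake256_round(state, msg, consts, list(range(16)))])
```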
Round 2 algorithms
BLAKE (attacks) Certification attacks on reduced-round BLAKE: • Ji Li & Liangyu Xu: preimage for 512-bit BLAKE with 2.5 rounds – 2^481 operations; • Jian Guo & Krystian Matusiewicz: near-collision for compression function of 256-bit BLAKE with 4 rounds – 2^42 operations.
Very high security margin.
Round 2 algorithms
Blue Midnight Wish (overview) Authors: large group of experts, mainly from Norwegian University of Science and Technology.
High-level structure: wide-pipe Merkle-Damgård construction.
Compression function: sequential processing of the current state by 3 different functions with feed forward.
One of the fastest round 2 algorithms.
Round 2 algorithms
Blue Midnight Wish (structure) Compression function structure:
[Figure: the State and the Message block pass through f0(), f1() and f2() in sequence, producing the new State.]
Round 2 algorithms
Blue Midnight Wish (attacks) Certification attacks by Søren Thomsen: • instant near collision for compression function of 256-bit Blue Midnight Wish (11 different bits); • pseudo-collision (2^(3n/8+1) operations) or pseudo-preimage (2^(3n/4+1) operations) for n-bit Blue Midnight Wish.
Very high security margin.
Round 2 algorithms
CubeHash (overview) Author: Daniel Bernstein (University of Illinois at Chicago).
High-level structure: stream hashing.
Compression function: Feistel network.
Relative performance greatly depends on the platform and on the size of the test message – from the fastest round 2 algorithm to the slowest one.
Round 2 algorithms
CubeHash (structure) CubeHash round:
[Figure: one CubeHash round built from additions, XORs, rotations by 7 and 11 bits, and word swaps.]
Round 2 algorithms
CubeHash (structure) CubeHash r / b parameters: • r – number of rounds; • b – message block size in bytes.
The originally submitted variant, CubeHash8/1, is very slow.
It was replaced with CubeHash16/32, which is about 16 times faster.
Round 2 algorithms
CubeHash (attacks) Several attacks (including practical ones) on variants with reduced rounds and larger blocks (e. g. CubeHash2/4 or CubeHash1/45).
Several certification preimage attacks on submitted versions of CubeHash – by Jean-Philippe Aumasson et al. and by Dmitry Khovratovich et al.
Security margin can be considered high.
Round 2 algorithms
ECHO (overview & attacks) Authors: large group of experts from Orange Labs (France).
High-level structure: wide-pipe Merkle-Damgård construction.
Compression function: substitution-permutation network based on AES functions.
One of the slowest round 2 algorithms.
No attacks found.
Round 2 algorithms
ECHO (structure) Internal state: 4 × 4 array of 128-bit words.
8 rounds of substitution (shown in the figure) and permutation operations similar to the AES round.
[Figure: ECHO substitution step: two consecutive AES-128 rounds, one keyed with the Counter and one with the Salt.]
Round 2 algorithms
Fugue Authors: Shai Halevi, William Hall, Charanjit Jutla (IBM).
High-level structure: stream hashing.
Compression function: substitution-permutation network based on AES functions.
Features: 32-bit blocks; relatively large internal state; strengthened AES transforms.
Relatively low performance.
No attacks found.
Round 2 algorithms
Grøstl (overview & attacks) Authors: several experts from Technical University of Denmark & Graz University of Technology, Austria.
High-level structure: wide-pipe Merkle-Damgård construction with finalization.
Compression function: substitution-permutation network based on AES functions.
Relatively low performance.
No attacks found.
Round 2 algorithms
Grøstl (structure) P and Q functions perform 10 or 14 rounds of modified AES transformations.
P and Q differ from each other in round constants only.
[Figure: Grøstl compression function: Q() applied to the Message block, P() applied to State ⊕ Message block, both results XORed with the State to give the new State.]
Round 2 algorithms
Hamsi (overview & attacks) Author: Özgül Küçük (Catholic University of Leuven, Belgium).
High-level structure: concatenate-permute-truncate.
Compression function: substitution-permutation network.
Relatively low performance.
No attacks found.
Round 2 algorithms
Hamsi (structure) C , P , and T -functions (“concatenate-permute-truncate”) form Hamsi compression function.
32- or 64-bit message blocks (expanded to 256 or 512 bits each).
[Figure: Hamsi compression function: the expanded Message block and h_{i-1} are concatenated by C(), the State is permuted by P() and truncated by T() to give h_i.]
Round 2 algorithms
JH (overview) Author: Hongjun Wu (Institute for Infocomm Research, Singapore).
High-level structure: wide-pipe Merkle-Damgård construction.
Compression function: substitution-permutation network.
Medium performance.
Round 2 algorithms
JH (structure) Compression function structure:
[Figure: JH compression function: the Message block is XORed into one half of h_{i-1}, the bijection E() is applied, and the Message block is XORed into the other half of the result to give h_i.]
Round 2 algorithms
JH (attacks) Certification attack by Florian Mendel and Søren Thomsen: 2^510 operations & 2^510 memory blocks to find a preimage for 512-bit JH.
Hongjun Wu disproved the attack.
Round 2 algorithms
Keccak (overview & attacks) Authors: Guido Bertoni, Joan Daemen, Michaël Peeters & Gilles Van Assche.
High-level structure: cryptographic sponge.
Compression function: permutation operations.
Relatively high performance.
No attacks found.
Round 2 algorithms
Keccak (structure) Compression function round:
[Figure: one round of the Keccak permutation on state A in five steps: column parities C and D are XORed into the state, lanes are rotated into B, the non-linear step combines each lane with the AND of the NOT of one neighbour and the next, and a round constant is added.]
Round 2 algorithms
Luffa (overview) Authors: Christophe De Cannière, Hisayoshi Sato & Dai Watanabe.
High-level structure: cryptographic sponge.
Compression function: substitution-permutation network.
High performance.
Round 2 algorithms
Luffa (structure) Compression function structure:
[Figure: IV and message blocks M0, M1, ... are absorbed by message injection MI into w parallel branches, each updated by its own function Q0, Q1, ..., Q_{w-1}, at every step.]
Round 2 algorithms
Luffa (structure) Round of Q-functions:
[Figure: S-box layer, four linear functions L(), and addition of round constants C.]
Round 2 algorithms
Luffa (attacks) Several “pseudo”-attacks by Keting Jia: • instant pseudo-collisions and 2nd pseudo-preimages; • instant pseudo-preimages for 224- or 256-bit hash; • 2^64 operations and 2^64 memory to find a pseudo-preimage for 384-bit hash.
No attacks found on main security requirements.
But “pseudo”-attacks can be used in the context of other attacks.
Round 2 algorithms
Shabal (overview & attacks) Authors: large group of experts of Saphir project funded by French National Research Agency.
High-level structure: strengthened Merkle-Damgård construction (includes some sponge-like operations and feed-forward).
Compression function: shift registers with different kinds of feedback.
One of the fastest round 2 algorithms.
No attacks found.
Round 2 algorithms
Shabal (structure) Compression function structure:
[Figure: state registers A, B, C and counter W (incremented each step); message block M1 is added into the state, permutation P() is applied and M1 subtracted; the same is repeated for M2.]
Round 2 algorithms
SHAvite-3 (overview & attacks) Authors: Eli Biham & Orr Dunkelman.
High-level structure: Merkle-Damgård construction with finalization.
Compression function: Feistel network (224- or 256-bit hash) or generalized Feistel network (384- or 512-bit hash) based on AES operations.
One of the slowest round 2 algorithms.
No attacks found.
Round 2 algorithms
SHAvite-3 (structure) Compression function for 224- or 256-bit hash:
[Figure: Feistel structure whose round function is AES rounds applied to the State; round keys come from key extension of message block M_i, the salt and counter Ctr.]
Round 2 algorithms
SHAvite-3 (structure) Compression function round for 384- or 512-bit hash:
[Figure: generalized Feistel round with two groups of 4 AES rounds, each fed by its round keys.]
Round 2 algorithms
SIMD (overview & attacks) Authors: Gaëtan Leurent, Pierre-Alain Fouque & Charles Bouillaguet (École Normale Supérieure, Paris).
High-level structure: wide-pipe Merkle-Damgård construction with finalization.
Compression function: generalized Feistel network.
Relatively high performance.
No attacks found.
Round 2 algorithms
SIMD (structure) Compression function structure:
[Figure: 32-bit state words updated by f() functions, expanded message words W_x and W_y, additions and rotations by r and s bits.]
Round 2 algorithms
Skein (overview) Authors: Large group of experts.
High-level structure: Unique Block Iteration.
Compression function: substitution-permutation network.
Relatively high performance.
Round 2 algorithms
Skein (structure) Compression function based on Threefish block cipher.
72 or 80 rounds based on permutations and parallel MIX operations:
[Figure: MIX on words x0, x1: y0 = x0 + x1; y1 = (x1 <<< R) ⊕ y0.]
Round 2 algorithms
Skein (attacks) Several attacks on reduced-round Skein procedures by Jean-Philippe Aumasson et al.: • near-collision for 17-round compression function of Skein – 2^24 operations; • key recovery attack on 34-round Threefish – 2^312 operations.
Very high security margin.
Structures tables
High-level structures Merkle-Damgård construction and its variants.
Structures tables
High-level structures Other structures.
Structures tables
High-level structures statistics
Structures table
Compression function structures
Structures table
Compression function structures statistics
Performance tables
Claimed performance by authors. Source: Ewan Fleischmann et al. “Classification of the SHA-3 candidates”.
Performance tables
64-bit platform: AMD Athlon 64 X2 2000 MHz. Source: eBASH project (http://bench.cr.yp.to), July 2009.
Performance tables
32-bit platform: Intel Core 2 Duo 3000 MHz. Source: eBASH project (http://bench.cr.yp.to), July 2009.
Performance tables
ARM: XScale-PXA270 416 MHz. Source: eBASH project (http://bench.cr.yp.to), February 2009.
Round 2 algorithms
Conclusion Can we divide the round 2 algorithms into the following categories?
• more probable, and • less probable candidates to become the SHA-3 standard.
Round 2 algorithms
Conclusion Possible factors for excluding algorithms from further consideration: • relatively low performance; • security margin that is not high; • too complex a structure – difficult to analyze or implement; • similarity to SHA-2 in structure.
Round 2 algorithms
Conclusion Performance factor: • ECHO, Grøstl, Hamsi, SHAvite-3 – relatively low practical performance; • Fugue – relatively low theoretical performance; • CubeHash – relatively slow while hashing short messages.
Round 2 algorithms
Conclusion Security margin factor: • Luffa: no attacks on main security requirements, but simple attacks allow finding pseudo-collisions and pseudo-preimages; “pseudo”-attacks can theoretically be used while mounting future attacks on Luffa, so its security margin cannot be considered high.
Round 2 algorithms
Conclusion Other factors – no algorithms to exclude: • all algorithms have clear and relatively simple structures; • no algorithms are very similar to SHA-2.
Round 2 algorithms
Conclusion Therefore the following algorithms can be considered less probable to be SHA-3: • CubeHash, ECHO, Fugue, Grøstl, Hamsi, SHAvite-3 – relatively low performance; • Luffa – some doubts about security margin.
Round 2 algorithms
Conclusion As a result, the following algorithms can be considered more probable to become the SHA-3 standard: • BLAKE; • Blue Midnight Wish; • JH; • Keccak; • Shabal; • SIMD; • Skein.
Acknowledgements
• to Andrei Gurtov, who invited me to give a talk about hash functions.
Thank you!
Sergey Panasenko, independent information security consultant, Moscow, Russia.
[email protected] www.panasenko.ru