Historical overview: evolution of the algorithm

Transcript: Historical overview: evolution of the algorithm

SHA Hash Functions History & Current State

Helsinki Institute for Information Technology, November 03, 2009.

Sergey Panasenko, independent information security consultant, Moscow, Russia.

[email protected] www.panasenko.ru

SHA Hash Functions

1. Hash functions cryptanalysis review.

2. SHA (SHA-0) & SHA-1.

3. SHA-2.

4. SHA-3 project.

Section 1. Hash functions cryptanalysis review

• typical hash function structure; • goals of hash functions cryptanalysis; • cryptanalysis methods.

Typical hash function structure

Merkle-Damgård construction (diagram): IV → f(·, M_0) → f(·, M_1) → … → f(·, M_N) → H_N. Starting from the initial value IV, every message block M_i is fed together with the current chaining value into the compression function f, and the last chaining value is the hash: H_0 = IV, H_(i+1) = f(H_i, M_i), hash = H_N.

Primary goals of hash functions cryptanalysis

Collision: m_1 and m_2 with the same hash: h = hash(m_1) = hash(m_2). Multicollision: several messages with the same hash.

Theoretical time consumption: 2^(n/2) operations for an n-bit hash function.

Primary goals of hash functions cryptanalysis

First preimage: such m that for a given h: hash(m) = h. Second preimage: such m_2 that for a given m_1: hash(m_2) = hash(m_1). Theoretical time consumption: 2^n operations for an n-bit hash function.

Primary goals of hash functions cryptanalysis

Secret key recovery – for keyed hash functions or hash functions in keyed mode.

Theoretical time consumption: 2^k operations for a k-bit key.

Secondary goals of hash functions cryptanalysis

Near-collision: m_1 and m_2 whose hash values differ in a few bits only: hash(m_1) ≈ hash(m_2). Pseudo-collision: m_1 and m_2 with the same hash but with different initial values: hash(m_1, IV_1) = hash(m_2, IV_2). Theoretical time consumption: 2^(n/2) operations for an n-bit hash function.

Secondary goals of hash functions cryptanalysis

Pseudo-preimage: such m that for a given h: hash(IV, m) = h, where IV is a non-standard initial value.

Theoretical time consumption: 2^n operations for an n-bit hash function.

Attacks on hash functions

Brute-force attacks

• Step-by-step search over the whole target space.
• They set the theoretical time consumption of every goal above.
• Can be used for finding collisions, preimages or secret keys.
• Highly parallelizable.
• Can be accelerated greatly by specific hardware.
• Can be used in the context of other attacks.
• They define suitable hash or key sizes.

Attacks on hash functions

Dictionary attacks

• A kind of brute-force attack on a reduced target space (e.g. the words of some dictionary).

• Typical application: finding a password for a given hash value.

• Offline work: precomputing a table in which the required password is then looked up.

Attacks on hash functions

Dictionary attacks

The simplest case of tables: one hash for every password (diagram):

abaca → hash → 5d12fdca
aback → hash → 0a23647f
abaction → hash → ca56ff12
…
zygoma → hash → 7dd412a4

Attacks on hash functions

Dictionary attacks

Hash chains – reducing the memory (Martin Hellman, 1980): p_1 → h_1 → p_2 → h_2 → … → p_N → h_N, where h_i = hash(p_i) and p_(i+1) = R(h_i) for a reduction function R that maps a hash value back into the password space. Only the first password and the last hash of every chain are stored. The diagram shows three chains:

abaca → 5d12fdca → R → trend → 6fade4ac → R → mary → 67a97688 → R → … → peace → 4fd769a3
couple → f87df65a → R → come → 1abb67a1 → R → further → a3429904 → R → … → afford → a9112a3c
sands → 788a2c5d → R → reach → df34a456 → R → etc → a63dd12a → R → … → shorten → c8a913cf

Attacks on hash functions

Dictionary attacks

Hash chains – collision example (diagram):

… → afford → a9112a3c → R → … → peace → 4fd769a3 → R → …
… → yellow → 3287acfe → R → … → afford → a9112a3c → R → …
… → reviewer → d51a900a → R → … → yellow → 3287acfe → R → …

With a single reduction function R, as soon as a chain reaches a word that already occurs in another chain (afford, yellow), all following values of the two chains coincide: the chains merge and the table covers the same passwords several times.

Attacks on hash functions

Dictionary attacks

Strengthening hash chains:
• Several tables with different R-functions.
• Variable length chains: a chain is continued until its hash value has a recognisable form (in the diagram, hash values beginning with 0000), so chain lengths differ and two chains that merged end at the same distinguished value:

spoke → 000012ca
length → 6acf499a → R → ode → a97688cd → R → … → pipe → 752a65fd → R → medicine → 0000a342
john → 000056df

Attacks on hash functions

Dictionary attacks. Rainbow tables

Several R-functions: a different R_1 … R_(N-1) for every column of the table:
• cyclic chains are impossible;
• collisions lead to chain coincidence only when they occur in the same column, which can be detected.

The diagram shows chains built with R_1, R_2, R_3, …:

abaca → 5d12fdca → R_1 → couple → f87df65a → R_2 → texas → 77f9ac1a → R_3 → …
trend → 6fade4ac → R_1 → come → 1abb67a1 → R_2 → school → d7c907f1 → R_3 → …
mary → 67a97688 → R_1 → further → a3429904 → R_2 → blow → 93aa1cbd → R_3 → …
…
peace → 4fd769a3 → R_1 → afford → a9112a3c → R_2 → come → 1abb67a1 → R_3 → …

The word come (hash 1abb67a1) occurs in two chains but in different columns, so the chains continue with different reduction functions (R_2 and R_3) and do not merge.

Attacks on hash functions

Dictionary attacks. Rainbow tables

Invented by Philip Oechslin in 2003.

Can be further strengthened by combining with variable-length chains.

In active use for cracking real systems: • http://project-rainbowcrack.com; • http://lasecwww.epfl.ch; • http://www.freerainbowtables.com.
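The construction described on the preceding slides, as an added worked example that is not part of the original presentation: a tiny rainbow table over a constructed password space of four-digit PINs, hashed with unsalted SHA-1, with a separate reduction function R_i per column as in Oechslin's design. The password space, chain length and start points are arbitrary choices for the demonstration; a real table would use a dictionary or a full character space and far longer chains.

```python
import hashlib

SPACE = 10_000        # constructed toy password space: PINs "0000".."9999"
CHAIN_LEN = 20        # columns per chain (t in Oechslin's notation)


def h(password: str) -> bytes:
    """The unsalted hash under attack (SHA-1 here; any fixed hash works the same)."""
    return hashlib.sha1(password.encode()).digest()


def reduce_i(digest: bytes, column: int) -> str:
    """R_i: map a hash value back into the password space. Mixing the column index
    in gives every column its own reduction function, so two chains that collide
    in different columns do not merge and a chain cannot loop on itself."""
    return f"{(int.from_bytes(digest[:8], 'big') + column) % SPACE:04d}"


def build_table(start_points):
    """Precompute chains p_0 -> h -> R_0 -> p_1 -> ... -> p_t and keep only the
    (end point -> start points) pairs; everything in between is recomputed on demand."""
    table = {}
    for p0 in start_points:
        p = p0
        for i in range(CHAIN_LEN):
            p = reduce_i(h(p), i)
        table.setdefault(p, []).append(p0)
    return table


def lookup(table, target: bytes):
    """Recover the password whose hash is `target`, or None if no chain covers it."""
    # Assume the target sits in column j, finish that chain with R_j .. R_{t-1}
    # and check whether the resulting end point is stored.
    for j in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_i(target, j)
        for i in range(j + 1, CHAIN_LEN):
            p = reduce_i(h(p), i)
        for p0 in table.get(p, []):
            # Regenerate the candidate chain from its start point and test every
            # column; this also filters the false alarms that merged chains cause.
            q = p0
            for i in range(CHAIN_LEN):
                if h(q) == target:
                    return q
                q = reduce_i(h(q), i)
    return None


if __name__ == "__main__":
    table = build_table(f"{s:04d}" for s in range(0, SPACE, 10))   # 1000 chains
    print(lookup(table, h("0042")), "recovered;", len(table), "end points stored")
```

A lookup costs at most t·(t+1)/2 hash evaluations plus the regeneration of a few chains, while the table stores one pair per chain, so k chains of length t cover up to k·t passwords with k stored entries; end points with several start points are the merged chains the slide describes.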

Attacks on hash functions

Dictionary attacks. Rainbow tables

Countermeasures: • Salt – randomizing the hashing; • Increasing the time to hash – e.g. multiple hashing.

Example: Niels Provos & David Mazières (1999) – the bcrypt hash function. Uses an expensive key setup with salt and cost parameters; the cost defines the number of internal block cipher key expansions: 2^(cost+1) + 1.
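The two countermeasures (a salt and a tunable cost) in working form, as an added example that is not from the slides. bcrypt is not in the Python standard library, so this uses PBKDF2-HMAC-SHA256 from hashlib with an iteration count playing the role of bcrypt's cost parameter; the record format alg$iterations$salt$hash and the iteration count are choices made for the example.

```python
import hashlib
import hmac
import os

# Constructed choices for the example: PBKDF2-HMAC-SHA256 from the standard
# library stands in for bcrypt, and the iteration count plays the role of cost.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000


def store_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt: bytes = None) -> str:
    """Return a self-describing record 'alg$iterations$salt$hash'. A fresh random
    salt per password means equal passwords give different records, so a table
    precomputed from hash(password) alone matches nothing."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def unsalted_sha256_hex(password: str) -> str:
    """The weak scheme a precomputed table attacks: one plain SHA-256 per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words):
    """What an attacker prepares offline against unsalted single hashing."""
    return {unsalted_sha256_hex(w): w for w in words}


def crack(table, stored_hash_hex: str):
    """Table lookup: works for unsalted hashes, never for the salted records."""
    return table.get(stored_hash_hex)


def stored_hash_of(record: str) -> str:
    return record.split("$")[3]


if __name__ == "__main__":
    record = store_password("hunter2")
    table = precomputed_table(["password", "hunter2", "letmein"])
    print(verify_password("hunter2", record), crack(table, unsalted_sha256_hex("hunter2")),
          crack(table, stored_hash_of(record)))
```

Storing the cost inside the record is what lets the parameter be raised later without re-hashing every account at once: old records keep verifying with their old cost until the user next logs in.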

Attacks on hash functions

Birthday paradox

“Square root attack”: O(√N) tries are required to find two equal elements when drawing from a set of N elements.

Application to hash functions (Gideon Yuval, 1979):
• An adversary prepares r variants of the original document m and r variants of a fraudulent document f.
• He searches among these variants for m_x and f_y such that hash(m_x) = hash(f_y).
• The user signs m_x, but the signature also verifies for f_y.
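Yuval's attack carried out against a short hash, as an added example that is not from the slides: SHA-256 truncated to 28 bits stands in for an n-bit hash, the two documents and the "invisible" variation (one or two spaces between words) are constructed for the demonstration, and 2^16 variants of each side suffice where a preimage would cost about 2^28 hash evaluations.

```python
import hashlib


def trunc_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: a stand-in for a short n-bit hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def variants(words, k: int):
    """Yuval's document variants: 2^k texts that read identically but differ in k
    invisible choices (one or two spaces in each of the first k gaps between words)."""
    for bits in range(1 << k):
        out = []
        for j, w in enumerate(words):
            if j > 0:
                wide = j <= k and (bits >> (j - 1)) & 1
                out.append("  " if wide else " ")
            out.append(w)
        yield "".join(out).encode()


def birthday_attack(honest_words, fraud_words, bits: int, k: int):
    """Return (m_x, f_y) with hash(m_x) == hash(f_y), or None. Each side costs 2^k
    hash evaluations; a match is expected once 2^k * 2^k is around 2^bits."""
    table = {trunc_hash(m, bits): m for m in variants(honest_words, k)}
    for f in variants(fraud_words, k):
        hv = trunc_hash(f, bits)
        if hv in table:
            return table[hv], f
    return None


# Constructed sample documents: 18 words each, i.e. 17 gaps available for variation.
HONEST = "I agree to pay Alice the sum of one hundred dollars on the first day of next month".split()
FRAUD = "I agree to pay Alice the sum of ten thousand dollars on the first day of next month".split()


if __name__ == "__main__":
    m, f = birthday_attack(HONEST, FRAUD, bits=28, k=16)
    print(trunc_hash(m, 28) == trunc_hash(f, 28))
    print(m)
    print(f)
```

With 28-bit hashes and 2^16 variants per side there are 2^32 cross pairs, about sixteen of which collide on average; for a real 160- or 256-bit hash the same attack needs 2^80 or 2^128 variants per side, which is exactly why the hash size sets the signature's security level.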

Attacks on hash functions

Collision search

Another variant of hash chains: m_i → hash(m_i) → hash(hash(m_i)) → … All hash values are compared with the previous values and with the values of other chains.

Disadvantage: huge memory requirements.

Jean-Jacques Quisquater, Jean-Paul Delescaille, 1987: store distinguished points only. Their coincidence signals a found collision. Low memory requirements.

Attacks on hash functions

Collision search

Michael Wiener and Paul van Oorschot, 1994: parallel collision search with specific values: initial values and distinguished points.
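Collision search with distinguished points, as an added example that is not from the slides: the iterated function is SHA-256 truncated to 32 bits, a point is distinguished when its low 8 bits are zero, and only (end point, start point, length) triples are stored. The parameters are chosen so the search finishes in well under a second; van Oorschot and Wiener's version runs many such chains in parallel against one shared table.

```python
import hashlib
import random

BITS = 32            # constructed toy: SHA-256 truncated to 32 bits
DP_BITS = 8          # a point is "distinguished" when its low 8 bits are zero


def f(x: int) -> int:
    """The iterated function x -> hash(x) on 32-bit values."""
    d = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")


def is_distinguished(x: int) -> bool:
    return x & ((1 << DP_BITS) - 1) == 0


def walk_to_dp(start: int, limit: int = 50 << DP_BITS):
    """Iterate from `start` until a distinguished point; return (dp, length), or
    None if the chain seems to have fallen into a cycle without any."""
    x, n = start, 0
    while n < limit:
        x = f(x)
        n += 1
        if is_distinguished(x):
            return x, n
    return None


def find_collision(seed: int = 7):
    """Quisquater–Delescaille / van Oorschot–Wiener style search: only chain end
    points are stored. A repeated end point reached from a different start means
    the two chains merged; walking them in lockstep to the merge point yields a
    collision x != y with f(x) == f(y). Returns (x, y, entries stored)."""
    rng = random.Random(seed)
    table = {}                       # distinguished point -> (start, length)
    while True:
        start = rng.getrandbits(BITS)
        hit = walk_to_dp(start)
        if hit is None:
            continue
        dp, n = hit
        if dp not in table:
            table[dp] = (start, n)
            continue
        start2, n2 = table[dp]
        x, y = start, start2
        for _ in range(n - n2):      # align the longer chain with the shorter one
            x = f(x)
        for _ in range(n2 - n):
            y = f(y)
        if x == y:                   # one start point lay on the other chain
            continue
        while f(x) != f(y):
            x, y = f(x), f(y)
        return x, y, len(table)


if __name__ == "__main__":
    x, y, stored = find_collision()
    print(f"{x:08x} {y:08x} -> {f(x):08x}, table entries: {stored}")
```

Around 2^16 evaluations of f are expected before two chains merge, but with one stored triple per 2^8 steps the table holds only a few hundred entries; the lockstep walk afterwards recovers the actual colliding pair from the stored start points.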

Attacks on hash functions

Birthday paradox & collisions search

• Mihir Bellare and Tadayoshi Kohno, 2004: “amount of regularity” of hash functions – how regular the output value distribution is. The less regular, the easier it is to find a collision.

• Bart Preneel, 2003: hash value size analysis. 160 bits are enough for at least 20 years.

Attacks on hash functions

Differential cryptanalysis

Florent Chabaud & Antoine Joux, 1998: SHI1 algorithm (diagram): one iteration on the registers a, b, c, d, e combining a <<< 5, b <<< 30, the constant K_i and the message word W_i; the non-linear function of SHA is left out, so the whole iteration is linear.

Attacks on hash functions

Differential cryptanalysis

Local collision in SHI1 (notation “iteration : bit number” of the differing bit; the message-word corrections are the bits that were in bold on the slide):

Message word differences: W_i : 1 (disturbance); W_(i+1) : 6, W_(i+2) : 1, W_(i+3) : 31, W_(i+4) : 31, W_(i+5) : 31 (corrections).

Register differences produced and cancelled:
a_(i+1) : 1 – caused by W_i;
b_(i+2) : 1 – the difference moves from a to b; its image through a <<< 5 (bit 6) is cancelled by W_(i+1) : 6;
c_(i+3) : 31 – b <<< 30 moves bit 1 to bit 31; the contribution of b through the round function is cancelled by W_(i+2) : 1;
d_(i+4) : 31 – the contribution of c is cancelled by W_(i+3) : 31;
e_(i+5) : 31 – the contribution of d is cancelled by W_(i+4) : 31; the final contribution of e is cancelled by W_(i+5) : 31.

Attacks on hash functions

Differential cryptanalysis

Result: propagation of the difference is cancelled by the correction bits. After 6 iterations the difference is 0.

This is a 6-round local collision: two messages differ in 6 bits (after expansion) but lead to the same hash value.

Next step: construct messages whose expansion yields the required difference.

Attackers use a disturbance vector: a table showing which bits of the messages must differ to achieve the collision.

Attacks on hash functions

Differential cryptanalysis

F. Chabaud & A. Joux: SHI1 – SHI2 – SHI3 – SHA: the non-linear operations of SHA are put back into the iterations step by step.

From deterministic to probabilistic constructions: a local collision that holds with certainty in the linear model holds only with some probability in SHA, but the same principles of attack apply to the real SHA algorithm.
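The six-step local collision traced on the slides, as an added simulation that is not from the original presentation (and not Chabaud and Joux's code): a linearised step in which every modular addition is replaced by XOR, here with the XOR round function of rounds 20..39, beside the real SHA-0/SHA-1 step with modular additions. Message-word differences follow the disturbance/correction pattern above; states and words are random.

```python
import random

MASK = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def parity(x, y, z):
    return x ^ y ^ z              # round function of SHA-0/SHA-1 rounds 20..39


def step_real(state, w, k=0x6ED9EBA1, f=parity):
    """One real SHA-0/SHA-1 iteration: modular additions, then the register shift."""
    a, b, c, d, e = state
    t = (rotl(a, 5) + f(b, c, d) + e + k + w) & MASK
    return (t, a, rotl(b, 30), c, d)


def step_linear(state, w, k=0x6ED9EBA1, f=parity):
    """The same iteration with every '+' replaced by XOR (SHI1-style linear model)."""
    a, b, c, d, e = state
    t = rotl(a, 5) ^ f(b, c, d) ^ e ^ k ^ w
    return (t, a, rotl(b, 30), c, d)


# Disturbance in bit 1 of W_i and the five corrections from the slide:
# W_{i+1}: bit 6, W_{i+2}: bit 1, W_{i+3}, W_{i+4}, W_{i+5}: bit 31.
LOCAL_COLLISION = [1 << 1, 1 << 6, 1 << 1, 1 << 31, 1 << 31, 1 << 31]


def local_collision_holds(step, rng) -> bool:
    """Run two executions from one random state with the six message words
    differing in the pattern above; report whether the states coincide again."""
    state = tuple(rng.getrandbits(32) for _ in range(5))
    words = [rng.getrandbits(32) for _ in range(6)]
    s1 = s2 = state
    for w, delta in zip(words, LOCAL_COLLISION):
        s1 = step(s1, w)
        s2 = step(s2, w ^ delta)
    return s1 == s2


def success_rate(step, trials: int = 2000, seed: int = 1) -> float:
    rng = random.Random(seed)
    return sum(local_collision_holds(step, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("linear model:", success_rate(step_linear))   # always 1.0
    print("real step:   ", success_rate(step_real))     # roughly 1/8 for XOR rounds
```

In the linear model the pattern cancels every time. In the real step the bit-1 and bit-6 corrections only cancel when the additions produce no carry and the signs of the two differences are opposite (three independent conditions of probability 1/2 each); the bit-31 corrections always cancel because ±2^31 coincide modulo 2^32. That 1/8 is the probability an attacker pays for every local collision in the disturbance vector, and why the sum over all of them determines the attack's complexity.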

Attacks on hash functions

Boomerang attack

Invented by David Wagner for block ciphers in 1999.

Applied to hash functions (SHA & SHA-1) by Antoine Joux and Thomas Peyrin, 2007.

Boomerang attack uses one or more auxiliary differences besides the main difference. This significantly improves the probability of finding collisions.

Attacks on hash functions

Boomerang attack

Diagram: a quartet of inputs P, P', Q, Q'; one pair of arrows between them carries the main differences and the other pair the auxiliary differences (C, C', D, D').

Attacks on hash functions

Algebraic cryptanalysis

Uses algebraic properties of an algorithm.

Applied to block ciphers (e.g. the works of Nicolas Courtois against AES).

Can be used in context of other attacks.

Example: Makoto Sugita, Mitsuru Kawazoe, Hideki Imai (2006) attacked reduced-round SHA-1 by algebraic and differential cryptanalysis in complex.

Attacks on hash functions

Message modification

Xiaoyun Wang, Hongbo Yu, 2005: modifying the message step by step to meet the conditions of the differential characteristic.

The message modification technique speeds up the collision search by enforcing the required conditions on the internal variables directly.

Attacks on hash functions

Meet in the middle attack

Can be applied when a function can be represented as two subfunctions, H = hash2(hash1(IV, M_1), M_2) (diagram: IV and M_1 enter hash1(), its output together with M_2 enters hash2(), which outputs H), and the second subfunction is invertible.

Attacks on hash functions

Meet in the middle attack

Finding a preimage for a hash value H:
1. Compute hash1() for variants of the first half of the message (and store the results in a table): T_x = hash1(M_1x, IV).
2. Compute the inverted hash2() for variants of the second half of the message: T_y = hash2^(-1)(M_2y, H).
3. Search for matching T_x and T_y.
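The three steps above run against a constructed toy hash, as an added example that is not from the slides: hash1 is a few ARX mixing rounds and hash2 is, for a fixed second block, a bijection of the chaining value and therefore invertible; both are made up for the demonstration and have no cryptographic strength. With a 32-bit state the attack finds a preimage after about 2^16 table entries and 2^16 trials instead of the 2^32 of brute force.

```python
import random

MASK = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def hash1(iv: int, m1: int) -> int:
    """First subfunction: a few ARX rounds mixing IV and the first block (toy)."""
    s = iv
    for r in range(4):
        s = (rotl(s ^ m1, 5) + m1 * 0x9E3779B1 + r) & MASK
        s ^= s >> 13
    return s


def hash2(s: int, m2: int) -> int:
    """Second subfunction: for a fixed m2 this is a bijection of s, hence
    invertible; that is the property the attack needs (toy)."""
    return rotl((s + m2) & MASK, 11) ^ (m2 * 0x85EBCA6B & MASK)


def hash2_inv(m2: int, h: int) -> int:
    """hash2^{-1}(M2, H): the chaining value s with hash2(s, M2) == H."""
    return (rotr(h ^ (m2 * 0x85EBCA6B & MASK), 11) - m2) & MASK


def toy_hash(m1: int, m2: int, iv: int = 0x12345678) -> int:
    return hash2(hash1(iv, m1), m2)


def mitm_preimage(target: int, iv: int = 0x12345678, table_size: int = 1 << 16, seed: int = 3):
    """Return (M1, M2) with toy_hash(M1, M2) == target."""
    rng = random.Random(seed)
    table = {}
    for _ in range(table_size):               # step 1: T_x = hash1(M1_x, IV)
        m1 = rng.getrandbits(32)
        table[hash1(iv, m1)] = m1
    while True:
        m2 = rng.getrandbits(32)               # step 2: T_y = hash2^{-1}(M2_y, H)
        s = hash2_inv(m2, target)
        if s in table:                         # step 3: T_x == T_y
            return table[s], m2


if __name__ == "__main__":
    m1, m2 = mitm_preimage(0xDEADBEEF)
    print(f"M1={m1:08x} M2={m2:08x} hash={toy_hash(m1, m2):08x}")
```

The trade-off is the usual one: 2^16 memory buys a 2^16-fold speed-up. A real Merkle-Damgård compression function is not invertible in the chaining value, which is why meet-in-the-middle is combined with other techniques (as in the De Cannière and Rechberger preimage results later in the talk) rather than applied directly.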

Attacks on hash functions

Correcting blocks

Allows finding preimages or collisions. Example for collisions:
1. Select arbitrary messages M and M*.
2. Find such correcting blocks X and X* that hash(M || X) = hash(M* || X*).

Attacks on hash functions

Fixed points

A fixed point occurs when it is possible to find such a message block M_i that hash(M) = hash(M || M_i), i.e. the intermediate hash value remains the same after processing block M_i.

Can be used for finding collisions.

Attacks on hash functions

Block-level manipulations

• inserting,
• removing,
• permuting,
• substituting
message blocks without affecting the hash value.

Attacks on hash functions

Two-block collisions

Eli Biham et al., 2004 (diagram): from the common chaining value h_0, the first blocks M_1 and M_1* lead to a near-collision h_1 ≈ h_1*; the second blocks M_2 and M_2* then lead to a collision h_2.

Attacks on hash functions

Multi-block collisions

Diagram: from h_0, the blocks M_1 / M_1* give a near-collision h_1 / h_1*; M_2 / M_2* give another near-collision h_2 / h_2*; …; from h_(k-1) / h_(k-1)* the last blocks M_k / M_k* give a collision h_k.

Attacks on hash functions

Specific attacks on block cipher based hash functions

Allow finding collisions based on weaknesses of the underlying block cipher: • weak keys, • equivalent keys, • groups of keys, • related-key attacks.

Attacks on hash functions

Side-channel attacks

This group of attacks was introduced by Paul Kocher, 1996.

Passive side-channel attacks (an adversary only reads side-channel information): • Electromagnetic attacks.

• Power attacks (simple & differential).

• Timing attacks.

• Error-message attacks.

Attacks on hash functions

Side-channel attacks

Active side-channel attacks (an adversary influences the hash function implementation): • Optical, radiation or heating attacks.

• Spike & glitch attacks.

• Fault attacks (simple and differential).

• Hardware modification.

Attacks on hash functions

Side-channel attacks

Countermeasures: • Constant-time operations.

• Inserting random delays, noise, random variables etc., redundant computations.

• Error messages without extra information.

• Doubling calculations with comparing their results.

• Shielding.

• Detecting of external actions.

Attacks on hash functions

Other cryptanalytic methods

• Using neutral bits (Eli Biham & Rafi Chen, 2004) – message bits that do not influence the final or intermediate results during some rounds.

• Attacks that use the specifics of how hash functions are used in network protocols, signature schemes etc.

• Length-extension attack – appending data to a message whose hash is known and computing the hash of the extended message without knowing the original message (possible for Merkle-Damgård hashes without finalization, so H(key || message) cannot serve as a MAC).

Section 2. SHA & SHA-1

• SHA structure; • SHA-1 structure; • SHA cryptanalysis; • SHA-1 cryptanalysis.

SHA

Overview Secure Hash Algorithm.

Designed by the U.S. National Security Agency in 1992.

U.S. hashing standard in 1993-1995 (FIPS 180).

Must be used by U.S. federal departments and agencies for hashing non-classified information. Recommended for commercial organizations.

Renamed SHA-0 after SHA-1 appeared.

SHA

High-level structure 160-bit hash value.

Input data size – from 0 to (2^64 - 1) bits.

Merkle-Damgård construction with 512-bit data blocks.

Last block is always padded by: • a “1” bit; • zero bits when required; • the 64-bit input data length in bits.

SHA

Message block expansion 1. The 512-bit block is represented as 32-bit words W_0 … W_15.

2. The following 32-bit words W_16 … W_79 are calculated: W_n = W_(n-3) ⊕ W_(n-8) ⊕ W_(n-14) ⊕ W_(n-16).

(Diagram: W_(n-16), W_(n-14), W_(n-8) and W_(n-3) are XORed to give W_n; W_(n-15), W_(n-2) and W_(n-1) are not used.)

SHA

Compression function: 80 iterations (diagram). In iteration i the registers a, b, c, d, e are updated as
t = (a <<< 5) + f_i(b, c, d) + e + K_i + W_i;  e = d;  d = c;  c = b <<< 30;  b = a;  a = t.

SHA

Compression function. f_i functions:
f(x, y, z) = (x & y) | (~x & z), i = 0…19;
f(x, y, z) = x ⊕ y ⊕ z, i = 20…39, 60…79;
f(x, y, z) = (x & y) | (x & z) | (y & z), i = 40…59.

SHA

Chaining and finalization Intermediate hash values: 32-bit registers A … E.

Chaining by addition modulo 2^32: A = A + a; B = B + b, etc.

No finalization is performed: the output hash value is the concatenation of registers A … E after processing all message blocks.

SHA-1

Overview & high-level structure U.S. hashing standard since 1995 (FIPS 180-1, FIPS 180-2).

Will be withdrawn (for some applications) in 2010.

All procedures are the same as in the SHA algorithm, except the message block expansion.

SHA-1

Message block expansion SHA-1 message block expansion: W_n = (W_(n-3) ⊕ W_(n-8) ⊕ W_(n-14) ⊕ W_(n-16)) <<< 1

(Diagram: as in SHA, but the XOR of W_(n-16), W_(n-14), W_(n-8) and W_(n-3) passes through a one-bit left rotation before becoming W_n.) A one-bit left rotation was added to the SHA message block expansion procedure.
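Both algorithms as described on these slides, as an added reference implementation that is not from the presentation: SHA-0 and SHA-1 share padding, compression function, round functions f_i, constants and chaining, and differ only in the one-bit rotation of the message expansion. hashlib provides the SHA-1 check; the constants K_i and the initial value are the FIPS 180 values.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md_pad(msg: bytes) -> bytes:
    """Padding shared by SHA-0 and SHA-1: a '1' bit, zero bits up to 56 mod 64
    bytes, then the 64-bit big-endian message length in bits."""
    length_bits = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", length_bits)


def expand(block: bytes, rotate: bool):
    """W_0..W_79. SHA-0: W_n = W_{n-3} ^ W_{n-8} ^ W_{n-14} ^ W_{n-16};
    SHA-1: the same XOR rotated left by one bit."""
    w = list(struct.unpack(">16I", block))
    for n in range(16, 80):
        t = w[n - 3] ^ w[n - 8] ^ w[n - 14] ^ w[n - 16]
        w.append(rotl(t, 1) if rotate else t)
    return w


def compress(state, block: bytes, rotate: bool):
    """80 iterations of t = (a<<<5) + f_i(b,c,d) + e + K_i + W_i with the register
    shift, followed by chaining through addition modulo 2^32."""
    a, b, c, d, e = state
    for i, w in enumerate(expand(block, rotate)):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (rotl(a, 5) + (f & MASK) + e + k + w) & MASK
        a, b, c, d, e = t, a, rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def sha_family(msg: bytes, rotate: bool) -> str:
    state = IV
    padded = md_pad(msg)
    for off in range(0, len(padded), 64):
        state = compress(state, padded[off:off + 64], rotate)
    return "".join(f"{v:08x}" for v in state)   # no finalization: just A..E


def sha0(msg: bytes) -> str:
    return sha_family(msg, rotate=False)


def sha1(msg: bytes) -> str:
    return sha_family(msg, rotate=True)


def reference_sha1(msg: bytes) -> str:
    return hashlib.sha1(msg).hexdigest()


if __name__ == "__main__":
    print("SHA-0:", sha0(b"abc"))
    print("SHA-1:", sha1(b"abc"), sha1(b"abc") == reference_sha1(b"abc"))
```

The single `rotate` flag is the entire difference between the two standards; the rotation spreads a one-bit disturbance across word boundaries, which is what made the Chabaud–Joux disturbance vectors so much cheaper against SHA-0 (2^33 above) than against SHA-1.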

SHA Cryptanalysis

Best results 1. Collisions: Stéphane Manuel, Thomas Peyrin, 2008: 2^33 operations (boomerang attack).

2. Preimages: Christophe De Cannière, Christian Rechberger, 2008: 2^153 operations to find a second preimage for SHA reduced to 49 iterations (differential cryptanalysis, partial pseudo-preimages & meet-in-the-middle attack).

SHA-1 Cryptanalysis

Best results 1. Collisions: Stéphane Manuel, 2008: 2^51 operations (boomerang attack); Cameron McDonald, Philip Hawkes & Josef Pieprzyk, 2009: 2^52 operations (differential cryptanalysis).

2. Preimages: Christophe De Cannière, Christian Rechberger, 2008: 2^157 operations to find a second preimage for SHA-1 reduced to 44 iterations (combined attack).

SHA-1 Cryptanalysis

Collision search countermeasures 1. Michael Szydlo & Yiqun Lisa Yin, 2005: Strengthened hash function H*(m): H*(m) = H(φ(m)), where φ(m) is a preprocessing function; it can perform: • message whitening (inserting specific blocks – the SHApp algorithm); • self-interleaving of message blocks.

SHA-1 Cryptanalysis

Collision search countermeasures 2. Shai Halevi, Hugo Krawczyk, 2006 (IBM): Randomized hashing: H*(r, m_1, …, m_N) = H(r, m_1 ⊕ r, …, m_N ⊕ r), where r is a block-sized random number.

SHA-1 Cryptanalysis

Strengthening SHA-1 Charanjit Jutla, Anindya Patthak, 2005 (IBM) – SHA1-IME (improved message expansion):
W_n = W_(n-3) ⊕ W_(n-8) ⊕ W_(n-14) ⊕ W_(n-16) ⊕ ((W_(n-1) ⊕ W_(n-2) ⊕ W_(n-15)) <<< 1) for n = 16…35;
W_n = W_(n-3) ⊕ W_(n-8) ⊕ W_(n-14) ⊕ W_(n-16) ⊕ ((W_(n-1) ⊕ W_(n-2) ⊕ W_(n-15) ⊕ W_(n-20)) <<< 1) for n = 36…79.

SHA-1 Cryptanalysis

Strengthening SHA-1 (diagram): the SHA-1 expansion takes W_(n-16), W_(n-14), W_(n-8) and W_(n-3) through three XORs and a <<< 1 rotation to give W_n; SHA1-IME additionally XORs in W_(n-1), W_(n-2) and W_(n-15) (and W_(n-20) for n ≥ 36), rotated left by one bit.

Section 3. SHA-2

• SHA-2 overview; • SHA-256; • SHA-224; • SHA-512; • SHA-384; • SHA-2 cryptanalysis.

SHA-2

Overview U.S. hashing standard since 2002 (FIPS 180-2).

SHA-2 is a family of hashing algorithms: • SHA-224 (since 2004 – defined in the updated version of FIPS 180-2); • SHA-256, SHA-384, SHA-512.

n in SHA-n means an n-bit output hash value.

Patented by the NSA but released for free use (U.S. Patent 6829355).

SHA-2

High-level structure Input data size – from 0 to: • (2^64 - 1) bits for SHA-224 & SHA-256; • (2^128 - 1) bits for SHA-384 & SHA-512.

Merkle-Damgård construction. 512-bit or 1024-bit data blocks.

Last block is padded in the same way as in SHA, but a 128-bit data length (instead of 64-bit) is used for SHA-384 & SHA-512.

SHA-256

Message block expansion 1. The 512-bit block is represented as 32-bit words W_0 … W_15.

2. The following 32-bit words W_16 … W_63 are calculated: W_n = σ1,256(W_(n-2)) + W_(n-7) + σ0,256(W_(n-15)) + W_(n-16) mod 2^32, where: σ0,256(x) = (x >>> 7) ⊕ (x >>> 18) ⊕ (x >> 3), σ1,256(x) = (x >>> 17) ⊕ (x >>> 19) ⊕ (x >> 10) (>>> is rotation to the right, >> is shift to the right).

SHA-256

Message block expansion (diagram): W_(n-16), W_(n-15), W_(n-7) and W_(n-2) are combined into W_n; W_(n-15) passes through σ0 (>>>7, >>>18, >>3) and W_(n-2) through σ1 (>>>17, >>>19, >>10), and the four terms are added modulo 2^32.

SHA-256

Compression function: 64 iterations (diagram). In iteration i the registers a … h are updated as
T_1 = h + Σ1,256(e) + Ch(e, f, g) + K_(i,256) + W_i;  T_2 = Σ0,256(a) + Maj(a, b, c);
h = g; g = f; f = e; e = d + T_1; d = c; c = b; b = a; a = T_1 + T_2 (all additions modulo 2^32).

SHA-256

Compression function Functions of the iteration: Σ0,256(x) = (x >>> 2) ⊕ (x >>> 13) ⊕ (x >>> 22); Σ1,256(x) = (x >>> 6) ⊕ (x >>> 11) ⊕ (x >>> 25); Ch(x, y, z) = (x & y) ⊕ (~x & z); Maj(x, y, z) = (x & y) ⊕ (x & z) ⊕ (y & z).

SHA-256

Chaining and finalization Intermediate hash values: 32-bit registers A … H.

Chaining by addition modulo 2^32: A = A + a; B = B + b, etc.

No finalization is performed: the output hash value is the concatenation of registers A … H after processing all message blocks.
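An added example, not from the slides, that implements SHA-256 from the formulas above and then exploits the “no finalization” property: because the output is just the chaining registers A … H, anyone who knows H(secret || msg) and the length of secret || msg can continue hashing from that state and produce a valid hash for an extended message without the secret. The secret, message and suffix are constructed for the demonstration; hashlib serves as the reference.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def rotr(x, n): return ((x >> n) | (x << (32 - n))) & MASK
def sig0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)        # sigma_0,256
def sig1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)      # sigma_1,256
def Sum0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)     # Sigma_0,256
def Sum1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)     # Sigma_1,256
def Ch(x, y, z): return (x & y) ^ (~x & z & MASK)
def Maj(x, y, z): return (x & y) ^ (x & z) ^ (y & z)


IV = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19)
K = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
     0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
     0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
     0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
     0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
     0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
     0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
     0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]


def compress(state, block: bytes):
    """Message expansion W_16..W_63, 64 iterations, chaining by addition mod 2^32."""
    w = list(struct.unpack(">16I", block))
    for n in range(16, 64):
        w.append((sig1(w[n - 2]) + w[n - 7] + sig0(w[n - 15]) + w[n - 16]) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + Sum1(e) + Ch(e, f, g) + K[i] + w[i]) & MASK
        t2 = (Sum0(a) + Maj(a, b, c)) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e, f, g, h)))


def padding(total_len: int) -> bytes:
    """MD padding for a message of total_len bytes: '1' bit, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def run(state, data: bytes):
    for off in range(0, len(data), 64):
        state = compress(state, data[off:off + 64])
    return state


def sha256(msg: bytes) -> str:
    return "".join(f"{v:08x}" for v in run(IV, msg + padding(len(msg))))


def length_extend(known_digest: str, known_len: int, suffix: bytes):
    """Given H(secret || msg) and len(secret || msg) only: the digest IS the chaining
    state, so resume from it. Returns the glue padding the attacker must include
    and H(secret || msg || glue || suffix)."""
    state = tuple(int(known_digest[i:i + 8], 16) for i in range(0, 64, 8))
    glue = padding(known_len)
    total_len = known_len + len(glue) + len(suffix)
    forged = run(state, suffix + padding(total_len))
    return glue, "".join(f"{v:08x}" for v in forged)


def reference_sha256(msg: bytes) -> str:
    return hashlib.sha256(msg).hexdigest()


if __name__ == "__main__":
    secret, msg = b"constructed-secret", b"user=alice&role=user"   # constructed sample
    tag = sha256(secret + msg)
    glue, forged = length_extend(tag, len(secret) + len(msg), b"&role=admin")
    print(forged == reference_sha256(secret + msg + glue + b"&role=admin"))
```

The forged tag verifies for the message msg || glue || "&role=admin" even though the attacker never saw the secret; the only thing guessed is the secret's length, which is cheap to brute-force. The fix is a finalization the attacker cannot resume (HMAC, or a truncated output such as SHA-224/SHA-384 whose full chaining state is not exposed).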

SHA-224

SHA-224 compared to SHA-256 The same structure as SHA-256 except for the following differences: • Another initial value.

• The output hash value is the concatenation of registers A … G (instead of A … H), i.e. a truncated SHA-256 hash value.

SHA-512

Message block expansion 1. The 1024-bit block is represented as 64-bit words W_0 … W_15.

2. The following 64-bit words W_16 … W_79 are calculated: W_n = σ1,512(W_(n-2)) + W_(n-7) + σ0,512(W_(n-15)) + W_(n-16) mod 2^64, where: σ0,512(x) = (x >>> 1) ⊕ (x >>> 8) ⊕ (x >> 7), σ1,512(x) = (x >>> 19) ⊕ (x >>> 61) ⊕ (x >> 6).

SHA-512

Compression function: 80 iterations (diagram). In iteration i the registers a … h are updated as
T_1 = h + Σ1,512(e) + Ch(e, f, g) + K_(i,512) + W_i;  T_2 = Σ0,512(a) + Maj(a, b, c);
h = g; g = f; f = e; e = d + T_1; d = c; c = b; b = a; a = T_1 + T_2 (all additions modulo 2^64).

SHA-512

Compression function Slightly modified Σ-functions: Σ0,512(x) = (x >>> 28) ⊕ (x >>> 34) ⊕ (x >>> 39); Σ1,512(x) = (x >>> 14) ⊕ (x >>> 18) ⊕ (x >>> 41).

SHA-512

Chaining and finalization Intermediate hash values: 64-bit registers A … H.

Chaining by addition modulo 2^64: A = A + a; B = B + b, etc.

No finalization is performed: the output hash value is the concatenation of registers A … H after processing all message blocks.

SHA-384

SHA-384 compared to SHA-512 The same structure as SHA-512 except for the following differences: • Another initial value.

• The output hash value is the concatenation of registers A … F (instead of A … H), i.e. a truncated SHA-512 hash value.

SHA-2 Cryptanalysis

Best results Collisions. Somitra Sanadhya, Palash Sarkar: • 2^16 operations & 2^35 bytes of memory to find a collision for SHA-256 reduced to 24 iterations; • 2^23 operations & 2^68 bytes of memory to find a collision for SHA-512 reduced to 24 iterations.

SHA-2 Cryptanalysis

Strengthening SHA-2

SShash algorithm by Somitra Sanadhya & Palash Sarkar (diagram): a SHA-2-style iteration on the registers a … h with the functions Γ0,n, Γ1,n, Ch and Maj, the constant K_(i,n) and the message word W_i combined by modular additions; the exact wiring of the diagram is not reproduced here.

Section 4. SHA-3

• SHA-3 project overview; • algorithms not selected to round 1; • algorithms of round 1; • algorithms of round 2; • summarizing; • round 2 algorithms performance; • conclusion.

SHA-3

Overview SHA-3 project is an open competition for a new SHA-3 hash function.

Main project timeline: • November 2007: submission requirements were published; • October 2008: deadline for algorithm submissions; • 2010: selection of the finalists; • 2012: selection of the winner.

Algorithms not in round 1

Abacus Author: Neil Sholer (WaveStrong).

High-level structure: cryptographic sponge.

Compression function based on feedback shift registers.

Conceded broken after the meet-in-the-middle attack of Ivica Nikolić & Dmitry Khovratovich, which finds a second preimage in 2^172 operations.

Algorithms not in round 1

Boole Author: Gregory Rose (Qualcomm).

High-level structure: cryptographic sponge.

Compression function based on non-linear feedback shift register.

Broken by Tomislav Nad: collision attack: • 2^34 operations for 256-bit hash; • 2^66 operations for 512-bit hash.

Algorithms not in round 1

DCH Author: David Wilson.

High-level structure: Merkle-Damgård construction.

Compression function: substitution-permutation network block cipher.

Broken by Mario Lamberger & Florian Mendel: just 521 operations to find collision or preimage.

Algorithms not in round 1

Khichidi-1 Author: Natarajan Vijayarangan (Tata Consultancy Services, Ltd.).

High-level structure: Merkle-Damgård construction.

Compression function: linear feedback shift register.

Broken by: • Nicky Mouha – collision example; • Prasanth Thandra & Satya Murty: instant collisions or second preimages.

Algorithms not in round 1

Maraca Author: Robert Jenkins Jr.

High-level structure: original iterative structure.

Compression function: parallel substitution of fragments of the internal state through 8×8 S-boxes.

Broken by Sebastiaan Indesteege: instant finding preimage.

Algorithms not in round 1

MeshHash Author: Björn Fay.

High-level structure: cryptographic sponge.

Compression function: multistream processing of the internal state with permutations between data streams.

Conceded broken by its author because of certificational meet-in-the-middle attacks by Søren Thomsen: e.g. a 2nd preimage for a 256-bit hash value in 2^194 operations.

Algorithms not in round 1

NKS 2D Author: Geoffrey Park.

High-level structure: stream hashing.

Compression function: two-dimensional cellular automata.

Broken by: • Christophe De Cannière: collision example for 224 bit hash; • Brandon Enright: collision example for 512-bit hash.

Algorithms not in round 1

Ponic Author: Peter Schmidt-Nielsen.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: shift registers.

Certificational attacks by María Naya-Plasencia: 2^265 operations & 2^256 memory blocks to find a 2nd preimage for a 512-bit hash.

Algorithms not in round 1

SHAMATA Authors: Adem Atalay, Orhun Kara, Ferhat Karakoç and Cevat Manap (National Research Institute of Electronics and Cryptology, Turkey).

High-level structure: wide-pipe Merkle-Damgård construction with finalization.

Compression function: feedback shift registers.

Broken by Florian Mendel, Martin Schläffer, Christian Rechberger, Sebastiaan Indesteege: collision example for 256-bit hash (2^40 operations).

Algorithms not in round 1

StreamHash Author: Michal Trojnara High-level structure: stream hashing.

Compression function: original structure based on S boxes.

Broken by Tor Bjørstad: collision example for 256-bit hash.

Algorithms not in round 1

Tangle Authors: Rafael Alvarez, Gary McGuire, Antonio Zamora.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: substitution-permutation network.

Broken by Søren Thomsen: collision example (2^13 – 2^28 operations required).

Algorithms not in round 1

WaMM Author: John Washburn High-level structure: wide-pipe Merkle-Damgård construction with finalization.

Compression function: original structure based on matrix operations.

Broken by David Wilson: several operations to find a collision or second preimage for all sizes of hash value.

Algorithms not in round 1

Waterfall Author: Bob Hattersley (Opta Consulting) High-level structure: original iterative structure.

Compression function: shift registers and entropy arrays (“pools”).

Conceded broken by Scott Fluhrer: 2^70 operations to find a collision.

Round 1 algorithms

ARIRANG (structure) Authors: Specialists from Korea University, Seoul.

High-level structure: Merkle-Damgård construction.

Compression function: generalized Feistel network with feed-forward operations.

Round 1 algorithms

ARIRANG (cryptanalysis) Attacks: • Jian Guo et al.: instant near-collisions (256- or 512-bit hash), 2^23 operations to find pseudo-collisions (224- or 384-bit hash); • Deukjo Hong, Woo-Hwan Kim, Bonwook Koo: 2^481 operations to find a preimage for the 512-bit reduced-round (33 of 40 iterations) algorithm.

Relatively high security margin, but simple near- & pseudo-collision attacks.

Round 1 algorithms

AURORA (structure) Authors: Specialists from Sony Corporation & Nagoya University, Japan.

High-level structure: • Merkle-Damgård construction with finalization (AURORA-224, 256); • “Double-Mix” wide-pipe Merkle-Damgård construction with finalization (AURORA-224M, 256M, 384, 512).

Compression function: substitution-permutation network.

Round 1 algorithms

AURORA (cryptanalysis) Several certificational attacks: • Yu Sasaki: 2^259 operations to find the 512-bit key of keyed AURORA-512 (HMAC mode); 2^236 operations & huge memory to find an 8-block message collision for the 512-bit hash; • Niels Ferguson & Stefan Lucks: 2^291 operations to find a 2nd preimage for the 512-bit hash.

Medium security margin.

Round 1 algorithms

Blender Author: Colin Bradbury.

High-level structure: original iterative structure (2 streams with mixing operations, using checksums while padding the message).

Compression function: one strong iteration with permutation operations for each block processing.

Broken by Vlastimil Klima: 10 · 2^(n/4) operations to find a preimage of an n-bit hash (i.e. 10 · 2^56 operations for a 224-bit hash); also a near-collision example.

Round 1 algorithms

Cheetah Authors: Dmitry Khovratovich, Alex Biryukov, Ivica Nikolić (University of Luxembourg).

High-level structure: iterative structure with feed forward & pre-finalization before last block processing.

Compression function: substitution-permutation network based on AES functions.

No attacks on full-round Cheetah found.

Round 1 algorithms

CHI Authors: Phil Hawkes & Cameron McDonald (Qualcomm, Australia).

High-level structure: Merkle-Damgård construction.

Compression function: generalized Feistel network.

No attacks found.

Round 1 algorithms

CRUNCH Authors: large group of experts.

High-level structure: Merkle-Damgård construction.

Compression function: unbalanced Feistel network.

No attacks on the main requirements found (but Mustafa Çoban found that length-extension attacks on CRUNCH are possible).

Round 1 algorithms

Dynamic SHA Author: Zijie Xu.

High-level structure: Merkle-Damgård construction.

Compression function: generalized Feistel network.

Broken by: • Jean-Philippe Aumasson et al.: collision examples (2^22 operations for 512-bit hash, 2^21 for 256-bit); • length-extension attack by Vlastimil Klima; • Sebastiaan Indesteege: collision examples.

Round 1 algorithms

Dynamic SHA2 Author: Zijie Xu.

High-level structure: Merkle-Damgård construction.

Compression function: generalized Feistel network.

Broken by: • Jean-Philippe Aumasson et al.: 2^52 operations to find a collision for 256-bit hash; • Hongbo Yu & Xiaoyun Wang: 2^45 operations to find a near-collision for 256-bit hash; • length-extension attack by Vlastimil Klima.

Round 1 algorithms

ECOH Authors: Daniel Brown, Matt Campagna, Rene Struik (Certicom Corp., Canada).

High-level structure: original iterative structure.

Compression function: computations over a group of elliptic curve points.

Attacked by Michael Halcrow & Niels Ferguson: 2^143 operations to find a 2nd preimage for 256-bit hash (2^287 for 512-bit hash).

Relatively low security margin.

Round 1 algorithms

Edon-R (structure) Author: Danilo Gligoroski.

High-level structure: Merkle-Damgård construction.

Compression function: quasigroup operations.

Round 1 algorithms

Edon-R (attacks) Attacks: • Dmitry Khovratovich, Ivica Nikolić, Ralf-Philipp Weinmann: 2^(2n/3) operations to find a preimage for an n-bit hash; pseudo-attacks with minimal time consumption.

• Gaëtan Leurent: practical key-recovery attack (for the keyed version of Edon-R).

Relatively high security margin, but some doubts because of the pseudo-attacks. The keyed version attacked by G. Leurent cannot be used.

Round 1 algorithms

EnRUPT Authors: Sean O’Neil, Karsten Nohl, Luca Henzen.

High-level structure: stream hashing.

Compression function: some permutation operations while inserting input word into the internal state.

Broken by Sebastiaan Indesteege: collision example for 256-bit hash (2^40 operations).

Round 1 algorithms

ESSENCE Authors: Jason Martin.

High-level structure: balanced binary tree.

Compression function: feedback shift registers.

Attacked by María Naya-Plasencia et al.: 2^91 operations to find a collision for 256-bit hash, 2^168 operations for 512-bit hash.

Low security margin.

Figure: tree-based structure of hash functions: the padded message is split into the leaves, compression function calls form the inner nodes, and the hash value is produced at the root (diagram not reproduced).

Round 1 algorithms

FSB Authors: several experts from French National Institute for Research in Computer Science and Control.

High-level structure: wide-pipe Merkle-Damgård construction with finalization.

Compression function: based on vector operations.

No attacks found.

Round 1 algorithms

LANE Author: Sebastiaan Indesteege, Catholic University of Leuven, Belgium.

High-level structure: Merkle-Damgård construction with finalization.

Compression function: substitution-permutation network based on AES functions.

No attacks found.

Round 1 algorithms

Lesamnta Authors: Shoichi Hirose, Hidenori Kuwakado, Hirotaka Yoshida.

High-level structure: Merkle-Damgård construction with finalization.

Compression function: unbalanced Feistel network.

No attacks found.

Round 1 algorithms

LUX Authors: Ivica Nikolić, Alex Biryukov, Dmitry Khovratovich (University of Luxembourg).

High-level structure: stream hashing.

Compression function: two arrays of the internal state are updated by one AES round for every input word.

Attacked by Dai Watanabe: 2^100 operations to find a collision for 256-bit hash (2^200 for a 2nd preimage), 2^228 for 512-bit hash.

Relatively low security margin.

Round 1 algorithms

MCSSHA-3 Author: Mikhail Maslennikov.

High-level structure: stream hashing.

Compression function: non-linear feedback shift register.

Attacked by Jean-Philippe Aumasson & María Naya-Plasencia: 2^(3n/8) operations to find a collision, 2^(3n/4) to find a 2nd preimage for an n-bit hash.

Relatively low security margin.

Round 1 algorithms

MD6 Authors: large group of experts with leadership of Ronald Rivest.

High-level structure: tree.

Compression function: non-linear feedback shift register.

No attacks found.

Algorithm was withdrawn from SHA-3 project by its authors.

Round 1 algorithms

NaSHA Authors: Smile Markovski & Aleksandra Mileva.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: unbalanced Feistel network.

Attacked by Zhimin Li et al.: 2^128 operations to find a collision for 512-bit NaSHA.

The authors of NaSHA disputed the results of Li et al.

Round 1 algorithms

SANDstorm Authors: large group of experts, mainly from Sandia National Laboratories, U. S.

High-level structure: tree.

Compression function: original structure with substitution-permutation operations.

No attacks found.

Round 1 algorithms

Sarmal Authors: Kerem Varıcı, Onur Özen, Çelebi Kocair (Middle East Technical University, Turkey).

High-level structure: wide-pipe Merkle-Damgård construction modification with feed-forward.

Compression function: generalized Feistel network.

Attacked by Florian Mendel & Martin Schläffer: 2^(n/3) operations & 2^(n/3) memory blocks to find a collision for n-bit hash.

Low security margin.

Round 1 algorithms

Sgàil Author: Peter Maxwell.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: substitution-permutation network.

Attacked by its author: instant collision for all hash sizes.

The algorithm was modified by its author. Attacks on the modified version are not found.

Round 1 algorithms

Spectral Hash Authors: large group of experts from University of California at Santa Barbara, U. S.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: 3-dimensional array processed by discrete Fourier transform.

Broken independently by Brandon Enright, Tor Bjørstad & Ethan Heilman: instant collisions.

Round 1 algorithms

SWIFFTX Authors: large group of experts from Israel and U. S.

High-level structure: slightly modified Merkle-Damgård construction with finalization.

Compression function: original construction based on fast Fourier transform.

No attacks found.

Round 1 algorithms

TIB3 Authors: Miguel Montes, Daniel Penazzi (Cordoba University, Spain).

High-level structure: Merkle-Damgård construction with feed-forward & finalization.

Compression function: generalized Feistel network.

Attacked by Florian Mendel, Martin Schläffer: 2^122 operations & 2^53 memory to find a collision for 256-bit hash.

Medium security margin.

Round 1 algorithms

Twister (structure) Authors: Ewan Fleischmann, Christian Forler & Michael Gorski.

High-level structure: Merkle-Damgård construction with finalization.

Compression function: substitution-permutation network based on AES functions.

Round 1 algorithms

Twister (attacks) Several certification attacks by Florian Mendel, Christian Rechberger & Martin Schläffer, e.g. 2^384 operations to find 2nd preimage for 512-bit hash.

Relatively high security margin.

Round 1 algorithms

Vortex Authors: Shay Gueron & Michael Kounavis (Intel Corp.).

High-level structure: Merkle-Damgård construction with finalization.

Compression function: substitution-permutation network based on AES functions.

Attacked by Lars Knudsen, Florian Mendel, Christian Rechberger, Søren Thomsen: 2^(3n/4) operations to find a preimage for n-bit hash.

Relatively low security margin.

Round 2 algorithms

BLAKE (overview) Authors: Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael Phan.

High-level structure: modified Merkle-Damgård construction: local wide-pipe with finalization.

Compression function: permutation operations.

One of the fastest round 2 algorithms.

Round 2 algorithms

BLAKE (structure) G function – the basis of round permutation.

10 or 14 rounds with 8 G-function calls each.

[Figure: G function dataflow on the four words a, b, c, d: the inputs c_y ⊕ m_x and c_x ⊕ m_y are added in, interleaved with XORs and right rotations by 16, 12, 8 and 7 bits, producing the updated a, b, c, d.]
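Added example, not code from the presentation or from the BLAKE designers: the BLAKE-256 G function as drawn in the figure (32-bit words, rotations by 16, 12, 8 and 7), its inverse, and one round made of the column step and the diagonal step. The message words m, the constants c and the schedule sigma are passed in by the caller; the identity schedule used as the default is sigma_0 of the real algorithm, which cycles through ten fixed permutations, and the sample values in the comments are constructed, not BLAKE's own constants. The inverse is included because it shows why G is a bijection on (a, b, c, d) for fixed message and constant words: every step is an addition, XOR or rotation, each of which can be undone.

```python
# Added example (not from the presentation or the BLAKE team): the BLAKE-256
# G function, its inverse, and one round (column step, then diagonal step).
MASK32 = 0xFFFFFFFF


def rotr32(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def G(a, b, c, d, mx, my, cx, cy):
    """One G call: mx/my are two message words, cx/cy the matching constants."""
    a = (a + b + (mx ^ cy)) & MASK32
    d = rotr32(d ^ a, 16)
    c = (c + d) & MASK32
    b = rotr32(b ^ c, 12)
    a = (a + b + (my ^ cx)) & MASK32
    d = rotr32(d ^ a, 8)
    c = (c + d) & MASK32
    b = rotr32(b ^ c, 7)
    return a, b, c, d


def G_inverse(a, b, c, d, mx, my, cx, cy):
    """Undo G step by step; G is a bijection on (a, b, c, d) for fixed inputs."""
    b = rotl32(b, 7) ^ c
    c = (c - d) & MASK32
    d = rotl32(d, 8) ^ a
    a = (a - b - (my ^ cx)) & MASK32
    b = rotl32(b, 12) ^ c
    c = (c - d) & MASK32
    d = rotl32(d, 16) ^ a
    a = (a - b - (mx ^ cy)) & MASK32
    return a, b, c, d


# Column step (G0..G3) and diagonal step (G4..G7) over the 4x4 word state v.
COLUMNS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)]
DIAGONALS = [(0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]


def blake_round(v, m, c, sigma=tuple(range(16))):
    """One BLAKE-256 round over the 16-word state v.

    m: 16 message words, c: 16 constants, sigma: the schedule for this round
    (the real algorithm cycles through ten fixed permutations; sigma_0 is the
    identity, which is the default used here)."""
    v = list(v)
    for i, (ia, ib, ic, id_) in enumerate(COLUMNS + DIAGONALS):
        s0, s1 = sigma[2 * i], sigma[2 * i + 1]
        v[ia], v[ib], v[ic], v[id_] = G(v[ia], v[ib], v[ic], v[id_],
                                        m[s0], m[s1], c[s0], c[s1])
    return v


if __name__ == "__main__":
    # Constructed sample inputs, not BLAKE's real constants.
    m = [i * 0x01010101 for i in range(16)]
    c = [0x9E3779B9 ^ i for i in range(16)]
    print([hex(w) for w in blake_round([0] * 16, m, c)])
```

Each G call reads two message words and two constants, so the eight calls of a round touch all sixteen message words once; the column step and diagonal step together are what let a change in any single word reach the whole state.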

Round 2 algorithms

BLAKE (attacks) Certification attacks on reduced-round BLAKE: • Ji Li & Liangyu Xu: preimage for 512-bit BLAKE with 2.5 rounds – 2^481 operations; • Jian Guo & Krystian Matusiewicz: near-collision for compression function of 256-bit BLAKE with 4 rounds – 2^42 operations.

Very high security margin.

Round 2 algorithms

Blue Midnight Wish (overview) Authors: large group of experts, mainly from Norwegian University of Science and Technology.

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: sequential processing of the current state by 3 different functions with feed forward.

One of the fastest round 2 algorithms.

Round 2 algorithms

Blue Midnight Wish (structure) Compression function structure: [Figure: State and Message block enter f0() (message block modification), then pass through f1() and f2() to produce the new State.]

Round 2 algorithms

Blue Midnight Wish (attacks) Certification attacks by Søren Thomsen: • instant near-collision for compression function of 256-bit Blue Midnight Wish (11 different bits); • pseudo-collision (2^(3n/8+1) operations) or pseudo-preimage (2^(3n/4+1) operations) for n-bit Blue Midnight Wish.

Very high security margin.

Round 2 algorithms

CubeHash (overview) Author: Daniel Bernstein (University of Illinois at Chicago).

High-level structure: stream hashing.

Compression function: Feistel network.

Relative performance greatly depends on the platform and on the size of the test message – from the fastest round 2 algorithm to the slowest one.

Round 2 algorithms

CubeHash (structure) CubeHash round: [Figure: a round built from word additions, XORs and rotations by 7 and 11 bits.]

Round 2 algorithms

CubeHash (structure) CubeHash r / b parameters: • r – number of rounds; • b – message block size in bytes.

The originally submitted variant, CubeHash8/1, is very slow.

It was replaced with CubeHash16/32, which is about 16 times faster.

Round 2 algorithms

CubeHash (attacks) Several attacks (including practical ones) on the variants with reduced rounds and larger blocks (e.g. CubeHash2/4 or CubeHash1/45).

Several certification preimage attacks on submitted versions of CubeHash – by Jean-Philippe Aumasson et al. and by Dmitry Khovratovich et al.

Security margin can be considered high.

Round 2 algorithms

ECHO (overview & attacks) Authors: large group of experts from Orange Labs (France).

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: substitution-permutation network based on AES functions.

One of the slowest round 2 algorithms.

No attacks found.

Round 2 algorithms

ECHO (structure) Internal state: 4 × 4 array of 128-bit words.

8 rounds of substitution (on the figure) and permutation operations similar to an AES round.

[Figure: substitution step: two AES-128 rounds, one involving the Counter and one the Salt.]

Round 2 algorithms

Fugue Authors: Shai Halevi, William Hall, Charanjit Jutla (IBM).

High-level structure: stream hashing.

Compression function: substitution-permutation network based on AES functions.

Features: 32-bit blocks; relatively large internal state; strengthened AES transforms.

Relatively low performance.

No attacks found.

Round 2 algorithms

Grøstl (overview & attacks) Authors: several experts from Technical University of Denmark & Graz University of Technology, Austria.

High-level structure: wide-pipe Merkle-Damgård construction with finalization.

Compression function: substitution-permutation network based on AES functions.

Relatively low performance.

No attacks found.

Round 2 algorithms

Grøstl (structure) P and Q functions perform 10 or 14 rounds of modified AES transformations.

P and Q differ from each other in round constants only.

[Figure: compression function: State and Message block enter P() and Q(), whose outputs are XORed together into the new State.]

Round 2 algorithms

Hamsi (overview & attacks) Author: Özgül Küçük (Catholic University of Leuven, Belgium).

High-level structure: concatenate-permute-truncate.

Compression function: substitution-permutation network.

Relatively low performance.

No attacks found.

Round 2 algorithms

Hamsi (structure) C, P, and T functions (“concatenate-permute-truncate”) form the Hamsi compression function.

32- or 64-bit message blocks (expanded to 256 or 512 bits each).

[Figure: Message block → Expansion → C() together with h_{i-1} → State → P() → T() → h_i.]

Round 2 algorithms

JH (overview) Author: Hongjun Wu (Institute for Infocomm Research, Singapore).

High-level structure: wide-pipe Merkle-Damgård construction.

Compression function: substitution-permutation network.

Medium performance.

Round 2 algorithms

JH (structure) Compression function structure: [Figure: the Message block is XORed into h_{i-1}, the result passes through E(), and the Message block is XORed in again to give h_i.]

Round 2 algorithms

JH (attacks) Certification attack by Florian Mendel and Søren Thomsen: 2^510 operations & 2^510 memory blocks to find a preimage for 512-bit JH.

Hongjun Wu disproved the attack.

Round 2 algorithms

Keccak (overview & attacks) Authors: Guido Bertoni, Joan Daemen, Michaël Peeters & Gilles Van Assche.

High-level structure: cryptographic sponge.

Compression function: permutation operations.

Relatively high performance.

No attacks found.

Round 2 algorithms

Keccak (structure) Compression function round: [Figure: one round on state A in five steps: column parities C; D computed from C with XOR and rotation by 1; lanes rotated by r into B; the non-linear step combining B with AND and NOT; the result written back to A.]
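Added example, not code from the presentation or from the Keccak designers: a pure-Python cryptographic sponge over the Keccak-f[1600] permutation, with the five round steps of the figure written out. The round constants and rotation offsets are generated with the LFSR and the (x, y) walk from the Keccak specification instead of being typed in. The rate of 1088 bits (capacity 512) and the padding suffixes 0x01 (original Keccak) and 0x06 (FIPS 202, i.e. SHA3-256) are the parameters of the later standardized versions, not necessarily those of the 2009 round 2 submission; matches_hashlib() cross-checks the result against the standard library.

```python
# Added example (not from the presentation or the Keccak team): sponge
# construction around Keccak-f[1600], absorbing r bits per block and keeping
# c bits of capacity hidden.
import hashlib

MASK64 = (1 << 64) - 1


def rotl64(x, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((x << n) | (x >> (64 - n))) & MASK64 if n else x


def _rc(t):
    """Bit t of the LFSR sequence that defines the round constants."""
    if t % 255 == 0:
        return 1
    r = 1
    for _ in range(t % 255):
        r <<= 1
        if r & 0x100:
            r ^= 0x171
    return r & 1


# Round constants: bit (2^j - 1) of RC[i] is rc(j + 7 i), as in the spec.
RC = [sum(_rc(j + 7 * i) << ((1 << j) - 1) for j in range(7)) for i in range(24)]

# Rotation offsets indexed [x][y]; (0, 0) stays 0, the other 24 follow the walk.
RHO = [[0] * 5 for _ in range(5)]
_x, _y = 1, 0
for _t in range(24):
    RHO[_x][_y] = ((_t + 1) * (_t + 2) // 2) % 64
    _x, _y = _y, (2 * _x + 3 * _y) % 5


def keccak_f1600(a):
    """One Keccak-f[1600] permutation; a is 25 lanes indexed x + 5*y."""
    a = list(a)
    for rc in RC:
        # theta: XOR each lane with the parities of two neighbouring columns
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rotl64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho + pi: rotate every lane by its offset and move it to a new position
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = rotl64(a[x + 5 * y], RHO[x][y])
        # chi: the only non-linear step, a[x] = b[x] ^ (~b[x+1] & b[x+2]) per row
        a = [b[i] ^ ((b[(i % 5 + 1) % 5 + 5 * (i // 5)] ^ MASK64)
                     & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        # iota: round constant breaks the symmetry between rounds
        a[0] ^= rc
    return a


def sponge(msg, rate_bytes, suffix, out_len):
    """Absorb msg with pad10*1 (domain byte 'suffix'), then squeeze out_len bytes."""
    padded = bytearray(msg) + bytes([suffix])
    padded += bytes(-len(padded) % rate_bytes)
    padded[-1] |= 0x80
    state = [0] * 25
    lanes = rate_bytes // 8
    for off in range(0, len(padded), rate_bytes):
        block = padded[off:off + rate_bytes]
        for i in range(lanes):                     # XOR only into the rate part
            state[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        state = keccak_f1600(state)
    out = b""
    while len(out) < out_len:                      # capacity lanes never leave
        out += b"".join(lane.to_bytes(8, "little") for lane in state[:lanes])
        if len(out) < out_len:
            state = keccak_f1600(state)
    return out[:out_len]


def keccak256(msg):
    """Original Keccak padding (suffix 0x01), rate 1088, 256-bit output."""
    return sponge(msg, 136, 0x01, 32)


def sha3_256(msg):
    """FIPS 202 padding (suffix 0x06) on the same sponge."""
    return sponge(msg, 136, 0x06, 32)


def matches_hashlib(msg):
    """Cross-check this sponge against the standard library's SHA3-256."""
    return sha3_256(msg) == hashlib.sha3_256(msg).digest()
```

The security claim of a sponge rests on the capacity: the 512 hidden bits are never XORed with input or exposed as output, which is what gives the 2^(c/2) generic bound for collisions and preimages that the overview slides refer to.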

Round 2 algorithms

Luffa (overview) Authors: Christophe De Cannière, Hisayoshi Sato & Dai Watanabe.

High-level structure: cryptographic sponge.

Compression function: substitution-permutation network.

High performance.

Round 2 algorithms

Luffa (structure) Compression function structure: [Figure: IV and message blocks M_0, M_1, ... are fed through message injection MI into w parallel permutations Q_0, Q_1, ..., Q_{w-1}; the same step repeats for every block.]

Round 2 algorithms

Luffa (structure) Round of Q-functions: [Figure: S-boxes, linear layers L(), and addition of a round constant C.]

Round 2 algorithms

Luffa (attacks) Several “pseudo”-attacks by Keting Jia: • instant pseudo-collisions and 2nd pseudo-preimages; • instant pseudo-preimages for 224- or 256-bit hash; • 2^64 operations and 2^64 memory to find a pseudo-preimage for 384-bit hash.

No attacks found on main security requirements.

But “pseudo”-attacks can be used in the context of other attacks.

Round 2 algorithms

Shabal (overview & attacks) Authors: large group of experts of the Saphir project, funded by the French National Research Agency.

High-level structure: strengthened Merkle-Damgård construction (includes some sponge-like operations and feed-forward).

Compression function: shift registers with different kinds of feedback.

One of the fastest round 2 algorithms.

No attacks found.

Round 2 algorithms

Shabal (structure) Compression function structure: [Figure: registers A, B, C; counter W incremented (W++); message block M added in before the permutation P() and subtracted after it.]

Round 2 algorithms

SHAvite-3 (overview & attacks) Authors: Eli Biham & Orr Dunkelman.

High-level structure: Merkle-Damgård construction with finalization.

Compression function: Feistel network (224- or 256-bit hash) or generalized Feistel network (384- or 512-bit hash) based on AES operations.

One of the slowest round 2 algorithms.

No attacks found.


Round 2 algorithms

SHAvite-3 (structure) Compression function for 224- or 256-bit hash: [Figure: the State passes through a chain of AES rounds with XORs; M_i, salt and Ctr feed the Key extension.]

Round 2 algorithms

SHAvite-3 (structure) Compression function round for 384- or 512-bit hash: [Figure: two branches of 4 AES rounds each, fed by Round keys and combined with XORs.]

Round 2 algorithms

SIMD (overview & attacks) Authors: Gaëtan Leurent, Pierre-Alain Fouque & Charles Bouillaguet (École Normale Supérieure, Paris).

High-level structure: wide-pipe Merkle-Damgård construction with finalization.

Compression function: generalized Feistel network.

Relatively high performance.

No attacks found.

Round 2 algorithms

SIMD (structure) Compression function structure: [Figure: 32-bit state words combined through f(), additions of expanded message words W_x and W_y, and rotations by r and s.]

Round 2 algorithms

Skein (overview) Authors: Large group of experts.

High-level structure: Unique Block Iteration.

Compression function: substitution-permutation network.

Relatively high performance.

Round 2 algorithms

Skein (structure) Compression function based on Threefish block cipher.

72 or 80 rounds based on permutations and parallel mix operations:

[Figure: MIX operation on words x_0, x_1 giving y_0, y_1: addition, rotation by R and XOR.]
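Added example, not code from the presentation or from the Skein team: Threefish-256 (four 64-bit words, 72 rounds) built from the MIX operation of the figure, a word permutation after every MIX layer and a subkey injection every four rounds, followed by the UBI-style chaining step in which the chaining value is the cipher key and the message block is fed forward. The rotation constants, the permutation and the key-schedule constant C240 are reproduced from the Skein specification as I recall them; the tweak words in the sample are constructed values (the real UBI tweak encodes block position and type), and unmix()/decrypt() are included to show that every step is invertible, which is what makes Threefish a block cipher rather than just a mixing function.

```python
# Added example (not from the presentation or the Skein team): Threefish-256,
# the block cipher Skein's compression function is built on, plus the UBI-style
# chaining step h_i = E(h_{i-1}, tweak, m_i) XOR m_i.
MASK64 = (1 << 64) - 1
NW, NR = 4, 72                 # Threefish-256: four 64-bit words, 72 rounds
C240 = 0x1BD11BDAA9FC1A22      # key-schedule constant (Skein spec)
# Rotation constants R[d mod 8][j] for the two MIX calls of round d (Skein 1.3).
ROT = [(14, 16), (52, 57), (23, 40), (5, 37), (25, 33), (46, 12), (58, 22), (32, 32)]
PERM = (0, 3, 2, 1)            # word permutation applied after every MIX layer


def rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64


def rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK64


def mix(x0, x1, r):
    """The MIX operation from the figure: add, rotate, XOR."""
    y0 = (x0 + x1) & MASK64
    y1 = rotl(x1, r) ^ y0
    return y0, y1


def unmix(y0, y1, r):
    """Inverse of mix(): every step is reversible, so Threefish is a cipher."""
    x1 = rotr(y1 ^ y0, r)
    x0 = (y0 - x1) & MASK64
    return x0, x1


def subkeys(key, tweak):
    """Subkey s (one per 4 rounds) from the 4 key words and 2 tweak words."""
    k = list(key) + [C240 ^ key[0] ^ key[1] ^ key[2] ^ key[3]]
    t = [tweak[0], tweak[1], tweak[0] ^ tweak[1]]
    return [[k[s % 5],
             (k[(s + 1) % 5] + t[s % 3]) & MASK64,
             (k[(s + 2) % 5] + t[(s + 1) % 3]) & MASK64,
             (k[(s + 3) % 5] + s) & MASK64]
            for s in range(NR // 4 + 1)]


def encrypt(key, tweak, block):
    ks = subkeys(key, tweak)
    v = list(block)
    for d in range(NR):
        if d % 4 == 0:                       # subkey injection
            v = [(v[i] + ks[d // 4][i]) & MASK64 for i in range(NW)]
        r0, r1 = ROT[d % 8]
        v[0], v[1] = mix(v[0], v[1], r0)     # two MIX operations in parallel
        v[2], v[3] = mix(v[2], v[3], r1)
        v = [v[PERM[i]] for i in range(NW)]  # word permutation
    return [(v[i] + ks[NR // 4][i]) & MASK64 for i in range(NW)]


def decrypt(key, tweak, block):
    ks = subkeys(key, tweak)
    v = [(block[i] - ks[NR // 4][i]) & MASK64 for i in range(NW)]
    for d in reversed(range(NR)):
        w = [0] * NW
        for i in range(NW):
            w[PERM[i]] = v[i]                # inverse word permutation
        r0, r1 = ROT[d % 8]
        w[0], w[1] = unmix(w[0], w[1], r0)
        w[2], w[3] = unmix(w[2], w[3], r1)
        if d % 4 == 0:
            w = [(w[i] - ks[d // 4][i]) & MASK64 for i in range(NW)]
        v = w
    return v


def ubi_compress(h, tweak, m):
    """One UBI step: the chaining value is the cipher key, the message block the
    plaintext, and the block is fed forward (Matyas-Meyer-Oseas style)."""
    return [x ^ y for x, y in zip(encrypt(h, tweak, m), m)]
```

Note that the hash built this way needs no S-boxes or table lookups: the only operations are 64-bit addition, rotation and XOR, which is what gives Skein its constant-time behaviour and its performance on 64-bit platforms.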

Round 2 algorithms

Skein (attacks) Several attacks on reduced-round Skein procedures by Jean-Philippe Aumasson et al.: • near-collision for 17-round compression function of Skein – 2^24 operations; • key recovery attack on 34-round Threefish – 2^312 operations.

Very high security margin.

Structures tables

High-level structures Merkle-Damgård construction and its variants.

Structures tables

High-level structures Other structures.

Structures tables

High-level structures statistics

Structures table

Compression function structures

Structures table

Compression function structures statistics

Performance tables

Claimed performance by authors. Source: Ewan Fleischmann et al. “Classification of the SHA-3 candidates”.

Performance tables

64-bit platform: AMD Athlon 64 X2 2000 MHz. Source: eBASH project (http://bench.cr.yp.to), July 2009.

Performance tables

32-bit platform: Intel Core 2 Duo 3000 MHz. Source: eBASH project (http://bench.cr.yp.to), July 2009.

Performance tables

ARM: XScale-PXA270 416 MHz. Source: eBASH project (http://bench.cr.yp.to), February 2009.

Round 2 algorithms

Conclusion Can we divide the round 2 algorithms into the following categories?

• most probable, and • less probable algorithms to be the SHA-3 standard.

Round 2 algorithms

Conclusion Possible factors to exclude algorithms from further consideration: • relatively low performance; • security margin that is not high; • too complex algorithm structure, difficult to analyze or implement; • similarity to SHA-2 in structure.

Round 2 algorithms

Conclusion Performance factor: • ECHO, Grøstl, Hamsi, SHAvite-3 – relatively low practical performance; • Fugue – relatively low theoretical performance; • CubeHash – relatively slow while hashing short messages.

Round 2 algorithms

Conclusion Security margin factor: • Luffa: no attacks on main security requirements, but simple attacks allow finding pseudo-collisions and pseudo-preimages; “pseudo”-attacks can theoretically be used while mounting future attacks on Luffa, so its security margin cannot be considered high.

Round 2 algorithms

Conclusion Other factors – no algorithms to exclude: • all algorithms have clear and relatively simple structures; • no algorithms are very similar to SHA-2.

Round 2 algorithms

Conclusion Therefore the following algorithms can be considered less probable to be SHA-3: • CubeHash, ECHO, Fugue, Grøstl, Hamsi, SHAvite-3 – relatively low performance; • Luffa – some doubts about security margin.

Round 2 algorithms

Conclusion As a result, the following algorithms can be considered more probable to be the SHA-3 standard: • BLAKE; • Blue Midnight Wish; • JH; • Keccak; • Shabal; • SIMD; • Skein.

Acknowledgements

• to Andrei Gurtov, who invited me to give a talk about hash functions.

Thank you!

Sergey Panasenko, independent information security consultant, Moscow, Russia.

[email protected] www.panasenko.ru