Introduction to Cryptographic Hash Functions
Pukyong National University
Kyung Hyune Rhee
Contents
- Introduction
- The definition and the general model of hash functions
- Description of the new hash algorithms
- The MAC (Message Authentication Code) using the proposed hash algorithms
- Concluding Remarks
Introduction
Hash function: maps a bit string of arbitrary finite length into a string of fixed length (128 bits, 160 bits)
- basic idea: the hash value serves as a compressed representative image of the input string, uniquely identifying that string
- unkeyed hash functions and keyed hash functions
- applications: verification of integrity, construction of MACs (Message Authentication Codes), increasing the efficiency of digital signatures
Existing MDx-family hash functions
- iterative process based on the theory of Merkle and Damgard
- 1990: MD4 proposed by Rivest; attacks against a shortened version by Merkle and Bosselaers
- 1991: MD5, a strengthened version of MD4
- 1992: HAVAL, designed by Zheng, Pieprzyk and Seberry
- 1993: SHA (Secure Hash Algorithm), published by NIST
- 1995: SHA-1, an improved version of SHA
- 1995: RIPEMD, proposed by the European RIPE consortium; a strengthened version of MD4
- 1996: attack against a shortened version of RIPEMD by Dobbertin
- 1996: RIPEMD-128/160 by Dobbertin, Bosselaers and Preneel; a strengthened version of RIPEMD
- HAS-160, standardized by TTA
MAC (Message Authentication Code): provides data integrity and data origin authentication
- constructions:
  - based on the CBC and CFB modes of a block cipher
  - MAA (Message Authenticator Algorithm): ISO standard, relatively fast in software, 32-bit result
  - based on hash functions: faster than the other schemes, small additional implementation effort, adopted in Kerberos and SNMP
The definition and the general model of the hash function
Cryptographic hash functions: functions that map bit strings of arbitrary finite length into strings of fixed length
- given a function h and an input x, computing h(x) must be easy
- properties of a cryptographic hash function: easy computation, pre-image resistance, second pre-image resistance, collision resistance
Structure of hash functions: iterative processes which hash inputs of arbitrary length by processing successive fixed-size blocks of input

$H_0 = IV$
$H_i = f(H_{i-1}, X_i), \quad 1 \le i \le t$
$h(X) = H_t$

Figure: the padded input is split into message block 1, message block 2, ..., and the last message part with padding; each block enters a compression function together with the previous chaining variable, starting from the initial value, and the output of the last compression function is the hash value.
- f : compression function
- $H_i$ : chaining variable
Features of existing hash functions
- SHA-1: the message expansion; additional message words are generated from the original input message words, giving strong resistance against existing attacks that exploit the simplicity of how message words are applied in the compression function
- RIPEMD-160: processes the input message in two parallel lines in order to improve security
- HAVAL: variable-length fingerprints and a variable number of passes; uses strong Boolean functions with cryptographically good properties
Definition and general model of the hash function (4)
MAC (Message Authentication Code): keyed hash function, i.e. a hash function with a secondary input, a secret key
existing MAC constructions
- Gene Tsudik:
  - secret prefix method: $MAC = MD(K \| M)$
  - secret suffix method: $MAC = MD(M \| K)$
  - envel
ope method: $MAC = MD(M \| K, IV_K)$ (key-dependent initial value $IV_K$)
- Kaliski and Robshaw: MAC constructions using MD5
- Preneel, van Oorschot: MDx-MAC
- Bellare et al.: NMAC, HMAC
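The iteration of the previous slide and the three Tsudik constructions side by side, as an added example that is not code from the slides or from the author: a constructed toy Merkle-Damgard hash with 128-bit blocks, a four-word chaining variable starting from the MD4/MD5 initial value and a deliberately simple compression function f (all assumptions, not a secure design), plus HMAC from the Python standard library as the counterpart of the NMAC/HMAC entry. The last function is the check a reviewer wants when the secret-prefix method is proposed: for an MD-iterated hash the tag is the final chaining value, so a valid tag for an extended message follows from the tag and the message length alone, which is why the envelope method and HMAC hide that state.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
BLOCK_BYTES = 16   # assumption: 128-bit blocks (a real MDx hash uses 512-bit blocks)
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # MD4/MD5 initial value, 4 words


def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK32


def compress(h, block):
    """Toy compression function f(H_{i-1}, X_i): a few MD4-style steps with a
    feed-forward of H_{i-1}. Constructed for illustration, not a secure design."""
    x = struct.unpack("<4I", block)
    a, b, c, d = h
    for r in range(8):
        for j in range(4):
            g = (b & c) | (~b & MASK32 & d)          # MD4 'F' selection function
            a = rotl((a + g + x[(j + r) % 4] + 0x5A827999) & MASK32, 3 + r)
            a, b, c, d = d, a, b, c
    return tuple((u + v) & MASK32 for u, v in zip((a, b, c, d), h))


def md_pad(total_len):
    """MD-strengthening: 0x80, zeros, then the 64-bit bit length of the message."""
    pad = b"\x80" + b"\x00" * ((BLOCK_BYTES - 8 - (total_len + 1)) % BLOCK_BYTES)
    return pad + struct.pack("<Q", total_len * 8)


def md_chain(msg, iv=IV, prior_len=0):
    """Return [H_0, H_1, ..., H_t] with H_0 = iv and H_i = f(H_{i-1}, X_i).
    prior_len: bytes already absorbed into iv (0 for a fresh hash)."""
    data = msg + md_pad(prior_len + len(msg))
    chain = [iv]
    for off in range(0, len(data), BLOCK_BYTES):
        chain.append(compress(chain[-1], data[off:off + BLOCK_BYTES]))
    return chain


def md_hash(msg, iv=IV, prior_len=0):
    """h(X) = H_t, serialised as 16 bytes."""
    return struct.pack("<4I", *md_chain(msg, iv, prior_len)[-1])


# The three constructions from the slide, over the toy hash.
def mac_secret_prefix(key, msg):
    return md_hash(key + msg)


def mac_secret_suffix(key, msg):
    return md_hash(msg + key)


def mac_envelope(key, msg):
    return md_hash(key + msg + key)


def hmac_sha1(key, msg):
    """HMAC (Bellare et al.) with a real hash, from the standard library."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def tag_continues_without_key(key, msg, ext):
    """Check of the secret-prefix weakness: the tag of key||msg is the chaining
    state after the last block, so the tag of key||msg||pad||ext can be
    computed from (tag, len(key)+len(msg)) alone. Returns True if it matches."""
    tag = mac_secret_prefix(key, msg)
    known_len = len(key) + len(msg)          # only the key LENGTH is needed
    absorbed = known_len + len(md_pad(known_len))
    derived = md_hash(ext, iv=struct.unpack("<4I", tag), prior_len=absorbed)
    genuine = mac_secret_prefix(key, msg + md_pad(known_len) + ext)
    return derived == genuine


if __name__ == "__main__":
    k, m = b"\x11" * 16, b"amount=10"        # constructed sample inputs
    print("prefix   ", mac_secret_prefix(k, m).hex())
    print("suffix   ", mac_secret_suffix(k, m).hex())
    print("envelope ", mac_envelope(k, m).hex())
    print("HMAC-SHA1", hmac_sha1(k, m).hex())
    print("prefix tag extends without key:",
          tag_continues_without_key(k, m, b"&amount=999"))
```

Run the file directly to print the four tags; the last line reports whether the prefix tag could be continued without the key, which is True for this construction and is the reason the later slides put key material at both ends and inside the rounds.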
Description of the new hash algorithms
New hash algorithm - SMD
New hash function (SMD; Strengthened Message Digest)
- based on concrete design principles of the MD-family hash functions
- secure against known attacks
- the message expansion of SHA-1
- cryptographically strong Boolean functions similar to those of HAVAL
- distinguishing feature: data-dependent rotation, i.e. rotations by variable amounts that depend on the input message
New hash algorithm - SMD (cont.)
Notations
- word: 32-bit string
- block: 512-bit string used as input of the compression function
- +: addition modulo $2^{32}$ of two words
- X<<s: left rotation of X by s bits
- $X \wedge Y$: bitwise logical AND of X and Y
- $X \vee Y$: bitwise logical OR of X and Y
- $X \oplus Y$: bitwise logical XOR of X and Y
New hash algorithm - SMD (cont.)
Output length and chaining variable: 160-bit result
Initial value IV = (A, B, C, D, E):
  A = 0x67452301, B = 0xefcdab89, C = 0x98badcfe, D = 0x10325476, E = 0xc3d2e1f0
Constants:
  K1 = 0, K2 = 0x5a827999 ($\lfloor 2^{30}\sqrt{2} \rfloor$), K3 = 0x6ed9eba1 ($\lfloor 2^{30}\sqrt{3} \rfloor$), K4 = 0x8f1bbcdc ($\lfloor 2^{30}\sqrt{5} \rfloor$)
Expansion of message variables: a message word should affect as many steps as possible, so 8 message variables are additionally generated from the 16 input message words:
  $X_{i+16} = (X_i \oplus X_{i+2} \oplus X_{i+7} \oplus X_{i+12}) << 1, \quad i = 0, 1, \dots, 7$
New hash algorithm - SMD (cont.)
The order of message words applied to each round
- follows the design principle of RIPEMD-160
- the additionally generated words are sufficiently dispersed, and the same word is not close by in each round
- in each step of each round, the same message word is not used
- permutation of the 24 word positions (written $\sigma$ here):

  i       0   1   2   3   4   5   6   7   8   9  10  11
  σ(i)    4  21  17   1  23  18  12  10   5  16   8   0
  i      12  13  14  15  16  17  18  19  20  21  22  23
  σ(i)   20   3  22   6  11  19  15   2   7  14   9  13

- word index used at step i: Round 1: $i$, Round 2: $\sigma(i)$, Round 3: $\sigma^2(i)$, Round 4: $\sigma^3(i)$
New hash algorithm - SMD (cont.)
Step operation
- Boolean functions based on those of HAVAL, satisfying cryptographically good properties: 0-1 balanced, high nonlinearity, SAC (Strict Avalanche Criterion)
- for efficiency, f1 is used repeatedly
- step: $A := (f(A, B, C, D, E) + X_i + K) << s$, $B := B << 10$
- $f_0$, $f_1$, $f_2$: Boolean functions of the five variables $x_1, \dots, x_5$ (their expressions are not recoverable from the extracted slide)
- Boolean function used per round: Round 1: $f_0$, Round 2: $f_1$, Round 3: $f_2$, Round 4: $f_1$
New hash algorithm - SMD (cont.)
Rotation
- distinguishing feature: message-dependent rotations, i.e. variable rotation amounts that depend on the input message
- because the hash result then depends more strongly on the input message, the security can be improved
- the rotation amount is taken from message words different from those used in the step operation: $s = X_i \bmod 32$
- the order of the message words $X_i$ used for the rotation amounts differs from Round 1 to Round 4 (the exact orders are not recoverable from the extracted slide)
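The message expansion, the round word orders derived from the permutation table, the data-dependent rotation amount $s = X_j \bmod 32$ and the shape of the step operation, as an added Python example that is not code from the slides or the author. The 24-entry table, the expansion rule, the constants K1..K4 and the initial value are copied from the slides; everything else is an assumption made for illustration: the Boolean function is a stand-in because the slides' $f_0$, $f_1$, $f_2$ did not survive extraction, and the word supplying the rotation amount at step i of round r is taken from the order of round r+2, which guarantees it differs from the step's own word at every position.

```python
MASK32 = 0xFFFFFFFF

# Permutation sigma of the 24 word positions, copied from the slide's table.
SIGMA = [4, 21, 17, 1, 23, 18, 12, 10, 5, 16, 8, 0,
         20, 3, 22, 6, 11, 19, 15, 2, 7, 14, 9, 13]

# Round constants from the slide (K2..K4 are floor(2^30 * sqrt(2, 3, 5))).
K = [0x00000000, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC]

IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x, s):
    s %= 32
    return ((x << s) | (x >> (32 - s))) & MASK32 if s else x


def expand(words16):
    """X_{i+16} = (X_i ^ X_{i+2} ^ X_{i+7} ^ X_{i+12}) <<< 1, i = 0..7 (slide rule).
    X_16..X_19 feed the later equations, so the words are computed in order."""
    assert len(words16) == 16
    x = list(words16)
    for i in range(8):
        x.append(rotl(x[i] ^ x[i + 2] ^ x[i + 7] ^ x[i + 12], 1))
    return x


def sigma_power(p):
    """sigma^p as a list: position i -> sigma applied p times to i."""
    order = list(range(24))
    for _ in range(p):
        order = [SIGMA[i] for i in order]
    return order


def word_orders():
    """Round r (0..3) uses word index sigma^r(i) at step i, as on the slide."""
    return [sigma_power(r) for r in range(4)]


def rotation_amount(x, j):
    """Data-dependent rotation amount s = X_j mod 32 (slide)."""
    return x[j] % 32


def f_stand_in(a, b, c, d, e):
    """Assumption: a 5-input majority-style function in place of the slide's
    f_0/f_1/f_2, whose definitions are not recoverable from the extraction."""
    return ((a & b) | (b & c) | (c & d) | (d & e) | (e & a)) & MASK32


def step(state, x, word_idx, rot_idx, k):
    """One step: A := (f(A,B,C,D,E) + X_i + K) <<< s with s = X_j mod 32,
    B := B <<< 10, then the registers shift (A,B,C,D,E) -> (E,A,B,C,D)."""
    a, b, c, d, e = state
    s = rotation_amount(x, rot_idx)
    a = rotl((f_stand_in(a, b, c, d, e) + x[word_idx] + k) & MASK32, s)
    b = rotl(b, 10)
    return (e, a, b, c, d)


def compress(block_words16, h=IV):
    """Four rounds of 24 steps with a feed-forward of the chaining variable.
    Assumption: the rotation word for round r is the word of the same step in
    round r+2, so it always differs from X_i (sigma has no cycle of length 2)."""
    x = expand(block_words16)
    orders = word_orders()
    state = h
    for r in range(4):
        for i in range(24):
            state = step(state, x, orders[r][i], orders[(r + 2) % 4][i], K[r])
    return tuple((u + v) & MASK32 for u, v in zip(state, h))
```

`word_orders()` makes the schedule inspectable: each round's list is a permutation of 0..23, and positions where `orders[r][i]` and `orders[(r + 2) % 4][i]` coincide would mean the rotation amount and the step word come from the same message word, which this choice avoids.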
Compression Function of ISMD
Figure: the 512-bit input block $B_i$ (16 words) goes through message expansion to 24 words, which are applied in Round 1 to Round 4; the chaining variable $H_{i-1}$ enters Round 1 and the result after Round 4 is $H_i$.
Step Operation of ISMD
Figure: the registers A, B, C, D, E, the message word X[i], the constant K, the Boolean function $f_i$ and the rotation amounts S1 and S2 (taken from a message word X[j]) enter the step; A is updated from $f_i(A, B, C, D, E)$, X[i], K and a rotation by S1, and C is rotated by S2 (the exact step equation is not recoverable from the extracted slide).
New hash algorithm - SMD (cont.)
Security
- secure against the known attacks by den Boer and Bosselaers, and by Dobbertin
- data-dependent rotations frustrate differential cryptanalysis and linear cryptanalysis
- the best way to find a collision pair is the birthday attack; in such an attack the attacker prepares two sets of $2^{80}$ distinct messages and calculates their fingerprints
New hash algorithm - SMD (cont.)
Performance
- compares the performance of MD5, SHA-1, RIPEMD-160, HAVAL (5 passes, 160 bits) and our scheme
- implementation written in C on a Pentium (100 MHz)
- our scheme is about 27% faster than RIPEMD-160 and about 2% faster than SHA-1

  hash function               Mbits per second   relative performance
  MD5                         6.12               1.00
  SHA-1                       2.38               0.39
  RIPEMD-160                  1.77               0.29
  HAVAL (5 pass, 160-bit)     3.18               0.52
  Proposed algorithm          2.42               0.40
Secure hash function based on CA
Cellular Automata (CA)
- a linearly connected array of L cells and a Boolean function f(x) with q variables
- each cell takes the value 0 or 1; q = 2r + 1, where r is the radius of the function f(x)
- the new value of the i-th cell is calculated from the value of the i-th cell and the values of the r neighboring cells to the right and to the left of the i-th cell
- for L cells there are $2^L$ possible state vectors; $S_k$: state vector at time step k
- the state sequence forms a cycle, $S_{k+P} = S_k$; P: period, which is a function of the initial value, the updating function and the number of cells
Secure hash function based on CA (cont.)
CA with q = 3
- function f: the combinatorial logic associated with the CA updating rule for the transition to the next state: $x_i(t+1) = f\{x_{i-1}(t), x_i(t), x_{i+1}(t)\}$
- if the next-state function of a cell is expressed in the form of a truth table, the decimal equivalent of the output column of the truth table is called the CA rule number
- Rule 90: $x_i(t+1) = x_{i-1}(t) \oplus x_{i+1}(t)$
- Rule 60: $x_i(t+1) = x_{i-1}(t) \oplus x_i(t)$
- Rule 150: $x_i(t+1) = x_{i-1}(t) \oplus x_i(t) \oplus x_{i+1}(t)$
- Rule 204: $x_i(t+1) = x_i(t)$
Secure hash function based on CA (cont.)
Uniform and hybrid CA
- uniform CA: the same rule is applied to all cells of the CA; hybrid CA: otherwise
- boundary condition: null or periodic; null: the extreme cells are connected to logic '0'; periodic: the extreme cells are adjacent
- additive CA: the next-state transition rules employ only XOR or XNOR operations; uniquely represented by a transition matrix over GF(2); every transition matrix has a characteristic polynomial
Secure hash function based on CA (cont.)
L-cell additive CA with XOR operations
- characterized by an L x L Boolean matrix T; the i-th row specifies the neighborhood dependency of the i-th cell; x(t): column vector representing the state of the CA at time t
- next state of the CA: $x(t+1) = T \cdot x(t)$
- maximal-length CA: the characteristic polynomial of the CA is primitive; it generates all $2^L - 1$ states in successive cycles, excluding the all-zero state
- programmable CA (PCA): realizing different CA configurations on the same structure can be achieved using control logic
Secure hash function based on CA (cont.)
Example of PCA: Rule 90 and Rule 150
Figure: cell #i with a control signal; if the control signal is '0', Rule 90 is applied; if the control signal is '1', Rule 150 is applied.
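The CA machinery of the last five slides, as an added Python example (not code from the slides): a rule evaluator that applies any Wolfram rule number by truth-table lookup, null and periodic boundaries, hybrid rule vectors, the 90/150 programmable cell, the GF(2) transition matrix T read off by stepping unit vectors so that $x(t+1) = T \cdot x(t)$, and a period check that identifies maximal-length configurations. The rule vector [90, 90, 150] used below is constructed here, not taken from the slides; the code verifies that its period is $2^3 - 1 = 7$.

```python
import itertools


def rule_bit(rule, left, center, right):
    """Output of a q = 3 rule given by its Wolfram number: the truth-table
    column is indexed by the 3-bit neighbourhood (left, center, right)."""
    return (rule >> ((left << 2) | (center << 1) | right)) & 1


def neighbours(state, i, boundary):
    L = len(state)
    if boundary == "periodic":            # extreme cells are adjacent
        return state[(i - 1) % L], state[(i + 1) % L]
    # null boundary: extreme cells see logic 0
    return (state[i - 1] if i > 0 else 0), (state[i + 1] if i < L - 1 else 0)


def ca_step(state, rules, boundary="null"):
    """One time step of a hybrid CA: cell i uses rules[i]. A uniform CA is the
    special case rules = [r] * L."""
    out = []
    for i, c in enumerate(state):
        l, r = neighbours(state, i, boundary)
        out.append(rule_bit(rules[i], l, c, r))
    return tuple(out)


def pca_step(state, control):
    """Programmable CA of the slide: control bit 0 -> Rule 90, 1 -> Rule 150."""
    return ca_step(state, [150 if bit else 90 for bit in control])


def transition_matrix(rules, boundary="null"):
    """T over GF(2) for an additive CA: column j of T is the successor of the
    unit vector e_j, so that x(t+1) = T x(t)."""
    L = len(rules)
    cols = [ca_step(tuple(1 if k == j else 0 for k in range(L)), rules, boundary)
            for j in range(L)]
    return [[cols[j][i] for j in range(L)] for i in range(L)]   # T[i][j]


def matvec_gf2(T, x):
    return tuple(sum(T[i][j] & x[j] for j in range(len(x))) & 1 for i in range(len(T)))


def period(state, rules, boundary="null", limit=1 << 16):
    """Smallest P > 0 with S_{k+P} = S_k, or None if the orbit does not return
    to the start within the limit (e.g. a state on a transient)."""
    s = ca_step(state, rules, boundary)
    for p in range(1, limit + 1):
        if s == state:
            return p
        s = ca_step(s, rules, boundary)
    return None


def is_maximal_length(rules, boundary="null"):
    """Maximal-length CA: every non-zero state lies on one cycle of length
    2^L - 1, so the orbit of any non-zero seed has exactly that period."""
    L = len(rules)
    seed = tuple([1] + [0] * (L - 1))
    return period(seed, rules, boundary) == (1 << L) - 1


def maximal_length_90_150(L, boundary="null"):
    """Exhaustively search the 90/150 hybrid rule vectors of length L."""
    return [list(v) for v in itertools.product((90, 150), repeat=L)
            if is_maximal_length(list(v), boundary)]
```

`maximal_length_90_150(4)` enumerates the 16 rule vectors of a 4-cell 90/150 CA and keeps those whose orbit has period 15; the same search at the slide's n = 160 is not feasible this way, which is why such configurations are chosen from primitive characteristic polynomials instead.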
Secure hash function based on CA (cont.)
Applications of CA
- design of block ciphers, stream ciphers and hash functions
- first cryptographic application of CA: Crypto '85, Wolfram
- 1994: Nandi et al. proposed block and stream ciphers based on CA
- hash functions based on CA: first proposal by Damgard
- 1991: Daemen analyzed the vulnerability of Damgard's scheme and proposed a new CA-based hash function
- 1997: Hirose proposed a hash function based on two-dimensional CA
- 1998: Mihaljevic proposed a CA-based hash function; the compression function is the combination of a nonlinear function and a PCA, and the output function is a key stream generator
Secure hash function based on CA (cont.)
- uses the Davies-Meyer type compression function: $H_i = h(M_i, H_{i-1}) = F_{M_i}(H_{i-1}) \oplus H_{i-1}$
- implies a secure hash function construction, assuming that the compression function and the output function are secure
- the compression function and the output function are based on CA
- features of the CA-based hash function: very fast hashing; the application of CA theory for the security analysis; preimage and collision resistance due to the employed principles and building blocks
Secure hash function based on CA (cont.)
Notations
- n: output length of the hash function (n = 160 bits)
- l: an integer such that n/l is also an integer (l = 8 bits)
- $\phi_k$ (k = 0, 1, ..., 4; written $\phi_k$ here): nonlinear Boolean functions, each of which maps five l-dimensional binary vectors (A, B, C, D, E) into an l-dimensional binary vector; 0-1 balanced, high nonlinearity, satisfying SAC, pairwise linearly non-equivalent; built from the bitwise operations AND (&), OR (|), XOR (^) and NOT (their exact expressions are not recoverable from the extracted slide)
Secure hash function based on CA (cont.)
Notations (cont.)
- CA(·): a maximal-length CA
- $PCA_{XY}(\cdot)$: a PCA controlled by the binary vectors X and Y; the configuration rules applied are as follows:
  - if the i-th bit of both X and Y is 0, Rule 204 is applied to the i-th PCA cell
  - if the i-th bit of X is 0 and the i-th bit of Y is 1, Rule 60 is applied to the i-th PCA cell
  - if the i-th bit of X is 1 and the i-th bit of Y is 0, Rule 102 is applied to the i-th PCA cell
  - if the i-th bit of both X and Y is 1, Rule 150 is applied to the i-th PCA cell
Secure hash function based on CA (cont.)
Notations (cont.)
- $M_i$: the i-th 4n-bit block of the input message
- $H_i$: the n-bit chaining variable after the i-th iteration
Figure: PCA cell #i with its neighbours cell #i-1 and cell #i+1, controlled by the bits $X_i$ and $Y_i$.
Secure hash function based on CA (cont.)
Message padding
- the hash function has a variable-length hash result; the message padding is the same as for existing hash functions, except that the bit length of the hash result is appended to the end of the message
- a 2-byte output length L is appended after the length of the original message (8 bytes)
Compression function f()
- input: a 4n-bit message block $M_i$ and an n-bit chaining variable $H_{i-1}$; output: the n-bit chaining variable $H_i$
- $f(M_i, H_{i-1}) = PCA_{XY}(Z) \oplus H_{i-1}$
Secure hash function based on CA (cont.)
Compression function f() (cont.)
- $M_i$ and $H_{i-1}$ are split into successive non-overlapping l-bit blocks $M_{i,k}$ and $H_{i-1,k}$, respectively
- using the two inputs $M_i$ and $H_{i-1}$, the n-bit values X, Y and Z are computed by the following procedure:
  (1) compute an n-bit X: $X_k = \phi_{k \bmod 5}(\dots)$, $k = 0, 1, \dots, n/l$, over l-bit blocks of $M_i$ and $H_{i-1}$ and the l-bit constants $C_k$, k = 0, 1, ..., 9 (the exact argument list is not recoverable from the extracted slide)
  (2) compute an n-bit Y: $Y = CA(X)$
Secure hash function based on CA (cont.)
  (3) apply X, Y and $H_{i-1}$ to the PHT (Pseudo-Hadamard Transform): split the n-bit X, Y and $H_{i-1}$ into the 8-bit blocks $X_1, \dots, X_{n/8}$, $Y_1, \dots, Y_{n/8}$ and $H_{i-1,1}, \dots, H_{i-1,n/8}$, respectively, and apply $PHT(a, b) = (2a + b, a + b) \bmod 2^8$ to the pairs $(X_j, H_{i-1,j})$, $(X_j, X_k)$, $(H_{i-1,j}, Y_j)$ and $(Y_j, Y_k)$ over the index ranges $j = 1, 2, \dots, n/16$ and $j = n/16 + 1, \dots, n/8$ (which pair uses which range is not recoverable from the extracted slide)
  (4) compute an n-bit V: $V_k = \phi_{k \bmod 5}(\dots)$, $k = 0, 1, \dots, n/l$, over l-bit blocks of X, $M_i$, $H_{i-1}$ and Y (the exact argument list is not recoverable from the extracted slide)
  (5) compute an n-bit Z: $Z = CA(V)$
Secure hash function based on CA (cont.)
Output function g()
  (1) load $H_m$ as the initial value of the PCA
  (2) use the X, Y, V, Z computed when the last $H_m$ is computed; split the n-bit X, Y, V, Z into the 8-bit blocks $X_1, \dots, X_{n/8}$, $Y_1, \dots, Y_{n/8}$, $V_1, \dots, V_{n/8}$ and $Z_1, \dots, Z_{n/8}$, respectively, and apply the PHT to the pairs $(X_j, V_j)$, $(V_j, Y_j)$, $(Y_j, Z_k)$ and $(Z_j, X_k)$ (index ranges as in the compression function; not recoverable in full from the extracted slide)
  (3) run the following for the output length L, where each cycle outputs the middle bit of the state of $PCA_{XY}(H_m)$: $X = CA(X)$, $Y = CA(Y)$, $PCA_{XY}(H_m)$
Secure hash function based on CA (cont.)
Hash function h()
- input: message M, n-bit initial value IV
- preprocessing: MD-strengthening and padding; splitting the message into m blocks of 4n bits, $M = (M_1, M_2, \dots, M_m)$
- iterative processing: $H_0 = IV$; for i = 1, 2, ..., m calculate the compression function $H_i = f(M_i, H_{i-1})$
- if $H_m$ is the all-zero vector, recalculate $H_m = f(M_m, H_0)$
- output function: calculate $g(H_m)$
- output: L-bit message digest $h(M) = g(H_m)$
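The iteration just described, as an added Python illustration that is not the authors' implementation: a Davies-Meyer compression function of the form $PCA_{XY}(Z) \oplus H_{i-1}$, padding that appends the output length, the all-zero check on $H_m$, and an output function that emits one bit per cycle. Sizes and mixing are assumptions chosen to keep it small: n = 16 instead of 160, a constructed hybrid 90/150 rule vector and a constructed IV for CA(·), the $PCA_{XY}$ rule table from the slide, the 8-bit PHT $(a, b) \mapsto (2a + b, a + b) \bmod 256$ in place of the slide's $\phi_k$ steps (whose expressions did not survive extraction), and a 16-bit length field plus an 8-bit L field in place of the 8-byte and 2-byte fields.

```python
N = 16                                         # assumption: toy n (the slide uses n = 160)
IV = [1, 0] * (N // 2)                         # constructed initial value
RULES = [150 if i % 3 == 2 else 90 for i in range(N)]   # constructed hybrid vector for CA(.)
PCA_RULE = {(0, 0): 204, (0, 1): 60, (1, 0): 102, (1, 1): 150}   # PCA_XY table from the slide


def rule_bit(rule, l, c, r):
    """Wolfram rule lookup: truth-table column indexed by (left, center, right)."""
    return (rule >> ((l << 2) | (c << 1) | r)) & 1


def ca_step(bits, rules):
    """One null-boundary step; rules[i] is the rule of cell i."""
    L = len(bits)
    return [rule_bit(rules[i], bits[i - 1] if i else 0, bits[i],
                     bits[i + 1] if i + 1 < L else 0) for i in range(L)]


def ca(bits, cycles=N):
    """CA(.): run the fixed hybrid CA for a number of cycles."""
    for _ in range(cycles):
        bits = ca_step(bits, RULES)
    return bits


def pca_xy(bits, x, y):
    """PCA_XY(.): cell i uses the rule selected by the control bits (X_i, Y_i)."""
    return ca_step(bits, [PCA_RULE[(x[i], y[i])] for i in range(len(bits))])


def xor(p, q):
    return [a ^ b for a, b in zip(p, q)]


def pht_mix(a_bits, b_bits):
    """PHT on 8-bit chunks, (a, b) -> (2a + b, a + b) mod 256; both results
    are concatenated, so two k-bit inputs give 2k output bits."""
    out = []
    for k in range(0, len(a_bits), 8):
        a = int("".join(map(str, a_bits[k:k + 8])), 2)
        b = int("".join(map(str, b_bits[k:k + 8])), 2)
        out += [int(ch) for ch in f"{(2 * a + b) & 0xFF:08b}{(a + b) & 0xFF:08b}"]
    return out


def compress(m_block, h_prev):
    """f(M_i, H_{i-1}) = PCA_XY(Z) xor H_{i-1}. The X and V derivations are a
    stand-in for the slide's phi_k steps; Y = CA(X) and Z = CA(V) as on the slide.
    Returns (H_i, X, Y) because g() reuses the last X and Y."""
    m = [m_block[k * N:(k + 1) * N] for k in range(4)]   # four n-bit parts of the 4n-bit block
    x = xor(pht_mix(m[0][:N // 2], h_prev[:N // 2]), m[1])
    y = ca(x)
    v = xor(pht_mix(y[N // 2:], h_prev[N // 2:]), m[2])
    z = ca(xor(v, m[3]))
    return xor(pca_xy(z, x, y), h_prev), x, y


def pad(bits, out_len):
    """MD-strengthening plus the output length: a 1 bit, zeros, the message
    bit length (16 bits here; 8 bytes on the slide) and L (8 bits here; 2 bytes)."""
    padded = list(bits) + [1]
    while (len(padded) + 24) % (4 * N):
        padded.append(0)
    padded += [int(ch) for ch in f"{len(bits) & 0xFFFF:016b}{out_len & 0xFF:08b}"]
    return padded


def finalize(h_m, x, y, last_block, h0):
    """Slide rule: if H_m is the all-zero vector, recalculate H_m = f(M_m, H_0)."""
    if not any(h_m):
        return compress(last_block, h0)
    return h_m, x, y


def output_function(h_m, x, y, out_len):
    """g(): load H_m into the PCA; every cycle update X = CA(X), Y = CA(Y),
    step PCA_XY and output the middle bit of the PCA state, L times."""
    state, out = list(h_m), []
    for _ in range(out_len):
        x, y = ca_step(x, RULES), ca_step(y, RULES)
        state = pca_xy(state, x, y)
        out.append(state[N // 2])
    return out


def hash_bits(msg_bits, out_len, iv=IV):
    data = pad(msg_bits, out_len)
    blocks = [data[k:k + 4 * N] for k in range(0, len(data), 4 * N)]
    h = list(iv)
    for blk in blocks:                           # H_i = f(M_i, H_{i-1})
        h, x, y = compress(blk, h)
    h, x, y = finalize(h, x, y, blocks[-1], list(iv))
    return output_function(h, x, y, out_len)     # h(M) = g(H_m), L bits


def hash_bytes(msg, out_len):
    """Byte wrapper; out_len must be a multiple of 8."""
    bits = [int(ch) for b in msg for ch in f"{b:08b}"]
    out = hash_bits(bits, out_len)
    return bytes(int("".join(map(str, out[k:k + 8])), 2) for k in range(0, out_len, 8))
```

Because L is part of the padding, `hash_bytes(msg, 32)` is not a prefix of `hash_bytes(msg, 40)`: the variable-length result is a distinct function per output length, which is the property the padding rule on the earlier slide is there to give.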
Block Diagram of CA-based Hash Function
Figure: the original input M is padded to the formatted input $M_1 M_2 \dots M_t$; each block $M_i$ and the chaining variable $H_{i-1}$ (with $H_0 = IV$) enter the compression function f, which computes $H_i = PCA_{XY}(Z) \oplus H_{i-1}$; the final $H_t$ enters the output function g, whose result is the hash value.
Secure hash function based on CA (cont.)
- the security of the proposed hash function is determined by the security of its compression function and output function; the following imply the security of the compression function:
  - the CA has a primitive characteristic polynomial and therefore maximal length
  - the patterns generated by maximal-length CAs meet the cryptographic criteria
  - high nonlinearity due to the employed Boolean functions and PCA
  - the so far known methods for reconstructing a CA/PCA state cannot work in f()
  - the compression function is a cryptographic transformation
- given an f() output, finding a preimage requires about $2^n$ operations and finding a collision requires about $2^{n/2}$ operations
Secure hash function based on CA (cont.)
The security of the output function g()
- a key stream generator consisting of two stages using CA and PCA
- it has a primitive characteristic polynomial and therefore maximal length; high nonlinearity due to the employed PCA; a cryptographic transformation
- for a given n-bit hash value, finding the input of g(), i.e. $H_m$, requires about $2^n$ operations and finding a collision requires about $2^{n/2}$ operations
For an n-bit hash value, the security of the proposed hash function:
- finding a preimage requires about $2^n$ operations
- finding a collision requires about $2^{n/2}$ operations
Secure hash function based on CA (cont.)
Computational complexity of the compression function
- Boolean functions n/5l times and mod 256 additions 2n/l times
- n-bit CA (= 3n XOR operations)
- mod 256 additions 8n/16 times and 1-bit left shifts 4n/16 times
- Boolean functions n/5l times and mod 256 additions 2n/l times
- n-bit CA (= 3n XOR operations)
- n-bit $PCA_{XY}$ (= 3n XOR operations)
- n-bit XOR operations
- in total: mod 256 additions (4n/l + n/2) times, 1-bit left shifts n/4 times, two n-bit CA calculations, one n-bit PCA computation, bitwise AND 30n/5l times, bitwise XOR 26n/5l times, bitwise OR 4n/5l times, NOT 2n/5l times, and n-bit XOR computations
Secure hash function based on CA (cont.)
Computational complexity of the output function
- mod 256 additions 8n/16 times and 1-bit left shifts 4n/16 times
- 2L-cycle CA and L-cycle $PCA_{X'Y'}$ (L: bit length of the hash result)
Complexity for processing m message blocks (n = 160, l = 8, L = n): 80(2m+1) mod 256 additions + 40(m+1) 1-bit left shifts + (2m+320) CA + (m+160) PCA + 248m bitwise logical operations + m 160-bit XORs
Memory requirement: 4n bits for $M_i$, n bits for $H_i$, 4n bits for X, Y, V, Z, and an n-bit temporary buffer => in total 10n bits of memory are required
Secure hash function based on CA (cont.)
Comparison with Daemen's, Hirose's and Mihaljevic's schemes
- Daemen's scheme: uses a nonlinear CA and a linear CA
- Hirose's scheme: employs two nonlinear CA
- the nonlinear CA used belong to a class of nonlinear CA for which an algorithm for inverting the CA iterations was published recently
- the compression function of the proposed hash function employs the Davies-Meyer type and the combined form of nonlinear functions and PCA
- more secure than Daemen's scheme and Hirose's scheme
- both schemes do not employ an output function, but the proposed hash function has an output function based on CA/PCA
Secure hash function based on CA (cont.)
Mihaljevic's scheme
- employs the Davies-Meyer type compression function and a cascade of the nonlinear function and PCA
- requires ROM and memory read operations for the nonlinear functions (similar to the S-boxes of DES)
- employs $PCA_X()$ controlled by the binary vector X
- output function: PCA-based key stream generator
The proposed scheme
- employs 5-variable Boolean functions which use only bitwise logical operations
- uses the more complex $PCA_{XY}()$, which applies one of four cases depending on the binary vectors X and Y
- output function: the combination of CA and PCA
Secure hash function based on CA (cont.)
The computational complexity, for n = 160, l = 8, k = 3
Mihaljevic's scheme
- the compression function:
  - 40 ROM reads
  - 20 ROM reads
  - 160-bit CA (= 480 XOR operations)
  - 20 ROM reads
  - 160-bit PCA (= 480 XOR operations)
  - 160 XOR operations
- the output function:
  - 160 mod additions, 160 ROM reads, a 160-cycle PCA operation, and a 160-bit permutation
Secure hash function based on CA (cont.)
The proposed scheme
- the compression function:
  - 40 mod 256 additions and 124 XOR operations
  - 160-bit CA (= 480 XOR operations)
  - 80 mod 256 additions and 40 1-bit shifts
  - 40 mod 256 additions and 124 XOR operations
  - 160-bit CA (= 480 XOR operations)
  - 160-bit PCA (= 480 XOR operations)
  - 160 XOR operations
- the output function:
  - 80 mod 256 additions and 40 1-bit shifts
  - a 360-cycle CA operation and a 160-cycle PCA operation
Secure hash function based on CA (cont.)
- when processing the compression function, the proposed scheme processes 4n bits of input data while Mihaljevic's scheme processes 2n bits of input data
- when processing the same length of input data, Mihaljevic's scheme therefore computes the compression function twice as often as the proposed scheme
- assuming 640 bits of input data: Mihaljevic's scheme: 80 ROM reads + 2240 XOR operations; proposed scheme: 160 mod 256 additions + 40 1-bit shifts + 1848 XOR operations
Secure hash function based on CA (cont.)
Memory requirement for n = 160, l = 8, k = 3
- Mihaljevic's scheme: about 1546 Kbits of ROM and an 800-bit buffer
- proposed scheme: about a 1600-bit buffer
- however, the proposed scheme has more complex control logic than Mihaljevic's scheme, and the implementation complexity is increased due to the PHT and the nonlinear functions
- the proposed scheme has a variable-length hash result and can be used in various applications
The MAC (Message Authentication Code) using the proposed hash algorithms
The MAC construction using SMD
Design goals
- the secret key should be involved at the beginning and end, and at every iteration of the hash function
- the deviation from the original hash function should be minimal, in order to minimize the implementation effort and to maximize the confidence previously gained
- the performance should be close to that of the hash function
- the additional memory requirements should be minimized
- the approach should be generic, i.e. it should apply to any MD-family hash function
The MAC construction using SMD (cont.)
Key extraction
- concatenate K to itself a sufficient number of times and build a 512-bit block; apply it to the hash function and construct the 160-bit key used in the MAC: $k = hash(K)$
Generating random permutations of the order of message words
- use the leftmost 10 bytes ($k_1$) of the 160-bit key k (in practice, 75 bits)
- use the Knuth algorithm, which bijectively maps any permutation of size m to an integer between 0 and m! - 1
- after applying the Knuth algorithm to the permutation that corresponds one-to-one to the random number generated from the linear congruential equation, compose the two resulting permutations and use the composition as the order of message words
The MAC construction using SMD (cont.)
Residue of the permutation equations, which are not recoverable in full from the extracted slide: [Round 1] and [Round 2] each compute two values $p_1$ and $p_2$ reduced mod 24!, and the word order of the round is obtained from the permutations $Q(k, p)$ and $Q(X, p)$ of those values.
The MAC construction using SMD (cont.)
Modifying the constants
- take the 8 bytes ($k_2$) next to $k_1$
- split them into four 16-bit substrings; each substring is concatenated to itself repeatedly in order to build a 32-bit word
- each word is added mod $2^{32}$ to the constant used in the corresponding round
Computing the MAC
- key elements are prepended and appended to the message M: $MAC = hash(\text{key element from } k \text{ and 0x5c} \,\|\, M \,\|\, \text{key element from } k \text{ and 0x36})$ (the exact form of the key elements is not recoverable from the extracted slide)
- the MAC result is the leftmost m bits of the hash value; m = n/2 is recommended for most applications
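The key-handling steps of the construction (key extraction, Knuth's bijection between integers and permutations, the round-constant modification and the final envelope-style hash) as one added Python example. It is not the authors' code: SHA-1 from the standard library stands in for the 160-bit hash SMD, so the word order and modified constants are computed but cannot be fed into SHA-1's internals the way SMD would consume them; the linear congruential equation's parameters, the composition order of the two permutations, the use of all 80 bits of $k_1$ (the slide uses 75) and the exact key elements prepended and appended (one block each, built here from k and the constants 0x5c and 0x36) are assumptions, while the 24! modulus, the 10-byte $k_1$, the 8-byte $k_2$, the constants K1..K4 and the m = n/2 truncation follow the slides.

```python
import hashlib
from math import factorial

BLOCK = 64                       # 512-bit hash block (slide)
K_ROUND = [0x00000000, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC]   # K1..K4 from the slide
M_WORDS = 24                     # 24 word positions per round -> permutations mod 24!
MODULUS = factorial(M_WORDS)
LCG_A, LCG_C = 6364136223846793005, 1442695040888963407     # assumption: LCG parameters


def hash160(data):
    """Stand-in for SMD: any 160-bit MD-family hash; SHA-1 here."""
    return hashlib.sha1(data).digest()


def key_extraction(K):
    """Repeat K to fill one 512-bit block and hash it: k = hash(K)."""
    block = (K * (BLOCK // len(K) + 1))[:BLOCK]
    return hash160(block)


def unrank(r, m):
    """Knuth's bijection: integer in [0, m!) -> permutation of range(m), via
    the factorial number system (digit d_i in [0, i) from repeated divmod)."""
    digits = []
    for i in range(1, m + 1):
        r, d = divmod(r, i)
        digits.append(d)
    pool = list(range(m))
    return [pool.pop(d) for d in reversed(digits)]


def rank(perm):
    """Inverse of unrank: permutation -> its integer in [0, m!)."""
    pool, r = list(range(len(perm))), 0
    for p in perm:
        d = pool.index(p)
        pool.pop(d)
        r = r * (len(pool) + 1) + d
    return r


def compose(p, q):
    """(p o q)(i) = p[q[i]]."""
    return [p[i] for i in q]


def word_order_from_key(k1):
    """Leftmost 10 bytes k1 -> p1 = k1 mod 24!, p2 from one linear congruential
    step (assumed parameters), then the composition of the two permutations."""
    p1 = int.from_bytes(k1, "big") % MODULUS
    p2 = (LCG_A * p1 + LCG_C) % MODULUS
    return compose(unrank(p1, M_WORDS), unrank(p2, M_WORDS))


def modified_constants(k2):
    """Split the 8-byte k2 into four 16-bit substrings, repeat each to 32 bits
    and add it mod 2^32 to the round constant of the same round."""
    assert len(k2) == 8
    out = []
    for r in range(4):
        sub = int.from_bytes(k2[2 * r:2 * r + 2], "big")
        word = (sub << 16) | sub
        out.append((K_ROUND[r] + word) & 0xFFFFFFFF)
    return out


def key_schedule(K):
    """Everything SMD would take from the key: k, the word order and the constants."""
    k = key_extraction(K)
    return {"k": k, "order": word_order_from_key(k[:10]),
            "constants": modified_constants(k[10:18])}


def mac(K, msg, m_bits=80):
    """MAC = leftmost m bits of hash(prefix || M || suffix), m = n/2 = 80.
    prefix/suffix: one block each (assumption), from k xor 0x5c.. and k xor 0x36.."""
    k = key_extraction(K)
    prefix = (bytes(b ^ 0x5C for b in k) * 4)[:BLOCK]
    suffix = (bytes(b ^ 0x36 for b in k) * 4)[:BLOCK]
    return hash160(prefix + msg + suffix)[:m_bits // 8]
```

`rank` and `unrank` are exact inverses, which is the property the slide relies on when it calls the mapping a bijection; `unrank(MODULUS - 1, 24)` is the reversed order, and the conversion needs only the one multiprecision divmod chain the next slide counts as overhead.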
The MAC construction using SMD (cont.)
The computational overhead of the proposed MAC
- one block operation for the key extraction
- two blocks prepended and appended to the message
- generating the random permutations for the order of message words requires a multiprecision operation to convert the 75-bit $k_1$ into the factorial number system: one division (multiprecision / int) and one modulo operation (multiprecision mod int)
- only 10% slower than the original hash function
Security
- in the final step, the key elements prepended and appended to the message are similar to the envelope method
The MAC construction using SMD (cont.)
- adding a key component to the constants provides additional protection over the envelope method
- in each round, the random permutation of the order of message words is a trapdoor one-way function; the probability that the order of message words is equal or reversed to that of the previous round is negligible
- the 160-bit key K is secure against exhaustive search
- the 160-bit key K has an advantage compared with the 672 bits (160 + 512) previously proposed for the envelope method
- if the MAC result has m = n/2 bits, a forgery attack on the proposed MAC requires $O(2^m/(s+1))$ chosen text-MAC pairs and $O(2^m/(s+1))$ known texts
- strong against attacks exploiting the internal structure of the hash function
- the order of message words applied to each round is kept secure
Concluding Remarks
Concluding Remarks
Proposed new hash functions
- SMD, based on the design principles of the existing MD-family hash functions
  - processes a message of arbitrary length in 512-bit blocks and outputs a 160-bit message digest
  - 4 rounds, each round executing 24 step operations
  - message expansion and cryptographically strong Boolean functions
  - data-dependent rotation improves the security, because the hash result depends more strongly on the input message
- CA-based hash function
  - compression function and output function constructed from cellular automata (CA)
  - processed fast in a hardware implementation
  - the application of CA theory for the security analysis
  - pre-image and collision resistance due to the employed principles and building blocks
Concluding Remarks (cont.)
Proposed MAC
- the secret key should be involved at the beginning and end, and at every iteration of the hash function
- the deviation from the original hash function should be minimal, in order to minimize the implementation effort and to maximize the confidence previously gained
- the performance should be close to that of the hash function
- the additional memory requirements should be minimized
- the approach should be generic, i.e. it should apply to any MD-family hash function
Thanks a lot !!!

Appendix figures
- Compression Function of MD4
- Compression Function of MD5
- Compression Function of RIPEMD-160
- Compression Function of SHA-1
- The structure of the proposed MAC: the key K is hashed, hash(K) giving the 160-bit hash result k; its leftmost 10 bytes $k_1$ are used for generating the random permutations for the order of message words, and the next 8 bytes $k_2$ are used for modifying the constants.