Cryptography 7. Hash functions (turul/crypto_prez7.pdf, 2019. 12. 13.)


  • Cryptography 7. Hash functions

  • Hash functions in data structures

    A hash function is a compression function on arbitrary-length input: H : {0, 1}* → {0, 1}^k for k = 128, 160, 256, etc.

    Classical application: data structures
    Storing a set of elements in a table of length k
    Achieving O(1) insertion and lookup time
    The element x is stored in table cell H(x)
    Retrieve x by computing H(x) and checking the respective cell

    Collision: x ≠ x′ with H(x) = H(x′)
    A hash function is „good” if there are few collisions, i.e. it spreads the elements well

  • Hash functions in cryptography

    Compressing data
    Few collisions
    Collision resistance in data structures: desired only; in cryptography: crucial

    In data structures x and H(.) are independent
    In cryptography the adversary can choose x arbitrarily to cause a collision
    Cryptographic hash functions are harder to construct...

  • Hash functions in cryptography

    Definition
    A collision in a function H(.) is a pair of inputs x ≠ x′ such that H(x) = H(x′).
    A function H(.) is collision resistant if any PPT adversary can find a collision with negligible probability only.
    A function H(.) is a hash function if H : {0, 1}* → {0, 1}^n.

    Weaker notions of security:
    1. Collision resistance: see above
    2. Second pre-image resistance: given x, it is infeasible for a PPT adversary to find x′ ≠ x : H(x′) = H(x)
    3. Pre-image resistance: given y = H(x) for random (and unknown) x, it is infeasible for a PPT adversary to find x′ : H(x′) = y (in other words, it is a one-way function)

  • Hash functions in cryptography

    Design principles
    Collision resistance
    Second pre-image resistance
    Pre-image resistance
    Avalanche effect: a small change in the input ⇒ a large change in the output
    Strict avalanche criterion: if a single input bit is complemented ⇒ every output bit changes with probability 1/2
    Bit independence criterion: ∀ i, j, k: if a single input bit i is complemented ⇒ output bits j, k change independently

  • Attacks and weaknesses

    Theorem (Birthday paradox)
    Let x_1, ..., x_n ∈_R {1, ..., d} be uniform random values. Then
    P(∃ i, j ∈ {1, ..., n} : i ≠ j, x_i = x_j) ≈ 1 − e^{−n(n−1)/(2d)}

    Birthday attack
    For a hash function H : {0, 1}* → {0, 1}^n a collision can be found with probability 1/2 by computing 2^{n/2} hash values.
    Significantly faster than brute force ⇒ n ≥ 160
    If a collision can be found faster than by the birthday attack ⇒ the hash is „broken”
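To make the birthday bound concrete, here is an added Python example (not from the slides) that evaluates the formula above and runs the birthday search against a toy n = 32-bit hash; SHA-256 truncated to 32 bits is an assumed stand-in for an n-bit H. The collision appears after roughly 2^{n/2} = 2^16 evaluations, as the slide predicts.

```python
import hashlib
import math

def collision_probability(n: int, d: int) -> float:
    """Birthday bound of the slide: P(some x_i = x_j) ~ 1 - exp(-n(n-1) / (2d))."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * d))

def truncated_hash(data: bytes, nbits: int) -> int:
    """Toy nbits-bit hash: SHA-256 truncated to its top nbits bits (assumed stand-in for H)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - nbits)

def birthday_collision(nbits: int) -> tuple:
    """Hash the counters 0, 1, 2, ... until two distinct inputs share a digest.

    Returns (x, x_prime, hashes_computed). Remembering every digest seen so far is
    what brings the cost down to about 2^(nbits/2) evaluations, instead of the
    2^nbits needed to hit one specific target value.
    """
    seen = {}
    x = 0
    while True:
        data = x.to_bytes(8, "big")
        y = truncated_hash(data, nbits)
        if y in seen:
            return seen[y], data, x + 1
        seen[y] = data
        x += 1

if __name__ == "__main__":
    nbits = 32
    x, x_prime, tries = birthday_collision(nbits)
    print(f"{x.hex()} and {x_prime.hex()} collide on {nbits} bits after {tries} hashes "
          f"(2^(n/2) = {2 ** (nbits // 2)})")
    print(f"predicted P(collision) after 2^(n/2) hashes: "
          f"{collision_probability(2 ** (nbits // 2), 2 ** nbits):.3f}")
```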

  • Attacks and weaknesses

    Sophisticated collision attacks: birthday paradox + cryptanalysis
    Chosen-prefix attack: given two prefixes p1 ≠ p2, find m1, m2 : H(p1||m1) = H(p2||m2).
    Specific to Merkle-Damgård
    Real-world attacks against MD5-based implementations

  • Attacks and weaknesses

    Length-extension attack
    Given the hash value H(m) and the message length |m|, compute H(m||m′) for some m′ chosen by the attacker.
    Padding-based attack: H(data||padding) ⇒ H(data||padding||OurData||NewPadding)
    Merkle-Damgård is vulnerable: attacks on MD5, SHA-1, SHA-2

  • Attacks and weaknesses

    Rainbow tables: find a preimage using a precomputed table of hash chains.
    Application: password recovery
    Storing the input-output pairs of hash-reduction chains
    Searching for identical output values

    Rainbow table with 3 reduction functions, for Wikipedia created by User:Dake

  • Attacks and weaknesses

    Side-channel attacks: any attack based on information obtained from the implementation of a given cryptosystem instead of weaknesses in the algorithm itself.
    Timing information
    Power consumption
    Electromagnetic leaks
    Sound
    Statistical methods

  • Merkle-Damgård transform

    Practical constructions handle fixed-length input only
    Methodology to construct a full-fledged hash function
    Let h : {0, 1}^{2n} → {0, 1}^n be a fixed-length hash function and m ∈ {0, 1}* with |m| = ℓ < 2^n

    Then the following H(.) is a variable-length hash function:
    1. Split m into blocks of length n, i.e. let b := ⌈ℓ/n⌉ and m = (m_1|m_2|...|m_b)
    2. Set m_{b+1} := ℓ ∈ {0, 1}^n, z_0 := 0^n
    3. For i = 1, ..., b + 1 compute z_i := h(z_{i−1}|m_i)
    4. H(m) := z_{b+1}

  • Merkle-Damgård transform


    Practice: it is enough to consider fixed-length constructions
    Theory: the amount of compression is not important
    Initialization vector IV: z_0 can be chosen freely
    Security: if h(.) is collision resistant then H(.) is collision resistant as well
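The transform above, together with the length-extension attack from the earlier slide, as an added Python example (not from the slides): the toy compression function h is SHA-256 truncated to n = 128 bits, an assumed stand-in, and ℓ is encoded as one n-bit block. length_extend() reproduces the slide's H(data||padding) ⇒ H(data||padding||OurData||NewPadding) from H(m) and |m| alone, which is why a bare Merkle-Damgård hash is not an integrity check on its own and why the MAC constructions later in the deck are needed.

```python
import hashlib

N = 16  # n = 128 bits: block length and chaining-value length of the toy scheme

def h(z: bytes, mi: bytes) -> bytes:
    """Toy fixed-length compression function h: {0,1}^2n -> {0,1}^n (assumed: truncated SHA-256)."""
    assert len(z) == N and len(mi) == N
    return hashlib.sha256(z + mi).digest()[:N]

def md_pad(m: bytes) -> bytes:
    """Steps 1-2: zero-fill the last block m_b and append m_{b+1} := ell = |m| in bits as an n-bit block."""
    ell = (8 * len(m)).to_bytes(N, "big")
    return m + b"\x00" * (-len(m) % N) + ell

def md_chain(z: bytes, blocks: bytes) -> bytes:
    """Step 3: z_i := h(z_{i-1} | m_i) over consecutive n-byte blocks, starting from z."""
    for i in range(0, len(blocks), N):
        z = h(z, blocks[i:i + N])
    return z

def md_hash(m: bytes, iv: bytes = bytes(N)) -> bytes:
    """Step 4: H(m) := z_{b+1}, with z_0 := IV (0^n unless an IV is given)."""
    return md_chain(iv, md_pad(m))

def length_extend(digest: bytes, m_len: int, suffix: bytes) -> tuple:
    """Length extension knowing only H(m) and |m| (in bytes); m itself is never seen.

    Returns (glue, H(m | glue | suffix)). glue is exactly what md_pad appended to m,
    so m | glue is a whole number of blocks and H(m) is the chaining value after it.
    Continuing the chain from H(m) over the padded suffix therefore yields the digest
    of the longer message: the transform carries no state beyond the public z_{b+1}.
    """
    glue = b"\x00" * (-m_len % N) + (8 * m_len).to_bytes(N, "big")
    total_len = m_len + len(glue) + len(suffix)
    tail = suffix + b"\x00" * (-len(suffix) % N) + (8 * total_len).to_bytes(N, "big")
    return glue, md_chain(digest, tail)

if __name__ == "__main__":
    m = b"constructed message"                        # only H(m) and len(m) are handed on
    glue, extended = length_extend(md_hash(m), len(m), b"&more")
    print(extended == md_hash(m + glue + b"&more"))   # True: equals the honestly computed digest
```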

  • MD5 - Description

    512-to-128-bit compression extended by Merkle-Damgård
    Works on 32-bit words
    m is divided into 512 (= 16·32)-bit blocks
    Operates on a 128 (= 4·32)-bit state
    A, B, C, D are fixed
    4 rounds, 16 similar operations each
    Four possible non-linear functions F:
    1. F(B,C,D) = (B ∧ C) ∨ (¬B ∧ D)
    2. G(B,C,D) = (B ∧ D) ∨ (C ∧ ¬D)
    3. H(B,C,D) = B ⊕ C ⊕ D
    4. I(B,C,D) = C ⊕ (B ∨ ¬D)
    M_i is a message block
    K_i is a constant and s is a rotation parameter; both vary for each operation

  • MD5 – Analysis

    NOT collision resistant!
    128-bit output ⇒ birthday attack is possible...

    1992 - MD5 published
    1993 - „pseudo-collision” in the compression function (IV-based attack)
    1996 - collision in the compression function
    2004 - MD5CRK, a distributed effort using the birthday attack
    2004 - hash collision within 1 hour (analytical attack)
    2005 - practical collision of two X.509 certificates with different public keys and the same MD5 hash value
    2010 - first published single-block collision

  • SHA-1

    SHA – Secure Hash Algorithm
    Designed by the U.S. NSA, published by U.S. NIST
    Similar to MD5

    Versions:
    SHA-0 (1993)
    160-bit output, 32-bit words, 80 rounds
    Operations: ⊕, ⊞, ∧, ∨, ≪
    Collision found

    SHA-1 (1995)
    160-bit output, 32-bit words, 80 rounds
    Operations: ⊕, ⊞, ∧, ∨, ≪
    W_t: expanded message word for round t
    K_t: round constant for round t
    More resistant; theoretical attack of complexity 2^61 (2011)

    SHA-1, original diagram for Wikipedia created by User:Matt Crypto

  • SHA-2

    SHA-2 (2001) = SHA-256/SHA-512
    256/512-bit output, 32/64-bit words, 64/80 rounds
    Operations: ⊕, ⊞, ∧, ∨, ≪, rot
    Ch(E,F,G) = (E ∧ F) ⊕ (¬E ∧ G)
    Ma(A,B,C) = (A ∧ B) ⊕ (A ∧ C) ⊕ (B ∧ C)
    Σ0(A) = (A ≫ 2) ⊕ (A ≫ 13) ⊕ (A ≫ 22)
    Σ1(E) = (E ≫ 6) ⊕ (E ≫ 11) ⊕ (E ≫ 25)
    No collision found (yet)

    SHA-3 (2014-)
    Different design
    An alternative of SHA-2

    SHA-2, original diagram for Wikipedia created by User:kockmeyer

  • RIPEMD-160

    Published in 1996
    160-bit hash value
    Similar design principles as MD5
    A bit faster than SHA-1
    BUT designed in the open academic community!!!
    Developed in the framework of the EU project RIPE (RACE Integrity Primitives Evaluation)
    No collision found (yet)
    Optional extensions: RIPEMD-256 and RIPEMD-320
    Longer hash values, the same levels of security
    A possible alternative of SHA-1

  • NIST hash function competition (2007 – 2012)

    Development process similar to the AES competition
    Oct. 2008 Submission deadline
    Dec. 2008 51 candidates for Round 1
    Feb. 2009 NIST conference: submitters presented their algorithms
    Jul. 2009 14 candidates accepted to Round 2
    Aug. 2010 CRYPTO 2010: the second-round candidates were discussed
    Dec. 2010 Announcement of finalists

    Evaluation criteria:
    Performance: small hardware requirement
    Security: possible crypto/design weaknesses
    Analysis: (lack of) cryptanalysis by the whole crypto community
    Diversity: different modes of operation and internal structures

    Dec. 2012 Winner: Keccak
    Aug. 2013 NIST announced changes in the proposed standard to achieve a better security/performance trade-off...
    Aug. 2015 Keccak aka SHA-3 is the hashing standard

  • One finalist: Grøstl

    The Grøstl hash function
    Knudsen et al. (TU of Denmark & TU Graz)
    Modified Merkle-Damgård: h_0 = iv, h_i = f(h_{i−1}, m_i)
    Compression function f based on permutations P, Q (see later)
    H(m) = Ω(h_t)
    Output transformation Ω(x) = trunc_n(P(x) ⊕ x)

  • One finalist: Grøstl

    f(h, m) = P(h ⊕ m) ⊕ Q(m) ⊕ h
    The design of P and Q is inspired by AES
    Small number of permutations ⇒ simple analysis
    Well-known design principles
    Provably secure if the permutations are ideal
    Finding a collision needs ≥ 2^{ℓ/4} P, Q evaluations
    Finding a preimage needs ≥ 2^{ℓ/2} P, Q evaluations
    Indifferentiable from a random oracle

    The compression function f of Grøstl

  • One finalist: Skein

    Schneier et al.
    Main components
    1. Threefish
    A tweakable block cipher
    Tweak: an extra input that provides variability
    Large number of simple rounds instead of fewer complex rounds
    Key + tweak subkeys
    Mix: ⊕, ⊞, ...

  • One finalist: Skein

    Main components
    2. Unique Block Iteration (UBI): a chaining mode using Threefish to build a compression function
    Example: 166-byte input with 3 calls of Threefish-512
    Tweak: length + first/last block + „type”
    Skein: multiple invocations of UBI
    3. Optional Argument System: for extensions and other modes

    Hashing a three-block message using UBI
    Skein in normal hashing mode

  • SHA-3/Keccak

    Diagram of a sponge construction from http://sponge.noekeon.org/

    Winner of the NIST hash function competition (2012)
    Created by Bertoni, Daemen, Peeters and Van Assche
    Sponge construction – a fixed-length permutation f and a padding rule:
    1. m is padded and split into r-bit blocks p_i
    2. Absorbing: XORing the p_i into the hash state at a given rate r, interleaved with applications of f (f: 4 × 24 rounds of simple operations on a state consisting of a 5 × 5 array of 64-bit words)
    3. Squeezing: get the output blocks z_i similarly from it at the same rate

  • GPU-resistant hash functions

    RandomHash
    Serial vs. parallel hashers
    N rounds, the H_i are well-known hash functions
    ∀ round: H ∈_R {H_1, ..., H_18}
    The output is expanded for memory-hardness
    A possible solution: RandomHash, designed by Herman Schoenfeld

  • Privacy vs. Integrity

    Secure communication
    Alice wants to send a message to Bob
    Open communication channel
    Privacy
    Tool: encryption

    Message integrity
    Alice wants to send a message to Bob
    Open communication channel
    Authenticity (caller-ID, email address)
    Integrity: prevent any undetected tampering
    Preventing adversarial tampering itself is not a crypto problem (physical countermeasures)
    Tool: ???

  • Encryption vs. Message Authentication

    Encryption using stream ciphers
    Let c := E_k(m) = G(k) ⊕ m be the ciphertext, where G(.) is a PRG
    Flipping a bit in c ⇒ flipping the same bit in m
    Example: flipping the 11th lsb causes a 1000$ difference...
    The scheme is still secure (as an encryption scheme)
    A similar attack works for the unconditionally secure one-time pad

    Encryption using block ciphers
    The same attack for OFB and CTR modes
    A bit more sophisticated methods for ECB and CBC modes

    Encryption itself does not provide integrity
    c completely hides the contents of m
    BUT the adversary can modify c in a meaningful way!
    Every possible c corresponds to some m...

    We need something new

  • Message Authentication Codes: Definition

    Communicating parties have a common secret (a private key)
    Send an authenticated message
    Know whether the message was tampered with

    Definition
    A message authentication code is a triple (Gen, Mac, Vrfy) if the following holds:
    Key generation: Gen outputs a secret key k on input of the security parameter 1^n with |k| ≥ n
    Tag generation: Mac outputs the MAC tag t := Mac_k(m) for every message m ∈ {0, 1}*
    Verification: Vrfy outputs a bit b := Vrfy_k(m, t), with b = 1 if the MAC tag is valid and 0 otherwise.
    Furthermore the scheme has to be correct: for every set of parameters Vrfy_k(m, Mac_k(m)) = 1.

  • Message Authentication Codes: Definition of Security

    How to attack such a scheme? The adversary performs the following steps:
    1. Asks Alice for the MAC tags of some messages (influencing the content of m)
    2. Makes some computation based on the results
    3. Outputs a forgery: a valid t for a new m (not asked previously)
    If this attack is "hard", then the scheme is called secure

    Definition
    A message authentication code is existentially unforgeable under an adaptive chosen-message attack (or secure, shortly) if every PPT adversary can generate a valid MAC tag t for a message m with negligible probability only, after asking several t′ for m′ ≠ m.

  • Message Authentication Codes: Definition of Security


    Too strong a definition?
    The adversary can request the tag of any message
    Generating a valid tag for any message "breaks" the scheme
    Only meaningful messages are important in practice
    What does "meaningful" mean?
    Replay attacks
    Other methods: sequence numbers or time-stamps concatenated with m
    Drawbacks: storage or synchronization problems

  • MAC constructions for fixed length messages

    Fixed-length MAC
    Let PRF : {0, 1}^n → {0, 1}^n be a pseudorandom function. Then the following is a fixed-length MAC:
    Gen: k ∈_R {0, 1}^n
    Mac: Given k and a message m ∈ {0, 1}^n the tag is t := PRF_k(m)
    Vrfy: Given k, a message m ∈ {0, 1}^n and a tag t ∈ {0, 1}^n the output is 1 iff t = PRF_k(m)
    If PRF is a pseudorandom function then this scheme is secure
    Drawback: only for fixed-length messages

  • MAC constructions for variable length messages

    We have a secure MAC (Gen′, Mac′, Vrfy′) for fixed-length m
    How to extend it to arbitrary-length m?
    Some wrong (but progressively better) ideas
    0. Split m into b blocks m_1, ..., m_b and authenticate blockwise
    1. Authenticate the sum of the blocks: t := Mac′_k(⊕_i m_i)
       Easy to forge: give a new message m′ with ⊕_i m′_i = ⊕_i m_i
    2. Authenticate each block separately: t := (t_1, ..., t_b) with t_i := Mac′_k(m_i)
       Easy to forge: permute the blocks
    3. Authenticate each block with a sequence number: t := (t_1, ..., t_b) with t_i := Mac′_k(i|m_i)
       Easy to forge: drop or mix-and-match the blocks

    Additional information in every block is needed to prevent
    length-based attacks
    combining the blocks

  • MAC constructions for variable length messages

    Variable-length MAC
    Let (Gen′, Mac′, Vrfy′) be a fixed-length MAC for messages of length n
    Gen: The same as Gen′
    Mac: Given k and a message m ∈ {0, 1}* with ℓ := |m| < 2^{n/4}, split m into b blocks m_1, ..., m_b with |m_i| = n/4 and choose r ∈_R {0, 1}^{n/4}. Compute the tags t_i := Mac′_k(r|ℓ|i|m_i); the tag is t := (r, t_1, ..., t_b)
    Vrfy: Given k, a message m ∈ {0, 1}* and a tag t = (r, t_1, ..., t_{b′}), split m into b blocks. The output is 1 iff b = b′ and Vrfy′_k(r|ℓ|i|m_i, t_i) = 1 for i = 1, ..., b.
    If (Gen′, Mac′, Vrfy′) is a secure fixed-length MAC then (Gen, Mac, Vrfy) is a secure variable-length MAC
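The construction above as an added Python example (not from the slides), with n = 256 bits and HMAC-SHA256 standing in for the fixed-length Mac′ (an assumption); ℓ is counted in bytes here. truncation_check() contrasts it with wrong idea 3 from the previous slide: dropping the last block together with its tag passes Vrfy there, while the r|ℓ|i|m_i encoding rejects the shortened message because ℓ no longer matches.

```python
import hashlib
import hmac
import os

N = 32       # n = 256 bits: Mac' accepts inputs of exactly n bits
Q = N // 4   # n/4 = 64 bits: the size of r, ell, i and of every block m_i

def mac_fixed(k: bytes, x: bytes) -> bytes:
    """Fixed-length Mac'_k on exactly n-bit inputs; HMAC-SHA256 plays the PRF (assumed)."""
    assert len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()

def split_blocks(m: bytes) -> list:
    """Split m into n/4-bit blocks m_1..m_b, zero-filling the last one (ell disambiguates)."""
    blocks = [m[i:i + Q] for i in range(0, len(m), Q)] or [b""]
    blocks[-1] = blocks[-1].ljust(Q, b"\x00")
    return blocks

def mac_var(k: bytes, m: bytes, r: bytes = None) -> tuple:
    """Mac_k(m) := (r, t_1..t_b) with t_i := Mac'_k(r | ell | i | m_i) and a fresh random r."""
    r = os.urandom(Q) if r is None else r
    ell = len(m).to_bytes(Q, "big")        # ell := |m| (counted in bytes here) < 2^(n/4)
    return r, [mac_fixed(k, r + ell + i.to_bytes(Q, "big") + mi)
               for i, mi in enumerate(split_blocks(m), start=1)]

def vrfy_var(k: bytes, m: bytes, t: tuple) -> bool:
    """Vrfy_k(m, t) = 1 iff b = b' and every t_i verifies under the same r, ell and i."""
    r, tags = t
    blocks = split_blocks(m)
    if len(blocks) != len(tags):           # b must equal b'
        return False
    ell = len(m).to_bytes(Q, "big")
    return all(hmac.compare_digest(mac_fixed(k, r + ell + i.to_bytes(Q, "big") + mi), ti)
               for i, (mi, ti) in enumerate(zip(blocks, tags), start=1))

def mac_idea3(k: bytes, m: bytes) -> list:
    """Wrong idea 3 of the slides: t_i := Mac'_k(i | m_i), no r and no ell (zero-filled to n bits)."""
    return [mac_fixed(k, (i.to_bytes(Q, "big") + mi).ljust(N, b"\x00"))
            for i, mi in enumerate(split_blocks(m), start=1)]

def vrfy_idea3(k: bytes, m: bytes, tags: list) -> bool:
    expected = mac_idea3(k, m)
    return len(tags) == len(expected) and all(
        hmac.compare_digest(a, b) for a, b in zip(expected, tags))

def truncation_check(k: bytes, m: bytes) -> tuple:
    """Drop the last block of m together with its tag t_b.
    Returns (idea 3 accepts the shortened message, the construction accepts it)."""
    m_short = b"".join(split_blocks(m)[:-1])
    r, tags = mac_var(k, m)
    return (vrfy_idea3(k, m_short, mac_idea3(k, m)[:-1]),
            vrfy_var(k, m_short, (r, tags[:-1])))
```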

  • MAC from hash functions: Nested MAC

    NMAC
    Let h : {0, 1}^{2n} → {0, 1}^n be a compression function and let H : {0, 1}* → {0, 1}^n be a hash function constructed by the Merkle-Damgård transform
    Gen: k_1, k_2 ∈_R {0, 1}^n
    Mac: Given k_1, k_2 and a message m ∈ {0, 1}* the tag is t := h(k_1|H_{k_2}(m))
    Vrfy: Given k_1, k_2, a message m ∈ {0, 1}* and a tag t ∈ {0, 1}^n the output is 1 iff t = Mac_{k_1,k_2}(m)
    H_IV(.) denotes the keyed Merkle-Damgård hash with initialization vector z_0 := IV ∈ {0, 1}^n
    The compression of a key and the output of a keyed Merkle-Damgård hash
    If h(.) is collision resistant and yields a secure MAC then NMAC is secure

  • MAC from hash functions: HMAC

    HMAC
    Let h : {0, 1}^{2n} → {0, 1}^n be a compression function, let H : {0, 1}* → {0, 1}^n be a hash function constructed by the Merkle-Damgård transform and let IV, ipad, opad ∈ {0, 1}^n be fixed.
    Gen: k ∈_R {0, 1}^n
    Mac: Given k and a message m ∈ {0, 1}* the tag is t := h(h(IV|k ⊕ opad) | H_IV(k ⊕ ipad|m))
    Vrfy: Given k, a message m ∈ {0, 1}* and a tag t ∈ {0, 1}^n the output is 1 iff t = Mac_k(m)
    Improvement of NMAC: uses a fixed IV and a single secret key only
    In fact it is a special case: k_1 := h(IV|k ⊕ opad), k_2 := h(IV|k ⊕ ipad)
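HMAC-SHA256 written out from the definition above, as an added Python example (not from the slides), checked against Python's hmac module. One caveat the slide glosses over: real HMAC (RFC 2104) zero-fills k and defines ipad/opad at the hash's block size B = 64 bytes, not at the output length n. hmac_as_nmac() makes the "special case of NMAC" remark concrete by taking k_1 and k_2 from the hashlib states after the first block.

```python
import hashlib
import hmac

B = 64                    # SHA-256 block size in bytes; HMAC pads at B, not at the n = 32-byte output
IPAD = bytes([0x36]) * B  # the RFC 2104 inner pad
OPAD = bytes([0x5c]) * B  # the RFC 2104 outer pad

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hmac_key(k: bytes) -> bytes:
    """RFC 2104 key handling: hash keys longer than B, then zero-fill to B bytes."""
    if len(k) > B:
        k = hashlib.sha256(k).digest()
    return k.ljust(B, b"\x00")

def hmac_sha256_from_definition(k: bytes, m: bytes) -> bytes:
    """t := H((k xor opad) | H((k xor ipad) | m)) with H = SHA-256."""
    k = hmac_key(k)
    inner = hashlib.sha256(xor(k, IPAD) + m).digest()
    return hashlib.sha256(xor(k, OPAD) + inner).digest()

def hmac_as_nmac(k: bytes, m: bytes) -> bytes:
    """The 'special case of NMAC' view: k_1 := h(IV | k xor opad) and k_2 := h(IV | k xor ipad)
    are the chaining values after the first (padded-key) block. hashlib holds them as hash
    objects, and copy() lets both keyed hashes continue from those states, so the tag is
    t = h(k_1 | H_{k_2}(m)) and each key block is compressed only once."""
    k = hmac_key(k)
    state_k2 = hashlib.sha256(xor(k, IPAD))   # chaining value k_2
    state_k1 = hashlib.sha256(xor(k, OPAD))   # chaining value k_1
    inner = state_k2.copy()
    inner.update(m)                           # H_{k_2}(m)
    outer = state_k1.copy()
    outer.update(inner.digest())              # h(k_1 | H_{k_2}(m)), with the final padding block
    return outer.digest()

def matches_stdlib(k: bytes, m: bytes) -> bool:
    """Both spellings agree with hmac.new(k, m, hashlib.sha256)."""
    ref = hmac.new(k, m, hashlib.sha256).digest()
    return (hmac.compare_digest(hmac_sha256_from_definition(k, m), ref)
            and hmac.compare_digest(hmac_as_nmac(k, m), ref))
```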

  • MAC from hash functions: HMAC

    HMAC-X
    Let H_X : {0, 1}* → {0, 1}^n be an arbitrary hash function and let ipad, opad ∈ {0, 1}^n be fixed.
    Gen: k ∈_R {0, 1}^n
    Mac: Given k and a message m ∈ {0, 1}* the tag is t := H_X((k ⊕ opad) | H_X(k ⊕ ipad|m))
    Vrfy: Given k, a message m ∈ {0, 1}* and a tag t ∈ {0, 1}^n the output is 1 iff t = Mac_k(m)
    Eliminates the weaknesses of H_X
    Immune to the length-extension attack

    HMAC-SHA1

  • MAC from block ciphers: CBC-MAC

    Fixed-length CBC-MAC
    Let E_k : {0, 1}^n → {0, 1}^n be a block cipher and let x be a fixed number of blocks.
    Gen: k ∈_R {0, 1}^n
    Mac: Given k and a message m ∈ {0, 1}^{x·n}, first split m into blocks of length n, i.e. m = (m_1|m_2|...|m_x), and compute t_i := E_k(t_{i−1} ⊕ m_i) for i = 1 to x with t_0 := 0^n. The tag is t := t_x
    Vrfy: Given k, a message m ∈ {0, 1}^{x·n} and a tag t ∈ {0, 1}^n the output is 1 iff t = Mac_k(m)

  • MAC from block ciphers: CBC-MAC

    Fixed-length CBC-MAC
    If E is a PRF then this is a secure fixed-length MAC
    Generalizations to variable-length input:
    1. Use the key k_x := E_k(x) in the block cipher
    2. Prepend m with its length (add one more round with m_0 := |m|)
    3. Use two keys k_1, k_2 ∈ {0, 1}^n and first compute the CBC-MAC with k_1; the tag is t′ := E_{k_2}(t)