JH Review Group 3
Outline Why we choose JH Description of JH Comments of NIST and MIT students Preimage Attack by Mendel and Thomsen Analysis of Author in Round1 and Round2 Compare with CubeHash Reference
Why we choose JH ECHO... Preimage Attack Simplicity
Description of JH Normal Padding Split to 512-bit-long M_i (1 <= i <= n) Init H_0 H_i = f(M_i, H_{i-1}) (1 <= i <= n) f = f_8 = F8 in our descriptions Truncate H_n to get Hash Value
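Description of JH (Jump this) Our Description 1 The JH algorithm first pads the Message the way we saw in class: a 1, a number of 0s, and then a binary number representing the length, giving an initial message of 512n bits, which is then split into n segments of 512 bits and hashed. The hashing process is very simple and mainly uses one function, F8, which takes a 512-bit message segment and a 1024-bit hash value and computes a new 1024-bit hash value. The algorithm starts by generating an initial value H0 from the length, then applies F8 to the n 512-bit message segments M1, M2, and so on to obtain H1, H2, ...; the final Hn is the result. If the required hash value is m bits long, the last m bits of Hn are extracted.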
Description of JH (Jump this) Our Description 2 The main hash first pads the message to a multiple of 512 bits; the length of the message is included in the padding. After padding, the message is split into blocks of 512 bits. Then, starting from an initial hash value H(0) (1024-bit), the algorithm iteratively uses a compression function F8 to compress each block, resulting in a final hash value H(N). Finally, H(N) is truncated into a message digest of the designated length.
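Description of JH (Jump this) Our Description 3 The functions used in the JH algorithm are all common processing steps for hashing. JH compresses fixed-length data (F_d) using two S-boxes, a number of Permutations and linear transformations. Given an input, JH first performs ordinary Padding and block splitting, then computes an initial H^(0) from the length of the message digest, and then runs the F_d function for a number of rounds to obtain the final Hash value. Overall, the JH algorithm is fairly simple and common. I think JH has no real innovation in data processing; its security comes mainly from a sensible design of the execution steps of each sub-process, together with a larger block length and more rounds. However, precisely because the algorithms JH uses are so "mainstream", it is convenient for us to analyze its security and running efficiency.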
Compression Function E is a permutation of 1024 elements
Comments of NIST “JH uses a novel construction, somewhat reminiscent of a sponge construction, to build a hash algorithm out of a single, large, fixed permutation. The fixed permutation is an SP network, combining two 4-bit S-boxes with a set of linear mixing operations and bit permutations. All nonlinearity in this design is derived from the S-boxes. The most innovative part of this design is the compression function construction, which XORs a 512-bit message block into the left half of the input of the fixed permutation, and then XORs the same message block into the right half of the output of the fixed permutation. The design of the fixed permutation is also new.”
Comments of NIST JH’s performance is good, and has modest memory requirements. Unlike most second-round candidates, all output sizes of JH use the same function, but with different initial hash values and different amounts of truncation at the end. The most serious cryptanalytic result on JH is a theoretical preimage attack on the 512-bit version, which is barely cheaper than a brute force attack. As this attack does not appear to threaten the design, it does not concern us. However, the compression function construction of JH is not well-understood, and the submitter did not provide a great deal of analysis of this construction.
Comments of MIT Students (?) “We found that in terms of quality and depth of proofs, Lesamnta offered the best security analysis. The authors offered extensive analysis of the security features of all parts of the Lesamnta algorithm, including the modes of operation and the underlying compression function. In addition, they showed that Lesamnta was provably secure against both common and emerging attacks against hash functions. Particularly impressive was that Lesamnta was shown to be provably secure against known key distinguisher attacks, something that we did not even see mentioned in other papers.”
Comments of MIT Students (?) “Among the other submissions, SHAvite-3 was a close second in terms of security analysis. Though they too offered a good number of proofs against many common attacks, their analysis was not quite as in depth as that of Lesamnta. The other algorithms, FSB and JH, were often very simplistic in their assumptions and limited in the types of attacks that they were able to prove security against.”
Keywords Compression Function New, not well understood Security Analysis Not enough Simplicity and Performance Good
Preimage Attack by Mendel and Thomsen “we present a generic preimage attack on JH-512. We do not claim that our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the SHA-2 family.” Compression Function
Attack Detail Given H_4 (final hash value), use M_4 to get H_3 (Obs.1), where M_4 is an arbitrary block satisfying the padding scheme. Enumerate M_3 to get enough pairs of (H_2, M_3) where f(H_2, M_3) = H_3 Find multiple collisions H_1^k (0 <= k < r), preparing for Obs.2 Use Obs.2 to enumerate M_2^k satisfying f(H_1^k, M_2^k) = (H_2, M_3)
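Added example (not from the slides or the JH submission): a scaled-down Python model of the compression construction NIST describes, showing why a known message block lets a chaining value be stepped backwards, as the first step above does. The byte permutation, the 16-byte block size, the H_0 encoding and the name `step_back` are stand-ins assumed here, not JH's real E, sizes or initial value, and padding is assumed to have been applied already.

```python
# Toy model of the JH compression construction (added example, scaled down).
BLOCK = 16   # message block in bytes (JH: 64); the state is 2 * BLOCK bytes
ROUNDS = 8   # stand-in round count, not JH's

# Stand-in invertible byte map; JH's real E uses two 4-bit S-boxes.
SBOX = [(167 * x + 13) % 256 for x in range(256)]
INV_SBOX = [0] * 256
for i, v in enumerate(SBOX):
    INV_SBOX[v] = i

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def perm(state):
    s = list(state)
    for r in range(ROUNDS):
        s = [SBOX[b ^ r] for b in s]        # nonlinear layer
        for i in range(1, len(s)):          # linear mixing (prefix XOR)
            s[i] ^= s[i - 1]
        s = s[1:] + s[:1]                   # byte rotation
    return bytes(s)

def perm_inv(state):
    s = list(state)
    for r in reversed(range(ROUNDS)):
        s = s[-1:] + s[:-1]
        for i in range(len(s) - 1, 0, -1):
            s[i] ^= s[i - 1]
        s = [INV_SBOX[b] ^ r for b in s]
    return bytes(s)

def compress(h, m):
    # M is XORed into the left half of E's input and the right half of its output.
    return xor(perm(xor(h, m + bytes(BLOCK))), bytes(BLOCK) + m)

def step_back(h_next, m):
    # E is a permutation, so for a known M the previous chaining value is unique.
    return xor(perm_inv(xor(h_next, bytes(BLOCK) + m)), m + bytes(BLOCK))

def chain(blocks, digest_len):
    h = bytes([digest_len]) + bytes(2 * BLOCK - 1)   # constructed H_0, not JH's
    hs = [h]
    for m in blocks:
        h = compress(h, m)
        hs.append(h)
    return hs

def digest(blocks, digest_len):
    return chain(blocks, digest_len)[-1][-digest_len:]   # keep the last bytes of H_n
```

Stepping back needs the full state, while the published digest is only a truncation of H_n.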
Attack Analysis Suppose that f satisfies POISSON distribution => multiple collision Use Obs.2 to skip some Compression Function calculation. However, very poor: 2^510.3 => (2^510.3) * 51 The reason of 51 and 510.3: the balance of the complexity of finding multiple collision
Attack Result No effect on JH's security (So we ignore Author's defence) Just some interesting things about Compression Function “Nevertheless, we think that the attack shows some interesting properties of JH-512, which do not exist in other hash functions. Maybe these properties can be combined with a dedicated preimage attack on JH-512 in the future. At the moment, our attack does not compromise the security claims of JH-512.”
Author's Analysis Paullzn and Chimney Liu's Reports (click the hyperlink above to see the report)
Compare With CubeHash What is Cube Hash? A very SIMPLE cryptographic hash function. Algorithm introduction in 2 pages. Process Initialization Padding & Blocking Identical rounds to change states. Finalization Ten steps per round with only xor, add, and rotate “That's it”
Compare With CubeHash JH CubeHash Performance Hardware optimized (Bit-Slice) SSE2 optimized Modest memory requirements SIMD optimized Security Most serious result barely cheaper than brute force. Lack of analysis on compression function. Best-understood candidate. Semi-free-start collision and the symmetry properties the most troubling. Variants (Performance & security trade-off) Relatively fixed (Algorithm limitation) Variable (2 tunable parameters) Easy to choose parameters for different requirements A little bit hard to design proper combination of parameters Innovation Compression function construction
Reference JH: http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/ NIST official evaluation: http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/sha3_NISTIR7620.pdf MIT Students Summary: http://courses.csail.mit.edu/6.857/2009/sha3/group7.pdf Preimage Attack by Mendel and Thomsen: http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf Author's defence of Preimage Attack: http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf