
Introduction to Cryptographic Hash Functions

Introduction to Cryptographic Hash Functions. Pukyong National University Kyung Hyune Rhee Khrhee@pknu.ac.kr. Contents. Introduction The definition and the general model of hash functions Description of the new hash algorithms


Presentation Transcript


  1. Introduction to Cryptographic Hash Functions Pukyong National University Kyung Hyune Rhee Khrhee@pknu.ac.kr

  2. Contents • Introduction • The definition and the general model of hash functions • Description of the new hash algorithms • The MAC(Message Authentication Code) using the proposed hash algorithms • Concluding Remarks

  3. Introduction

  4. Hash Function • map a bitstring of arbitrary finite length into a string of fixed length(128 bits, 160 bits) • basic idea : hash value serves as a compressed representative image of an input string • uniquely identifying that string • unkeyed hash function & keyed hash function • applications • verification of integrity • construction of MAC(Message Authentication Code) • increase of the efficiency of digital signatures

  5. Existing MDx-family hash functions • iterative process based on the theory of Merkle and Damgard • In 1990, MD4 proposed by Rivest • attacks against the shortened version by Merkle and Bosselaers • In 1991, MD5 : strengthened version of MD4 • In 1992, HAVAL designed by Zheng, Pieprzyk and Seberry • In 1993, SHA(Secure Hash Algorithm) published by NIST • In 1995, SHA-1 : improved version of SHA • In 1995, RIPEMD proposed by the European RIPE consortium • a strengthened version of MD4 • In 1996, attack against a shortened version of RIPEMD by Dobbertin • In 1996, RIPEMD-128/160 by Dobbertin, Bosselaers and Preneel • a strengthened version of RIPEMD • HAS-160 standardized by TTA

  6. MAC(Message Authentication Code) • data integrity and data origin authentication • construction • based on CBC and CFB modes of a block cipher • MAA(Message Authenticator Algorithm) • ISO standard • relatively fast in software • 32-bit result • based on hash functions • faster than other schemes • additional implementation effort is small • adopted in Kerberos and SNMP

  7. The definition and the general model of the hash function

  8. Cryptographic hash functions • functions that map bit strings of arbitrary finite length into strings of fixed length • Given function h and input x, computing h(x) must be easy • properties of the cryptographic hash function • easy computation • pre-image resistance • second pre-image resistance • collision resistance

  9. Structure of hash functions • iterative processes which hash inputs of arbitrary length by processing successive fixed-size blocks of input • f : compression function • Hi : chaining variable • [Figure: the initial value and message block 1, message block 2, ..., the last message part plus padding feed successive compression functions, producing the hash]

  10. Features of existing hash functions • SHA-1 : the message expansion • additional message words are generated from original input message words • a strong resistance against existing attacks exploiting the simplicity of applying the message word in the compression function • RIPEMD-160 • process the input message in two parallel lines in order to improve the security • HAVAL • variable length fingerprints and variable number of passes • use of strong Boolean functions having cryptographically good properties

  11. Definition and general model of the hash function(4) • MAC(Message Authentication Code) • Keyed hash function • a hash function with a secondary input, i.e. , a secret key • existing MAC construction • Gene Tsudik • secret prefix method • secret suffix method • envelope method • Kaliski and Robshaw : MAC constructions using MD5 • Preneel, van Oorschot : MDx-MAC • Bellare et. al : NMAC, HMAC
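The MAC constructions named on slide 11, written out as an added example (not code from the presentation). It uses SHA-1 from Python's hashlib as the underlying hash because the page gives no SMD implementation, and it assumes a single key at both ends of the envelope method; the key and messages in the test are constructed.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 consumes 512-bit blocks, like the other MD-family functions


def secret_prefix(key, msg):
    """Secret prefix method: the key is hashed before the message."""
    return hashlib.sha1(key + msg).digest()


def secret_suffix(key, msg):
    """Secret suffix method: the key is hashed after the message."""
    return hashlib.sha1(msg + key).digest()


def envelope(key, msg):
    """Envelope method: key at both ends (assumption: the same key twice)."""
    return hashlib.sha1(key + msg + key).digest()


def hmac_sha1(key, msg):
    """HMAC written out: H((K xor opad) || H((K xor ipad) || msg))."""
    if len(key) > BLOCK:              # over-long keys are hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")   # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()


def verify(key, msg, tag):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)
```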

  12. Description of the new hash algorithms

  13. New hash algorithm - SMD • New hash function (SMD;Strengthened Message Digest) • based on concrete design principles of MD family hash functions • secure against known attacks • the message expansion of SHA-1 • cryptographically strong Boolean functions similar to that of HAVAL • distinguishing feature : data-dependent rotation • rotations by variable amounts dependent on input messages

  14. New hash algorithm - SMD(cont.) • Notations • word : 32-bit string • block : 512-bit string used as input of compression function • + : addition modulo 2^32 between two words • X<<s : left rotation of X by s bits • : bitwise logical AND operation of A and B • : bitwise logical OR operation of A and B • : bitwise logical XOR operation of A and B

  15. New hash algorithm – SMD(cont.) • Output length and chaining variable : 160-bit result • Initial Value IV=(A,B,C,D,E) • A= 0x67452301 B= 0xefcdab89 C= 0x98badcfe D= 0x10325476 E = 0xc3d2e1f0 • Constants • K1= 0 , K2= 0x5a827999 ( ), K3= 0x6ed9eba1( ), K4= 0x8f1bbcdc ( ) • expansion of message variables • a message word affects steps as many as possible • additionally generating 8 message variables from 16 input message words

  16. New hash algorithm – SMD(cont.) • the order of message words applied to each round • refer to the design principle of RIPEMD-160 • additionally generated words sufficiently disperse • the same word is not close by in each round • In each step of each round, the same message word is not used

  17. New hash algorithm – SMD(cont.) • Step operation • Boolean functions • based on those of HAVAL • satisfy cryptographically good properties • 0-1 balanced , high nonlinearity , satisfy SAC(Strict Avalanche Criterion) • for the efficiency, use f1 repeatedly

  18. New hash algorithm – SMD(cont.) • rotation • A distinguished feature : message-dependent rotations • variable rotations dependent on the input message • Because the hash result is more dependent on the input message, the security can be improved • Using different message words from those used in the step operation • The order of message word Xi

  19. Compression Function of ISMD • [Figure labels: Round 1, Round 2, Round 3, Round 4; message expansion; 16 words; 24 words]

  20. Step Operation of ISMD • [Figure: chaining variables A, B, C, D, E]

  21. New hash algorithm – SMD(cont.) • Security • secure against known attacks by Boer and Bosselaers, and by Dobbertin • frustrate differential cryptanalysis and linear cryptanalysis  data-dependent rotations • the best way to find a collision pair • the birthday attack • In such an attack, the attacker prepares two sets of 2^80 distinct messages, and calculates their fingerprints

  22. New hash algorithm – SMD(cont.) • Performance • compare the performance of MD5, SHA-1, RIPEMD-160, HAVAL(5 pass, 160 bits), and our scheme • Implementation was written in C language on the Pentium (100MHz) • Our scheme is about 27% faster than RIPEMD-160 , about 2% faster than SHA-1

  23. Secure hash function based on CA • Cellular Automata(CA) • a linearly connected array of L cells and a Boolean function f(x) with q variables • each cell takes the value 0 or 1 • q = 2r + 1 , r : the radius of the function f(x) • new value of the ith cell is calculated using the value of the ith cell and the values of r neighboring cells to the right and left of the ith cell • For L cell, there are possible state vectors • : state vector at the time step k • forms a cycle  • P : period, which is a function of the initial value, the updating function, and the number of cells

  24. Secure hash function based on CA(cont.) • CA with q=3 • function f : combinatorial logic associated with the CA • updating rule for transiting to the next state • If the next state function of a cell is expressed in the form of a truth table, then the decimal equivalent of the output column in the truth table is called a CA rule number. • Rule 90 • Rule 60 • Rule 150 • Rule 204

  25. Secure hash function based on CA(cont.) • Uniform and Hybrid CA • Uniform CA : the same rules applied to all cells in a CA • Hybrid CA : otherwise • boundary condition : Null and Periodic • null : extreme cells are connected to logic ‘0’ • periodic : extreme cells are adjacent • Additive CA • next-state transition rules employ only XOR or XNOR operations • uniquely represented by a transition matrix over GF(2) • every transition matrix has a characteristic polynomial

  26. Secure hash function based on CA(cont.) • L-cell additive CA with XOR operations • characterized by L x L Boolean matrix T • the i th row specifies the neighborhood dependency of the i th cell • x(t) : column vector representing the state of the CA at time t • next state of CA • Maximal length CA • the characteristic polynomial of CA is primitive • generates all states in the successive cycles excluding the all zero state • Programmable CA(PCA) • realizing different CA configurations on the same structure can be achieved using a control logic

  27. Secure hash function based on CA(cont.) • Example of PCA : Rule 90 and Rule 150 • If Control Signal is ‘0’, apply Rule 90 • If Control Signal is ‘1’, apply Rule 150 • [Figure: Cell #i with a Control Signal input]

  28. Secure hash function based on CA(cont.) • Applications of CA • design block ciphers, stream ciphers and hash functions • first cryptographic application of CA: Crypto’85, Wolfram • In 1994, Nandi, et al proposed block and stream cipher based on CA • hash function based on CA • first proposal : Damgard • In 1991, Daemen analyzed the vulnerability of Damgard’s scheme and proposed new CA-based hash function • In 1997, Hirose proposed a hash function based on two-dimensional CA • In 1998, Mihaljevic proposed CA-based hash function • the compression function is the combination of nonlinear function and PCA and the output function is a key stream generator

  29. Secure hash function based on CA(cont.) • Uses the Davies-Meyer type compression function • imply secure hash function construction assuming that the compression function and the output function are secure • The compression function and output function are based on the CA • features of CA-based hash function • very fast hashing • the application of CA theory for the security analysis • the preimage and collision resistance due to the employed principles and building blocks

  30. Secure hash function based on CA(cont.) • Notations • n : an output length of the hash function (n=160 bits) • l : an integer such that n/l is also an integer (l = 8 bits) • : nonlinear Boolean functions each of which maps five l-dimensional binary vectors into an l-dimensional binary • 0-1 balanced , high nonlinearity, satisfy SAC, pairwise linearly non-equivalent

  31. Secure hash function based on CA(cont.) • Notations (cont.) • : a maximal length CA • : a PCA controlled by binary vector X and Y and the applied configuration rules are as follows: • if the i th bits of both X and Y are 0, then Rule 204 is applied to the i th PCA cell • if the i th bit of X is 0 and the i th bit of Y is 1, then Rule 60 is applied to the i th PCA cell • if the i th bit of X is 1 and the i th bit of Y is 0, then Rule 102 is applied to the i th PCA cell • if the i th bits of both X and Y are 1, then Rule 150 is applied to the i th PCA cell
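The CA machinery of slides 24 to 27 and the PCA rule selection of slide 31, as an added example that is not code from the presentation. It derives rule numbers from truth tables, steps a hybrid CA with null or periodic boundary, and relates the characteristic polynomial to the cycle length; the 4-cell configuration <90,150,90,150> and the start state are constructed for illustration, and all function names are hypothetical.

```python
from itertools import product


def rule_number(f):
    """Decimal value of the truth-table output column (rows 111 down to 000)."""
    return sum(f(l, c, r) << (l << 2 | c << 1 | r)
               for l, c, r in product((0, 1), repeat=3))


def step(state, rules, periodic=False):
    """One time step of a hybrid CA; rules[i] is the rule number of cell i."""
    n = len(state)
    nxt = []
    for i, rule in enumerate(rules):
        # Null boundary ties a missing neighbour to logic 0; periodic wraps around.
        left = state[i - 1] if i > 0 else (state[-1] if periodic else 0)
        right = state[i + 1] if i < n - 1 else (state[0] if periodic else 0)
        nxt.append((rule >> (left << 2 | state[i] << 1 | right)) & 1)
    return nxt


def pca_90_150(control):
    """Slide 27: control bit 0 applies Rule 90, control bit 1 applies Rule 150."""
    return [150 if bit else 90 for bit in control]


# Slide 31: rule applied to cell i, keyed by (i-th bit of X, i-th bit of Y).
PCA_XY = {(0, 0): 204, (0, 1): 60, (1, 0): 102, (1, 1): 150}


def pca_xy(x_bits, y_bits):
    return [PCA_XY[x, y] for x, y in zip(x_bits, y_bits)]


def cycle_length(state, rules, periodic=False):
    """Length of the cycle the CA eventually enters when started from `state`."""
    seen, s, t = {}, tuple(state), 0
    while s not in seen:
        seen[s] = t
        s, t = tuple(step(s, rules, periodic)), t + 1
    return t - seen[s]


def char_poly(rules):
    """Characteristic polynomial over GF(2) of a null-boundary 90/150 CA.

    Returned as a bit mask (bit k = coefficient of x^k), using the tridiagonal
    recurrence D_k = (x + d_k) * D_{k-1} + D_{k-2}, with d_k = 1 for Rule 150.
    """
    prev, cur = 0, 1
    for rule in rules:
        diag = cur if rule == 150 else 0
        prev, cur = cur, (cur << 1) ^ diag ^ prev
    return cur


if __name__ == "__main__":
    hybrid = pca_90_150([0, 1, 0, 1])  # constructed 4-cell example
    print(bin(char_poly(hybrid)), cycle_length([1, 0, 0, 0], hybrid))
    print(bin(char_poly([90] * 4)), cycle_length([1, 0, 0, 0], [90] * 4))
```

The hybrid configuration has the primitive polynomial x^4 + x + 1 and visits all 15 nonzero states, while uniform Rule 90 on 4 cells has x^4 + x^2 + 1 = (x^2 + x + 1)^2 and a cycle of only 6 states.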

  32. Secure hash function based on CA(cont.) • Notations (cont.) • : an ith 4n-bit block of the input message • : an n-bit chaining variable after the ith iteration • [Figure: Cell # i-1, Cell # i, Cell # i+1]

  33. Secure hash function based on CA(cont.) • Message padding • has a variable-length hash result • The process of the message padding is equal to that of existing hash functions except for appending a bit-length of the hash result to the end of a message • a 2-byte output-length L is appended to the next of the length of the original message(8-byte) • Compression function f() • input : 4n-bit message block and a n-bit chaining variable • output : n-bit chaining variable

  34. Secure hash function based on CA(cont.) • Compression function f() (cont.) • and are split into successive nonoverlapping equal length blocks of l-bit, respectively • Using two input and , each n-bit X, Y, Z are computed as the following procedure: (1) Compute an n-bit X • , k=0, 1, …, 9 : l-bit constants, respectively (2) Compute an n-bit Y

  35. Secure hash function based on CA(cont.) (3) Apply X, Y, to PHT(Pseudo-Hadamard Transform) • split n-bit X, Y, into 8-bit , , , respectively (4) Compute an n-bit V (5) Compute an n-bit Z

  36. Secure hash function based on CA(cont.) • Output function g() (1) Load as the initial value of PCA (2) uses X, Y, V, Z when the last is computed • split n-bit X, Y, V, Z into 8-bit , , , , respectively (3) Operating the following by the output-length L • Each cycle outputs the middle bit of state values of PCA()

  37. Secure hash function based on CA(cont.) • Hash function • Input : message M , n-bit initial value IV • Preprocessing : MD-strengthening and padding • splitting the message into m blocks of 4n-bit, • Iterative Processing : , i=1,2,…,m , do the following: • calculate the compression function f() : • If is the all zero vector, recalculate • Output function : calculate • Output : L-bit message digest

  38. Block Diagram of CA-based Hash Function • [Figure: inside hash function h, the original input M passes through padding to give the formatted input, which feeds compression function f and then output function g]

  39. Secure hash function based on CA(cont.) • the security of the proposed hash function is determined by the security of its compression function and output function • the following imply the security of the compression function • The CA has primitive characteristic polynomial to have a maximal length • The pattern generated by maximal length CA's meets the cryptographic criteria • High nonlinearity due to the employed Boolean functions and PCA • So far known methods for reconstruction of certain CA/PCA state cannot work in f() • The compression function is a cryptographic transformation • Given f() output, finding the preimage requires about 2^n operations and finding collision requires about 2^(n/2) operations.

  40. Secure hash function based on CA(cont.) • The security of output function g() • a key stream generator which consists of two stages using CA and PCA • It has primitive characteristic polynomial to have a maximal length • high nonlinearity due to the employed PCA • a cryptographic transformation • for given n-bit hash value, finding the input of g() , i.e, Hm , requires about 2^n operations and finding collision requires about 2^(n/2) operations. • For an n-bit hash value, the security of the proposed hash function • finding preimage requires about operations • finding collision requires about operations

  41. Secure hash function based on CA(cont.) • Computational complexity of the compression function • Boolean functions of n/5l times and mod 256 addition of 2n/l times • n-bit CA(= 3n XOR operations) • mod 256 addition of 8n/16 times and 1-bit left shift of 4n/16 times • Boolean functions of n/5l times and mod 256 addition of 2n/l times • n-bit CA(= 3n XOR operations) • n-bit PCAXY (= 3n XOR operations) • n-bit XOR operations • mod 256 addition of (4n/l + n/2) times, 1-bit left shift of n/4 times, two n-bit CA calculations, n-bit PCA computation, bitwise AND of 30n/5l times, bitwise XOR of 26n/5l times, bitwise OR of 4n/5l times, NOT operation of 2n/5l times, and n-bit XOR computations

  42. Secure hash function based on CA(cont.) • Computational complexity of the output function • mod 256 addition of 8n/16 times and 1-bit left shift of 4n/16 times • 2L-cycle CA and L-cycle PCAX’Y’ (L : bit-length of the hash result) • Complexity for processing m message blocks(n=160, l=8, L=n) • 80(2m+1) mod 256 addition + 40(m+1) 1-bit left shift + (2m+320) CA + (m+160) PCA + 248m bitwise logical operation + m 160-bit XOR • Memory requirement • 4n bits , n bits , X, Y, V, Z, n bits temporary buffer => total 10n bits memory is required

  43. Secure hash function based on CA(cont.) • Comparing with Daemen’s, Hirose’s and Mihaljevic’s scheme • Daemen's scheme : uses nonlinear CA and linear CA • Hirose's scheme : employs two nonlinear CA • the used nonlinear CA belong to a class of nonlinear CA for an algorithm for inversion of the CA iterations published recently • The compression function of the proposed hash function • employs the Davies-Meyer type and the combined form of nonlinear functions and PCA • more secure than Daemen's scheme and Hirose's scheme • Both schemes do not employ the output function, but the proposed hash function has the output function based on CA/PCA

  44. Secure hash function based on CA(cont.) • Mihaljevic’s scheme • employs the Davies-Meyer type compression function and cascade of the nonlinear function and PCA • requires ROM and memory reading operation for nonlinear functions (which is similar with S-Box of DES) • employs PCAX() controlled by binary vector X • output function : PCA based key stream generator • The proposed scheme • employs 5-variable Boolean functions which uses only bitwise logical operations • use more complex PCAXY () which apply one of four cases dependent on binary vector X and Y • output function : the combination of CA and PCA

  45. Secure hash function based on CA(cont.) • The computational complexity, for n=160, l=8, k=3 • Mihaljevic’s scheme • the compression function • 40 times ROM reading • 20 times ROM reading • 160-bit CA(=480 XOR operation) • 20 times ROM reading • 160-bit PCA(=480 XOR operation) • 160 times XOR operation • the output function • 160 times mod addition, 160 times ROM reading, 160-cycle PCA operation, and 160-bit permutation

  46. Secure hash function based on CA(cont.) • The proposed scheme • the compression function • 40 times mod 256 addition and 124 times XOR operation • 160-bit CA(=480 XOR operation) • 80 times mod 256 addition and 40 times 1-bit shift • 40 times mod 256 addition and 124 times XOR operation • 160-bit CA(=480 XOR operation) • 160-bit PCA(=480 XOR operation) • 160 times XOR operation • the output function • 80 times mod 256 addition and 40 times 1-bit shift • 360-cycle CA operation and 160-cycle PCA operation

  47. Secure hash function based on CA(cont.) • When processing the compression function, • the proposed scheme processes the 4n bits input data • Mihaljevic’s scheme processes the 2n bits input data • when processing the same length of input data, Mihaljevic’s scheme needs 2 times as many computations of the compression function as the proposed scheme • Assuming 640 bits input data • Mihaljevic’s scheme : 80 times ROM reading + 2240 times XOR operation • proposed scheme : 160 times mod 256 addition + 40 times 1-bit shift + 1848 XOR operation

  48. Secure hash function based on CA(cont.) • Memory requirement for n=160, l=8, k=3 • Mihaljevic’s scheme : about 1546 Kbits ROM memory and 800 bits buffer • proposed scheme : about 1600 bits buffer • However, the proposed scheme has more complex control logic than Mihaljevic’s scheme, and the implementation complexity is increased due to PHT and nonlinear function • The proposed scheme has the variable-length hash result • It can be used for various applications

  49. The MAC(Message Authentication Code) using the proposed hash algorithms

  50. The MAC construction using SMD • Design goals • The secret key should be involved at the beginning and end, and at every iteration of the hash function • The deviation from the original hash function should be minimal in order to minimize implementation effort and maximize the confidence previously gained • The performance should be close to that of the hash function • The additional memory requirements should be minimized • The approach should be generic, i.e. should apply to any MD-family hash function
