Introduction to Cryptographic Hash Functions
Pukyong National University
Kyung Hyune Rhee, Khrhee@pknu.ac.kr

Contents
• Introduction
• The definition and the general model of hash functions
• Description of the new hash algorithms
• The MAC (Message Authentication Code) using the proposed hash algorithms
• Concluding Remarks
Hash Function
• maps a bit string of arbitrary finite length into a string of fixed length (128 bits, 160 bits)
• basic idea: the hash value serves as a compressed representative image of an input string, uniquely identifying that string
• unkeyed hash functions and keyed hash functions
• applications
  • verification of integrity
  • construction of a MAC (Message Authentication Code)
  • increasing the efficiency of digital signatures
Existing MDx-family hash functions
• iterative process based on the theory of Merkle and Damgård
• 1990: MD4 proposed by Rivest
  • attacks against the shortened version by Merkle and Bosselaers
• 1991: MD5, a strengthened version of MD4
• 1992: HAVAL designed by Zheng, Pieprzyk and Seberry
• 1993: SHA (Secure Hash Algorithm) published by NIST
• 1995: SHA-1, an improved version of SHA
• 1995: RIPEMD proposed by the European RIPE consortium
  • a strengthened version of MD4
• 1996: attack against a shortened version of RIPEMD by Dobbertin
• 1996: RIPEMD-128/160 by Dobbertin, Bosselaers and Preneel
  • a strengthened version of RIPEMD
• HAS-160 standardized by TTA
MAC (Message Authentication Code)
• provides data integrity and data origin authentication
• constructions
  • based on the CBC and CFB modes of a block cipher
  • MAA (Message Authenticator Algorithm)
    • ISO standard
    • relatively fast in software
    • 32-bit result
  • based on hash functions
    • faster than the other schemes
    • the additional implementation effort is small
    • adopted in Kerberos and SNMP
Cryptographic hash functions
• functions that map bit strings of arbitrary finite length into strings of fixed length
• given the function h and an input x, computing h(x) must be easy
• properties of a cryptographic hash function
  • easy computation
  • pre-image resistance
  • second pre-image resistance
  • collision resistance
[Figure: structure of an iterated hash function. The initial value and message block 1 enter the first compression function; each compression function output feeds the next one together with the next message block; the last message part is padded before the final compression function, whose output is the hash.]
Structure of hash functions
• iterative processes which hash inputs of arbitrary length by processing successive fixed-size blocks of input
• f : compression function
• Hi : chaining variable
Features of existing hash functions
• SHA-1: the message expansion
  • additional message words are generated from the original input message words
  • strong resistance against existing attacks that exploit the simplicity of applying the message words in the compression function
• RIPEMD-160
  • processes the input message in two parallel lines in order to improve the security
• HAVAL
  • variable-length fingerprints and a variable number of passes
  • use of strong Boolean functions having cryptographically good properties
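As an added example (not code from the original slides), the iterated structure and the SHA-1 message expansion described above, written out in Python: a Merkle-Damgård driver with length padding around the SHA-1 compression function. The 16 input words are expanded to 80 words, and the final addition of the chaining input to the step output is the Davies-Meyer style feed-forward. The same initial value and three of the additive constants reappear later on this page in the SMD notation. The result is checked against Python's hashlib, so the code is a faithful SHA-1, not a sketch.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def rotl(x, s):
    """Left-rotate a 32-bit word by s bits (the X<<s notation of the slides)."""
    return ((x << s) | (x >> (32 - s))) & MASK


def md_pad(message: bytes) -> bytes:
    """Merkle-Damgard strengthening: append 0x80, zero-fill to 56 mod 64,
    then append the 64-bit big-endian bit length of the original message."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def sha1_compress(h, block):
    """SHA-1 compression function: 512-bit block + 160-bit chaining variable -> 160 bits."""
    a, b, c, d, e = h
    # message expansion: 16 input words become 80 round words
    w = list(struct.unpack(">16L", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (rotl(a, 5) + (f & MASK) + e + k + w[t]) & MASK
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    # feed-forward of the chaining input (Davies-Meyer style)
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e)))


IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def sha1(message: bytes) -> bytes:
    """Iterate the compression function over the padded message blocks."""
    h = IV
    padded = md_pad(message)
    for i in range(0, len(padded), 64):
        h = sha1_compress(h, padded[i:i + 64])
    return b"".join(struct.pack(">L", x) for x in h)


def sha1_hex(message: bytes) -> str:
    return sha1(message).hex()


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the reference implementation in the standard library."""
    return sha1(message) == hashlib.sha1(message).digest()


if __name__ == "__main__":
    print(sha1_hex(b"abc"), matches_hashlib(b"x" * 1000))
```

The padding function shows why the block count jumps at 56 bytes: the 0x80 marker and the 8-byte length must fit in the final block, so a 56-byte message already needs two blocks.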
Definition and general model of the hash function (4)
• MAC (Message Authentication Code)
  • keyed hash function
    • a hash function with a secondary input, i.e., a secret key
  • existing MAC constructions
    • Gene Tsudik
      • secret prefix method
      • secret suffix method
      • envelope method
    • Kaliski and Robshaw: MAC constructions using MD5
    • Preneel and van Oorschot: MDx-MAC
    • Bellare et al.: NMAC, HMAC
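The hash-based MAC constructions listed above, as an added Python example that is not part of the original slides: Tsudik's secret prefix, secret suffix and envelope methods are one-line wrappers around a hash, while HMAC keys the hash twice through the inner and outer pads (the 0x36/0x5c constants and the block-size key handling are HMAC's as standardized in RFC 2104). The hand-written HMAC is cross-checked against the standard library, and verification uses a constant-time comparison.

```python
import hashlib
import hmac as stdlib_hmac


def secret_prefix_mac(key: bytes, msg: bytes, hashfn=hashlib.sha1) -> bytes:
    """Secret prefix method: h(K || M)."""
    return hashfn(key + msg).digest()


def secret_suffix_mac(key: bytes, msg: bytes, hashfn=hashlib.sha1) -> bytes:
    """Secret suffix method: h(M || K)."""
    return hashfn(msg + key).digest()


def envelope_mac(key1: bytes, key2: bytes, msg: bytes, hashfn=hashlib.sha1) -> bytes:
    """Envelope method: the key is involved at both ends, h(K1 || M || K2)."""
    return hashfn(key1 + msg + key2).digest()


def hmac_digest(key: bytes, msg: bytes, hashfn=hashlib.sha1) -> bytes:
    """HMAC: h((K' xor opad) || h((K' xor ipad) || M)) with K' padded to the block size."""
    block_size = hashfn().block_size          # 64 bytes for SHA-1 and MD5
    if len(key) > block_size:
        key = hashfn(key).digest()            # long keys are hashed first
    key = key.ljust(block_size, b"\x00")      # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashfn(ipad + msg).digest()
    return hashfn(opad + inner).digest()


def matches_stdlib_hmac(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written HMAC-SHA1 against the standard library."""
    return hmac_digest(key, msg) == stdlib_hmac.new(key, msg, hashlib.sha1).digest()


def verify_mac(expected: bytes, received: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return stdlib_hmac.compare_digest(expected, received)


if __name__ == "__main__":
    tag = hmac_digest(b"\x0b" * 20, b"Hi There")   # RFC 2202 test case 1
    print(tag.hex(), verify_mac(tag, hmac_digest(b"\x0b" * 20, b"Hi There")))
```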
New hash algorithm - SMD
• new hash function (SMD: Strengthened Message Digest)
  • based on concrete design principles of the MD-family hash functions
  • secure against known attacks
  • the message expansion of SHA-1
  • cryptographically strong Boolean functions similar to those of HAVAL
  • distinguishing feature: data-dependent rotation
    • rotations by variable amounts dependent on the input message
New hash algorithm - SMD (cont.)
• Notations
  • word : 32-bit string
  • block : 512-bit string used as the input of the compression function
  • + : addition modulo 2^32 between two words
  • X<<s : left rotation of X by s bits
  • : bitwise logical AND operation of A and B
  • : bitwise logical OR operation of A and B
  • : bitwise logical XOR operation of A and B
New hash algorithm - SMD (cont.)
• Output length and chaining variable: 160-bit result
• Initial value IV = (A, B, C, D, E)
  • A = 0x67452301, B = 0xefcdab89, C = 0x98badcfe, D = 0x10325476, E = 0xc3d2e1f0
• Constants
  • K1 = 0, K2 = 0x5a827999, K3 = 0x6ed9eba1, K4 = 0x8f1bbcdc
• expansion of message variables
  • a message word affects as many steps as possible
  • 8 additional message variables are generated from the 16 input message words
New hash algorithm - SMD (cont.)
• the order of message words applied to each round
  • follows the design principle of RIPEMD-160
  • the additionally generated words are sufficiently dispersed
  • the same word is not used at nearby positions within a round
  • in each step of each round, the same message word is not used
New hash algorithm - SMD (cont.)
• Step operation
• Boolean functions
  • based on those of HAVAL
  • satisfy cryptographically good properties
    • 0-1 balanced, high nonlinearity, satisfy the SAC (Strict Avalanche Criterion)
  • for efficiency, f1 is used repeatedly
New hash algorithm - SMD (cont.)
• rotation
  • a distinguishing feature: message-dependent rotations
  • variable rotations dependent on the input message
  • because the hash result depends more strongly on the input message, the security can be improved
  • uses different message words from those used in the step operation
• the order of the message words Xi
[Figure: Compression Function of ISMD. The 16 input message words are expanded (message expansion) to 24 words, which feed Round 1 through Round 4.]
[Figure: Step Operation of ISMD, acting on the chaining variables A, B, C, D, E.]
New hash algorithm - SMD (cont.)
• Security
  • secure against the known attacks by den Boer and Bosselaers, and by Dobbertin
  • the data-dependent rotations frustrate differential cryptanalysis and linear cryptanalysis
  • the best way to find a collision pair
    • the birthday attack
    • in such an attack, the attacker prepares two sets of 2^80 distinct messages and calculates their fingerprints
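To make the 2^80 figure concrete, here is an added Python example (not from the slides) that measures the birthday bound on a hash truncated to a small number of bits: the expected number of fingerprints before two of them coincide is about sqrt(pi/2 * 2^n), which for a 160-bit result is roughly 1.25 * 2^80, and for a 16-bit truncation only about 321. The messages are constructed counters; truncating SHA-1 is done purely so the experiment finishes instantly, and the pigeonhole bound 2^n + 1 guarantees the loop terminates.

```python
import hashlib
import math


def truncated_hash(msg: bytes, bits: int) -> int:
    """The leading `bits` bits of SHA-1(msg), used as a toy n-bit hash."""
    digest = hashlib.sha1(msg).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def expected_birthday_trials(bits: int) -> float:
    """Expected number of random n-bit values drawn before the first repeat."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Hash constructed messages prefix+counter until two share a truncated value.
    Returns (first message, second message, number of fingerprints computed)."""
    seen = {}
    for i in range(2 ** bits + 1):       # pigeonhole: a repeat is certain by then
        m = prefix + str(i).encode()
        t = truncated_hash(m, bits)
        if t in seen:
            return seen[t], m, i + 1
        seen[t] = m
    raise RuntimeError("unreachable: pigeonhole bound exceeded")


if __name__ == "__main__":
    for bits in (8, 16, 24):
        m1, m2, trials = find_collision(bits)
        print(f"{bits}-bit: collision after {trials} fingerprints "
              f"(expected about {expected_birthday_trials(bits):.0f})")
```

The experiment is the reason a 160-bit result was chosen: halving the output length does not halve the collision work, it divides it by 2^40.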
New hash algorithm - SMD (cont.)
• Performance
  • compares the performance of MD5, SHA-1, RIPEMD-160, HAVAL (5 passes, 160 bits), and our scheme
  • the implementation was written in C on a Pentium (100 MHz)
  • our scheme is about 27% faster than RIPEMD-160 and about 2% faster than SHA-1
Secure hash function based on CA
• Cellular Automata (CA)
  • a linearly connected array of L cells and a Boolean function f(x) with q variables
  • each cell takes the value 0 or 1
  • q = 2r + 1, r : the radius of the function f(x)
  • the new value of the ith cell is calculated from the value of the ith cell and the values of the r neighboring cells to the right and to the left of the ith cell
  • for L cells, there are 2^L possible state vectors
  • : state vector at time step k
  • the sequence of state vectors forms a cycle
  • P : the period, which is a function of the initial value, the updating function, and the number of cells
Secure hash function based on CA (cont.)
• CA with q = 3
  • function f : the combinational logic associated with the CA
  • updating rule for the transition to the next state
  • if the next-state function of a cell is expressed in the form of a truth table, then the decimal equivalent of the output column of the truth table is called the CA rule number
  • Rule 90
  • Rule 60
  • Rule 150
  • Rule 204
Secure hash function based on CA (cont.)
• Uniform and hybrid CA
  • uniform CA: the same rule is applied to all cells of the CA
  • hybrid CA: otherwise
• boundary condition: null and periodic
  • null: the extreme cells are connected to logic '0'
  • periodic: the extreme cells are adjacent
• Additive CA
  • the next-state transition rules employ only XOR or XNOR operations
  • uniquely represented by a transition matrix over GF(2)
  • every transition matrix has a characteristic polynomial
Secure hash function based on CA (cont.)
• L-cell additive CA with XOR operations
  • characterized by an L x L Boolean matrix T
  • the ith row specifies the neighborhood dependency of the ith cell
  • x(t) : column vector representing the state of the CA at time t
  • next state of the CA
• Maximal length CA
  • the characteristic polynomial of the CA is primitive
  • generates all states in successive cycles, excluding the all-zero state
• Programmable CA (PCA)
  • different CA configurations are realized on the same structure by means of control logic
[Figure: PCA cell #i whose rule is selected by a control signal.]
Secure hash function based on CA (cont.)
• Example of a PCA: Rule 90 and Rule 150
  • if the control signal is '0', apply Rule 90; if the control signal is '1', apply Rule 150
Secure hash function based on CA (cont.)
• Applications of CA
  • design of block ciphers, stream ciphers and hash functions
  • first cryptographic application of CA: Crypto '85, Wolfram
  • 1994: Nandi et al. proposed block and stream ciphers based on CA
• hash functions based on CA
  • first proposal: Damgård
  • 1991: Daemen analyzed the vulnerability of Damgård's scheme and proposed a new CA-based hash function
  • 1997: Hirose proposed a hash function based on a two-dimensional CA
  • 1998: Mihaljevic proposed a CA-based hash function
    • the compression function is the combination of a nonlinear function and a PCA, and the output function is a key stream generator
Secure hash function based on CA (cont.)
• uses a Davies-Meyer type compression function
  • implies a secure hash function construction, assuming that the compression function and the output function are secure
• the compression function and the output function are based on CA
• features of the CA-based hash function
  • very fast hashing
  • application of CA theory to the security analysis
  • preimage and collision resistance due to the employed principles and building blocks
Secure hash function based on CA (cont.)
• Notations
  • n : the output length of the hash function (n = 160 bits)
  • l : an integer such that n/l is also an integer (l = 8 bits)
  • : nonlinear Boolean functions, each of which maps five l-dimensional binary vectors into an l-dimensional binary vector
    • 0-1 balanced, high nonlinearity, satisfy the SAC, pairwise linearly non-equivalent
Secure hash function based on CA (cont.)
• Notations (cont.)
  • : a maximal length CA
  • : a PCA controlled by the binary vectors X and Y; the applied configuration rules are as follows:
    • if the ith bit of X and the ith bit of Y are both 0, Rule 204 is applied to the ith PCA cell
    • if the ith bit of X is 0 and the ith bit of Y is 1, Rule 60 is applied to the ith PCA cell
    • if the ith bit of X is 1 and the ith bit of Y is 0, Rule 102 is applied to the ith PCA cell
    • if the ith bit of X and the ith bit of Y are both 1, Rule 150 is applied to the ith PCA cell
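As an added Python example (not from the slides), the CA machinery of the preceding slides: rule numbers read off the truth-table output column, uniform and hybrid CA with null or periodic boundaries, the GF(2) transition matrix of an additive CA, the period of a state, the maximal-length test, the Rule 90/150 PCA driven by a control signal, and the four-way PCA_XY selected by the bits of X and Y as defined just above. The hybrid rule vector [150, 90, 150, 90] is my own choice: with a null boundary its tridiagonal transition matrix has characteristic polynomial x^4 + x + 1, which is primitive, so the 4-cell CA visits all 15 nonzero states in one cycle.

```python
from itertools import product


def wolfram_rule(rule_number):
    """Next-state function of a radius-1 (q = 3) cell. The rule number is the decimal
    value of the truth-table output column with neighbourhood 111 as the high bit, so
    rule 90 = left XOR right, rule 150 = left XOR centre XOR right, rule 204 = centre."""
    def f(left, center, right):
        return (rule_number >> ((left << 2) | (center << 1) | right)) & 1
    return f


def ca_step(state, rules, boundary="null"):
    """One synchronous update of an L-cell hybrid CA; rules[i] is the rule number of
    cell i (a uniform CA has all entries equal). Null boundary: missing neighbours of
    the extreme cells read as 0; periodic: the extreme cells are adjacent."""
    L = len(state)
    nxt = []
    for i in range(L):
        if boundary == "periodic":
            left, right = state[(i - 1) % L], state[(i + 1) % L]
        else:
            left = state[i - 1] if i > 0 else 0
            right = state[i + 1] if i < L - 1 else 0
        nxt.append(wolfram_rule(rules[i])(left, state[i], right))
    return tuple(nxt)


def is_additive(rule_number):
    """A rule is additive (XOR-only) when it is linear over GF(2) in (left, centre, right)."""
    f = wolfram_rule(rule_number)
    a, b, c = f(1, 0, 0), f(0, 1, 0), f(0, 0, 1)
    return f(0, 0, 0) == 0 and all(
        f(l, m, r) == ((l & a) ^ (m & b) ^ (r & c))
        for l, m, r in product((0, 1), repeat=3))


def transition_matrix(rules):
    """L x L matrix T over GF(2) of an additive null-boundary CA: row i marks which of
    cells i-1, i, i+1 the ith cell depends on, so that x(t+1) = T x(t)."""
    L = len(rules)
    T = [[0] * L for _ in range(L)]
    for i, rn in enumerate(rules):
        if not is_additive(rn):
            raise ValueError(f"rule {rn} is not additive")
        f = wolfram_rule(rn)
        if i > 0:
            T[i][i - 1] = f(1, 0, 0)
        T[i][i] = f(0, 1, 0)
        if i < L - 1:
            T[i][i + 1] = f(0, 0, 1)
    return T


def matrix_step(T, state):
    """x(t+1) = T x(t), arithmetic over GF(2)."""
    L = len(state)
    return tuple(sum(T[i][j] & state[j] for j in range(L)) & 1 for i in range(L))


def all_states(L):
    return [tuple(bits) for bits in product((0, 1), repeat=L)]


def period(state, rules, boundary="null"):
    """Length of the cycle through `state`, or None if the state is not on a cycle."""
    s, n = ca_step(state, rules, boundary), 1
    while s != state:
        if n > 2 ** len(state):
            return None
        s, n = ca_step(s, rules, boundary), n + 1
    return n


def is_maximal_length(rules):
    """True when the null-boundary CA cycles through all 2^L - 1 nonzero states."""
    L = len(rules)
    return period((0,) * (L - 1) + (1,), rules) == 2 ** L - 1


def pca_control_rules(control):
    """PCA of the slides' example: control bit 0 selects Rule 90, 1 selects Rule 150."""
    return [150 if c else 90 for c in control]


def pca_xy_rules(X, Y):
    """PCA_XY: the ith cell's rule is chosen by the ith bits of the control vectors X, Y."""
    table = {(0, 0): 204, (0, 1): 60, (1, 0): 102, (1, 1): 150}
    return [table[(x, y)] for x, y in zip(X, Y)]


if __name__ == "__main__":
    rules = [150, 90, 150, 90]
    print(transition_matrix(rules), period((0, 0, 0, 1), rules), is_maximal_length(rules))
```

Because every rule in the PCA_XY table is additive, a PCA_XY configuration is itself an additive CA whose transition matrix (and therefore characteristic polynomial) changes with X and Y; that is what the control vectors buy in the compression function.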
[Figure: PCA cell #i with its neighbors cell #i-1 and cell #i+1.]
Secure hash function based on CA (cont.)
• Notations (cont.)
  • : the ith 4n-bit block of the input message
  • : the n-bit chaining variable after the ith iteration
Secure hash function based on CA (cont.)
• Message padding
  • the hash function has a variable-length hash result
  • the message padding process is the same as that of existing hash functions, except that the bit length of the hash result is also appended to the end of the message
  • a 2-byte output length L is appended after the (8-byte) length of the original message
• Compression function f()
  • input: a 4n-bit message block and an n-bit chaining variable
  • output: an n-bit chaining variable
Secure hash function based on CA (cont.)
• Compression function f() (cont.)
  • the message block and the chaining variable are each split into successive non-overlapping l-bit blocks
  • from these two inputs, the n-bit values X, Y, Z are computed by the following procedure:
    (1) compute the n-bit X
      • l-bit constants, k = 0, 1, ..., 9
    (2) compute the n-bit Y
Secure hash function based on CA (cont.)
    (3) apply X, Y to the PHT (Pseudo-Hadamard Transform)
      • split the n-bit X, Y into 8-bit pieces, respectively
    (4) compute the n-bit V
    (5) compute the n-bit Z
Secure hash function based on CA (cont.)
• Output function g()
  (1) load Hm as the initial value of the PCA
  (2) use the X, Y, V, Z obtained when the last chaining variable Hm is computed
    • split the n-bit X, Y, V, Z into 8-bit pieces, respectively
  (3) run the following for the output length L
    • each cycle outputs the middle bit of the state values of the PCA
Secure hash function based on CA (cont.)
• Hash function
  • input: message M, n-bit initial value IV
  • preprocessing: MD-strengthening and padding
    • split the message into m blocks of 4n bits
  • iterative processing: for i = 1, 2, ..., m, do the following:
    • calculate the compression function f()
    • if the result is the all-zero vector, recalculate
  • output function: calculate g()
  • output: L-bit message digest
[Figure: Block Diagram of the CA-based Hash Function. The original input M passes through padding to become the formatted input; the hash function h iterates the compression function f over the blocks and then applies the output function g.]
Secure hash function based on CA (cont.)
• the security of the proposed hash function is determined by the security of its compression function and output function
• the following imply the security of the compression function
  • the CA has a primitive characteristic polynomial, so it has maximal length
  • the pattern generated by maximal length CAs meets the cryptographic criteria
  • high nonlinearity due to the employed Boolean functions and PCA
  • the methods known so far for reconstructing a certain CA/PCA state cannot work in f()
  • the compression function is a cryptographic transformation
  • given an f() output, finding a preimage requires about 2^n operations and finding a collision requires about 2^(n/2) operations
Secure hash function based on CA (cont.)
• The security of the output function g()
  • a key stream generator which consists of two stages, using a CA and a PCA
  • it has a primitive characteristic polynomial, so it has maximal length
  • high nonlinearity due to the employed PCA
  • a cryptographic transformation
  • for a given n-bit hash value, finding the input of g(), i.e. Hm, requires about 2^n operations and finding a collision requires about 2^(n/2) operations
• For an n-bit hash value, the security of the proposed hash function
  • finding a preimage requires about operations
  • finding a collision requires about operations
Secure hash function based on CA (cont.)
• Computational complexity of the compression function
  • Boolean functions n/5l times and mod 256 additions 2n/l times
  • n-bit CA (= 3n XOR operations)
  • mod 256 additions 8n/16 times and 1-bit left shifts 4n/16 times
  • Boolean functions n/5l times and mod 256 additions 2n/l times
  • n-bit CA (= 3n XOR operations)
  • n-bit PCA_XY (= 3n XOR operations)
  • n-bit XOR operations
  • in total: mod 256 additions (4n/l + n/2) times, 1-bit left shifts n/4 times, two n-bit CA calculations, one n-bit PCA computation, bitwise AND 30n/5l times, bitwise XOR 26n/5l times, bitwise OR 4n/5l times, NOT 2n/5l times, and n-bit XOR computations
Secure hash function based on CA (cont.)
• Computational complexity of the output function
  • mod 256 additions 8n/16 times and 1-bit left shifts 4n/16 times
  • 2L-cycle CA and L-cycle PCA_X'Y' (L : bit length of the hash result)
• Complexity for processing m message blocks (n = 160, l = 8, L = n)
  • 80(2m+1) mod 256 additions + 40(m+1) 1-bit left shifts + (2m+320) CA + (m+160) PCA + 248m bitwise logical operations + m 160-bit XORs
• Memory requirement
  • 4n bits (message block), n bits (chaining variable), X, Y, V, Z, and an n-bit temporary buffer => a total of 10n bits of memory is required
Secure hash function based on CA (cont.)
• Comparison with Daemen's, Hirose's and Mihaljevic's schemes
  • Daemen's scheme: uses a nonlinear CA and a linear CA
  • Hirose's scheme: employs two nonlinear CA
    • the nonlinear CA used belong to a class of nonlinear CA for which an algorithm inverting the CA iterations was published recently
  • the compression function of the proposed hash function
    • employs the Davies-Meyer type and the combined form of nonlinear functions and a PCA
    • more secure than Daemen's scheme and Hirose's scheme
  • both schemes do not employ an output function, whereas the proposed hash function has an output function based on CA/PCA
Secure hash function based on CA (cont.)
• Mihaljevic's scheme
  • employs a Davies-Meyer type compression function and a cascade of a nonlinear function and a PCA
  • requires ROM and memory read operations for the nonlinear functions (similar to the S-boxes of DES)
  • employs PCA_X(), controlled by the binary vector X
  • output function: a PCA-based key stream generator
• The proposed scheme
  • employs 5-variable Boolean functions which use only bitwise logical operations
  • uses the more complex PCA_XY(), which applies one of four cases depending on the binary vectors X and Y
  • output function: the combination of a CA and a PCA
Secure hash function based on CA (cont.)
• Computational complexity for n = 160, l = 8, k = 3
• Mihaljevic's scheme
  • the compression function
    • 40 ROM reads
    • 20 ROM reads
    • 160-bit CA (= 480 XOR operations)
    • 20 ROM reads
    • 160-bit PCA (= 480 XOR operations)
    • 160 XOR operations
  • the output function
    • 160 mod additions, 160 ROM reads, a 160-cycle PCA operation, and a 160-bit permutation
Secure hash function based on CA (cont.)
• The proposed scheme
  • the compression function
    • 40 mod 256 additions and 124 XOR operations
    • 160-bit CA (= 480 XOR operations)
    • 80 mod 256 additions and 40 1-bit shifts
    • 40 mod 256 additions and 124 XOR operations
    • 160-bit CA (= 480 XOR operations)
    • 160-bit PCA (= 480 XOR operations)
    • 160 XOR operations
  • the output function
    • 80 mod 256 additions and 40 1-bit shifts
    • a 360-cycle CA operation and a 160-cycle PCA operation
Secure hash function based on CA (cont.)
• When processing the compression function,
  • the proposed scheme processes 4n bits of input data
  • Mihaljevic's scheme processes 2n bits of input data
  • so for the same length of input data, Mihaljevic's scheme requires twice as many compression function computations as the proposed scheme
• Assuming 640 bits of input data
  • Mihaljevic's scheme: 80 ROM reads + 2240 XOR operations
  • proposed scheme: 160 mod 256 additions + 40 1-bit shifts + 1848 XOR operations
Secure hash function based on CA (cont.)
• Memory requirement for n = 160, l = 8, k = 3
  • Mihaljevic's scheme: about 1546 Kbits of ROM and an 800-bit buffer
  • proposed scheme: about a 1600-bit buffer
• However, the proposed scheme has more complex control logic than Mihaljevic's scheme, and the implementation complexity is increased by the PHT and the nonlinear functions
• The proposed scheme has a variable-length hash result
  • it can be used in various applications
The MAC(Message Authentication Code) using the proposed hash algorithms
The MAC construction using SMD
• Design goals
  • the secret key should be involved at the beginning and at the end, and at every iteration of the hash function
  • the deviation from the original hash function should be minimal, in order to minimize the implementation effort and to maximize the confidence previously gained
  • the performance should be close to that of the hash function
  • the additional memory requirements should be minimized
  • the approach should be generic, i.e. it should apply to any MD-family hash function