Cryptographic Hashing: Blockcipher-Based Constructions, Revisited
Tom Shrimpton, Portland State University
Results from CRYPTO 2004
• “Near-collisions” in SHA-0 [Biham]
• Collisions in SHA-0 [Joux, rump session]
• Collisions in reduced-round SHA-1 [Biham, rump session]
• Collisions in MD4, MD5, RIPEMD, HAVAL-128 [Wang et al., rump session]
• Multicollisions in iterated constructions [Joux]
Today
• What are these objects?
• What cryptographic properties do we like for them to have?
• How do we build them (particularly, from a blockcipher)?
• What do we currently understand about proofs, models, bounds on efficiency, etc.?
• A call to action!
What are cryptographic hash functions?
(figure: a file goes through a hash function, e.g., md5sum or SHA-1, producing a cryptographic “fingerprint”)
SHA-1 [NIST]: the message is processed in 512-bit blocks M_1, M_2, ..., M_m and the output is 160 bits (<< and >> denote rotations).
  for i = 1 to m do
    W_t = t-th word of M_i                                    for 0 ≤ t ≤ 15
    W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) << 1        for 16 ≤ t ≤ 79
    A ← H0^{i-1}; B ← H1^{i-1}; C ← H2^{i-1}; D ← H3^{i-1}; E ← H4^{i-1}
    for t = 0 to 79 do
      T ← (A << 5) + g_t(B, C, D) + E + K_t + W_t
      E ← D; D ← C; C ← B >> 2; B ← A; A ← T
    end
    H0^i ← A + H0^{i-1}; H1^i ← B + H1^{i-1}; H2^i ← C + H2^{i-1}; H3^i ← D + H3^{i-1}; H4^i ← E + H4^{i-1}
  end
  return H0^m H1^m H2^m H3^m H4^m
Today
✓ What are these objects?
• What cryptographic properties do we like for them to have?
• How do we build them (particularly, from a blockcipher)?
• What do we currently understand about proofs, models, bounds on efficiency, etc.?
• A call to action!
A cloud of names, with question marks for the unclear relations among them: 2nd-preimage resistance, universal one-way hash function, weak collision resistance, inversion resistance, collision-intractable, strong hash, one-way function, strong collision resistance, collision resistance, target collision resistance, preimage resistance, collision-free.
A motivating quote, and a “fact”
“2nd-preimage resistance — it is computationally infeasible to find any second input which has the same output as any specified input, i.e., given x, to find a 2nd-preimage x' ≠ x such that h(x) = h(x').” [MOV]
How are inputs specified? How is h selected?
“Fact: Collision resistance implies 2nd-preimage resistance of hash functions” [MOV]
This “fact” depends on how you answer the above questions!
A cryptographic property (quite informal)
1. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output.
BAD example: H(M) = M mod 701 (any M' ≡ Y (mod 701), e.g., M' = Y itself, inverts the output Y)
Preimage resistance (intuition, but slightly more formal)
H: K × Strings → {0,1}^n, where
  K: a finite, nonempty set (the key space)
  Strings: a set of strings ⊆ {0,1}*
  n: the hash length
Example: keyed-SHA1: {0,1}^160 × {0,1}* → {0,1}^160; SHA1 is one particular function from this family.
(figure: a domain point M ∈ {0,1}^m goes through H_K to Y ∈ {0,1}^n; going back from Y to some M' with H_K(M') = Y is the direction that is “hard” for any “reasonable” adversary)
Preimage resistance: a definition (formal)
A probabilistic game, named after the property:
  • choose a random key
  • choose a random domain point
  • hash the domain point
  • A runs, and returns a domain point
The “name of game” event: did A win, i.e., find a preimage?
A formal framework [RS04]
Preimage notions are classified by two choices: is the key fixed or random, and is the range point fixed or random?
  “a” = “always”: aPre, fixed key. Every hash function in the family is hard to invert.
  “e” = “everywhere”: ePre, fixed range point. Every range point is hard to invert.
More cryptographic properties
1. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output. ✓
2. Second-preimage resistance: given a hash function and given a first input, it is hard to find a second input that collides with the first.
3. Collision resistance: given a hash function, it is hard to find two colliding inputs.
The same grid for all three properties:
  Preimage (fixed or random range point):
    fixed key: aPre (random range point)
    random key: ePre (fixed range point), Pre (random range point)
  Second preimage (fixed or random domain point):
    fixed key: aSec (random domain point)
    random key: eSec (fixed domain point; also known as UOWHF), Sec (random domain point)
  Collision (fixed key or random key):
    random key: Coll
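The preimage games above, written out as code. This is an added example, not from the talk or from [RS04]: it assumes a constructed toy family H_K(M) = first n bits of SHA-256(K || M) with n = 12 (tiny on purpose, so a brute-force adversary wins measurably often), and a generic q-query brute-force adversary. The three games differ only in which of the key and the range point is fixed before the random choices are made, which is exactly the aPre / ePre / Pre distinction.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/rand"
)

const n = 12 // hash length in bits, kept tiny so that a brute-force adversary wins measurably often

// H is the toy keyed family (constructed for this example): H_K(M) = first n bits of
// SHA-256(K || M), with 32-bit keys and 32-bit domain points.
func H(key, m uint32) uint16 {
	var in [8]byte
	binary.BigEndian.PutUint32(in[:4], key)
	binary.BigEndian.PutUint32(in[4:], m)
	d := sha256.Sum256(in[:])
	return binary.BigEndian.Uint16(d[:2]) & (1<<n - 1)
}

// Adversary receives the key and the target Y, may evaluate H at most q times,
// and returns a candidate domain point (ok = false if it gives up).
type Adversary func(key uint32, y uint16, q int) (x uint32, ok bool)

// bruteForce tries domain points 0, 1, 2, ... until it hits Y or its q-query budget is spent.
func bruteForce(key uint32, y uint16, q int) (uint32, bool) {
	for x := uint32(0); x < uint32(q); x++ {
		if H(key, x) == y {
			return x, true
		}
	}
	return 0, false
}

// Game is one run of a preimage experiment; true means the adversary won.
type Game func(rng *rand.Rand, a Adversary, q int) bool

// preGame (Pre): random key K, random domain point M, target Y = H_K(M); A gets (K, Y)
// and wins iff H_K(M') = Y for the M' it returns.
func preGame(rng *rand.Rand, a Adversary, q int) bool {
	key, m := rng.Uint32(), rng.Uint32()
	y := H(key, m)
	x, ok := a(key, y, q)
	return ok && H(key, x) == y
}

// aPreGame ("always"): the key is fixed before the game (the adversary may pick it;
// here it is 0), then a random domain point is drawn and hashed.
func aPreGame(rng *rand.Rand, a Adversary, q int) bool {
	const chosenKey = 0
	y := H(chosenKey, rng.Uint32())
	x, ok := a(chosenKey, y, q)
	return ok && H(chosenKey, x) == y
}

// ePreGame ("everywhere"): the range point is fixed before the game (here 0),
// then a random key is drawn; the adversary must invert that point under that key.
func ePreGame(rng *rand.Rand, a Adversary, q int) bool {
	const chosenY = 0
	key := rng.Uint32()
	x, ok := a(key, chosenY, q)
	return ok && H(key, x) == chosenY
}

// Advantage estimates Pr[A wins] for a q-query adversary by repeating the game.
func Advantage(g Game, a Adversary, q, trials int, seed int64) float64 {
	rng := rand.New(rand.NewSource(seed))
	wins := 0
	for i := 0; i < trials; i++ {
		if g(rng, a, q) {
			wins++
		}
	}
	return float64(wins) / float64(trials)
}

func main() {
	q, trials := 256, 2000
	games := []struct {
		name string
		g    Game
	}{{"Pre", preGame}, {"aPre", aPreGame}, {"ePre", ePreGame}}
	for _, gm := range games {
		adv := Advantage(gm.g, bruteForce, q, trials, 1)
		// against a good family, q queries of brute force win roughly q/2^n of the time
		fmt.Printf("%-4s q=%d: Adv ≈ %.3f  (q/2^n = %.3f)\n", gm.name, q, adv, float64(q)/float64(int(1)<<n))
	}
}
```

With this toy family all three advantages come out near q/2^n, which is what a family with no structure to exploit should give. The BAD example H(M) = M mod 701 from the earlier slide is the opposite extreme: an adversary that returns Y itself wins the Pre game every time with zero queries.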
Our results [RS04]
(figure: implications among the seven notions Coll, aSec, eSec, Sec, aPre, ePre, Pre, drawn as arrows; legend: provisional implication, conventional implication, separation [no arrow])
What about near-collisions?
(figure: M and M' in Strings are hashed under H_K to Y, Y' ∈ {0,1}^n such that Y ≈ Y')
This should be “hard” for any “reasonable” adversary (Hmm.. what does this mean now?)
Research project #1: Continue definitional work
  What’s the “right” definition for the task?
  How do we make it formal?
Today
✓ What are these objects?
✓ What cryptographic properties do we like for them to have?
• How do we build them (particularly, from a blockcipher)?
• What do we currently understand about proofs, models, bounds on efficiency, etc.?
• A call to action!
H: K × Strings → {0,1}^n. How to do this? An arbitrary-length string must be mapped to an n-bit string.
Merkle-Damgård construction [Me89], [Da89]
(figure: the message is split into k-bit blocks M_1, M_2, M_3; starting from a fixed initial value IV, each block and the current n-bit chaining value go through the compression function f, giving h_1, h_2, h_3 = H(M), i.e., h_i = f(h_{i-1}, M_i) with h_0 = IV)
MD Theorem: if f is CR, then so is H
The SHA-1 pseudocode above, viewed as a Merkle-Damgård iteration: each 512-bit block M_i updates the 160-bit chaining value H0..4^{i-1} to H0..4^i, and the final 160-bit chaining value H0^m H1^m H2^m H3^m H4^m is returned.
Why build hash functions from blockciphers? Economy of primitives: “Do as much as possible with as little as possible”
(late 70s to early 90s): DES
• weak keys cause design difficulties
• small blocksize ⇒ easier wins for adversary
(now): AES has changed the playing field
• no known weak keys
• bigger blocksize ⇒ harder wins for adversary
Blockcipher-based compression function #1 (CBC) [Akl83]: is this collision-resistant?
(figure: two two-block messages under E with the same key K: (M1, M2) = (0, E_K(IV) ⊕ E_K(0)) and (M1, M2) = (IV, 0) both hash to E_K(E_K(0)) = E_K(E_K(0)))
Attempt #2 [PGV93]: how about this?
(figure: the message blocks key E, and the intermediate values shown are E_0(0) ⊕ IV and E_1(1) ⊕ IV; the two exhibited messages both hash to IV, “IV = IV”, so again there is a collision)
Davies-Meyer compression function [PGV93], [BRS02]
(figure: the message block M_i keys E, the chaining value h_{i-1} is encrypted, and h_{i-1} is fed forward onto the output: h_i = E_{M_i}(h_{i-1}) ⊕ h_{i-1})
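The Merkle-Damgård iteration and the Davies-Meyer compression function, combined into a complete hash. This is an added example, not code from the talk or from any cited paper: it assumes AES-128 as the blockcipher (so the message block is the 128-bit key and the chaining value is the 128-bit block), an all-zero IV chosen for the example, and the usual MD strengthening (0x80, zero padding, 64-bit length) so that messages of different lengths cannot trivially collide. The function and helper names are this example’s own.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const blockLen = 16 // AES-128: 16-byte block (the n = 128-bit chaining value) and 16-byte key (one message block)

// daviesMeyer is the compression function f(h_{i-1}, M_i) = E_{M_i}(h_{i-1}) XOR h_{i-1}:
// the message block keys the cipher and the chaining value is fed forward.
func daviesMeyer(h, m [blockLen]byte) [blockLen]byte {
	c, err := aes.NewCipher(m[:])
	if err != nil {
		panic(err) // cannot happen: m is always exactly 16 bytes
	}
	var out [blockLen]byte
	c.Encrypt(out[:], h[:])
	for i := range out {
		out[i] ^= h[i]
	}
	return out
}

// pad applies Merkle-Damgard strengthening: 0x80, zeros, then the 64-bit message length
// in bits, so that the padded message is a whole number of 16-byte blocks.
func pad(msg []byte) []byte {
	p := append([]byte{}, msg...)
	p = append(p, 0x80)
	for len(p)%blockLen != blockLen-8 {
		p = append(p, 0)
	}
	var l [8]byte
	binary.BigEndian.PutUint64(l[:], uint64(len(msg))*8)
	return append(p, l[:]...)
}

// Hash iterates the compression function over the padded blocks, starting from a fixed IV.
func Hash(msg []byte) [blockLen]byte {
	var h [blockLen]byte // IV: the all-zero block (a fixed constant chosen for this example)
	p := pad(msg)
	for i := 0; i < len(p); i += blockLen {
		var m [blockLen]byte
		copy(m[:], p[i:i+blockLen])
		h = daviesMeyer(h, m)
	}
	return h
}

// Digest returns the 128-bit hash as hex.
func Digest(msg []byte) string {
	h := Hash(msg)
	return hex.EncodeToString(h[:])
}

func main() {
	for _, s := range []string{"", "abc", "The quick brown fox jumps over the lazy dog"} {
		fmt.Printf("%-45q %s\n", s, Digest([]byte(s)))
	}
}
```

Note that each block re-keys AES (one key schedule per 16 bytes of message), which is the cost the later “moving theory towards practice” slide points at, and that the output is only 128 bits, which the cascading discussion below takes up.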
SHA-0, SHA-1 are blockcipher-based hash functions! In the SHA-1 pseudocode above, the message expansion plus the 80-round loop over A, B, C, D, E is a blockcipher with a 512-bit key (the block M_i) and a 160-bit block (the chaining value H0..4^{i-1}); the final additions H_j^i ← (register) + H_j^{i-1} are the Davies-Meyer feedforward.
Collision resistance in the “ideal cipher” model
Model the blockcipher as a random permutation for each key. The adversary A has oracles E and E^{-1}: it queries (K, x) and receives E_K(x), or queries (K, y) and receives E_K^{-1}(y), and finally outputs M, M'.
  Adv^coll_H(A) = Pr[ A^{E, E^{-1}} finds a collision in H^E ]
  Adv^coll_H(q) = max_A { Adv^coll_H(A) } over adversaries A making at most q queries
The adversary is computationally unbounded; the only counted resource is oracle queries.
Why such a strong model?
• PRP assumption isn’t enough in general [Simon]
• Specifically, for each of the 12 there is a PRP that makes collisions easy [Hopwood][Wagner]
• More importantly, PRP is the wrong tool: its security depends on a random, secret key
Research project #2: Find new models and/or assumptions
  What properties does a blockcipher need for hashing?
  How can we abstract them to models/assumptions?
  Can we prove things?
Moving theory towards practice
(figure: two consecutive Davies-Meyer steps taking h_{i-1} to h_i to h_{i+1}, with E keyed by M_i and then by M_{i+1}; using a fresh key for every block means expensive operations)
Secure rate-1, fixed-key constructions? No secure rate-1, fixed-key constructions [BCS 04]
(figure: a compression function with n-bit wires that maps h_{i-1} and M_i to h_i using a single fixed-key call E_K, with pre- and post-processing functions f1 and f2)
In the black-box model:
  compression function: collision after 2 blockcipher calls
  iterated function: collisions in Θ(n + lg(n)) calls
Research project #3 Find secure, fixed-key, rate < 1, iterated constructions (some progress being made)
128 bits too small? Cascaded constructions!
  H_K1(M) || H_K2(M) = G_(K1,K2)(M)
  each component has an n-bit output with n/2 bits of CR; does G get n bits of CR?
Joux: for MD constructions, No!
Multicollisions
(figure: Merkle-Damgård iteration of f over blocks M_1, M_2, ..., M_m from IV through the n-bit chaining values h_1, h_2, ..., h_{m-1} to h_m = H(M))
For m · 2^{n/2} work, we can make 2^m messages that collide
Collisions in cascaded constructions
For G_(K1,K2)(M) = H_K1(M) || H_K2(M) with 160-bit H_K1 and 160-bit H_K2:
1. Create a 2^81-way multicollision under H_K1
2. Hash these messages under H_K2
Collision in G for work O(2^80) << O(2^160)
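The multicollision slide and the cascade slide, carried out end to end on a toy instance so the work figures can be seen rather than taken on faith. This is an added example, not from the talk or from Joux’s paper: it assumes two constructed 16-bit iterated hashes (compression function = SHA-256(tag || h || m) truncated to 16 bits, with tags 1 and 2 standing in for the keys K1 and K2), 32-bit message blocks, and length padding omitted because all messages compared have the same number of blocks. With n = 16 the birthday bound is 2^8, so a 2^11-way multicollision under H_1 is enough for a collision under H_2 to appear among those messages.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Block is a 32-bit message block (constructed); the toy chaining value is n = 16 bits.
type Block [4]byte

// compress is a toy compression function: SHA-256(tag || h || m) truncated to 16 bits.
// Two different tags give two independent-looking functions, standing in for H_K1 and H_K2.
func compress(tag byte, h uint16, m Block) uint16 {
	var in [7]byte
	in[0] = tag
	binary.BigEndian.PutUint16(in[1:3], h)
	copy(in[3:], m[:])
	d := sha256.Sum256(in[:])
	return binary.BigEndian.Uint16(d[:2])
}

// iterate is plain Merkle-Damgard chaining from IV = 0. Length padding is omitted because
// every message compared below has exactly k blocks, so strengthening would change nothing.
func iterate(tag byte, msg []Block) uint16 {
	h := uint16(0)
	for _, m := range msg {
		h = compress(tag, h, m)
	}
	return h
}

// collidingPair returns distinct blocks a != b with compress(tag, h, a) == compress(tag, h, b),
// found by a birthday search costing about 2^(n/2) = 256 compressions.
func collidingPair(tag byte, h uint16) (a, b Block, y uint16, work int) {
	seen := make(map[uint16]Block)
	for ctr := uint32(0); ; ctr++ {
		var m Block
		binary.BigEndian.PutUint32(m[:], ctr)
		y = compress(tag, h, m)
		if prev, ok := seen[y]; ok {
			return prev, m, y, int(ctr) + 1
		}
		seen[y] = m
	}
}

// jouxMulticollision chains k birthday collisions. Taking either block of each pair gives
// 2^k distinct k-block messages with the same hash value, for about k * 2^(n/2) work.
func jouxMulticollision(tag byte, k int) (pairs [][2]Block, final uint16, work int) {
	h := uint16(0)
	for i := 0; i < k; i++ {
		a, b, y, w := collidingPair(tag, h)
		pairs = append(pairs, [2]Block{a, b})
		work += w
		h = y
	}
	return pairs, h, work
}

// Cascade is G_(K1,K2)(M) = H_K1(M) || H_K2(M): a 32-bit output from two 16-bit iterated hashes.
func Cascade(msg []Block) uint32 {
	return uint32(iterate(1, msg))<<16 | uint32(iterate(2, msg))
}

// CascadeCollision builds a 2^k-way multicollision under H_1, then hashes those messages under
// H_2; once 2^k exceeds 2^(n/2) a collision under H_2, and hence under G, is expected.
func CascadeCollision(k int) (m1, m2 []Block, work int, ok bool) {
	pairs, _, w := jouxMulticollision(1, k)
	work = w
	seen := make(map[uint16][]Block)
	for idx := 0; idx < 1<<uint(k); idx++ {
		msg := make([]Block, k)
		for i := range msg {
			msg[i] = pairs[i][(idx>>uint(i))&1] // bit i of idx selects a_i or b_i
		}
		work += k // k compressions to hash one k-block message under H_2
		y := iterate(2, msg)
		if prev, found := seen[y]; found {
			return prev, msg, work, true
		}
		seen[y] = msg
	}
	return nil, nil, work, false
}

func main() {
	m1, m2, work, ok := CascadeCollision(11)
	fmt.Println("collision in the cascade:", ok, "compression calls used:", work)
	fmt.Printf("G(m1) = %08x  G(m2) = %08x\n", Cascade(m1), Cascade(m2))
}
```

The work is on the order of 11 · 2^8 + 2^11 · 11 compressions, far below the 2^16 that the 32-bit output of G would suggest for a birthday attack; scaling n to 160 gives the 2^81-way multicollision and the O(2^80) << O(2^160) figures on the slide.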
What about MDC-2?
(figure: the MDC-2 compression function, which makes two blockcipher calls E per message block M_i and carries two chaining values, h_{i-1} → h_i and g_{i-1} → g_i)
Huge opportunities for research
• Continue definitional work
  • Formalize “near collisions”, etc.
  • What are the right properties for specific tasks?
• Flesh out the theoretical landscape
  • Ideal cipher model ⇒ proofs
  • PRP assumption ⇒ no proofs
• Find secure, fixed-key, rate < 1, iterated scheme
• Analysis of MDC-2