The Hash Function “Fugue” Shai Halevi William E. Hall Charanjit S. Jutla IBM T. J. Watson Research Center
Broad Overview Maintains Large State (~1000 bits) • Large Initial State • Tougher to invert • Large Final State • Tougher to find collision • Final Compression (to say, 256 bits) • Lots of Crunching • Tougher to find “properties”, invert, or find collision • Uses ‘super’ AES-like rounds • Focus of the Talk : Collision Resistance
[Figure: Fugue-256 mode of operation. Initial State (30 words) → Process M1 → New State → (iterate: Process M_i → State) → Final Stage → Hash Output (8 words)]
[Figure: same pipeline with differences. Process ΔM1 → New State → (iterate ΔM_i) → State with Δ = 0 → Final Stage → output Δ = 0, i.e. an internal collision propagates to an output collision]
Overview (contd.) • Inspired by Grindahl [KRT07] • Small incremental input rounds • Long final stage. • Attacked by Peyrin [P07] -Internal Collisions • Fugue has a Proof Driven Design • Proves that Peyrin-style attacks do not work • Proves bound on differential attacks assuming limits (extremely generous) on message modification. • Proves bound on finding External Collisions. • Like AES, uses MDS codes • but bigger MDS codes • Does not need MD mode theorem
Design Challenges • Non-secret key / un-keyed properties give the adversary “non-standard” approaches to enhance differential attacks • Message Modification • Neutral Bits, Neutral Differentials
Good News • The main “non-secret key” properties are about collisions • Collision, TCR, 2nd Pre-image, Universal Hash • The differential requires output difference to be zero, i.e. Dout = 0. • Is it easy to prove something about such restricted differentials? • Quandary: All good practical designs are based on permutations.
[Figure: external collision. Process ΔM1 → New State → (iterate ΔM_i) → State with Δ ≠ 0 → Invoke Coding Theory → Final Stage → output Δ = 0]
What’s in an elementary round? • [Called SMIX in the paper] • Works on 128 bits (just like AES) • Arranged as 4 by 4 matrix (just like AES) • Starts with S-box substitution (same as AES) • Does linear mixing (more advanced than AES)
Fugue elementary round “SMIX” Leads to MDS code over 16 bytes!
Fugue elementary round “SMIX” • At least 13 active S-Boxes • 2^{-6*13} = 2^{-78} • Leads to MDS code over 16 bytes!
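The two numbers on this slide, 2^{-6} per active S-box and an MDS mixing layer that forces many S-boxes to be active, can be checked directly. The block below is an added example, not code from the slides or from the Fugue authors: it rebuilds the AES S-box (which the slides say SMIX reuses) and computes the maximum entry of its difference distribution table, then tests the MDS property of a 4x4 byte matrix by the all-minors-non-singular criterion. Fugue's own Super-Mix matrix is not given on the page, so AES MixColumns is assumed as a stand-in matrix here; the bound function at the end applies the slide's independence assumption to any active-S-box count.

```python
# Added example (not from the Fugue slides): S-box differential uniformity and the
# MDS check behind "at least 13 active S-boxes => 2^{-6*13}".
# AES MixColumns is an assumed stand-in; it is not Fugue's Super-Mix matrix.
from itertools import combinations
from math import log2

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """a^254 = a^-1 in GF(2^8); 0 maps to 0, exactly as in the AES S-box."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def aes_sbox() -> list:
    """Field inversion followed by the AES affine map (rotations of y plus 0x63)."""
    box = []
    for x in range(256):
        y = gf_inv(x)
        s = 0x63
        for i in range(5):
            s ^= ((y << i) | (y >> (8 - i))) & 0xFF
        box.append(s)
    return box


def max_ddt_entry(sbox: list) -> int:
    """Largest DDT count over non-zero input differences (AES: 4, i.e. 4/256 = 2^-6)."""
    best = 0
    for din in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ din]] += 1
        best = max(best, max(counts))
    return best


def gf_det(m: list) -> int:
    """Determinant over GF(2^8) by Laplace expansion; in characteristic 2 signs vanish."""
    n = len(m)
    if n == 1:
        return m[0][0]
    det = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        det ^= gf_mul(m[0][j], gf_det(minor))
    return det


def is_mds(m: list) -> bool:
    """A square matrix is MDS iff every square sub-matrix is non-singular."""
    n = len(m)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if gf_det([[m[r][c] for c in cols] for r in rows]) == 0:
                    return False
    return True


# Assumed stand-in mixing matrix: AES MixColumns (circulant 2,3,1,1).
MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def apply_matrix(m: list, v: list) -> list:
    return [sum_xor(gf_mul(c, x) for c, x in zip(row, v)) for row in m]


def sum_xor(values) -> int:
    acc = 0
    for y in values:
        acc ^= y
    return acc


def min_weight_single_byte_input(m: list) -> int:
    """Min(input weight + output weight) over single-byte differences; MDS gives n+1."""
    n, best = len(m), None
    for pos in range(n):
        for d in range(1, 256):
            v = [0] * n
            v[pos] = d
            w = 1 + sum(1 for y in apply_matrix(m, v) if y)
            best = w if best is None else min(best, w)
    return best


def trail_bound_log2(active_sboxes: int, max_ddt: int = 4) -> float:
    """log2 of the trail probability bound, assuming rounds are independent (the slide's assumption)."""
    return active_sboxes * (log2(max_ddt) - 8)


if __name__ == "__main__":
    box = aes_sbox()
    print("max DDT entry:", max_ddt_entry(box), "-> per-S-box prob 2^-6")
    print("MixColumns MDS:", is_mds(MIXCOLUMNS), "branch:", min_weight_single_byte_input(MIXCOLUMNS))
    print("13 active S-boxes -> 2^", trail_bound_log2(13))
```

The independence assumption is what lets the per-S-box factor be multiplied; the MDS minor test is the part that certifies the active-S-box count cannot be lowered by a clever difference pattern, which is why the slide says the mixing layer "leads to an MDS code".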
[Figure: FINAL STAGE = Rapid Mixing (G1) followed by Differential Killer (G2), then output]
External Collision Provable Bound • Assumption: Differential Attacks • Attacker controls difference, state itself is random • Probabilities of different rounds are assumed independent. • Consider 2 messages leading to two different states at middle of final stage • After the rapid mixing • Allow the adversary to force a difference D of its choice at this point.
External Collision Provable Bound • Theorem: For any state difference D ≠ 0, if the states at the start of G2 are chosen randomly then Pr[ Collision in 256 bit output | D ] ≤ 2^{-129} • Recall, this assumes the independence assumption
[Figure: one input round of Fugue-256. Initial State (30 words) → Process M1 (SMIX, then repeat once more) → New State → iterate → Final Stage]
INTERNAL COLLISION PROVABLE BOUND • Random states, but Δ_{i-4} = D • Process M_{i-3}, M'_{i-3} → State • Process M_{i-2}, M'_{i-2} → State • Process M_{i-1}, M'_{i-1} → State • Process M_i, M'_i → State with Δ_i = 0 • Theorem: Pr[ M, M' over rounds i-3..i : Δ_i = 0 | Δ_{i-4} = D ] ≤ 2^{-168}
Message Modification? • Neutral Bits? • How justified is random state? • We do more advanced analysis, giving extremely generous “free message modification / all bits neutral ” allowance. • Still can prove 2^{-128} bound.
Performance (Fugue-256) • 32 bit Intel Core 2 Duo (Linux) • ANSI C : 36 cycles/byte • 64 bit Intel Xeon (CygWin) • ANSI C : 28 cycles/byte • 8-bit: as good as AES…similar advantages • Decent state size : 120 bytes (1000 cycles/byte) • Hardware: 90nm IBM Cu-8 technology • 360 MB/sec (basic) to 1.8 GB/sec.
Conclusion • Proof-driven Design leads to best of both worlds: • - Security • - Performance
Fugue is a Universal Hash Fn. • Requirement: • For all messages M1,M2, Pr_k[ Fugue_k(M1) = Fugue_k(M2)] is low • Key is 8 words (256 bits), placed in the right most 8 words of initial state. • Assume (for now) same length. • Wlog internal collision, otherwise messages irrelevant.
Internal coll. at end of Round 0 • Number the rounds backwards 0, -1, -2,… • For now, assume states at start of round –3 are random (but say, with some adversary determined difference D). • Then, we have already proven 2^{-168}.
What about the random assump. • Random but diff = D at start of round –3. • That is allowing adversary to get an XOR-diff D with probability 1 (on a random key)! • So seems not that bad an assumption. • But, is entropy depletion a problem? • State starts with 8 word entropy. • Each round adversary inserts a word (pair).
[Figure: one input round (SMIX, repeated once more) taking Input State (30 words) and M1 to Output State (O_S). Question: can (D1, O_S) arise from (M1; IS) and (D2, O_S) from (M1; IS') with IS ≠ IS'? Nope!]
[Figure: why not. With M1 fixed, the state difference X entering the first SMIX is non-zero, so all 4 words are non-zero after SMIX; the difference entering the second SMIX is again non-zero, so all 4 words are non-zero after it, contradicting an Output State difference of 0]
Desired Properties • Keyed Properties • Secret Key • PRF (MAC) • Non-Secret Key (Salted) • Universal Hash, Extractor, Key Derivation • Collision Resistance, TCR, Pre-image (1st / 2nd) • Un-Keyed Versions • Collision Resistance, Pre-image (1st /2nd)