340 likes | 460 Views
Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160. Sabine Wurmhöringer Salzburg University for Applied Sciences and Technology Telecommunications Engineering swurmhoe@fh-sbg.ac.at Stefan Wegenkittl Salzburg University for Applied Sciences and Technology
E N D
Statistical Evidence for the Cryptographic Hash Functions SHA-1 and RIPEMD-160 Sabine Wurmhöringer Salzburg University for Applied Sciences and Technology Telecommunications Engineering swurmhoe@fh-sbg.ac.at Stefan Wegenkittl Salzburg University for Applied Sciences and Technology Telecommunications Engineering Peter Hellekalek Dept. of Mathematics, University of Salzburg, Austria
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Construction of Hash Functions • preimage resistance • second preimage resistance • collision resistance (e.g. Bruce Schneier)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Collisions: 2 messages produce same hash! I owe you 100 $ I owe you 1.000.000 $ h h 00 34 CA ... FE 160 bit hash
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Construction of Hash Functions • preimage resistance • second preimage resistance • collision resistance (e.g. Bruce Schneier) • randomness of hash values
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Randomness of Hash Values: Stoch. Model • Principle: i.i.d. uniform plaintexts result in i.i.d. uniform hash values, thus minimize probability of collisions X= {0,1}n plaintexts M ~ U[X] |X|∞ Y= {0,1}160 hashes C = h(M) ~ U[Y] |Y|= 2160 h !
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Example for Violation of Uniformity space of plaintexts ( X ) space of hash values ( Y) h Attacks 9/10 1/10 1/10 9/10 h
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Randomness of Hash Values: Stat. Testing • Substitute realisations for random variables and apply statistical tests for uniformity to resulting hash values • Even more: hashing should destroy simplestructures: structured plaintexts should produce equidistributed (pseudo-random) hash values • A simple structure: plaintexts are the consecutive values of a counter • same reasoning was applied in tests for cryptographic algorithms (e.g. AES)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Randomness in Cryptology and Simulation (Stochastic) Simulation Cryptology (Pseudo) Randomness
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Randomness in Cryptology and Simulation (Stochastic) Simulation Cryptology (Pseudo) Randomness „unpredictability“ „unbiasedness“ in terms of interpretation „independence“ „equidistribution“ in terms of statistics
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 „independence“ P[0|0] = ½ „equidistribution“ P[0,0]= ¼ 1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1 High Dimensional Tests for Uniformity ⇔
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 „independence“ P[0|0] = ½ ... P[1|1] = ½ Tests for independence „equidistribution“ P[0,0]= ¼ ... P[1,1]= ¼ Tests for uniformity in higher dimensions High Dimensional Tests for Uniformity ⇔ =
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Statistical Testing • Standard test batteries • NIST test suite: http://www.nist.gov • Diehard battery: http://stat.fsu.edu/~geo/diehard.html • rather limited sample sizes and range of parameters • able to find several specific defects • Room for improvement: for example, a well-known defect in T800 is not detected(ACM Tomacs ’99, Matsumoto and Wegenkittl) • Referencesup to date hardly any published results • Recommendation: additionally employ systematic testing (WSC ’99, Wegenkittl)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Systematic Testing: Serial Overlapping Tests • Load Test (m-tuple test) • vary sample size in { 218 – 228 } • vary dimension in {1, 2, 4, 8, 16 } • Gambling Test • even higher dimensions in { 32, 64, 128, 256 } • vary sample size in { 222 – 228 } • based on simulation of gambling game
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Test Setup and Test Design • preparation of input • 2-level serial overlapping test • Chi-square distributed level one test • Kolmogorov-Smirnov test at level two applied to 16 repetitions of level one test (see e.g. Knuth)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Preparation of Input m‘=0 m‘‘=1 ... counter 0 .............0 0 ............01 32 bit 32 bit
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Preparation of Input m‘=0 m‘‘=1 ... counter 0 .............0 0 ............01 32 bit 32 bit hash function h(m‘) h(m‘‘)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Preparation of Input m‘=0 m‘‘=1 ... counter 0 .............0 0 ............01 32 bit 32 bit hash function h(m‘) h(m‘‘) ... c‘0 .........c‘159 c‘‘0............c‘‘159 hash values 160 bit 160 bit
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Preparation of Input m‘=0 m‘‘=1 ... counter 0 .............0 0 ............01 32 bit 32 bit hash function h(m‘) h(m‘‘) ... c‘0 .........c‘159 c‘‘0............c‘‘159 hash values 160 bit 160 bit cutting ... c‘‘0 c‘‘8 ... c‘‘152 c‘0 c‘8 ..... c‘152 20 bit 20 bit
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Preparation of Input m‘=0 m‘‘=1 ... counter 0 .............0 0 ............01 32 bit 32 bit hash function h(m‘) h(m‘‘) ... c‘0 .........c‘159 c‘‘0............c‘‘159 hash values 160 bit 160 bit cutting ... c‘‘0 c‘‘8 ... c‘‘152 c‘0 c‘8 ..... c‘152 20 bit 20 bit concatenate
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Preparation of Input m‘=0 m‘‘=1 ... counter 0 .............0 0 ............01 32 bit 32 bit hash function h(m‘) h(m‘‘) ... c‘0 .........c‘159 c‘‘0............c‘‘159 hash values 160 bit 160 bit cutting ... c‘‘0 c‘‘8 ... c‘‘152 c‘0 c‘8 ..... c‘152 20 bit 20 bit concatenate input stream b0 b1...................b19b20 ...................
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Construction of Overlapping Tuples input stream b0b1................................bn+t-1 ... V0 b0 .....bt-1 b1 .......bt V1 . . . overlapping vectors with dimension t bi ....bi+t-1 Vi . . . Vn bn ...bn+t-1
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Test Setup counter hash function bit stream
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Test Setup counter hash function bit stream Load Test Gambling Test Level One Statistic (χ2) p-values Level One Statistic (χ2) Level Two Statistic (KS) KS plot Level Two Statistic (KS)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 SHA-1 and RIPEMD-160 • hash value: 160 bit • published: • SHA-1: FIPS 180 • RIPEMD-160: ISO/IEC 10118-3:2003 • considered to be secure until 2005 (Austrian Signature Regulations)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Visualization: Load Test • Level One • p-values (upper-tail) of chi-square statistic • 16 repetitions • arrange resulting p-values in small rectangles • black color indicates significance at 1% level scale: 1 highly uniform 0 highly non uniform
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Results (p-values) 16 - 8 - 4 - 2 - 1 - SHA-1: RIPEMD-160: dimension sample size (218 – 228) 16 - 8 - 4 - 2 - 1 - dimension sample size (218 – 228)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Results (p-values) 16 - 8 - 4 - 2 - 1 - SHA-1: RIPEMD-160: dimension sample size (218 – 228) 16 - 8 - 4 - 2 - 1 - dimension sample size (218 – 228)
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 scale: 0 > 1.57 4 Visualization: Load Test • Level Two • KS-values of two-sided Kolmogorov-Smirnov test • arrange resulting KS-values in a bar diagram • red color indicates KS-value under 1% level
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Results (Kolmogorov-Smirnov values) SHA-1: RIPEMD-160:
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Results: Gambling Test • sample size in {222,...,228} • dimension t in {32,64,128,256} • 16 repetitions of Gambling Test • p-values (upper-tail) of KS Statistic at level two
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Results: Gambling Test SHA-1 RIPEMD-160
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Summary and Conclusion • tests did not find any systematic defects • even highly correlated input results in uncorrelated hash values • all examined probabilities were on target • work in progress: • study influence of other simple structures in plaintexts (patterns and motives) and optimize testing strategy • increase power of test w.r.t. detection of increased collision probability
Sabine Wurmhöringer: Statistical Evidence for the Cryptographic Hashfunctions SHA-1 and RIPEMD-160 Links and References • S. Wegenkittl. Monkeys, gambling, and return times: Assessing pseudorandomness. Proceedings of the 1999 Winter Simulation Conference, pages 625–631, Piscataway, N.J., 1999. IEEE Press. • P. Hellekalek and S. Wegenkittl. Empirical evidence concerning AES. ACM Trans. Model. Comput. Simul., 13(4):322–333, 2003. • S. Wegenkittl. The pLab picturebook: Load tests and ultimate load tests, part I. Report no. 1, pLab – reports, University of Salzburg, 1997. • H. Leeb and S. Wegenkittl. Inversive and linear congruential pseudorandom number generators in empirical tests. ACM Transactions on Modeling and Computer Simulation, 7(2):272–286, 1997. • S. Wegenkittl. Gambling tests for pseudorandom number generators. Mathematics and Computers in Simulation, 55(1–3):281–288, 2001. • B. Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C. Wiley and Sons, New York, second edition, 1996. • S. Wurmhöringer. Statistische Analyse der Hashfunktionen die gemäß der österreichischen Signaturverordnung empfohlen werden. Master Thesis at the Salzburg University of Applied Science and Technology, 2004.