570 likes | 656 Views
Ashok V Karunakaran Department of Computer Science Rochester Institute of Technology Committee Chair: Prof. Stanislaw Radziszowski. Reader: Prof. Peter Bajorski. Observer: Prof. Christopher Homan. STATISTICAL AND PERFORMANCE ANALYSIS OF SHA-3 HASH CANDIDATES. Project Abstract.
E N D
Ashok V Karunakaran Department of Computer Science Rochester Institute of Technology Committee Chair: Prof. Stanislaw Radziszowski. Reader: Prof. Peter Bajorski. Observer: Prof. Christopher Homan. STATISTICAL AND PERFORMANCE ANALYSIS OF SHA-3 HASH CANDIDATES
Project Abstract • Randomness - A good hash function should behave as close to a random function as possible. Statistical tests help in determining the randomness of a hash function and NIST has provided a series of tests in a statistical test suite for this purpose. This tool has been used to analyze the randomness of the final five hash functions. • Performance - It is the second most important factor in determining a good hash function. Performance of the all the fourteen Round 2 candidates was measured using Java as the programming language on Sun platform machines for small sized messages. • Security - Security is the most important criteria when it comes to hash functions. Grøstl is one of the final five candidates and its architecture, design and security features have been studied in detail. Some of the successful attacks on reduced versions have also been explained. Also, the lesser known candidates, Fugue and ECHO, from Round 2 have been studied.
Hash function • Input: String of arbitrary size. • Output: Predetermined fixed size string.
Hash function requirements • Pre-image, second pre-image and collision resistant. • Collisions – When we find x and y such that h(x) = h(y). • Birthday paradox – Gives lower bound on collision attack • q ≈ 1.17√m for ε= ½ (m = 365, q = 23). • Birthday bound for a m-bit message is 2m/2.
The need for a new hash function • Most commonly used hash functions are broken • Collisions in MD5 and SHA-0. • Security flaws in SHA-1. • Increasing hardware power and parallelization capabilities.
SHA-3 Competition • Organized by NIST. • Started on Nov. 2, 2007. • Received 64 entries. • 51 met minimum requirements. • Round 1 • First candidate conference at KU Leuven, Belgium on Feb 25-28, 2009. • 14 candidates on July 24, 2009.
Round 2 and 3 • Round 2 • Second candidate conference at Santa Barbara, CA on August, 23-24, 2010. • 5 candidates on Dec. 9, 2010. • Round 3/ Final Round • Final conference in Spring 2012. • Select a winner later in 2012.
Round 2 and 3 Candidates • BLAKE • BMW • CubeHash • ECHO • Fugue • Grøstl • Hamsi • JH • Keccak • Luffa • Shabal • SHAvite-3 • SIMD • Skein
Randomness and Statistics • Hash function should behave indistinguishably from a random function. • Avoid finding patterns, which lead to collisions. • Statistical randomness tests to determine hash function randomness. • Pseudo-randomness is sufficient.
Statistical Tests • Motivation: Decide whether a particular statement or claim is correct. • Null hypothesis: The output of a hash function is random, irrespective of the input. • Alternative hypothesis: The output is not random. • Test statistic: Computed from sample data. Helps in deciding whether to reject/accept the null hypothesis.
NIST Test Suite • Statistical test suite for random and pseudo-random number generators for cryptographic applications. • Helpful in detecting deviations of a binary sequence from randomness. • Total of 15 tests. • Ex., Frequency Test, Longest runs of ones in a block.
P-value and Significance level • P-value is calculated from the test statistic. • The probability that a perfect random number generator would have produced a sequence less random than the sequence that was tested. • P-value = 1implies perfect randomness. • P-value = 0 implies complete non-randomness.
P-value and Significance level (cont.) • Significance level (α) denotes the probability of Type 1 error. • False positive, occurs when a statistical test rejects a true null hypothesis. • If P-value ≥ α then the null hypothesis is accepted. • Meaning, the sequence appears to be random. • If P-value < α then the null hypothesis is rejected.
P-value and Significance level (cont.) • For the project, • α = 0.01 • One would expect 1 sequence in 100 sequences to be rejected. • P-value ≥ 0.01 indicates that the sequence would be considered random with a confidence of 99%. • P-value < 0.01 indicates that the sequence is considered non-random with a confidence of 99%.
Frequency Test • Tests the proportion of zeros and ones in the sequence. • For a random sequence, the proportion should be the same. • Test Description: • Convert bits to -1 or +1 and then add. Sn = X1 + X2 + … + Xn. For ex., if ε = 1011010101, then n =10 andSn = 2.
Frequency Test (cont.) • Compute the test statistic, Sobs = Mod( Sn) ⁄ √n. Sobs = 2 ⁄ √10 = .63245 • Compute P-value = erfc(Sobs ⁄ √2). P-value = erfc(.63245⁄ √2) = 0.527089. • Decision: P-value > 0.01, so accept sequence as random.
Longest Runs of one in a block • Tests the longest run of ones within M-bit blocks. • It should be similar to what is expected of a random sequence. • Test Description: • Input: 11001100000101010110110001001100111000000000001001001101010100010001001111010110100000001101011111001100111001101101100010110010. • Input length n: 128 bits. • Divide the input into M-bit blocks. M = 8.
Longest Runs of one in a block (cont.) • Longest run of ones in each subblock is noted • Calculate the frequencies of the longest run ν0 = 4; ν1 = 9; ν2 = 3; ν4 = 0. • Compute X2(obs), it is ameasure of how well the observed longest run length matches the expected longest length within M-bit blocks.
Longest Runs of one in a block (cont.) • X2(obs) = • Values of N and K are based on M. If M = 8, K=3 and N=16. • X2(obs) = 4.882457. • Calculate P-value = P –value = 0.180598 • Decision: P-value > 0.01, so accept sequence as random.
Inputs for the experiment • Numbers – Hash of numbers 0-3999. • Tests require length of at least 106 bits. • For 256 bit output, 256 x 4000 = 1,024,000 bits. • KAT Inputs – 2048 hexadecimal inputs from the official candidate documentation.
Inputs for the experiment (cont.) • From file – The NIST document on the statistical test suite. • Every 10Kb – Each input block has 10Kb. The first input is the first 10Kb, second input skips first m=1Kb and takes next n=10Kb. • Every 100Kb – Each input block has 100Kb. In this case, every 100 bytes are skipped before the next input block. • Ensures there is some over-lapping and non-overlapping in the data blocks.
Results and Conclusions • 0.0 P-values don’t indicate failed tests but inapplicable tests for input. • All hash functions are random. • Failed results are outliers rather than the norm. • Aren’t enough to classify as non-random. • Areas of failed tests can be explored further.
Performance • Second most important criteria. • Most of the work has been done with C as the programming language. • The following combination has not been studied comprehensively before • Language – Java • Platform – Sun • Messages size – Small
Specification • Machine – Sun Microsystems Ultra 20. • Config – AMD 2.2GHz processor. • OS – OS5.10 or Solaris 10. • Small messages – size < 8192 bytes. • Java code – Sphlib, hash function implementations in C and Java.
Performance and Message length • Most of them claim performance is better than SHA-2. • Interesting to see how it is affected by message length. • For final five candidates, 16-byte and 4096-byte inputs were hashed.
Performance and Message length (cont.) • Rate of hashing • Keccak-256 > SHA-256. • Grøstl-512 > SHA-512.
Performance and Block size • For JH, the performance remains the same for 256 and 512 version. • Only one large internal state of 1024 bits. • For BLAKE and Keccak, the performance difference is almost twice. • The 256 version has block size of 512 whereas the 512 version has block size of 1024.
Hardware vs Software implementation • Visualizing area-time tradeoffs for SHA-3 has hardware implementation of the candidates.
Hardware vs Software implementation (cont.) • Among the final five candidates • Grøstl remains last in both implementations. • Keccak has the biggest difference in terms of position. • JH and BLAKE swap positions with BLAKE performing better in software. • Skein is the only one to perform reasonably well in both.
Security of Grøstl • One of the final five candidates. • Developed at the University of Denmark. • What makes Grøstl interesting? • Does not use block cipher components like SHA family. • Based on few individual permutations. • Borrows components from AES like the S-box.
Hash Function Construction • Message M is padded and split into l bit message blocks. • If H(x) <= 256, l = 512else l = 1024. • The compression function f is as follows: • hi← f (hi-1, mi) for i = 1 to t. • Initial value of h, h0 = iv is predefined. • The final value of h, htis passed to the output transformation function • H(M) = Ω(ht)
Compression Function • Based on two permutations P and Q. • Defined as • f(h, m) = P(h ⊕ m) ⊕ Q(m) ⊕ h • Design of P and Q • Inspired from Rijndael. • Consists of r rounds, which consists of a number of round transformations.
Design of P and Q (cont.) • The four round transformations • AddRoundConstant • SubBytes • ShiftBytes • MixBytes • One round consists of the above transformations in the following order • R = MixBytes ◦ ShiftBytes ◦ SubBytes◦ AddRoundConstant.
Byte Sequence to State Matrix • Mapping is done in a similar way to Rijndael. • The 64-byte sequence 00 01 02 … 3f is mapped to a 8x8 matrix
AddRoundConstant • Adds a round dependent constant to the matrix. • Transformation in round i is defined as A ← A ⊕ C[i]
SubBytes • Each byte in the matrix is substituted with a corresponding value from the S-box. • S-box is same as the one used in Rijndael. • The transformation is as follows ai,j ← S(ai,j), 0 ≤ i < 8, 0 ≤ j < v. ai,j is the element in row i and column j.
ShiftBytes • Shifts the bytes within a row to the left by a number of positions. • In round i, all bytes in row i are shifted σ positions to the left. σ = [0, 1, 2, 3, 4, 5, 6, 7]
MixBytes • Each column in the matrix is multiplied by a constant 8x8 matrix. • The transformation is defined as A ← B × A.
Output Transformation • Defined as • Ω(x) = truncn (P(x) ⊕ x) • truncn (x) discards all but the trailing n bits of x. • n is the length of the message digest.
Cryptanalysis Differential Cryptanalysis • There are at least 92 active S-boxes in a 4 round differential trail. • MixBytes ensures branch number is 9. Meaning, a difference of k >0 bytes of a column will result in a difference of at least 9-k bytes after one mix bytes operation. • ShiftBytes moves bytes in one column to 8 different columns. • Maximum distance propagation probability of S-box = 2-6.
Cryptanalysis (cont.) • Linear Cryptanalysis • Propagates similar to differential trail. • Max distance propagation of S-box = 2-3. • Integrals • Sets of plaintexts are chosen with one part held constant and other part varies through all possibilities. • For ex., an attack may chose 256 plaintexts that have all but 8 of their bits the same, but all differ in those 8 bits. • Has an XOR sum of 0. • XOR sums of corresponding ciphertexts provide information about the cipher’s operation.
Integrals (cont.) • Similar to integrals on AES. • Grøstl- 256 • 2120 texts for 6 and 7 rounds. • The texts are balanced in every byte of input and output. • Grøstl-512 • 2704 for 8 and 9 rounds. • For 8 rounds, the texts are balanced in every byte of input and output. • For 9 rounds, every byte of input and every bit of output is balanced. • Conclusion: Integrals cannot expose non-random behavior in Grøstl.