1 © Information Security Group, ICU
Hash FunctionHash Function
2 © Information Security Group, ICU
Contents
Hash FunctionsDedicated Hash Functions
Useful for lightweight authentication in RFID system
Message Authentication CodesCBC-MACNested MAC
Collusion Search Attacks
3 © Information Security Group, ICU
Hash function
Compress a binary string with an arbitrary
length into a fixed short message Used for digital signature, integrity, authentication, etc.
h()
{0,1}d
{0,1}r
hash, hash code/value/result message digest,checksum,MIC,authentication tag, seal,compressiondigital fingerprint, imprint
d > r
4 © Information Security Group, ICU
Configuration
original input, x
append padding bits
append length block
compression ft, f
f
g
formatted input x=x1,x2,…,xt
H0=IVHi-1
xi
Hi
hash function, h
output h(x)=g(Ht)
Ht
preprocessing
iterative processing
g : output transformation mapping, e.g., identity mapping
5 © Information Security Group, ICU
Requirements
CompressionOne-wayness
Preimage resistance: Given y, it is computationally infeasible to compute x with y=h(x)
Second Preimage resistance: Given x and h(x), it is computationally infeasible to compute x’ with h(x)=h(x’)
Collision-free (Prevent internal misuse): It is computational infeasible to find a pair (x, x’), x x’ s
atisfying h(x)=h(x’).
EfficiencyEasy to compute h(x) for a given x.
6 © Information Security Group, ICU
Relationship
Collision resistance (which means collusion can’t be efficiently solved) implies 2nd-preimage resistance
Collision resistance does not guarantee preimage resistanceLet g be a collision resistance hash function to n-bit ou
tputh= 1 || x, if x has bitlength nh= 0 || g(x), otherwiseh is collision resistant with n+1 bit hashnot preimage resistant to find an image easily
7 © Information Security Group, ICU
Classification (I)
Keyed hash : MAC (Message Authentication Code)
Unkeyed hash : MDC (Manipulation Detection Code)OWHF(One Way Hash Function)CFHF(Collision-Free Hash Function)
8 © Information Security Group, ICU
Classification (II)
MDCDedicated Hash Functions (MD class, SHS, HAVAL)Block Cipher-Based (MDC-2, MDC-4)Modular Arithmetic: MASH-1, MASH-2
MACBlock Cipher-Based (DES-CBC MAC)Hash Function-Based(HMAC)
9 © Information Security Group, ICU
Random Oracle Model (ROM)
Model for ideal hash functionH() behave like a random function
If H() is fixed, invalid assumptionWhenever H() is used, we call oracle for the random
function (black box containing random ft.)Good for screening insecure solutionsSecurity under ROM implies to many (not all !)
attackNot a complete proof of security, but a good
argument / evidence of security : vs. standard model
10 © Information Security Group, ICU
MAC forgery
Universal forgery : Adversary can find the equivalent algorithm as MAC function
Selective forgery : Adversary can create a pair of new text-MAC.
Existential forgery : Even if adversary can’t adjust the value of text, he can create a pair of new text-MAC.
11 © Information Security Group, ICU
Probability that 2 persons have the same birthday among r persons : pr
(Assumption) each birthday is independent and uniform in the range 1 to m.
pr=1-(m)r/mr =1- m!/mr(m-r)!
e-r2/(2m)
where, (m)r = m(m-1)…(m-r+1) If r= m, pr 0.5 e.g., m=365, r=23, pr>0.5 n-bit hash function will collide with probability 0.5 aft
er (2n) times operation
Birthday Paradox
12 © Information Security Group, ICU
Design CriteriaAll input value must affect to compute the hashed
value.
(Ex) Crytanalysis of Snefru No trapdoorThe length of hashed value must be greater than
128 bit guarantee breaking complexity 264 by brute force attack. 1 month with 10M $ machine in ‘94 Expected cost today : less than 100,000$
Maximum error propagation from input to output.
13 © Information Security Group, ICU
Merkle-Damgard Construction Extend Compression ft to Hash ft so that the
resulting hash ft to be collusion resistant if compression does.
H0=IV, Hi=f(Hi-1,xi), 1it, h(x)=Ht
f ffH0
x1 x2 xtpadding
hashed code
f : h’s primitive hash function (a compression function)Hi : connection variable from i-1 to I
14 © Information Security Group, ICU
Hash ft (MDC) by block cipher
Matyas-Meyer-Oseas Davies-Meyer Miyaguchi-Preneel
Eg
Hi
Hi-1
xi
H0=IVHi=Eg(Hi-1)(xi ) xi
E
Hi
xi
Hi-1
H0=IVHi=Ex
i(Hi-1 ) Hi-1
EgHi-1
xi
Hi
H0=IVHi=Eg(Hi-1)(xi ) xi Hi-1
15 © Information Security Group, ICU
Comparison
Yield m-bit hash using n-bit block cipher with k-bit keyAll of them are secure assuming a block cipher
satisfies required randomness properties
Hash Function (n,k,m) Rate (k/m)Matyas-Meyer-Oseas (n,k,n) 1
Davis-Meyer (n,k,n) k/nMiyaguchi-Preneel (n,k,n) 1
MDC-2 (w/DES) (64,56,128) ½
MDC-4(w/DES) (64,56,128) 1/4
16 © Information Security Group, ICU
Hash by modular operation
MASH: Modular Arithmetic Secure Hash algorithm
Weakness: Efficiency (and Insecurity)
Quadratic CongruentialHi = (xi + Hi-1)2 mod N, H0=0
where N=Mersenne prime 231-1
Hi = (xi Hi-1)2 mod N xi
Hi = (xi Hi-1)e mod N
17 © Information Security Group, ICU
Dedicated Hash FunctionsDedicated Hash Functions
18 © Information Security Group, ICU
Round 1 in MD4
1. A=(A+f(B,C,D)+X[0])<<<3
2. D=(D+f(A,B,C)+X[1])<<<7
3. C=(C+f(D,A,B)+X[2])<<<11
4. B=(B+f(C,D,A)+X[3])<<<19
5. A=(A+f(B,C,D)+X[5])<<< 3
.
.
16. B=(B+f(C,D,A)+X[15])<<<19
where, f(X,Y,Z) = (X Y) ((X) Z) , : OR, : AND,
:complement, <<<s : circular left rotate by s
19 © Information Security Group, ICU
MD4(I)
Preprocessing a message, x
1. Padding: d =(447 -|x|) mod 512
2. Length of a message: n= |x| mod 264,|n|=64 bit
3. M = x ||1||0d||n multiple of 512
where || denotes concatenation
* little-endian : W=224B4+216B3+28B2+B1
(B1: lowest address)
20 © Information Security Group, ICU
MD4(II)
Message Block
Round
1
ABCD
ABCD
Round
2Round
3
21 © Information Security Group, ICU
MD4(III)
1. Preprocess: M is 512 * N bits (512 bits=16 words)
2. Define 32 bits constants: A=67452301h, B=efcdab89h, C=98badcfeh, D=10325476h
3. for i=0 to N/16 -1 do (N mod 16=0)
3-1 for j=0 to 15 do X[j] =M[16i+j] (M[i] : 32 bit string)
3-2 AA=A, BB=B, CC=C, DD=D
3-3 Round 1(for j=0..15), Round 2(for j=16..31),
Round 3(j=32..47)
3-4 A=A+AA, B=B+BB, C=C+CC, D=D+DD
where + is modular addition over 232.
4. output A||B||C||D||
22 © Information Security Group, ICU
MD5(I)
Add 4-th rounds (16 steps)Change g function in 2 round from symmetric ft
(XY) v (XZ) v (YZ) to non-symmetric ft (XZ) v (Y(Z))
Modify the access order for message words in Rounds 2 and 3
Modify the shift amountsUse unique constants in each of the 416 stepsEach step is added to the output of a previous step
to achieve avalanche effect as earlier as possible.
23 © Information Security Group, ICU
MD5(II)
Round
2
ABCD
ABCD
Message Block
Round
1
Round
3
Round
4
24 © Information Security Group, ICU
MD5’s primitive ft
a
b
c
d
nonlinearoperation
<<<s
Mj
ti
FF(a,b,c,d,Mj,ti,s)
25 © Information Security Group, ICU
SHA-1(I)
nonlinearoperation
FF(a,b,c,d,Mj,ti,s)
ai-1
bi-1
ci-1
di-1
ei-1
<<<30
ai
bi
ci
di
ei
W t Kt
<<<5
26 © Information Security Group, ICU
SHA-1(II)
160 bit hashed value (5 words), Big-endian 4 round hash, each round has 20 step Change internal primitive ft and constants
(B C) v ((B) D) 0 ≤ t ≤19
Ft(B,C,D) = B C D 20 ≤t ≤39
(B C) v ((B) D) 40 ≤t ≤59
B C D 60 ≤t ≤79
Secure Hash Standard(SHS), FIPS Pub 180-1, 1995.
For details, refer to p.138 of your textbook
27 © Information Security Group, ICU
Performance
Algorithm Length Speed (Kb/s)
Davies-Meyer with DESHAVAL (3 pass)HAVAL (4 pass)HAVAL (5 pass)MD2MD4MD5N-Hash(12 round)N-Hash(15 round)RIPEMDSHA-1
64variablevariablevariable128128128128128128160
91681189523
2361742924
18275
486SX(33MHZ)
28 © Information Security Group, ICU
HMAC
Nested MAC algorithm from the composition of two (keyed) hash family
The Keyed-Hash Message Authentication Code (HMAC), FIPS Pub 198, 2002
HMACk(x) = SHA-1[(K opad) || SHA-1((K ipad) || x)]
where ipad = 3636 …. 36, opad = 5C5C … 5C
K : 512 bit key
x: message to be authenticated Secure against unknown-key collusion attack
29 © Information Security Group, ICU
Dedicated Hash Functions
SHS: Secure Hash Standard RIPE: Race Integrity Primitive Evaluation
Name Designer Year Bit Characteristics Security
MD4Rivest
(US)1990 128
- 32 bit Op., 3 R
- Boolean ft of deg 4
Collision(‘95)
(220 Oper)
MD5Rivest
(US)1991 128
- Modified MD4
- 4 rounds
Primitive Ft
Collision(’96)
SHA-1 NIST 1993 160- Modified MD4
- Federal StandardCollusion
Search(‘05)
HAVALSeberry et. al
(Australia)1992
Var.(128~256)
- Exp. of MD5(3,4,5R)
- Boolean ft of deg 7
Collusion Search of HAVAL-128(‘05)
RIPEMD-160
RIPE
(Europe)1997 160
- Modified MD4
- Indep. 2 ftCollusion
Search(‘05)
HAS-160 KISA(Korea) 1998 160 -
30 © Information Security Group, ICU
Collusion Search AttackCollusion Search Attack
31 © Information Security Group, ICU
Previous Work on SHA-0/1
Chaubaud and Joux [Cr98]SHA-0, 261, local collision and disturbance vector
Biham and Chen [Cr04]Near collision attack on SHA-0, 240
Biham, Joux and Chen [Cr04 rump, EC05]First real collision on SHA-0 (4 message blocks) foun
dCollision attack on SHA-1 reduces to 50+ steps
Rijmen and Osward [RSA-CT05]Collision attack on SHA-1 reduces to 53 steps.
32 © Information Security Group, ICU
Publications
X. Wang, Y.L. Yin and H.Yu, “Finding Collusions in the Full SHA-1”, Proc. of Crypto2005, pp.17-36, LNCS3621
X. Wang, H.Yu and Y.L. Yin, “Efficient Collusions Search Attacks on SHA-0”, Proc. of Crypto2005, pp.1-16, LNCS3621
X.Y.Wang, D.G.Feng, X.J.Lai and H.B. Yu, “Collusions for hash Functions MD4, MD5, HAVAL-128 and RIPEND”, IACR eprint, 2004/199 and Crypto2005 Rump Session
33 © Information Security Group, ICU
Flow of Collusion Search
1. Find disturbance vector with low Hamming weights (difference for subtractions mod 232)
2. Construct differential paths by specifying conditions so that the differential path will occur with high probabilities.
3. Generate a message randomly, modify it using message modification techniques, and find a collusion
34 © Information Security Group, ICU
Summary
Complexity of best known attack of MD4 : 26, MD5 : 233, SHA-0: 239, SHA-1: 269
More complex message preprocessing can provide more security But SHA-1, message expansion does not seem to have enough
avalanche effect All step functions have unexpected weakness Addition and Boolean function can faciliate the attack
More analysis is needed for SHA-256, -384, -512 which was defined in Secure Hash Standard (SHS), FIPS 180-2, 2002, Aug
35 © Information Security Group, ICU
Example and HW
Message collusion of 58 steps SHA-1
Verification: DIY !!