www.i.cz

Your Security in the IT Market

Hash Function Design:

Overview of the basic components in SHA-3 competition

Daniel Joščák, S.ICZ a.s. & MFF UK, 07/05/2009, SPI Brno


Hash functions in cryptology

►Key component of many protocols
● Electronic signature
● Integrity check
● One-way function
● …

►Fingerprints or message digests


Good hash function must be

►Collision resistant: it is hard to find two distinct inputs m1 and m2, s.t. H(m1) = H(m2).

►1st preimage resistant: given h, it is hard to find any m s.t. h = H(m).

►2nd preimage resistant: given m1, it is hard to find m2 ≠ m1 s.t. H(m1) = H(m2).

►Efficient (speed matters)


Why to build them?

►Weaknesses in old widespread hash functions
● MD2, MD4, MD5, SHA-1

►Real collision-producing algorithms for the former functions
● Wang et al. 04
● Klíma 05
● Rechberger et al. 06
● Stevens 05 and 06 (new target collisions)


Need for a new function: new candidates for SHA-3

►“only” SHA-2 functions are fine
►SHA-3 competition organized by NIST
● deadline 31 Oct 2008
● 51 submissions


Areas for research and improvements

1. Mode of use for compression function

2. Compression function itself


Improvements of Merkle-Damgård construction

[Figure: Merkle-Damgård construction. IV → f(M1) → f(M2) → … → f(ML||pad) → output; the same compression function f is chained over the message blocks, the last block carrying the padding.]


HAIFA, wide pipes, output transformation

[Figure: the chain of f calls from IV over M1, M2, …, Ml||pad, where each call of f additionally takes a counter and a salt (HAIFA), the chaining value is wider than the output (wide pipe), and a final output transformation produces the digest.]

►Examples: ARIRANG, BMW, Cheetah, Chi, ECHO, Edon-R, Crunch, ECOH, Grøstl, JH, Keccak, Lux, Lane, Luffa, Skein, MD6, SIMD, Vortex…


Tree structure

[Figure: tree hashing. Message blocks M1, M2, M3, M4, M5, M6, M7, …, Mn are compressed pairwise by f at the leaves, the results are compressed pairwise again on the next level, and so on up to a single root f call.]

►Example: MD6


Sponge structure

►Absorbing
● Initialize state
● XOR some of the message to the state
● Apply compression function
● XOR some more of the message into the state
● Apply compression function
● …

►Squeezing
● Apply compression function
● Extract some output
● Apply compression function
● Extract some output
● Apply compression function
● …

►Examples: Keccak, Luffa.


Improvements of compression function

[Figure: message block M goes through a message expansion into words W; the register R is initialized from IV and updated step by step.]

Ri = F(Wi, Ri-1, Ri-2, Ri-3, Ri-4)


One step of compression function

[Figure: one step of the MD5, SHA-1 and SHA-2 compression functions.]


Feedback Shift Register

►Pros: efficiency in HW, known theory from stream ciphers, easy to implement

►Cons: SW implementation, stream cipher weaknesses

►Examples: MD6, Shabal, Essence, NaSHA

[Figure: feedback shift register with feedback function f.]


Feistel Network

►Pros: block cipher theory, easy to implement

►Cons: cannot be generalized

►Examples: ARIRANG, BLAKE, Chi, CRUNCH, DynamicSHA2, JH, Lesamnta, Sarmal, SIMD, Skein, TIB3

[Figure: Feistel network. (L0, R0) → round function F with Konst 1 → (L1, R1) → F with Konst 2 → …]


S-boxes

►Pros: theory from block ciphers, speed in HW

►Cons: often implemented as look-up tables - side channel attacks

►Examples: Cheetah, Chi, CRUNCH, ECHO, ECOH, Grøstl, Hamsi, JH, Khichidy, LANE, Lesamnta, Luffa, Lux, SANDstorm, Sarmal, SHAvite-3, SWIFFTX, TIB3. (33 out of 51 candidates use S-boxes)

[Figure: S-box as a bit-string lookup table.]


MDS matrices

►Pros: mathematical background and proven diffusion properties

►Cons: memory requirements

►Examples: ARIRANG, Cheetah, ECHO, Fugue, Grøstl, JH, LANE, Lux, Sarmal, Vortex.

[Figure: an MDS matrix multiplied by the input vector x.]


Where to look at candidates:

►NIST webpage: http://csrc.nist.gov/groups/ST/hash/sha-3/index.html

►Hash ZOO http://ehash.iaik.tugraz.at/index.php?title=The_SHA-3_Zoo&oldid=3106

►Ebash http://bench.cr.yp.to/results-hash.html

►Classification of the SHA-3 Candidates, Cryptology ePrint Archive: Report 511/2008, http://eprint.iacr.org/


Conclusion

►Do not use MD5, MD4, MD2
►SHA-1 is not recommended after 2009
►Use SHA-2 instead (no weaknesses), or
►SHA-3 standard is coming in 2-3 years
►Cryptanalysis of current submissions is expected
►Second round candidates coming soon (June-August 2009, 15(?) algorithms)


Thank you for your attention.

Daniel Joščák
daniel.joscak@i.cz
+420 724 429 248

S.ICZ a.s., www.i.cz

MFF UK, Dept. of Algebra