www.i.cz
Your Security in the IT Market
Hash Function Design:
Overview of the basic components in SHA-3 competition
Daniel Joščák, S.ICZ a.s. & MFF UK, 07/05/2009, SPI Brno
Hash functions in cryptology
►Key component of many protocols
● Electronic signature
● Integrity check
● One-way function
● …
►Fingerprints or message digests
A good hash function must be
►Collision resistant: it is hard to find two distinct inputs m1 and m2 s.t. H(m1) = H(m2).
►1st preimage resistant: given h, it is hard to find any m s.t. h = H(m).
►2nd preimage resistant: given m1, it is hard to find m2 ≠ m1 s.t. H(m1) = H(m2).
►Efficient (speed matters)
Why build new ones?
►Weaknesses in old, widespread hash functions
● MD2, MD4, MD5, SHA-1
►Algorithms that produce real collisions for these former functions
● Wang et al. 04
● Klíma 05
● Rechberger et al. 06
● Stevens 05 and 06 (new: target collisions)
Need for a new function: new candidates for SHA-3
►“only” the SHA-2 functions are fine
►SHA-3 competition organized by NIST
● deadline 31 Oct 2008
● 51 submissions
Areas for research and improvements
1. Mode of use for compression function
2. Compression function itself
Improvements of Merkle-Damgård construction
[Figure: Merkle-Damgård chain: IV and M1 into f, the result and M2 into f, …, ending with the padded last block ML||pad into f]
HAIFA, wide pipes, output transformation
[Figure: the same chain with ctr and salt fed into every call of f, a wide-pipe chaining value, and a final output transformation "out" after the last block Ml||pad]
►Examples: ARIRANG, BMW, Cheetah, Chi, ECHO, Edon-R, Crunch, ECOH, Grøstl, JH, Keccak, Lux, Lane, Luffa, Skein, MD6, SIMD, Vortex…
Tree structure
[Figure: tree hashing: message blocks M1 M2 M3 M4 M5 M6 M7 … Mn are compressed pairwise by f, and the results are compressed again level by level up to a single root call of f]
►Example: MD6
Sponge structure
►Absorbing
● Initialize state
● XOR some of the message into the state
● Apply compression function
● XOR some more of the message into the state
● Apply compression function…
►Squeezing
● Apply compression function
● Extract some output
● Apply compression function
● Extract some output
● Apply compression function…
►Examples: Keccak, Luffa.
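The absorb/squeeze cycle above, as an added example that is not part of the original slides or of any SHA-3 submission: a byte-level sponge with rate r and capacity c, Keccak-style pad10*1 padding, and a stand-in state permutation (an invertible add/rotate/xor mix, NOT Keccak-f), so only the structure is shown, not a secure hash. The rate/capacity sizes are assumptions chosen to keep the example short.

```python
RATE = 16      # r: bytes of state the message is XORed into and output is read from
CAPACITY = 16  # c: bytes never touched by input or output; generic attacks cost ~2^(8c/2)


def toy_permutation(state: bytes, rounds: int = 8) -> bytearray:
    """Stand-in for the state permutation (NOT Keccak-f): an invertible
    byte-level add/rotate/xor mix, kept bijective so the sponge argument applies."""
    s = bytearray(state)
    n = len(s)
    for r in range(rounds):
        s[0] ^= (r + 1)                                   # round constant breaks symmetry
        for i in range(n):                                # carry additions around the ring
            s[i] = (s[i] + s[(i - 1) % n]) & 0xFF
        for i in range(n):                                # rotate each byte left by 3
            s[i] = ((s[i] << 3) | (s[i] >> 5)) & 0xFF
        for i in range(n):                                # xor with right neighbour
            s[i] ^= s[(i + 1) % n]
    return s


def pad10star1(msg: bytes, rate: int) -> bytes:
    """Keccak-style pad10*1 at byte granularity: append 0x01, zeros up to a
    multiple of the rate, then set the top bit of the last byte (0x81 if one byte)."""
    padded = bytearray(msg) + b"\x01"
    while len(padded) % rate:
        padded.append(0x00)
    padded[-1] |= 0x80
    return bytes(padded)


def sponge(msg: bytes, out_len: int, rate: int = RATE, capacity: int = CAPACITY) -> bytes:
    state = bytearray(rate + capacity)                    # initialise state to zero
    # Absorbing: XOR each r-byte block into the outer part, then permute.
    padded = pad10star1(msg, rate)
    for off in range(0, len(padded), rate):
        for i in range(rate):
            state[i] ^= padded[off + i]
        state = toy_permutation(state)
    # Squeezing: read r bytes of the outer part, permute, repeat until enough output.
    out = bytearray()
    while len(out) < out_len:
        out += state[:rate]
        if len(out) < out_len:
            state = toy_permutation(state)
    return bytes(out[:out_len])


if __name__ == "__main__":
    print(sponge(b"The quick brown fox", 32).hex())
```

Because output is read before each further permutation, a shorter digest is always a prefix of a longer one from the same message; the capacity bytes are what keeps that extra output from revealing the full state.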
Improvements of the compression function
[Figure: message expansion turns the message block M into the words W; starting from IV, the register R is updated step by step]
Ri = F(Wi, Ri-1, Ri-2, Ri-3, Ri-4)
One step of the compression function
[Figure: one step of the MD5, SHA-1 and SHA-2 compression functions]
Feedback Shift Register
►Pros: efficiency in HW, known theory from stream ciphers, easy to implement
►Cons: SW implementation, stream cipher weaknesses
►Examples: MD6, Shabal, Essence, NaSHA
Feistel Network
►Pros: block cipher theory, easy to implement
►Cons: can not be generalized
►Examples: ARIRANG, BLAKE, Chi, CRUNCH, DynamicSHA2, JH, Lesamnta, Sarmal, SIMD, Skein, TIB3
[Figure: Feistel network: (L0, R0) through F with Konst 1 gives (L1, R1), then F with Konst 2, …]
S-boxes
►Pros: theory from block ciphers, speed in HW
►Cons: often implemented as look-up tables - side channel attacks
►Examples: Cheetah, Chi, CRUNCH, ECHO, ECOH, Grøstl, Hamsi, JH, Khichidy, LANE, Lesamnta, Luffa, Lux, SANDstorm, Sarmal, SHAvite-3, SWIFFTX, TIB3 (33 out of 51 candidates use S-boxes)
[Figure: an S-box mapping input bits to output bits]
MDS Matrices
►Pros: mathematical background and proven diffusion properties
►Cons: memory requirements
►Examples: ARIRANG, Cheetah, ECHO, Fugue, Grøstl, JH, LANE, Lux, Sarmal, Vortex
[Figure: an MDS matrix multiplied by the state vector]
Where to look at the candidates:
►NIST webpage: http://csrc.nist.gov/groups/ST/hash/sha-3/index.html
►Hash Zoo: http://ehash.iaik.tugraz.at/index.php?title=The_SHA-3_Zoo&oldid=3106
►eBASH: http://bench.cr.yp.to/results-hash.html
►Classification of the SHA-3 Candidates, Cryptology ePrint Archive: Report 511/2008, http://eprint.iacr.org/
Conclusion
►Do not use MD5, MD4, MD2
►SHA-1 is not recommended after 2009
►Use SHA-2 instead (no weaknesses) or
►SHA-3 standard is coming in 2-3 years
►Cryptanalysis of current submissions is expected
►Second round candidates coming soon (June-August 2009, 15(?) algorithms)
Thank you for your attention.
Daniel Joščák, [email protected], +420 724 429 248
S.ICZ a.s., www.i.cz
MFF UK, Dept. of Algebra