Your Security in the IT Market Hash Function Design: Overview of the basic components in SHA-3 competition Daniel Joščák, S.ICZ a.s. & MFF UK

www.i.cz

Your Security in the IT Market

Hash Function Design:

Overview of the basic components in SHA-3 competition

Daniel Joščák, S.ICZ a.s. & MFF UK07/05/2009, SPI Brno

www.i.cz


Hash functions in cryptology

►Key component of many protocols● Electronic signature● Integrity check● One-way function● …

►Fingerprints or message digests

www.i.cz


Good hash ftion must be

►Collision resistant: it is hard to find two distinct inputs m1 and m2, s.t. H(m1) = H(m2).

►1st preimage resistant: given h, it is hard to find any m s.t. h = H(m).

►2nd preimage resistant: given m1, it is hard to find m2≠ m1 s.t. H(m1) = H(m2)

►Efficient (speed matters)

www.i.cz


Why to build them?

►Weaknesses in old wide spread h. f.● MD2, MD4, MD5, SHA 1

►Real collisions producing algorithms● Wang et al. 04● Klíma 05 ● Rechberger et al. 06● Stevens 05 and 06 (new target collisions)‘former

functions

www.i.cz


Need for a new function

new candidates for SHA-3

►“only” SHA 2 functions are fine ►SHA3 competition organized by NIST

● deadline 31. oct. 2008● 51 submissions

www.i.cz


Areas for research and improvements

1. Mode of use for compression function

2. Compression function itself

www.i.cz


Improvements of Merkle-Damgård construction

M1 M2

IV f f

ML||pad

f

www.i.cz


HAIFA, wide pipes, output transformation

M1 M2

IV f

Ml||pad

ff

ctr, salt

outwide pipe

ctr, salt ctr, salt

►Examples: ARIRANG, BMW, Cheetah,Chi, Echo, Edon-R, Crunch, ECHO, ECOH, Grostl, JH, Keccak, Lux, Lane, Luffa, Lux, Skein, MD6, SIMD, Vortex…

www.i.cz


Tree structure

f

M1 M2 M3 M4 M5 M6 M7 Mn

f f

f f

f

►Example: MD6

www.i.cz


Sponge structure

►Absorbing● Initialize state● XOR some of the message to the state● Apply compression function● XOR some more of the message into the state● Apply compression function…

►Squeezing ● Apply compression function● Extract some output● Apply compression function● Extract some output● Apply compression function …

►Examples: Keccak, Luffa.

www.i.cz


Improvements of Compression function

M W

IV

R

Message expansion

Ri = F(Wi , Ri-1, Ri-2, Ri-3, Ri-4,)

www.i.cz


One step of compr. ftion

‘MD5 ‘SHA-1 ‘SHA-2

www.i.cz


Feedback Shift Register

►Pros: efficiency in HW, known theory from stream ciphers, easy to implement

►Cons: SW implementation, stream cipher weaknesses

►Examples: MD6, Shabal, Essence, NaSHA

f

www.i.cz


Feistel Network

►Pros: block cipher theory, easy to implement

►Cons: can not be generalized►Examples: ARIRANG, BLAKE, Chi,

CRUNCH, DynamicSHA2, JH, Lesamnta, Sarmal, SIMD, Skein, TIB3

L0 R0

F

L1 R1K

onst 1

F

L1 R1

Konst 2

...

www.i.cz


S-boxes

►Pros: theory from block ciphers, speed in HW ►Cons: often implemented as look-up tables -

side channel attacks ►Examples: Cheetah, Chi, CRUNCH, ECHO, ECOH,

Grostl, Hamsi, JH, Khichidy, LANE, Lesamnta, Luffa, Lux, SANDstorm, Sarmal, SHAvite-3, SWIFFTX, TIB3. (33 out of 51 candidates uses S-Boxes)

0 10 11 011 10 00

www.i.cz


MDS Matrixes

►Pros: mathematical background and proven diffusion properties

►Cons: memory requirements ►Examples: ARIRANG, Cheetah, ECHO,

Fugue, Grostl, JH, LANE, Lux, Sarmal, Vortex.

MDS matrix

x =

www.i.cz


Where to look at candidates:

►NIST webpage: http://csrc.nist.gov/groups/ST/hash/sha-3/index.html

►Hash ZOO http://ehash.iaik.tugraz.at/index.php?title=The_SHA-3_Zoo&oldid=3106

►Ebash http://bench.cr.yp.to/results-hash.html

►Classification of the SHA-3 Candidates Cryptology ePrint Archive: Report 511/2008, http://eprint.iacr.org/

www.i.cz


Conclusion

►Do not use MD5, MD4, MD2 ►SHA-1 is not recommended after 2009►Use SHA-2 instead (no weaknesses) or►SHA-3 standard is coming in 2-3 years►Cryptanalysis of current submissions is

expected►Second round candidates coming soon

(june-august 2009, 15(?) algorithms)

www.i.cz


Thank you for your attention.

Daniel Joščá[email protected]+420 724 429 248

S.ICZ a.s.www.i.cz

MFF UK, Dept. of Algebra

Documents

Your Security in the IT Market Hash Function Design: Overview of the basic components in SHA-3 competition Daniel Joščák, S.ICZ a.s. & MFF UK