Cryptographic Hashing: Blockcipher-Based Constructions, Revisited - PowerPoint PPT Presentation

Slides: 41
Provided by: tomshr

Transcript and Presenter's Notes

1
Cryptographic Hashing: Blockcipher-Based
Constructions, Revisited
Tom Shrimpton, Portland State University
2
Results from CRYPTO 2004
  • Near-collisions in SHA-0 [Biham]
  • Collisions in SHA-0 [Joux, rump session]
  • Collisions in reduced-round SHA-1 [Biham, rump
    session]
  • Collisions in MD4, MD5, RIPEMD, HAVAL-128
    [Wang et al., rump session]
  • Multicollisions in iterated constructions [Joux]

3
Today
  • What are these objects?
  • What cryptographic properties do we like for them
    to have?
  • How do we build them (particularly, from a
    blockcipher)?
  • What do we currently understand about proofs,
    models, bounds on efficiency, etc.?
  • A call to action!

4
What are cryptographic hash functions?
File → Hash (e.g., md5sum, SHA-1) → Cryptographic Fingerprint
5
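SHA-1 [NIST]
Input: 512-bit blocks M_1, M_2, ..., M_m

for i = 1 to m do
    W_t = t-th word of M_i                                   (0 ≤ t ≤ 15)
    W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) << 1     (16 ≤ t ≤ 79)
    A = H0_{i-1};  B = H1_{i-1};  C = H2_{i-1};  D = H3_{i-1};  E = H4_{i-1}
    for t = 0 to 79 do
        T = (A << 5) + g_t(B, C, D) + E + K_t + W_t
        E = D;  D = C;  C = B >> 2;  B = A;  A = T
    end
    H0_i = A + H0_{i-1};  H1_i = B + H1_{i-1};  H2_i = C + H2_{i-1};
    H3_i = D + H3_{i-1};  H4_i = E + H4_{i-1}
end
return H0_m || H1_m || H2_m || H3_m || H4_m

Output: 160 bits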
6
Today
  ✓ What are these objects?
  • What cryptographic properties do we like for them
    to have?
  • How do we build them (particularly, from a
    blockcipher)?
  • What do we currently understand about proofs,
    models, bounds on efficiency, etc.?
  • A call to action!

7
[Slide: the following terms, scattered among question marks]
  • 2nd-preimage resistance
  • universal one-way hash function
  • weak collision resistance
  • inversion resistance
  • collision-intractable
  • strong hash
  • one-way function
  • strong collision resistance
  • collision resistance
  • target collision resistance
  • preimage resistance
  • collision-free
8
A motivating quote, and a fact
"2nd-preimage resistance: it is computationally
infeasible to find any second-input which has the
same output as any specified input, i.e., given
x, to find a 2nd-preimage x' ≠ x such that h(x) =
h(x')." [MOV]
How are inputs specified?
How is h selected?
Fact: Collision resistance implies 2nd-preimage
resistance of hash functions [MOV]
This fact depends on how you answer the above
questions!
9
A cryptographic property
(quite informal)
1. Preimage resistance: given a hash function
and given a hash output, it is
hard to invert that output
BAD: H(M) = M mod 701
10
Preimage resistance
(intuition, but slightly more formal)
H: K × Strings → {0,1}^n
K: a finite, nonempty set
Strings: set of strings ⊆ {0,1}*
n: the hash length
keyed-SHA1: {0,1}^160 × {0,1}* → {0,1}^160
SHA1 is one particular function from this family
[Diagram: H_K maps M in Strings to Y in {0,1}^n. The arrow from Y back to an M is labelled "This direction is hard for any reasonable adversary". Other label: {0,1}^m.]
11
Preimage resistance: a definition
(formal)
[Formula; annotations on the slide:]
  • name of game
  • probabilistic game:
      - random key
      - random domain pt
      - hash the domain pt
      - A runs, returns domain pt
  • event: did A win (find preimage)?
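The game annotated on this slide, written out as an added example (not from the original slides): a random key, a random domain point, hash it, run A, check whether A returned a preimage. It is run against the slide's BAD hash H(M) = M mod 701 and against a toy 16-bit hash; `trunc_hash`, the adversaries and the trial counts are assumptions made for illustration.

```python
import hashlib
import secrets

def bad_hash(key: bytes, msg: bytes) -> int:
    """The slide's BAD example, H(M) = M mod 701 (the key is ignored)."""
    return int.from_bytes(msg, "big") % 701

def trunc_hash(key: bytes, msg: bytes) -> int:
    """Toy keyed hash with n = 16: first 16 bits of SHA-256(key || msg)."""
    return int.from_bytes(hashlib.sha256(key + msg).digest()[:2], "big")

def pre_game(H, adversary, m_bytes: int = 8, key_bytes: int = 16) -> bool:
    """One run of the Pre game; returns True if the adversary wins."""
    key = secrets.token_bytes(key_bytes)    # random key
    msg = secrets.token_bytes(m_bytes)      # random domain point
    y = H(key, msg)                         # hash the domain point
    guess = adversary(H, key, y)            # A runs, returns a domain point
    return guess is not None and H(key, guess) == y   # event: did A win?

def adv_identity(H, key, y):
    """Returns the target itself as the message; any y < 701 is its own preimage under bad_hash."""
    return y.to_bytes(8, "big")

def adv_bruteforce(q: int):
    """Generic adversary limited to q evaluations of H; wins with probability about q / 2^n."""
    def run(H, key, y):
        for i in range(q):
            cand = i.to_bytes(8, "big")
            if H(key, cand) == y:
                return cand
        return None
    return run

def estimate_advantage(H, adversary, trials: int = 300) -> float:
    """Empirical winning frequency over independent runs of the game."""
    return sum(pre_game(H, adversary) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("BAD hash, identity adversary:  ", estimate_advantage(bad_hash, adv_identity))
    print("16-bit hash, identity adversary:", estimate_advantage(trunc_hash, adv_identity))
    print("16-bit hash, 64 queries:        ", estimate_advantage(trunc_hash, adv_bruteforce(64)))
```
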
12
A formal framework
[RS04]
Preimage

                 fixed range point    random range point
  fixed key              -                  aPre
  random key           ePre                 Pre

aPre: Every hash function in the family is hard to invert
ePre: Every range point is hard to invert
a = always, e = everywhere
13
More cryptographic properties
1. Preimage resistance: given a hash function
and given a hash output, it is
hard to invert that output  ✓
2. Second-preimage resistance: given a hash function
and given a first
input, it is hard to find a
second input
that collides with the first
3. Collision resistance: given a hash function,
it is hard
to find two colliding inputs
14
Preimage

                 fixed range point    random range point
  fixed key              -                  aPre
  random key           ePre                 Pre

Second Preimage

                 fixed domain point   random domain point
  fixed key              -                  aSec
  random key           eSec                 Sec

eSec: Also known as UOWHF

Collision

  fixed key              -
  random key           Coll
15
Our results
[RS04]
[Figure: diagram relating Coll, aSec, eSec, Sec, aPre, ePre and Pre. Legend: Conventional arrow, Provisional arrow; Separation = no arrow.]
16
What about near-collisions?
[Diagram: H_K maps two inputs M, M' in Strings to outputs Y, Y' in {0,1}^n such that Y ≈ Y'.]
This should be hard for any reasonable
adversary
(Hmm.. what does this mean now?)
17
Research project 1
Continue definitional work
What's the right definition for the task?
How do we make it formal?
18
Today
  ✓ What are these objects?
  ✓ What cryptographic properties do we like for them
    to have?
  • How do we build them (particularly, from a
    blockcipher)?
  • What do we currently understand about proofs,
    models, bounds on efficiency, etc.?
  • A call to action!

19
How to do this?
arbitrary length string → n-bit string
20
Merkle-Damgård construction
[Me89, Da89]
[Diagram: message blocks M1, M2, M3 (k bits each) pass through the compression function f; the n-bit chaining value runs IV → h1 → h2 → h3 = H(M). IV is a fixed initial value.]
MD Theorem: if f is CR, then so is H
21
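Message blocks M_1, M_2, ..., M_m; each M_i is 512 bits

for i = 1 to m do
    W_t = t-th word of M_i                                   (0 ≤ t ≤ 15)
    W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) << 1     (16 ≤ t ≤ 79)
    A = H0_{i-1};  B = H1_{i-1};  C = H2_{i-1};  D = H3_{i-1};  E = H4_{i-1}
    for t = 0 to 79 do
        T = (A << 5) + g_t(B, C, D) + E + K_t + W_t
        E = D;  D = C;  C = B >> 2;  B = A;  A = T
    end
    H0_i = A + H0_{i-1};  H1_i = B + H1_{i-1};  H2_i = C + H2_{i-1};
    H3_i = D + H3_{i-1};  H4_i = E + H4_{i-1}
end
return H0_m || H1_m || H2_m || H3_m || H4_m

[Annotations: chaining input H0..4_{i-1}: 160 bits; chaining output: 160 bits; returned hash: 160 bits]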
22
Why build hash functions from blockciphers?
Economy of primitives
Do as much as possible with as little as
possible
(late 70s-early 90s) DES
  • weak keys cause design difficulties
  • small blocksize ⇒ easier wins for adversary

(now) AES has changed the playing field
  • no known weak keys
  • bigger blocksize ⇒ harder wins for adversary

23
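Blockcipher-based compression function 1 (CBC)
[Akl83]
  • Is this collision-resistant?

[Diagram: CBC-style chaining through two calls to E under the key K, starting from IV. Labels: inputs IV, 0, 0 and E_K(IV) ⊕ E_K(0); output E_K(E_K(0)), shown twice.]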
24
Attempt 2
[PGV93]
  • How about this?

[Diagram: two calls to E over message blocks M1, M2, starting from IV. Labels: IV ⊕ 1, E_1(1) ⊕ IV, E_0(0) ⊕ IV.]
25
12 provably-secure compression functions
26
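Davies-Meyer compression function
[PGV93, BRS02]
[Diagram: blockcipher E keyed by M_i with input h_{i-1}; the output is XORed with h_{i-1} to give h_i, i.e. h_i = E_{M_i}(h_{i-1}) ⊕ h_{i-1}.]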
27
SHA-0, SHA-1 are blockcipher-based hash functions!
Blockcipher: 512-bit key, 160-bit block
[Annotations: M_i is the key input; H0..4_{i-1} is the block input]

for i = 1 to m do
    W_t = t-th word of M_i                                   (0 ≤ t ≤ 15)
    W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) << 1     (16 ≤ t ≤ 79)
    A = H0_{i-1};  B = H1_{i-1};  C = H2_{i-1};  D = H3_{i-1};  E = H4_{i-1}
    for t = 0 to 79 do
        T = (A << 5) + g_t(B, C, D) + E + K_t + W_t
        E = D;  D = C;  C = B >> 2;  B = A;  A = T
    end
    H0_i = A + H0_{i-1};  H1_i = B + H1_{i-1};  H2_i = C + H2_{i-1};
    H3_i = D + H3_{i-1};  H4_i = E + H4_{i-1}        ← Davies-Meyer feedforward
28

Collision resistance in the ideal cipher model
[Diagram: adversary A has oracles E and E^-1. A query (K, x) to E returns E_K(x); a query (K, y) to E^-1 returns E_K^-1(y). A makes at most q queries and outputs M, M'.]
Model blockcipher as a random permutation for
each key
Adv^coll_H(A) = Pr[ A^{E, E^-1} finds a collision
in H^E ]
Computationally unbounded adversary. Only counted
resource is oracle queries
29
Why such a strong model?
PRP assumption isn't enough in general [Simon]
Specifically, for each of the 12 there is a
PRP that makes collisions easy [Hopwood, Wagner]
More importantly, PRP is the wrong tool:
Security depends on a random, secret key
30
Research project 2
Find new models and/or assumptions
What properties does a blockcipher need for
hashing?
How can we abstract them to models/assumptions?
Can we prove things?
31
Moving theory towards practice
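[Diagram: two consecutive compression steps, each one call to E: M_i and h_{i-1} give h_i, then M_{i+1} and h_i give h_{i+1}. Annotation: "Expensive operations".]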
32
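Secure rate-1, fixed-key constructions?
No secure rate-1, fixed-key constructions [BCS 04]
[Diagram: compression step built from the fixed-key blockcipher E_K and functions f1, f2; inputs M_i and h_{i-1}, output h_i; all lines are n bits wide.]
In the black-box model:
  • compression function collision after 2
    blockcipher calls
  • iterated function collisions in Θ(n lg(n))
    calls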
33
Research project 3
Find secure, fixed-key, rate < 1, iterated
constructions
(some progress being made)
34
128 bits too small? Cascaded constructions!
G_(K1,K2)(M) = H_K1(M) || H_K2(M)      (n bits || n bits)
H_K1(M) ⇓ n/2 bits of CR
H_K2(M) ⇓ n/2 bits of CR
?⇒ G has n bits of CR
No!
[Joux] for MD constructions,
35
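Multicollisions
[Diagram: Merkle-Damgård chain over blocks M_1, M_2, ..., M_m with n-bit chaining values IV → h_1 → h_2 → ... → h_{m-1} → h_m = H(M).]
For m(2^{n/2}) work, we can make 2^m messages that
collide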
36
Collisions in cascaded constructions
For G_(K1,K2)(M) = H_K1(M) || H_K2(M)      (160 bits || 160 bits)
1. Create 2^81-way multicollision under H_K1
2. Hash these messages under H_K2
Collision in G for work O(2^80) << O(2^160)
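The multicollision and cascade slides above, carried out at toy scale as an added example (not from the original slides), to show why concatenating two n-bit iterated hashes does not buy 2n bits of collision resistance. Assumptions: n = 16 instead of 160, truncated SHA-256 stands in for the keyed compression function, and m = 12 steps (more than n/2 + 1) so that a collision under the second hash is practically certain.

```python
import hashlib
from itertools import product

N = 2  # toy digest length in bytes (n = 16 bits) so the searches finish instantly

def f(key, h, block):
    """Stand-in compression function: SHA-256(key || h || block) cut to n bits."""
    return hashlib.sha256(key + h + block).digest()[:N]

def H(key, blocks):
    """Merkle-Damgard iteration from a fixed all-zero IV (whole blocks, no padding)."""
    h = bytes(N)
    for b in blocks:
        h = f(key, h, b)
    return h

def block_collision(key, h):
    """Birthday search, about 2^(n/2) calls to f: two blocks colliding from chaining value h."""
    seen, ctr = {}, 0
    while True:
        b = ctr.to_bytes(8, "big")
        out = f(key, h, b)
        if out in seen:
            return seen[out], b, out
        seen[out] = b
        ctr += 1

def multicollision(key, m):
    """m block collisions in a row: either block at each step gives 2^m colliding messages."""
    h, pairs = bytes(N), []
    for _ in range(m):
        b0, b1, h = block_collision(key, h)
        pairs.append((b0, b1))
    return pairs, h

def G(k1, k2, blocks):
    """Cascade of two independently keyed n-bit hashes: 2n output bits."""
    return H(k1, blocks) + H(k2, blocks)

def cascade_collision(k1, k2, m=12):
    """Hash the 2^m messages that already collide under H_k1 with H_k2; return the first pair."""
    pairs, _ = multicollision(k1, m)
    seen = {}
    for msg in product(*pairs):
        d = H(k2, msg)
        if d in seen:
            return seen[d], msg
        seen[d] = msg
    return None
```

The total work is about m · 2^(n/2) compression calls for the multicollision plus 2^m hashes under the second key, far below the 2^n a 2n-bit output would suggest.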
37
What about MDC-2?
[Diagram: message block M_i feeds two calls to E; chaining values h_{i-1} → h_i and g_{i-1} → g_i.]
38
Huge opportunities for research
  • Continue definitional work
  • Formalize near collisions, etc.
  • What are the right properties for specific tasks?
  • Flesh out the theoretical landscape
  • Ideal cipher model ⇒ proofs
  • PRP assumption ⇒ no proofs
  • Find secure, fixed-key, rate < 1, iterated scheme
  • Analysis of MDC-2
