Your Security in the IT Market
Hash Function Design: Overview of the basic components in SHA-3 competition
Daniel Joščák, S.ICZ a.s. & MFF UK
07/05/2009, SPI Brno

Hash functions in cryptology
►Key component of many protocols
●Electronic signature
●Integrity check
●One-way function
●…
►Fingerprints or message digests

A good hash function must be
►Collision resistant: it is hard to find two distinct inputs m1 and m2 s.t. H(m1) = H(m2).
►1st preimage resistant: given h, it is hard to find any m s.t. h = H(m).
►2nd preimage resistant: given m1, it is hard to find m2 ≠ m1 s.t. H(m1) = H(m2).
►Efficient (speed matters)

Why build them?
►Weaknesses in old, widespread hash functions
●MD2, MD4, MD5, SHA-1
►Algorithms producing real collisions
●Wang et al. 04
●Klíma 05
●Rechberger et al. 06
●Stevens 05 and 06 (new target collisions)
[Figure label: former functions]

Need for a new function: new candidates for SHA-3
►“Only” SHA-2 functions are fine
►SHA-3 competition organized by NIST
●Deadline 31 Oct
●51 submissions

Areas for research and improvements
1. Mode of use for compression function
2. Compression function itself

Improvements of Merkle-Damgård construction

HAIFA, wide pipes, output transformation
►Examples: ARIRANG, BMW, Cheetah, Chi, ECHO, Edon-R, Crunch, ECOH, Grostl, JH, Keccak, Lux, Lane, Luffa, Skein, MD6, SIMD, Vortex…

Tree structure
►Example: MD6

Sponge structure
►Absorbing
●Initialize state
●XOR some of the message to the state
●Apply compression function
●XOR some more of the message into the state
●Apply compression function…
►Squeezing
●Apply compression function
●Extract some output
●Apply compression function
●Extract some output
●Apply compression function…
►Examples: Keccak, Luffa.

Improvements of Compression function

One step of the compression function
[Figures: MD5, SHA-1, SHA-2]

Feedback Shift Register
►Pros: efficiency in HW, known theory from stream ciphers, easy to implement
►Cons: SW implementation, stream cipher weaknesses
►Examples: MD6, Shabal, Essence, NaSHA

Feistel Network
►Pros: block cipher theory, easy to implement
►Cons: cannot be generalized
►Examples: ARIRANG, BLAKE, Chi, CRUNCH, DynamicSHA2, JH, Lesamnta, Sarmal, SIMD, Skein, TIB3

S-boxes
►Pros: theory from block ciphers, speed in HW
►Cons: often implemented as look-up tables (risk of side-channel attacks)
►Examples: Cheetah, Chi, CRUNCH, ECHO, ECOH, Grostl, Hamsi, JH, Khichidi-1, LANE, Lesamnta, Luffa, Lux, SANDstorm, Sarmal, SHAvite-3, SWIFFTX, TIB3. (33 out of 51 candidates use S-boxes)

MDS Matrices
►Pros: mathematical background and proven diffusion properties
►Cons: memory requirements
►Examples: ARIRANG, Cheetah, ECHO, Fugue, Grostl, JH, LANE, Lux, Sarmal, Vortex.

Where to look for candidates:
►NIST webpage: 3/index.html
►Hash ZOO The_SHA-3_Zoo&oldid=3106
►eBASH hash.html
►Classification of the SHA-3 Candidates, Cryptology ePrint Archive: Report 511/2008,

Conclusion
►Do not use MD5, MD4, MD2
►SHA-1 is not recommended after 2009
►Use SHA-2 instead (no weaknesses) or
►SHA-3 standard is coming in 2-3 years
►Cryptanalysis of current submissions is expected
►Second round candidates coming soon (June-August 2009, 15(?) algorithms)

Thank you for your attention.
Daniel Joščák
S.ICZ a.s.
MFF UK, Dept. of Algebra