Towards SHA-3 Christian Rechberger, KU Leuven. Fundamental questions in CS theory Do oneway functions exist? Do collision-intractable functions exist?

Slides:



Advertisements
Similar presentations
Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
Advertisements

SHA-1 collision found Lukáš Miňo, Richard Bartuš.
About a new generation of block ciphers and hash functions - DN and HDN Vlastimil Klíma Independent consultant
1 EUNICE 2010, June, 2010, Swiss army knife in cryptography and information security - cryptographic hash functions Swiss army knife in cryptography.
Hashing Algorithms: SHA-3 CSCI 5857: Encoding and Encryption.
1 Some Current Thinking on Hash Functions Within NIST John Kelsey, NIST, June 2005.
AES-based primitives LUX, Cheetah Alex Biryukov University of Luxembourg 2009.
Your Security in the IT Market Hash Function Design: Overview of the basic components in SHA-3 competition Daniel Joščák, S.ICZ a.s. & MFF UK.
KATAN & KTANTAN A Family of Small and Efficient Hardware-Oriented Block Ciphers Christophe De Cannière 1, Orr Dunkelman 1,2, Miroslav Knežević 1 (1) Katholieke.
Cryptography and Network Security
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Cryptography and Network Security Hash Algorithms.
AES clear a replacement for DES was needed
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.
1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Lecture 23 Symmetric Encryption
Cryptographic Hashing: Blockcipher-Based Constructions, Revisited Tom Shrimpton Portland State University.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
Cryptographic Hash Functions July Topics  Overview of Cryptography Hash Function  Usages  Properties  Hashing Function Structure  Attack on.
AES Proposal: Rijndael Joan Daemen Vincent Rijmen “Rijndael is expected, for all key and block lengths defined, to behave as good as can be expected from.
XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know what the key is it's virtually indecipherable."
HASH Functions.
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
9/17/15UB Fall 2015 CSE565: S. Upadhyaya Lec 6.1 CSE565: Computer Security Lecture 6 Advanced Encryption Standard Shambhu Upadhyaya Computer Science &
Advance Encryption Standard. Topics  Origin of AES  Basic AES  Inside Algorithm  Final Notes.
AES Background and Mathematics CSCI 5857: Encoding and Encryption.
Cryptographic Hash Functions June Topics  Overview of Cryptography Hash Function  Usages  Properties  Hashing Function Structure 
KATAN & KTANTAN A Family of Small and Efficient Hardware-Oriented Block Ciphers Christophe De Cannière 1, Orr Dunkelman 1,2, Miroslav Knežević 1 (1) Katholieke.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption.
Hash and MAC Functions CS427 – Computer Security
A Case for a Parallelizable Hash Alan Kaminsky and Stanislaw Radziszowski Department of Computer Science B. Thomas Golisano College of Computing and Information.
The Latest Attacks on AES Mehrdad Abdi 1 بسم الله الرحمن الرحیم.
STATISTICAL AND PERFORMANCE ANALYSIS OF SHA-3 HASH CANDIDATES Ashok V Karunakaran Department of Computer Science Rochester Institute of Technology Committee.
Cryptographic Hash Functions and Protocol Analysis
Understanding Cryptography – A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Chapter 11 – Hash Functions.
Week 4 - Friday.  What did we talk about last time?  Snow day  But you should have read about  Key management.
AES: Rijndael 林志信 王偉全. Outline Introduction Mathematical background Specification Motivation for design choice Conclusion Discussion.
CS548_ ADVANCED INFORMATION SECURITY Jong Heon, Park / Hyun Woo, Cho Evaluation of Hardware Performance for the SHA-3 Candidates Using.
Cryptographic Hash Functions Prepared by Dr. Lamiaa Elshenawy
The RC5 Encryption Algorithm: Two Years On Lisa Yin RC5 Encryption –Ron Rivest, December 1994 –Fast Block Cipher –Software and Hardware Implementations.
© Information Security Group, ICU1 Block Cipher- introduction  DES Description: Feistel, S-box Exhaustive Search, DC and LC Modes of Operation  AES Description:
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
Block Cipher- introduction
Cryptographic Hash Functions
CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Information Security and Management 11. Cryptographic Hash Functions Chih-Hung Wang Fall
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CS555Spring 2012/Topic 141 Cryptography CS 555 Topic 14: CBC-MAC & Hash Functions.
Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.
Hash Algorithms.
The SHA Family of Hash Functions: Recent Results
School of Computer Science and Engineering Pusan National University
ICS 454 Principles of Cryptography
Cryptography Lecture 19.
Practical Aspects of Modern Cryptography
ICS 454 Principles of Cryptography
Seyed Amir Hossain Naseredini
Presentation transcript:

Towards SHA-3 Christian Rechberger, KU Leuven

Fundamental questions in CS theory Do oneway functions exist? Do collision-intractable functions exist? We don't know.

Do we care? What we care about: computational properties For cryptographic hash functions, it should be sufficiently hard to find preimages find collisions... © CC BY-SA 2.0

Secure? What properties? Collision resistance Preimage resistance 2nd preimage resistance Near-collision resistance Pseudorandom generator Pseudorandom function Key derivation function Random oracle … © CC BY-SA 2.0

Users Systems Protocols Primitives Hash functions as a fundamental primitive

MD4 family

x xx x x x ????

Collisions for reduced SHA-1 40 rounds: Biham, Chen, rounds: Wang, Yu, Yin, rounds: De Cannière, R., rounds: De Cannière, Mendel, R., 2007 Full 80 rounds?

What are the problems Too fast? Designers too optimistic New powerful variants of differential cryptanalysis

x xx x x x ???? Road towards SHA-3 SHA-3 (selected in an open competition)

Design challenges for SHA-3 Faster than SHA-2 on many platforms More secure than SHA-2, confidence All the properties that you could think of now and in the years to come

Design challenges for SHA-3 Faster than SHA-2 on many platforms More secure than SHA-2, confidence All the properties that you could think of now and in the years to come © CC BY-SA 2.0

Outline Motivation SHA-3 competition Grøstl and the rebound attack SHA-3 candidates through the rebound lens Concluding discussions

SHA-3 competition 2006/2007: NIST drafts requirements and calls for submissions 10/2008: 64 submissions, >200 designers 12/2008: 51 round-1 candidates announced 07/2009: 14 round-2 candidates announced 12/2010: Five finalists announced Q2 2012: Final selection

The candidates Slides credits: Christophe De Cannière

Preliminary cryptanalysis

SHA-3 Zoo ECRYPT2 SHA-3 Zoo:

Round-2 candidates

How to categorize them?

Credits to Dai Watanabe How to categorize them?

How to compare them? Security Performance/Implementation costs Software (code size, speed,...) Hardware (lowest gate count, highest throughput, power consumption characteristics, …) Side-Channel countermeasures Confidence?

Grøstl Grøstl is inspired by Rijndael/AES (Daemen, Rijmen, 1997) SMASH (Knudsen, 2005) Grindahl (Knudsen, R., Thomsen, 2007) Proofs against differential attacks Proofs against generic shortcut attacks

Rebound attack New variant of differential cryptanalysis, FSE 2009 Developed during the design of Grøstl

Origins of the rebound attack Differential attack, Biham and Shamir, 1989 Inside-out approach, Dobbertin 1995, Wagner 1998 Truncated differential, Knudsen, 1994 Original Goal: Get a good estimate of the security margin of Grøstl

Example of a rebound attack Within a few months, others became a “victim”: – Twister (round-1 SHA-3 candidate) – LANE (round-1 SHA-3 candidate) – Whirlpool (ISO standard, unbroken since 2001) – …

Further technical developments The Linear solving variant (SAC 2009) Start-in-the-middle variant (SAC 2009) Super(S)box variant (Asiacrypt 2009 and FSE 2010) Multiple-inbound phase variant (Asiacrypt 2009) Rotational variant (Asiacrypt 2010)...of the rebound attack

SHA-3 finalists

SHA-3 round-2 candidates through the rebound lens 4 or 8-bit S-box based Grøstl ECHO JH Luffa Shavite-3 Fugue Hamsi Others Skein BMW Blake Cubehash Keccak SIMD Shabal

4 or 8-bit S-box based Grøstl ECHO JH Luffa Shavite-3 Fugue Hamsi Others Skein BMW Blake Cubehash Keccak SIMD Shabal SHA-3 round-2 candidates through the rebound lens

Most recent case: Skein Recent analysis by Khovratovich, Nikolic, R. in 2010 Rebound idea for the first time applied to ARX construction Results in perspective: – 2009: Related-key differential attack: 34 rounds – 2010: Rotational attack: 42 rounds – New: Rebound rotational attack: 57 rounds

4 or 8-bit S-box based Grøstl ECHO JH Luffa Shavite-3 Fugue Hamsi Others Skein BMW Blake Cubehash Keccak SIMD Shabal SHA-3 finalists through the rebound lens

SHA-3 finalists in numbers Geography: 3 from Europe, 1 from Asia, 1 from America Tweaks: |all 5 got tweaked, 2 got tweaked twice Team members also AES finalist: 3 Teams that designed a hash function before: 2

Credits to Dai Watanabe How to categorize them?

SHA-3 finalists Compression strategy: Single Permutation: Blake (with finalization), JH, Keccak Two Permutations: Grøstl Large family of permutations (block cipher): Skein Source of non-linearity: 64-bit: Skein 32/64-bit: Blake 8-bit: Grøstl 4/5-bit: JH 3-bit: Keccak

Conclusion (1/2) Assurance? Very complicated attacks against MD5 and SHA-1 (1) Differential trail with complicated carry interactions (2) Degrees of freedom utilization for speedup Level of assurance provided by finalists against this class of attacks: Blake, Skein: ARX, issues similar to SHA-1/SHA-2 Grøstl: both (1) and (2) done by rebound attacks JH: (1) and (2) may be possible, open problem Keccak: seems infeasible

Conclusion (2/2) Building confidence in a new cryptographic primitive takes time A lot remains to be done for a final SHA-3 selection by 2012 Upcoming: ECRYPT Hash Workshop 2011, May 19-20, Tallinn

The road ahead Application of new cryptanalytic techniques to other areas, examples – Internal fixed points: Collision and preimage attack on GOST hash: 2008 Key recovery attack on GOST block cipher: 2011 – Local collisions: Collisions in SHA-0: 1998 Related-key attacks on AES: 2009 New lightweight algorithms, where designers cut corners

Towards SHA-3 Q&A Christian Rechberger, KU Leuven

Backup slides

Addendum: Grøstl?

Call for input