Cryptographic Hashing: Blockcipher-Based Constructions, Revisited. Tom Shrimpton, Portland State University.


2 Results from CRYPTO 2004
– “Near-collisions” in SHA-0 [Biham]
– Collisions in SHA-0 [Joux, rump session]
– Collisions in reduced-round SHA-1 [Biham, rump session]
– Collisions in MD4, MD5, RIPEMD, HAVAL-128 [Wang et al., rump session]
– Multicollisions in iterated constructions [Joux]

3 Today
– What are these objects?
– What cryptographic properties do we like for them to have?
– How do we build them (particularly, from a blockcipher)?
– What do we currently understand about proofs, models, bounds on efficiency, etc.?
– A call to action!

4 What are cryptographic hash functions?
[Figure: File → Hash (e.g., md5sum, SHA-1) → cryptographic “fingerprint”]

5 SHA-1 [NIST]
Input: message blocks M_1, M_2, ..., M_m of 512 bits each. Output: 160 bits.
  for i = 1 to m do
    W_t = t-th word of M_i                                      for 0 ≤ t ≤ 15
    W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) <<< 1        for 16 ≤ t ≤ 79
    A ← H_0^{i-1}; B ← H_1^{i-1}; C ← H_2^{i-1}; D ← H_3^{i-1}; E ← H_4^{i-1}
    for t = 0 to 79 do
      T ← (A <<< 5) + g_t(B, C, D) + E + K_t + W_t
      E ← D; D ← C; C ← B >>> 2; B ← A; A ← T
    H_0^i ← A + H_0^{i-1}; H_1^i ← B + H_1^{i-1}; H_2^i ← C + H_2^{i-1}; H_3^i ← D + H_3^{i-1}; H_4^i ← E + H_4^{i-1}
  end
  return H_0^m H_1^m H_2^m H_3^m H_4^m
(<<< and >>> are rotations of a 32-bit word; + is addition mod 2^32.)


7 [Slide: a cloud of competing names for hash-function security notions, separated by question marks]
2nd-preimage resistance, strong hash, weak collision resistance, strong collision resistance, collision resistance, target collision resistance, one-way function, universal one-way hash function, inversion resistance, collision-free, preimage resistance, collision-intractable

8 A motivating quote, and a “fact”
“2nd-preimage resistance — it is computationally infeasible to find any second-input which has the same output as any specified input, i.e., given x, to find a 2nd-preimage x’ ≠ x such that h(x) = h(x’).” [MOV]
How are inputs specified? How is h selected?
“Fact: Collision resistance implies 2nd-preimage resistance of hash functions” [MOV]
This “fact” depends on how you answer the above questions!

9 A cryptographic property (quite informal)
1. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output
BAD: H(M) = M mod 701

10 Preimage resistance (intuition, but slightly more formal)
[Figure: M in {0,1}^m → H_K → Y in {0,1}^n; going back from Y to some M’ with H_K(M’) = Y is the direction that is “hard” for any “reasonable” adversary]
𝒦: a finite, nonempty set
Strings: set of strings ⊆ {0,1}*
n: the hash length
H : 𝒦 × Strings → {0,1}^n
keyed-SHA1: {0,1}^160 × {0,1}* → {0,1}^160
SHA1 is one particular function from this family

11 Preimage resistance: a definition (formal)
[The formula on this slide did not survive extraction; its annotations were:]
– “name of game”
– probabilistic game: random key; random domain pt; hash the domain pt; A runs, returns domain pt
– event: did A win (find preimage)?

12 A formal framework [RS04]
Preimage notions (“a” = “always”, “e” = “everywhere”):
– Pre: random key, random range point
– ePre: random key, fixed range point. Every range point is hard to invert
– aPre: fixed key, random range point. Every hash function in the family is hard to invert

13 More cryptographic properties
1. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output
2. Second-preimage resistance: given a hash function and given a first input, it is hard to find a second input that collides with the first
3. Collision resistance: given a hash function, it is hard to find two colliding inputs

14 [Figure: the seven notions]
Preimage: Pre (random key, random range point); ePre (random key, fixed range point); aPre (fixed key, random range point)
Second preimage: Sec (random key, random domain point); eSec (random key, fixed domain point), also known as UOWHF; aSec (fixed key, random domain point)
Collision: Coll (random key)

15 Our results [RS04]
[Figure: diagram relating Coll, aSec, eSec, aPre, ePre, Sec, Pre. Legend: conventional implication; provisional implication; separation (no arrow)]

16 What about near-collisions?
[Figure: M and M’ in Strings are hashed by H_K to Y and Y’ in {0,1}^n, such that Y ≈ Y’]
This should be “hard” for any “reasonable” adversary (Hmm.. what does this mean now?)

17 Research project #1
Continue definitional work
– What’s the “right” definition for the task?
– How do we make it formal?


19 How to do this?
H : 𝒦 × Strings → {0,1}^n (arbitrary length string in, n-bit string out)

20 Merkle-Damgard construction [Me89],[Da89]
[Figure: a fixed initial value IV (n bits) and message blocks M_1, M_2, M_3 (k bits each) pass through three calls to the compression function f, giving chaining values h_1, h_2 and h_3 = H(M)]
MD Theorem: if f is CR, then so is H

21 [The SHA-1 pseudocode of slide 5, shown again with these labels on the loop body: message block M_i (512 bits) and chaining words H_{0..4}^i (160 bits)]

22 Why build hash functions from blockciphers?
“Do as much as possible with as little as possible”: economy of primitives
(late 70s-early 90s): DES
– weak keys cause design difficulties
– small blocksize → easier wins for adversary
(now): AES has changed the playing field
– no known weak keys
– bigger blocksize → harder wins for adversary

23 Blockcipher-based compression function #1 (CBC) [Akl83]
Is this collision-resistant?
[Figure: a two-block message M_1, M_2 hashed by CBC chaining under E_K, starting from IV. Surviving labels: 0; E_K(E_K(0)); 0; E_K(IV) ⊕ E_K(0); = E_K(E_K(0))]

24 Attempt #2 [PGV93]
How about this?
[Figure: a two-block message M_1, M_2 and two blockcipher calls E, starting from IV. Surviving labels: E_0(0) ⊕ IV; IV; IV ⊕ 1; E_1(1) ⊕ IV = IV]

25 12 provably-secure compression functions

26 Davies-Meyer compression function [PGV93],[BRS02]
[Figure: blockcipher E with inputs M_i and h_{i-1}, output h_i]

27 SHA-0, SHA-1 are blockcipher-based hash functions!
[The SHA-1 pseudocode of slide 5, shown again with inputs M_i and H_{0..4}^{i-1} and these labels:]
– Blockcipher: 512-bit key, 160-bit block
– Davies-Meyer feedforward

28 Collision resistance in the “ideal cipher” model
[Figure: adversary A sends queries (K, x) to oracle E and gets E_K(x), sends queries (K, y) to oracle E^-1 and gets E_K^-1(y), then outputs M, M’]
Adv^coll_H(A) = Pr[ A^{E, E^-1} finds a collision in H^E ]
Adv^coll_H(q) = max_A { Adv^coll_H(A) }, over adversaries A making at most q queries
– Model blockcipher as a random permutation for each key
– Computationally unbounded adversary
– Only counted resource is oracle queries

29 Why such a strong model?
– PRP assumption isn’t enough in general [Simon]
– Specifically, for each of the 12 there is a PRP that makes collisions easy [Hopwood][Wagner]
– More importantly, PRP is the wrong tool
  Security depends on a random, secret key

30 Research project #2
Find new models and/or assumptions
– What properties does a blockcipher need for hashing?
– How can we abstract them to models/assumptions?
– Can we prove things?

31 Moving theory towards practice
[Figure: two chained blockcipher calls, E with M_i and h_{i-1} giving h_i, then E with M_{i+1} giving h_{i+1}; label: “Expensive operations”]

32 Secure rate-1, fixed-key constructions?
[Figure: M_i and h_{i-1} (n bits each) enter f_1, then E_K, then f_2, giving h_i (n bits)]
No secure rate-1, fixed-key constructions [BCS 04]
In the black-box model:
– compression function: collision after 2 blockcipher calls
– iterated function: collisions in (n + lg(n)) calls

33 Research project #3
Find secure, fixed-key, rate < 1, iterated constructions
(some progress being made)

34 bits too small? Cascaded constructions!
No! Joux: for MD constructions
[Figure: H_K1(M) || H_K2(M) = G_(K1,K2)(M), with labels “n/2 bits of CR”, “n bits of CR”, “n bits”, “?”]

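35 Multicollisions
[Figure: Merkle-Damgard chain from IV through f, f, ..., f with message blocks M_1, M_2, ..., M_m and n-bit chaining values h_1, h_2, ..., h_{m-1}, ending in h_m = H(M)]
For m(2^{n/2}) work, we can make 2^m messages that collide …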

36 Collisions in cascaded constructions
For G_(K1,K2)(M) = H_K1(M) || H_K2(M) [label: 160 bits]:
1. Create way multicollision under H_K1
2. Hash these messages under H_K2
Collision in G for work O(2^80) << O(2^160)
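
Added example (not part of the original slides): the multicollision of slide 35 and the cascade attack of slide 36, run on a toy Merkle-Damgard hash with a Davies-Meyer compression function. The 12-bit cipher E, the use of the IV as the key K, and all function names are assumptions made so the search finishes instantly; N+1 blocks are used instead of Joux's roughly N/2 so that a collision in the second hash is certain by pigeonhole.

```python
from itertools import product

N = 12                       # toy digest width in bits (assumption; the slides use 160)
MASK = (1 << N) - 1

def E(key, x):
    """Toy keyed permutation on N-bit blocks, constructed for this demo (not a real cipher)."""
    for r in range(4):
        x = (x + (key >> (8 * r)) + r) & MASK      # add round key material
        x = ((x << 5) | (x >> (N - 5))) & MASK     # rotate left by 5
        x ^= x >> 3                                # invertible xorshift
    return x

def f(h, m):
    """Davies-Meyer: the message block keys the cipher, the chaining value is fed forward."""
    return E(m, h) ^ h

def H(iv, blocks):
    """Merkle-Damgard iteration; the IV plays the role of the key K (assumption)."""
    for m in blocks:
        iv = f(iv, m)
    return iv

def block_collision(h):
    """Find blocks a != b with f(h, a) == f(h, b); 2**N + 1 tries suffice by pigeonhole."""
    seen = {}
    for m in range(MASK + 2):
        out = f(h, m)
        if out in seen:
            return seen[out], m, out
        seen[out] = m

def multicollision(iv, m):
    """Joux: m chained block collisions yield 2**m messages with the same digest."""
    pairs = []
    for _ in range(m):
        a, b, iv = block_collision(iv)
        pairs.append((a, b))
    return pairs, iv

def cascade_collision(iv1, iv2):
    """Collide G(M) = H(iv1, M) || H(iv2, M) without ever attacking the 2N-bit output."""
    pairs, _ = multicollision(iv1, N + 1)   # 2**(N+1) messages, so H(iv2, .) must repeat
    seen = {}
    for msg in product(*pairs):             # every msg has the same H(iv1, msg)
        d = H(iv2, msg)
        if d in seen:
            return seen[d], msg
        seen[d] = msg
```

The cost is N+1 small birthday searches plus one pass over the multicollision set, which is far below the 2^N work a 2N-bit digest would suggest.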

37 What about MDC-2?
[Figure: two blockcipher calls E on message block M_i, taking chaining values h_{i-1} and g_{i-1} and producing h_i and g_i]

38 Huge opportunities for research
Continue definitional work
– Formalize “near collisions”, etc.
– What are the right properties for specific tasks?
Flesh out the theoretical landscape
– Ideal cipher model → proofs
– PRP assumption → no proofs
Find secure, fixed-key, rate < 1, iterated scheme
Analysis of MDC-2
