Presentation is loading. Please wait.

Presentation is loading. Please wait.

The SHA Family of Hash Functions: Recent Results

Published byReynard Reeves Modified over 6 years ago

Similar presentations

Presentation on theme: "The SHA Family of Hash Functions: Recent Results"— Presentation transcript:

1 The SHA Family of Hash Functions: Recent Results
Christian Rechberger and Vincent Rijmen SPI 2007, Brno

2 Motivation

3 Motivation How ? x x x x x x x x

4 Agenda The MD4 and SHA family Basic attack on SHA
Advanced methods for fast collision search (example SHA-1) SHA-2? Conclusions

5 Outline of MD4-style Hash Functions

6 Message Expansions in the MD4 family
MD4/5, RIPEMD SHA / SHA-1 SHA-2 members

7 Outline of MD4-style Hash Functions

8 Evolution of the State Updates in the MD4 Family
SHA/SHA-1 SHA-2 members Design Complexity

9 How to produce a collision?
o1=SHA(M1) o2=SHA(M2) Goal: Find any M1 and M2 such that o1 = o2

10 Propagation of a small difference
Flip a bit in m0 Message Expansion

11 Propagation of a small difference
- 1 B C D E + f << 5 >> 2 DW D AN Step N Flipping a bit Die Notation 2^j wird hier verwendet um eine Differenz in der Bitposition j zu beschreiben. J kann Werte zwischen 0 und 31 annehmen. Flip a bit

12 Propagation of a small difference

13 Propagation of a small difference

14 Propagation of a small difference

15 Propagation of a small difference
Das ist der Zwischenstand nach nur ein paar Schritten. Nun kann man sich ungefähr vorstellen was passiert, wenn man das ganze Spiel über 80 Runden betreibt. Und das ist nun genau eine Eigenschaft die von einer Hash funktion erwartet wird. Selbst bei kleinsten Änderungen des Eingangs (hier haben wir nur ein einziges Bit geändert) ändert sich der Ausgangswert komplett.

16 Perturbation Step N ∆ E D C B A + << 5 ∆ K = + + f W = 2 +
- 1 N - 1 N - 1 N - 1 N - 1 + << 5 K = + + f W = 2 j N + >> 2 E E D D C C B B A A = 2 j N + N 1 N + N 1 N + N 1 N + N 1 N N + 1

17 Correction 1

18 Correction 2

19 Correction 3

20 Correction 4

21 Correction 5

22 Outline of SHA – Message Expansion
If too much time: illustrate the ME better

23 Building a collision for SHA
Perturbation pattern Low weight Last 5 words are zero

24 A collision-producing difference pattern
Apply 5 corrections with the same pattern displaced over steps rotated over bit positions That was one correction Note that all these corrections follow the Message Expansion Rule as well.

25 A collision-producing expanded-message difference pattern
Completed difference pattern consisting of 1 perturbation pattern 5 correction patterns

26 Conditions imposed by nonlinear elements
Boolean function f Modular addition

27 Results of CJ98 Low- weight patterns exist for SHA => break
For SHA-1: weight is too high

28 Improvements Better characteristics
1-block  multi-block Better suited for hash functions Better ways to construct right pairs Message modification

29 2-block attack Two related near-collisions give a 2-block collision
Work effort of two blocks is only sum of them

30 Key properties of new approach [DR06]
Generalized conditions: Looks for (parts of) the colliding pair and characteristic at the same time Type Possibilities XOR 2 Signed-bit 4-6 Generalized: 16

31 Result of Improvements

32 Problem of optimization
Message difference Enough freedom left for search? Characteristic Speed-up method

33 Problem of optimization
Message difference Enough freedom left for search? Real workfactor of attack Characteristic Speed-up method

34 Some results SHA SHA-1 1998: 261 [CJ98] 2004: 251 [BCJ+05]
2005: 239 [WYY05a] 2006: 236 [N+06] 2007: 100-fold improvement? ongoing work SHA-1 2005: 58 steps 233 [WYY05b] 2006: 64 steps 235 [DR06] 2007: 70 steps 244 [DMR06] Full SHA-1 (80 steps): ongoing work

35 Example: Collision for 64-step SHA-1
I hereby solemnly promise to finish my PhD thesis by the end of 2005 [Garbage] Same Hash I hereby solemnly promise to finish my PhD thesis by the end of 2006’ [different Garbage]

36 What about SHA-2 members?

37 Probabilities of local collisions
SHA/SHA-1: 2-2 to 2-5 SHA-2: to 2-41 Strategy: cancel differences as soon as possible with corrective differences

38 Comparing the message expansions of the SHA family
(linearized)

39 Conclusions How ? x x x x x x x x

40 x x x x x x x x 1) Special characteristics
Conclusions 1) Special characteristics 2) Clever ways of solving equations (fast) x x x x x x x x

41 Conclusions Collision for full (80-step) SHA-1 is getting closer
Optimization is ongoing 2006: * x (unpublished work, estimates) Automated techniques can exploit degrees of freedom in a more efficient way 2007: ? Improved Attacks on NMAC/HMAC? Results on (2nd-)preimage resistance? Analysis and design of new hash function proposals important

42 Hash Function Workshop
Barcelona, May 24-25, 2007 events.iaik.tugraz.at/hashworkshop07

43 The SHA Family of Hash Functions: Recent Results Q&A
Christian Rechberger and Vincent Rijmen SPI 2007, Brno

Download ppt "The SHA Family of Hash Functions: Recent Results"

Similar presentations

Which Hash Functions will survive?

Which Hash Functions will survive?
Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
SHA-1 collision found Lukáš Miňo, Richard Bartuš.

SHA-1 collision found Lukáš Miňo, Richard Bartuš.
About a new generation of block ciphers and hash functions - DN and HDN Vlastimil Klíma Independent consultant

About a new generation of block ciphers and hash functions - DN and HDN Vlastimil Klíma Independent consultant
1 Some Current Thinking on Hash Functions Within NIST John Kelsey, NIST, June 2005.

1 Some Current Thinking on Hash Functions Within NIST John Kelsey, NIST, June 2005.
Hard and easy components of collision search in the Zémor- Tillich hash function: New attacks and reduced variants with equivalent security Christophe.

Hard and easy components of collision search in the Zémor- Tillich hash function: New attacks and reduced variants with equivalent security Christophe.
Towards SHA-3 Christian Rechberger, KU Leuven. Fundamental questions in CS theory Do oneway functions exist? Do collision-intractable functions exist?

Towards SHA-3 Christian Rechberger, KU Leuven. Fundamental questions in CS theory Do oneway functions exist? Do collision-intractable functions exist?
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
“Chinese” Attacks on Hashes March 11, 2006, Bing Wu Topic 1.Background 2.“Chinese” collision attacks 3.Results for MD4 and MD5.

“Chinese” Attacks on Hashes March 11, 2006, Bing Wu Topic 1.Background 2.“Chinese” collision attacks 3.Results for MD4 and MD5.
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,

Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.

Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
Cryptography and Network Security Hash Algorithms.

Cryptography and Network Security Hash Algorithms.
Fast Software Encryption 2007 1 Producing collisions for P ANAMA, instantaneously Joan Daemen and Gilles Van Assche STMicroelectronics.

Fast Software Encryption Producing collisions for P ANAMA, instantaneously Joan Daemen and Gilles Van Assche STMicroelectronics.
Authenticating streamed data in the presence of random packet loss March 17th, 2000. Philippe Golle, Stanford University.

Authenticating streamed data in the presence of random packet loss March 17th, Philippe Golle, Stanford University.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.

MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google