Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abelian Square-Free Dithering and Recoding for Iterated Hash Functions Ronald L. Rivest MIT CSAIL ECRYPT Hash Function Conference June 23, 2005.

Published byViolet Lee Modified over 9 years ago

Similar presentations

Presentation on theme: "Abelian Square-Free Dithering and Recoding for Iterated Hash Functions Ronald L. Rivest MIT CSAIL ECRYPT Hash Function Conference June 23, 2005."— Presentation transcript:

1 Abelian Square-Free Dithering and Recoding for Iterated Hash Functions Ronald L. Rivest MIT CSAIL ECRYPT Hash Function Conference June 23, 2005

2 Outline u Dean/Kelsey/Schneier Attacks u Square-Free Sequences –Prouhet-Thue-Morse Sequences –Towers of Hanoi u Abelian Square-Free Sequences –Ker ä nen’s Sequence u Dithering and Recoding u Open Questions u Conclusions

3 Typical Iterated hashing ffff h0h0 h1h1 h2h2 h3h3 hLhL h L-1 H(M) M1M1 M2M2 MLML M3M3 u Message extended with 10* & length (MD) u f is compression function. u h 0 is initialization vector (IV) u h i is i-th chaining variable u Last chaining variable h L is hash output H(M)

4 Dean/Kelsey/Schneier Attacks u Assumes one can find fixpoint h for f,M 0 : h = f(h,M 0 ) u Can then have message expansion attacks that find second preimage by –Finding many fixpoint pairs (h,M) –Finding a fixpoint h in actual chain for given message –Finding another shorter path from h 0 to some chaining variable –Creating second preimage with this new starting path using message expansion to handle Merkle-Damgard strengthening ffff h0h0 h1h1 h2h2 h3h3 hLhL h L-1 H(M) M1M1 M2M2 MLML M3M3

5 Dithering and Recoding u Make hash function round dependent on round index i as well as h i-1 and M i u Dithering: include dither input d i to compression function: h i = f(h i-1,M i,d i ) u Recoding: Include dither input as part of i-th message block h i = f(h i-1,M’ i ) where M’ i = (M i,d i ) u (These are equivalent, of course…)

6 Iterated hashing with dithering u How to choose dither input d i ? –Could choose d i = i –Could choose d i = r i (pseudo-random) –Use square-free sequence d i (repetition-free sequence; no repeated symbols or subwords.) d1d1 d2d2 d3d3 dLdL ffff h0h0 h1h1 h2h2 h3h3 hLhL h L-1 H(M) M1M1 M2M2 MLML M3M3

7 Square-Free Sequence u A sequence is square-free if it contains no two equal adjacent subwords.  Examples: abracadabra is square-free hobbit is not (repeated “ b ” ) banana is not (repeated “ an ” ) u Dithering with a square-free sequence prevents message expansion attacks. (Would need fixpoint that works for all dither inputs.)

8 Infinite square-free sequences u There exists infinite square-free sequences over 3-letter alphabet.  Start with parity sequence: 0110100110010110… i-th element is parity of integer i. This (Prouhet-Thue-Morse, or PTM) sequence is only cube-free, but…  Sequence of inter-zero gap lengths in PTM is square-free: 2102012101202102012021…

9 Generating infinite sf sequences u Or: –Take two copies of PTM sequence; shift second one over by one, then code vertical pairs: A = 00, B = 01, C = 10, D = 11 : 0 1 1 0 1 0 0 1 1 0 0 1 0 1 … - 0 1 1 0 1 0 0 1 1 0 0 1 0 … - C D B C B A C D B A C B C … u Result is also square-free.

10 Towers of Hanoi Sequence u Optimal play moves small disk on odd moves cyclically 1->2->3->1->2->3…; even moves are then forced.  Code moves with six letters as A [1->2], B [1->3], C [2->1], D [2->3], E [3->1], F [3->2] u Optimal sequence is square-free! (Shallit &c) 1 2 3

11 Towers of Hanoi Sequence  Code moves with six letters as A [1->2], B [1->3], C [2->1], D [2->3], E [3->1], F [3->2] u Optimal play: 1 2 3 A D B AE FABDC… u Easy to generate sequence for infinitely many disks…

12 Abelian square-free sequences u An even stronger notion of “repetition- free” than (ordinary) square-free. u A sequence is abelian square-free if it contains no two adjacent subwords yy’ where y’ is a permutation of y (possibly identity permutation).  Example: abelianalien is square-free but not abelian square-free, since “ alien ” is a permutation of “ elian ”.

13 Infinite ASF sequences exist  Thm (Ker ä nen). There exists infinite ASF sequences on four letters.  Ker ä nen’s sequence based on “magic sequence” S of length 85: abcacdcbcdcadcdbdabacabadbabc bdbcbacbcdcacbabdabacadcbcdca cdbcbacbcdcacdcbdcdadbdcbca  Let  (w) denote word w with all letters shifted one letter cyclically:  ( abcacd ) = bcdbda

14 Generating infinite asf sequence(I)  Start with Ker ä nen’s magic sequence S = abcac…dcbca (length 85)  Apply morphism: a  S = abcac…dcbca b   (S) = bcdbd…adcdb c   2 (S) = cdaca…badac d   3 (S) = dabdb…cbabd simultaneously to all letters. u Repeat to taste (each sequence is prefix of next, and of infinite limit sequence).

15 Generating infinite asf sequence(II) u Count i = 0 to infinity in base 85 u Apply simple four-state machine to base-85 representation of i (high-order digit processed first).  Output a/b/c/d is last state. u Requires constant (amortized) time per output symbol.

16 Dithering with ASF sequence  Since Ker ä nen’s ASF sequence on four letters is so easy to generate efficiently, we propose using it to dither an iterated hash function. u This add negligible computational overhead, and only two new bits of input to compression function.

17 Recoding with ASF sequence u Can also recode message using given ASF sequence. (This is essentially equivalent to dithering, just viewed another way…)

18 Open Questions u Can Dean/Kelsey/Schneier attacks be adapted to defeat use of ASF sequences in hash function? u Does ASF really add anything over SF? u Are there generalizations of ASF that could be used? (“Even more” pattern-free?) u Where else in cryptography can ASF sequences be used?

19 Conclusions u Abelian square-free sequences seem to be a very inexpensive way to prevent repetitive inputs from causing vulnerabilities in hash functions.  (Thanks to Jeff Shallit and Veikko Ker ä nen for teaching me about square-free and abelian square-free sequences.)

20 (The End)

Download ppt "Abelian Square-Free Dithering and Recoding for Iterated Hash Functions Ronald L. Rivest MIT CSAIL ECRYPT Hash Function Conference June 23, 2005."

Similar presentations

Merkle Damgard Revisited: how to Construct a hash Function

Merkle Damgard Revisited: how to Construct a hash Function
ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna

Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Multiplication Rule. A tree structure is a useful tool for keeping systematic track of all possibilities in situations in which events happen in order.

Multiplication Rule. A tree structure is a useful tool for keeping systematic track of all possibilities in situations in which events happen in order.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,

Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.

Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
MD5 Message Digest Algorithm CS265 Spring 2003 Jerry Li Computer Science Department San Jose State University.

MD5 Message Digest Algorithm CS265 Spring 2003 Jerry Li Computer Science Department San Jose State University.
Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.

Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.
Cryptography and Network Security Hash Algorithms.

Cryptography and Network Security Hash Algorithms.
Breaking the ICE - Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions Ya’akov Hoch and Adi Shamir.

Breaking the ICE - Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions Ya’akov Hoch and Adi Shamir.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part I.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part I.
1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen.

1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Similar presentations

Ads by Google