Presentation is loading. Please wait.

Presentation is loading. Please wait.

The MD6 Hash Function Ronald L. Rivest MIT CSAIL CRYPTO 2008 (aka “Pumpkin Hash”)

Published byLenard Nicholson Modified over 9 years ago

Similar presentations

Presentation on theme: "The MD6 Hash Function Ronald L. Rivest MIT CSAIL CRYPTO 2008 (aka “Pumpkin Hash”)"— Presentation transcript:

1 The MD6 Hash Function Ronald L. Rivest MIT CSAIL CRYPTO 2008 (aka “Pumpkin Hash”)

2 MD6 Team u Dan Bailey u Sarah Cheng u Christopher Crutchfield u Yevgeniy Dodis u Elliott Fleming u Asif Khan u Jayant Krishnamurthy u Yuncheng Lin u Leo Reyzin u Emily Shen u Jim Sukha u Eran Tromer u Yiqun Lisa Yin u Juniper Networks u Cilk Arts u NSF

3 Outline u Introduction u Design considerations u Mode of Operation u Compression Function u Software Implementations u Hardware Implementations u Security Analysis

4 MD5 was designed in 1991… u Same year WWW announced… u Clock rates were 33MHz… u Requirements: –{0,1}* {0,1} d for digest size d –Collision-resistance –Preimage resistance –Pseudorandomness u What’s happened since then? u Lots… u What should a hash function --- MD6 -- - look like today?

5 NIST SHA-3 competition! u Input: 0 to 2 64 -1 bits, size not known in advance u Output sizes 224, 256, 384, 512 bits u Collision-resistance, preimage resistance, second preimage resistance, pseudorandomness, … u Simplicity, flexibility, efficiency, … u Due Halloween ‘08

6 Design Considerations / Responses

7 Wang et al. break MD5 (2004) u Differential cryptanalysis (re)discovered by Biham and Shamir (1990). Considers step-by-step ``difference’’ (XOR) between two computations… u Applied first to block ciphers (DES)… u Used by Wang et al. to break collision- resistance of MD5 u Many other hash functions broken similarly; others may be vulnerable…

8 So… MD6 is… u provably resistant to differential attacks (more on this later…)

9 Memory is now ``plentiful’’… u Memory capacities have increased 60% per year since 1991 u Chips have 1000 times as much memory as they did in 1991 u Even ``embedded processors’’ typically have at least 1KB of RAM

10 So… MD6 has… u Large input message block size: 512 bytes (not 512 bits) u This has many advantages…

11 Parallelism has arrived u Uniprocessors have “hit the wall” –Clock rates have plateaued, since power usage is quadratic or cubic with clock rate: P = VI = V 2 /R = O( freq 2 ) (roughly) u Instead, number of cores will double with each generation: tens, hundreds (thousands!) of cores coming soon 4 16 64 256 …

12 So… MD6 has… u Bottom-up tree-based mode of operation (like Merkle-tree) u 4-to-1 compression ratio at each node

13 Which works very well in parallel u Height is log 4 ( number of nodes )

14 But… most CPU’s are small… u Most biomass is bacteria… u Storage proportional to tree height may be too much for some CPU’s…

15 So… MD6 has… u Alternative sequential mode u (Fits in 1KB RAM) IV

16 Actually, MD6 has… u a smooth sequence of alternative modes: from purely sequential to purely hierarchical… L parallel layers followed by a sequential layer, 0  L  64 u Example: L=1: IV

17 Hash functions often ``keyed’’ u Salt for password, key for MAC, variability for key derivation, theoretical soundness, etc… u Current modes are “post-hoc”

18 So… MD6 has… u Key input K of up to 512 bits u K is input to every compression function

19 Generate-and-paste attacks u Kelsey and Schneier (2004), Joux (2004), … u Generate sub-hash and fit it in somewhere u Has advantage proportional to size of initial computation…

20 So… MD6 has… u 1024-bit intermediate (chaining) values u root truncated to desired final length u Location (level,index) input to each node (2,2) (2,0) (2,1) (2,3)

21 Extension attacks… u Hash of one message useful to compute hash of another message (especially if keyed): H( K || A || B ) = H( H( K || A) || B )

22 So… MD6 has… u ``Root bit’’ (aka “z-bit” or “pumpkin bit”) input to each compression function: True

23 Side-channel attacks u Timing attacks, cache attacks… u Operations with data-dependent timing or data-dependent resource usage can produce vulnerabilities. u This includes data-dependent rotations, table lookups (S-boxes), some complex operations (e.g. multiplications), …

24 So… MD6 uses… u Operations on 64-bit words u The following operations only: –XOR –AND –SHIFT by fixed amounts: x >> r >> x << l << 

25 Security needs vary… u Already recognized by having different digest lengths d (for MD6: 1  d  512) u But it is useful to have reduced-strength versions for analysis, simple applications, or different points on speed/security curve.

26 So… MD6 has … u A variable number r of rounds. ( Each round is 16 steps. ) u Default r depends on digest size d : r = 40 + (d/4) u But r is also an (optional) input. d160224256384512 r8096104136168

27 MD6 Compression function

28 Compression function inputs u 64 word (512 byte) data block –message, or chaining values u 8 word (512 bit) key K u 1 word U = (level, index) u 1 word V = parameters: –Data padding amount –Key length (0  keylen  64 bytes) –z-bit (aka ``root bit’’ aka``pumpkin bit”) –L (mode of operation height-limit) –digest size d (in bits) –Number r of rounds u 74 words total

29 Prepend Constant + Map + Chop  1-1 map  const key+UVdata 15 8+2 64 89 words 16 words Prepend Map Chop

30 Simple compression function: Input: A[ 0.. 88 ] of A[ 0.. 16r + 88] for i = 89 to 16 r + 88 : x = S i  A[ i-17 ]  A[ i-89 ]  ( A[ i-18 ]  A[ i-21 ] )  ( A[ i-31 ]  A[ i-67 ] ) x = x  ( x >> r i ) A[i] = x  ( x << l i ) return A[ 16r + 73.. 16r + 88 ]

31 Constants u Taps 17, 18, 21, 31, 67 optimize diffusion u Constants S i defined by simple recurrence; change at end of each 16-step round u Shift amounts repeat each round (best diffusion of 1,000,000 such tables): 0123456789101112131415 riri 10513101112271415713117612 lili 1124916159271562298155319

32 Large Memory (sliding window) 23145321 2 033422 u Array of 16r + 89 64-bit words. u Each computed as function of preceding 89 words. u Last 16 words computed are output.

33 Small memory (shift register) 232156327132631401 SiSi   Shifts u Shift-register of 89 words (712 bytes) u Data moves right to left 89 words

34 Software Implementations

35 Software implementations u Simplicity of MD6: –Same implementation for all digest sizes. –Same implementation for SHA-3 Reference or SHA-3 Optimized Versions. –Only optimization is loop-unrolling (16 steps within one round).

36 NIST SHA-3 Reference Platforms 32-bit64-bit MD6-16044 MB/sec97 MB/sec MD6-22438 MB/sec82 MB/sec MD6-25635 MB/sec77 MB/sec MD6-38427 MB/sec59 MB/sec MD6-51222 MB/sec49 MB/sec SHA-51238 MB/sec202 MB/sec

37 Multicore efficiency SHA-256 MD6-256 Cilk!

38 Efficiency on a GPU u Standard $100 NVidia GPU u 375 MB/sec on one card

39 8-bit processor (Atmel) u With L=0 (sequential mode), uses less than 1KB RAM. u 20 MHz clock u 110 msec/comp. fn for MD6-224 (gcc actual) u 44 msec/comp. fn for MD6-224 (assembler est.)

40 Hardware Implementations

41 FPGA Implementation (MD6-512) u Xilinx XUP FPGA (14K logic slices) u 5.3K slices for round-at-a-time u 7.9K slices for two-rounds-at-a-time u 100MHz clock u 240 MB/sec (two-rounds-at-a-time) (Independent of digest size due to memory bottleneck)

42 Security Analysis

43 Generate and paste attacks (again) u Because compression functions are “location-aware”, attacks that do speculative computation hoping to “cut and paste it in somewhere” don’t work.

44 Property-Preservations u Theorem. If f is collision-resistant, then MD6 f is collision-resistant. u Theorem. If f is preimage-resistant, then MD6 f is preimage-resistant. u Theorem. If f is a FIL-PRF, then MD6 f is a VIL-PRF. u Theorem. If f is a FIL-MAC and root node effectively uses distinct random key (due to z- bit), then MD6 f is a VIL-MAC. u (See thesis by Chris Crutchfield.)

45 Indifferentiability (Maurer et al. ‘04) u Variant notion of indistinguishability appropriate when distinguisher has access to inner component (e.g. mode of operation MD6 f / comp. fn f). MD6 f FIL ROVIL ROS D ? or ?

46 Indifferentiability (I) u Theorem. The MD6 mode of operation is indifferentiable from a random oracle. u Proof: Construct simulator for compression function that makes it consistent with any VIL RO and MD6 mode of operation… u Advantage: ϵ  2 q 2 / 2 1024 where q = number of calls (measured in terms of compression function calls).

47 Indifferentiability (II) u Theorem. MD6 compression function f  is indifferentiable from a FIL random oracle (with respect to random permutation  ). u Proof: Construct simulator S for  and  -1 that makes it consistent with FIL RO and comp. fn. construction. u Advantage: ϵ  q / 2 1024 + 2q 2 / 2 4672  

48 SAT-SOLVER attacks u Code comp. fn. as set of clauses, try to find inverse or collision with Minisat… u With many days of computing: –Solved all problems of 9 rounds or less. –Solved some 10- or 11-round ones. –Never solved a 12-round problem. u Note: 11 rounds ≈ 2 rotations (passes over data)

49 Statistical tests u Measure influence of an input bit on all output bits; use Anderson-Darling A* 2 test on set of influences. u Can’t distinguish from random beyond 12 rounds.

50 Differential attacks don’t work u Theorem. Any standard differential attack has less chance of finding collision than standard birthday attack. u Proof. Determine lower bound on number of active AND gates in 15 rounds using sophisticated backtracking search and days of computing. Derive upper bound on probability of differential path.

51 Differential attacks (cont.) u Compare birthday bound BB with our lower bound LB on work for any standard differential attack. u (Gives adversary fifteen rounds for message modification, etc.) u These bounds can be improved… drBBLB 160802 80 2 104 224962 112 2 130 2561042 128 2 150 3841362 192 2 208 5121682 256 2 260

52 Choosing number of rounds u We don’t know how to break any security properties of MD6 for more than 12 rounds. u For digest sizes 224 … 512, MD6 has 80 … 168 rounds. u Current defaults probably conservative. u Current choice allows proof of resistance to differential cryptanalysis.

53 Summary u MD6 is: –Arguably secure against known attacks (including differential attacks) –Relatively simple –Highly parallelizable –Reasonably efficient

54 THE END MD6 03744327e1e959fbdcdf7331e959cb2c28101166

55

56 Round constants S i u Since they only change every 16 steps, let S’ j be the round constant for round j.  S’ 0 = 0x0123456789abcdef u S’ j+1 = (S’ j <<< 1)  (S’ j  mask)  mask = 0x7311c2812425cfa0

Download ppt "The MD6 Hash Function Ronald L. Rivest MIT CSAIL CRYPTO 2008 (aka “Pumpkin Hash”)"

Similar presentations

Merkle Damgard Revisited: how to Construct a hash Function

Merkle Damgard Revisited: how to Construct a hash Function
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
The Hash Function “Fugue” Shai Halevi William E. Hall Charanjit S. Jutla IBM T. J. Watson Research Center.

The Hash Function “Fugue” Shai Halevi William E. Hall Charanjit S. Jutla IBM T. J. Watson Research Center.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
SHA-1 collision found Lukáš Miňo, Richard Bartuš.

SHA-1 collision found Lukáš Miňo, Richard Bartuš.
TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.

TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Hash and MAC Algorithms

Hash and MAC Algorithms
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,

Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.

Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 89321032 游精允.

The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 游精允.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know.

Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption

Similar presentations

Ads by Google