Hash Functions

References: Chapter 11
 Cryptographic Hash Function
Motivation
Problem:
Naive signing of long messages generates a signature of same length.

Three Problems
Computational overhead
Message overhead
Security limitations
Solution:
Instead of signing the whole message, sign only a digest (=hash)
Also secure, but much faster
Needed:
Hash Functions
 Digital Signature with a Hash Function

xi
Notes:
zi = h( xi || zi-1 ) x has fixed length
z, y have fixed length
z, x do not have equal length in general
z
h(x) does not require a key.
sigkprz) h(x) is public.

y = sigkpr(z)
 Basic Protocol for Digital Signatures with a Hash Function:

Alice Kpub Bob

z = h(x)
s = sigKpr(z)
(x, s)
z' = h(x)
verKpub(s,z')=true/false
 Principal inputoutput behavior of hash functions
Content of this Chapter

Why we need hash functions

How does it work
Security properties
Algorithms
Example: The Secure Hash Algorithm SHA-1
 The three security properties of hash functions
 Hash Funktionen: Security Properties

Preimage resistance: For a given output z, it is impossible to nd any

input x such that h(x) = z, i.e., h(x) is one-way.

Second preimage resistance: Given x1, and thus h(x1), it is computa-

tionally infeasible to nd any x2 such that h(x1) = h(x2).

Collision resistance: It is computationally infeasible to nd any pairs

x1 x2 such that h(x1) = h(x2).
 A function that is collision resistant is also second preimage
resistant, but the reverse is not necessarily true.A function can
be collision resistant but not preimage resistant and vice
versa. A function can be collision resistant but not second
preimage resistant and vice versa
 Hash
Functions &
Message
Authentication

Confidentiality &
Integrity
Relations
 Other Hash Function Uses
to create a one-way password file

store hash of password not actual password

for intrusion detection and virus detection
keep & check hash of files on system
pseudorandom function (PRF) or pseudorandom
number generator (PRNG)
 Hash Resistance Properties for Data Integrity Application
Hash Function Requirements

Strong and Weak Hash Function Pseudorandomness

 Attacks on Hash Functions

have brute-force attacks and cryptanalysis (TMTO Attack)

a preimage or second preimage attack
find y s.t. H(y) equals a given hash value
collision resistance
find two messages x & y with same hash so H(x) = H(y)
hence value 2m/2 determines strength of hash code against
brute-force attacks
128-bits inadequate, 160-bits suspect
Birthday
Attacks

might think a 64-bit

hash is secure!!!
but by Birthday
Paradox is not

birthday attack works

thus:
conclusion is that need
to use larger
MAC/hash
Content of this Chapter

Why we need hash functions

How does it work
Security properties
Algorithms
Example: The Secure Hash Algorithm SHA-1
 Hash Funktionen: Algorithms

Hash Algorithms

Special Algorithms, based on

e.g. MD5 - family block ciphers

MD5 - family
SHA-1: output - 160 Bit; input - 512 bit chunks of message x; (NIST 93-
95) Also The Hash of DSS
operations - bitwise AND, OR, XOR, complement und cyclic shifts.
RIPE-MD 160: output - 160 Bit; input - 512 bit chunks of message x;
operations like in SHA-1, but two in parallel and combinations of them
after each round.
 That is Merkle-Damgard Strucure if the compression
function is collision resistant

the structure can be used to produce a secure hash function to operate on a

message of any length.
Cryptanalysis of hash functions focuses on the internal structure of f and is based on
attempts to find efficient techniques for producing collisions for a single execution of f
Block Ciphers as Hash Functions
can use block ciphers as hash functions
using H0=0 and zero-pad of final block
compute: Hi = EMi [Hi-1]
and use final block as the hash value
similar to CBC but without a key
resulting hash is too small (64-bit)
both due to direct birthday attack
and to meet-in-the-middle attack
other variants also susceptible to attack
 Meet-in-the-Middle Attack on CBC-based Hash Functions
Secure Hash Algorithm (SHA)
SHA originally designed by NIST & NSA in 1993
was revised in 1995 as SHA-1
US standard for use with DSA signature scheme
standard is FIPS 180-1 1995, also Internet RFC3174
nb. the algorithm is SHA, the standard is SHS
based on design of MD4 with key differences
produces 160-bit hash values
recent 2005 results on security of SHA-1 have
raised concerns on its use in future applications
 Revised Secure Hash Standard
NIST issued revision FIPS 180-2 in 2002
adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512
designed for compatibility with increased security provided
by the AES cipher
structure & detail is similar to SHA-1
hence analysis should be similar
but security levels are rather higher
SHA-512 Overview
the structure of SHA-512, noting that the other versions are quite similar.
SHA-512 Compression Function
heart of the algorithm
processing message in 1024-bit blocks
consists of 80 rounds
updating a 512-bit buffer
using a 64-bit value Wt derived from the current
message block
and a round constant based on cube root of first 80
prime numbers
 SHA-512 Processing of a Single 1024-Bit Block

31/23
 SHA-512 Round Function
 SHA-512 Round Function
 SHA-1: Internals of a Round

Stage t Round j Constant Kt Function ft

1 0019 K=5A827999 f(B,C,D)=(BC)(BD)
2 2039 K=6ED9EBA1 f(B,C,D)=BCD
3 4059 K=8F1BBCDC f(B,C,D)=(BC)(BD)(CD)
4 6079 K=CA62C1D6 f(B,C,D)=BCD
 SHA-3

SHA-1 not yet "broken

but similar to broken MD5 & SHA-0
so considered insecure
SHA-2 (esp. SHA-512) seems secure
shares same structure and mathematical operations as predecessors so have
concern
NIST announced in 2007 a competition for the SHA-3 next gen NIST hash function
goal to have in place by 2012 but not fixed
 SHA-3 Requirements

replace SHA-2 with SHA-3 in any use

so use same hash sizes
preserve the online nature of SHA-2
so must process small blocks (512 / 1024 bits)
evaluation criteria
security close to theoretical max for hash sizes
cost in time & memory
characteristics: such as flexibility & simplicity
CRYPTOGRAPHIC HASH PROJECT

NIST issued a Federal Register Notice in November 2007 for candidate hash algorithms
for public comment
NIST received 64 entries from cryptographers around the world by October 31, 2008
NIST announced five third-round candidates, BLAKE, Grstl, JH, KECCAK & Skein, to
enter the final round of the competition

37
 SHA-3 Hash Function

NIST announced Keccak as the winner of the SHA-3

Cryptographic Hash Algorithm Competition on October 2,
2012.
KECCAK was designed by a team of cryptographers from
Belgium and Italy, they are:

Michal Peeters (Belgium)

Guido Bertoni (Italy),
Gilles V. Assche (Belgium)
Joan Daemen (Belgium)

38
 New Attacks on SHA-3

Asiacrypt 2012,

Keccak is currently the hottest target for cryptanalysis!

Lots of interesting observations, but very few published attacks

Our New Cryptanalytic Technique: Self-Differential

Cryptanalysis

39
40
41
 Further Informations: Hash-Funktionen

Overview over many Hash Functions with Spezifications:

http://ehash.iaik.tugraz.at/wiki/The_Hash_Function_Zoo
Birthday Paradox: Wikipedia has a nice explanation
http://en.wikipedia.org/wiki/Birthday_problem
SHA Standards
SHA1+2: http://csrc.nist.gov/publications/fips/fips180-2/fips180-
2withchangenotice.pdf
SHA3 Overview: http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo
CrypTool is a learning program which also can hash:
http://www.cryptool.org/