Hash Function

PowerPoint presentation. Contents: Hash Functions; Dedicated Hash Functions (useful for lightweight authentication in RFID systems); Message Authentication Codes (CBC-MAC, Nested MAC); Collision Search Attacks.

Text of Hash Function

  • Hash Function

  • Contents
    Hash Functions
    Dedicated Hash Functions (useful for lightweight authentication in RFID systems)
    Message Authentication Codes: CBC-MAC, Nested MAC
    Collision Search Attacks

  • A hash function compresses a binary string of arbitrary length into a fixed-length short message. Used for digital signatures, integrity, authentication, etc.

    h : {0,1}^d → {0,1}^r, d > r
    Other names: hash, hash code/value/result, message digest, checksum, MIC, authentication tag, seal, compression, digital fingerprint, imprint

  • General model: preprocessing followed by iterative processing
    Preprocessing: original input x → append padding bits → append length block → formatted input x = x1, x2, ..., xt
    Iterative processing: H0 = IV; Hi = f(Hi-1, xi) for the compression function f; output h(x) = g(Ht)
    g : output transformation mapping, e.g., identity mapping

  • Properties
    Compression
    One-wayness
      Preimage resistance: Given y, it is computationally infeasible to compute x with y = h(x)
      Second preimage resistance: Given x and h(x), it is computationally infeasible to compute x' ≠ x with h(x') = h(x)
      Collision-free (prevents internal misuse): It is computationally infeasible to find a pair (x, x'), x ≠ x', satisfying h(x) = h(x')
    Efficiency: Easy to compute h(x) for a given x


  • Collision resistance (which means collisions cannot be found efficiently) implies 2nd-preimage resistance

    Collision resistance does not guarantee preimage resistance. Let g be a collision resistant hash function with n-bit output, and define
      h(x) = 1 || x,    if x has bitlength n
      h(x) = 0 || g(x), otherwise
    h is collision resistant with an (n+1)-bit hash, but it is not preimage resistant: a preimage of any value 1 || x is read off directly.
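The separation above, as an added example that is not part of the original slides. It uses truncated SHA-256 as a stand-in for the collision resistant g (an assumption of the example), and carries the leading 0/1 bit in a separate prefix byte rather than as a single bit, which keeps the argument intact: any collision in h forces both inputs into the g branch, so a collision in h is a collision in g, while every value tagged 1 gives up its preimage for free.

```python
import hashlib
import os

N_BITS = 128  # n: output length of the collision resistant g (constructed choice)


def g(x: bytes) -> bytes:
    """Stand-in for a collision resistant n-bit hash g: SHA-256 truncated to n bits."""
    return hashlib.sha256(x).digest()[: N_BITS // 8]


def h(x: bytes) -> bytes:
    """The slide's construction: h(x) = 1 || x if |x| = n, else 0 || g(x).
    The leading bit is stored as a whole prefix byte (0x01 / 0x00) for readability."""
    if len(x) * 8 == N_BITS:
        return b"\x01" + x
    return b"\x00" + g(x)


def find_preimage(y: bytes):
    """Values tagged 1 reveal their input outright. Values tagged 0 would need a
    preimage of g, which this function does not attempt (it returns None)."""
    if len(y) == 1 + N_BITS // 8 and y[0] == 1:
        return y[1:]
    return None


def collision_is_g_collision(x1: bytes, x2: bytes) -> bool:
    """If x1 != x2 and h(x1) == h(x2), both must be in the g branch and g(x1) == g(x2).
    Returns True when that implication holds for the given pair (vacuously if no h-collision)."""
    if x1 == x2 or h(x1) != h(x2):
        return True
    return h(x1)[0] == 0 and h(x2)[0] == 0 and g(x1) == g(x2)


def demo() -> tuple:
    """Pick a random n-bit x (constructed input), hash it, and recover it from the hash alone."""
    x = os.urandom(N_BITS // 8)
    y = h(x)
    recovered = find_preimage(y)
    return recovered == x, h(recovered) == y


if __name__ == "__main__":
    print(demo())                                   # (True, True): the 1-branch leaks its preimage
    print(find_preimage(h(b"short input")))         # None: the g-branch gives nothing away
```

The point a practitioner should take from it: "collision resistant" alone is not a sufficient requirement when a design actually needs one-wayness (for example, for hashed secrets), so the property the system relies on must be named explicitly.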

  • Classification
    Using a key or not
      Keyed hash : MAC (Message Authentication Code)
      Un-keyed hash : MDC (Manipulation Detection Code): OWHF (One Way Hash Function), CFHF (Collision-Free Hash Function)

    By construction
      MAC: Block Cipher-Based (DES-CBC MAC); Hash Function-Based (HMAC)
      MDC: Dedicated Hash Functions (MD class, SHS, HAVAL); Block Cipher-Based (MDC-2, MDC-4); Modular Arithmetic (MASH-1, MASH-2)


  • Random Oracle Model (ROM): model for an ideal hash function
    H() behaves like a random function
    If H() is fixed, the assumption is invalid
    Whenever H() is used, we call an oracle for the random function (a black box containing a random function)
    Good for screening insecure solutions
    Security under the ROM implies security against many (not all!) attacks
    Not a complete proof of security, but a good argument / evidence of security (vs. the standard model)

  • Forgery attacks on MACs
    Universal forgery : Adversary can find an algorithm equivalent to the MAC function
    Selective forgery : Adversary can create a new text-MAC pair for a text of his choice
    Existential forgery : Even if the adversary cannot control the text, he can create a new text-MAC pair

  • Birthday paradox
    Probability p_r that 2 persons among r persons have the same birthday
    (Assumption) each birthday is independent and uniform in the range 1 to m.
    p_r = 1 - (m)_r / m^r = 1 - m! / (m^r (m-r)!) ≈ 1 - e^(-r^2/(2m)), where (m)_r = m(m-1)...(m-r+1)
    If r ≈ √m, p_r ≈ 0.5, e.g., m = 365, r = 23, p_r > 0.5
    An n-bit hash function will collide with probability 0.5 after about √(2^n) = 2^(n/2) operations
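The birthday bound worked through in code, as an added example that is not part of the original slides. It evaluates the exact formula and the exponential approximation for the slide's m = 365, r = 23 case, and then runs the generic birthday search against an n-bit hash built by truncating SHA-256 (a stand-in chosen for the example) so the 2^(n/2) work factor can be observed directly. Inputs are constructed counter-based messages.

```python
import hashlib
import math


def birthday_probability_exact(m: int, r: int) -> float:
    """p_r = 1 - (m)_r / m^r with (m)_r = m(m-1)...(m-r+1), evaluated as a running product
    to avoid the huge factorials in the m! / (m^r (m-r)!) form."""
    no_collision = 1.0
    for i in range(r):
        no_collision *= (m - i) / m
    return 1.0 - no_collision


def birthday_probability_approx(m: int, r: int) -> float:
    """The slide's approximation p_r ≈ 1 - e^(-r^2 / (2m))."""
    return 1.0 - math.exp(-(r * r) / (2.0 * m))


def trials_for_half(n_bits: int) -> float:
    """Solve 1 - e^(-r^2/(2m)) = 0.5 for m = 2^n: r = sqrt(2 ln 2 * 2^n) ≈ 1.18 * 2^(n/2)."""
    return math.sqrt(2.0 * math.log(2.0) * 2.0 ** n_bits)


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """An n-bit hash obtained by keeping the top n bits of SHA-256 (constructed stand-in)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n_bits)


def find_collision(n_bits: int, max_trials: int = 1 << 24):
    """Generic birthday search: hash constructed messages, remember every digest seen,
    and stop at the first repeat. Returns (msg1, msg2, trials) or None if the budget runs out.
    Memory grows with the number of trials, i.e. about 2^(n/2) entries."""
    seen = {}
    for i in range(max_trials):
        msg = b"constructed-message-%d" % i
        digest = truncated_hash(msg, n_bits)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg
    return None


if __name__ == "__main__":
    print("exact  p_23 (m=365):", round(birthday_probability_exact(365, 23), 4))
    print("approx p_23 (m=365):", round(birthday_probability_approx(365, 23), 4))
    n = 32
    print("expected trials for 50%% at n=%d: %.0f" % (n, trials_for_half(n)))
    m1, m2, trials = find_collision(n)
    print("collision after", trials, "trials:", m1, m2, hex(truncated_hash(m1, n)))
```

For n = 32 the search finishes in tens of thousands of hash calls, which is the practical meaning of the last line of the slide: a hash output must be at least twice as long as the security level it is expected to provide against collisions.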


  • Design criteria
    All input values must affect the computed hash value. (Ex) Cryptanalysis of Snefru
    No trapdoor
    The length of the hash value must be greater than 128 bits, to guarantee a breaking complexity of 2^64 by brute-force attack: 1 month with a 10M $ machine in '94; expected cost today: less than 100,000 $
    Maximum error propagation from input to output.


  • Extend a compression function f to a hash function h so that the resulting hash function is collision resistant if the compression function is.
    H0 = IV, Hi = f(Hi-1, xi), 1 ≤ i ≤ t, h(x) = Ht
    f : h's primitive hash function (a compression function)
    Hi : chaining variable from step i-1 to step i

  • Block cipher-based compression functions (H0 = IV in each case; E_K is the block cipher under key K)
    Matyas-Meyer-Oseas : Hi = E_g(Hi-1)(xi) ⊕ xi
    Davies-Meyer       : Hi = E_xi(Hi-1) ⊕ Hi-1
    Miyaguchi-Preneel  : Hi = E_g(Hi-1)(xi) ⊕ xi ⊕ Hi-1

  • These yield an m-bit hash using an n-bit block cipher with a k-bit key. All of them are secure assuming the block cipher satisfies the required randomness properties.

    Hash Function          (n,k,m)       Rate (k/m)
    Matyas-Meyer-Oseas     (n,k,n)       1
    Davies-Meyer           (n,k,n)       k/n
    Miyaguchi-Preneel      (n,k,n)       1
    MDC-2 (w/ DES)         (64,56,128)
    MDC-4 (w/ DES)         (64,56,128)   1/4
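The three modes above wired into the iterated construction of the previous slide, as an added example that is not part of the original slides. Since Python ships no block cipher, the example uses a constructed 64-bit toy Feistel cipher (toy_encrypt / toy_decrypt, no security claimed) purely so that E_K is a real keyed permutation; with n = k = 64 the key-mapping g is the identity. The padding, IV and the helper names are the example's own choices.

```python
import struct

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def _round_keys(key: int) -> list:
    """Constructed toy key schedule: eight 32-bit subkeys from a 64-bit key."""
    subkeys = []
    for r in range(8):
        key = ((key << 13) | (key >> 51)) & MASK64
        key = (key * 0x9E3779B97F4A7C15 + r) & MASK64
        subkeys.append(key & MASK32)
    return subkeys


def _f(right: int, k: int) -> int:
    """Toy Feistel round function: subkey xor followed by a multiply/shift mixer."""
    x = (right ^ k) & MASK32
    x = (x * 0x45D9F3B) & MASK32
    x ^= x >> 16
    x = (x * 0x45D9F3B) & MASK32
    return (x ^ (x >> 16)) & MASK32


def toy_encrypt(key: int, block: int) -> int:
    """E_key(block): 64-bit block, 64-bit key, 8 Feistel rounds (n = k = 64)."""
    left, right = block >> 32, block & MASK32
    for k in _round_keys(key):
        left, right = right, left ^ _f(right, k)
    return (right << 32) | left  # undo the final swap so decryption reuses the same loop


def toy_decrypt(key: int, block: int) -> int:
    left, right = block >> 32, block & MASK32
    for k in reversed(_round_keys(key)):
        left, right = right, left ^ _f(right, k)
    return (right << 32) | left


# The slide's three single-block-length compression functions, g = identity because n = k.
def matyas_meyer_oseas(h_prev: int, x_i: int, E=toy_encrypt) -> int:
    return E(h_prev, x_i) ^ x_i            # Hi = E_g(Hi-1)(xi) xor xi


def davies_meyer(h_prev: int, x_i: int, E=toy_encrypt) -> int:
    return E(x_i, h_prev) ^ h_prev         # Hi = E_xi(Hi-1) xor Hi-1


def miyaguchi_preneel(h_prev: int, x_i: int, E=toy_encrypt) -> int:
    return E(h_prev, x_i) ^ x_i ^ h_prev   # Hi = E_g(Hi-1)(xi) xor xi xor Hi-1


def md_strengthen(msg: bytes, block_bytes: int = 8) -> bytes:
    """Append a 1 bit, zeros, and the 64-bit big-endian message length (length block)."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % block_bytes)
    return padded + struct.pack(">Q", (len(msg) * 8) & MASK64)


IV = 0x0123456789ABCDEF  # constructed fixed IV


def iterated_hash(msg: bytes, f, iv: int = IV) -> int:
    """H0 = IV, Hi = f(Hi-1, xi) for 1 <= i <= t, h(x) = Ht, over 64-bit blocks xi."""
    h = iv
    padded = md_strengthen(msg)
    for off in range(0, len(padded), 8):
        x_i = int.from_bytes(padded[off:off + 8], "big")
        h = f(h, x_i)
    return h


def hamming_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    for name, f in [("MMO", matyas_meyer_oseas), ("DM", davies_meyer), ("MP", miyaguchi_preneel)]:
        h1, h2 = iterated_hash(b"abc", f), iterated_hash(b"abd", f)
        print(name, hex(h1), hex(h2), "bits changed:", hamming_distance(h1, h2))
```

Each mode uses one block-cipher call per message block, which is the rate of 1 in the table; the feed-forward xor is what makes the compression function non-invertible even though E_K itself is a permutation.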

  • MASH: Modular Arithmetic Secure Hash algorithm
    Weakness: Efficiency (and insecurity)

    Quadratic congruential hash: Hi = (xi + Hi-1)^2 mod N, H0 = 0, where N = Mersenne prime 2^31 - 1
    Variants: Hi = (xi ⊕ Hi-1)^2 mod N ⊕ xi;  Hi = (xi ⊕ Hi-1)^e mod N

  • Dedicated Hash Functions

  • Preprocessing a message x
    1. Padding: d = (447 - |x|) mod 512
    2. Length of the message: n = |x| mod 2^64, |n| = 64 bits
    3. M = x || 1 || 0^d || n, a multiple of 512 bits, where || denotes concatenation

    * little-endian : W = 2^24 B4 + 2^16 B3 + 2^8 B2 + B1 (B1: lowest address)


  • Message Block (figure: one step of the form A = (A + f(B,C,D) + X[0]))

  • MD4 algorithm
    1. Preprocess: M is 512 * N bits (512 bits = 16 words)
    2. Define 32-bit constants: A = 67452301h, B = efcdab89h, C = 98badcfeh, D = 10325476h
    3. for i = 0 to N/16 - 1 do (N mod 16 = 0)
       3-1. for j = 0 to 15 do X[j] = M[16i + j] (M[i] : 32-bit string)
       3-2. AA = A, BB = B, CC = C, DD = D
       3-3. Round 1 (for j = 0..15), Round 2 (for j = 16..31), Round 3 (j = 32..47)
       3-4. A = A + AA, B = B + BB, C = C + CC, D = D + DD, where + is modular addition over 2^32
    4. output A || B || C || D


  • MD5: changes from MD4
    Add a 4th round (16 steps) to MD4
    Change the g function in round 2 from the symmetric function (X∧Y) ∨ (X∧Z) ∨ (Y∧Z) to the non-symmetric function (X∧Z) ∨ (Y∧¬Z)
    Modify the access order for message words in Rounds 2 and 3
    Modify the shift amounts
    Use unique constants in each of the 4 × 16 steps
    Each step is added to the output of the previous step to achieve the avalanche effect as early as possible.
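The preprocessing, constants, round structure and MD5 modifications of the preceding slides, assembled into a complete MD5 in Python as an added example (not code from the original slides). The shift table and the "unique constant per step" rule T[i] = floor(2^32 |sin(i+1)|) are taken from RFC 1321; the example checks its own output against hashlib so every claim in it can be verified, and it is for study only since hashlib is what production code should use.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Per-step shift amounts (four per round) and the 64 unique additive constants (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def _rotl(x: int, c: int) -> int:
    return ((x << c) | (x >> (32 - c))) & MASK32


def md_pad(msg: bytes) -> bytes:
    """Steps 1-3 of the slide's preprocessing: append a 1 bit, 0^d, then the 64-bit
    little-endian bit length, so the result is a multiple of 512 bits."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def md5(msg: bytes) -> bytes:
    # Initial chaining values A, B, C, D from the slide (stored little-endian as 32-bit words)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = md_pad(msg)
    for off in range(0, len(padded), 64):
        X = struct.unpack("<16I", padded[off:off + 64])  # 16 little-endian message words
        a, b, c, d = A, B, C, D                            # AA = A, BB = B, CC = C, DD = D
        for j in range(64):
            if j < 16:    # Round 1: F = (X and Y) or (not X and Z); words used in order
                f, g = (b & c) | (~b & d), j
            elif j < 32:  # Round 2: MD5's non-symmetric G = (X and Z) or (Y and not Z); order 5j+1
                f, g = (b & d) | (c & ~d), (5 * j + 1) % 16
            elif j < 48:  # Round 3: H = X xor Y xor Z; order 3j+5
                f, g = b ^ c ^ d, (3 * j + 5) % 16
            else:         # Round 4 (added in MD5): I = Y xor (X or not Z); order 7j
                f, g = c ^ (b | ~d), (7 * j) % 16
            f = (f + a + T[j] + X[g]) & MASK32
            # Each step's result feeds the next step's b (avalanche as early as possible)
            a, d, c, b = d, c, b, (b + _rotl(f, S[j])) & MASK32
        A, B, C, D = (A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32, (D + d) & MASK32
    return struct.pack("<4I", A, B, C, D)  # output A || B || C || D


def md5_hex(msg: bytes) -> str:
    return md5(msg).hex()


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check against the C implementation in the standard library."""
    return md5(msg) == hashlib.md5(msg).digest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 64):
        print(len(m), md5_hex(m), matches_hashlib(m))
```

The 55/56/64-byte inputs exercise the padding boundary: 55 bytes fit in one block with room for the length field, 56 bytes force a second block.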


  • (figure) MD5 structure: message block → Round 1 → Round 2 → Round 3 → Round 4 over the state A, B, C, D; each step is the nonlinear operation FF(a, b, c, d, Mj, ti, s)
  • SHA-1
    160-bit hash value (5 words), big-endian
    4-round hash, each round has 20 steps
    Changed internal primitive functions and constants:
      Ft(B,C,D) = (B ∧ C) ∨ (¬B ∧ D)              0 ≤ t ≤ 19
      Ft(B,C,D) = B ⊕ C ⊕ D                       20 ≤ t ≤ 39
      Ft(B,C,D) = (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)      40 ≤ t ≤ 59
      Ft(B,C,D) = B ⊕ C ⊕ D                       60 ≤ t ≤ 79
    Secure Hash Standard (SHS), FIPS Pub 180-1, 1995. For details, refer to p.138.

  • Speed comparison (measured on a 486SX, 33 MHz)

    Algorithm               Length     Speed (Kb/s)
    Davies-Meyer with DES   64         9
    HAVAL (3 pass)          variable   168
    HAVAL (4 pass)          variable   118
    HAVAL (5 pass)          variable   95
    MD2                     128        23
    MD4                     128        236
    MD5                     128        174
    N-Hash (12 round)       128        29
    N-Hash (15 round)       128        24
    RIPEMD                  128        182
    SHA-1                   160        75

  • Nested MAC algorithm from the composition of two (keyed) hash families
    The Keyed-Hash Message Authentication Code (HMAC), FIPS Pub 198, 2002
    HMAC_K(x) = SHA-1[(K ⊕ opad) || SHA-1((K ⊕ ipad) || x)]
    where ipad = 3636...36, opad = 5C5C...5C (hex), K : 512-bit key, x : message to be authenticated
    Secure against unknown-key collision attack
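The HMAC formula above implemented directly, as an added example that is not part of the original slides. It follows the FIPS 198 key handling (keys longer than the 512-bit block are hashed first, shorter keys are zero-padded), checks itself against the standard library's hmac module, and shows the receiver-side verification with a constant-time comparison. Test keys and messages are constructed.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 block size in bytes: the 512-bit K of the slide


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC_K(x) = SHA-1[(K xor opad) || SHA-1((K xor ipad) || x)], ipad = 0x36.., opad = 0x5C.."""
    if len(key) > BLOCK:                       # FIPS 198: long keys are first hashed
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")            # then zero-padded to one block (512 bits)
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(k_ipad + msg).digest()  # inner (keyed) hash over the message
    return hashlib.sha1(k_opad + inner).digest() # outer (keyed) hash over the inner result


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check against the standard library for the same key and message."""
    return hmac.compare_digest(hmac_sha1(key, msg), hmac.new(key, msg, hashlib.sha1).digest())


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time, never with ==."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)


if __name__ == "__main__":
    key = b"\x0b" * 20                          # constructed key (RFC 2202 style test key)
    msg = b"Hi There"
    tag = hmac_sha1(key, msg)
    print(tag.hex())
    print("accepted:", verify_tag(key, msg, tag))
    print("tampered accepted:", verify_tag(key, msg + b"!", tag))
```

The two keyed passes are what make the construction a nested MAC: the message is only ever hashed under the inner key, and the outer pass hides the inner chaining value, which is why the result is treated as a MAC rather than as a plain keyed hash.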

  • SHS: Secure Hash Standard; RIPE: Race Integrity Primitives Evaluation

    Name         Designer                   Year   Bits              Characteristics                              Security
    MD4          Rivest (US)                1990   128               32-bit op., 3 rounds; Boolean ft of deg 4     Collision (95) (2^20 oper.)
    MD5          Rivest (US)                1991   128               Modified MD4; 4 rounds; primitive ft          Collision (96)
    SHA-1        NIST                       1993   160               Modified MD4; Federal Standard                Collision search (05)
    HAVAL        Seberry et al. (Australia) 1992   Var. (128~256)    Exp. of MD5 (3,4,5 R); Boolean ft of deg 7    Collision search of HAVAL-128 (05)
    RIPEMD-160   RIPE (Europe)              1997   160               Modified MD4; 2 indep. ft                     Collision search (05)
    HAS-160      KISA (Korea)               1998   160               -

  • Collision Search Attacks

  • History
    Chabaud and Joux [Cr98]: SHA-0, 2^61, local collision and disturbance vector
    Biham and Chen [Cr04]: Near-collision attack on SHA-0, 2^40
    Biham, Joux and Chen [Cr04 rump, EC05]: First real collision on SHA-0 (4 message blocks) found; collision attack on SHA-1 reduced to 50+ steps
    Rijmen and Oswald [RSA-CT05]: Collision attack on SHA-1 reduced to 53 steps.

  • X. Wang, Y.L. Yin and H. Yu, "Finding Collisions in the Full SHA-1", Proc. of Crypto 2005, pp. 17-36, LNCS 3621

    X. Wang, H. Yu and Y.L. Yin, "Efficient Collision Search Attacks on SHA-0", Proc. of Crypto 2005, pp. 1-16, LNCS 3621

    X.Y. Wang, D.G. Feng, X.J. Lai and H.B. Yu, "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD", IACR ePrint 2004/199 and Crypto 2005 Rump Session


  • Outline of the collision search
    1. Find a disturbance vector with low Hamming weight (differences taken as subtractions mod 2^32)
    2. Construct differential paths by specifying conditions so that the differential path occurs with high probability
    3. Generate a message randomly, modify it using message modification techniques, and find a collision

  • Complexity of the best known attacks: MD4 : 2^6, MD5 : 2^33, SHA-0 : 2^39, SHA-1 : 2^69

    More complex message preprocessing can provide more security, but in SHA-1 the message expansion does not seem to have enough avalanche effect
    All step functions have unexpected weaknesses
    Addition and Boolean functions can facilitate the attack

    More analysis is needed for SHA-256, -384, -512, which were defined in the Secure Hash Standard (SHS), FIPS 180-2, Aug 2002

  • Message collision for 58-step SHA-1 (figure)