Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption


Outline

• Compression functions and iterated hashes
• Creating a hash function from a block cipher
• Secure Hash Algorithm-2 (SHA-2)
  – Overall structure
  – Message expansion into round keys
  – Initial digest creation
  – Individual round structure
    • Rotation function
    • Majority function
    • Conditional function

Goals of Hashing Functions

Hashing function must be “one way”

• Easy to compute y = h(M)
• Following must be computationally infeasible:
  – Given message M, find M´ such that h(M) = h(M´) (not vulnerable to preimage attack)
  – Finding any M1 and M2 such that h(M1) = h(M2) (not vulnerable to collision attack)

Compression Functions

What is a hash algorithm?
• Function that compresses message of arbitrary length to m-bit digest

Problem:
• Difficult to assure collision resistance for arbitrary compression function

[Figure: message of arbitrary size → f → m-bit digest]

Compression Functions

• Easier to create function that compresses block of fixed size k > m
• Break message into blocks of fixed size
• Apply compression function to each in some way

[Figure: k-bit message → f → m-bit digest]

Iterated Hash Function

Merkle-Damgard scheme

Iterated Hash Function

• Compression function of form h(M_i, H_{i-1})
  – M_i = i-th message block
  – H_{i-1} = previous message digest
  – H_0 = initial vector known to sender, recipient
• If f is collision resistant, so is entire algorithm

[Figure: n-bit message block M_i and m-bit digest H_{i-1} → f → m-bit digest H_i]

Types of Hash Algorithms

• Based on block ciphers
  – Rebuild existing cipher into compression function
  – Already has desirable properties of cryptographic hash
    • Confusion, diffusion
  – Example: Whirlpool
• “Made from scratch”
  – Specifically designed for hashing
  – Often no clear structure for maximum confusion
  – Examples:
    • Message Digest (MD) by Ron Rivest (obsolete)
    • Secure Hash Algorithm (SHA-2, SHA-3)

Block Ciphers for Hashing

• Rabin scheme
  – “Plaintext” = output of previous stage
  – “Key” = current message block
• Potential vulnerability:
  – Since encryption reversible, could use meet in middle attack
  – Work backwards from final message digest to find another M with same digest

Block Ciphers for Hashing

• Miyaguchi-Preneel scheme (used by Whirlpool)
  – Output of each stage based on XOR of:
    • Output of encryption function
    • Output of previous stage
    • Current message
  – Prevents “meet in middle” attacks
    • Cannot work backwards through encryption functions without knowing input to previous stage
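The iterated hash and the two block-cipher stages above, as an added example that is not part of the original slides. The 64-bit Feistel cipher, the padding rule, the initial vector and all function names are constructed for illustration only.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def _round_fn(key: bytes, rnd: int, half: int) -> int:
    # Toy Feistel round function (constructed for this example, not a real cipher).
    data = key + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def encrypt(key: bytes, block: int, rounds: int = 4) -> int:
    left, right = block >> 32, block & MASK32
    for rnd in range(rounds):
        left, right = right, left ^ _round_fn(key, rnd, right)
    return left << 32 | right

def decrypt(key: bytes, block: int, rounds: int = 4) -> int:
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(rounds)):
        left, right = right ^ _round_fn(key, rnd, left), left
    return left << 32 | right

def rabin_step(h_prev: int, m: bytes) -> int:
    # "Plaintext" = previous digest, "key" = current message block.
    return encrypt(m, h_prev)

def rabin_step_backwards(h_next: int, m: bytes) -> int:
    # Encryption is reversible: anyone holding the block can undo the stage.
    return decrypt(m, h_next)

def miyaguchi_preneel_step(h_prev: int, m: bytes) -> int:
    # XOR of cipher output, previous digest and current block; key = previous digest.
    # Undoing this would need h_prev itself, which is the value being sought.
    m_int = int.from_bytes(m, "big")
    return encrypt(h_prev.to_bytes(8, "big"), m_int) ^ h_prev ^ m_int

def iterated_hash(step, message: bytes, h0: int = 0x0123456789ABCDEF) -> int:
    # Merkle-Damgard chaining over 8-byte blocks; padding appends the length.
    padded = message + b"\x80" + bytes(-(len(message) + 1) % 8)
    padded += len(message).to_bytes(8, "big")
    h = h0
    for i in range(0, len(padded), 8):
        h = step(h, padded[i:i + 8])
    return h
```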

SHA-2

• Background:
  – Based on Merkle-Damgard scheme, Rivest MD5
• Ideas:
  – Large number of rounds (80) for maximum confusion
  – Heavy use of non-invertible functions
    • Combinations of rotation and XOR
    • Condition and majority functions
  – Appearance of “randomness” in initial vector
• Designed for efficiency
  – All operations are very fast in hardware

SHA-2

• 512 bit message digest (secure against brute force attack)
  – Block size: 1024 bits
  – Digest broken down into 64 bit “words” called A – H

SHA-2 Initial Digest

• Initial values of message digest H_0
• Designed for appearance of “randomness”
  – Created from first 8 primes (2, 3, 5, 7, 11, 13, 17, 19)
  – Take square root
  – Take first 64 digits of fractional part

A 6A09E667F3BCC908
B BB67AE8584CAA73B
C 3C6EF372EF94F828
D A54FE53A5F1D36F1
E 510E527FADE682D1
F 9B05688C2B3E6C1F
G 1F83D9ABFB41BD6B
H 5BE0CD19137E2179
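The derivation described above can be reproduced exactly with integer arithmetic. This is an added example, not part of the original slides: it recomputes the eight words from the square roots of the first 8 primes, reading "digits" as binary digits, and reports which words differ from the table as printed here. Function names are chosen for this example.

```python
from math import isqrt

FIRST_8_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19)

# Table exactly as printed on the slide above (transcribed, not corrected).
SLIDE_TABLE = {
    "A": 0x6A09E667F3BCC908, "B": 0xBB67AE8584CAA73B,
    "C": 0x3C6EF372EF94F828, "D": 0xA54FE53A5F1D36F1,
    "E": 0x510E527FADE682D1, "F": 0x9B05688C2B3E6C1F,
    "G": 0x1F83D9ABFB41BD6B, "H": 0x5BE0CD19137E2179,
}

def sqrt_fraction_bits(p, bits=64):
    """First `bits` binary digits of the fractional part of sqrt(p), exact.

    isqrt(p << 2*bits) == floor(sqrt(p) * 2**bits); masking drops the integer part.
    """
    return isqrt(p << (2 * bits)) & ((1 << bits) - 1)

def derive_initial_digest():
    return {name: sqrt_fraction_bits(p) for name, p in zip("ABCDEFGH", FIRST_8_PRIMES)}

def words_differing_from_slide():
    # Maps each mismatching word name to the recomputed value (hex string).
    derived = derive_initial_digest()
    return {n: f"{derived[n]:016X}" for n in derived if derived[n] != SLIDE_TABLE[n]}

if __name__ == "__main__":
    for name, value in derive_initial_digest().items():
        flag = "" if value == SLIDE_TABLE[name] else "   <-- differs from the slide"
        print(f"{name} {value:016X}{flag}")
```

Six of the eight words match the table; the recomputed values for C and D are 3C6EF372FE94F82B and A54FF53A5F1D36F1.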

SHA-2 Compression Function

• 80 rounds
  – Each creates new “intermediate” message digest
• Each round uses “round word” W_i created from the message block
• Final stage is sum (mod 2^64) of:
  – Initial round digest
  – Final round digest

Word Expansion in SHA-2

• Block of 16 words expanded to 80 words
  – Used by 80-round compression function

SHA-2 RotShift Function

• Confusion added with rotation and shifting
• Three different rotations/shifts with results XORed together
• Not invertible

[Figure: RotShift i-j-k = XOR of: right rotation i bits, right rotation j bits, left shift k bits (adding 0’s to end)]

SHA-2 Round Function

• Each round i function of:
  – Previous message digest
  – Word W_i
  – Round “key” K_i created from fractional parts of square root of first 80 prime numbers (like initial message digest values)
  – Ensures different values each round

SHA-2 Round Structure

• Blocks A – C and E – G shifted over one
  – No real effect, other than to make sure every block affected by more complex operations

SHA-2 Round Structure

• New blocks A and E created as function of:
  – All previous blocks A – G
  – Round word W_i and round key K_i using addition mod 2^64

SHA-2 Rotation Function

• Rotate 64-bit block by i, j, and k bits
• Combine with XOR to mix up bits
• A rotated by 28, 34, and 39 bits
• E rotated by 14, 18, and 41 bits

[Figure: Rot i-j-k = XOR of: right rotation i bits, right rotation j bits, right rotation k bits]

SHA-2 Majority Function

• Majority function of (A, B, C):
  – i-th bit of result = 1 if at least 2 of i-th bits of A, B, C = 1
                       = 0 otherwise
  – Example:
      A        = 11001010
      B        = 01101001
      C        = 10011101
      majority = 11001001
  – Idea: No way to reconstruct A, B, C from majority

SHA-2 Conditional Function

• Conditional function of (E, F, G):
  – i-th bit of result = i-th bit of F if i-th bit of E = 1
                       = i-th bit of G otherwise
  – Like “If E then F else G”
  – Example:
      E           = 11001010
      F           = 01101001
      G           = 10011101
      Conditional = 01011101
  – Idea: No way to reconstruct E, F, G from conditional

Addition Mod 2^64

• Binary addition
  – Not same as XOR
• Example:
       110000…00101
     + 100000…01101
     --------------
      1010000…10010 = 010000…10010
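The round pieces from the last few slides (Rot i-j-k, majority, conditional, addition mod 2^64), assembled into a complete SHA-512 and checked against Python's hashlib. This is an added example, not code from the course; it goes beyond the slides in that the word-expansion rotation and shift amounts, the cube-root derivation of the round constants K and the padding rule are taken from FIPS 180-4, and all function names are chosen here.

```python
import hashlib
from math import isqrt

MASK = 2**64 - 1
PRIMES = [p for p in range(2, 410) if all(p % q for q in range(2, p))]  # first 80 primes

def icbrt(n):
    """Floor of the cube root of n (integer Newton iteration)."""
    x = 1 << -(-n.bit_length() // 3)          # power of two above the root
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x

# 64 fractional bits of the roots: square roots give H0, cube roots give K (FIPS 180-4).
H0 = [isqrt(p << 128) & MASK for p in PRIMES[:8]]
K = [icbrt(p << 192) & MASK for p in PRIMES]

def rotr(x, n):
    return (x >> n | x << (64 - n)) & MASK
def rot(x, i, j, k):                          # "Rot i-j-k" from the slides
    return rotr(x, i) ^ rotr(x, j) ^ rotr(x, k)
def maj(a, b, c):                             # bitwise majority of three words
    return (a & b) ^ (a & c) ^ (b & c)
def cond(e, f, g):                            # "if E then F else G", bit by bit
    return (e & f) | (~e & g)
def add64(*terms):                            # addition mod 2^64 (carries, unlike XOR)
    return sum(terms) & MASK

def compress(state, block):
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for t in range(16, 80):                   # expand 16 words to 80 (FIPS 180-4 amounts)
        s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append(add64(w[t - 16], s0, w[t - 7], s1))
    a, b, c, d, e, f, g, h = state
    for t in range(80):                       # only A and E get new values each round
        t1 = add64(h, rot(e, 14, 18, 41), cond(e, f, g), K[t], w[t])
        t2 = add64(rot(a, 28, 34, 39), maj(a, b, c))
        a, b, c, d, e, f, g, h = add64(t1, t2), a, b, c, add64(d, t1), e, f, g
    return [add64(x, y) for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def sha512(msg):
    padded = msg + b"\x80" + bytes((111 - len(msg)) % 128) + (8 * len(msg)).to_bytes(16, "big")
    state = H0
    for i in range(0, len(padded), 128):
        state = compress(state, padded[i:i + 128])
    return b"".join(x.to_bytes(8, "big") for x in state)

def matches_hashlib(msg):
    return sha512(msg) == hashlib.sha512(msg).digest()
```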
