StreamHash2 Hash Function

Michał Trojnara
Institute of Telecommunications
Faculty of Electronics and Information Technology
Warsaw University of Technology
26 May 2010

Source: Instytut Telekomunikacji, cygnus.tele.pw.edu.pl/~zkotulsk/seminarium/trojnara-2010.pdf


Outline

1 Origins of StreamHash Family
  - History
  - Prior Cryptanalysis
2 Hash Functions
  - Requirements
  - Traditional Design
3 StreamHash2
  - StreamHash2 Design
  - Properties
4 Conclusion


History of StreamHash Family

- Jan 2007: NIST published draft of requirements for the SHA-3 competition
- Nov 2007: NIST requested submissions for new hash functions
- Oct 2008: StreamHash function submitted for the SHA-3 competition
- Dec 2008: StreamHash function published by NIST
- Dec 2008: Published attacks against StreamHash function
- 2009-2010: Working on the successor – StreamHash2


Preimage Attack

- Dmitry Khovratovich and Ivica Nikolić, University of Luxembourg
- Multicollision Attack (Antoine Joux: Multicollisions in Iterated Hash Functions, CRYPTO 2004)
- Complexity of $n^2 \cdot 2^{n/4}$ for finding collisions
- Complexity of $n^2 \cdot 2^{n/2}$ for finding preimages
- Issue addressed in StreamHash2 by introducing a counter


Collision Attack

- Tor E. Bjørstad, Department of Informatics, University of Bergen, Norway
- Internal state cycles
- The ⊕ operation of StreamHash did not propagate changes between the four bytes of the 32-byte state word
- Issue addressed by replacing ⊕ operation with �


Functional Requirements

Hash function h(m) is expected to meet the following requirements:

- Input m can be of any length
- Output of h(m) has a predefined, fixed length
- h(m) is fast to compute for any given m


Security Requirements

- Preimage resistance: practically infeasible for any given h(m) to compute m
- Second preimage resistance: for any given message m1 it is practically infeasible to find another m2 such that h(m1) = h(m2)
- Collision resistance: practically infeasible to find two different messages m1 and m2 such that h(m1) = h(m2)


Merkle-Damgård Construction


Davies-Meyer Compression Function

$H_i \leftarrow E_{m_i}(H_{i-1}) \oplus H_{i-1}$
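The traditional design from the two slides above (Merkle-Damgård chaining over a Davies-Meyer compression function), as an added example that is not part of the original slides. XTEA stands in for the block cipher E; the 64-bit digest, the IV, the padding layout and all function names are assumptions chosen for illustration, and the result is a toy, not a secure hash.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
ROUNDS = 32
BLOCK = 16                                # message block m_i doubles as the XTEA key
IV = bytes.fromhex("0123456789abcdef")    # constructed H_0, not a standard value


def _mix(v, s, k):
    # XTEA round function; callers reduce the result modulo 2^32.
    return (((v << 4) ^ (v >> 5)) + v) ^ (s + k)


def xtea_encrypt(key: bytes, block: bytes) -> bytes:
    """E_key(block): 64-bit block, 128-bit key, big-endian words."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + _mix(v1, s, k[s & 3])) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + _mix(v0, s, k[(s >> 11) & 3])) & MASK32
    return struct.pack(">2I", v0, v1)


def xtea_decrypt(key: bytes, block: bytes) -> bytes:
    """D_key(block): inverse of xtea_encrypt."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - _mix(v0, s, k[(s >> 11) & 3])) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - _mix(v1, s, k[s & 3])) & MASK32
    return struct.pack(">2I", v0, v1)


def compress(h_prev: bytes, m_i: bytes) -> bytes:
    """Davies-Meyer step: H_i = E_{m_i}(H_{i-1}) XOR H_{i-1}."""
    e = xtea_encrypt(m_i, h_prev)
    return bytes(a ^ b for a, b in zip(e, h_prev))


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgård strengthening: 0x80, zero fill, 64-bit bit length."""
    zeros = (-(len(msg) + 1 + 8)) % BLOCK
    return msg + b"\x80" + b"\x00" * zeros + struct.pack(">Q", 8 * len(msg))


def toy_hash(msg: bytes, iv: bytes = IV) -> bytes:
    """Chain the compression function over the padded message blocks."""
    h = iv
    padded = md_pad(msg)
    for off in range(0, len(padded), BLOCK):
        h = compress(h, padded[off:off + BLOCK])
    return h


def davies_meyer_fixed_point(m_i: bytes) -> bytes:
    """Chaining value h with compress(h, m_i) == h.

    With h = D_{m_i}(0): E_{m_i}(h) = 0, so E_{m_i}(h) XOR h = h.
    This is a structural property of Davies-Meyer for any cipher E.
    """
    return xtea_decrypt(m_i, bytes(8))


if __name__ == "__main__":
    block = bytes(range(16))              # constructed sample block
    h = davies_meyer_fixed_point(block)
    print("digest('abc')   :", toy_hash(b"abc").hex())
    print("fixed point     :", h.hex())
    print("compress(h, m)  :", compress(h, block).hex())
```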


State Vector

State vector consists of 32-bit words:

- 7 × 32 = 224 bits
- 8 × 32 = 256 bits
- 12 × 32 = 384 bits
- 16 × 32 = 512 bits


NLF Transformation

NLF is a non-linear transformation based on an S-BOX


StreamHash Family Structure


NLF Implementation of StreamHash2 Function

$\mathit{state}_{i+1} \leftarrow \mathit{state}_i$ � $\text{S-BOX}[\mathrm{LSB}(\mathit{state}_i) \oplus b \oplus i]$ � $c$

where:

- b: processed byte value
- c: processed byte index
- i: state vector index
- S-BOX: S-BOX table
- state: state vector


StreamHash2 Advantages – Simplicity

- Clear and easy to analyze design
- Minimal size of code
- Minimal size of variables
- Low size of static data
- Flexible hash value length


StreamHash2 Advantages – Performance

- Easy to parallelize internal structure
- Negligible performance impact of machine endianness
- High performance on 8-bit and 16-bit architectures
- Low latency
- High throughput for short messages


StreamHash2 Disadvantages

- Expensive hardware implementation
- Side-channel attacks on S-BOX lookups
- Mathematical background not well studied in cryptographic applications


Conclusion

- A new family of cryptographic hash functions was proposed
- Security properties of this new family require some further analysis
