JH Review Group 3

Jan 01, 2016


anne-beard

Transcript
Page 1: JHReview

JHReview

Group 3

Page 2: JHReview

Outline

Why we choose JH

Description of JH

Comments of NIST and MIT students

Preimage Attack by Mendel and Thomsen

Analysis of Author in Round1 and Round2

Compare with CubeHash

Reference

Page 3: JHReview

Why we choose JH

ECHO... Preimage Attack Simplicity

Page 4: JHReview

Description of JH

Normal padding

Split into 512-bit-long blocks M_i (1 <= i <= n)

Init H_0

H_i = f(M_i, H_{i-1}) (1 <= i <= n)

f = f_8 = F8 in our descriptions

Truncate H_n to get the hash value

Page 5: JHReview

Description of JH (Jump this)

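Our Description 1: The JH algorithm first pads the message using the scheme covered in class: append a 1, then a number of 0s, then a binary number representing the length, giving an initial message of 512n bits. This is split into n segments of 512 bits each, which are then hashed. The hashing process is very simple and mainly uses one function, F8, which takes a 512-bit message segment and a 1024-bit hash value and computes a new 1024-bit hash value. At the start, the algorithm generates an initial value H0 from the length, then applies F8 to the n 512-bit message segments M1, M2, and so on to obtain H1, H2, ... The final Hn is the result. If the required hash value is m bits long, the last m bits of Hn are extracted.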

Page 6: JHReview

Description of JH (Jump this)

Our Description 2: The main hash first pads the message to a multiple of 512 bits, with the length of the message included in the padding. After padding, the message is split into blocks of 512 bits. Then, starting from an initial hash value H^(0) (1024-bit), the algorithm iteratively uses a compression function F8 to compress each block, resulting in a final hash value H^(N). Finally, H^(N) is truncated into a message digest of the designated length.

Page 7: JHReview

Description of JH (Jump this)

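Our Description 3: The functions used in the JH algorithm are all common processing steps used in hashing. JH compresses fixed-length data (F_d) using two S-boxes, several permutations, and linear transformations. Given an input, JH first performs ordinary padding and block splitting, then computes an initial H^(0) from the length of the message digest, and then applies the F_d function for a number of rounds to obtain the final hash value. Overall, JH's algorithm is fairly simple and conventional. I think JH has no real innovation in data processing; its security is achieved mainly by carefully designing the execution steps of each sub-procedure and by increasing the block length and the number of rounds. However, precisely because the algorithms JH uses are so "mainstream", it is convenient for us to analyze its security and running efficiency.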

Page 8: JHReview

Compression Function

E is a permutation of 1024 elements

Page 9: JHReview

Comments of NIST

“JH uses a novel construction, somewhat reminiscent of a sponge construction, to build a hash algorithm out of a single, large, fixed permutation. The fixed permutation is an SP network, combining two 4-bit S-boxes with a set of linear mixing operations and bit permutations. All nonlinearity in this design is derived from the S-boxes. The most innovative part of this design is the compression function construction, which XORs a 512-bit message block into the left half of the input of the fixed permutation, and then XORs the same message block into the right half of the output of the fixed permutation. The design of the fixed permutation is also new.”

Page 10: JHReview

Comments of NIST

JH’s performance is good, and has modest memory requirements. Unlike most second-round candidates, all output sizes of JH use the same function, but with different initial hash values and different amounts of truncation at the end. The most serious cryptanalytic result on JH is a theoretical preimage attack on the 512-bit version, which is barely cheaper than a brute force attack. As this attack does not appear to threaten the design, it does not concern us. However, the compression function construction of JH is not well-understood, and the submitter did not provide a great deal of analysis of this construction.
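Added example, not part of the original slides: a Python toy model of the JH mode described above (pad, split into 512-bit blocks, H_i = f(M_i, H_{i-1}), truncate) and of the compression function construction NIST describes. The permutation `E`, the all-zero H_0 and the byte-level padding are assumptions of this sketch, not JH's real E8, initial value or padding, so its outputs are not JH digests.

```python
# Toy model of the JH mode. E is a stand-in permutation, NOT JH's real E8.
STATE, BLOCK = 128, 64          # 1024-bit state, 512-bit message block (bytes)
SBOX = [(167 * x + 13) % 256 for x in range(256)]   # bijective: 167 is odd
INV_SBOX = [0] * 256
for i, v in enumerate(SBOX):
    INV_SBOX[v] = i

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(s, rounds=8):
    """Stand-in 1024-bit permutation: substitute bytes, rotate, add round constant."""
    for r in range(rounds):
        s = bytes(SBOX[b] for b in s)
        s = s[1:] + s[:1]
        s = xor(s, bytes([r]) * STATE)
    return s

def E_inv(s, rounds=8):
    """Inverse of E: undo each round in reverse order."""
    for r in reversed(range(rounds)):
        s = xor(s, bytes([r]) * STATE)
        s = s[-1:] + s[:-1]
        s = bytes(INV_SBOX[b] for b in s)
    return s

def f(m, h):
    """H_i = f(M_i, H_{i-1}): XOR M into the left half before E, right half after."""
    return xor(E(xor(h, m + bytes(BLOCK))), bytes(BLOCK) + m)

def f_inv(m, h_next):
    """Recover H_{i-1} from H_i and M_i; possible because E is a permutation."""
    return xor(E_inv(xor(h_next, bytes(BLOCK) + m)), m + bytes(BLOCK))

def pad(msg):
    """Byte-level '1, zeros, length' padding (simplified; assumption of this example)."""
    zeros = (-(len(msg) + 1 + 16)) % BLOCK
    return msg + b"\x80" + bytes(zeros) + (8 * len(msg)).to_bytes(16, "big")

def toy_hash(msg, digest_bytes=32, h0=bytes(STATE)):
    """Return (digest, chaining values H_0..H_n); digest is the last bytes of H_n."""
    data, chain = pad(msg), [h0]
    for i in range(0, len(data), BLOCK):
        chain.append(f(data[i:i + BLOCK], chain[-1]))
    return chain[-1][-digest_bytes:], chain
```

`f_inv` makes the structural point concrete: with the message block known, each chaining value determines the previous one, so the compression function on its own is not one-way in the chaining input.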

Page 11: JHReview

Comments of MIT Students (?)

“We found that in terms of quality and depth of proofs, Lesamnta offered the best security analysis. The authors offered extensive analysis of the security features of all parts of the Lesamnta algorithm, including the modes of operation and the underlying compression function. In addition, they showed that Lesamnta was provably secure against both common and emerging attacks against hash functions. Particularly impressive was that Lesamnta was shown to be provably secure against known key distinguisher attacks, something that we did not even see mentioned in other papers.”

Page 12: JHReview

Comments of MIT Students (?)

“Among the other submissions, SHAvite-3 was a close second in terms of security analysis. Though they too offered a good number of proofs against many common attacks, their analysis was not quite as in depth as that of Lesamnta. The other algorithms, FSB and JH, were often very simplistic in their assumptions and limited in the types of attacks that they were able to prove security against.”

Page 13: JHReview

Keywords

Compression Function: new, not well understood

Security Analysis: not enough

Simplicity and Performance: good

Page 14: JHReview

Preimage Attack by Mendel and Thomsen

“we present a generic preimage attack on JH-512. We do not claim that our attack breaks JH-512 (due to the high memory requirements), but it uses some interesting properties in the design principles of JH-512 which do not exist in other hash functions, e.g., the SHA-2 family.”

Compression Function

Page 15: JHReview

Observations

Page 16: JHReview

Attack Detail

Given H_4 (final hash value), use M_4 to get H_3 (Obs.1), where M_4 is an arbitrary block satisfying the padding scheme.

Enumerate M_3 to get enough pairs of (H_2, M_3) where f(H_2, M_3) = H_3

Find multiple collisions H_1^k (0 <= k < r), preparing for Obs.2

Using Obs.2 to enumerate M_2^k satisfying f(H_1^k, M_2^k) = (H_2, M_3)

Page 17: JHReview

Attack Analysis

Suppose that f satisfies a Poisson distribution => multiple collisions

Use Obs.2 to skip some compression function calculations. However, very poor: 2^510.3 => (2^510.3) * 51

The reason for 51 and 510.3: balancing the complexity of finding multiple collisions

Page 18: JHReview

Attack Result

No effect on JH's security (So we ignore Author's defence)

Just some interesting things about Compression Function

“Nevertheless, we think that the attack shows some interesting properties of JH-512, which do not exist in other hash functions. Maybe these properties can be combined with a dedicated preimage attack on JH-512 in the future. At the moment, our attack does not compromise the security claims of JH-512.”

Page 19: JHReview

Author's Analysis

Paullzn and Chimney Liu's Reports (click the hyperlink above to see the report)

Page 20: JHReview

Compare With CubeHash

What is CubeHash?

A very SIMPLE cryptographic hash function.

Algorithm introduction in 2 pages.

Process: Initialization; Padding & Blocking; Identical rounds to change states; Finalization

Ten steps per round with only xor, add, and rotate

“That's it”

Page 21: JHReview

Compare With CubeHash

JH CubeHash

Performance Hardware optimized (Bit-Slice) SSE2 optimized

Modest memory requirements SIMD optimized

Security Most serious result barely cheaper than brute force. Lack of analysis on compression function.

Best-understood candidate. Semi-free-start collision and the symmetry properties the most troubling.

Variants

(Performance & security trade-off)

Relatively fixed (Algorithm limitation)

Variable (2 tunable parameters)

Easy to choose parameters for different requirements

A little bit hard to design proper combination of parameters

Compression function construction

Page 22: JHReview

Reference

JH: http://icsd.i2r.a-star.edu.sg/staff/hongjun/jh/

NIST official evaluation: http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/documents/sha3_NISTIR7620.pdf

MIT Students Summary: http://courses.csail.mit.edu/6.857/2009/sha3/group7.pdf

Preimage Attack by Mendel and Thomsen: http://ehash.iaik.tugraz.at/uploads/d/da/Jh_preimage.pdf

Author's defence of Preimage Attack: http://ehash.iaik.tugraz.at/uploads/6/6f/Jh_mt_complexity.pdf