Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Which Hash Functions will survive? Xiaoyun Wang Xuejia Lai Magnus.

Ruhr-Ruhr-UniversitätUniversitätBochumBochumFakultät für MathematikFakultät für Mathematik

Informationssicherheit und KryptologieInformationssicherheit und Kryptologie

Which Hash FunctionsWhich Hash Functions

will survive?will survive?Xiaoyun Wang Xuejia Lai Magnus Daum

Shanghai Jiaotong Shanghai Jiaotong UniversityUniversity

Shandong Shandong UniversityUniversity

Ruhr University Ruhr University BochumBochum

05.11.2004 Which Hash Functions will survive? 2



OverviewOverview

• Applications and Properties• Hash Functions of the MD4-Family• Different Methods of Attacks

• Attacks on Iterated Hash Functions

• The Modular Differential Attack




Applications and PropertiesApplications and Properties




What is a Hash Function?What is a Hash Function?

• A hash function – is efficiently computable– compresses information of arbitrary length to

some information of fixed length („digital fingerprint“)

messageHash function




ApplicationApplication in Digital Signature Schemesin Digital Signature Schemes

BobAlice

Alice

Alice

Alice

Alice

Signature okay?

?=

h h




Properties ofProperties of Cryptographic HashfunctionsCryptographic Hashfunctions

• preimage-resistance:„Given V, find M such that h(M)=V“ is infeasible

• 2nd-preimage-resistance:„Given M, find M‘M such that h(M‘)=h(M)“

is infeasible

• collision-resistance:„Find M‘M such that h(M‘)=h(M)“ is infeasible




ApplicationApplication in Digital Signature Schemesin Digital Signature Schemes

BobAlice

Alice

Alice

?=

Eve

€ 10k € 50k

h h

Alice, please sign this contract!

€ 10k

Bob, Alice signed this contract!

€ 50k

Alice

h h

Okay, I will sign the contract about €10k.

Alice signed the contract about

€50k.

Signature is okay !

Collision!




Hash Functions of the MD4 FamilyHash Functions of the MD4 Family




Hash FunctionsHash Functions

MD4-Family

• Of practical interest:– Hashfunctions based on blockciphers:

• Matyas-Meyer-Oseas, Davies-Meyer, Miyaguchi-Preneel• MDC-2, MDC-4

– Dedicated Hashfunctions:• MD4, MD5• RIPEMD-{0,128,160,256,320}• SHA-{0,1,224,256,384,512}• Tiger• Whirlpool




SHA-224SHA-256SHA-384SHA-512 (NIST, ’02/04)

SHA-0 (NIST, ’93)

Overview MD4-FamilyOverview MD4-Family

MD4 (Rivest ‚‘90)Ext. MD4

(Rivest ‚‘90)

RIPEMD-0 (RIPE, ‘92) MD5

(Rivest ‚‘92)

RIPEMD-128RIPEMD-160RIPEMD-256RIPEMD-320 (Dobbertin, Bosselaers, Preneel ‘96)

SHA-1 (NIST, ’95)HAVAL

(Zheng, Pieprzyk, Seberry ‚‘93)




General StructureGeneral Structure

• Iterated Compression Functions

collision-resistance of the compression function

collision-resistance of the hash function




Common Structure of theCommon Structure of the Compression FunctionsCompression Functions

Message Expansion




Different Message ExpansionsDifferent Message Expansions

MD / RIPEMD• roundwise permu-

tations of the Mi

SHA• recursive definition

e.g. SHA-1:




Step OperationStep Operation

SHA-0/1:MD5:

• Only 1 register changed per step• Mixture of different kinds of operations




Attack MethodsAttack Methods




• collision-resistance:„Find M‘M such that h(M‘)=h(M)“ is infeasible„Find M‘M such that h(M‘)=h(M)“

• Three different kinds of (successfull) attacks:– Dobbertin (1995/96)– Chabaud/Joux (1998),

Biham/Chen(2004),Joux(2004)

– Wang/Feng/Lai/Yu (2004)

Collision AttacksCollision Attacks




Dobbertin‘s AttacksDobbertin‘s Attacks

• Idea: Describe the whole compression functions by the means of a huge system of equations

• Variables: Equations:– Message words - Step operation– Contents of the registers - Message Expansion

- Collision

• Equations include many very different kinds of operations, e.g. F2-linear, „modulo 232“ operations and bitwise defined Boolean functionsHard to solve with algebraic meansSpecial methods are needed




Example: Attack on MD5Example: Attack on MD5

• Find with•

• Each Mi is used in exactly four steps in the computation

• Choose and for all other i

• Computations run in parallel to each other up to the first appearance of i 0

• Another special restriction:Require Inner Collisions

i=0

i=0

i=0

150

150

150

150

M 6 fM hM h fM

fM ¡ M fM i M i





SHA-0 (NIST, ’93)



(Rivest ‚‘90)

RIPEMD (RIPE, ‘92) MD5

(Rivest ‚‘92)




Dobbertin ‚’95/96Kasselman/ Penzhorn‚ 2000




Chabaud/Joux-Attack on SHA-0Chabaud/Joux-Attack on SHA-0

• Idea:– Approximate compression function by a linear

function– Find collisions for this linearised function– Find messages with the same „differential

behaviour“ in the real compression function

• 3 non-linear parts in SHA-0:– addition modulo 232

– –

• Can all be approximated by bitwise © (linear)

X ;Y;Z X Y ©X Z ©Y Z X ;Y;Z X Y ©X Z




Elementary CollisionsElementary Collisions

A B C D E

• each collision of the complete (linearised) compression function is a linear combination of such elementary collisions




Biham/Chen: Neutral BitsBiham/Chen: Neutral Bits

• Idea:– Find bits of the message that can be changed

without changing the „differential behaviour“ up to some step k

– produce a big number of messages which fulfill some of the needed conditions automatically

– increased probability of success





SHA-0 (NIST, ’93)



(Rivest ‚‘90)

RIPEMD (RIPE, ‘92) MD5

(Rivest ‚‘92)




Chabaud/Joux ‚’98Biham/Chen‚ 2004

Joux‚ 2004

Wang/Feng/ Lai/Yu‚ 2004

Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Which Hash Functions will survive? Xiaoyun Wang Xuejia Lai Magnus.

Documents

properties hash functions

iterated hash functions

hash functions md4family

infeasible slide

h h slide

md4 family slide

tiger whirlpool slide

collision attacks