Grøstl a SHA-3 candidate

Similar documents

Introduction to SHA-3 and Keccak

SHA3 WHERE WE VE BEEN WHERE WE RE GOING

SHA-2 will soon retire

2 Classification of the SHA-3 Candidates

An Efficient Cryptographic Hash Algorithm (BSA)

Hash Function JH and the NIST SHA3 Hash Competition

Differential Cryptanalysis of Hash Functions: How to find Collisions?

Comparison of seven SHA-3 candidates software implementations on smart cards.

Length extension attack on narrow-pipe SHA-3 candidates

Hash Function of Finalist SHA-3: Analysis Study

Cryptography Lecture 8. Digital signatures, hash functions

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

Introduction to Computer Security

The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition

Permutation-based encryption, authentication and authenticated encryption

Pre-silicon Characterization of NIST SHA-3 Final Round Candidates

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Cryptography and Network Security Chapter 11

Message Authentication

How To Attack Preimage On Hash Function 2.2 With A Preimage Attack On A Pre Image

Cryptographic Algorithms and Key Size Issues. Çetin Kaya Koç Oregon State University, Professor

Evaluation of Digital Signature Process

Tools in Cryptanalysis of Hash Functions

Computer Security: Principles and Practice

One-Way Encryption and Message Authentication

On the Impact of Known-Key Attacks on Hash Functions

Hash Functions. Integrity checks

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

HASH CODE BASED SECURITY IN CLOUD COMPUTING

Recommendation for Applications Using Approved Hash Algorithms

A NEW HASH ALGORITHM: Khichidi-1

Cryptographic Hash Functions Message Authentication Digital Signatures

Chapter 8: On the Use of Hash Functions in. Computer Forensics

Chapter 1 On the Secure Hash Algorithm family

Authentication requirement Authentication function MAC Hash function Security of

Message Authentication Codes. Lecture Outline

Lecture 15 - Digital Signatures

SECURITY IN NETWORKS

Elliptic Curve Hash (and Sign)

Public Key Cryptography Overview

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

State of PKI for SSL/TLS

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

Cryptography and Network Security Chapter 12

Message authentication and. digital signatures

Certificate Authorities and Public Keys. How they work and 10+ ways to hack them.

The Future of Digital Signatures. Johannes Buchmann

On the Influence of the Algebraic Degree of the Algebraic Degree of

Announcing Approval of Federal Information Processing Standard (FIPS) 197, Advanced. National Institute of Standards and Technology (NIST), Commerce.

Overview Most of the documentation out there on the transition from SHA-1 certificates to SHA-2 certificates will tell you three things:

M.S. Project Proposal. SAT Based Attacks on SipHash

Introduction to Cryptography CS 355

Hardware Implementation of the Compression Function for Selected SHA-3 Candidates

Practice Questions. CS161 Computer Security, Fall 2008

CIS433/533 - Computer and Network Security Cryptography

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

The Advanced Encryption Standard: Four Years On

The Advanced Encryption Standard (AES)

U.S. Federal Information Processing Standard (FIPS) and Secure File Transfer

Table of Contents. Bibliografische Informationen digitalisiert durch

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

A block based storage model for remote online backups in a trust no one environment

Advanced Cryptography

EXAM questions for the course TTM Information Security May Part 1

1 Signatures vs. MACs

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Fixity Checks: Checksums, Message Digests and Digital Signatures Audrey Novak, ILTS Digital Preservation Committee November 2006

AsicBoost A Speedup for Bitcoin Mining

Security Analysis of DRBG Using HMAC in NIST SP

John Mathieson US Air Force (WR ALC) Systems & Software Technology Conference Salt Lake City, Utah 19 May 2011

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Data Reduction: Deduplication and Compression. Danny Harnik IBM Haifa Research Labs

Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Introduction. Digital Signature

Crittografia e sicurezza delle reti. Digital signatures- DSA

Side Channel Analysis and Embedded Systems Impact and Countermeasures

1 Data Encryption Algorithm

Transcription:

Grøstl a SHA-3 candidate Krystian Matusiewicz Wroclaw University of Technology CECC 2010, June 12, 2010 Krystian Matusiewicz Grøstl a SHA-3 candidate 1/ 26

Talk outline Cryptographic hash functions NIST SHA-3 Competition Grøstl Krystian Matusiewicz Grøstl a SHA-3 candidate 2/ 26

Cryptographic hash functions Krystian Matusiewicz Grøstl a SHA-3 candidate 3/ 26

Cryptographic hash functions: why? We want to have a short, fixed length fingerprint of any piece of data Different fingerprints certainly different data Identical fingerprints most likely the same data No one can get any information about the data from the fingerprint Krystian Matusiewicz Grøstl a SHA-3 candidate 4/ 26

Random Oracle Construction: Box with memory On a new query: pick randomly and uniformly the answer, remember it and return the result On a repeating query, repeat the answer (function) Krystian Matusiewicz Grøstl a SHA-3 candidate 5/ 26

Random Oracle Construction: Box with memory On a new query: pick randomly and uniformly the answer, remember it and return the result On a repeating query, repeat the answer (function) Properties: No information about the data To find a preimage: 2 n queries for n-bit outputs To find collisions: 2 n/2 queries Random behaviour Krystian Matusiewicz Grøstl a SHA-3 candidate 5/ 26

Random Oracle Construction: Box with memory On a new query: pick randomly and uniformly the answer, remember it and return the result On a repeating query, repeat the answer (function) Properties: No information about the data To find a preimage: 2 n queries for n-bit outputs To find collisions: 2 n/2 queries Random behaviour We want to construct concrete algorithms which are as close to this behaviour as possible. Krystian Matusiewicz Grøstl a SHA-3 candidate 5/ 26

NIST SHA-3 Competition Krystian Matusiewicz Grøstl a SHA-3 candidate 6/ 26

Krystian Matusiewicz Grøstl a SHA-3 candidate 7/ 26

The world after Wang (after 2004) hash designed Wang-inspired attacks MD4 1990 collisions by hand calculation MD5 1992 collisions in ms on a computer SHA-0 1993 collisions in 1hr SHA-1 1995 attacked, 2 69 SHA-2 2002 no attack Many other hash functions similar to MD5/SHA-1 were subsequently broken using Wang s method. Krystian Matusiewicz Grøstl a SHA-3 candidate 8/ 26

NIST SHA-3 competition There is only one hash function standardized by NIST which is not broken (SHA-256/SHA-512) But design principles are somehow similar to the broken ones, is it secure enough? Would be good to have a backup plan Let s organize a competition like the one for Advanced Encryption Standard! Krystian Matusiewicz Grøstl a SHA-3 candidate 9/ 26

First-round SHA-3 candidates Abacus ARIRANG AURORA BLAKE Blender Blue Midnight Wish BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1 LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall Krystian Matusiewicz Grøstl a SHA-3 candidate 10/ 26

Second-round SHA-3 candidates Abacus ARIRANG AURORA BLAKE Blender Blue Midnight Wish BOOLE Cheetah CHI CRUNCH CubeHash DCH Dynamic SHA Dynamic SHA2 ECHO ECOH EDON-R EnRUPT ESSENCE FSB Fugue Grøstl Hamsi JH Keccak Khichidi-1 LANE Lesamnta Luffa LUX MCSSHA-3 MD6 MeshHash NaSHA SANDstorm Sarmal Sgail Shabal SHAMATA SHAvite-3 SIMD Skein Spectral Hash StreamHash SWIFFTX Tangle TIB3 Twister Vortex WaMM Waterfall Krystian Matusiewicz Grøstl a SHA-3 candidate 11/ 26

What happens next? August 2010 second NIST workshop Around 5 finalists will be announced before the end of the year The winner selected in 2012 Krystian Matusiewicz Grøstl a SHA-3 candidate 12/ 26

The SHA-3 Zoo / Hash function Zoo Everything you ever wanted to know about SHA-3 candidates ehash.iaik.tugraz.at/wiki/the_sha-3_zoo ehash.iaik.tugraz.at/wiki/the_hash_function_zoo Krystian Matusiewicz Grøstl a SHA-3 candidate 13/ 26

Grøstl Krystian Matusiewicz Grøstl a SHA-3 candidate 14/ 26

The Grøstl team Søren S. Thomsen Martin Schläffer Christian Rechberger Florian Mendel Lars R. Knudsen Praveen Gauravaram & K.M. Krystian Matusiewicz Grøstl a SHA-3 candidate 15/ 26

Grøstl hash function m 1 m 2 m 3 m t iv f f f... f Ω H(m) Iterated wide-pipe Output transformation Krystian Matusiewicz Grøstl a SHA-3 candidate 16/ 26

Grøstl Compression Function h m f P Q P, Q large, fixed permutations Security reductions: collision, preimage resistance provided that permutations behave like ideal ones Krystian Matusiewicz Grøstl a SHA-3 candidate 17/ 26

Grøstl Output Transformation x P Provides protection against some attacks Random behaviour Krystian Matusiewicz Grøstl a SHA-3 candidate 18/ 26

Designing an ideal permutation How to design an ideal permutation? No way of telling it apart from randomly chosen permutation No visible structure No differential trail with significant probability Wide-trail strategy Krystian Matusiewicz Grøstl a SHA-3 candidate 19/ 26

Grøstl : One round of P, Q ( 10) AddRoundConstant SubBytes ShiftBytes MixBytes Krystian Matusiewicz Grøstl a SHA-3 candidate 20/ 26

Grøstl : AddRoundConstant i AddRoundConstant of P i ff AddRoundConstant of Q Permutations must be different (security) Different constants for P and Q Krystian Matusiewicz Grøstl a SHA-3 candidate 21/ 26

Grøstl : SubBytes S( ) Krystian Matusiewicz Grøstl a SHA-3 candidate 22/ 26

Grøstl : ShiftBytes shift by 0 shift by 1 shift by 2 shift by 3 shift by 4 shift by 5 shift by 6 shift by 7 Krystian Matusiewicz Grøstl a SHA-3 candidate 23/ 26

Grøstl : MixBytes B = circ(02,02,03,04,05,03,05,07) Krystian Matusiewicz Grøstl a SHA-3 candidate 24/ 26

Cryptanalytic Results Hash function collisions Grøstl-256 4/10 Grøstl-512 5/14 Compression function collisions Grøstl-256 7/10 Grøstl-512 7/14 Permutation non-randomness Grøstl-256 8/10 Krystian Matusiewicz Grøstl a SHA-3 candidate 25/ 26

Grøstl : Enjoy! Krystian Matusiewicz Grøstl a SHA-3 candidate 26/ 26