A Four-Component Framework for Designing and Analyzing Cryptographic Hash Algorithms

Cryptographic hash algorithms are important building blocks in cryptographic protocols, providing authentication and assurance of integrity. While many different hash algorithms are available including MD5, Tiger, and HAVAL, it is difficult to compare them since they do not necessarily use the same techniques to achieve their security goals. This work informally describes a framework in four parts which allows different hash algorithms to be compared based on their strengths and weaknesses. By breaking down cryptographic hash algorithms into their preprocessing, postprocessing, compression function, and internal structure components, weaknesses in existing algorithms can be mitigated and new algorithms can take advantage of strong individual components

Security of the SHA-3 candidates Keccak and Blue Midnight Wish: Zero-sum property

The SHA-3 competition for the new cryptographic standard was initiated by National Institute of Standards and Technology (NIST) in 2007. In the following years, the event grew to one of the top areas currently being researched by the CS and cryptographic communities. The first objective of this thesis is to overview, analyse, and critique the SHA-3 competition. The second one is to perform an in-depth study of the security of two candidate hash functions, the finalist Keccak and the second round candidate Blue Midnight Wish. The study shall primarily focus on zero-sum distinguishers. First we attempt to attack reduced versions of these hash functions and see if any vulnerabilities can be detected. This is followed by attacks on their full versions. In the process, a novel approach is utilized in the search of zero-sum distinguishers by employing SAT solvers. We conclude that while such complex attacks can theoretically uncover undesired properties of the two hash functions presented, such attacks are still far from being fully realized due to current limitations in computing power

Inverting Cryptographic Hash Functions via Cube-and-Conquer

MD4 and MD5 are seminal cryptographic hash functions proposed in early 1990s. MD4 consists of 48 steps and produces a 128-bit hash given a message of arbitrary finite size. MD5 is a more secure 64-step extension of MD4. Both MD4 and MD5 are vulnerable to practical collision attacks, yet it is still not realistic to invert them, i.e. to find a message given a hash. In 2007, the 39-step version of MD4 was inverted via reducing to SAT and applying a CDCL solver along with the so-called Dobbertin's constraints. As for MD5, in 2012 its 28-step version was inverted via a CDCL solver for one specified hash without adding any additional constraints. In this study, Cube-and-Conquer (a combination of CDCL and lookahead) is applied to invert step-reduced versions of MD4 and MD5. For this purpose, two algorithms are proposed. The first one generates inversion problems for MD4 by gradually modifying the Dobbertin's constraints. The second algorithm tries the cubing phase of Cube-and-Conquer with different cutoff thresholds to find the one with minimal runtime estimation of the conquer phase. This algorithm operates in two modes: (i) estimating the hardness of a given propositional Boolean formula; (ii) incomplete SAT-solving of a given satisfiable propositional Boolean formula. While the first algorithm is focused on inverting step-reduced MD4, the second one is not area-specific and so is applicable to a variety of classes of hard SAT instances. In this study, 40-, 41-, 42-, and 43-step MD4 are inverted for the first time via the first algorithm and the estimating mode of the second algorithm. 28-step MD5 is inverted for four hashes via the incomplete SAT-solving mode of the second algorithm. For three hashes out of them this is done for the first time.Comment: 40 pages, 11 figures. A revised submission to JAI

HW/SW Architecture Exploration for an Efficient Implementation of the Secure Hash Algorithm SHA-256

Hash functions are used in the majority of security protocol to guarantee the integrity and the authenticity. Among the most important hash functions is the SHA-2 family, which offers higher security and solved the insecurity problems of other popular algorithms as MD5, SHA-1 and SHA-0. However, theses security algorithms are characterized by a certain amount of complex computations and consume a lot of energy. In order to reduce the power consumption as required in the majority of embedded applications, a solution consists to exploit a critical part on accelerator (hardware). In this paper, we propose a hardware/software exploration for the implementation of SHA256 algorithm. For hardware design, two principal design methods are proceeded: Low level synthesis (LLS) and high level synthesis (HLS). The exploration allows the evaluation of performances in term of area, throughput and power consumption. The synthesis results under Zynq 7000 based-FPGA reflect a significant improvement of about 80% and 15% respectively in FPGA resources and throughput for the LLS hardware design compared to HLS solution. For better efficiency, hardware IPs are deduced and implemented within HW/SW system on chip. The experiments are performed using Xilinx ZC 702-based platform. The HW/SW LLS design records a gain of 10% to 25% in term of execution time and 73% in term of power consumption

Chosen-Prefix Collisions for MD5 and Applications

We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of \emph{chosen-prefix collisions}. We have shown how, at an approximate expected cost of $2^{39}$ calls to the MD5 compression function, for any two chosen message prefixes $P$ and $P'$, suffixes $S$ and $S'$ can be constructed such that the concatenated values $P\|S$ and $P'\|S'$ collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the MD5-collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control (cf.\ \url{http://www.win.tue.nl/hashclash/rogue-ca/}). Other examples, such as MD5-colliding executables, are presented as well. More details can be found on \url{http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/}

Design and Analysis of Multi-Block-Length Hash Functions

Cryptographic hash functions are used in many cryptographic applications, and the design of provably secure hash functions (relative to various security notions) is an active area of research. Most of the currently existing hash functions use the Merkle-Damgård paradigm, where by appropriate iteration the hash function inherits its collision and preimage resistance from the underlying compression function. Compression functions can either be constructed from scratch or be built using well-known cryptographic primitives such as a blockcipher. One classic type of primitive-based compression functions is single-block-length : It contains designs that have an output size matching the output length n of the underlying primitive. The single-block-length setting is well-understood. Yet even for the optimally secure constructions, the (time) complexity of collision- and preimage-finding attacks is at most 2n/2, respectively 2n ; when n = 128 (e.g., Advanced Encryption Standard) the resulting bounds have been deemed unacceptable for current practice. As a remedy, multi-block-length primitive-based compression functions, which output more than n bits, have been proposed. This output expansion is typically achieved by calling the primitive multiple times and then combining the resulting primitive outputs in some clever way. In this thesis, we study the collision and preimage resistance of certain types of multi-call multi-block-length primitive-based compression (and the corresponding Merkle-Damgård iterated hash) functions : Our contribution is three-fold. First, we provide a novel framework for blockcipher-based compression functions that compress 3n bits to 2n bits and that use two calls to a 2n-bit key blockcipher with block-length n. We restrict ourselves to two parallel calls and analyze the sufficient conditions to obtain close-to-optimal collision resistance, either in the compression function or in the Merkle-Damgård iteration. Second, we present a new compression function h: {0,1}3n → {0,1}2n ; it uses two parallel calls to an ideal primitive (public random function) from 2n to n bits. This is similar to MDC-2 or the recently proposed MJH by Lee and Stam (CT-RSA'11). However, unlike these constructions, already in the compression function we achieve that an adversary limited (asymptotically in n) to O (22n(1-δ)/3) queries (for any δ > 0) has a disappearing advantage to find collisions. This is the first construction of this type offering collision resistance beyond 2n/2 queries. Our final contribution is the (re)analysis of the preimage and collision resistance of the Knudsen-Preneel compression functions in the setting of public random functions. Knudsen-Preneel compression functions utilize an [r,k,d] linear error-correcting code over 𝔽2e (for e > 1) to build a compression function from underlying blockciphers operating in the Davies-Meyer mode. Knudsen and Preneel show, in the complexity-theoretic setting, that finding collisions takes time at least 2(d-1)n2. Preimage resistance, however, is conjectured to be the square of the collision resistance. Our results show that both the collision resistance proof and the preimage resistance conjecture of Knudsen and Preneel are incorrect : With the exception of two of the proposed parameters, the Knudsen-Preneel compression functions do not achieve the security level they were designed for

Chosen-prefix collisions for MD5 and applications

We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of chosen-prefix collisions. We have shown how, at an approximate expected cost of 239 calls to the MD5 compression function, for any two chosen message prefixes P and P', suffixes S and S' can be constructed such that the concatenated values P||S and P'||S' collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the MD5-collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control (cf. http://www.win.tue.nl/hashclash/rogue-ca/). Other examples, such as MD5-colliding executables, are presented as well. More details can be found on http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/

SAT-based preimage attacks on SHA-1

Hash functions are important cryptographic primitives which map arbitrarily long messages to fixed-length message digests in such a way that: (1) it is easy to compute the message digest given a message, while (2) inverting the hashing process (e.g. finding a message that maps to a specific message digest) is hard. One attack against a hash function is an algorithm that nevertheless manages to invert the hashing process. Hash functions are used in e.g. authentication, digital signatures, and key exchange. A popular hash function used in many practical application scenarios is the Secure Hash Algorithm (SHA-1). In this thesis we investigate the current state of the art in carrying out preimage attacks against SHA-1 using SAT solvers, and we attempt to find out if there is any room for improvement in either the encoding or the solving processes. We run a series of experiments using SAT solvers on encodings of reduced-difficulty versions of SHA-1. Each experiment tests one aspect of the encoding or solving process, such as e.g. determining whether there exists an optimal restart interval or determining which branching heuristic leads to the best average solving time. An important part of our work is to use statistically sound methods, i.e. hypothesis tests which take sample size and variation into account. Our most important result is a new encoding of 32-bit modular addition which significantly reduces the time it takes the SAT solver to find a solution compared to previously known encodings. Other results include the fact that reducing the absolute size of the search space by fixing bits of the message up to a certain point actually results in an instance that is harder for the SAT solver to solve. We have also identified some slight improvements to the parameters used by the heuristics of the solver MiniSat; for example, contrary to assertions made in the literature, we find that using longer restart intervals improves the running time of the solver