1.5K views

Uploaded by Chris Nash

Ron Rivest's proposal for a modern cryptographically secure hash function.

save

You are on page 1of 56

(aka “Pumpkin Hash”)

Ronald L. Rivest

MIT CSAIL

CRYPTO 2008

MD6 Team

◆ Dan Bailey ◆ Juniper Networks

◆ Sarah Cheng ◆ Cilk Arts

◆ Christopher Crutchfield ◆ NSF

◆ Yevgeniy Dodis

◆ Elliott Fleming

◆ Asif Khan

◆ Jayant Krishnamurthy

◆ Yuncheng Lin

◆ Leo Reyzin

◆ Emily Shen

◆ Jim Sukha

◆ Eran Tromer

◆ Yiqun Lisa Yin

Outline

◆ Introduction

◆ Design considerations

◆ Mode of Operation

◆ Compression Function

◆ Software Implementations

◆ Hardware Implementations

◆ Security Analysis

MD5 was designed in

1991…

◆ Same year WWW announced…

◆ Clock rates were 33MHz…

◆ Requirements:

– {0,1}* {0,1}d for digest size d

– Collision-resistance

– Preimage resistance

– Pseudorandomness

◆ What’s happened since then?

◆ Lots…

◆ What should a hash function ---

MD6 --- look like today?

NIST SHA-3 competition!

◆ Input: 0 to 264-1 bits, size not

known in advance

◆ Output sizes 224, 256, 384, 512

bits

◆ Collision-resistance, preimage

resistance, second preimage

resistance, pseudorandomness, …

◆ Simplicity, flexibility, efficiency, …

◆ Due Halloween ‘08

Design Considerations /

Responses

Wang et al. break MD5

(2004)

◆ Differential cryptanalysis

(re)discovered by Biham and

Shamir (1990). Considers step-by-

step ``difference’’ (XOR) between

two computations…

◆ Applied first to block ciphers

(DES)…

◆ Used by Wang et al. to break

collision-resistance of MD5

◆ Many other hash functions broken

So… MD6 is…

◆ provably resistant to differential

attacks (more on this later…)

Memory is now

``plentiful’’…

◆ Memory capacities have increased

60% per year since 1991

◆ Chips have 1000 times as much

memory as they did in 1991

◆ Even ``embedded processors’’

typically have at least 1KB of RAM

So… MD6 has…

◆ Large input message block size:

512 bytes (not 512 bits)

◆ This has many advantages…

Parallelism has arrived

◆ Uniprocessors have “hit the wall”

– Clock rates have plateaued, since

power usage is quadratic or cubic

with clock rate:

P = VI = V2/R = O( freq2 )

(roughly)

◆ Instead, number of cores will

double with each generation: tens,

hundreds (thousands!) of cores

coming soon

4 16 64 256 …

So… MD6 has…

◆ Bottom-up tree-based mode of

operation (like Merkle-tree)

◆ 4-to-1 compression ratio at each

node

Which works very well in

parallel

◆ Height is log4( number of nodes )

But… most CPU’s are

small…

◆ Most biomass is bacteria…

◆ Storage proportional to tree height

may be too much for some

CPU’s…

So… MD6 has…

◆ Alternative sequential mode

IV

**◆ (Fits in 1KB RAM)
**

Actually, MD6 has…

◆ a smooth sequence of alternative

modes: from purely sequential to

purely hierarchical… L parallel

layers followed by a sequential

layer, 0 ≤ L ≤ 64

◆ Example: L=1:

IV

Hash functions often

``keyed’’

**◆ Salt for password, key for MAC,
**

variability for key derivation,

theoretical soundness, etc…

◆ Current modes are “post-hoc”

So… MD6 has…

◆ Key input K of up to 512 bits

◆ K is input to every compression

function

Generate-and-paste

attacks

◆ Kelsey and Schneier (2004), Joux

(2004), …

◆ Generate sub-hash and fit it in

somewhere

◆ Has advantage proportional to size

of initial computation…

So… MD6 has…

◆ 1024-bit intermediate (chaining)

values

◆ root truncated to desired final

length

(2,0) (2,1) (2,2) (2,3)

◆ Location (level,index) input to each

node

Extension attacks…

◆ Hash of one message useful to

compute hash of another message

(especially if keyed):

H( K || A || B ) = H( H( K || A) ||

B)

So… MD6 has…

◆ ``Root bit’’ (aka “z-bit” or

“pumpkin bit”) input to each

compression function:

True

Side-channel attacks

◆ Timing attacks, cache attacks…

◆ Operations with data-dependent

timing or data-dependent resource

usage can produce vulnerabilities.

◆ This includes data-dependent

rotations, table lookups (S-boxes),

some complex operations (e.g.

multiplications), …

So… MD6 uses…

◆ Operations on 64-bit words

◆ The following operations only:

– XOR

– AND ∧

– SHIFT by fixed amounts:

x >> r

>>

x << l

<<

Security needs vary…

◆ Already recognized by having

different digest lengths d (for

MD6: 1 ≤ d ≤ 512)

◆ But it is useful to have reduced-

strength versions for analysis,

simple applications, or different

points on speed/security curve.

So… MD6 has …

◆ A variable number r of rounds.

( Each round is 16 steps. )

◆ Default r depends on digest size d :

r = 40 + (d/4)

d 160 224 256 384 512

r 80 96 104 136 168

**◆ But r is also an (optional) input.
**

MD6 Compression function

Compression function

inputs

◆ 64 word (512 byte) data block

– message, or chaining values

◆ 8 word (512 bit) key K

◆ 1 word U = (level, index)

◆ 1 word V = parameters:

– Data padding amount

– Key length (0 ≤ keylen ≤ 64 bytes)

– z-bit (aka ``root bit’’ aka``pumpkin bit”)

– L (mode of operation height-limit)

– digest size d (in bits)

– Number r of rounds

◆ 74 words total

Prepend Constant + Map +

Chop

const key+UV data

15 8+2 64

89 words

1-1 map π Map

Prepend

π89 words

16 words

Chop

Simple compression

function:

Input: A[ 0 .. 88 ] of A[ 0 .. 16r +

88]

for i = 89 to 16 r + 88 :

x = Si ⊕ A[ i-17 ] ⊕ A[ i-89 ]

⊕ ( A[ i-18 ] ∧ A[ i-21 ] )

⊕ ( A[ i-31 ] ∧ A[ i-67 ] )

x = x ⊕ ( x >> ri )

A[i] = x ⊕ ( x << li )

return A[ 16r + 73 .. 16r + 88 ]

Constants

◆ Taps 17, 18, 21, 31, 67 optimize

diffusion

◆ Constants Si defined by simple

recurrence; change at end of each

16-step round

◆ Shift amounts repeat each round

0 1 2 3 4 5 6 7 8 9 1 1 1 1 1 1

(best diffusion of 1,000,000

0 such

1 2 3 4 5

ri 1 5 1 1 1 1 2 7 1 1 7 1 1 7 6 1

tables):

0 3 0 1 2 4 5 3 1 2

li 1 2 9 1 1 9 2 1 6 2 2 8 1 5 3 9

1 4 6 5 7 5 9 5 1

Large Memory (sliding

window)

2 3 1 4 5 3 2 1 2 0 3 3 4 2 2

**◆ Array of 16r + 89 64-bit words.
**

◆ Each computed as function of

preceding 89 words.

◆ Last 16 words computed are output.

Small memory (shift

register)

89 words 2 3 2 1 5 6 3 2 7 1 3 2 6 3 1 4 0 1

∧ ∧

Si Shifts

**◆ Shift-register of 89 words (712
**

bytes)

◆ Data moves right to left

Software Implementations

Software implementations

◆ Simplicity of MD6:

– Same implementation for all digest

sizes.

– Same implementation for SHA-3

Reference or SHA-3 Optimized

Versions.

– Only optimization is loop-unrolling

(16 steps within one round).

NIST SHA-3 Reference

Platforms

32-bit 64-bit

MD6-160 44 MB/sec 97 MB/sec

MD6-224 38 MB/sec 82 MB/sec

MD6-256 35 MB/sec 77 MB/sec

MD6-384 27 MB/sec 59 MB/sec

MD6-512 22 MB/sec 49 MB/sec

SHA-512 38 MB/sec 202 MB/sec

Multicore efficiency

MD6-256

SHA-256

Cilk!

Efficiency on a GPU

◆ Standar

d $100

NVidia

GPU

◆ 375

MB/sec

on one

card

8-bit processor (Atmel)

◆ With L=0 (sequential mode), uses

less than 1KB RAM.

◆ 20 MHz clock

◆ 110 msec/comp. fn for MD6-224

(gcc actual)

◆ 44 msec/comp. fn for MD6-224

(assembler est.)

Hardware

Implementations

FPGA Implementation (MD6-

512)

◆ Xilinx XUP FPGA (14K logic slices)

◆ 5.3K slices for round-at-a-time

◆ 7.9K slices for two-rounds-at-a-

time

◆ 100MHz clock

◆ 240 MB/sec (two-rounds-at-a-time)

(Independent of digest size due to

memory bottleneck)

Security Analysis

Generate and paste attacks

(again)

◆ Because compression functions

are “location-aware”, attacks that

do speculative computation hoping

to “cut and paste it in somewhere”

don’t work.

Property-Preservations

◆ Theorem. If f is collision-resistant,

then MD6f is collision-resistant.

◆ Theorem. If f is preimage-resistant,

then

MD6f is preimage-resistant.

◆ Theorem. If f is a FIL-PRF, then MD6f is

a VIL-PRF.

◆ Theorem. If f is a FIL-MAC and root

node effectively uses distinct random

key (due to z-bit), then MD6f is a VIL-

MAC.

Indifferentiability (Maurer et al.

‘04)

◆ Variant notion of

indistinguishability appropriate

when distinguisher has access to

inner component (e.g. mode of

operation MD6f / comp. fn f).

MD6f FIL RO VIL RO S

? or ?

D

Indifferentiability (I)

◆ Theorem. The MD6 mode of

operation is indifferentiable from a

random oracle.

◆ Proof: Construct simulator for

compression function that makes

it consistent with any VIL RO and

MD6 mode of operation…

◆ Advantage: ϵ ≤ 2 q2 / 21024

where q = number of calls

(measured in terms of

Indifferentiability (II) π

π

◆ Theorem. MD6 compression function

f π is indifferentiable from a FIL

random oracle (with respect to

random permutation π).

◆ Proof: Construct simulator S for π

and π-1 that makes it consistent with

FIL RO and comp. fn. construction.

◆ Advantage: ϵ ≤ q / 21024 + 2q2 /

24672

SAT-SOLVER attacks

◆ Code comp. fn. as set of clauses,

try to find inverse or collision with

Minisat…

◆ With many days of computing:

– Solved all problems of 9 rounds or

less.

– Solved some 10- or 11-round ones.

– Never solved a 12-round problem.

◆ Note: 11 rounds ≈ 2 rotations

(passes over data)

Statistical tests

◆ Measure influence of an input bit

on all output bits; use Anderson-

Darling A*2 test on set of

influences.

◆ Can’t distinguish from random

beyond

12 rounds.

Differential attacks don’t

work

◆ Theorem. Any standard

differential attack has less chance

of finding collision than standard

birthday attack.

◆ Proof. Determine lower bound on

number of active AND gates in 15

rounds using sophisticated

backtracking search and days of

computing. Derive upper bound

on probability of differential path.

Differential attacks (cont.)

◆ Compare birthday d r BB LB

bound BB with our

lower bound LB on 160 80 280 2104

work for any

standard differential 224 96 2112 2130

attack.

256 104 2128 2150

◆ (Gives adversary

fifteen rounds for

384 136 2192 2208

message

modification, etc.)

512 168 2256 2260

◆ These bounds can

Choosing number of

rounds

◆ We don’t know how to break any

security properties of MD6 for

more than 12 rounds.

◆ For digest sizes 224 … 512 , MD6

has

80 … 168 rounds.

◆ Current defaults probably

conservative.

◆ Current choice allows proof of

resistance to differential

Summary

◆ MD6 is:

– Arguably secure against known

attacks (including differential

attacks)

– Relatively simple

– Highly parallelizable

– Reasonably efficient

THE END

MD6

03744327e1e959fbdcdf7331e959cb2c28101166

Round constants Si

◆ Since they only change every 16

steps, let S’j be the round constant

for round j .

◆ S’0 = 0x0123456789abcdef

**◆ S’j+1 = (S’j <<< 1) ⊕ (S’j ∧ mask)
**

◆ mask = 0x7311c2812425cfa0

- 93981806-ExerciseUploaded byRobert Joseph
- ch05Uploaded bybalajinaik07
- hmacUploaded byAlbarra Didi
- Duplicate Cleaner LogUploaded byZaheed Humaidy
- Hash FunctionsUploaded bySibusiso Gama
- Metodos de Sistemas de CriptoanálisisUploaded byZosemu Bot
- CEH Practice ExamUploaded byphsgb1
- High performance password cracking by implementing rainbow tables.pdfUploaded byElsa Cristina David
- Ex1Uploaded byneko slayer
- Reverse Engineering Commercial SoftwareUploaded byErnest Obeida
- Why Johnny Can’t Store Passwords Securely?Uploaded byJexia
- Main Doc FinalUploaded byHari Harul Vullangi
- cse7Uploaded byAhilan Aahnia
- Assignment#4answers (1)Uploaded byDon
- Am29f400bb-55se0 Psop44 AmdUploaded byBRUNO
- ISGT2012-000051Uploaded bya_damrong
- nips09Uploaded bySal Ie Em
- Big Data Principles and Best Practices of Scalable Realtime Data Systems by Nathan Marz WITH James Warren(Pradyutvam2)[CPU-200-216Uploaded byEs Quitada
- Password Security NIS SystemsUploaded bykokoalove

- Reconsidering Physical Key Secrecy: Teleduplication via Optical DecodingUploaded byChris Nash
- A Relational Model of Data for Large Shared Data BanksUploaded byChris Nash
- The Skein Hash Function FamilyUploaded byChris Nash
- Catalan's Conjecture: Another Old Diophantine Problem SolvedUploaded byChris Nash
- Guide to Enterprise Telework and Remote Access Security (Draft)Uploaded byChris Nash
- Television's Performance on Election Night 2000: A Report for CNNUploaded byChris Nash
- Designing and implementing malicious hardwareUploaded byChris Nash
- Unraveling A Well Woven SoloUploaded byChris Nash
- When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISCUploaded byChris Nash
- Digital Computational ImagingUploaded byChris Nash
- Cross-Site Request Forgeries: Exploitation and PreventionUploaded byChris Nash
- The ABC-conjectureUploaded byChris Nash
- Review of the Safety of LHC CollisionsUploaded byChris Nash
- Cross-Cultural Analysis of Students with Exceptional Talent in Mathematical Problem SolvingUploaded byChris Nash
- google ogb article29 responseUploaded byChris Nash
- Multi-hop whistler-mode ELF/VLF signals and triggered emissions excited by the HAARP HF heaterUploaded byChris Nash
- On the potential for extinction by Muller's Ratchet in Caenorhabditis elegansUploaded byChris Nash

- An MC script for Final ShowcaseUploaded byMuhammad Arif
- Learning LTE_ Circuit Switched Fallback (CSFB)Uploaded bysukanganulho
- CS F213 RL 12.2Uploaded bySAURABH MITTAL
- Transform Epc 2 Bpm nTransformation from EPC to BPMNUploaded byBanu Aysolmaz
- SPSSUploaded byPRIYANK
- CUDA Toolkit Release NotesUploaded byVamshiKrishna
- Neville Goddard - Mental Diets - The Key to Wishes FulfilledUploaded byTwenty Twenty
- LA UNCIONUploaded byDiego Aranda A
- Algunas Variantes Morfosintéticas del Libro de La Montería del rey Alfonso XI de León y de CastillaUploaded byJavier Blanco González
- Versión 2 en Word de Dioses y Hombres de HuarochiríUploaded byRaul A. Burneo
- Proposiciones Estructura Discreta 1Uploaded byHernán Peña
- La Importancia de La Lectura en La UniversidadUploaded byMarisstella Leyva Valenzuela
- Calculo III - Primer Tema - CurvasUploaded byElvis Damiano Perez
- Thesis on wayfinding by Christopher KuehUploaded bypoongaar
- 27340078-As-400e-Series.pdfUploaded bynagas4002130
- Gabriele Amorth - Wyznania EgzorcystyUploaded byKarma
- Apuntes de Teoría de La CulturaUploaded byimply1208
- MT130 Apuntes Análisis NuméricoUploaded byAdriana Soto
- An Improved AES Cryptosystem Based Genetic Method on S-Box, With, 256 Key Sizes and 14-RoundsUploaded byIJAERS JOURNAL
- EspacioUploaded byAna Martinez
- Fundamentos Sistemas OperativosUploaded byDashaLylyN
- CoovaRADIUS-1.0.1.pdfUploaded byAnonymous 6BvR5IlN
- 1. Ideogramas a Nivel UrbanoUploaded byGissel Santa Cruz
- 2-Herramientas de Apoyo en El DesarrolloUploaded byWilliam Portillo
- Blanco Segura, Ricardo - Historia Eclesiastica de Costa Rica (1902 1850)Uploaded by12deusto
- Cours Architecture Ordinateur ViennetUploaded byapi-3706108
- 151Uploaded byotoe12
- ucm-t27665Uploaded byLeon Viajes
- La Importancia de La MisaUploaded byLILLY LLAP
- Ed 541498Uploaded byMulugeta Mamu