Cryptographic Hash Functions:
Design, Analysis & Applications
Dhananjoy Dey
Indian Institute of Information Technology, Lucknow
February 16, 2021
Disclaimers
1. All the pictures used in this presentation are taken from freely available websites.
2. If there is a reference on a slide, all of the information on that slide is attributable to that source whether quotation marks are used or not.
3. Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement nor does it imply that the products mentioned are necessarily the best available for the purpose.
Outline
1 Introduction
Types of Hash Functions
Properties of Hash Functions
2 Most Commonly Used Hash Functions
MD Family
SHA Family
3 What are the design criteria?
Iterated Hash Function
Analysis
Alternative Constructions
4 SHA-3 Hash Function
Inside Keccak
5 Applications
Introduction
Introduction Types of Hash Functions
Definition & Type
A hash function is a function that satisfies the following conditions:
(i) ‘easy’ to compute (efficient & deterministic algorithm)
(ii) taking an input of arbitrary length, it gives an output of fixed length
Definition
A hash function is a function $h : D \to R$ where $D = \{0, 1\}^*$ and $R = \{0, 1\}^n$ for some $n \ge 1$.
Types of hash functions:
(a) Perfect hash function
(b) Minimal perfect hash function
(c) Cryptographic hash function
Non-cryptographic Hash
Definition
Let $D = \{d_0, d_1, \ldots, d_{m-1}\}$ and $R = \{r_0, r_1, \ldots, r_{n-1}\}$ be sets with $m \le n$.
The hash function $h : D \to R$ is called a perfect hash function (PHF) if, for all $x, y \in D$, $x \ne y \Rightarrow h(x) \ne h(y)$.
In particular, if $m = n$, $h$ is called a minimal perfect hash function (MPHF).
Cryptographic Hash
Definition
The (cryptographic) hash function is a function $h : D \to R$ where $D = \{0, 1\}^*$ and $R = \{0, 1\}^n$ for some $n \ge 1$.
[Figure: $x \to h(x)$ is easy; $h(x) \to x$ is hard]
Ideal Cryptographic Hash
(i) Ease of computation: It is ‘easy’ to compute the hash value for
any given message.
(ii) Compression: It takes arbitrary length of input and gives a fixed
length of output.
(iii) Preimage resistance: It is infeasible to find a message that has a
given hash.
(iv) Second preimage resistance: It is infeasible to modify a
message without changing its hash.
(v) Collision resistance: It is infeasible to find 2 different messages
with the same hash.
(i) − (iv) ⇒ OWHF (one-way hash function); (i) − (v) ⇒ CRHF (collision-resistant hash function)
(vi) Avalanche: Flipping 1 bit in an input would change approximately 50% of the output bits.
(vii) Near-collision resistance: It is computationally infeasible to find 2 input strings $x$ and $x'$ such that $h(x)$ and $h(x')$ hardly differ.
(viii) Partial-preimage resistance: It is computationally infeasible to find any substring of the input string $x$ for any given output string $s$, even when any distinct substring of $x$ is given.
(ix) Non-correlation: Input string $x$ and output string $h(x)$ are not correlated in any way.
Types of Hash Functions
Hash Functions
  Cryptographic
    MDC
      OWHF
      CRHF
    MAC
  Non-Cryptographic
    Minimal Perfect
    Perfect
MAC
A MAC is a function $h$ that satisfies the following:
(i) Compression: $x$ can be of arbitrary length and $h(k, x)$ has a fixed length of $n$ bits, where the key $k$ has a fixed length of $\ell$ bits.
(ii) Ease of computation: Given $h$, $k$ and an input $x$, the computation of $h(k, x)$ must be easy.
(iii) ‘Preimage resistance’: Given a message $x$, it must be hard to determine $h(k, x)$ when $k$ is not given, even when a large set of pairs $\{x_i, h(k, x_i)\}$ is known.
Requirements
Knowing a message and its MAC, it is infeasible to find another message with the same MAC.
MACs should be uniformly distributed.
The MAC should depend equally on all bits of the message.
Definition
A MAC is a function $h : K \times M \to R$ such that $K = \{0, 1\}^\ell$ is the key space, $M = \{0, 1\}^*$ is the message space and $R = \{0, 1\}^n$ is the range, for some $\ell, n \ge 1$.
Introduction Properties of Hash Functions
Required Output Length for a Hash Function
An n-bit hash function is said to have ideal security if the following
conditions hold:
i. The expected workload of generating a collision $= 2^{n/2}$.
ii. Given a hash value, the expected workload of finding a preimage $= 2^n$.
iii. Given a message and its hash result, the expected workload of finding a second preimage $= 2^n$.
Generic Algorithm: Pre-Image
Model $H$ as a uniform random function, i.e., on distinct inputs, the outputs of $H$ are independent and uniformly distributed over $\{0, 1\}^n$.
Finding pre-image: input $y$.
Choose $M$; compute $H(M)$; if $H(M) = y$, return $M$.
Probability of success: $\Pr[H(M) = y] = 1/2^n$.
Expected number of trials: $2^n$.
Similarly, for finding 2nd pre-image, the expected number of trials is also $2^n$.
Generic Algorithm: Collision
Birthday Attack
Problem
Let there be $m + 1$ people $\{P_1, P_2, \ldots, P_{m+1}\}$ in a room. What should be the value of $m$ so that the probability that at least one of the persons $\{P_2, P_3, \ldots, P_{m+1}\}$ shares a birthday with $P_1$ is greater than $\frac{1}{2}$?
Problem
How many people must there be in a room so that the probability of at least 2 of them sharing the same birthday is greater than $\frac{1}{2}$?
Choose distinct $M_1, M_2, \ldots, M_q$;
compute $y_1 = H(M_1), y_2 = H(M_2), \ldots, y_q = H(M_q)$;
if $y_i = y_j$, return $M_i, M_j$.
$\Pr[\mathrm{Coll}] = 1 - \Pr[\mathrm{Distinct}(y_1, \ldots, y_q)]$.
$\Pr[\mathrm{Distinct}(y_1, \ldots, y_q)] = \left(1 - \frac{1}{2^n}\right) \times \cdots \times \left(1 - \frac{q-1}{2^n}\right)$
Using standard approximations and simplifications, for $q \approx 2^{n/2}$, a collision occurs with constant probability.
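Added example (not from the slides): the two generic searches above, run against a toy n-bit hash, together with the product formula for Pr[Distinct] applied to both birthday problems. The toy hash (top n bits of SHA-256) and all function names are assumptions made for illustration.

```python
import hashlib
from itertools import count


def H(msg: bytes, n_bits: int) -> int:
    """Toy n-bit hash: top n bits of SHA-256, standing in for a random function."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n_bits)


def find_preimage(y: int, n_bits: int):
    """Generic pre-image search: try messages until H(M) == y (about 2^n trials)."""
    for trials in count(1):
        m = b"pre-" + str(trials).encode()
        if H(m, n_bits) == y:
            return m, trials


def find_collision(n_bits: int):
    """Generic collision search: hash distinct messages, stop at the first repeat."""
    seen = {}
    for trials in count(1):
        m = b"coll-" + str(trials).encode()
        y = H(m, n_bits)
        if y in seen:
            return seen[y], m, trials
        seen[y] = m


def pr_collision(q: int, outputs: int) -> float:
    """1 - (1 - 1/N)(1 - 2/N)...(1 - (q-1)/N) for N equally likely outputs."""
    p_distinct = 1.0
    for i in range(1, q):
        p_distinct *= 1 - i / outputs
    return 1 - p_distinct


def min_others_matching_p1(days: int = 365) -> int:
    """Smallest m with Pr[some P_2..P_{m+1} shares P_1's birthday] > 1/2."""
    m = 1
    while 1 - (1 - 1 / days) ** m <= 0.5:
        m += 1
    return m


def min_people_any_pair(days: int = 365) -> int:
    """Smallest group size with Pr[at least two share a birthday] > 1/2."""
    q = 1
    while pr_collision(q, days) <= 0.5:
        q += 1
    return q


if __name__ == "__main__":
    print("match a fixed person:", min_others_matching_p1())  # pre-image analogue
    print("any pair matches    :", min_people_any_pair())     # collision analogue
    m1, m2, q = find_collision(20)
    print(f"20-bit collision after {q} hashes (2^10 = 1024): {m1!r} {m2!r}")
    m, q = find_preimage(H(b"target", 12), 12)
    print(f"12-bit pre-image after {q} hashes (2^12 = 4096): {m!r}")
```

The fixed-target problem scales with the number of outputs, like a pre-image search, while the any-pair problem scales with its square root, like a collision search.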
Relations Among Properties
If one can find 2nd pre-images, then one can find collisions.
Suppose $A$ is an algorithm to find 2nd pre-images.
take an arbitrary $x_1$;
apply $A$ on $x_1$ to find a 2nd pre-image $x_2$;
return $x_1$ and $x_2$.
Collision resistance ⇒ 2nd pre-image resistance.
Collision resistance ⇏ pre-image resistance.
No clear deterministic relation between finding pre-images and
finding collisions.
There is, however, a probabilistic relation.
Suppose $B$ is an algorithm to find pre-images.
take an arbitrary $x_1$;
compute $y = H(x_1)$;
apply $B$ on $y$ to find a pre-image $x_2$;
return $x_1$ and $x_2$.
Under some assumptions, $x_2$ is different from $x_1$ with significant probability.
Most Commonly Used Hash Functions
Most Commonly Used Hash Functions MD Family
MD4 Family
MD4
  MD5
  SHA
    SHA-1
      SHA-224, SHA-256, SHA-384, SHA-512
  HAVAL
  RIPEMD
    RIPEMD-128, RIPEMD-160
  Extended MD4
MD4
-> 3 rounds of 16 steps, output bit-length is 128.
MD5
-> 4 rounds of 16 steps, output bit-length is 128.
Designed by Ron Rivest in 1991 & 1992, respectively
SHA-1
-> 4 rounds of 20 steps, output bit-length is 160.
Designed by NIST in 1995 (FIPS-180-1)
RIPEMD-160
-> 5 rounds of 16 steps, output bit-length is 160.
Designed by Dobbertin, Bosselaers & Preneel in 1995 (RIPE-RACE 1040)
SHA-2
-> Produces various output bit-lengths: 224, 256, 384 and 512.
Designed by NIST in 2002 (FIPS-180-2)
Merkle-Damgård
MD5 Hash
Padding
Word Permutation
p[16 · · · 31] = [1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12],
p[32 · · · 47] = [5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2],
p[48 · · · 63] = [0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9].
Algorithm
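$b \leftarrow b + \mathrm{rotl}_{r_t}(a + f_t(b, c, d) + K_t + W_{p(t)})$
$a \leftarrow d$
$d \leftarrow c$
$c \leftarrow b$
(The four assignments are made simultaneously, so each right-hand side uses the value from before the step.)
$h_0^{(i)} = a + h_0^{(i-1)}$, $h_1^{(i)} = b + h_1^{(i-1)}$, $h_2^{(i)} = c + h_2^{(i-1)}$, $h_3^{(i)} = d + h_3^{(i-1)}$.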
Round Functions
$f_t(x, y, z) = (x \wedge y) \vee (\neg x \wedge z)$, $0 \le t \le 15$
$f_t(x, y, z) = (x \wedge z) \vee (y \wedge \neg z)$, $16 \le t \le 31$
$f_t(x, y, z) = x \oplus y \oplus z$, $32 \le t \le 47$
$f_t(x, y, z) = y \oplus (x \vee \neg z)$, $48 \le t \le 63$
Round Constants
$K_t$ = first 32 bits of binary value of $|\sin(t + 1)|$, $0 \le t \le 63$
Step Transformation of MD5
Most Commonly Used Hash Functions SHA Family
Description of SHA-1
Padding
Message Expansion
$W_t = M_t^{(i)}$, $0 \le t \le 15$
$W_t = \mathrm{rotl}_1(W_{t-3} \oplus W_{t-8} \oplus W_{t-14} \oplus W_{t-16})$, $16 \le t \le 79$
Round Operation of Compression Function
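$T \leftarrow \mathrm{rotl}_5(a) + f_t(b, c, d) + e + K_t + W_t$
$e \leftarrow d$
$d \leftarrow c$
$c \leftarrow \mathrm{rotl}_{30}(b)$
$b \leftarrow a$
$a \leftarrow T$
$h_0^{(i)} = a + h_0^{(i-1)}$, $h_1^{(i)} = b + h_1^{(i-1)}$, $h_2^{(i)} = c + h_2^{(i-1)}$, $h_3^{(i)} = d + h_3^{(i-1)}$, $h_4^{(i)} = e + h_4^{(i-1)}$.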
Additive Constants
$K_t$ = 0x5a827999, $0 \le t \le 19$
$K_t$ = 0x6ed9eba1, $20 \le t \le 39$
$K_t$ = 0x8f1bbcdc, $40 \le t \le 59$
$K_t$ = 0xca62c1d6, $60 \le t \le 79$
Round Functions
$f_t(x, y, z) = (x \wedge y) \vee (\neg x \wedge z)$, $0 \le t \le 19$
$f_t(x, y, z) = x \oplus y \oplus z$, $20 \le t \le 39$
$f_t(x, y, z) = (x \wedge y) \vee (y \wedge z) \vee (z \wedge x)$, $40 \le t \le 59$
$f_t(x, y, z) = x \oplus y \oplus z$, $60 \le t \le 79$
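Added example (not from the slides): SHA-1 assembled from the message expansion, round operation, additive constants and round functions listed above, then checked against Python's hashlib. The slides do not give the initial chaining value or the padding rule; both are taken here from FIPS 180, and the function names are chosen for this example.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
# Initial chaining value h^(0) from FIPS 180 (not shown on the slides).
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x: int, s: int) -> int:
    """Rotate a 32-bit word left by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK


def K(t: int) -> int:
    """Additive constant for step t (one constant per 20-step round)."""
    return (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)[t // 20]


def f(t: int, x: int, y: int, z: int) -> int:
    """Round function for step t."""
    if t < 20:
        return (x & y) | (~x & z)
    if 40 <= t < 60:
        return (x & y) | (y & z) | (z & x)
    return x ^ y ^ z


def pad(msg: bytes) -> bytes:
    """FIPS 180 padding: a 1 bit, zeros, then the 64-bit message bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    return padded + struct.pack(">Q", 8 * len(msg))


def compress(h, block: bytes):
    """One application of the compression function to a 512-bit block."""
    W = list(struct.unpack(">16I", block))
    for t in range(16, 80):  # message expansion
        W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):  # round operation
        T = (rotl(a, 5) + f(t, b, c, d) + e + K(t) + W[t]) & MASK
        e, d, c, b, a = d, c, rotl(b, 30), a, T
    # feed-forward: h_j^(i) = register + h_j^(i-1)
    return tuple((reg + prev) & MASK for reg, prev in zip((a, b, c, d, e), h))


def sha1(msg: bytes) -> str:
    h = IV
    padded = pad(msg)
    for i in range(0, len(padded), 64):
        h = compress(h, padded[i:i + 64])
    return struct.pack(">5I", *h).hex()


if __name__ == "__main__":
    for sample in (b"", b"abc", b"a" * 200):  # constructed test inputs
        print(sha1(sample), sha1(sample) == hashlib.sha1(sample).hexdigest())
```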
Step Transformation of SHA-1
Description of SHA-256
Padding
Message Expansion
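$W_t = M_t^{(i)}$, $0 \le t \le 15$
$W_t = \sigma_1(W_{t-2}) + W_{t-7} + \sigma_0(W_{t-15}) + W_{t-16}$, $16 \le t \le 63$
$\sigma_0(x) = \mathrm{Rotr}_7(x) \oplus \mathrm{Rotr}_{18}(x) \oplus \mathrm{Shr}_3(x)$
$\sigma_1(x) = \mathrm{Rotr}_{17}(x) \oplus \mathrm{Rotr}_{19}(x) \oplus \mathrm{Shr}_{10}(x)$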
Step Transformation of SHA-256
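Round Operation of Compression Function of SHA-256
$T_1 \leftarrow H + \Sigma_1(E) + \mathrm{Ch}(E, F, G) + K_t + W_t$
$T_2 \leftarrow \Sigma_0(A) + \mathrm{Maj}(A, B, C)$
$H \leftarrow G$
$G \leftarrow F$
$F \leftarrow E$
$E \leftarrow D + T_1$
$D \leftarrow C$
$C \leftarrow B$
$B \leftarrow A$
$A \leftarrow T_1 + T_2$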
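$\Sigma_0(x) = \mathrm{Rotr}_2(x) \oplus \mathrm{Rotr}_{13}(x) \oplus \mathrm{Rotr}_{22}(x)$
$\Sigma_1(x) = \mathrm{Rotr}_6(x) \oplus \mathrm{Rotr}_{11}(x) \oplus \mathrm{Rotr}_{25}(x)$
$\mathrm{Ch}(x, y, z) = (x \wedge y) \vee (\neg x \wedge z)$
$\mathrm{Maj}(x, y, z) = (x \wedge y) \vee (y \wedge z) \vee (z \wedge x)$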
Evolution of MD4
Standard Hash Functions at a Glance
Name         Block Size  Word Size  Output Size         Rounds  Year of the
             (bits)      (bits)     (bits)                      Standard
MD5          512         32         128                 64      1992
RIPEMD       512         32         128                 48      1992
SHA-0        512         32         160                 80      1993
SHA-1        512         32         160                 80      1995
RIPEMD-128   512         32         128                 64      1995
RIPEMD-160   512         32         160                 80      1997
SHA-256      512         32         256                 64      2002
SHA-384      1024        64         384                 80      2002
SHA-512      1024        64         512                 80      2002
SHA-224      512         32         224                 64      2004
SHA-3        1600        64         224, 256, 384, 512  24      2015
SHA Family
Secure Hash Standard
SHA-1 (32-bit)
SHA-224 & SHA-256 Functions (32-bit)
SHA-384, SHA-512, SHA-512/224 & SHA-512/256
Functions (64-bit)
NIST, Secure Hash Standard (SHS), FIPS PUB 180-4, 2012.
Hash Stew
Pour the initial value in a big cauldron and place it over a nice fire. Now slowly add salt if desired and stir well. Marinade your input bit string by appending some strengthened padding. Now chop the resulting bit string into nice small pieces (512-bit) of the same size and stretch each piece to at least 4 times its original length. Slowly add each single piece while continually stirring at the speed given by rotation constants and spicing it up with some addition constants. When the hash stew is ready, extract a nice portion of at least 224 bits [1] and present this hash value on warm with some garnish.
· · · Marc Stevens
Shattered: The first collision for full SHA-1
[1] Earlier it was 160 bits
Recommended Hash Functions
Primitive    Output Length   Legacy  Future
SHA-2        256, 384, 512   ✓       ✓
SHA3         256, 384, 512   ✓       ✓
Whirlpool    512             ✓       ✓
SHA3         224             ✓       ✗
SHA-2        224             ✓       ✗
RIPEMD-160   160             ✓       ✗
SHA-1        160             ✗       ✗
MD-5         128             ✗       ✗
RIPEMD-128   128             ✗       ✗
Source: Algorithms, key size and parameters report – 2014, www.enisa.europa.eu
Legacy ✗: Attack exists or security considered not sufficient. Mechanism should be replaced in fielded products as a matter of urgency.
Legacy ✓: No known weaknesses at present. Better alternatives exist. Lack of security proof or limited key size.
Future ✓: Mechanism is well studied (often with security proof). Expected to remain secure in 10-50 year lifetime.
Outdated MD5
https://www.zdnet.com/article/a-quarter-of-major-cmss-use-outdated-md5-as-the-default-password-hashing-scheme/
What are the design criteria?
How to Build a Hash Function
Design a compression function (a black box that accepts an (n + b)-bit input & produces an n-bit output).
Find a good mode of iteration (a way to handle messages of length longer or shorter than n + b bits).
Combine the two.
Merkle-Damgård Construction
What are the design criteria? Iterated Hash Function
Iterative hash function
Compression function is a function $f : D \to R$, where $D = \{0, 1\}^a \times \{0, 1\}^b$ & $R = \{0, 1\}^c$ for some $a, b, c \ge 1$ with $(a + b) \ge c$.
Output transformation is a function $g : D \to R$, where $D = \{0, 1\}^a$ & $R = \{0, 1\}^n$ for some $a, n \ge 1$ with $a \ge n$.
Iterative hash function $h : (\{0, 1\}^b)^* \to \{0, 1\}^n$ defined by $h(X_0 \ldots X_{t-1}) = g(H_t)$, where $H_{i+1} = f(H_i, X_i)$ for $0 \le i \le t - 1$ and the chaining value $H_0 = IV \in \{0, 1\}^c$.
MD & SHA
Compression Function Mode
Davies-Meyer Construction
[Figure: Davies-Meyer construction, with $H_{i-1}$, $m_i$, block cipher $E$, $\oplus$ and $H_i$]
Matyas-Meyer-Oseas
[Figure: Matyas-Meyer-Oseas construction, with $m_i$, $H_{i-1}$, $g$, block cipher $E$, $\oplus$ and $H_i$]
Miyaguchi-Preneel
[Figure: Miyaguchi-Preneel construction, with $m_i$, $H_{i-1}$, $g$, block cipher $E$, $\oplus$ and $H_i$]
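The three compression function modes named on these slides, written out as equations. These are added here as the standard textbook definitions, with $E_K(x)$ denoting encryption of block $x$ under key $K$ and $g$ mapping a chaining value to a key:

$$\text{Davies-Meyer:}\quad H_i = E_{m_i}(H_{i-1}) \oplus H_{i-1}$$

$$\text{Matyas-Meyer-Oseas:}\quad H_i = E_{g(H_{i-1})}(m_i) \oplus m_i$$

$$\text{Miyaguchi-Preneel:}\quad H_i = E_{g(H_{i-1})}(m_i) \oplus m_i \oplus H_{i-1}$$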
Security of Iterative Hash Function
i. The choice of initial value, i.e. IV
If the IV is not fixed, collisions can be found.
ii. The choice of padding rule
If the padding procedure does not include the length of the input, a fixed-point attack is possible.
Weaknesses in MD Construction
Indifferentiability Attack
Length Extension Attack
Given $h(m)$ and the length of the message $m$.
$m$ is not known.
One can compute $h(m \,\|\, m')$.
The HMAC construction works around these problems.
$\mathrm{HMAC}_k(X) = h((k \oplus \mathrm{opad}) \,\|\, h((k \oplus \mathrm{ipad}) \,\|\, X))$
One collision $\implies$ infinitely many collisions.
Suppose $h(m) = h(m')$, where $m \ne m'$ and $|m| = |m'|$
$\implies h(m \,\|\, x) = h(m' \,\|\, x), \ \forall\, x$.
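An added example, not from the original slides: a toy Merkle-Damgård hash in Python that follows the definition $H_{i+1} = f(H_i, X_i)$ and shows why a secret-prefix MAC $h(k \,\|\, X)$ fails under length extension while HMAC holds, and how one chaining-value collision propagates to every common suffix. The compression function (truncated SHA-256), the 16-byte block, the key and the messages are constructed assumptions; extension produces $h(m \,\|\, \text{pad} \,\|\, m')$, with the padding of $m$ in between, and the collision is searched on whole blocks so the chaining values collide before padding.

```python
import hashlib
import struct

BLOCK = 16            # b: block size in bytes (toy value, assumption)
IV = bytes(8)         # fixed H_0; its length sets the chaining size n

def f(h, x):
    """Toy compression function: n + b bytes in, n bytes out (black box)."""
    return hashlib.sha256(h + x).digest()[:len(h)]

def md_pad(msg_len):
    """MD strengthening: 0x80, zero fill, then the 64-bit message bit length."""
    zeros = -(msg_len + 9) % BLOCK
    return b"\x80" + bytes(zeros) + struct.pack(">Q", 8 * msg_len)

def iterate(h, data):
    """H_{i+1} = f(H_i, X_i) over the whole blocks of data."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        h = f(h, data[i:i + BLOCK])
    return h

def md_hash(msg, iv=IV):
    """h(X_0 ... X_{t-1}) = g(H_t), with g the identity."""
    return iterate(iv, msg + md_pad(len(msg)))

def extend(digest, msg_len, suffix):
    """From h(m) and |m| alone, return (glue, h(m || glue || suffix))."""
    glue = md_pad(msg_len)
    total = msg_len + len(glue) + len(suffix)
    return glue, iterate(digest, suffix + md_pad(total))

def prefix_mac(key, msg):
    """Secret-prefix MAC h(k || X): forgeable through length extension."""
    return md_hash(key + msg)

def hmac_md(key, msg):
    """HMAC_k(X) = h((k xor opad) || h((k xor ipad) || X))."""
    key = key.ljust(BLOCK, b"\x00")          # assumes len(key) <= BLOCK
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return md_hash(opad + md_hash(ipad + msg))

def find_block_collision(iv):
    """Birthday search for two distinct blocks with the same chaining value."""
    seen, i = {}, 0
    while True:
        block = i.to_bytes(BLOCK, "big")
        state = f(iv, block)
        if state in seen:
            return seen[state], block
        seen[state] = block
        i += 1

def length_extension_demo():
    """Returns (prefix MAC forged?, HMAC forged?) for constructed inputs."""
    key, msg, suffix = b"constructed-key", b"constructed message", b" appended"
    tag = prefix_mac(key, msg)
    glue, forged = extend(tag, len(key) + len(msg), suffix)
    prefix_forged = prefix_mac(key, msg + glue + suffix) == forged
    htag = hmac_md(key, msg)
    glue2, guess = extend(htag, BLOCK + len(msg), suffix)
    hmac_forged = hmac_md(key, msg + glue2 + suffix) == guess
    return prefix_forged, hmac_forged

def collision_demo():
    """One collision on a 16-bit chaining value carries over to any suffix x."""
    iv = bytes(2)                            # tiny n so the search is instant
    m1, m2 = find_block_collision(iv)
    return m1 != m2 and all(
        md_hash(m1 + x, iv) == md_hash(m2 + x, iv)
        for x in (b"", b"a", b"any common suffix", bytes(100)))
```
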
$t$ compression function collisions $\implies$ $2^t$-multicollision
Herding Attack
Hash function   Output size   Diamond width (k)   Suffix length (blocks)   Work
MD5             128           41                  48                       $2^{87}$
SHA-1           160           52                  59                       $2^{108}$
SHA-256         256           84                  92                       $2^{172}$
J. Kelsey & T. Kohno,
Herding Hash Functions and the Nostradamus Attack,
EUROCRYPT’06, LNCS 4004
What are the design criteria? Analysis
Differential Attack of Chabaud & Joux
Attacking Step Reduced SHA-2 Family
Cross Dependence Equation
$E_i = A_i + A_{i-4} - \Sigma_0(A_{i-1}) - \mathrm{Maj}(A_{i-1}, A_{i-2}, A_{i-3})$.
Attacks on Standard Hash Functions
Hash    Author                  Attack type              Complexity                 Year
MD4     Dobbertin               collision                $2^{22}$                   1996
MD4     Wang et al.             collision                $2^{8}$                    2005
MD5     den Boer & Bosselaers   pseudo-collision         $2^{16}$                   1993
MD5     Dobbertin               free-start               $2^{34}$                   1996
MD5     Wang et al.             collision                $2^{39}$                   2005
SHA-0   Chabaud & Joux          collision                $2^{61}$ (theory)          1998
SHA-0   Biham & Chen            near-collision           $2^{40}$                   2004
SHA-0   Biham et al.            collision                $2^{51}$                   2005
SHA-0   Wang et al.             collision                $2^{39}$                   2005
SHA-1   Biham et al.            collision (40 rounds)    very low                   2005
SHA-1   Biham et al.            collision (58 rounds)    $2^{75}$ (theory)          2005
SHA-1   Wang et al.             collision (58 rounds)    $2^{33}$                   2005
SHA-1   Wang et al.             collision                $2^{63}$ (theory)          2005
SHA-1   Stevens et al.          collision                $< 2^{63.1}$ (practical)   2017
Hash      Author          Attack type             Complexity      Year
SHA-256   Sarkar et al.   collision (24 rounds)   $2^{15.5}$      2008
SHA-256   Sasaki et al.   preimage (41-step)      $2^{253.5}$     2009
SHA-512   Sarkar et al.   collision (24 rounds)   $2^{22.5}$      2008
SHA-512   Sasaki et al.   preimage (46-step)      $2^{511.5}$     2009
What are the design criteria? Alternative Constructions
Widepipe/ChopMD
S. Lucks proposed this design in 2005.
The hash function is designed using two compression functions:
i. $f : \{0,1\}^{w+b} \to \{0,1\}^w$
ii. $g : \{0,1\}^w \to \{0,1\}^n$, where $w > n$.
Randomised Hashing
This was proposed by Halevi and Krawczyk in 2006.
Designed to strengthen the MD construction.
Introduced two ways to design this:
i. Each message block $M_i$ is XORed with a random block $r$: $h_{i+1} := f(h_i, M_i \oplus r)$.
ii. A random block $r$ is used as a prefix of the message while still performing the XOR with $r$ for all message blocks.
HAIFA (HAsh Iterative FrAmework)
1. It was proposed by Biham and Dunkelman in 2006.
2. Compression function $f : \{0,1\}^{n+m+b+s} \to \{0,1\}^n$, with $h_{i+1} := f(h_i \,\|\, M_i \,\|\, \#\text{bits} \,\|\, \text{salt})$
3C Constructions
Gauravaram proposed this design in 2006.
Aimed at strengthening the Merkle-Damgård construction against multi-block collision attacks.
Sponge Construction
SHA-3 Hash Function
Requirements for SHA-3
Plug-compatible with SHA-2 in current applications
Support digests of 224, 256, 384, and 512 bits
Support messages of at least $2^{64}$ bits
Support digital signatures, hash-based MACs, PRFs, RNGs, KDFs, etc.
Required security properties
  Collision resistance of approximately n/2 bits,
  Preimage resistance of approximately n bits,
  2nd-preimage resistance of approximately n − k bits for any message shorter than $2^k$ bits,
  Resistance to length-extension attacks.
Time Line of Major Events
31 Oct 08 : SHA-3 Submission Deadline.
09 Dec 08 : Announced 51 First round candidates
24 Jul 09 : Announced 14 Second round candidates
09 Dec 10 : Announced 5 Third round candidates
02 Oct 12 : Announced the winner - Keccak
31 May 2014 : Published draft of FIPS 202
5 Aug 2015 : SHA-3 Standardised, FIPS-202: Permutation based
hash and Extendable-output functions (XOFs).
SHA3-224, SHA3-256, SHA3-384, SHA3-512,
SHAKE128 and SHAKE256.
Final Round of SHA-3
Algorithm Name   Principal Submitter
BLAKE            Jean-Philippe Aumasson
Grøstl           Lars Ramkilde Knudsen
JH               Hongjun Wu
Keccak           Joan Daemen
Skein            Bruce Schneier
Keccak Team
(L to R) Michaël Peeters, Guido Bertoni, Gilles Van Assche and Joan Daemen
SHA-3 Hash: Keccak
NIST chose Keccak over the 4 other excellent finalists for its
  elegant design,
  large security margin,
  good general performance,
  excellent efficiency in hardware implementations and for its flexibility.
Keccak uses a new “sponge construction” chaining mode, based on a fixed permutation, that can readily be adjusted to trade generic security strength for throughput, and can generate larger or smaller hash outputs as required.
The Keccak designers have also defined a modified chaining mode for Keccak that provides authenticated encryption.
The Keccak family of hash functions is based on the sponge construction.
They use as a building block a permutation from a set of 7 permutations (viz., of width 25, 50, 100, 200, 400, 800 and 1600).
Algorithm     Rate (r)   Capacity (c)   Depth (d)
Keccak-224    1152       448            28
Keccak-256    1088       512            32
Keccak-384    832        768            48
Keccak-512    576        1024           64
XOFs: Extendable-Output Functions
In FIPS 202, the SHA-3 family consists of six functions:
four cryptographic hash functions called SHA3-224, SHA3-256, SHA3-384 and SHA3-512, and two extendable-output functions called SHAKE128 and SHAKE256, which are
  the first XOFs that NIST has standardised
  specialized to hash functions in which the output can be extended to any desired length
  “128” and “256” indicate the security strength in SHAKE128 and SHAKE256
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
SHA-3 Hash Function Inside Keccak
The sponge construction
More general than a hash function: arbitrary-length output
Calls a b-bit permutation f, with b = r + c
  r bits of rate
  c bits of capacity (security parameter)
Keccak
Instantiation of a sponge function
  the permutation Keccak-f
  7 permutations: $b \in \{25, 50, 100, 200, 400, 800, 1600\}$
Security-speed trade-offs using the same permutation, e.g.,
  SHA-3 instance: r = 1088 and c = 512
    permutation width: 1600
    security strength 256: post-quantum sufficient
  Lightweight instance: r = 40 and c = 160
    permutation width: 200
    security strength 80: same as SHA-1
The state: an array of $5 \times 5 \times 2^\ell$ bits
5 × 5 lanes, each containing $2^\ell$ bits (1, 2, 4, 8, 16, 32 or 64)
(5 × 5)-bit slices, $2^\ell$ of them
https://summerschool-croatia.cs.ru.nl/2015/SHA3.pdf
Pieces of State in Keccak
Keccak-f summary
Round function: $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$
Number of rounds: $12 + 2\ell$
Keccak-f[25] has 12 rounds
Keccak-f[1600] has 24 rounds
Diffusion of θ
The effect of θ is to XOR each bit in the state with the parities of two columns in the array
https://keccak.team/figures.html
ρ for inter-slice dispersion
The effect of ρ is to rotate the bits of each lane by a length
π for disturbing horizontal/vertical alignment
The effect of π is to rearrange the positions of the lanes
χ – the nonlinear mapping in Keccak-f
The effect of χ is to XOR each bit with a non-linear function of two other bits in its row
ι to break symmetry
XOR of round-dependent constant to lane in origin
Without ι, the round mapping would be symmetric
Without ι, all rounds would be the same
Without ι, we get simple fixed points
The effect of ι is to modify some of the bits of Lane(0, 0) in a
manner that depends on the round index. The other 24 lanes are
not affected by ι.
Applications
Applications of Hash Functions
Truncated Message Digest
Digital Signatures
Message Authentication Codes (MAC)
Key Derivation Functions (KDF)
Pseudo-Random Bit Generation (PRBG)
Quynh Dang,
Recommendation for Applications Using Approved Hash
Algorithms, NIST SP 800-107, 2012.
SHA-3 Derived Functions
NIST recommended four types of SHA-3 derived functions, as follows:
cSHAKE: customizable variant of the SHAKE function
KMAC: Keccak Message Authentication Code
TupleHash: a variable-length hash function designed to hash tuples of input strings without trivial collisions
ParallelHash: a variable-length hash function that can hash very long messages in parallel
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf
Applications of Sponge Function
Regular hashing
Salted hashing
Mask generation function
Message authentication codes
Stream cipher
Single pass authenticated encryption
All the pictures related to Applications are taken from the presentation slides of the Keccak Team.