Cryptographic hash functions. Trends and challenges


Rodica Tirtea

Department of Computer Science, Faculty of Electrical Engineering and Information Technology, University of Oradea, 1 Universitatii street, 410087 Oradea, Bihor, Romania, E-Mail: [email protected]

Abstract – Hash functions are important in cryptography due to their use in data integrity and message authentication. Different cryptographic implementations rely on the performance and strength of hash functions to meet the need for integrity and authentication. This paper gives an overview of the cryptographic hash functions used or evaluated today. The hash functions selected in the NESSIE and CRYPTREC projects are briefly presented. The SHA-3 selection initiative is also introduced.

Keywords: hash function, cryptography, data integrity, message authentication

I. INTRODUCTION

A cryptographic hash function maps a binary string of variable length (i.e. a message or a file) to a binary string (i.e. a message digest) of a fixed length n, with n sometimes indicated in the name of the hash function algorithm (SHA-256, SHA-512, RIPEMD-160, etc.). Hash functions are used in cryptography for data integrity and message (data origin) authentication.

A. Usage of hash functions

Hash functions are used for data integrity in conjunction with digital signature schemes. Initially the message is hashed, and then the hash value (message digest), as a representative of the message, is signed in place of the original message. In this way time and space are saved compared with signing the entire message (block by block).

A typical usage of hash functions for data integrity is as follows. The hash value (i.e. message digest) corresponding to a particular (original) message is computed initially. The integrity of this hash value (but not the message itself) is protected in some manner. Later, the following test is carried out to determine whether the message has been altered, i.e., whether a message is the same as the original message. The hash value of the message is computed and compared to the protected hash value; if they are equal, one accepts that the inputs are also equal, and thus that the message has not been altered. The problem of preserving the integrity of a potentially large message is thus reduced to that of a small fixed-size hash value [1]. To be useful from a cryptographic point of view, a hash function has to fulfil some requirements: (a) it must be difficult for two distinct messages to have the same hash value; (b) knowing a hash value, it must be computationally infeasible to find a message with that hash value.

B. Classification of hash functions

For data origin authentication there is a special class of hash functions that use a key. Hash functions without a key are used for data integrity.

According to [1], a function used mainly to detect changes in signed messages is called a modification detection code (MDC) or manipulation detection code, and less commonly a message integrity code (MIC). MDCs are a subclass of unkeyed hash functions (in contrast to the keyed hash functions discussed later in this section).

A one-way hash function (OWHF) is an MDC for which it is difficult to find an input which hashes to a prespecified hash value. A collision resistant hash function (CRHF) is characterized by the difficulty of finding any two inputs having the same hash value.

For data origin authentication, message authentication codes (MACs) are used. The purpose of a MAC is to facilitate, without the use of any additional mechanisms, assurances regarding both the source of a message and its integrity. MACs have two functionally distinct parameters, a message input and a secret key. MACs are keyed hash functions [1]. For a MAC, the design intent is that it be infeasible to produce the same output without knowledge of the key.

In this paper we identify the relevant hash functions in use at the moment and whether there are security concerns about them. The selection processes targeting hash functions are briefly presented and the selected algorithms are listed. The last section addresses the on-going SHA-3 competition initiated by the National Institute of Standards and Technology (NIST).
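The integrity procedure of section I.A and the MDC/MAC distinction of section I.B, as an added example that is not part of the paper: SHA-256 plays the unkeyed hash (MDC) and HMAC-SHA-256 the keyed hash (MAC); the message, the key and the altered message are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data (not from the paper).
MESSAGE = b"transfer 100 EUR to account 12345"
KEY = b"constructed-demo-key-do-not-reuse"

def mdc(message: bytes) -> bytes:
    """Unkeyed hash (MDC): the message digest anyone can recompute."""
    return hashlib.sha256(message).digest()

def mac(key: bytes, message: bytes) -> bytes:
    """Keyed hash (MAC): HMAC-SHA-256 over the message with a secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_integrity(message: bytes, protected_digest: bytes) -> bool:
    """Section I.A procedure: recompute the digest and compare it with the
    copy whose integrity was protected separately (e.g. by a signature)."""
    return hmac.compare_digest(mdc(message), protected_digest)

def verify_origin(key: bytes, message: bytes, tag: bytes) -> bool:
    """Data origin authentication: only a holder of the key can produce a
    tag that matches the message."""
    return hmac.compare_digest(mac(key, message), tag)

def demo() -> dict[str, bool]:
    """Contrast the two classes: an MDC detects modification only while the
    digest itself stays protected; a MAC also binds the message to the key."""
    digest = mdc(MESSAGE)
    tag = mac(KEY, MESSAGE)
    altered = b"transfer 900 EUR to account 12345"
    return {
        # unkeyed hash: original accepted, altered message rejected
        "mdc_accepts_original": verify_integrity(MESSAGE, digest),
        "mdc_rejects_altered": verify_integrity(altered, digest),
        # if the digest is not protected, a recomputed digest for the altered
        # message passes: this is why the hash value's integrity must be protected
        "mdc_accepts_altered_with_replaced_digest": verify_integrity(altered, mdc(altered)),
        # keyed hash: a tag computed without the right key does not verify
        "mac_accepts_original": verify_origin(KEY, MESSAGE, tag),
        "mac_rejects_altered": verify_origin(KEY, altered, tag),
        "mac_rejects_tag_from_other_key": verify_origin(KEY, altered, mac(b"other", altered)),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```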

II. PROPERTIES OF HASH FUNCTIONS

Some of the properties of hash functions are due to implementation requirements. For instance, it is useful to have a hash function which is easy to implement (easy to compute the hash of a message) and which, at the same time, compresses the information (the message).

Other properties are driven by the requirements of the cryptographic environment. As such we have three properties:

• preimage resistance (one-way function): it is computationally infeasible to determine a message which gives a certain hash result;

• 2nd-preimage resistance (also known as weak collision resistance): it is computationally infeasible to determine a second message with the same hash;

• collision resistance (also called strong collision resistance): it is computationally infeasible to determine two messages which have the same hash.

The one-way hash function is a hash function (i.e., offering ease of computation and compression) with the additional properties defined above: preimage resistance and 2nd-preimage resistance [1]. The collision resistant hash function is a hash function characterized by 2nd-preimage resistance and collision resistance.

III. EVALUATIONS OF HASH FUNCTIONS

In this section we briefly present the hash functions evaluated and selected in the NESSIE and CRYPTREC projects.

A. NESSIE research project

The main objective of NESSIE (New European Schemes for Signature, Integrity, and Encryption), a European-funded IST project, was to select strong cryptographic primitives of various types (block ciphers, stream ciphers, digital signature algorithms, hash functions, etc.).

The project started with an open call for the submission of cryptographic primitives as well as for evaluation methodologies for these primitives. The scope of the call was published in March 2000 [2]. Long-term security, market requirements, efficiency, and flexibility were the main selection criteria specified in the NESSIE call for cryptographic primitives [2]. Well established standard algorithms were added for evaluation together with the algorithms received for evaluation.

The Whirlpool algorithm was submitted in the hash function category, and UMAC and Two-Track-MAC in the MAC category.

The NESSIE project consortium announced the final selection of cryptographic algorithms [3] in February 2003. Whirlpool (proposed by Scopus Tecnologia S.A., Brazil and K.U.Leuven, Belgium) and SHA-256, SHA-384 and SHA-512 (added for evaluation; part of the USA standard FIPS 180-2) were selected in the hash function category.

• The SHA (Secure Hash Algorithm) hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by NIST as a U.S. Federal Information Processing Standard. The three SHA algorithms (SHA-0, SHA-1, and SHA-2) have different structures. The SHA-2 family uses an identical algorithm with a variable digest size, i.e. SHA-256, SHA-384, and SHA-512. The SHA-2 family returns a number of bits identical to the number in the name and operates on messages not longer than 2^64-1, 2^128-1 and 2^128-1 bits respectively.

• Whirlpool is a hash function based on the Square block cipher (also used for designing Rijndael, which was selected as the Advanced Encryption Standard (AES)). Whirlpool returns a 512-bit message digest from a message of up to 2^256 bits in length. Whirlpool has been adopted as part of the joint ISO/IEC 10118-3 international standard (International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)).

TABLE I. Hash algorithms selected by NESSIE.

Algorithm                        Hash length         Block size         Max. message length
SHA-256, SHA-384, and SHA-512    256, 384, and 512   512, 1024, 1024    2^64-1, 2^128-1, and 2^128-1 bits
Whirlpool                        512                 512                2^256 bits

Table I summarizes the parameters of the hash functions selected by the NESSIE research project. Two-Track-MAC (proposed by K.U.Leuven, Belgium and debis AG, Germany), UMAC (proposed by Intel Corp., USA, Univ. of Nevada at Reno, USA, IBM Research Laboratory, USA, Technion, Israel and Univ. of California at Davis, USA), CBC-MAC (ISO/IEC 9797-1) and HMAC (ISO/IEC 9797-1) were selected in the MAC category (the last two were added for evaluation as MAC standards).

B. CRYPTREC IPA research project (CRYPTography Research and Evaluation Committees)

The Information-technology Promotion Agency (IPA) in Japan initiated the CRYPTREC project (CRYPTography Research and Evaluation Committees) with the scope of defining standard cryptographic algorithms for use within the Japanese e-Government infrastructure [4].

The CRYPTREC project started in 2000. Different types of cryptographic techniques were submitted to the formal Call for Cryptographic Techniques.

As in the case of the NESSIE initiative, the CRYPTREC call was open for different types of primitives. Some of the algorithms evaluated in the NESSIE project (e.g. RC6, MISTY1, Camellia, AES) were also submitted to CRYPTREC for evaluation [3]. In CRYPTREC, as in the NESSIE evaluation, some well known or standard primitives were added for evaluation.

In the hash function category no algorithm was received. However, the CRYPTREC team included MD5, RIPEMD-160 and SHA-1 for evaluation due to their use in internet security mechanisms.

After evaluation, in 2003, only RIPEMD-160, SHA-1, SHA-256, SHA-384 and SHA-512 were recommended, with a note for RIPEMD-160 and SHA-1 that if any hash function with a longer hash value is available, it is preferable that a 256-bit (or longer) hash function be selected [4]. However, this does not apply in cases where the hash to be used has already been designed according to the public-key cryptographic specifications.

• RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest) is a 160-bit message digest algorithm (and cryptographic hash function) developed at K.U.Leuven (Belgium) and first published in 1996. It is an improved version of RIPEMD, uses the design principles of MD4, and has performance similar to SHA-1.

• RIPEMD-128, RIPEMD-256, and RIPEMD-320 are the 128, 256 and 320-bit versions of this algorithm. The 256 and 320-bit versions reduce the chance of collision, without reaching a higher level of security as compared to RIPEMD-160.

TABLE II. Hash algorithms.

Algorithm                             Hash length         Block size
RIPEMD-160                            160                 512
RIPEMD-256, RIPEMD-384, RIPEMD-512    256, 384, and 512   512, 512, 512

Table II summarizes the parameters of the hash functions which meet the requirements of the CRYPTREC research project.

IV. SECURITY CONCERNS

Section II presents the properties of hash functions using the expression "computationally infeasible". All properties are fulfilled given the current computing power; as computing power increases every year, even if no new attacks are developed, the increase in computing power weakens the resistance of current hash functions.

New attacks addressing the collision resistance of hash functions have been published recently [5, 6, 7, 8]. Such attacks try to determine two messages which have the same hash using fewer operations.

In 2005 an attack on MD5 using differential analysis was presented which allows finding collisions efficiently [5]. The same attack [5], applied to HAVAL-128, MD4, RIPEMD, and SHA-0, reduced the number of operations for determining a second message with the same hash.

Even if the number of operations required for the attack is considerable, such attacks reduce the ideal number of operations assumed to be required for breaking hash functions. Such findings motivated NIST to look for new, resistant hash functions.

Other attacks addressing hash functions and message authentication codes are presented in [9, 10, 11].

V. SHA-3 EVALUATION PROCESS

The National Institute of Standards and Technology (NIST) launched an open competition for a new SHA-3 function in 2007 [12]. NIST initiated this competition to select one or more hash functions. The deadline for submission of hash functions was scheduled for the end of October 2008. NIST received 51 algorithms for this call.

At this moment the selection process has started and the results will be published in 2012, when the proclamation of a winner and publication of the new standard are scheduled.

Table III lists the 51 algorithms submitted to the SHA-3 competition [12]. As can be seen from the table, some of the algorithms are already broken. Evaluations of the algorithms submitted to SHA-3 are expected to be published in 2009. However, the evaluation will be carried out until 2012, when the final results are going to be published by NIST. Some algorithms have been withdrawn by the authors or are broken and are marked by *1 in the observation column. Later, another algorithm was withdrawn (SHAMATA).

TABLE III. Algorithms submitted for SHA-3 selection.

Nr. Crt.   Algorithm Name       Principal Submitter         Obs.
1          Abacus               Neil Sholer                 *1
2          ARIRANG              Jongin Lim
3          AURORA               Masahiro Fujita (Sony)
4          BLAKE                Jean-Philippe Aumasson
5          Blender              Dr. Colin Bradbury
6          Blue Midnight Wish   Svein Johan Knapskog
7          BOOLE                Greg Rose                   *1
8          Cheetah              Dmitry Khovratovich
9          CHI                  Phillip Hawkes
10         CRUNCH               Jacques Patarin
11         CubeHash             D. J. Bernstein
12         DCH                  David A. Wilson             *1
13         Dynamic SHA          Xu Zijie
14         Dynamic SHA2         Xu Zijie
15         ECHO                 Henri Gilbert
16         ECOH                 Daniel R. L. Brown
17         EDON-R               Danilo Gligoroski
18         EnRUPT               Sean O'Neil
19         ESSENCE              Jason Worth Martin
20         FSB                  Matthieu Finiasz
21         Fugue                Charanjit S. Jutla
22         Gröstl               Lars Ramkilde Knudsen
23         Hamsi                Ozgul Kucuk
24         JH                   Hongjun Wu
25         Keccak               Joan Daemen
26         Khichidi-1           M Vidyasagar                *1
27         LANE                 Sebastiaan Indesteege
28         Lesamnta             Hirotaka Yoshida
29         Luffa                Dai Watanabe
30         LUX                  Ivica Nikolic
31         MCSSHA-3             Mikhail Maslennikov
32         MD6                  Ronald L. Rivest
33         MeshHash             Björn Fay                   *1
34         NaSHA                Smile Markovski
35         SANDstorm            Rich Schroeppel
36         Sarmal               Kerem Varici
37         Sgàil                Peter Maxwell
38         Shabal               Jean-Francois Misarsky
39         SHAMATA              Orhun Kara
40         SHAvite-3            Orr Dunkelman
41         SIMD                 Gaetan Leurent
42         Skein                Bruce Schneier
43         Spectral Hash        Cetin Kaya Koc
44         StreamHash           Michal Trojnara             *1
45         SWIFFTX              Daniele Micciancio
46         Tangle               Rafael Alvarez              *1
47         TIB3                 Daniel Penazzi
48         Twister              Michael Gorski
49         Vortex               Michael Kounavis
50         WaMM                 John Washburn               *1
51         Waterfall            Bob Hattersley              *1

*1 Submitter has conceded that the algorithm is broken.
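The "ideal number of operations" that section IV measures attacks against follows from the properties of section II: for an n-bit digest, a generic collision search costs about 2^(n/2) hash evaluations (birthday paradox) while a generic 2nd-preimage search costs about 2^n. The following added example (not from the paper) makes both costs observable by truncating SHA-256 to a small n; the messages are constructed, and a dedicated attack like [5] is precisely one that beats these generic figures.

```python
import hashlib
import itertools
import math

def truncated_hash(message: bytes, n_bits: int) -> int:
    """Toy n-bit hash: SHA-256 truncated to its first n bits, so the generic
    work factors can be observed at small n (this is a demonstration, not a
    weakness of SHA-256 itself)."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)

def find_collision(n_bits: int) -> tuple[bytes, bytes, int]:
    """Generic collision search: hash fresh messages until a digest repeats.
    Expected cost is about sqrt(pi/2 * 2^n), i.e. roughly 2^(n/2) evaluations,
    independent of the hash function's design."""
    seen: dict[int, bytes] = {}
    for i in itertools.count():
        m = b"msg-%d" % i                # constructed, pairwise distinct messages
        h = truncated_hash(m, n_bits)
        if h in seen:
            return seen[h], m, i + 1     # two inputs, one digest, evaluations used
        seen[h] = m

def find_second_preimage(target: bytes, n_bits: int) -> tuple[bytes, int]:
    """Generic 2nd-preimage search: try messages until one hits the target's
    digest. Expected cost is about 2^n evaluations, which is why a digest
    length is chosen against the cheaper collision bound."""
    want = truncated_hash(target, n_bits)
    for i in itertools.count():
        m = b"alt-%d" % i
        if m != target and truncated_hash(m, n_bits) == want:
            return m, i + 1

def expected_generic_cost(n_bits: int) -> dict[str, float]:
    """Ideal work factors a dedicated attack is compared against."""
    return {"collision": math.sqrt(math.pi / 2 * 2 ** n_bits),
            "second_preimage": 2.0 ** n_bits}

if __name__ == "__main__":
    n = 32
    a, b, trials = find_collision(n)
    print(f"{n}-bit collision after {trials} hashes "
          f"(expected ~{expected_generic_cost(n)['collision']:.0f}): {a!r} {b!r}")
    n = 16
    m, trials = find_second_preimage(b"original message", n)
    print(f"{n}-bit 2nd preimage after {trials} hashes "
          f"(expected ~{expected_generic_cost(n)['second_preimage']:.0f}): {m!r}")
```

Running it shows the collision for 32 bits found in tens of thousands of evaluations while the 16-bit 2nd preimage already needs a comparable count; doubling n doubles the 2nd-preimage exponent but only adds one bit to the collision exponent.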

VI. CONCLUSIONS

This paper presents the state of the art regarding selected/evaluated hash functions and on-going competitions. It identifies the evaluation and selection processes addressing hash functions. The hash functions selected by the NESSIE and CRYPTREC research projects are briefly introduced. The SHA-3 competition is presented as well.

REFERENCES

[1] A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, available at: http://www.cacr., last visited March 2009.
[2] NESSIE, Call for Cryptographic Primitives, Version 2.2, 8th March 2000, available at: nessie/call/, last visited March 2009.
[3] NESSIE consortium, NESSIE project announces final selection of crypto algorithms, February 27, 2003, available at: nessie/deliverables/press_release_feb27.pdf, last visited March 2009.
[4] CRYPTREC site, Evaluation of Cryptographic Techniques, available at: security/enc/CRYPTREC/index-e.html, last visited March 2009.
[5] Xiaoyun Wang and Hongbo Yu, How to Break MD5 and Other Hash Functions, Advances in Cryptology – EUROCRYPT 2005, 2005, pp. 19-35.
[6] E. Biham, R. Chen, Near collisions for SHA-0, Advances in Cryptology – CRYPTO 2004, 2004, LNCS 3152, pp. 290-305.
[7] A. Joux, Collisions for SHA-0, rump session of CRYPTO 2004, 2004.
[8] X.Y. Wang, F.D. Guo, X.J. Lai, H.B. Yu, Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD, rump session of CRYPTO 2004, E-print, 2004.
[9] S. Contini, Y. L. Yin, Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions, Advances in Cryptology – ASIACRYPT 2006, LNCS, November 15, 2006, pp. 37-53.
[10] M. Gorski, S. Lucks, T. Peyrin, Slide Attacks on Hash Functions, ASIACRYPT 2008, Lecture Notes in Computer Science, Springer, 2008.
[11] E. Andreeva, C. Bouillaguet, P. A. Fouque, J. J. Hoch, et al., Second preimage attacks on dithered hash functions, Advances in Cryptology – EUROCRYPT 2008, LNCS, April 05, 2008, pp. 270-288.
[12] National Institute of Standards and Technology (NIST), webpage for SHA-3 selection - Cryptographic hash project, Background Information, last visited March 2009,