Cryptographic Security Evaluation of MD4 Hash Function

PROCEEDINGS OF THE THIRTEENTH NATIONAL RADIO SCIENCE CONFERENCE, March 19-21, 1996, Cairo, Egypt


Essam Abdel-azeem, Cairo University, Faculty of Eng.

Reda Seireg, Military Research Center

Samir LShaheen, Cairo University, Faculty of Eng.

Abstract

Cryptography is the only powerful tool for achieving high levels of information security in a computer network environment. ISO had proposed five security service groups: confidentiality, authentication, data integrity, non-repudiation, and access control. Cryptography can support implementation of all these security services by using various cryptographic techniques, which include, among other things, conventional secret key algorithms, public-key algorithms, authentication procedures, and different digital signature schemes. Hash functions, in cryptography, are used for digital signature applications and authentication procedures. It is advisable, for cryptographic reasons, to sign only hashed messages. A secure hash function must be a one-way and collision-free function. So far, the cryptographic security of hash functions could be evaluated either by conducting detailed cryptanalysis or by using computational complexity theory. Each of these methods has its own shortcomings. In this paper, a new scheme for evaluating the cryptographic security of hash functions is proposed. The proposed scheme is simple, fast, and based on a solid mathematical model offered by the Markov process. The proposed scheme is then used to evaluate the cryptographic security of the Message Digest MD4 algorithm. Results came in accordance with what was conjectured and published.

I. Introduction

Hash functions have a long history in computer science [1]. Their earliest application was that of mapping a large sparsely filled file into a much smaller one. In cryptography they are used with authentication procedures and digital signature applications. It is always advisable to sign the hashed message (and not the message itself), because this will achieve:
(i) Preventing the cryptanalyst from restoring the plaintext of an encrypted message. If the signature function $D(\,)$ has an inverse $E(\,) = D^{-1}(\,)$, the item signed could be a concealed form of the encrypted message E(m), so signing it (rather than signing the hashed version of the message) would result in decrypting the encrypted message.
(ii) Preventing the attacker from having a valid signature for a forged message.
(iii) Reducing the time needed for signature generation and validation, since the size of the hashed message is much smaller than the size of the message itself.
(iv) Saving the storage required for signed messages.

In general, hash functions perform three main tasks. First, they compress or digest information (messages). Second, they randomize the compressed information with the aim of minimizing collisions. By collision, it is intended that two distinct messages hash to the same hash value. Third, they must be one-way functions, i.e., given an output hash value, it is not possible to find the input message for that specified output. From a cryptographic point of view, the collision-free and one-way properties are required to thwart the attacker from finding an alternative message that has the same hash value as the original message, and hence prevent him from producing a forged message signed by a valid signature. Since collision in hash functions is unavoidable, it must be rare and, if it happens, it must be in an unpredictable way [3], [5], [6].

In order to evaluate the cryptographic security of a hash function, one or the other of the following two methods may be used:
(i) subject the hash function to all conceivable cryptanalytic attacks, and provide results;
(ii) define the complexity class of the hash function, using computational complexity theory. Computational complexity theory classifies functions in broad classes (class P and class NP), according to their difficulty.

Each of the above methods has its own shortcomings. The extensive cryptanalytic attack method is lengthy and generally based on intuitive analysis, while computational complexity theory, if applicable, defines the complexity of the function in the worst case condition only, and gives no indication for other cases [3].

A new Evaluating Security Scheme (ESS) based on the Markov process model is proposed in section IV. Before introducing the proposed scheme, a brief description of the Message Digest algorithm MD4 is presented in section II, as a candidate hash function for use with the expected Digital Signature Standard (DSS). Section III reviews the Markov process model, and explains its applicability to model cryptographic functions. Then the proposed scheme (ESS) is used to evaluate the cryptographic security of MD4. Conclusions and recommendations for future work are outlined in section VI.

II. Message Digest MD4

The MD4 Message Digest algorithm was put in the public domain in 1990 for review and possible adoption as a standard, in conjunction with the expected digital signature standard DSS. The algorithm takes an input message of arbitrary length, and produces an output 128-bit fingerprint or message digest, such that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given pre-specified target message digest [3]. It is based on 512-bit block inputs (each block consists of 16 32-bit words) processed in three rounds using three non-linear functions. The functions are defined as

$$f(X,Y,Z) = XY \lor (\neg X)Z \tag{1}$$

$$g(X,Y,Z) = XY \lor XZ \lor YZ \tag{2}$$

$$h(X,Y,Z) = X \oplus Y \oplus Z \tag{3}$$

Each function takes as input three 32-bit words, and produces as output one 32-bit word, where $\neg X$ denotes the bit-wise complement of X, $X \lor Y$ denotes the bit-wise ORing of X and Y, and $X \oplus Y$ denotes the bit-wise XORing of X and Y. Four 32-bit registers A, B, C, D are used for representing intermediate and final hash values.

The MD4 algorithm consists of the following steps:
(1) Expand the message to a multiple of 512 bits, including a figure holding the message length. Expansion is made by adding a 1 bit and sufficient 0's.
(2) The four-register buffer is initialized to an initial value, so that the algorithm can handle all zero messages.
(3) Process 512-bit blocks in sequence, each in three rounds. Round 1 consists of 16 operations, which update A, B, C, D four times using old values, a function f( ), and the input blocks. Rounds 2 and 3 are similar to round 1 with different logical functions and magic constants. The complete definition for all operations involved is found in [.I].
(4) The message digest will be the final concatenated value of A, B, C, and D.

III. Markov Process Model

From section II, it is indicated that the MD4 algorithm is a sequential and probabilistic function. Therefore a Markov process is convenient for modeling it. In an N-state process, s(n) denotes the state number (i.e., 1, 2, ..., N) at any integer time n = 0, 1, 2, ..., which shows the number of transitions made by the process. A Markov process is defined if, for each state in the process and for each transition time, the probability of making the next transition to each other state is known. Thus the transition probability $p_{ij}$, which is the probability that a process in state i will occupy state j after its next transition, is defined as

$$p_{ij} = P\{\, s(n+1) = j \mid s(n) = i \,\} \tag{4}$$

where $1 \le i, j \le N$ and n = 0, 1, 2, .... The $N^2$ transition probabilities that describe completely a Markov process are conveniently represented by an $N \times N$ transition probability matrix P (TPM) [7]. For any Markov process the TPM is a stochastic matrix, because each row sums to one. The Markov process can be represented graphically by a transition diagram, which is formed of nodes (representing states) and directed line segments (representing transition probabilities).

Important relations and definitions,
used in this paper, are stated below without derivation or proof:

1) The n-step TPM, $\Phi(n)$, is an $N \times N$ matrix whose element $\phi_{ij}(n)$ is the probability that the process will occupy state j at time n, given that it occupied state i at time 0.

2) The relation between $\Phi(n)$ and P is given by the equation

$$\Phi(n) = P^{n} \tag{5}$$

where $P^{0} = I$ is the identity matrix, and n = 0, 1, 2, ....

3) The limiting multistep TPM, $\Phi$, is the value of $\Phi(n)$ when n is very large, i.e.,

$$\Phi = \Phi(\infty) = P^{\infty} \tag{6}$$

4) The state probability $\pi_i(n)$ is the probability that state i is occupied at time n, without including the state in which the process was started. The row vector formed by the N state probabilities at time n is called the state probability vector at time n, and is denoted by $\pi(n)$:

$$\pi(n) = [\, \pi_1(n), \pi_2(n), \ldots, \pi_N(n) \,] \tag{7}$$

It can be proved that

$$\pi(n) = \pi(0)\,\Phi(n) \tag{8}$$

As n becomes very large, $\pi(n)$ is called the limiting state probability vector $\pi$, where

$$\pi = \pi(\infty) = \pi(0)\,\Phi \tag{9}$$

5) Shrinkage factor (SF) is an indicator for how fast the process reaches the steady state condition, i.e., attaining the limiting state probabilities. SF equals the absolute value of the determinant of the TPM.

6) A chain is defined to be a set of states with the property that when the process enters any of them, it can never leave the set. One-, two-, and many-chain processes are called monodesmic, duodesmic, and polydesmic respectively. All states belonging to the same chain will have identical rows in the limiting multistep TPM, together with any transient states associated only with that chain [7].

A monodesmic process is characterized by a limiting multistep TPM, $\Phi$, with identical rows, and a limiting state probability vector $\pi$ which is one of these identical rows. A doubly stochastic monodesmic process is a process that has a TPM, P, with the property that both rows and columns sum to 1. The limiting multistep TPM, $\Phi$, in this case consists of equal elements, where each element equals 1/N, and hence the process is independent of the state where the process has been started. The limiting state probability vector $\pi$ is also independent of the initial starting state, and all limiting state probabilities are identical and equal to 1/N.

Finally, a mergeable process is a process all of whose states can be divided into groups satisfying certain conditions; by designating these groups as super states, the dimensionality of the TPM is reduced, which reduces the computation effort involved in manipulating the matrix P. Merging will not affect the nature or behavior of the Markov process. Unfortunately, finding such a grouping is not easy. Trying all possible groupings until one is found is not a smart way to perceive merger possibilities.
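The Section III quantities worked through on two small transition probability matrices, as an added example that is not code from the paper: it computes $\Phi(n) = P^n$, $\pi(n) = \pi(0)\Phi(n)$, the shrinkage factor $|\det P|$, and the number of chains, taken here as the multiplicity of eigenvalue 1 and computed as N - rank(P - I). The two matrices and all function names are constructed for illustration.

```python
from fractions import Fraction as F

# Constructed 3-state TPMs: one doubly stochastic chain; two trapping states plus a transient one.
DOUBLY = [[F(1, 2), F(1, 4), F(1, 4)], [F(1, 4), F(1, 2), F(1, 4)],
          [F(1, 4), F(1, 4), F(1, 2)]]
TWO_CHAIN = [[F(1), F(0), F(0)], [F(0), F(1), F(0)], [F(1, 2), F(1, 2), F(0)]]

def mat_mul(a, b):
    """Matrix product of two lists of rows (exact when entries are Fractions)."""
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def n_step_tpm(p, n):
    """Phi(n) = P^n by repeated squaring, with P^0 = I (relation 5)."""
    result = [[F(int(i == j)) for j in range(len(p))] for i in range(len(p))]
    while n:
        if n & 1:
            result = mat_mul(result, p)
        p, n = mat_mul(p, p), n >> 1
    return result

def rank_and_det(m):
    """Exact rank and determinant of a square matrix by Gaussian elimination."""
    a, rank, det = [[F(x) for x in row] for row in m], 0, F(1)
    for col in range(len(a)):
        pivot = next((r for r in range(rank, len(a)) if a[r][col] != 0), None)
        if pivot is None:          # no pivot in this column: matrix is singular
            det = F(0)
            continue
        if pivot != rank:          # a row swap flips the sign of the determinant
            a[rank], a[pivot], det = a[pivot], a[rank], -det
        det *= a[rank][col]
        for r in range(rank + 1, len(a)):
            factor = a[r][col] / a[rank][col]
            a[r] = [x - factor * y for x, y in zip(a[r], a[rank])]
        rank += 1
    return rank, det

def shrinkage_factor(p):
    """SF = |det P| (definition 5)."""
    return abs(rank_and_det(p)[1])

def chain_count(p):
    """Multiplicity of eigenvalue 1, i.e. N - rank(P - I) for a stochastic P."""
    shifted = [[F(x) - int(i == j) for j, x in enumerate(row)] for i, row in enumerate(p)]
    return len(p) - rank_and_det(shifted)[0]

def state_probabilities(pi0, p, n):
    """pi(n) = pi(0) Phi(n) (relation 8)."""
    return mat_mul([pi0], n_step_tpm(p, n))[0]
```

For `DOUBLY` the state probabilities converge to 1/3 whatever the starting state, while for `TWO_CHAIN` the limit depends on where the process started, which is the difference between a monodesmic and a duodesmic process.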

IV. A New Proposed Scheme for Evaluating Cryptographic Security of Hash Functions (ESS)

We propose in this section an Evaluating Security Scheme (ESS) for cryptographic security evaluation of hash functions based on the Markov process. The idea is to represent the hash function under study as a manageable Markov process. Then 4 parameters are calculated. Two of them characterize the limiting state conditions of the process: the probability of inverting the one-way hash function, $p_i$, and the probability of collision, $p_c$. The other two parameters are the eigenvalues of the TPM and the shrinkage factor. They describe the transient behavior of the Markov process. Probability of inversion is defined as the probability of getting a possible input to the hash function for a given output value, while collision probability is the probability of having two distinct inputs hash to the same hash value. As $p_i$ and $p_c$ become smaller, the hash function is cryptographically more secure. On the other hand, the eigenvalues and the shrinkage factor give an indication of how fast the process reaches its limiting state conditions. As the transient time becomes smaller, the hash function is considered cryptographically stronger.

of transitions, while a trapping state is the state that, once entered, can never be left

The new ESS scheme consists of the following steps:

1) Step 1: Reduce the number of states for the Markov process representing the hash function to a manageable number N, provided that this reduction does not affect the process type. Let N' and N denote the number of states for the complete (original) process and the reduced or scaled down process respectively. Reducing the number of states can be done either by:
(i) using the mergeable process technique, as explained in section III. Usually it is not easy to perceive merger possibilities, therefore this method is not practical for most cases.
(ii) scaling down the algorithm of the hash function by dividing the number of bits in each step of the algorithm by an appropriate scaling down factor, as in the case of prototype modeling in mechanical engineering and in control problems.
Reducing the number of states to a manageable number makes calculations much easier, and minimizes the evaluation time.

2) Step 2: Determine, from the definition of the hash function, the TPM, P, for the reduced (scaled down) Markov process that represents the hash function under evaluation. This step is of vital importance, since the Markov process is defined completely by the definition of P and all subsequent steps are dependent on it.

3) Step 3: Calculate $\Phi$, the eigenvalues, and the shrinkage factor SF, then:
(i) Determine the number of chains in the Markov process, which equals the number of eigenvalues that have a value of 1. Note that every stochastic matrix, and hence every TPM, must have at least one eigenvalue that equals 1.
(ii) Compute the probability of inversion $p_i$ and the probability of collision $p_c$ from