Conference Reports Editor: Carl Landwehr, [email protected]

The NIST Cryptographic Workshop on Hash Functions

Christian Rechberger and Vincent Rijmen, Graz University of Technology, Austria
Nicolas Sklavos, University of Patras, Greece

In light of recent breakthroughs in the cryptanalysis of hash functions, the US National Institute of Standards and Technology (NIST) organized a workshop to solicit input on issues such as the current status of the Secure Hash Algorithm-1 (SHA-1) family of hash functions and potential replacement options. The NIST Cryptographic Workshop on Hash Functions (www.csrc.nist.gov/pki/HashWorkshop/index.html) took place 31 October to 1 November 2005 in Gaithersburg, Maryland. The workshop attracted more than 200 participants from academia, industry, and government organizations. The conference featured two keynote speakers, five paper sessions, and four panel discussions.

Keynotes
The keynote speakers focused on recent advances in the cryptanalysis of SHA-1 and on design principles for hash functions.

Recent results on SHA-1
Xiaoyun Wang from Tsinghua University, China, gave the first keynote. Wang presented new attack results on SHA-1, which are part of the reason this workshop was initiated. In August 2004, more than a year before the workshop, she and her coauthors surprised the cryptographic community with a series of attack results that shattered trust in several of the most heavily used cryptographic hash functions. Among the first victims were Message Digest 4 (MD4) and Message Digest 5 (MD5). Later, due to Wang's work, even SHA-1 joined the club of broken hash functions. The first announcement of the break was in February 2005 and included a complexity estimate of 2^69 operations (against the 2^80 a generic birthday search on a 160-bit hash would need). Wang's talk announced an improvement of this attack to 2^63 operations. Because of Wang's earlier visa problems, this was the first time most researchers heard her discuss her attack on SHA-1, and they certainly appreciated the talk, even though not all the details of the new attack could be covered in the assigned time slot.

Design principles
Bart Preneel from the Katholieke Universiteit Leuven, Belgium, gave the second keynote. In it, he reviewed the design principles of iterated hash functions and raised several interesting questions, including how to formalize the various requirements on hash functions and how to feed key material into them. He also reviewed general results on the security properties of the hash functions used today. Among these are faster-than-expected ways to find multicollisions (a set of n > 2 messages that all produce the same hash value) and ways to find second preimages (another message that hashes to the same value as a given message) for very long messages. Several examples showed that hash function designers have so far been too optimistic about the security-related properties of hash functions. Preneel closed his presentation by announcing distinguishing attacks on reduced variants of the keyed-hash message authentication code (HMAC).
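Joux's 2004 multicollision construction, which is the faster-than-expected method I take Preneel's review to be referring to, as an added Python example that is not from the original report or from any workshop paper. The 24-bit toy Merkle-Damgård hash it runs against (truncated SHA-256 as the compression function, 4-byte blocks, and the IV) is constructed for this example so that each birthday search finishes in a few thousand compression calls; the construction itself is generic and works unchanged against any iterated hash:

```python
import hashlib
import itertools
from typing import List, Tuple

# Toy Merkle-Damgard hash, constructed for this example (not a real standard):
# a 24-bit chaining value, so one birthday search costs about 2^12 compression calls.
STATE_BYTES = 3
BLOCK_BYTES = 4
IV = bytes.fromhex("012345")


def compress(h: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 of (chaining value || block), truncated to 24 bits."""
    assert len(h) == STATE_BYTES and len(block) == BLOCK_BYTES
    return hashlib.sha256(h + block).digest()[:STATE_BYTES]


def toy_hash(msg: bytes) -> bytes:
    """Plain iteration over whole blocks. Padding is omitted because every message built
    below has the same block-aligned length, so MD strengthening would change nothing."""
    assert len(msg) % BLOCK_BYTES == 0
    h = IV
    for off in range(0, len(msg), BLOCK_BYTES):
        h = compress(h, msg[off:off + BLOCK_BYTES])
    return h


def find_block_collision(h: bytes) -> Tuple[bytes, bytes, int]:
    """Birthday search for two distinct single blocks with compress(h, a) == compress(h, b).
    Returns the pair and the number of compression calls spent."""
    seen = {}
    for ctr in itertools.count():
        block = ctr.to_bytes(BLOCK_BYTES, "big")   # every counter value is a distinct block
        out = compress(h, block)
        if out in seen:
            return seen[out], block, ctr + 1
        seen[out] = block


def joux_multicollision(t: int) -> Tuple[List[Tuple[bytes, bytes]], int]:
    """Chain t single-block collisions. Picking either block at each stage gives 2^t distinct
    messages with one common digest, for about t * 2^(n/2) work instead of the roughly
    2^(n * (2^t - 1) / 2^t) that a 2^t-way collision costs on an ideal n-bit hash."""
    h, stages, work = IV, [], 0
    for _ in range(t):
        a, b, calls = find_block_collision(h)
        stages.append((a, b))
        work += calls
        h = compress(h, a)  # == compress(h, b): both branches rejoin at this chaining value
    return stages, work


def expand(stages: List[Tuple[bytes, bytes]]) -> List[bytes]:
    """All 2^t messages spelled out by the per-stage choices."""
    return [b"".join(choice) for choice in itertools.product(*stages)]


def demo(t: int = 4) -> Tuple[int, int, int]:
    """Returns (distinct messages, distinct digests among them, compression calls spent)."""
    stages, work = joux_multicollision(t)
    msgs = expand(stages)
    digests = {toy_hash(m) for m in msgs}
    return len(set(msgs)), len(digests), work


if __name__ == "__main__":
    n_msgs, n_digests, work = demo()
    print(f"{n_msgs} distinct messages, {n_digests} distinct digest(s), {work} compression calls")
```

With t = 4 the run spends roughly 4 × 2^12 compression calls and produces 16 distinct messages sharing one digest, whereas a 16-way collision on an ideal 24-bit hash would cost about 2^(24·15/16) ≈ 2^22.5 work; the gap widens linearly in t on the attacker's side and exponentially on the ideal side, which is the "faster than expected" Preneel was pointing at.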

Paper sessions
The paper sessions covered topics ranging from the impact of collision attacks on hash functions and workarounds for them to compression function design issues and new proposals for hash algorithms. Each session contained two to five contributions from different authors.

Impact and workarounds
With five contributed papers, the largest session focused on the impacts of hash collisions and on workarounds. A paper from a German team highlighted the power of fast collision search attacks. Once completely random-looking collisions for nonstandard initial chaining values (IVs) are found for a hash function, meaningful colliding documents in common file formats become possible: attackers can use the Microsoft Word 97 or Adobe PDF formats, or even simple graphic file formats such as TIFF, to produce meaningful colliding files. This illustrates a very important gap in our knowledge: we still aren't sure how severely fast collision attacks affect various applications. Most application standards require collision-resistant hash functions, yet when fast collision attacks appear, application developers usually claim that this particular type of collision doesn't pose a threat to their application. The next team highlighted a possible impact of finding collisions in hash functions. Their paper pointed out the importance of a special type of preimage resistance, chosen target forced prefix (CTFP) preimage resistance, which, although never a formal requirement of hash functions, is implicitly relied on in several settings. It turns out that many examples can be constructed that rely on this special type of preimage resistance. The team described a herding attack on all iterated hash functions that is faster than what would be expected for an ideal hash function. For example, for an iterated hash function with a 128-bit output, the presented herding attack has a work factor of 2^87, whereas a work factor of 2^128 is expected for an ideal hash function. The problems of deploying new hash algorithms in environments such as secure MIME (S/MIME), Transport Layer Security (TLS), Internet Protocol security (IPsec), and others were the focus of another contribution. Its conclusion is that many standards and protocols are neither prepared for a smooth transition nor have the agility to switch from an older hash function to a newer one; the solutions offered require changes to all of these protocols. Michael Szydlo of RSA Laboratories and Hugo Krawczyk of IBM T.J. Watson Research Center presented two approaches that attempt to reduce the impact of currently known fast collision search attacks on the hash functions used today. One approach adds a preprocessing step before applying MD5 or SHA-1; the other adds randomness to the hash function input.
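As an added check on the 2^87 figure, not part of the original report: the cost of the herding attack (the analysis is Kelsey and Kohno's, which I take to be the paper meant here) has two parts. Building a "diamond structure" that funnels $2^k$ chaining values down to a single committed hash value of $n$ bits costs about

$$W_{\text{diamond}} \approx 2^{\,n/2 + k/2 + 2}$$

compression-function calls, and, once a prefix is forced on the attacker, finding one linking block that lands on any of the $2^k$ diamond entry points costs about

$$W_{\text{link}} \approx 2^{\,n-k}.$$

Balancing the two terms, $n/2 + k/2 + 2 = n - k$, gives $k = (n-4)/3$, so the total work is roughly

$$W \approx 2^{\,n - (n-4)/3} = 2^{\,(2n+4)/3}.$$

For $n = 128$ this is $k \approx 41$ and $W \approx 2^{87}$, the figure quoted above; for SHA-1's $n = 160$ it is $k = 52$ and $W \approx 2^{108}$, far below the $2^{n}$ an ideal hash function would demand for a CTFP preimage.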

Attack results on the SHA family
In this session, three talks covered recent attack results on SHA-1 and its successor SHA-256. We presented a framework for design-space exploration of SHA-like hash functions. Most modern hash functions consist of the iteration of a relatively simple step transformation; for instance, SHA-1 and SHA-512 have 80 steps, whereas SHA-256 has 64. SHA-1's security doesn't simply increase with the number of steps: adding steps sometimes decreases resistance against some of the new attacks. Using our proposed framework, we also showed that the choice of rotation constants influences this property. By developing new techniques, we showed a similar effect for SHA-256 in a second paper. Specifically, we noted that some nontrivial, low-weight expanded messages will be useful in the future analysis of members of the SHA-2 family, which is still in its infancy. Afterward, Hirotaka Yoshida from Hitachi gave another look at the SHA-256 compression function and some of its variants.

Design issues
Three proposals showed how to address recently discovered deficiencies in the way current hash functions iterate a compression function to hash an input of arbitrary length. One research team proposed, among other things, using prefix-free inputs to eliminate generic attacks. Another team suggested using square-free sequences as an efficient way to counter message-extension attacks. The third team's proposal introduced the concept of tagging to enhance the security that the conventional Merkle-Damgård (MD) construction provides. Two contributions proposed fixes or improvements for the compression function of the MD4 family and for SHA-1. The proposed fix for the MD4 family uses a bijective substitution box at every step, based on quasigroup theory. The SHA-1 improvement relies on the observation that finding low-weight expanded messages is a crucial building block of the recent attacks on SHA-1. Therefore, Charanjit Jutla of the IBM T.J. Watson Research Center suggested a new message expansion whose lower bound on the Hamming weight of expanded messages is provably higher than the bound for SHA-1's original message expansion. Finally, two teams proposed three new hash function designs. The first two proposals are variations of current designs, modified to thwart the recent attacks. The third design takes a completely different approach: its resistance to fast collision search is reduced to the number-theoretic problem of finding a nontrivial modular square root of a very smooth number modulo n. This design is fast compared to other approaches based on number-theoretic problems, but it's still very slow compared to hash functions such as SHA-256.

Panel discussions
One reason NIST organized this workshop was to bring together people from academia, industry, and government organizations to discuss various topics and recent work on hash functions. Thus, the panel discussions were vital to the workshop's success. Panels concerned topics such as the practical security implications of the continued use of SHA-1, SHA-256 as a suitable replacement for SHA-1, and a research agenda for future hash functions. An open discussion on future strategy concluded the workshop. In general, the panel discussions initiated lively debate not only among the panelists, but also among the workshop participants.

SHA-256 as a suitable replacement for SHA-1
This panel discussion started with an estimate of SHA-256's effectiveness 10 years from now. Half of the panel agreed that there will be a collision-search algorithm faster than brute force within the next 10 years, maybe even sooner. We certainly agree with that, because of all the currently known and used hash function designs, only MD2 has survived 10 years of cryptanalysis. The panelists agreed that it's possible to extend the currently known collision-search techniques to SHA-256, but that new techniques must be developed to make them useful. Thus, compared to SHA-1, the panelists viewed SHA-256's higher design complexity as the point at which new techniques would have to be mounted. The suitability of SHA-256 for long-term use was left open.

The continued use of SHA-1
The consensus among the panelists was that existing applications must be re-evaluated and that developers shouldn't use SHA-1 in any new applications. Because it takes more than five years until a new algorithm is fielded, many in the audience felt that a rush to change existing algorithms or to propose new ones isn't appropriate. Additionally, Preneel pointed out that if SHA-1 had twice the number of steps, the workshop wouldn't be needed in the first place. However, he felt that simply playing it safe by adding more steps is problematic, because various application constraints don't allow for wasted resources, and steps are a scarce resource: adding steps decreases performance at the same cost. Because a future hash standard (the term SHA-3 was mentioned) might be used ubiquitously, over-design is seen as problematic.


The general opinion was that the workshop was a success and that many important issues were addressed. Because not all problems could be solved in two days, a follow-up workshop is planned for August 2006. Most of the newly proposed hash function designs are small variations on the classical structure that the MD4 design pioneered. The new structures are carefully fine-tuned to make the current attacks on SHA-1 infeasible. Our personal opinion, however, is that better performance/security trade-offs can be reached by considering radically different designs. At the very least, a substantial effort should be made to evaluate designs that have little in common with the current SHA family. One of the goals of follow-up workshops should definitely be to encourage the submission of new and original designs.

Christian Rechberger is pursuing his PhD at the Institute of Applied Information Processing and Communications, Graz University of Technology, Austria. His research interests include the design, analysis, and implementation of efficient cryptographic primitives, cryptanalysis of hash functions, and side-channel analysis. Contact him at christian.rechberger@iaik.tugraz.at.

Vincent Rijmen is a professor of applied cryptography at the Graz University of Technology, Austria. He co-designed the block cipher Rijndael, which was selected in 2000 to become the Advanced Encryption Standard. Currently, he leads a research group focusing on the analysis and design of symmetric-cryptography primitives, mainly block ciphers and hash functions. Contact him at vincent. [email protected].

Nicolas Sklavos is a research fellow with the electrical and computer engineering department at the University of Patras, Greece. His research interests include cryptography, wireless communications security, network security, and very large-scale integration (VLSI) design. Sklavos has a PhD in electrical and computer engineering from the University of Patras, Greece. He is a member of the IEEE, the Technical Chamber of Greece, and the Greek Electrical Engineering Society. Contact him at [email protected].

IEEE Security & Privacy, January/February 2006. Published by the IEEE Computer Society.