Hash Algorithms

Hash Algorithms
Driven by the slowness of RSA in signing a message. The idea
was to create (relatively fast) a digest of a message and sign that.
This was the origin of MD and MD2 algorithms by Ron Rivest
In 1989.
Merkle developed SNEFRU in 1990. It was many times faster
than MD2.
This prompted Rivest in 1990 to create MD4 which exploited
microprocessor operations on newer chips.
SNEFRU was cracked in 1992 by Shamir.
A variant of MD4 was cracked in 1991.
MD5 nervously rolled out in 1992.
MD4 was severly cracked in 1995.
In the 2000s: can create two files with the same hash, can fake
SSL certificate validity – MD5 no longer recommended.
 Hash Algorithms
SHA1 (Secure Hash Algorithm) NSA (1995)
Successor to and replacement for MD5
Used in IPSec, SSL, TLS, PGP, SSH, and more (shows up in Java)
Was required by US government crypto applications

Also: SHA2-224, SHA2-256, SHA2-384, SHA2-512

SHA2-224 has digest to match 3DES keys
SHA3-224, SHA3-256, SHA3-384, SHA3-512
Now required by US government crypto applications
Takes digest of up to 264 bit messages – digest size is 160 bits
August, 2005: attack announced – find collisions in fewer than
263 operations (should have been 280 – square root of 2160)
Operates in stages – each stage mangles the pre-stage message
by a sequence of operations based on current message block
Hash Algorithms
 Hash Algorithms

Merkle-Damgård construction for SHA-1 and SHA-2

f is a one-way function that transforms two fixed length inputs to
an output of the same size as one of the inputs
IV is an initialization vector
 SHA-1 Algorithm
Pre-process the message – pad and end with size:

... Message – 512 bit block Message 1 0000 size

 
One bit of '1' following message

Pad with 0's to within 64 bits of end of block

Last 64 bits of last block get the size of the message in bits
 SHA-1 Algorithm
Break block into 16 32 bit words:

512 bit block

32 bit words

W0 W1 W2 ... W15
 SHA-1 Algorithm
Break block into 16 32 bit words:

512 bit block

32 bit words

W0 W1 W2 ... W15

Extend to 80 32 bit words (2560 bits):

for t from 16 to 79
Wt = (Wt-3 ⊕ Wt-8 ⊕ Wt-14 ⊕ Wt-16) <<< 1
 SHA-1 Algorithm
Define variables A=0x67452301,B =0xEFCDAB89,
C =0x98BADCFE,D =0x10325476,
E =0xC3D2E1F0
Define F and Kt according to round:
Rounds 1 to 20: F = (B ∧ C) ∨ (¬B ∧ D)
30
Kt = 0x5A827999 2 .sqrt(2)
Rounds 21 to 40: F = (B ⊕ C ⊕ D)
30
Kt = 0x6ED9EBA1 2 .sqrt(3)
Rounds 41 to 60: F = (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)
30.
Kt = 0x8F1BBCDC 2 sqrt(5)
Rounds 61 to 80: F = (B ⊕ C ⊕ D)
30.
Kt = 0xCA62C1D6 2 sqrt(10)
 SHA-1 Algorithm

160 bit block Last round:

(5 32 bit words) A-E is the digest

temp = (A <<<5) + F + E + Kt + wt
E = D
D = C
C = B <<<30 addition mod 232
B = A
A = temp
 SHA-1 Algorithm
Finally, update the 160 bit hash:

H1 += A
H2 += B
H3 += C
H4 += D
H5 += E
 SHA-256 Algorithm
//Initialize variables
// First 32 bits of fractional part of the square
// roots of the first 8 primes
h0 = 0x6a09e667
h1 = 0xbb67ae85
h2 = 0x3c6ef372
h3 = 0xa54ff53a
h4 = 0x510e527f
h5 = 0x9b05688c
h6 = 0x1f83d9ab
h7 = 0x5be0cd19
 SHA-256 Algorithm
//Initialize table of round constants:
// First 32 bits of the fractional part of the cube
// roots of the first 64 primes
K1 – K64 =
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
 SHA-256 Algorithm
Same pre-processing, same initialization of W1 - W15
//Extend the 16 32-bit words into 64 32-bit words:
for t from 16 to 63
s0 = (Wi-15 >>>7)⊕(Wi-15 >>>18)⊕(Wi-15 >>3)
s1 = (Wi-2 >>>17)⊕(Wi-2 >>>19)⊕(Wi-2 >>10)
Wi = Wi-16 + s0 + Wi-7 + s1
 SHA-256 Algorithm
Same pre-processing, same initialization of W1 - W15
//Extend the 16 32-bit words into 64 32-bit words:
for t from 16 to 63
s0 = (Wi-15 >>>7)⊕(Wi-15 >>>18)⊕(Wi-15 >>3)
s1 = (Wi-2 >>>17)⊕(Wi-2 >>>19)⊕(Wi-2 >>10)
Wt = Wi-16 + s0 + Wi-7 + s1

//Initialize hash value for this chunk:

A = h0
B = h1
C = h2
D = h3
E = h4
F = h5
G = h6
H = h7
 SHA-256 Algorithm
Same pre-processing, same initialization of W1 - W15
//Main loop:
for t from 0 to 63
s0 = (A >>>2)⊕(A >>>13)⊕(A >>>22)
maj = (A ∧ B) ∨ (B ∧ C) ∨ (C ∧ A)
t0 = s0 + maj
s1 = (E >>>6)⊕(E >>>11)⊕(E >>>25)
ch = (E ∧ F) ∨ (¬E ∧ G)
t1 = H + s1 + ch + Kt + Wt
H = G
G = F
F = E
E = D + t1
D = C
C = B
B = A
A = t0 + t1
 SHA-256 Algorithm

//Add this chunk's hash to result so far:

h0 := h0 + A
h1 := h1 + B
h2 := h2 + C
h3 := h3 + D
h4 := h4 + E
h5 := h5 + F
h6 := h6 + G
h7 := h7 + H

//Output the final hash value (big-endian):

digest = hash =
h0 || h1 || h2 || h3 || h4 || h5 || h6 || h7
 Types of Attack on Hashes

1. Preimage – An attacker has an output and finds an input

that hashes to that output

2. 2nd Preimage – An attacker has an output and an input x

and finds a 2nd input that produces the same output as x
3. Collision – An attacker finds two inputs that hash to the
same output
4. Length Extension – An attacker, knowing the length of
message M and a digest of M signed by a sender can
extend M with an additional message N and can
compute the digest of M || N even without the key used
to sign the digest of M
 Types of Attack on Hashes

SHA-1 and SHA-2 are susceptible to length extension attacks

if the algorithm is misused as follows:
Let S be the secret that is shared by sender and receiver
The sender sends message M to the receiver with
digest Hash(S || M) = D
The receiver should computer Hash(S || M) and check for match
with D ; M is authentic in case of a match, not otherwise
Attacker appends N to M and is able to continue the digest
algorithm to complete the Hash(S || M || N) – attacker replaces
M with M || N and Hash(S || N) with Hash(S || M || N)

Original Data: count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo

New Data: count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo
\x80\x00\x00 … \x00\x00\x02\x28&waffle=liege
Where 0x228 is length of key plus original message; 0x80 is the ‘1’ at start of pad
 Types of Attack on Hashes

SHA1, SHA2:
2nd preimage attacks against long messages are always much
more efficient than brute force

Multicollisions (many messages with the same hash) can be

found with only a little more work than collisions
 Hash Algorithms

SHA-3 Competition (2007-2013)

NIST sponsored competition to replace SHA-2 due to fears
that the 2005 success against SHA-1 could be duplicated for
SHA-2, especially in private (Merkle-Damgård construction)
Required:
● function had to perform well regardless of implementation

● should withstand known attacks while maintaining a large

safety factor. It should emit the same four hash sizes as

SHA-2 (224-, 256-, 384-, or 512-bits wide), but be able to
supply longer hash sizes if need be
● function had to be subjected to cryptanalysis

● could not use the Merkle-Damgård construction to produce

the message hash

 Hash Algorithms

SHA-3 Competition (2007-2013)

Semi-finalists: Blake (Israel), GrØstl (Austria) , Luffa (Hitachi),
Blue midnight wish (Norway), Hamsi (Belgium), Shabal
(Europe), CubeHash (USA), JH (China?), SHAvite-3 (Israel,
France), ECHO (France), Keccak (Dutch), SIMD (Germany?),
Fugue (IBM), Skein (USA – Schneier and others)

Finalists: Blake, GrØstl, JH, Keccak, Skein

Winner: Keccak (final NIST specification August 2015)
Did not make the first cut:
MD6 (MIT) + 10 others
Broken Entries:
31
 Hash Algorithms

SHA-3
sponge construction:
Data is ‘absorbed’ into the ‘sponge’ then ‘squeezed’ out.
absorbing: message blocks are xored with a subset of state
then transformed using a permutation function f
squeezing: output blocks are read from the same subset of
state alternated with an application of f
security-level: level n means an attacker will have to perform
2n operations to break a system
rate: the size of the part of the state that is written and read
capacity: the size of the part of the state untouched by I/O
capacity determined security: max security level = capacity/2
 Hash Algorithms

SHA-3
sponge construction:
hash function: input is a bit string called message, output
called a digest
extendable output function: function on bit strings where
output can be extened to any length.
state: an array of b bits represented as a 3 dimensional array
of size 5x5xw where w = b/25. A bit is accessed by A[x,y,z]
sub-arrays are planes and columns
Keccak-p permuation: comprised of b bits – nr iterations
or rounds are performed before and output is generated
denoted Keccak-p[b, nr]
Associated parameters w = b/25, l = log2(b/25)
 Hash Algorithms

SHA-3
sponge construction:
conversion from bits S to Array: A[x,y,z] = S[w(5y+x)+z]
other conversions:
lane(i,j) = column of bits in 2-d position i,j (both < 5)
plane(j) = lane(0,j) || lane(1,j) || lane(2,j) || lane(3,j) || lane(4,j)
S = plane(0) || plane(1) || plane (2) || plane(3) || plane(4)
 Hash Algorithms

SHA-3
sponge construction:
step mappings:
There are 5 of these - each takes b bits input and
produces b bits output
 Hash Algorithms

SHA-3
sponge construction - step mappings:
First mapping: input is original array A
for all pairs (x, z) such that 0 ≤ x < 5 and 0 ≤ z < w
let C[x, z] = A[x, 0, z] ⊕ A[x, 1, z] ⊕ A[x, 2, z] ⊕
A[x, 3, z] ⊕ A[x, 4, z]
for all pairs (x, z) such that 0 ≤ x < 5 and 0 ≤ z < w
let D[x, z] = C[(x-1) mod 5, z]⊕C[(x+1) mod 5, (z-1) mod w]
for all triples (x, y, z) such that 0 ≤ x,y < 5, and 0 ≤ z < w
let A′[x, y, z] = A[x, y, z] ⊕ D[x, z]

XOR each bit in the state with

the parities of two columns in the array
 Hash Algorithms

SHA-3
sponge construction - step mappings:
Second mapping: input is array A from first mapping
for all z such that 0 ≤ z < w, let A′ [0, 0, z] = A[0, 0, z]
let (x, y) = (1, 0)
for t from 0 to 23:
a. for all z such that 0 ≤ z < w,
let A′[x, y, z] = A[x, y, (z – (t + 1)(t + 2)/2) mod w];
b. let (x, y) = (y, (2x + 3y) mod 5)

Black dots are bits whose z

coordinates are 0. The
shaded cube is the
location of the bit
after 2nd mapping
 Hash Algorithms

SHA-3
sponge construction - step mappings:
Third mapping: input is array A from second mapping
for all triples (x, y, z) such that 0 ≤ x,y < 5, and 0 ≤ z < w
let A′[x, y, z]= A[(x + 3y) mod 5, x, z]

rearrange the positions

of the lanes, as shown
for slices in the figure
 Hash Algorithms

SHA-3
sponge construction - step mappings:
Fourth mapping: input is array A from third mapping
for all triples (x, y, z) such that 0 ≤ x,y < 5, and 0 ≤ z < w,
let A′ [x, y, z] =
A[x, y, z] ⊕ ((A[(x+1) mod 5, y, z] ⊕ 1) ⋅ A[(x+2) mod 5, y, z])
(dot means integer multiplication which translates to logic and)

XOR each bit with a non-linear function

of two other bits in its row, as illustrated
in the figure
 Hash Algorithms

SHA-3
sponge construction - step mappings:
Algorithm rc(t):
if t mod 255 = 0, return 1.
let R = 10000000.
for i from 1 to t mod 255, let:
R = 0 || R;
R[0] = R[0] ⊕ R[8];
R[4] = R[4] ⊕ R[8];
R[5] = R[5] ⊕ R[8];
R[6] = R[6] ⊕ R[8];
R =Trunc 8 [R].
Return R[0]
 Hash Algorithms

SHA-3
sponge construction - step mappings:
Fifth mapping: input is array A and round index ir
for all triples (x, y, z) such that 0 ≤ x,y < 5, and 0 ≤ z < w,
let A′[x, y, z] = A[x, y, z]
let RC = 0w
for j from 0 to l, let RC[2j – 1] = rc(j + 7ir).
for all z such that 0 ≤ z < w
let A′ [0, 0, z] = A′ [0, 0, z] ⊕ RC[z]

The effect is to modify some of the bits of lane (0,0) in a

manner that depends on the round index ir. The other 24
lanes are not affected by this operation.
 Hash Algorithms

SHA-3
sponge construction – perform the permutation:
KECCAK-p[b,nr](S): S is string of length b, nr is # rounds
convert S into a state array, A
for ir from 12 + 2l – nr to 12 + 2l – 1
let A = ResultOfFiveMappingSteps(A, ir).
convert A into a string S′ of length b
return S′
 Hash Algorithms

SHA-3
sponge construction:
The sponge construction is a framework for specifying
functions on binary data with arbitrary output length.
The construction employs the following three components:
1. An underlying function f on fixed-length strings
2. A parameter r called the rate
3. A padding rule, denoted by pad
The function that the construction produces from these
components is called a sponge function, denoted by
SPONGE [f, pad, r]. A sponge function takes two inputs:
a bit string N and the bit length d of the output string,
SPONGE [f, pad, r](N, d)
 Hash Algorithms

SHA-3
sponge construction:

The rate r is a positive integer that is strictly less than the width b.
The capacity c is such that r + c = b.
 Hash Algorithms

SHA-3
sponge construction:
SPONGE[f,pad,r](N,d): output is string Z s.t. len(Z) = d
let P = N || pad(r, len(N))
let n = len(P)/r
let c = b-r
let P0, ... , Pn-1 be the unique sequence of strings of length r
such that P = P0 || ... || P n-1
let S = 0b
for i from 0 to n-1, let S = f (S ⊕ (Pi || 0 c ))
let Z be the empty string
q: let Z = Z || Trunc r (S).
if d ≤ |Z|, then return Truncd (Z); else continue.
let S = f(S), and goto q
 Hash Algorithms

SHA-3
sponge construction:
pad(x,m): x is positive integer, m is non-negative integer
output is string P s.t. m+len(P) is multiple of x
let j = (– m – 2) mod x
return P = 1 || 0 j || 1
 Hash Algorithms

SHA-3
SHA-3 functions:
SHA3-224(M) = Keccak[448](M || 01, 224)
SHA3-256(M) = Keccak[512](M || 01, 256)
SHA3-384(M) = Keccak[768](M || 01, 384)
SHA3-512(M) = Keccak[1024](M || 01, 512)

The 01 appended to the message is a code that distinguishes

this family of SHA-3 functions from others that may be
defined later
 Hash Algorithms

SHA-3: Security
Not susceptible to length extension attack

SHA-2 splits data into elementary blocks and produces,

for each block, an output which has exactly the same size
as the function output. Moreover, the output for a complete
message is the current output after processing all blocks of
the message

The sponge construction has an internal state that is much

larger than the hash function output. So hashing an output
block – with most of the state missing – is not going to work
as the entire state is needed to continue the digest
 Hash Algorithms

SHA-3: Security