The MD6 hash function: A proposal to NIST for SHA-3

This report describes and analyzes the MD6 hash function and is part of our submission package for MD6 as an entry in the NIST SHA-3 hash function competition.¹ Significant features of MD6 include:

- Accepts input messages of any length up to 2 − 1 bits, and produces message digests of any desired size from 1 to 512 bits, inclusive, including the SHA-3 required sizes of 224, 256, 384, and 512 bits.
- Security: MD6 is by design very conservative. We aim for provable security whenever possible; we provide reduction proofs for the security of the MD6 mode of operation, and prove that standard differential attacks against the compression function are less efficient than birthday attacks for finding collisions. We also show that when used as a MAC within NIST recommendations, the keyed version of MD6 is not vulnerable to linear cryptanalysis. The compression function and the mode of operation are each shown to be indifferentiable from a random oracle under reasonable assumptions.
- MD6 has good efficiency: 22.4–44.1 MB/second on a 2.4 GHz Core 2 Duo laptop with 32-bit code compiled with Microsoft Visual Studio 2005, for digest sizes in the range 160–512 bits. When compiled for 64-bit operation with MS VS and run on a 3.0 GHz E6850 Core Duo processor, it runs at 61.8–120.8 MB/second.
- MD6 works extremely well for multicore and parallel processors; we have demonstrated hash rates of over 1 GB/second on one 16-core system, and over 427 MB/second on an 8-core system, both for 256-bit digests. We have also demonstrated MD6 hashing rates of 375 MB/second on a typical desktop GPU (graphics processing unit) card. We also show that MD6 runs very well on special-purpose hardware.
- MD6 uses a single compression function, no matter what the desired digest size, to map input data blocks of 4096 bits to output blocks of 1024 bits, a fourfold reduction. (The number of rounds does, however, increase for larger digest sizes.) The compression function has auxiliary inputs: a “key” (K), a “number of rounds” (r), a “control word” (V), and a “unique ID” word (U).
- The standard mode of operation is tree-based: the data enters at the leaves of a 4-ary tree, and the hash value is computed at the root. See Figure 2.1. This standard mode of operation is highly parallelizable.

¹ http://www.csrc.nist.gov/pki/HashWorkshop/index.html
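To make the fourfold reduction and the 4-ary tree mode concrete, here is an added example (not code from the MD6 report or its reference implementation) that builds the tree exactly as described: 4096-bit leaf blocks, a 1024-bit output per compression call, and each parent consuming the outputs of its four children until a single root remains. The compression function, the zero-padding rule and the encoding of the auxiliary inputs K, r and the level/index pair are stand-ins of my own; only the block sizes and the tree shape come from the text.

```python
import hashlib

BLOCK_BITS, OUT_BITS = 4096, 1024          # sizes stated in the text
BLOCK_BYTES, OUT_BYTES = BLOCK_BITS // 8, OUT_BITS // 8   # 512 and 128 bytes
FANOUT = BLOCK_BYTES // OUT_BYTES          # 4: four child outputs fill one parent block

def compress(block: bytes, key: bytes, rounds: int, level: int, index: int) -> bytes:
    """Stand-in for a compression function f(K, r, node id, data) -> 1024 bits.
    NOT MD6's real function: it domain-separates the auxiliary inputs (key,
    round count, tree position) and stretches SHA-512 to 128 bytes so that the
    tree arithmetic below is faithful to the 4096 -> 1024 bit reduction."""
    assert len(block) == BLOCK_BYTES and len(key) < 256
    hdr = (bytes([len(key)]) + key + rounds.to_bytes(2, "big")
           + level.to_bytes(1, "big") + index.to_bytes(8, "big"))
    return b"".join(hashlib.sha512(hdr + bytes([i]) + block).digest()
                    for i in range(OUT_BYTES // 64))

def tree_hash(msg: bytes, key: bytes = b"", rounds: int = 104):
    """Hash msg with a 4-ary tree: leaves take 512-byte message chunks, each
    parent takes its 4 children's outputs (4 * 128 = 512 bytes) and yields one
    128-byte value. Returns (root_value, number_of_compression_calls)."""
    # Level 0: split the message into 512-byte chunks; zero-pad the last one.
    # (Constructed padding rule; MD6's own padding and control word V differ.)
    nodes = [msg[i:i + BLOCK_BYTES] for i in range(0, len(msg), BLOCK_BYTES)] or [b""]
    nodes[-1] = nodes[-1].ljust(BLOCK_BYTES, b"\0")
    level, calls = 0, 0
    while True:
        # Every node on a level is independent: this loop is the parallel part.
        outs = [compress(n, key, rounds, level, i) for i, n in enumerate(nodes)]
        calls += len(outs)
        if len(outs) == 1:
            return outs[0], calls
        # Group sibling outputs four at a time into next level's 512-byte blocks;
        # a partial last group is zero-padded (constructed rule, as above).
        nodes = [b"".join(outs[i:i + FANOUT]).ljust(BLOCK_BYTES, b"\0")
                 for i in range(0, len(outs), FANOUT)]
        level += 1

def digest(msg: bytes, d_bits: int, key: bytes = b"") -> bytes:
    """Truncate the 1024-bit root to a d-bit digest, 1 <= d <= 512 (leading bits;
    MD6 itself specifies which bits are kept, this is only the size rule)."""
    assert 1 <= d_bits <= 512
    root, _ = tree_hash(msg, key)
    nbytes = (d_bits + 7) // 8
    out = bytearray(root[:nbytes])
    out[-1] &= (0xFF << (nbytes * 8 - d_bits)) & 0xFF   # clear unused low bits
    return bytes(out)
```

With 16 leaf blocks the tree needs 16 + 4 + 1 = 21 compression calls, and 5 leaves need 5 + 2 + 1 = 8, which is the tree-depth cost the parallel mode pays for its parallelism.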
