Introduction to Cryptographic Hash Functions

A critical sector of cryptographic research, development, and application is that of cryptographic hash functions (CHF). A CHF is a mathematical algorithm defined as a function $F : \mathcal{M} \to \mathcal{H}$ that maps an input message $M \in \mathcal{M}$ of an arbitrary size to an output hash $H \in \mathcal{H}$ of a fixed size.

The ideal computationally secure CHF has three main properties:

1. Preimage resistance: Given a hash $H_i \in \mathcal{H}$, it is computationally infeasible for an attacker to find a message $M_i \in \mathcal{M}$ with the same hash, such that $H_i = F(M_i)$.

2. Second preimage resistance: Given a message $M_i \in \mathcal{M}$, it is computationally infeasible for an attacker to find a second message $M_j \in \mathcal{M}$ such that $M_i \neq M_j$ but $F(M_i) = F(M_j) \in \mathcal{H}$.

3. Collision resistance: It is computationally infeasible for the attacker to choose any two messages $M_i, M_j \in \mathcal{M}$ with $M_i \neq M_j$ and $F(M_i) = F(M_j) \in \mathcal{H}$.

Table 3.1 includes examples of six distinct messages and their corresponding hashes, which are generated using the MD5 CHF created by Rivest in 1992 [113].

We observe that a small (single character) change to the input message yields a dramatically different output hash; this desirable property of cryptographic algorithms is known as the avalanche effect [114].

Table 3.1: Examples of arbitrarily sized input messages and their corresponding 128-bit output hashes.

| Input Message (Arbitrary Size) | Output Hash (128-Bit Size) |
|---|---|
| M0 = “mySup3rS3cr3tp4$$w0rd” | F(M0) = 519ddd987b078ff873cebb728aa88334 |
| M1 = “MySup3rS3cr3tp4$$w0rd” | F(M1) = 438e74075616dd238dfd0989c372626d |
| M2 = “'In the middle of difficulty lies opportunity.' -A. Einstein” | F(M2) = f6d25cb72eae4cf5c4dcb65580e548d2 |
| M3 = “'In the middle of difficulty l1es opportunity.' -A. Einstein” | F(M3) = 6c91069711f3ee39af23e05e99e76995 |
| M4 = “'Never trust a computer you can’t throw out a window.' -S. Wozniak” | F(M4) = cf237059c1acc17db94290ffe0c887c3 |
| M5 = “'Nev3r trust a computer you can’t throw out a window.' -S. Wozniak” | F(M5) = b15b56ab21de119480413cd4a0ed2884 |
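
The avalanche effect in Table 3.1 can be quantified as the number of output bits in which two digests differ. The following Python code is an added example, not part of the original thesis: it measures that distance for the three digest pairs copied from the table and, going beyond the table, flips every bit of a constructed sample message in turn. The function names and the sample message are assumptions.

```python
import hashlib
from statistics import mean

# Digest pairs copied from Table 3.1; each pair's inputs differ by one character.
TABLE_3_1_PAIRS = {
    "M0/M1": ("519ddd987b078ff873cebb728aa88334", "438e74075616dd238dfd0989c372626d"),
    "M2/M3": ("f6d25cb72eae4cf5c4dcb65580e548d2", "6c91069711f3ee39af23e05e99e76995"),
    "M4/M5": ("cf237059c1acc17db94290ffe0c887c3", "b15b56ab21de119480413cd4a0ed2884"),
}

def hamming_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions in which two equal-length digests differ."""
    if len(a) != len(b):
        raise ValueError("digests must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def table_distances() -> dict:
    """Hamming distance (out of 128 bits) for each pair listed in Table 3.1."""
    return {name: hamming_bits(bytes.fromhex(h1), bytes.fromhex(h2))
            for name, (h1, h2) in TABLE_3_1_PAIRS.items()}

def md5_digest(data: bytes) -> bytes:
    # MD5 is used only because the table uses it; it is not collision resistant.
    return hashlib.md5(data, usedforsecurity=False).digest()

def avalanche_profile(message: bytes, hash_fn=md5_digest) -> list:
    """Flip every input bit once; return the digest distance caused by each flip."""
    base = hash_fn(message)
    distances = []
    for bit in range(len(message) * 8):
        flipped = bytearray(message)
        flipped[bit // 8] ^= 1 << (bit % 8)  # toggle exactly one input bit
        distances.append(hamming_bits(base, hash_fn(bytes(flipped))))
    return distances

if __name__ == "__main__":
    for name, dist in table_distances().items():
        print(f"{name}: {dist}/128 bits differ")
    sample = b"constructed sample message"  # constructed input, not from the page
    profile = avalanche_profile(sample)
    print(f"single-bit flips: min={min(profile)} "
          f"mean={mean(profile):.1f} max={max(profile)}")
```

For the table's pairs the distances are 68, 60 and 61 bits, close to the 64 expected when each output bit flips with probability one half.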

CHFs have been nicknamed the “workhorses of modern cryptography” [115] because they have numerous crucial applications in the territory of cyber security. For instance, a major notable area of application is that of authentication: the process of determining whether someone or something is, in fact, who or what they declare to be. For example, CHFs are deployed for password verification, digital signatures, digital fingerprinting, and message authentication codes [116, 117, 118, 119]; see Figures 3.1 and 3.2 for an example depiction of password hashing and authentication. Furthermore, CHFs are also utilized to generate and evaluate checksums for integrity verification [116, 120]; accidental or malicious data corruption of messages, passwords, files, or hard drives can be detected by computing the checksum for such data and then comparing it to the target checksum.

Thus, in order to assess the degree of protection, strength, and reliability that a given CHF offers, it is paramount to rigorously evaluate the CHF’s preimage resistance, second preimage resistance, and collision resistance both computationally and mathematically. These three important CHF resistance properties imply that a malicious adversary cannot modify or replace the original message without altering the corresponding hash. If a CHF lacks one or more of the said resistance properties, then it exhibits a weakness and thus is vulnerable to attack in practice; this implies that the CHF can potentially be “hacked”, exploited, and/or circumvented in the “real world”. When a CHF exhibits a weakness, it is imperative for the analysts to hunt down and identify the weakness mechanism so appropriate fixes and security measures can be immediately implemented. Hence, the need and motivation to examine the underlying algebraic and algorithmic characteristics of CHFs arise.

Figure 3.1: A simple depiction of the account password hashing and storing process. First, user Bob’s password (message) is fed into the CHF as input. Then the CHF computes and outputs the hash, which is then stored in a database. Now user Bob has an account on the system.

Figure 3.2: A simple depiction of the user authentication process. Evil Eve is trying to guess user Bob’s password. Evil Eve submits a password. The CHF computes and outputs Evil Eve’s proposed hash, which is then compared to user Bob’s hash that is stored in the database. In this case, since Evil Eve submits the wrong password, the hashes don’t match. So Evil Eve will be denied access.
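
The store-then-compare flow of Figures 3.1 and 3.2 can be written out as follows. This Python code is an added example, not part of the original thesis, and it goes beyond the figures in one respect: the single CHF call is replaced by a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256), and the comparison is constant-time. The function names, the in-memory dictionary standing in for the database, the iteration count and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000       # assumed PBKDF2-HMAC-SHA256 work factor
DUMMY_SALT = b"\x00" * 16  # used only to keep timing uniform for unknown users

def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (stands in for the figures' CHF box)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(db: dict, user: str, password: str) -> None:
    """Figure 3.1: compute the hash and store it; the password itself is never stored."""
    salt = os.urandom(16)
    db[user] = (salt, derive(password, salt))

def authenticate(db: dict, user: str, password: str) -> bool:
    """Figure 3.2: hash the submitted password and compare it with the stored hash."""
    salt, stored = db.get(user, (DUMMY_SALT, b""))
    candidate = derive(password, salt)             # computed even if the user is unknown
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

if __name__ == "__main__":
    db = {}  # constructed in-memory stand-in for the database in the figures
    register(db, "bob", "constructed-passphrase-1")
    print("Bob, correct password:", authenticate(db, "bob", "constructed-passphrase-1"))
    print("Eve, wrong guess:     ", authenticate(db, "bob", "constructed-guess"))
```

Because each account gets its own salt, two users with the same password end up with different stored hashes, so one precomputed table cannot be reused across accounts.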

Thus, in order to assess the computational security of a crypto-system such as a CHF, one must mathematically and computationally evaluate the algebraic structures upon which it operates. A great strategy for assessing a CHF is through publicly open international competitions, where scientists, mathematicians, programmers, and hackers from around the globe have the opportunity to design, implement, evaluate, and discuss various CHF candidates. One example of such an event was the 2007-2012 NIST Hash Function Competition held by the U.S. National Institute of Standards and Technology (NIST) [121], where the objective was to openly develop a new CHF called Secure Hash Algorithm 3 (SHA-3) for standardization that is more computationally secure than its SHA-1 and SHA-2 predecessors. NIST selected 51 entries for round 1 [122], where 14 of those teams advanced to round 2 [123, 124], from which the 5 finalists were selected for round 3 [125]:

1. BLAKE by Aumasson, Henzen, Meier, and Phan [126].

2. Grøstl by Gauravaram, Knudsen, Matusiewicz, Mendel, Rechberger, Schläffer, and Thomsen [61].

3. JH by Wu [127].

4. Keccak by Bertoni, Daemen, Peeters, and Van Assche [128].

5. Skein by Schneier, Ferguson, Lucks, Whiting, Bellare, Kohno, Callas, and Walker [129].

In October of 2012, NIST selected Keccak as the winner [125], which was subsequently released as the SHA-3 standard in August of 2015 [130].

We selected Grøstl [61] for the cryptographic application component of this thesis. In our opinion, Grøstl is an excellent CHF for study and application. A key design goal for the creators of Grøstl was transparency, a goal based on principles that differ from those shared by many other members in the SHA family [61].