Sponge Function Construction and Security

Questions and Answers

In the context of sponge construction phases, which statement most accurately reflects the impact of the parameter $r$?

• A smaller $r$ leads to fewer permutation calls, thus enhancing performance in both the absorbing and squeezing phases.
• A larger $r$ complicates the permutation process, thereby diminishing the performance of both absorbing and squeezing phases due to augmented computational complexity.
• The parameter $r$ dictates the number of permutation calls in both absorbing and squeezing phases; a larger $r$ implies fewer calls, thereby optimizing performance. (correct)
• The parameter $r$ exclusively affects the squeezing phase, determining the size of the output generated at each permutation application; it has no bearing on the absorbing phase.

In a blind tag guessing scenario, aiming to guess a valid MAC tag $t$ for a message $m$ without knowledge of the key $K$, the security strength is accurately represented by $t/2$ bits.

False (B)

Explain how the success probability per guess changes when the MAC tag transitions from 48 bits (as in SHAME) to 64 bits, elucidating the concrete implications for security.

Increasing the MAC tag length from 48 to 64 bits escalates the difficulty of a successful guess, diminishing the success probability from $1/2^{48}$ to $1/2^{64}$.

In the context of the Birthday Paradox concerning MAC collisions, the number of queries approximated by $2^{t/2}$ is principally attributed to the inherent ______.

Birthday Bound

Match the following hash algorithms with their corresponding digest sizes and security statuses:

MD5 = 128 bits, Broken SHA-1 = 160 bits, Broken SHA-2 = 224-512 bits, Secure (as of now)

Which of the following factors most decisively contributed to the imperative redesign from SHA-0 to SHA-1?

To rectify inherent flaws discovered in SHA-0 that undermined its cryptographic integrity. (B)

The Davies-Meyer construction exemplifies a methodology for transforming a block cipher into a mode of operation suitable for parallel processing.

False (B)

Elaborate on how the Merkle–Damgård construction leverages a fixed-size compression function to accommodate variable-length input, ensuring the integrity of the resultant hash.

The Merkle-Damgård construction processes variable-length messages by dividing them into fixed-size blocks, utilizing a compression function iteratively with padding to ensure the final block’s completeness, thus preserving the integrity of the hash.

In the Davies-Meyer construction, $F(h, m) = E_m(h) \oplus h$, the function effectively performs encryption of ______ using ______ as the key, with subsequent XOR operation.

h, m

Associate each algorithm family with its adoption of the Merkle–Damgård construction paradigm:

MD5 = Uses Merkle-Damgård SHA-1 = Uses Merkle-Damgård SHA-2 = Uses Merkle-Damgård

What critical vulnerability is introduced by the utilization of the Merkle–Damgård construction across MD5, SHA-1, and SHA-2?

Vulnerability to length-extension attacks, necessitating countermeasures like HMAC. (B)

Collision resistance unequivocally guarantees second preimage resistance in cryptographic hash functions.

False (B)

Contrast the security goals and operational mechanics between collision resistance and second preimage resistance in cryptographic hash functions, emphasizing their divergent implications for data integrity and security.

Collision resistance aims to prevent finding any two inputs that hash to the same output, whereas second preimage resistance focuses on making it hard to find a second input that produces the same hash as a given input. Collision resistance offers broader implications for general data integrity, while second preimage resistance is critical when a specific message has already been published.

According to the implication hierarchy pertinent to cryptographic hash functions, ______ resistance is classified as the weakest.

Collision

Categorize cryptographic primitives and constructions according to their roles in cryptographic systems:

Primitive = A foundational cryptographic building block like a hash function or block cipher. Construction = A recipe or method to build something bigger like a MAC or stream cipher from primitives.

From a higher-level perspective, what is the definitive characteristic that designates SHA-2 (e.g., SHA-256 or SHA-512) as a primitive, despite its internal utilization of the Merkle–Damgård construction?

SHA-2 undergoes rigorous standardization, rendering it directly usable in a multiplicity of real-world protocols and applications, thus functioning as an atomic unit. (C)

When SHA-2 is characterized as a primitive, it explicitly denotes the necessity for developers to construct it from individual components leveraging the Merkle–Damgård construction and related building blocks.

False (B)

Contrast the roles of the compression function and iteration logic within the construction of a hash function, elucidating how they collectively impact the hash function's security and performance characteristics.

The compression function compresses fixed-size inputs, contributing to the confusion and diffusion properties essential for security. Iteration logic allows processing variable-length inputs, maintaining a secure state across blocks and influencing overall performance.

In the analogy drawn, Merkle-Damgård is akin to a ______, while SHA-256 is akin to a ______.

recipe to make chocolate cake, store-bought chocolate cake

Relate the concept of Pseudorandom Permutation (PRP) security with its defining characteristic regarding adversary access:

PRP Security = Adversary has access only to the encryption function (forward direction).

Under what specific operational conditions is PRP security considered to be sufficiently efficient?

When the application exclusively necessitates encryption capabilities, obviating the requirement for decryption. (C)

Strong PRP (SPRP) deviates from standard PRP by mandating that the function remains indistinguishable from a random permutation, even when the adversary possesses access exclusively to the encryption or decryption functionalities, but not both.

False (B)

Differentiate between the access privileges accorded to an adversary in the contexts of PRP and SPRP security models, underscoring the implications for cryptographic system design and analysis.

In PRP, an adversary accesses only the encryption function. Conversely, SPRP grants access to both encryption and decryption functions, necessitating more rigorous security design considerations.

In contrast to PRP security, SPRP security is crucially required when the ______ function (decryption) is used, which is common in ______ and some modes.

inverse, MACs

Match each mode/construction with its corresponding classification as either a mode/construction or a primitive/building block:

CBC, Merkle-Damgård, HMAC = Modes / Constructions AES, SHA-2, Whirlpool = Primitives / Building Blocks

According to the provided classifications, which of the following cryptographic algorithms is categorized as a primitive/building block rather than a mode/construction?

SHA-3 (A)

In cryptographic taxonomy, the sponge function is regarded as a primitive constituent, directly employed in the structural formation of more elaborate constructs.

False (B)

Discriminate rigorously between primitives and constructions, illustrating their contrasting roles in the hierarchical organization of cryptographic instruments and highlighting emblematic instances.

Primitives consist of fundamental cryptographic entities, such as hash functions or encryption algorithms, utilized directly. Constructions employ these primitives to assemble complex tools, like MACs or authenticated encryption schemas.

While CBC and GCM are recognized as /, ChaCha20 and AES are classified as /.

Modes, constructions, primitives, building blocks

Flashcards

Absorbing Phase

Input message is processed in blocks of r bits, with a permutation applied to each block.

Squeezing Phase

Output is generated r bits at a time, applying the permutation until enough output is produced.

r (in Sponge)

Determines performance in absorbing and squeezing phases; larger r means fewer permutation calls.

Blind Tag Guessing

Trying to guess a tag for a known message without knowing the key.

Success Probability

If the MAC tag is t bits long, the success probability per guess is 1 / 2^t.

Birthday Paradox (Collision)

Trying to find any two messages that produce the same MAC tag.

Collisions

Approximately 2^(t/2), where t is the tag size. Security strength is t/2 bits.

MD5

Designed by Ron Rivest in 1991; produces a 128-bit digest.

SHA-1

Inspired by MD5, designed by the NSA, produces a 160-bit digest.

SHA-2 Series

Reinforced versions of SHA-1, includes SHA-224, SHA-256, SHA-384, SHA-512, etc.

Merkle-Damgård

Method for building a variable-length hash function from a fixed-size compression function.

Iteration Mode

Splitting the message into blocks and processing them sequentially.

Compression function F

The core function used in Merkle-Damgård.

Davies-Meyer

Way to turn a block cipher into a compression function F(h,m) = Em(h) XOR h.

Collision resistance

Finding two different inputs that produce the same hash output.

Second preimage resistance

Given a specific input, finding a different input that produces the same hash output.

Collision resistance (choosing)

About finding any two messages that collide; you get to choose both freely.

Second preimage resistance (given msg)

Being given a specific message and trying to find a second one that collides with it.

Primitive

A basic cryptographic building block, designed to be used by other constructions.

Construction

A method or recipe that builds something bigger from primitives.

SHA-2 as a Primitive

It is used directly, takes variable-length input, and has known security properties.

Contrast with a construction

Building a hash function from a compression function, padding, and iteration logic.

Pseudorandom Permutation (PRP)

A function computationally indistinguishable from a truly random permutation with only forward queries.

Key Characteristic of PRP

Distinguishing between the function and a random permutation is computationally infeasible.

Adversary Access (PRP)

The adversary only has access to the encryption function F_k(x).

PRP Security Sufficiency

An application only requires encryption, not decryption.

Strong PRP (SPRP)

Extends PRP by requiring indistinguishability even with access to both encryption and decryption functions.

SPRP Security Needed

The inverse function (decryption) is used, common in MACs.

Study Notes

Sponge Construction Phases

• Input message is absorbed in blocks of r bits.
• Each block has a permutation applied once.
• Number of permutation calls = ceil(message_length / r).
• Output is generated r bits at a time, repeatedly applying permutation until sufficient output is produced (if n > r).
• The rate r determines performance in both absorbing and squeezing phases.
• Larger r results in fewer permutation calls.

Blind Tag Guessing

• Given a message m, the aim is to guess a tag t such that MACK(m) = t without knowing the key.
• Goal is to guess the correct tag for a given m, not to find a collision.
• Success probability per guess is 1 / 2^t, where t is the length of the MAC tag in bits (e.g., 48 bits in SHAME).
• With a t-bit tag, the security strength is t bits, not t/2.

Birthday Paradox

• Applies to finding any two messages m1, m2 such that MACK(m1) = MACK(m2) (a collision).
• Does not target a specific tag, but find any two matches.
• Number of queries until a collision ≈ 2^t/2 (due to birthday bound).
• Security strength = t/2 bits.

MD5 (Ron Rivest, 1991)

• Designed by Ron Rivest.
• Based on MD4 (earlier, less secure design).
• Produces a 128-bit digest (output hash).
• Known to be broken (collision attacks exist).

SHA-1 (NIST, 1995)

• Inspired by MD5.
• Followed SHA-0 (1993 version with flaws).
• Produces a 160-bit digest.
• Not considered secure (practical collision attacks exist since 2017).

SHA-2 Series (NIST, 2001 & 2008)

• Reinforced versions of SHA-1.
• Redesigned to resist known attacks.
• Includes 6 hash functions: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.
• Output lengths vary from 224 to 512 bits.
• Still considered secure, SHA-3 is recommended for future-proofing.

Internals of MD5, SHA-1, and SHA-2

• All use Merkle-Damgård iteration mode.
• Merkle-Damgård: builds variable-length hash functions from fixed-size compression functions.
• Splits the message into blocks, processes them sequentially.
• Compression function F is used.
• In SHA-1 and SHA-2, F is based on a block cipher-like structure using Davies-Meyer mode.

Davies-Meyer Construction

• Davies-Meyer construction turns a block cipher into a compression function via F(h, m) = E_m(h) ⊕ h.
• E_m(h) = block cipher encryption of h using m as the key.
• h XOR with input chaining variable.
• MD5, SHA-1, SHA-2 all use Merkle–Damgård which makes them vulnerable to length-extension attacks that HMAC constructions are designed to avoid.

Collision Resistance Definition

• Collision resistance means it's computationally hard to find any two distinct inputs x ≠ x´ such that h(x) = h(x´).

Second Preimage Resistance Definition

• Second pre-image resistance: Given a specific input x, it is hard to find a different input x´≠ x such that h(x) = h(x´).
• Collision resistance doesn't mean second pre-image resistance because collision resistance is about finding any two messages that collide.
• Second pre-image resistance means given a specific message, you need to find a second one that collides with it
• To that end, if the compression function F is collision-resistant, then the full Merkle–Damgård hash function h is also collision-resistant

Primitives

• Primitives are basic cryptographic building blocks, for use in constructions.
• Constructions are methods that build something bigger (hash function, MAC, stream cipher, etc.) from primitives.
• SHA-2 (SHA-256, SHA-512) is built internally using Merkle–Damgård, and Davies-Meyer compression.
• It is a hash function ready to use.
• SHA-2 uses constructions internally.
• As a whole, it's a standardized hash function primitive for protocols, applications, and digital signatures.
• It is used in real-world protocols: TLS, Bitcoin, HMAC.
• It takes variable-length input.
• It produces a fixed-length digest.
• It is used as-is as a black-box function with known security properties.
• Building a hash function using Merkle–Damgård means you're taking a new function from a compression function, padding, and iteration logic
• construction -- A recipe to make chocolate cake (Merkle–Damgård).
• primitive -- Store-bought chocolate cake (SHA-256) — ready to eat, used in recipes like desserts (e.g., HMAC, SHA256).

Pseudorandom Permutation Security (PRP)

• Pseudorandom Permutation (PRP) is a function computationally indistinguishable from a truly random permutation when given only forward queries.
• Block cipher E: {0,1}^k x {0,1}^n -> {0,1}^n is PRP if, for any efficient adversary, distinguishing between E_k(.) (where k is a secret key) and a random permutation is computationally infeasible.
• The adversary only has access to the encryption function E_k(x) (forward direction).
• PRP security doesn't require that the adversary is given access to the inverse function E_k^{-1}(y).
• PRP security is sufficient when an application only requires encryption (not decryption).
• PRP security does not require that the adversary is given access to the inverse function E_k^{-1}(y)
• Example: Counter (CTR) mode, Output Feedback mode (stream modes).

Strong PRP (SPRP) Security

• SPRP extends PRP in requiring that the function is indistinguishable from a random permutation even if the adversary is given access to both encryption and decryption functions.
• A block definition E: {0,1}^k x {0,1}^n -> {0,1}^n is SPRP, if for any efficient adversary with access to both E_k(.), E_k^{-1}(.), distinguishing it from a truly random permutation is computationally infeasible.
• SPRP security needed when the inverse function (decryption) is used, common in MACs and some modes.
• CBC-MAC Requires access to decryption, CMC, EMAC.

Modes / Constructions

• CBC
• ECB
• OFB
• CTR
• CFB
• XTS
• Sponge
• Merkle-Damgård
• CBC-MAC
• HMAC
• GCM

Primitives / Building Blocks

• AES
• DES
• RC4
• ChaCha20
• SHA-1
• SHA-2
• SHA-3
• MD5
• Whirlpool
• Keccak-f
• Trivium
• Blowfish
• Serpent