Re: SHA-1 Variants

From: Jim Steuert (pjsteuert_at_rcn.com)
Date: 05/31/04


Date: Mon, 31 May 2004 09:27:50 -0400

Tom St Denis wrote:
> Pardon me. Why? You said yourself SHA-1 is secure. Wouldn't a variant
> specially one of the same size be just undue risk?
>
Like I said, more complexity in the round function means more secure
in general (assuming it doesn't cancel anything out, which is unlikely
in most cases).

> Why not just use the <<< and >>> for rotation? That makes it way easier
> to read.

True, but my C compiler doesn't do >>> for rotation. I've actually used
that notation myself in the past.

> Right away I can see that the lsb of D is canceled out.

So what. These multipermutations still enhance the original SHA-1.

> Well differential trails through the design depend on the function itself
> [this isn't a wide-trail design after all]. So your change [which makes
> SHA much slower] would have to be analyzed on its own.

The trail concept means that the result of an input differential X
yields output difference Y, then Y into the subsequent round yields Z,
and so forth, so the differential is transitive. Since these additions
are multipermutations, they do not affect the overall statistics,
summed over all 2^160 possible inputs. It may, however, "move" a
differential to other bits, but it cannot "concentrate" one. Since the
cryptanalysis between rounds of this particular cipher does not depend
on where the differentials are, then this can be used effectively.

>
> First, SHA-256 is what people should be starting with in new
> applications.
SHA-256 has far less time-of-exposure than SHA-1. As that is the
primary metric used, I could easily argue that SHA-1 is much more
secure than SHA-256.

> Second, prove that your mods actually do "make it stronger".
Good point. I just sketched a rough proof of that above.

> Essentially [my guess] is you would have to drop your design to less than
> 40 rounds [say 40 rounds for the purpose of this thread] to get the same
> speed as SHA-1 on an Athlon.

No, I wouldn't try. Computers are 100 times faster today than in
1993 when SHA-1 was invented. Further, SHA-1 can itself be made faster
than AES.

> So are 40 rounds of your design as secure as 80 rounds of SHA-1?
>
Probably not, nor would I suggest that.

> SHA-224 has only 64 rounds. So your design is faster or slower?
SHAMODX is probably more secure.

>>
>> T = (A<<5|A>>27) + ((B&C)|((0xffffffff^B)&D)) + *WP++ + 0x5a827999;
>> T = T + ((B<<13|B>>19)^D)+((C<<10|C>>22)^F)+((D<<11|D>>21)^E);
>> T = T + ((E<<29|E>>3)^C)+((F<<18|F>>14)^B);
>> T = T + ((B<<19|B>>13)^F)+((C<<11|C>>21)^E)+((D<<23|D>>9)^B);
>> T = T + ((E<<6|E>>26)^C)+((F<<17|F>>15)^D);
>> T = T + ((B&F)^(C&D)^((C^D)&E))+G;
>> G=F;F=E;E=D;D=C;C=(B<<30|B>>2);B=A;A=T;
>
> Where do these rotation counts come from? Have you timed this? Can you
> prove anything about it?

Yes, but in general. That is the point. I am looking for a general proof
(see outline above) which gives me license to just "throw something
together" (within some guidelines). That is the essence of technical
progress, you know, electronic circuits, plumbing, etc.

>> Again, does anyone have an opinion as to the "security" of extending
>> SHA-1
>> in this manner?
>
> Well your designs seem slower, have no claims of security that are valid
> and otherwise show exactly why I'm right about going after newbies.

I do have claims of security.

> See I go after newbies and pounce on them to do their homework, be
> patient, read, read, read and then try to come up with ideas that extend
> what they have learned over the course of their study. I routinely shoot
> down out-of-left-field newbie designs by pointing out obvious flaws.

That would be true if you actually found a flaw.

> Then a few people backlash calling me rude and what not.
>
> Well see people, this is EXACTLY what I'm talking about. This isn't
> Jim's first appearance on sci.crypt and look what we have here. Yet
> another useless poorly thought out "idea".

The idea is basic engineering 101. You are the one who cannot
reduce your "theories" to "practice".

-Jim
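The disagreement above ("move" a differential vs. "concentrate" one) is something you can measure for a single step rather than argue about. The following is an added example, not code from either poster: a Python transcription of the standard SHA-1 step for rounds 0-19 and of the posted seven-register variant step, plus a helper that flips one input bit of a chosen register and counts how many bits of the new A (T) change, averaged over random states. The register order (A..G), rotation counts and the name SHAMODX are taken from the thread; the trial counts and seed are my own choices.

```python
import random

MASK = 0xFFFFFFFF
K0 = 0x5A827999  # SHA-1 round constant for steps 0-19, as in the posted snippet

def rotl(x, n):
    """32-bit left rotation, the (x<<n | x>>(32-n)) idiom used in the post."""
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1_step(state, w, k=K0):
    """Standard SHA-1 step for rounds 0-19 on the tuple (A, B, C, D, E)."""
    a, b, c, d, e = state
    t = (rotl(a, 5) + ((b & c) | ((MASK ^ b) & d)) + e + w + k) & MASK
    return (t, a, rotl(b, 30), c, d)

def shamodx_step(state, w, k=K0):
    """Line-by-line transcription of the posted variant step on (A, ..., G)."""
    a, b, c, d, e, f, g = state
    t = (rotl(a, 5) + ((b & c) | ((MASK ^ b) & d)) + w + k) & MASK
    t = (t + (rotl(b, 13) ^ d) + (rotl(c, 10) ^ f) + (rotl(d, 11) ^ e)) & MASK
    t = (t + (rotl(e, 29) ^ c) + (rotl(f, 18) ^ b)) & MASK
    t = (t + (rotl(b, 19) ^ f) + (rotl(c, 11) ^ e) + (rotl(d, 23) ^ b)) & MASK
    t = (t + (rotl(e, 6) ^ c) + (rotl(f, 17) ^ d)) & MASK
    t = (t + ((b & f) ^ (c & d) ^ ((c ^ d) & e)) + g) & MASK
    return (t, a, rotl(b, 30), c, d, e, f)

def avg_flips(step, nregs, reg, bit, trials=2000, seed=1):
    """Average number of bits of the new A (T) that change when input bit
    `bit` of register `reg` is flipped, over random states and message words.
    Random inputs are constructed here; nothing is taken from real data."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        state = [rng.getrandbits(32) for _ in range(nregs)]
        w = rng.getrandbits(32)
        flipped = list(state)
        flipped[reg] ^= 1 << bit
        total += bin(step(tuple(state), w)[0] ^ step(tuple(flipped), w)[0]).count("1")
    return total / trials

if __name__ == "__main__":
    # Register index 3 is D in both layouts; compare how far one D bit spreads.
    for bit in (0, 15, 31):
        print(f"D bit {bit:2d}: SHA-1 {avg_flips(sha1_step, 5, 3, bit):.2f}  "
              f"SHAMODX {avg_flips(shamodx_step, 7, 3, bit):.2f}")
```

A one-step spread count is not a trail analysis over 80 rounds; it only turns the "moves but does not concentrate" claim into a number that can be checked, and it says nothing about collision resistance of the full hash.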