Security of a New Cryptographic Hash Function - Titanium

ABSTRACT


INTRODUCTION
Hash functions are one-way functions that map variable-size input to a fixed-length output digest. They are a powerful tool for verifying data integrity between peers. There are many hash functions, such as MD5 [1], SHA1 [2] and Double-A [3]. Many hash functions acted as a random oracle for a time. However, advances in computer processors strengthened the attacks on such algorithms. The security of a hash function is judged by its resistance against the basic security criteria: preimage, second preimage, collision and length extension.
Attackers try to create a scenario to break one of the security criteria by compromising and analyzing the hash states. Thus, the designers' goal is to build high confusion and diffusion to create a so-called random oracle.
The basic security criteria of a hash function are its resistance to preimage, second-preimage, collision and, more recently, length extension attacks.
Titanium is a newly constructed sponge hash function that uses the 512-bit SF block cipher [4]. SF is a block cipher that takes a 512-bit plaintext input and a 512-bit key and applies four operations on the input to produce a 512-bit output ciphertext. Titanium takes variable-length input and produces a fixed 512-bit output digest.

RESEARCH METHODOLOGY

2.1 Sponge Function Overview
Sponge is one of the hash function constructions. Other constructions are used for building hash function algorithms, such as the Merkle-Damgård construction. It has issues with the digest length, as its security depends on that length. The sponge construction was introduced by the Keccak team [5][6]. It aims to decouple the security level of the algorithm from the digest length. The sponge construction has three main phases: the absorbing phase, the squeezing phase and the truncation phase.

Inner State
Message input goes through several iterated operations inside the blender. Each operation produces a different output, formed in an S-box. Each S-box is a state which contains the binary pattern of the algorithm result. The states in the middle of the blender operations are called inner states. They are the intermediate chaining values formed by the last operation performed on the pattern. (1) A length padding rule has been implemented in Titanium. Adding prefixes or suffixes to the message will not create collisions under length padding. Even if two messages have the same length, their binary patterns will be different. Adding bits to the input affects both the message bits and the padding bits, and therefore gives a different input.
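The three sponge phases and the length padding described above, as a small model that is added here and is not Titanium's own code. The rate, capacity, digest length and the count of 24 iterations are the figures quoted on this page; the transformation `f`, the padding layout and every function name are assumptions, because the page does not specify the SF-based round function.

```python
import hashlib

RATE = 576 // 8        # bitrate from the page: 576 bits = 72 bytes
CAPACITY = 1024 // 8   # capacity from the page: 1024 bits = 128 bytes
WIDTH = RATE + CAPACITY
DIGEST = 512 // 8      # digest length from the page: 512 bits = 64 bytes
ROUNDS = 24            # iteration count quoted on the page

def f(state: bytes) -> bytes:
    """Stand-in transformation (assumption), NOT Titanium's SF-based rounds."""
    for r in range(ROUNDS):
        state = hashlib.shake_256(bytes([r]) + state).digest(WIDTH)
    return state

def pad(message: bytes) -> bytes:
    """Assumed length padding: 0x80, zero fill, then the 8-byte message length."""
    zeros = (-(len(message) + 9)) % RATE
    return message + b"\x80" + b"\x00" * zeros + len(message).to_bytes(8, "big")

def sponge_state(message: bytes) -> bytes:
    """Absorbing phase: XOR each block into the outer RATE bytes, then apply f."""
    state = bytes(WIDTH)  # the same all-zero initial value for every message
    padded = pad(message)
    for i in range(0, len(padded), RATE):
        block = padded[i:i + RATE]
        outer = bytes(a ^ b for a, b in zip(state[:RATE], block))
        # The capacity bytes are never XORed with input and never output directly.
        state = f(outer + state[RATE:])
    return state

def titanium_like_digest(message: bytes) -> bytes:
    """Squeezing and truncation: DIGEST <= RATE, so one squeeze is enough."""
    return sponge_state(message)[:DIGEST]

def hidden_bits() -> int:
    """State bits that someone holding only the digest never sees."""
    return (WIDTH - DIGEST) * 8
```

With these parameters 1088 of the 1600 state bits stay hidden, which is why absorbing cannot simply be resumed from a published digest.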

Cipher
The F cipher [1] processes data through four operations: sub-byte, convert row, shifting and add round key.

Sub-Byte.
Data elements are sub-byted over 576-bit S-boxes. The properties of the sub-byte operation remove linear characteristics. Therefore, linear cryptanalysis is not applicable to Titanium's S-boxes. Moreover, it increases diffusion and confusion, so studying the effectiveness of linearity in differentials is out of the complexity scope and does not give the attacker an advantage.

Convert Row Round.
In this stage, Titanium's data elements are blended with each other in preparation for the next stage. After the sub-byte round, the convert row round blends the bits, increasing diffusion and confusion so that the effect of small differences in the input remains obscure.

Cryptanalysis

Preimage.
Hash functions should have the one-way property, such that recovering the original message from the digest is not possible with complexity lower than $2^{c}$. There are many ways to break this property, such as giving prefixes to the message, going backwards through intermediate chaining values to reach the mother state and then the original message, or even a brute-force attack. A preimage attack obtains the original state from a given digest [Figure 2].
The Titanium sponge hash function has a 1024-bit capacity and a bitrate of 576 bits. Since the capacity is the security parameter of the sponge construction and its security is decoupled from the digest length [5], the minimum complexity for Titanium against a preimage attack is $2^{2c}$

Collisions.
A collision is a pair of different inputs that lead to the same digest [7]. Collision resistance is itself a general criterion, and attackers use many approaches to obtain collisions in a hash function, such as finding collisions in intermediate chaining values by applying different scenarios to establish the attack. The minimum complexity required for a random oracle is $2^{c}$. Attackers can cut the complexity in half by using the birthday theory from probability [Figure 3]. In simple terms, this is done by covering the probability statistics for the digest. For instance, take a classroom with twelve students: one student should share the same birthday with a colleague. By some probability calculations, the complexity might be cut in half.
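The birthday effect described above can be measured on a shortened digest. This is an added example, not code from the paper: SHA3-512 from the Python standard library stands in for a sponge hash because no Titanium implementation is given on this page, and the message format and function names are constructed.

```python
import hashlib

def truncated_digest(message: bytes, bits: int) -> int:
    """First `bits` bits of SHA3-512, standing in for an n-bit sponge digest."""
    full = int.from_bytes(hashlib.sha3_512(message).digest(), "big")
    return full >> (512 - bits)

def birthday_collision(bits: int):
    """Hash distinct counter messages until two share a truncated digest.

    Returns (first_message, second_message, number_of_hashes_computed).
    """
    seen = {}
    count = 0
    while True:
        message = b"constructed-%d" % count   # constructed sample input
        tag = truncated_digest(message, bits)
        count += 1
        if tag in seen:
            return seen[tag], message, count
        seen[tag] = message

def attempts_vs_bound(bits: int):
    """Compare the measured work with the 2^(n/2) birthday estimate."""
    _, _, attempts = birthday_collision(bits)
    return attempts, 2 ** (bits // 2), 2 ** bits

if __name__ == "__main__":
    for n in (16, 20, 24):
        attempts, birthday, exhaustive = attempts_vs_bound(n)
        print(f"n={n}: collision after {attempts} hashes "
              f"(2^(n/2)={birthday}, 2^n={exhaustive})")
```

The measured counts land near $2^{n/2}$ rather than $2^{n}$, so for collision resistance a digest of n bits offers about n/2 bits of security however strong the inner function is.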

Second Preimage.
Second preimage is an advanced form of the collision attack. It is to find a second message from a given digest and a known first message with its hash value [Figure 4] [7].

Length extension.
Length extension is one of the security criteria for hash functions. Hash functions can be used as Message Authentication Codes: H(Secret||Message). Therefore, any weakness in the hash structure will threaten the MAC and affect the server's file validation [9].
In this case, the server calculates the message digest and determines whether the request is valid. Theoretically, attackers may forge a modified request without knowing the secret that the server uses by appending some data to the message, and the server still sees it as a valid request (2).
| | (2)
Since length extension attacks depend on finding collisions in the internal state, Titanium iterates 24 times and each operation updates the whole state. Furthermore, changing one bit will change at least half of the state bits and the attacker does not know which part has been truncated.
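Why H(Secret||Message) is fragile when the digest exposes the complete chaining state, and why withholding part of the state (the truncation argument made above) closes the gap, shown as an added example that is not from the paper. The toy Merkle-Damgård hash, its SHA-256-based compression function, the 16-byte sizes and all names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16   # toy block size in bytes (constructed for this example)
CHAIN = 16   # toy chaining-value size in bytes

def compress(chain: bytes, block: bytes) -> bytes:
    """Stand-in compression function built from SHA-256 (assumption)."""
    return hashlib.sha256(chain + block).digest()[:CHAIN]

def md_pad(total_len: int) -> bytes:
    """Length padding for a message of total_len bytes."""
    zeros = (-(total_len + 9)) % BLOCK
    return b"\x80" + b"\x00" * zeros + total_len.to_bytes(8, "big")

def md_hash(data: bytes, chain: bytes = bytes(CHAIN), prior_len: int = 0) -> bytes:
    """Toy Merkle-Damgard hash: the digest is the complete final chaining value."""
    data += md_pad(prior_len + len(data))
    for i in range(0, len(data), BLOCK):
        chain = compress(chain, data[i:i + BLOCK])
    return chain

def full_state_mac(secret: bytes, message: bytes) -> bytes:
    """Weak: H(Secret || Message) that publishes the whole internal state."""
    return md_hash(secret + message)

def truncated_mac(secret: bytes, message: bytes) -> bytes:
    """Hardened: same input, but half of the final state is withheld."""
    return md_hash(secret + message)[:CHAIN // 2]

def extend(tag: bytes, signed_len: int, extra: bytes):
    """Continue hashing from a published full-state tag, secret unknown."""
    glue = md_pad(signed_len)
    forged = md_hash(extra, chain=tag, prior_len=signed_len + len(glue))
    return glue + extra, forged

def server_accepts(mac, secret: bytes, message: bytes, tag: bytes) -> bool:
    """Server-side check: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(mac(secret, message), tag)
```

On the defensive side, the check to make is whether a deployed MAC is a bare H(Secret||Message) over a hash whose output equals its chaining state; if so, move to HMAC or to a construction that keeps part of the state out of the digest.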

Advanced Security analysis
The basic security criteria for hash functions are preimage, second preimage, collision and length extension (used with MACs). The basic security claim for all criteria should be at least $2^{c}$. Attackers create a scenario to break one or more of those criteria or to reduce the complexity of the algorithm, whether in a theoretical or a practical way.

Multi-collision attack.
Cascading hashes appeared in the PhD thesis of B. Preneel [9]. The idea is to build a concatenated hash digest from two independent hash algorithms. It increases the security level while affecting the total cost of implementation (3).
Joux [11] proved that cascading hashes makes no difference: the complexity remains as if only one hash algorithm were used. Joux [11] found collisions in message blocks by exhaustive search, using a pre-computed data structure to compare all message pairs to obtain four collisions (a collision-finding machine), such that a given initial value produces two blocks of the message (4) [Figure 5]. Herding hashes is an advanced form of the multi-collision attack that uses brute force to create a tree of data [12]. Its idea is to create an array-like data structure, a pre-computed tree of intermediate values, by brute force, and then to run an exhaustive search for internal states that collide with one or more values in the data structure. After the collision, adding short prefixes to the string is possible with approved validation.
Titanium follows the sponge construction and uses the SF cipher. The digest is truncated and the truncated part is unknown to the attacker. Furthermore, the initial value is the same for all inputs. Changes in the input affect the first state and then all inner states.
By using brute force, the complexity of Titanium remains at a minimum of $2^{c}$ when the birthday theory is taken into consideration.

Distinguishers:
Distinguishers are widely used to break security algorithms, as they offer many techniques. A distinguisher studies the relationship between inputs, keys and outputs in order to disclose all or part of the key. Distinguisher cryptanalysis aims to break one or more of the hash function security criteria (preimage, second preimage, collision, length extension) through a particular cryptanalysis, such as differential cryptanalysis.

Differential cryptanalysis.
Differential cryptanalysis is the study of the relationship between inputs and outputs. It aims to trace the function to the point where it shows a particular behavior, exploit that vulnerability and disclose the key or part of the key [14]. It is based on known plaintext-ciphertext cryptanalysis, using pairs of messages that have particular statistical properties. Attackers apply differential attacks using different scenarios and techniques, such as slide attacks, rotational cryptanalysis and truncated differentials. Generally, for Titanium, the total cost of generating a pair of messages that has those particular statistical properties is $2^{2c}$.

Slide Attack.
The slide attack is a known plaintext-ciphertext attack. However, it does not use brute force to generate the pairs. It depends on so-called slid pairs. The variables given to the attacker are the message ($P_0$), the ciphertext ($C_0$) of $P_0$ and the assumed message ($P_1$). The attacker pretends that $P_1$ equals $R_1$ of $P_1$; then $f_4$ of $P_0$ should equal $R_4$ of $P_1$. After that, the attacker performs some analysis to disclose the key used between $f_4$ and $C_1$. If the attacker obtains the corresponding key, applying the same key to $P_0$ will produce $f_1$. If $f_1$ equals $P_1$, then the pair is a good pair and is considered a slid pair, as shown below [Figure 6] [12].
The slide attack is efficient against algorithms that use one key for all rounds and where the output of all rounds is known to the attacker. However, Titanium updates its state each round and its states do not present any bias toward each other. XORing between states gives the states the diffusion and confusion properties. Furthermore, the output of Titanium is truncated and the attacker does not know which part has been truncated from the digest. Using a brute-force attack, the complexity of generating a slid pair depends entirely on the known-plaintext attack, which requires $2^{2c}$ possibilities. Considering the birthday theory to establish the attack, the complexity of generating a slid pair remains $2^{c}$.

Rotational cryptanalysis
It is an analysis that relies on ARX [modular addition, rotation and XOR]. Rotations can be obtained by rotating the corresponding word. Rotational cryptanalysis can be established if the bits are friendly to the rotation property. However, Titanium does not follow ARX and uses constants in its operation. IVs are the same for all messages and the capacity remains at a fixed value (zero) [15].

Truncated differential cryptanalysis
It is cryptanalysis of the differences in inputs and outputs to discover the key or part of it. Truncated differentials rely on a known plaintext-ciphertext attack. The attack studies the behavior of the function, tracing it to the stage where the function behaves differently, hoping to find statistical patterns in the S-box distribution. The attacker should obtain plaintext and the corresponding ciphertext. Once the attacker gets the statistical property, the pairs are called differentials [16].
Titanium has constant values (C, IV) for all messages and finding the required pairs needs $2^{2c}$ possibilities. Even assuming that the attacker is able to find the pairs with less work ($<2^{c}$), the digest is truncated and the attacker does not know which part has been truncated.

Square attack
The square or integral attack is a differential attack based on a known plaintext-ciphertext attack [17]. It was first applied to block ciphers. However, the technique here is to find the corresponding differences in the block rather than in several bits. It exploits the property of the one-way S-box. Its pairs should have constants in the pairs' blocks plus variables; the attack can then be established with those studied variables, and the pairs are considered integral pairs.
Titanium has a capacity of 1024 bits, which never affects the output. Titanium's bitrate values change after each operation and round. Furthermore, the digest is truncated and the full digest is obscure.

Linear cryptanalysis
Linear cryptanalysis is efficient against algorithms that use ARX [Add - Rotate - XOR]. In this attack, the attacker tries to obtain known plaintext-ciphertext pairs with a linearity proportion of ½ through some XOR operations and statistical studies. It depends on the distribution of zeros and ones in the state [Figure 7] [18]. Titanium has a capacity of 1024 bits, which forces the attacker to generate $2^{2c}$ pairs by brute-force attack. Moreover, the S-boxes used in Titanium have the non-linearity property. Assuming the attacker somehow succeeds in applying linear cryptanalysis to the S-boxes, the total cost of establishing the attack is $2^{2c}$.

Figure 5. Linear pairs

Table 1 is a discussion of Titanium for any desired digest length with different attacks and security criteria. The complexities are the cost required to establish the attack using the brute-force technique.

Titanium-n R.sponge-n $2^{n/2}$ $2^{2c}$ $2^{2c}$ $2^{2c}$

CONCLUSION
The Titanium hash function has been analyzed. It shows a resistance of $2^{2c}$ against the studied attacks. Its construction and cipher fortify the algorithm by surrounding it with high diffusion and confusion while taking the performance of the algorithm into consideration. Using a bigger capacity increases hash complexities. However, a bigger capacity means higher execution costs on modern CPUs. A 1024-bit capacity is a reasonable size. Its security claims fulfill the random sponge claims, which is the ideal hash function.