GHA-256: Genetic Hash Algorithm Praneeth Kumar Gunda1,Jangiti Siva Prashanth2 And Vishnu Murthy Gunda3 1

Software Engineer, eIQ Networks R&D India Pvt. Ltd., Hyderabad, A.P, India 1 [email protected] Department of Computer Science and Engineering , CVSR College of Engineering, Ghatkesar,AP,India 2 [email protected] , [email protected] 2,3

Abstract. Hash functions play a prominent role in signing digital documents. The classical one being SHA-1 is used widely in many applications such as Pretty Good Privacy (PGP) and S/MIME (Secure Multipurpose Internet Mail Extension) etc., which is proven that it compromises with collision attacks and birthday attacks. In this paper, we present a Novel Hash algorithm, GHA-256, a universal one way hash function, which uses genetic functions as the primary ones and Blum-Micali algorithm, a Cryptographically Secure Pseudorandom Number Generator (CSPRNG) for generating keys. It gives a 256-bit Hash value. Keywords: GHA-256, Arithmetic Crossover, Merkle-Damgard scheme, and Hash Functions.

1 Introduction The term hash functions originate historically from computer science, where it denotes a function that compresses a string of arbitrary input to a string of fixed length. Hash functions are used to allocate as uniformly as possible storage for the records of a file. The name hash functions has also been widely adopted for cryptographic hash functions or cryptographically strong compression functions, but the result of the hash function has been given a wide variety of names in the cryptographic literature: hashcode, hash total, hash result, imprint, (cryptographic) checksum, compression, compressed encoding, seal, authenticator, authentication tag, fingerprint, test key, condensation, Message Integrity Code (MIC), message digest, etc. The terms Message Authentication Code (MAC) and Manipulation Detection Code (MDC) originated from US standards and are certainly not perfect (a MAC or an MDC are actually no codes, and both can serve for message authentication), but the adoption of these terms offers a practical solution to the momentary “Babel of tongues”. One example of the confusion is that “checksum” is associated with the well known Cyclic Redundancy Checks (CRC) that are of no use for cryptographic applications. In this paper, the names MAC and MDC will also be used for the hashcode obtained with a MAC and an MDC respectively. Sometimes a MAC is

called a keyed hash function, but then one has to use for an MDC the artificial term unkeyed or keyless hash function. According to their properties, the class of MDC’s will be further divided into one-way hash functions (OWHF) and collision resistant hash functions (CRHF). The term collision resistant hash function (CRHF) is preferable over strong one-way hash function, as it explains more clearly the actual property that is satisfied. The term weak one-way hash function was proposed by R. Merkle in [5], in order to stress the difference with a strong or collision resistant hash function. Finally note that in a complexity theoretic context the term universal oneway hash function (UOWHF) was proposed by M. Naor and M. Yung in [6].Cryptographic hash functions can be used to protect information authenticity and to protect against the threat of repudiation. The basic idea of the use of cryptographic hash functions is to reduce arbitrary length to the protection of the secrecy and/or authenticity of quantities of fixed length. 1.1 One-way Hash Function (OWHF) The first informal definition of a OWHF was apparently given by R. Merkle [5,6]. A one-way hash function is a function h satisfying the following conditions: 1. 2. 3. 4.

The description of h must be publicly known and should not require any secret information for its operation (extension of Kerckhoffs’s principle1). The argument X can be of arbitrary length and the result h(X) has a fixed length of n bits (with n≤64) Given h and X, the computation of h(X) must be “easy”. The hash function must be one-way in the sense that given a Y in the image of h, it is “hard” to find a message X such that h(X) = Y and given X and h(X) it is “hard” to find a message X′≠X such that h(X′) = h(X).

The first part of the last condition corresponds to the intuitive concept of onewayness, namely that it is “hard” to find a preimage of a given value in the range. In the case of permutations or injective functions only this concept is relevant. The second part of this condition, namely that finding a second preimage should be hard, is a stronger condition, that is relevant for most applications. Formal definitions of a OWHF can be obtained through insertion of a formal definition of “hard” and “easy” in combination with the introduction of a security parameter. In the complexity theoretic approach this means that the number of operations is superpolynomial in the size of the input. For a practical definition, one still has several options. In the case of “ideal security”, introduced by X. Lai and J. Massey, producing a (second) preimage requires 2n operations operations. However, it may be that an attack requires a number of operations that is smaller than O(2n), but is still computationally infeasible. 1.2 Collision resistant hash function The first formal definition of a CRHF was apparently given by I. Damgard [6]. An informal definition was given by R. Merkle in[5]. A collision resistant hash function is a function h satisfying the following conditions:

1. 2. 3. 4. 5.

The description of h must be publicly known and should not require any secret information for its operation (extension of Kerckhoffs’s principle). The argument X can be of arbitrary length and the result h(X) has a fixed length of n bits (with n≥128). Given h and X, the computation of h(X) must be “easy”. The hash function must be one-way in the sense that given a Y in the image of h, it is “hard” to find a message X such that h(X) = Y and given X and h(X) it is “hard” to find a message X′≠X such that h(X′) = h(X). The hash function must be collision resistant: this means that it is “hard” to find two distinct messages that hash to the same result.

In the case of “ideal security”, producing a (second) preimage requires 2n operations and producing a collision requires O(2n/2) operations. This can explain why both conditions have been stated separately. One can however also consider the case where producing a (second) preimage and a collision requires at least O(2n/2) operations, and finally the case where one or both attacks require less than O(2n/2) operations, but the number of operations is still computationally infeasible (e.g., if a larger value of n is selected). 1.3 Message Authentication Code Message Authentication Codes have been used for a long time in the banking community and are thus older than the open research in cryptology that started in the mid seventies. However, MAC’s with good cryptographic properties were only introduced after the start of open cryptologic research. A MAC is a function satisfying the following conditions: 1. 2. 3. 4.

The description of h must be publicly known and the only secret information lies in the key (extension of Kerckhoffs’s principle). The argument X can be of arbitrary length and the result h(K,X) has a fixed length of n bits (with n ≥32 . . . 64). Given h, X and K, the computation of h(K,X) must be “easy”. Given h and X, it is “hard” to determine h(K,X) with a probability of success “significantly higher” than 1/2n. Even when a large set of pairs {Xi, h(K,Xi)} is known, where the Xi have been selected by the opponent, it is “hard” to determine the key K or to compute h(K,X0) for any X0 6= Xi. This last attack is called an adaptive chosen text attack 2.The hash function must be one-way in the sense that given a Y in the image of h, it is “hard” to find a message X such that h(X) = Y and given X and h(X) it is “hard” to find a message X′≠X such that h(X′) = h(X).

Note that this last property implies that the MAC should be both one-way and collision resistant for someone who does not know the secret key K. This definition leaves open the problem whether or not a MAC should be one-way or collision resistant for someone who knows K. In the next section, some applications will be discussed where this property could be useful, and in chapter 5 some new MAC’s based on a block cipher will be proposed that satisfy one or both properties.

2 Genetic Algorithms Genetic Algorithms were invented to mimic some of the processes observed in natural evolution. Many people, biologists included, are astonished that life at the level of complexity that we observe could have evolved in the relatively short time suggested by the fossil record. The idea with GA is to use this power of evolution to solve optimization problems.Genetic Algorithms (GAs) are adaptive heuristic search algorithm based on the evolutionary ideas of natural selection and genetics. As such they represent an intelligent exploitation of a random search used to solve optimization problems. Although randomized, GAs are by no means random, instead they exploit historical information to direct the search into the region of better performance within the search space. 2.1 Arithmetic Crossover In genetic algorithms, crossover is a genetic operator used to vary the programming of a chromosome or chromosomes from one generation to the next. It is analogous to reproduction and biological crossover, upon which genetic algorithms are based. Weighted (Arithmetic) crossover modifies rather than exchanges genetic material. It works at the chromosome level rather than individual loci. Weight w is selected before each crossover and then loci are randomly selected and exchanged. Off1=w*parent1+(1-w)*parent2

(1)

Off2=(1-w)*parent1+w*parent2

(2)

2.2 Value Encoding Mutation Mutation is a genetic operator used to maintain genetic diversity from one generation of a population of chromosomes to the next. It is analogous to biological mutation. Adding a small number (for real value encoding) - to selected values is added (or subtracted) a small number.

3 Blum Micali PRNG A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG)[1], is an algorithm for generating a sequence of numbers that approximates the properties of random numbers. The sequence is not truly random in that it is completely determined by a relatively small set of initial values, called the PRNG's state. Although sequences that are closer to truly random can be generated using hardware random number generators, pseudorandom numbers are important in practice for simulations, and are central in the practice of cryptography and procedural generation. Common classes of these algorithms are linear congruential generators, Lagged Fibonacci generators, linear feedback shift registers, feedback with carry shift registers, and generalised feedback shift registers. One of the recent issues of this type is Blum Micali Algorithm.

The Blum-Micali algorithm is a cryptographically secure pseudorandom number generator. The algorithm gets its security from the difficulty of computing discrete logarithms. Let p be an odd prime, and let g be a primitive root modulo p. Let x 0 be a seed, then, Xi+1=g^Xi mod p

(3)

4 GHA-256: Genetic Hash Algorithm 4.1 High level description of GHA-256 The algorithm takes as input a message of arbitrary length and produces output a 256bit message digest, i.e., 64 byte message digest. The algorithm takes the approach of big-endian. The input is processed in 256-bit blocks. Figure 1 depicts the overall processing of a message to produce a digest. This follows a general structure known as Merkle Damgard scheme of Hash functions. The processing consists of the following steps:  Step 1: Append padding bits. The message is padded so that its length in bits is congruent to 192 modulo 256(length ≡ 192 mod 256). That is, the length of the padded message is 64 bits less than an integer an integer multiple of 256 bits. The number of padding bits is in the range of 1 to 256 bits. The padding consists of a single 1-bit followed by the necessary number of 0-bits.  Step 2: Append length. A 64-bit representation of the length in bits of the original message(before the padding) is appended to the result in step1 (least significant byte first). If the original length is greater than 2 64 then only the lower order 64-bits of the length are used. Thus, the field contains the length of the original message, modulo 64. The outcome of the first two steps yields a message that is an integer multiple of 256-bits in length. In Figure 1, the expanded message is represented as the sequence of 256-bit blocks Y0, Y1,…., YL-1, so that the total length of the expanded message is L x 256 bits. Equivalently, the result is a multiple of 8 32-bit words. Let M[0…N-1] denote the words of the resulting message, with N an integer multiple of 16. Thus N=L X 8.  Step 3: Process message in 256-bit (8-word) blocks. The heart of the algorithm is a function which primarily consists of two steps “Crossover” and “Mutation” (The Genetic Algorithms). The step takes as input the current 256-bit block being processed (Yk) and then Decomposes the 256 bit block into four blocks of 64-bit blocks. i.e., 4 X 64 = 256, Along with this, the Key Xk, generated from Blum Micali Algorithm and the H k-1, generated from the processing of previous block is also divided into four each of 64-bit size.  Step 4: Output. After all L 256-bit blocks have been processed, the output from Lth stage is the 256-bit message digest.

We summarize the behavior of GHA256 as follows: H0 = IV HK = AC/M (Hk-1, Xk, Yk) MD= HL-1 L x 256 Bits Padding Message 10000……0

mm <-256bits-> <-256bits-> <-256bits-> <-256bits-> Yo

IV 256

GHA

Y1

256 H1

GHA

256

X0

Y2

256

X1

H2

<-256bits->

Y3

GHA 256

X2

H3

<-256bits->

Yk

GHA

256 Hk-1

YL-1

GHA

256

X3

256

Xk

K Msg Length

256 Hl-1

GHA 256

256

Xl-1 256 Bit Message Digest

Figure 1: Block Diagram of GHA-256 Where IV = initial value of H0 Yq = the qth 256-bit block of the message L = the number of blocks in the message (including padding and length fields) Hq = chaining variable processed with qth block of the message. GHA = round function using genetic algorithms Kk = Key used in processing the kth block of the message MD = final message digest value 4.2 GHA-256 Round function Let us look in more detail at the logic in processing of 256-bit block. Each 256-bit blocks of Xi, Yi, and Hi are divided into four 64-bit quarters i.e., Xi is divided into Xi1, Xi2, Xi3 and Xi4, Yi is divided into Yi1, Yi2, Yi3 and Yi4, and Hi is divided into Hi1, Hi2, Hi3 and Hi4. and then each block of them are processed using Arithmetic Crossover/ Mutation operations. Figure 2 descript the GHA Round function in a high level manner and Figure 3 shows the clear picture of Round function of GHA

Hi

Yi

Xi Arithmetic Crossover/Mutation

H(i+1)

Figure 2 :High level description of GHA Round function After the division is done, the blocks undergo two operations, Arithmetic Crossover and Arithmetic Mutation. Arithmetic Crossover. As described earlier (in section 2.1), the formula for this step is:

(4)

H(i+1) j=K ij*Y ij +(264-K ij)*H ij Arithmetic Mutation. As described earlier (in section 2.2), the formula for this step is:

(5)

H(i+1) j =H(i+1) j + H(i+1) j /K ij

Hi 256 Bit 64 Bit

64 Bit

Hi1

Xi

64 Bit

Hi2

Hi3

64 Bit

Hi4

Yi

256 Bit 64 Bit

64 Bit

64 Bit

64 Bit

256 Bit

(AC/M)

Xi1

Yi1 (AC/M)

Xi2

Yi2

Xi3

Yi3

(AC/M)

Xi4

(AC/M) 64 Bit

64 Bit

Yi4

64 Bit

64 Bit

64 Bit

64 Bit

64 Bit 64 Bit

H(i+1)1

H(i+1)2

H(i+1)3

H(i+1)4

H(i+1)

Figure 3: Low level description of GHA Round function Finally, when all the processing is done, club all the processed 64-bit quarters into one of 256-bit size, which is known as Hk+1.

5 Algorithms Algorithm 1: High level Description of GHA-256 Data: 256-bit blocks of the message M with padding; IV: Initialization Vector of size 256-bit Result: 256 bit Message Digest.

begin n ← no. of blocks in the message with padding. GHA(IV, Y0, X0) for i ←2 to n do GHA(Hi-1, Yi, Xi) end Algorithm 2: Description of GHA Round func. Data: ith block of Message [Li] IV/ Hi-1 based on the value of i Xi ,Generated from Blum Micali PRNG (Algo. 5) Result: Hi : Hash of ith block of Message begin Decompose each of the 256- bit blocks Li , Hi-1, Xi into 4 blocks, each of size 64-bit i.e., Li → Li1║Li2║Li3║Li4 Hi →Hi1║Hi2║Hi3║Hi4 Xi →Xi1║Xi2║Xi3║Xi4 for j ←1 to 4 do Hij ← Arithmetic Crossover Hij ← Arithmetic Mutation Merge them again into 256 block, Hi i.e., H(i+1) ←H(i+1)1║H(i+1)2║H(i+1)3║H(i+1)4 end Algorithm 3: Arithmetic Crossover Data: Lij, H(i-1)j, Xij, of size 64 bit (in decimal format) Result: 64 bit value, in decimal format begin H(i+1) ← Xij*Lij+(264-Xij)*Hij end Algorithm 4: Arithmetic Mutation Data: Hij, generated from Algo. 3 (in decimal format) Result: Hij,64 bit value (in binary fomat) begin H(i+1)j ← H(j+1)j+ Hij/ Xij Convert H(i+1)j to binary end Algorithm 5: Blum Micali Algorithm Data: p, an odd prime. g, a primitive root modulo p X0, seed value Result: Series of Pseudo Random numbers. begin

end

for i←0 to n do X(i+1)←gXi mod p

6 Security Analysis We claim that GHA-256 satisfies full security against (second) preimage attacks and collision attacks. Moreover, GHA-256 hash function is secure against multicollision attacks such as the one given in [9]. 6.1 Collision Resistance Collision resistance is a property of cryptographic hash functions: a hash function is collision resistant if it is hard to find two inputs that hash to the same output; that is, two inputs a and b such that H(a) = H(b).Every hash function with more inputs than outputs will necessarily have collisions. We claim that the best attack to find a collision with GHA-256 is the brute force attack with workload 2^n where n is digest size(256). 6.2 Preimage Resistance In cryptography, a preimage attack on a cryptographic hash is an attempt to find a message that has a specific hash value. First Preimage Attack given a hash h, find a message m such that hash(m) = h. As the hash derived by the algorithm is of large size, it is difficult to derive a message m such that its hash value is h.

6.3 Second-Preimage Resistance Given a fixed message m1, find a different message m2 such that hash(m2) = hash(m1). This attack is known as Second Preimage attack. We claim that the best attack to find a second-preimage with GHA-256 is the brute force attack with workload 2n even for extremely long messages bounded by 264 bits, where n is the digest size, 256. 7. Juxtaposition of Traditional Hash Algorithms with GHA-256 Table 1 shows the comparison of GHA-1 with SHA-1, RIPEMD-160 and MD5 in the aspects of there features and Table 2 distinguishes how prone the algorithm GHA1 is when compared to the above said algorithms. Function RIPEMD-160 MD 5 SHA-1 GHA-256

Word 32 32 32 64

Com putation Values 320 512 160 2

Endia n

operati on

Little Little Big Big

ABS ABS ABS B

Table 1: Comaprision of Various algorithms in terms of processing In the above table, the representations used are: A(Addition),B(Bitwise operations), S(Shift, Rotation). From the above, we infer that the processing of GHA-256 is economic in all the aspects when compared with the other algorithms. Function

Hash No. of Best-Known attacks Size Rounds Collision Preimage RIPEMD-160 160 80 251.48 MD 5 128 64 210 2127 51 SHA-1 160 80 2 GHA-256 512 2 235.24 Table 2: Comparison of Various algorithms in terms of vulnerability to attacks The above table clearly shows that GHA-256 is much more resistant to all the attacks than the above said algorithms. 8. Conclusion The above analysis proves that GHA-256 is an economic and an efficient algorithm which is competent enough with SHA-1 in all the aspects and in future, GHA-1 may replace SHA-1. 9. Future Enhancements The authors will dedicate the future work in making this algorithm work accordingly with PGP and S/MIME. References 1. Manuel Blum, and Silvio Micali: How to generate Cryptographically secure pseudorandom bits. SIAM J. on Computing.13,No.4 ,850--864 (1984) 2. William Stallings, “Cryptography and Network Security”, Prentice Hall 3rd Edition 3. Subramil Som, Jyotsna Kumar Mandal and Soumya Basu, “A Genetic Functions Based Cryptosystem (GFC)”, IJCSNS, September 2009

4. I.B. Damg°ard, “A design principle for hash functions,” Advances in Cryptology, Proc. Crypto’89, LNCS 435, G. Brassard, Ed., Springer-Verlag, 1990, pp.416-427. 5. R.Merkle.: Secrecy, Authentication, and Public Key Systems. UMI Research Press(2002) 6. R.Merkle.: One way Hash functions and DES. Adv. In Cryptology, Proc. Crypto’89, LNCS 435, G. Brassard, Ed., Springer-Verlag, 1990, pp. 428-446. 7. I.B. Damg°ard, “Collision free hash functions and public key signature schemes,” Advances in Cryptology, Proc. Eurocrypt’87, LNCS 304, D. Chaum and W.L. Price, Eds., SpringerVerlag, 1988, pp. 203–216. 8. Praneeth Kumar G, Vishnu Murthy G, “Design of a Novel Cryptographic Algorithm using Genetic Functions”, IJCNS Vol.2 No.4, April 2010, pp. 55-57 9. A. Joux. Multicollisions in Iterated Hash Functions. In M.K. Franklin, editor Advances in Cryptology, CRYPTO 2004, LNCS 3152, pp.306-316, Springer, 2004. 10. Vishnu Murthy G, Praneeth Kumar G, and A Krishna Kumari, “Design of a Novel Image Encryption Technique using Genetic Algorithms”, 1st Intl. Conference on Emerging Trends in Signal Processing & VLSI Design, pp-459-461 11. Siva Prashanth J, Vishnu Murthy G and Praneeth Kumar Gunda International Journal of Computer and Network Security ISSN 2076-2739 Volume: 2; Issue: 10; Start page: 133; Date: 2010;