7

I am writing a program in Python for elliptic curve cryptography (for school and out of interest). I am currently working on the digital signature algorithm.

I am currently looking for a good and secure hashing function which is either standard in Python or can easily be downloaded and imported. I thought about SHA-256, since that's the only one I know which hasn't been broken yet (as far as I know). However, I have also read that SHA shouldn't be used for cryptography.

Is SHA-256 appropriate for a digital signature algorithm? Or should a different hashing function be used? If so, which one would be a good choice?

Maarten Bodewes
Dasherman
  • If I needed message signing in a project I would use http://pythonhosted.org/itsdangerous/ and they use HMAC and SHA1 apparently – Anentropic Dec 04 '14 at 17:46
  • Isn't SHA1 outdated? I thought it was proven to be very vulnerable? Anyway, I am looking to program as much as I can myself. This means that I want to program pretty much everything for the ECDSA, except a hashing function, since I am by far not knowledgeable enough about that subject. – Dasherman Dec 04 '14 at 17:48
    @Anentropic That's a MAC, not a signature. A MAC is symmetric. – CodesInChaos Dec 05 '14 at 08:44
  • @Dasherman HMAC-SHA-1 is still secure as a MAC. Using SHA-1 in a digital signature algorithm is weak. Use SHA-2 (SHA-256, SHA-512, etc.) for a signature. – CodesInChaos Dec 05 '14 at 08:45

2 Answers

6

I use SHA-512 for a similar purpose; I think you'd be hard pressed to get much more secure than that. SHA-512 is available in Python's hashlib, and can be used like so:

import hashlib

hashGen = hashlib.sha512()
# hashlib hashes bytes, not str: encode the text first (required on Python 3)
hashGen.update("What you want to hash".encode("utf-8"))
hash = hashGen.hexdigest()  # hex string of the 512-bit digest
print("your hash is: ", hash)
Patrick T Nelson
  • 1) Is it possible to "clear" the object from all its updates, so that it starts all over, as it were? 2) Is SHA512 worth using if my elliptic curve only uses a 256 bit prime and order?? – Dasherman Dec 04 '14 at 18:41
  • 1) Not really, but you can accomplish the same effect by repeating the hashGen = hashlib.sha512() line. 2) It should still be worth using but you won't have its full potential (I'm not 100% on this one). – Patrick T Nelson Dec 04 '14 at 18:51
3

The best standardized algorithm currently available is still SHA-2. SHA-2 now consists of 6 hash functions: SHA-256, SHA-384 and SHA-512 were first defined. SHA-224 was later added to allow for a smaller output size. After that the less well available SHA-512/224 and SHA-512/256 were introduced.

SHA-2 mainly consists of the 32-bit oriented SHA-256 variants - SHA-256 and SHA-224 - and the 64-bit SHA-512 variants - the others. The performance of the SHA-512 variants may actually be higher on 64 bit machines, hence the introduction of SHA-512/224 and SHA-512/256. Basically the variants of SHA-256 / SHA-512 only differ in the constants they use internally and the amount of bits used as output size. Some newer Intel and AMD processors have SHA extensions that only accelerate SHA-256, not SHA-512, possibly shifting the favor again towards SHA-256 with regard to speed.

During the SHA-3 competition it came to light that SHA-2 is still pretty strong, even if SHA-1 is under attack. I would suggest only looking at other hashes if SHA-2 comes under attack or if better hash algorithms get standardized and used.

From Wikipedia:

In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable.[6] Although SHA-2 bears some similarity to the SHA-1 algorithm, these attacks have not been successfully extended to SHA-2.

Note that SHA-2 uses a considerably more complex round function compared to SHA-1. So although it has a similar structure (both are so-called Merkle-Damgard hashes) SHA-2 may nonetheless be much more resistant than SHA-1 against attack.

Maarten Bodewes
  • 1) Would hashing the message for the digital signature once suffice? Or should I hash multiple times before signing? 2) Would SHA-2 suffice for deriving symmetric encryption keys, for example from user input or from an elliptic curve point or x-coordinate? Or should I use a different algorithm for that? – Dasherman Dec 05 '14 at 10:28
  • 1) Just once. 2) You should use a PBKDF such as PBKDF2 or bcrypt/scrypt for passwords, and *officially* you should use a KBKDF such as HKDF for the second. For the second you could cheat a bit and use (the leftmost bits of) the output of one of the SHA-2 algorithms as KDF. Note that PBKDF2 is built upon a HMAC, which in turn is built upon a hash function such as SHA-2. – Maarten Bodewes Dec 05 '14 at 10:33
  • Would your "cheat" be more vulnerable to attacks than using HKDF? – Dasherman Dec 05 '14 at 10:43
  • Not likely, but it may be considerably harder to prove that it isn't, and it may use some "unintentional" properties of the underlying hash. More info e.g. [here](http://crypto.stackexchange.com/questions/15673/security-of-kdf1-and-kdf2-hash-based-kdfs) - KDF1/2 simply adds a counter to the value to be hashed in their most simple forms. You would probably even be rather secure if you used the value of x directly but I would at least hash. – Maarten Bodewes Dec 05 '14 at 10:48
  • What about using the x coordinate in byte form directly as a key? And should I hash both the x and y? Or just the x, or just the y? (For key derivation) – Dasherman Dec 05 '14 at 10:50
  • The default seems to be hashing x and y. I just had to make a note on a product that just used x, getting me into trouble :) – Maarten Bodewes Dec 05 '14 at 10:52
  • So just hashGen.update(x), hashGen.update(y), hashGen.digest() would work correctly for a secure key, derived from a point on an elliptic curve? – Dasherman Dec 05 '14 at 10:59
  • That would do nicely, but if you would also update the value `00 00 00 00` then you would have KDF1 and you could easily extend the function to support multiple keys/IV's. – Maarten Bodewes Dec 05 '14 at 12:17
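The two threads above (hashing the message once for ECDSA, and a KDF1-style derivation of keys from a curve point) as one added example, not code from either answer. It assumes a 256-bit group order (so a SHA-512 digest is truncated to its leftmost 256 bits, as ECDSA specifies) and uses constructed point coordinates rather than a real curve.

```python
import hashlib

# Constructed values for the demo: the bit length of the group order of a
# 256-bit curve, and the coordinate size in bytes. Not a real point.
ORDER_BITS = 256
COORD_LEN = 32


def hash_to_int(message: bytes, order_bits: int, hash_name: str = "sha256") -> int:
    """Hash the message exactly once and turn the digest into the integer e
    used by ECDSA. Per FIPS 186-4 / SEC 1 only the leftmost
    min(digest_bits, order_bits) bits are kept, so SHA-512 with a 256-bit
    order contributes its first 256 bits and nothing more."""
    digest = hashlib.new(hash_name, message).digest()
    e = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - order_bits
    if excess > 0:
        e >>= excess          # drop the rightmost bits beyond the order size
    return e


def kdf1(x: int, y: int, coord_len: int, key_len: int, hash_name: str = "sha256") -> bytes:
    """KDF1-style derivation from an EC point (x, y): Hash(x || y || counter),
    with a 4-byte big-endian counter starting at 00 00 00 00. Concatenating
    the blocks for counter 0, 1, ... yields as many bytes as needed, so one
    point can supply several keys and IVs."""
    out = b""
    counter = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(x.to_bytes(coord_len, "big"))   # both coordinates go in,
        h.update(y.to_bytes(coord_len, "big"))   # not just x
        h.update(counter.to_bytes(4, "big"))
        out += h.digest()
        counter += 1
    return out[:key_len]


if __name__ == "__main__":
    msg = b"constructed message to sign"
    print("e (SHA-256):", hex(hash_to_int(msg, ORDER_BITS)))
    print("e (SHA-512, truncated):", hex(hash_to_int(msg, ORDER_BITS, "sha512")))
    x, y = 0x1234 ** 5, 0xABCD ** 5          # constructed, not on any curve
    material = kdf1(x, y, COORD_LEN, 48)
    print("AES-256 key:", material[:32].hex(), "IV:", material[32:].hex())
```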