A heuristic for finding compatible differential paths with application to HAS-160
Aleksandar Kircanski, Riham AlTawy, Amr M. Youssef
Concordia University, Concordia Institute for Information Systems Engineering
Montréal, Québec, Canada
ASIACRYPT 2013

Outline
◮ HAS-160 specification
◮ De Cannière and Rechberger (2006) differential path search
◮ Second-order collisions
◮ Searching for compatible/non-conflicting paths
◮ Heuristic workflow
◮ Propagation types
◮ Single-path propagation
◮ Quartet propagations
◮ Quartet carry propagations
◮ Conclusion and future work

Some of the previous work on HAS-160
HAS-160: KISA (Korea Information Security Agency) + Academia, “Hash Function Standard (HAS-160),” TTA.IS-10118, 1998.
SHA-based hash, Merkle-Damgård construction, Davies-Meyer mode
◮ ICISC 2005, Yun et al.: Practical 45-step collision
◮ ICISC 2006, Cho et al.: 53-step collision in $2^{55}$
◮ ICISC 2007, Mendel and Rijmen: Practical 65-step two-block collision
◮ ICISC 2011, Mendel et al.: Practical semi-freestart collision on 65 steps
◮ ICISC 2012, Sasaki et al.: Practical boomerang distinguisher for 75-step reduced compression function
◮ Boomerang distinguisher for full HAS-160 with $2^{76.06}$
Our work
Is it possible to build a practical full 80-step distinguisher?

The HAS-160 hash function step update
[Figure: the step update drawn as a shift register over the state words $\ldots, A_{i-5}, A_{i-4}, \ldots, A_{i+1}, A_{i+2}, \ldots$, with the rotations $t_i^1, \ldots, t_i^4$ and the inputs $f$, $K_i$, $W_i$]
Compression function (represented as a shift register):
$$A_{i+1} = A_{i-4}^{\lll t_i^1} + K_i + f_i\left(A_{i-1},\; A_{i-2}^{\lll t_i^3},\; A_{i-3}^{\lll t_i^2}\right) + W_i + A_i^{\lll t_i^4}, \quad \text{where } i = 0, \ldots, 79$$
Design very similar to SHA-1, except that the rotation constants change in every step.

Message expansion in HAS-160

i    Steps 1-20               Steps 21-40              Steps 41-60              Steps 61-80
0    m8 ⊕ m9 ⊕ m10 ⊕ m11      m11 ⊕ m14 ⊕ m1 ⊕ m4      m4 ⊕ m13 ⊕ m6 ⊕ m15      m15 ⊕ m10 ⊕ m5 ⊕ m0
1    m0                       m3                       m12                      m7
2    m1                       m6                       m5                       m2
3    m2                       m9                       m14                      m13
4    m3                       m12                      m7                       m8
5    m12 ⊕ m13 ⊕ m14 ⊕ m15    m7 ⊕ m10 ⊕ m13 ⊕ m0      m8 ⊕ m1 ⊕ m10 ⊕ m3       m11 ⊕ m6 ⊕ m1 ⊕ m12
6    m4                       m15                      m0                       m3
7    m5                       m2                       m9                       m14
8    m6                       m5                       m2                       m9
9    m7                       m8                       m11                      m4
10   m0 ⊕ m1 ⊕ m2 ⊕ m3        m3 ⊕ m6 ⊕ m9 ⊕ m12       m12 ⊕ m5 ⊕ m14 ⊕ m7      m7 ⊕ m2 ⊕ m13 ⊕ m8
11   m8                       m11                      m4                       m15
12   m9                       m14                      m13                      m10
13   m10                      m1                       m6                       m5
14   m11                      m4                       m15                      m0
15   m4 ⊕ m5 ⊕ m6 ⊕ m7        m15 ⊕ m2 ⊕ m5 ⊕ m8       m0 ⊕ m9 ⊕ m12 ⊕ m11      m3 ⊕ m14 ⊕ m9 ⊕ m4
16   m12                      m7                       m8                       m11
17   m13                      m10                      m1                       m6
18   m14                      m13                      m10                      m1
19   m15                      m0                       m3                       m12

De Cannière and Rechberger heuristic (2006)
◮ Applied on SHA-1, SHA-2, SM3, RIPEMD-160, ...
◮ Switch from bit-values to bit-constraints
◮ Bit-constraints: a symbol for each bit pair configuration (b, b′)
  ◮ ’?’ if there is no constraint on (b, b′)
  ◮ ’x’ if b ≠ b′
  ◮ ’-’ if b = b′
  ◮ ’u’ if b = 0 and b′ = 1
  ◮ ’n’ if b = 1 and b′ = 0
  ◮ ...
Workflow:
◮ Guess: select a ? or x and replace by - or {u, n}, respectively.
◮ Propagate: propagate all new knowledge.

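The propagate step for a single bit position, as an added example (not code from the slides or from the authors' tool): each symbol is treated as the set of (b, b′) pairs it allows, following the slide's convention for u and n. The symbols 0, 1 and #, the helper names, and the choice of XOR and IF as sample Boolean functions are assumptions that are not on the slide.

```python
from itertools import product

# Each symbol is the set of (b, b') pairs it allows.
SYMBOLS = {
    "?": {(0, 0), (0, 1), (1, 0), (1, 1)},  # no constraint
    "x": {(0, 1), (1, 0)},                  # b != b'
    "-": {(0, 0), (1, 1)},                  # b == b'
    "u": {(0, 1)},                          # b = 0, b' = 1 (slide's convention)
    "n": {(1, 0)},                          # b = 1, b' = 0 (slide's convention)
    # Assumed from the 2006 notation, not listed on the slide:
    "0": {(0, 0)},
    "1": {(1, 1)},
    "#": set(),                             # contradiction: no pair is possible
}
NAMES = {frozenset(v): k for k, v in SYMBOLS.items()}

def name(pairs):
    """Symbol for a pair set, or the sorted pairs when no symbol above matches."""
    return NAMES.get(frozenset(pairs), str(sorted(pairs)))

def propagate(f, inputs, output):
    """Narrow the constraints on one bit position of out = f(in_1, ..., in_k).

    Enumerates every combination of input pairs the current symbols allow,
    keeps those whose output pair (f(b, ...), f(b', ...)) is also allowed,
    and returns the tightest symbols covering the surviving combinations.
    """
    allowed_out = SYMBOLS[output]
    seen_in = [set() for _ in inputs]
    seen_out = set()
    for combo in product(*(SYMBOLS[s] for s in inputs)):
        out = (f(*(p[0] for p in combo)), f(*(p[1] for p in combo)))
        if out in allowed_out:
            seen_out.add(out)
            for slot, pair in zip(seen_in, combo):
                slot.add(pair)
    return [name(s) for s in seen_in], name(seen_out)

def xor3(x, y, z):
    return x ^ y ^ z

def if_(x, y, z):  # IF(x, y, z): y where x = 1, z where x = 0
    return (x & y) | ((x ^ 1) & z)
```

Calling `propagate(if_, ["-", "u", "n"], "u")` narrows the first input from `-` to `1`, which is the kind of new knowledge a guess then feeds back into neighbouring steps; an all-`#` result means the guess has to be undone.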
Boomerang distinguishers for hash functions
Definition: A second order collision for $h$ is a set $\{x, \Delta, \nabla\}$ consisting of an input for $h$ and two differences, such that
$$h(x + \Delta + \nabla) - h(x + \Delta) - h(x + \nabla) + h(x) = 0$$
Boomerang attack for the purpose of second order collisions:
◮ Biryukov et al. in the context of BLAKE (2011)
◮ Lamberger and Mendel in the context of SHA-256 (2011)

[Figure: boomerang quartet $x_A, x_B, x_C, x_D$ with input difference $\alpha$, output difference $\beta$ between the $e(\cdot)$ values, and step markers $n_0, \ldots, n_5$]
◮ Due to Davies-Meyer, the goal is to have:
  ◮ $d(x_A, x_D) = d(x_B, x_C) = \alpha$
  ◮ $d(e(x_A), e(x_B)) = d(e(x_D), e(x_C)) = \beta$
◮ Step notation: $0 \le n_0, n_1, n_2, n_3, n_4, n_5 \le n$
  ◮ $n_0, n_5$: attacked steps
  ◮ $n_1, n_2, n_3, n_4$: activation/deactivation steps

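Why these two conditions are the goal, as an added derivation that is not part of the slides. It assumes the Davies-Meyer feed-forward is $h(x) = e(x) + x$ with word-wise modular addition and reads $d(a, b)$ as $b - a$.

$$\begin{aligned}
h(x_A) - h(x_B) + h(x_C) - h(x_D)
&= -\big[e(x_B) - e(x_A)\big] + \big[e(x_C) - e(x_D)\big] - \big[x_D - x_A\big] + \big[x_C - x_B\big] \\
&= -\beta + \beta - \alpha + \alpha = 0
\end{aligned}$$

With $x = x_A$, $\Delta = x_B - x_A$ and $\nabla = \alpha$ this gives $x + \Delta = x_B$, $x + \nabla = x_D$ and $x + \Delta + \nabla = x_B + \alpha = x_C$, so the quartet is a second order collision $\{x_A, \Delta, \nabla\}$ in the sense of the definition.
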
[Figure: the same boomerang quartet diagram]
◮ Start from the middle: construct the quartet for steps $n_2, n_3$
◮ Extend the quartet to steps $n_1, n_4$
◮ Extend the quartet for some more steps $n_0, n_5$
◮ Randomize the quartet restarting from the first stage, until
  ◮ $d(x_A, x_D) = d(x_B, x_C)$
  ◮ $d(e(x_A), e(x_B)) = d(e(x_D), e(x_C))$

[Figure: the same boomerang quartet diagram]
◮ Suboptimal number of middle steps
  ◮ e.g., less than 16 steps
◮ Our work: improve the number of steps in the middle
  ◮ In case of HAS-160: 20 steps in the middle