branching heuristics in differential collision search
play

Branching Heuristics in Differential Collision Search: Application - PowerPoint PPT Presentation

Apr 11, 2023 •352 likes •602 views

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder Florian Mendel Martin Schl affer IAIK, Graz University of Technology, Austria FSE 2014 Practical Collisions for Round-Reduced Hash Functions

  1. Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder Florian Mendel Martin Schl¨ affer IAIK, Graz University of Technology, Austria FSE 2014

  2. Practical Collisions for Round-Reduced Hash Functions 64/64 MD5 [WY05] 75/80 SHA-1 [AG12] 38/64 SHA-256 [MNS13] 24/80 SHA-512 [IMPR08, SS08] 4/24 Keccak [DDS12] � semi-free-start collision for 38 steps of SHA-512 Contribution: using improved automatic search tools 1

  3. Practical Collisions for Round-Reduced Hash Functions 64/64 MD5 [WY05] 75/80 SHA-1 [AG12] 38/64 SHA-256 [MNS13] 38 / 24/80 now SHA-512 [IMPR08, SS08] 4/24 Keccak [DDS12] � semi-free-start collision for 38 steps of SHA-512 Contribution: using improved automatic search tools 1

  4. SHA-2 Family – SHA-256 / SHA-512 Iterated hash function 32-bit/64-bit words 16-word message blocks (= 512/1024 bits) 8-word hash value and chaining value (= 256/512 bits) m 1 m 2 m 3 m t f f f f IV hash Compression function f Message expansion: expand 16 words M i to 64/80 words W i State update: 64/80 steps with status words A i , E i 2

  5. SHA-2 Compression Function Message expansion: expand 16 words M i to 64/80 words W i W i = f W ( W i − 2 , W i − 7 , W i − 15 , W i − 16 ) for i ≥ 16 State update: 64/80 steps with status words A i , E i E i = f E ( A i − 4 , E i − 1 , . . . , E i − 4 , K i , W i ) , A i = f A ( E i , A i − 1 , . . . , A i − 4 ) A i − 1 A i − 2 A i − 3 A i − 4 E i − 1 E i − 2 E i − 3 E i − 4 − Σ 0 Σ 1 + K i MAJ IF W i A i − 1 A i − 2 A i − 3 E i − 1 E i − 2 E i − 3 A i E i 3

  6. SHA-2 Compression Function State -4 IV ( A ) IV ( E ) -3 -2 -1 0 1 2 m 0 3 4 m 0 5 6 7 8 9 10 f h 1 IV 11 12 13 14 15 16 17 18 19 SHA-2 compression function: 20 21 22 23 shows state words A i , E i , W i 24 25 26 27 inputs IV, m 0 28 29 30 output h 1 31 32 33 34 A i E i W i 35 36 37 0 h ( A ) h ( E ) 1 2 1 1 3 4

  7. Previous Collision Attack on SHA-256 [MNS13] Starting point -4 IV ( A ) IV ( E ) ∆ =0 ∆ =0 -3 -2 -1 0 Few message words different 1 2 3 4 High probability m 0 ∆ = ? 5 6 7 8 Local collisions 9 10 11 12 13 14 Differential characteristic 15 16 17 Automated search tool [DR06] 18 19 20 1 Guess undetermined bits 21 22 23 24 2 Determine consequences 25 26 27 28 3 Backtrack if contradiction 29 30 31 32 33 34 ∆ A i = ? ∆ E i = ? ∆ W i = ? Message Pair 35 36 37 Automated search tool 0 h ( A ) h ( E ) =0 ∆ =0 ∆ 1 2 1 1 3 5

  8. Previous Collision Attack on SHA-256 [MNS13] Starting point -4 IV ( A ) IV ( E ) -3 -2 -1 0 Few message words different 1 2 3 4 High probability m 0 5 6 7 8 Local collisions 9 10 11 12 13 14 Differential characteristic 15 ⇓ ⇓ 16 17 Automated search tool [DR06] ⇐ 18 19 ⇓ 20 1 Guess undetermined bits 21 22 ⇐ 23 24 2 Determine consequences 25 26 27 28 3 Backtrack if contradiction 29 30 31 32 33 34 A i E i W i Message Pair 35 36 37 Automated search tool 0 h ( A ) h ( E ) 1 2 1 1 3 5

  9. Previous Collision Attack on SHA-256 [MNS13] Starting point -4 IV ( A ) IV ( E ) -3 -2 -1 0 Few message words different 1 2 3 4 High probability m 0 5 6 7 8 Local collisions 9 10 11 12 13 14 Differential characteristic 15 ⇓ ⇓ 16 17 Automated search tool [DR06] ⇐ 18 19 ⇓ 20 1 Guess undetermined bits 21 22 ⇐ 23 24 2 Determine consequences 25 26 27 28 3 Backtrack if contradiction 29 30 31 32 33 34 A i E i W i Message Pair 35 36 37 Automated search tool 0 h ( A ) h ( E ) 1 2 1 1 3 5

  10. Previous Collision Attack on SHA-256 [MNS13] Starting point -4 IV ( A ) IV ( E ) -3 -2 -1 0 Few message words different 1 2 3 4 High probability m 0 5 6 7 8 Local collisions 9 10 11 12 13 14 Differential characteristic 15 16 17 Automated search tool [DR06] 18 19 20 1 Guess undetermined bits 21 22 23 24 2 Determine consequences 25 26 27 28 3 Backtrack if contradiction 29 30 31 32 33 34 A i E i W i Message Pair 35 36 37 Automated search tool 0 h ( A ) h ( E ) 1 2 1 1 3 5

  11. Previous Collision Attack on SHA-256 [MNS13] Starting point -4 IV ( A ) IV ( E ) -3 -2 -1 0 Few message words different 1 2 3 4 High probability m 0 5 6 7 8 Local collisions 9 10 11 12 13 14 Differential characteristic 15 16 17 Automated search tool [DR06] 18 19 20 1 Guess undetermined bits 21 22 23 24 2 Determine consequences 25 26 27 28 3 Backtrack if contradiction 29 30 31 32 33 34 A i E i W i Message Pair 35 36 37 Automated search tool 0 h ( A ) h ( E ) 1 2 1 1 3 5

  12. Problem – SHA-256 vs. SHA-512 -4 -4 IV ( A ) IV ( E ) IV ( A ) IV ( E ) -3 -3 -2 -2 -1 -1 0 0 1 1 2 2 3 3 4 4 m 0 m 0 5 5 6 6 7 7 8 8 9 9 10 10 11 11 12 12 13 13 14 14 15 15 16 16 17 17 18 18 19 19 20 20 21 21 22 22 23 23 24 24 25 25 26 26 27 27 28 28 29 29 30 30 31 31 32 32 33 33 A i E i W i A i E i W i 34 34 35 35 36 36 37 37 0 h ( A ) h ( E ) 0 h ( A ) h ( E ) 1 1 2 1 1 2 1 1 3 3 state size Consequences: Larger search space Contradictions take longer to detect More conditions to fulfill 6

  13. Improving Guess & Determine? Problem description [MNS13] Starting point Hash function description High-level strategy Guessing strategy, branching rules [MNS11] Which variable to pick first? Which value to guess first for this variable? Propagation [MNS11, EMN + 13, Leu12, Leu13] How to detect contradictions? How to determine implications of a guess? Backtracking [MNS11] How many guesses to undo? Restart? 7

  14. Improving Guess & Determine? Problem description [MNS13] Starting point Hash function description High-level strategy Guessing strategy, branching rules [MNS11] Which variable to pick first? Which value to guess first for this variable? Propagation [MNS11, EMN + 13, Leu12, Leu13] How to detect contradictions? How to determine implications of a guess? Backtracking [MNS11] How many guesses to undo? Restart? 7

  15. Branching: Inspiration from SAT Solvers. . . SAT Solvers (Guess-and-Determine for CNF formulas) Different strategies and paradigms: Many small clauses first (B¨ ohm, MOM, JW) Many clauses first (DLCS, DLIS) Conflict-driven, recent conflicts first (VSIDS) Localized, recently updated clauses first Preview consequences (UPLA) 8

  16. Look-Ahead Branching Heuristic Rationale: Propagation is good Reduce search space Better explicit than implicit conditions Contradictions are good Better handle them sooner rather than later -4 -3 IV ( A ) IV ( E ) -2 -1 0 1 2 3 4 5 m 0 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 A i E i W i 35 36 37 0 1 h ( A ) h ( E ) 1 1 2 3 ⇒ simulate outcome for candidate guessing variables and pick best 9

  17. Randomized Look-Ahead Problems of basic approach: Simulating for many candidates is very costly Search is not well randomized – essential after restarts Solution: Limit absolute candidate set size Limit relative set size Avoid redundant evaluation of candidates -4 -3 IV ( A ) IV ( E ) -2 -1 0 1 2 3 4 5 m 0 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 A i E i W i 35 36 37 0 1 h ( A ) h ( E ) 1 1 2 3 10

  18. Effect of Branching Heuristic (16 Candidates) Semi-free-start collisions: 27 or 38 steps of SHA-256 with heuristic: about 5–50 times faster 27 steps of SHA-512 without heuristic: 4 days on 40 CPUs with heuristic: seconds on standard PC 38 steps of SHA-512 without heuristic: no results with heuristic: ≈ 1 . 5 h on 40 CPUs Collisions with correct IV: not enough freedom in message left 11

  19. Application to 38 steps of SHA-512 – Characteristic -4 IV ( A ) IV ( E ) -3 -2 -1 0 1 2 3 4 m 0 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 A i E i W i 34 35 36 37 0 h ( A ) h ( E ) 1 2 1 1 3 12

  20. Application to 38 steps of SHA-512 – Result Semi-free-start collision for 38 of 80 steps ( ≈ 1 . 5 h on 40 CPUs): e8626f53a3771964 2ae427b8c5065790 c8fd5a1628fc3337 0f362d297f82f987 h 0 89166a0c022ffc40 c2c49c30e629239f d1fa8bd692843025 ad4bba64c797e6ec 610519a88f0d2809 3addc83f01c8b179 84afa7a2772c6141 ad539854e64c9cce 85450b73549b2085 7296b5291f31c0d9 fc978d9624e2c2cc fffffffffffffffe m 92114cb9d2f4cd9b 34a3198b79871212 cca7f43154e38081 ac0598a589168fe1 f32ae6a0070a8d2e 755aa5cada87e894 4b9bd7df3c94b667 65291f2b80cc8c51 610519a88f0d2809 3addc83f01c8b179 84afa7a2772c6141 ad539854e64c9cce 85450b73549b2085 7296b5291f31c0d9 fc978d9624e2c2cc 0000000000000001 m ∗ 92114cb9d2f4cd9c 34a3198b79871212 cca8143154e38079 ac0598a589168fe1 f32ae6a0070a8d2e 755aa5cada87e894 4b9bd7df3c94b667 65291f2b80cc8c50 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 ffffffffffffffff ∆ m 0000000000000007 0000000000000000 000fe000000000f8 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000001 946a28eedc3b2ff6 c4573d0a13ea6268 11f07b04b06900dd 897c606e4053bbe4 h 1 2406aae9d58504b4 89b237932b061ba8 663402cb4bb1972c d99c062dce945423 13

Recommend

The CPLEX Library: MIP Heuristics Ed Rothberg, ILOG, Inc. 1 Motivation for Heuristics Why not

The CPLEX Library: MIP Heuristics Ed Rothberg, ILOG, Inc. 1 Motivation for Heuristics Why not

The CPLEX Library: MIP Heuristics Ed Rothberg, ILOG, Inc. 1 Motivation for Heuristics Why not wait for branching? Produce feasible solutions as quickly as possible Often satisfies user demands Avoid exploring unproductive subtrees

465 views • 12 slides
Construction Heuristics Iterated Greedy GRASP Adaptive Iterated Construction Search Multilevel

Construction Heuristics Iterated Greedy GRASP Adaptive Iterated Construction Search Multilevel

Outline DM811 1. Complete Search Methods A best-first search HEURISTICS AND LOCAL SEARCH ALGORITHMS FOR COMBINATORIAL OPTIMZATION 2. Incomplete Search Methods 3. Other Tree Search Based Incomplete Methods Rollout/Pilot Method Lecture 5

521 views • 14 slides
Set 3: Informed Heuristic Search ICS 271 Fall 2014 Kalev Kask Overview Heuristics and

Set 3: Informed Heuristic Search ICS 271 Fall 2014 Kalev Kask Overview Heuristics and

Set 3: Informed Heuristic Search ICS 271 Fall 2014 Kalev Kask Overview Heuristics and Optimal search strategies heuristics hill-climbing algorithms Best-First search A*: optimal search using heuristics Properties of A*

1.08k views • 78 slides
Outline 1. (Meta-) Heuristics for Local Search Local Search (Meta-) Heuristics Heuristics for

Outline 1. (Meta-) Heuristics for Local Search Local Search (Meta-) Heuristics Heuristics for

Topic 17: Constraint-Based Local Search 1 (Version of 26th November 2020) Pierre Flener Optimisation Group Department of Information Technology Uppsala University Sweden Course 1DL441: Combinatorial Optimisation and Constraint Programming,

1.18k views • 114 slides
Constraint Programming - Heuristics in Search Variable and Value selection Static and

Constraint Programming - Heuristics in Search Variable and Value selection Static and

Constraint Programming - Heuristics in Search Variable and Value selection Static and Dynamic Heuristics Incomplete Search Strategies Symmetry Breaking (introduction) 10 November 2011 Constraint Programming 1 Heuristic Search -

746 views • 59 slides
Neural branching heuristics for SAT solving Sebastian Jaszczur, Micha uszczyk, Henryk

Neural branching heuristics for SAT solving Sebastian Jaszczur, Micha uszczyk, Henryk

Neural branching heuristics for SAT solving Sebastian Jaszczur, Micha uszczyk, Henryk Michalewski University of Warsaw AITP 2019, bit.ly/neurheur-aitp2019 Overview 1. Introduction 2. The neural network 3. Experiments 4. Conclusions

733 views • 21 slides
An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography

An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography

Cryptographic context Quantum collision search: a brief state of the art Our collision algorithm An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography Andr Chailloux, Mara Naya-Plasencia, Andr

321 views • 28 slides
Outline 1. Construction Heuristics DMP204 General Principles SCHEDULING, Metaheuristics A

Outline 1. Construction Heuristics DMP204 General Principles SCHEDULING, Metaheuristics A

Construction Heuristics Local Search Software Tools Outline 1. Construction Heuristics DMP204 General Principles SCHEDULING, Metaheuristics A search TIMETABLING AND ROUTING Rollout Beam Search Iterated Greedy GRASP Lecture 9 2.

701 views • 21 slides
Foundations of Artificial Intelligence 14. State-Space Search: Analysis of Heuristics Malte

Foundations of Artificial Intelligence 14. State-Space Search: Analysis of Heuristics Malte

Foundations of Artificial Intelligence 14. State-Space Search: Analysis of Heuristics Malte Helmert and Thomas Keller University of Basel March 23, 2020 Properties of Heuristics Examples Connections Summary State-Space Search: Overview

480 views • 15 slides
Living on the Edge: Safe Search with Unsafe Heuristics Erez Karpas Carmel Domshlak Faculty of

Living on the Edge: Safe Search with Unsafe Heuristics Erez Karpas Carmel Domshlak Faculty of

Safeness of Heuristics Path Dependent Heuristics Unjustified Actions The Connection More than a Pruning Mechanism Experimental Evaluation Living on the Edge: Safe Search with Unsafe Heuristics Erez Karpas Carmel Domshlak Faculty of

706 views • 37 slides
Foundations of Artificial Intelligence 4. Informed Search Methods Heuristics, Local Search

Foundations of Artificial Intelligence 4. Informed Search Methods Heuristics, Local Search

Foundations of Artificial Intelligence 4. Informed Search Methods Heuristics, Local Search Methods, Genetic Algorithms Wolfram Burgard, Bernhard Nebel, and Martin Riedmiller Albert-Ludwigs-Universit at Freiburg Mai 17, 2011 Contents

346 views • 33 slides
Outline DM811 Fall 2009 Heuristics for Combinatorial Optimization 1. Complete Search Methods

Outline DM811 Fall 2009 Heuristics for Combinatorial Optimization 1. Complete Search Methods

Complete Search Incomplete Search General Search Methods A search Metaheuristics Heuristics for TSP Outline DM811 Fall 2009 Heuristics for Combinatorial Optimization 1. Complete Search Methods General Search Methods A search

432 views • 14 slides
1 Hyper-heuristics: Raising the Level of Generality of Search Hyper-heuristics: Raising the Level

1 Hyper-heuristics: Raising the Level of Generality of Search Hyper-heuristics: Raising the Level

Hyper-heuristics: Raising the Level of Generality of Search Hyper-heuristics: Raising the Level of Generality of Search Methodologies Methodologies Graham Kendall Contents The University of Nottingham What is a hyper-heuristic?

307 views • 14 slides
4 Heuristic Search 4.0 Introduction 4.3 Using Heuristics in Games 4.1 An Algorithm for

4 Heuristic Search 4.0 Introduction 4.3 Using Heuristics in Games 4.1 An Algorithm for

4 Heuristic Search 4.0 Introduction 4.3 Using Heuristics in Games 4.1 An Algorithm for Heuristic Search 4.4 Complexity Issues 4.2 Admissibility, 4.5 Epilogue and Monotonicity, and References Informedness 4.6 Exercises Additional

1.04k views • 78 slides
4 Heuristic Search 4.0 Introduction 4.3 Using Heuristics in Games 4.1 An Algorithm for

4 Heuristic Search 4.0 Introduction 4.3 Using Heuristics in Games 4.1 An Algorithm for

4 Heuristic Search 4.0 Introduction 4.3 Using Heuristics in Games 4.1 An Algorithm for Heuristic Search 4.4 Complexity Issues 4.2 Admissibility, 4.5 Epilogue and Monotonicity, and References Informedness 4.6 Exercises Additional

536 views • 53 slides
Lecture Overview Recap Search heuristics: admissibility and examples Recap of BestFS

Lecture Overview Recap Search heuristics: admissibility and examples Recap of BestFS

Heuristic Search: A* Alan Mackworth UBC CS 322 Search 4 January 16, 2013 Textbook 3.6 1 Lecture Overview Recap Search heuristics: admissibility and examples Recap of BestFS Heuristic search: A* 2 Example for search

439 views • 20 slides
Informed search algorithms Outline Best-first search Greedy best-first search A *

Informed search algorithms Outline Best-first search Greedy best-first search A *

Informed search algorithms Outline Best-first search Greedy best-first search A * search Heuristics Local search algorithms Hill-climbing search Best-first search Idea: use an evaluation function f(n) for each node

844 views • 47 slides
Planning (Ch. 10) Forward search Last time... Initial: At(Truck, UPSD) ^ Package(UPSD, P1) ^

Planning (Ch. 10) Forward search Last time... Initial: At(Truck, UPSD) ^ Package(UPSD, P1) ^

Planning (Ch. 10) Forward search Last time... Initial: At(Truck, UPSD) ^ Package(UPSD, P1) ^ Package(UPSD, P2) ^ Mobile(Truck) Goal: Package(H1, P1) ^ Package(H2, P2) Heuristics for planning Backwards search has a smaller branching factor in

1.02k views • 70 slides
Automatic Creation of Search Heuristics Stefan Edelkamp 1 Overview - Automatic Creation of

Automatic Creation of Search Heuristics Stefan Edelkamp 1 Overview - Automatic Creation of

Automatic Creation of Search Heuristics Stefan Edelkamp 1 Overview - Automatic Creation of Heuristics - Macro Problem Solving - Hierarchical A* and Voltortas Theorem - Pattern Databases - Disjoint Pattern Databases - Multiple, Bounded,

476 views • 29 slides
10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]:

10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]:

10-Collision Response Collision Response Collision Response [Moore and Wilhelms 88]: automatic suggestions about the motions of objects immediately following a collision; animation systems using dynamical simulation inherently must respond

767 views • 53 slides
Proximity search heuristics for Mixed Integer Programs Matteo Fischetti University of Padova,

Proximity search heuristics for Mixed Integer Programs Matteo Fischetti University of Padova,

Proximity search heuristics for Mixed Integer Programs Matteo Fischetti University of Padova, Italy Joint work with Martina Fischetti and Michele Monaci RAMP, 17 October 2014 1 MIP heuristics We consider a Mixed-Integer convex 0-1

448 views • 25 slides
Stochastic Local Search Methods Dynamic Local Search Iterated Local Search Tabu Search Marco

Stochastic Local Search Methods Dynamic Local Search Iterated Local Search Tabu Search Marco

Outline DM811 HEURISTICS AND LOCAL SEARCH ALGORITHMS FOR COMBINATORIAL OPTIMZATION 1. Stochastic Local Search Methods (Metaheuristics) Randomized Iterative Improvement Lecture 12 Attribute Based Hill Climber Stochastic Local Search Methods

590 views • 9 slides
Piece of Pie Search: Confidently Stamatopoulos Exploiting Heuristics 1. Introduction 2. Related

Piece of Pie Search: Confidently Stamatopoulos Exploiting Heuristics 1. Introduction 2. Related

Piece of Pie Search: Confidently Exploiting Heuristics Nikolaos Pothitos, Panagiotis Piece of Pie Search: Confidently Stamatopoulos Exploiting Heuristics 1. Introduction 2. Related Work 3. Bridging Systematic and Nikolaos Pothitos

452 views • 19 slides
HEURISTIC SEARCH Heuristics: Rules for choosing the branches in a state space that are most

HEURISTIC SEARCH Heuristics: Rules for choosing the branches in a state space that are most

HEURISTIC SEARCH Heuristics: Rules for choosing the branches in a state space that are most likely to lead to an acceptable problem solution. Used when: Information has inherent ambiguity computational costs are high Algorithms for

534 views • 41 slides

More recommend