collision attacks on the reduced dual stream hash
play

Collision Attacks on the Reduced Dual-Stream Hash Function - PowerPoint PPT Presentation

Nov 03, 2022 •295 likes •650 views

Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128 Florian Mendel 1 , Tomislav Nad 2 , Martin Schl affer 2 Katholieke Universiteit Leuven, ESAT/COSIC and IBBT, Belgium Graz University of Technology, IAIK, Austria FSE 2012

  1. Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128 Florian Mendel 1 , Tomislav Nad 2 , Martin Schl¨ affer 2 Katholieke Universiteit Leuven, ESAT/COSIC and IBBT, Belgium Graz University of Technology, IAIK, Austria FSE 2012 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 1 / 22

  2. Outline Motivation 1 Description of RIPEMD-128 2 Outline of the Attack 3 Searching for Differential Characteristics 4 5 Finding a Colliding Message Pair Results and Summary 6 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 2 / 22

  3. Motivation Outline Motivation 1 Description of RIPEMD-128 2 Outline of the Attack 3 Searching for Differential Characteristics 4 Finding a Colliding Message Pair 5 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 3 / 22

  4. Motivation Motivation Cryptanalysis of ARX based designs is still important Very difficult without the right tools Even more for dual-stream hash functions Do the results on SHA-2 help to improve attacks on other designs? RIPEMD-128: shares some similarities with SHA-2 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 4 / 22

  5. Description of RIPEMD-128 Outline Motivation 1 Description of RIPEMD-128 2 Outline of the Attack 3 Searching for Differential Characteristics 4 Finding a Colliding Message Pair 5 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 5 / 22

  6. Description of RIPEMD-128 Description of RIPEMD-128 H j ISO/IEC standard [DBP96] Stream 1 Stream 2 designed by Dobbertin, Bosselaers and Preneel M j +1 M j +1 iterated, Merkle-Damg˚ ard hash function dual stream compression function ≪ 64 ≪ 32 ≪ 96 no output transformation 128-bit hash output H j +1 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 6 / 22

  7. Description of RIPEMD-128 Step Update Transformation of RIPEMD-128 B ′ B ′ B ′ B ′ B i − 4 B i − 1 B i − 2 B i − 3 i − 4 i − 1 i − 2 i − 3 K i K ′ i f f ′ W i W ′ i ≪ s ≪ s ′ B ′ B ′ B ′ B i − 3 B i B i − 1 B i − 2 B ′ i − 3 i i − 1 i − 2 one message word updates two state variables different message word permutations different rotation values and Boolean functions no interaction between streams (SHA-2: with interaction) 4 rounds of 16 steps Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 7 / 22

  8. Description of RIPEMD-128 Step Update Transformation of RIPEMD-128 A i − 1 A i − 2 A i − 3 A i − 4 E i − 1 E i − 2 E i − 3 E i − 4 − Σ 0 Σ 1 + K i f 0 f 1 W i A i − 1 A i − 2 A i − 3 E i − 1 E i − 2 E i − 3 A i E i one message word updates two state variables different message word permutations different rotation values and Boolean functions no interaction between streams (SHA-2: with interaction) 4 rounds of 16 steps Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 7 / 22

  9. Outline of the Attack Outline Motivation 1 Description of RIPEMD-128 2 Outline of the Attack 3 Searching for Differential Characteristics 4 Finding a Colliding Message Pair 5 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 8 / 22

  10. Outline of the Attack Overview of the Attack -4 H i − 1 -3 -2 -1 0 0 5 0 1 1 14 1 2 2 7 2 3 3 0 3 4 4 9 4 5 5 2 5 6 6 11 M i 6 7 7 4 7 8 8 13 8 9 9 6 9 10 10 right stream 15 10 11 11 8 11 left stream 12 12 1 12 13 13 10 13 3 14 14 14 15 15 12 15 16 7 6 17 4 11 18 13 3 19 1 7 20 10 0 21 6 13 22 15 5 23 3 10 24 12 14 25 0 15 26 9 8 27 5 12 28 2 4 29 14 9 30 11 1 31 8 2 32 3 15 33 10 5 34 14 1 35 4 3 36 9 7 37 15 14 38 8 6 39 1 9 40 2 11 41 7 8 42 0 12 43 6 2 44 13 10 45 11 0 46 5 4 47 12 13 H0 H i H1 H2 H3 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 9 / 22

  11. Outline of the Attack Overview of the Attack -4 H i − 1 -3 -2 -1 0 0 5 0 1 1 14 1 choose a good starting point 2 2 7 2 1 3 3 0 3 4 4 9 4 5 5 2 5 few message word differences 6 6 11 M i 6 7 7 4 7 8 8 13 8 9 9 6 9 high probability characteristic 10 10 right stream 15 10 11 11 8 11 left stream 12 12 1 12 13 13 10 13 3 14 14 14 15 15 12 15 search for a characteristics 16 7 6 2 17 4 11 18 13 3 19 1 7 20 10 0 very sparse in R2 and R3 21 6 13 22 15 5 23 3 10 sparse in one stream in R1 24 12 14 25 0 15 26 9 8 27 5 12 28 2 4 29 14 9 30 11 1 determine message pair 3 31 8 2 32 3 15 33 10 5 34 14 1 message modification in R1 35 4 3 36 9 7 37 15 14 38 8 6 exhaustive search for R2, R3 39 1 9 40 2 11 41 7 8 42 0 12 43 6 2 44 13 10 45 11 0 ⇒ iterations between phases 46 5 4 47 12 13 H0 H i H1 H2 H3 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 9 / 22

  12. Outline of the Attack Choosing a Starting Point -4 H i − 1 -3 -2 -1 0 0 5 0 which message words should 1 1 14 1 2 2 7 2 3 3 0 3 4 4 9 4 contain differences? 5 5 2 5 6 6 11 M i 6 7 7 4 7 8 8 13 8 as few words as possible 9 9 6 9 10 10 15 10 11 11 8 11 only words used late in R3 12 12 1 12 13 13 10 13 3 14 14 14 15 15 12 15 short local collisions in R2 16 7 6 17 4 11 18 13 3 19 1 7 20 10 0 21 6 13 22 15 5 23 3 10 24 12 14 25 0 15 26 9 8 27 5 12 28 2 4 29 14 9 30 11 1 31 8 2 32 3 15 33 10 5 34 14 1 35 4 3 36 9 7 37 15 14 38 8 6 39 1 9 40 2 11 41 7 8 42 0 12 43 6 2 44 13 10 45 11 0 46 5 4 47 12 13 H0 H i H1 H2 H3 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 10 / 22

  13. Outline of the Attack Choosing a Starting Point -4 H i − 1 -3 -2 -1 0 0 5 0 which message words should 1 1 14 1 2 2 7 2 3 3 0 3 4 4 9 4 contain differences? 5 5 2 5 6 6 11 M i 6 7 7 4 7 8 8 13 8 as few words as possible 9 9 6 9 10 10 15 10 11 11 8 11 only words used late in R3 12 12 1 12 13 13 10 13 impossible 3 14 14 14 15 15 12 15 short local collisions in R2 16 7 6 17 4 11 18 13 3 19 1 7 message word 13 20 10 0 21 6 13 22 15 5 23 3 10 single local collision (R1-R2) 24 12 14 25 0 15 26 9 8 27 5 12 impossible in left stream 28 2 4 29 14 9 30 11 1 31 8 2 32 3 15 33 10 5 34 14 1 35 4 3 36 9 7 37 15 14 38 8 6 39 1 9 40 2 11 41 7 8 42 0 12 43 6 2 44 13 10 45 11 0 46 5 4 47 12 13 H0 H i H1 H2 H3 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 10 / 22

  14. Outline of the Attack Choosing a Starting Point -4 H i − 1 -3 -2 -1 0 0 5 0 which message words should 1 1 14 1 2 2 7 2 3 3 0 3 4 4 9 4 contain differences? 5 5 2 5 6 6 11 M i 6 7 7 4 7 8 8 13 8 as few words as possible 9 9 6 9 10 10 15 10 11 11 8 11 only words used late in R3 12 12 1 12 13 13 10 13 3 14 14 14 15 15 12 15 short local collisions in R2 16 7 6 17 4 11 18 13 3 19 1 7 message word 13 20 10 0 21 6 13 22 15 5 23 3 10 single local collision (R1-R2) 24 12 14 25 0 15 26 9 8 27 5 12 impossible in left stream 28 2 4 29 14 9 30 11 1 31 8 2 message word 0 and 6 32 3 15 33 10 5 34 14 1 35 4 3 36 9 7 left: two short local collisions 37 15 14 38 8 6 39 1 9 right: one long local collision 40 2 11 41 7 8 42 0 12 43 6 2 avoid overlapping of LCs 44 13 10 45 11 0 46 5 4 collision for 38 steps 47 12 13 H0 H i H1 H2 H3 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 10 / 22

  15. Searching for Differential Characteristics Outline Motivation 1 Description of RIPEMD-128 2 Outline of the Attack 3 Searching for Differential Characteristics 4 Finding a Colliding Message Pair 5 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 11 / 22

  16. Searching for Differential Characteristics Differences and Conditions Generalized Conditions [DR06] take all 16 possible conditions on a pair of bits into account ∗ ) ( X i , X i ( 0 , 0 ) ( 1 , 0 ) ( 0 , 1 ) ( 1 , 1 ) ( X i , X ∗ i ) ( 0 , 0 ) ( 1 , 0 ) ( 0 , 1 ) ( 1 , 1 ) - - ? � � � � 3 � � � - - � � - � - - 5 - - - x � � 7 � � � 0 � - - - A - � - � - � - - � � - � u B - - - - - n � C � � - - - � � - � � 1 D - - - - - � � � # E 2-bit Conditions [MNS11] linear relation between closely related bits: X i ⊕ X j = 0 / 1 2-bit conditions on any generalized condition (-,x,?,...) used to determine critical bits (those with many relations) Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 12 / 22

  17. Searching for Differential Characteristics Propagation of Differences and Conditions Stored conditions all possible pairs on bits (generalized conditions) all possible pairs on carries Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 13 / 22

  18. Searching for Differential Characteristics Propagation of Differences and Conditions Stored conditions all possible pairs on bits (generalized conditions) all possible pairs on carries 2-bit conditions all inputs and outputs of Boolean functions modular additions even on carries (sign of carry) Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 13 / 22

Recommend

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used

Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used

Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used of people, signifies a confusion in associative memory or imagination, especially a persistent one (see thinko ). True story: One of us was once on

908 views • 31 slides
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel

New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel

New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel Cryptographic Hash Functions A cryptographic hash function is hash function H:{0,1}*-> {0,1} n with strong requirements : Collision

461 views • 33 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security Yiqun Lisa Yin Independent Consultant Recent Advances in Hash Collision Attacks Efficient collisions found for MD4, MD5 Improved techniques

800 views • 10 slides
Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security Yiqun Lisa Yin Independent Consultant Recent Advances in Hash Collision Attacks Efficient collisions found for MD4, MD5 Improved techniques

442 views • 28 slides
Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 1 / 20

370 views • 33 slides
SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length output. H(m) = h Cryptographic Hash Functions Preimage resistance Collision resistance Applications of Cryptographic Hash Functions

672 views • 38 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder Florian Mendel Martin Schl affer IAIK, Graz University of Technology, Austria FSE 2014 Practical Collisions for Round-Reduced Hash Functions

602 views • 23 slides
A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven, Belgium Outline 1 Motivation 2 Application to SHA-1 3 Application to other Hash Functions 4 Summary and Future Work Collision Attacks on the

652 views • 46 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article Jean-Philippe Aumasson, Designing and attacking Kudelski Security (NAGRA) port scan detection tools by Solar Designer (Alexander D. J. Bernstein,

1.83k views • 164 slides
Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE http://sloth-attack.org Karthikeyan Bhargavan Gatan Leurent Crypto protocols and applications evolve Agility: graceful transition from old to new

228 views • 18 slides
An Assessment of Single and Dual Stream Recycling Waste Management Advisory Committee March 26,

An Assessment of Single and Dual Stream Recycling Waste Management Advisory Committee March 26,

An Assessment of Single and Dual Stream Recycling Waste Management Advisory Committee March 26, 2013 Single and Dual Stream Recycling Two recent studies were undertaken: 1. An Assessment of Single and Dual Stream Recycling - Waste Diversion

189 views • 8 slides
Does Secure Time-Stamping Imply Collision-Free Hash Functions Ahto Buldas, Aivo J urgenson

Does Secure Time-Stamping Imply Collision-Free Hash Functions Ahto Buldas, Aivo J urgenson

Does Secure Time-Stamping Imply Collision-Free Hash Functions Ahto Buldas, Aivo J urgenson aivo.jurgenson@eesti.ee Tallinn University of Technology, Estonia. Elion Enterprises Ltd, Estonia. p. 1 Topics background about hash

413 views • 37 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
Hash Tables Outline Definition Hash functions Open hashing Closed hashing

Hash Tables Outline Definition Hash functions Open hashing Closed hashing

Hash Tables Outline Definition Hash functions Open hashing Closed hashing collision resolution techniques Efficiency EECS 268 Programming II 1 Overview Implementation style for the Table ADT that is good in a wide

237 views • 20 slides
On recent attacks against Cryptographic Hash Functions Martin Eker & Henrik Ygge 1

On recent attacks against Cryptographic Hash Functions Martin Eker & Henrik Ygge 1

On recent attacks against Cryptographic Hash Functions Martin Eker & Henrik Ygge 1 Outline First part Preliminaries Which cryptographic hash functions exist? What degree of security do they offer? An

1.68k views • 98 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Practical attacks on AES-like cryptographic hash functions Stefan K olbl, Christian Rechberger

Practical attacks on AES-like cryptographic hash functions Stefan K olbl, Christian Rechberger

Practical attacks on AES-like cryptographic hash functions Stefan K olbl, Christian Rechberger DTU - Technical University of Denmark September 12, 2014 Cryptographic Hash Functions Today is the 12th of September... h 4981A99EDA782

1.01k views • 34 slides
Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

FSE 2011, February 14 -16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast correlation

908 views • 54 slides

More recommend