Collisions for simplified variants of SHA-256
Krystian Matusiewicz and Josef Pieprzyk
kmatus@ics.mq.edu.au, josef@ics.mq.edu.au
Centre For Advanced Computing, Algorithms and Cryptography, Department of Computing, Macquarie University
Collisions for simplified variants of SHA-256 – p. 1/35
Overview
• Motivation: How secure is SHA-256?
• Description of SHA-256
• Collisions for a linear variant
• Collisions for a linear variant with Boolean functions
• About S-Boxes
• Conclusions and open problems
Motivation: The family tree of MD functions
1990 MD4
1991 MD5, HAVAL
1992 RIPEMD (128, 160, 224, 256)
1993 SHA-0
1994 SHA-1
1995 RIPEMD-160
. . .
2002 SHA-512, SHA-384, SHA-256
2004 SHA-224
Motivation: Security of SHA-256
• What is the role of the components of SHA-256?
• How do they contribute to the security of the function?
Description of SHA-256
Iterated hash function using a compression function $f : \{0,1\}^{512} \times \{0,1\}^{256} \to \{0,1\}^{256}$.
[Figure: the chaining value starts at $IV$; $f$ is applied to $(M_1, IV)$, then to $M_2$ and the previous output, then to $M_3$, and the last output is $h(M)$.]
SHA-256 compression function
[Figure: the compression function $f(M, IV)$; the message block $M$ goes through message expansion, and the expanded words drive a sequence of step transformations starting from $IV$.]
Message expansion of SHA-256
\[
W_i = \begin{cases} M_i & \text{for } 0 \le i < 16, \\ \sigma_1(W_{i-2}) + W_{i-7} + \sigma_0(W_{i-15}) + W_{i-16} & \text{for } 16 \le i < 64, \end{cases}
\]
where
\[
\sigma_0(x) = ROTR^{2}(x) \oplus ROTR^{18}(x) \oplus SHR^{3}(x), \qquad
\sigma_1(x) = ROTR^{17}(x) \oplus ROTR^{19}(x) \oplus SHR^{10}(x).
\]
[Figure: the expansion register $W_0, \ldots, W_{15}$ with the taps feeding $\sigma_0$ and $\sigma_1$.]
Step transformation of SHA-256
[Figure: one step of SHA-256 on the registers $A_i, B_i, C_i, D_i, E_i, F_i, G_i, H_i$; $\Sigma_0$ and $Maj$ act on $A_i, B_i, C_i$, $\Sigma_1$ and $Ch$ act on $E_i, F_i, G_i$, the constant $K_i$ and message word $W_i$ are added, and the results give $A_{i+1}$ and $E_{i+1}$ (the remaining registers shift, ending with $H_{i+1}$).]
\[
\begin{aligned}
\Sigma_0(x) &= ROTR^{2}(x) \oplus ROTR^{13}(x) \oplus ROTR^{22}(x) \\
\Sigma_1(x) &= ROTR^{6}(x) \oplus ROTR^{11}(x) \oplus ROTR^{25}(x) \\
Maj(A, B, C) &= (A \wedge B) \vee (A \wedge C) \vee (B \wedge C) \\
Ch(E, F, G) &= (E \wedge F) \vee (\neg E \wedge G)
\end{aligned}
\]
Linearized variant of SHA-256
SHA-256 contains three types of functions:
• $\mathbb{F}_2$-linear: $\sigma_0, \sigma_1, \Sigma_0, \Sigma_1$
• $\mathbb{Z}_{2^{32}}$-linear: addition modulo $2^{32}$: $+$
• nonlinear with respect to both structures: the bitwise Boolean functions
Simplified variant 1:
• replace $\sigma_0, \sigma_1, \Sigma_0, \Sigma_1$ with the identity: $\sigma_0(x) = \sigma_1(x) = \Sigma_0(x) = \Sigma_1(x) = x$,
• replace the Boolean functions with addition: $Maj(x, y, z) = Ch(x, y, z) = x + y + z$.
We get a fully $\mathbb{Z}_{2^{32}}$-linear function. Is it possible to use the disturbance-correction strategy to find collisions for this model?
Correcting a single disturbance: steps 1 – 9
[Figure sequence: the linearized step transformation unrolled over nine consecutive steps (constants $K_i, \ldots, K_{i+8}$), with the message-word and register differences marked. A disturbance $\Delta$ enters through the message word of step 1; the message words of steps 2 – 9 carry the corrections $-4\Delta, 2\Delta, 2\Delta, 4\Delta, 2\Delta, \Delta, 0, -\Delta$, and the register differences shrink step by step until the state difference is $0$ after step 9.]
Single corrective pattern
A disturbance $\Delta_i$ in the $i$-th word is corrected by the following sequence of differences in words $i, i+1, \ldots, i+8$:
\[
\Delta_i,\; -4\Delta_i,\; 2\Delta_i,\; 2\Delta_i,\; 4\Delta_i,\; 2\Delta_i,\; \Delta_i,\; 0,\; -\Delta_i .
\]
[Figure: the disturbance $\Delta_i$ followed by the multipliers $-4, 2, 2, 4, 2, 1, 0, -1$ in the eight subsequent words.]
Conditions for a disturbance vector
We treat expanded messages as vectors $W \in \mathbb{Z}_{2^{32}}^{64}$. A difference $\Delta = W' - W$ is a valid disturbance pattern if two conditions are satisfied:
C1. the last 8 words of $\Delta$ are zero,
C2. $\Delta$ with 8 zero words prepended must also be a result of the expansion process.
C1 is necessary to leave enough time to correct the last difference, as 8 steps are needed to correct each disturbance. C2 is necessary for constructing a corrective pattern as a linear combination of $\Delta$ and "delayed" disturbance vectors.
More about condition C2
For a disturbance pattern $\Delta = [\Delta_0, \ldots, \Delta_{63}]^T$ the full corrective pattern is computed as
\[
C = \Delta - 4 \cdot [0, \Delta_0, \ldots, \Delta_{62}]^T + 2 \cdot [0, 0, \Delta_0, \ldots, \Delta_{61}]^T + 2 \cdot [0, 0, 0, \Delta_0, \ldots, \Delta_{60}]^T + \ldots - 1 \cdot [0, 0, 0, 0, 0, 0, 0, 0, \Delta_0, \ldots, \Delta_{55}]^T .
\]
The "delayed" pattern $[0, 0, 0, 0, 0, 0, 0, 0, \Delta_0, \ldots, \Delta_{55}]^T$ has to be a result of the expansion.
Message expansion as a linear transform
Message expansion with $\sigma_0 = \sigma_1 = \mathrm{id}$ is $\mathbb{Z}_{2^{32}}$-linear, so it can be represented as the $64 \times 16$ matrix
\[
E = \begin{pmatrix} I_{16} \\ A \\ A^2 \\ A^3 \end{pmatrix},
\]
where $A$ is the linear transform producing 16 new words out of 16 old ones according to the recurrence relation. Then we have $W = E \cdot M$, where $M \in \mathbb{Z}_{2^{32}}^{16}$ is the initial message and $W \in \mathbb{Z}_{2^{32}}^{64}$ is the expanded message.
Finding disturbance patterns
We are looking for message differences $\Delta M = M' - M$ such that the expanded differences $\Delta = E(\Delta M)$ satisfy conditions C1 and C2. This can be written as
\[
\begin{aligned}
0 &= A^{3}[8::16] \cdot \Delta M && \text{(the last 8 elements of } \Delta \text{ are zero)} \\
0 &= A^{-1}[8::16] \cdot \Delta M && \text{(the 8 prepended elements of } \Delta \text{ would be zero)}
\end{aligned}
\]
where $M[a::b]$ denotes the matrix consisting of the rows of $M$ from the $a$-th row to the $b$-th row, inclusive. These two matrix equations form a linear system over the ring $\mathbb{Z}_{2^{32}}$.
Finding disturbance patterns: solving the system
The system
\[
0 = A^{3}[8::16] \cdot \Delta M, \qquad 0 = A^{-1}[8::16] \cdot \Delta M
\]
has a one-dimensional solution space given by
\[
\Delta M = [\mathtt{0x10000000}, \mathtt{0xA0000000}, \mathtt{0xC0000000}, \mathtt{0xA0000000}, \mathtt{0xE0000000}, \mathtt{0x20000000}, \mathtt{0x40000000}, \mathtt{0x40000000}, \mathtt{0x80000000}, \mathtt{0xD0000000}, \mathtt{0x10000000}, \mathtt{0x60000000}, \mathtt{0x50000000}, \mathtt{0x40000000}, \mathtt{0x70000000}, \mathtt{0x30000000}]^T .
\]
Any nonzero multiple of this vector constitutes a valid disturbance pattern for the linearized version of SHA-256; we can use it to find collisions.
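The following Python is an added illustration, not code from the slides or from the authors. It puts the SHA-256 step transformation and message expansion (as described on the "Step transformation" and "Message expansion" slides) next to "simplified variant 1" (rotations replaced by the identity, Maj and Ch replaced by x + y + z), and then checks two of the slides' claims that can be verified offline: that the single corrective pattern Δ, −4Δ, 2Δ, 2Δ, 4Δ, 2Δ, Δ, 0, −Δ cancels a disturbance in the linearized step function after nine steps (and that the same word differences do not cancel in the real step function), and that the ΔM vector from the "solving the system" slide satisfies condition C1 under the linearized expansion. Condition C2 is not checked here. The real building blocks use the rotation amounts of FIPS 180-2 (note that FIPS specifies ROTR^7 in σ0); the starting state is the SHA-256 IV and the round constant is K_0, but any values would do, since in the linearized variant differences propagate independently of the actual values. The message word and the Δ used in the trace are constructed sample values.

```python
# Added illustration, not code from the slides: SHA-256's step transformation and
# message expansion next to "simplified variant 1" (rotations -> identity,
# Maj/Ch -> x+y+z), with two runnable checks of the slides' claims.
MASK = 0xFFFFFFFF


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


# Real SHA-256 building blocks, with the rotation amounts of FIPS 180-2.
def big_sigma0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)
def big_sigma1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)
def small_sigma0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)
def small_sigma1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)
def maj(x, y, z): return (x & y) | (x & z) | (y & z)
def ch(x, y, z): return (x & y) | (~x & MASK & z)


# Simplified variant 1 from the slides: identity in place of the rotations,
# modular addition in place of the Boolean functions.
def ident(x): return x
def add3(x, y, z): return (x + y + z) & MASK


REAL = {"S0": big_sigma0, "S1": big_sigma1, "s0": small_sigma0,
        "s1": small_sigma1, "maj": maj, "ch": ch}
LINEAR = {"S0": ident, "S1": ident, "s0": ident, "s1": ident,
          "maj": add3, "ch": add3}


def expand(m16, fn):
    """Message expansion: 16 message words -> 64 words W_0..W_63."""
    w = list(m16)
    for i in range(16, 64):
        w.append((fn["s1"](w[i - 2]) + w[i - 7] + fn["s0"](w[i - 15]) + w[i - 16]) & MASK)
    return w


def step(state, k, w, fn):
    """One step: (A,B,C,D,E,F,G,H) -> next state for round constant k and word w."""
    a, b, c, d, e, f, g, h = state
    t1 = (h + fn["S1"](e) + fn["ch"](e, f, g) + k + w) & MASK
    t2 = (fn["S0"](a) + fn["maj"](a, b, c)) & MASK
    return ((t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g)


# Multipliers of the disturbance for words i, i+1, ..., i+8 ("Single corrective pattern").
CORRECTIVE = [1, -4, 2, 2, 4, 2, 1, 0, -1]

# SHA-256's IV and K_0, plus a constructed message word; in the linearized variant
# the differences propagate the same way whatever these values are.
START_STATE = (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
               0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19)
SAMPLE_WORD = 0x01234567
SAMPLE_K = 0x428A2F98


def trace_disturbance(delta, fn):
    """Run two copies of the step function for 9 steps whose message words differ
    by CORRECTIVE[j]*delta; return the state difference (s' - s) after each step."""
    s, s_prime = START_STATE, START_STATE
    diffs = []
    for mult in CORRECTIVE:
        w_prime = (SAMPLE_WORD + mult * delta) & MASK
        s = step(s, SAMPLE_K, SAMPLE_WORD, fn)
        s_prime = step(s_prime, SAMPLE_K, w_prime, fn)
        diffs.append(tuple((y - x) & MASK for x, y in zip(s, s_prime)))
    return diffs


# The one-dimensional solution from the "solving the system" slide.
SLIDE_DELTA_M = [0x10000000, 0xA0000000, 0xC0000000, 0xA0000000,
                 0xE0000000, 0x20000000, 0x40000000, 0x40000000,
                 0x80000000, 0xD0000000, 0x10000000, 0x60000000,
                 0x50000000, 0x40000000, 0x70000000, 0x30000000]


def satisfies_c1(delta_m):
    """Condition C1: the linearly expanded difference ends in 8 zero words.
    Expansion is Z_2^32-linear, so expanding the difference gives Delta directly."""
    return expand(delta_m, LINEAR)[56:] == [0] * 8


if __name__ == "__main__":
    d = 0x10000000  # constructed disturbance
    print("linearized, final state difference:", trace_disturbance(d, LINEAR)[-1])
    print("real SHA-256, final state difference:", trace_disturbance(d, REAL)[-1])
    print("C1 holds for the slide's DeltaM:", satisfies_c1(SLIDE_DELTA_M))
```

The intermediate entries of `trace_disturbance(d, LINEAR)` reproduce the register differences drawn on the "Correcting single disturbance" slides (for instance, after the second step the state difference is 0, Δ, 0, 0, −2Δ, Δ, 0, 0), and the result is independent of the starting state and message word because every operation in the linearized variant is an addition modulo 2^32. `satisfies_c1` also returns True for any multiple of the slide's vector, as the linearity of the expansion implies.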