Institute for Applied Information Processing and Communications (IAIK)

Differential Cryptanalysis of Hash Functions: How to find Collisions?

Martin Schläffer
Institute for Applied Information Processing and Communications (IAIK)
Graz University of Technology, Austria
martin.schlaeffer@iaik.tugraz.at

Albena 2011
Albena Hash Function Cryptanalysis I

Outline

1. Motivation
2. Collision Attacks
3. Differential Cryptanalysis of Hash Functions
   - Application to SHA-1
4. The Rebound Attack
   - Application to Whirlpool
   - Application to Grøstl
5. Conclusion

Motivation

- Cryptanalysis of block ciphers: well understood
- Cryptanalysis of hash functions: not so much
  - hash functions were attacked like block ciphers
- ⇒ Attacks on MD-family by Wang et al.
  - broke SHA-1
- NIST SHA-3 competition
  - to find a successor of SHA-1
  - to focus research on hash function cryptanalysis

Cryptographic Hash Function

[Diagram: m → h → h(m)]

Hash function h maps arbitrary length input m to n-bit output h(m)

- Collision Resistance ($2^{n/2}$): find $m, m'$ with $m \neq m'$ and $h(m) = h(m')$
- Second-Preimage Resistance ($2^n$): given $m, h(m)$ find $m'$ with $m \neq m'$ and $h(m) = h(m')$
- Preimage Resistance ($2^n$): given $h(m)$ find $m$

Iterated Hash Function Construction

[Diagram: message blocks $M_1, M_2, M_3, \dots, M_t$ enter successive calls of f, starting from IV, with w-bit chaining values; g produces the n-bit output H(m)]

- Most hash functions use some kind of iteration
  - compression function f
  - output transformation g
  - chaining value size $w \geq n$
- Strength depends on f, g, w
  - smaller w needs stronger f
- Building blocks are also analyzed

Collision Attacks

[Diagram: $m \neq m^*$, both hashed by h, with $h(m) = h(m^*)$]

- Find two different messages which result in the same hash value: $m \neq m^*$ with $h(m) = h(m^*)$
- birthday effect applies: $2^{n/2}$

Collision Attacks (Differential View)

[Diagram: $m - m^* = \Delta m \neq 0$; both messages hashed by h; $h(m) - h(m^*) = \Delta h(m) = 0$]

- Find two different messages which result in the same hash: $m, \Delta m$ with $\Delta m \neq 0$ and $\Delta h(m) = 0$
- Usually XOR differences are used: $\Delta m = m \oplus m^*$ and $\Delta h(m) = h(m) \oplus h(m^*)$

Differential Characteristic

[Diagram: $\Delta m \neq 0$ enters h, $\Delta h(m) = 0$ leaves]

- how to find $m, \Delta m$?
- find differential characteristic (trail, path)
  - determines $\Delta m$
  - holds with high probability $P$?
- if $P > 2^{-n/2}$: find colliding $m$ by trying $1/P$ random messages, with complexity $< 2^{n/2}$
- ⇒ how to improve complexity of attack?
- ⇒ how to find good differential characteristics?

How to Improve Complexity of Attack?

[Diagram: $\Delta m \neq 0$ enters h, $\Delta h(m) = 0$ leaves]

- Good characteristic for block ciphers:
  - optimizes probability
- Good characteristic for hash functions:
  - optimizes probability
  - minimizes effort to find $m$
- How to find $m$?
  - no secret key involved
  - we can choose $m$ according to characteristic
  - resulting equations in first steps are easy (only a small part of the message involved)
  - reduced costs at input of characteristic
- ⇒ characteristic with lower probability at input to get higher probability towards end

How to Find Good Differential Characteristics?

- block cipher based design:
  - use characteristic of block cipher attack (also related key characteristics)
- by hand:
  - MD4, MD5, SHA-1 (Wang et al.)
- (semi-)automatic tools:
  - linearize hash function (coding tools)
  - non-linear differential search
- by design:
  - well known best characteristics

Example: SHA-1

- high probability in second part (L)
  - linearize hash function [RO05]
  - search for linear differential characteristic using low weight code search
- connect with IV in first part (NL)
  - low probability
  - search for non-linear characteristic [WYY05, DR06]
- message modification
  - easy for first 16 steps (just invert equation)
  - also possible for more steps (≤ 25) (advanced message modification)

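The "just invert equation" step for the first 16 SHA-1 steps, as an added example that is not code from the lecture: because $W_0, \dots, W_{15}$ are free message words, any chosen sequence of state words $A_1, \dots, A_{16}$ can be reached by solving each step equation for its message word. The function names and the target values are assumptions made for illustration; from step 16 on the words are fixed by the message expansion, so this no longer works.

```python
M32 = 0xFFFFFFFF
K0 = 0x5A827999  # SHA-1 round constant for steps 0..19
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & M32

def f_if(b, c, d):
    # Boolean function of SHA-1 steps 0..19
    return ((b & c) | (~b & d)) & M32

def step(state, w):
    """One SHA-1 step (steps 0..19) on the state (A, B, C, D, E)."""
    a, b, c, d, e = state
    new_a = (rotl(a, 5) + f_if(b, c, d) + e + K0 + w) & M32
    return (new_a, a, rotl(b, 30), c, d)

def solve_word(state, target_a):
    """Invert the step equation: the message word that yields target_a."""
    a, b, c, d, e = state
    return (target_a - rotl(a, 5) - f_if(b, c, d) - e - K0) & M32

def message_for_targets(targets):
    """Return (W_0..W_15, final state) so that A_{i+1} == targets[i]."""
    if len(targets) > 16:
        raise ValueError("only the first 16 message words are free")
    state, words = IV, []
    for t in targets:
        w = solve_word(state, t)
        words.append(w)
        state = step(state, w)
    return words, state

if __name__ == "__main__":
    # Constructed target state words; in practice these would be values
    # that satisfy the conditions of a characteristic.
    targets = [(0x11111111 * (i + 1)) & M32 for i in range(16)]
    words, final = message_for_targets(targets)
    state = IV
    for i, w in enumerate(words):
        state = step(state, w)
        print(f"W[{i:2}] = {w:08x}  ->  A[{i + 1:2}] = {state[0]:08x}")
```

Each target is met with probability 1 and at the cost of one subtraction, which is why the conditions in the first 16 steps do not contribute to the complexity.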
Finding Linear Characteristics

- Message expansion is linear
- Linearize modular addition by XOR
  - no carry with probability 1/2
- Linearize Boolean function by XOR
  - holds with probability ∼1/2
- Probabilities are given for single bit differences

Finding Linear Characteristics

- Differences with low Hamming weight result in good probability
- Finding good linear characteristic corresponds to finding low-weight code word in linear code
- Good representation of hash function is important
- Open source tool to find low weight code words: http://www.iaik.tugraz.at/content/research/krypto/codingtool/

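The probabilities quoted on the two "Finding Linear Characteristics" slides can be checked by exhaustive enumeration. This is an added example, not code from the lecture or from the IAIK coding tool: it counts how often replacing modular addition, or a SHA-1 Boolean function, by XOR predicts the output difference correctly. The 8-bit word size and the function names are assumptions chosen so that all inputs can be enumerated, and it goes slightly beyond the single-bit case to show the dependence on Hamming weight.

```python
from fractions import Fraction
from itertools import product

W = 8                 # toy word size so all inputs can be enumerated (SHA-1: 32)
MASK = (1 << W) - 1

def add_linearization_prob(dx, dy=0):
    """Exact probability that replacing '+' by XOR predicts the output
    difference of (x + y) mod 2^W for input XOR differences (dx, dy)."""
    hits = 0
    for x, y in product(range(1 << W), repeat=2):
        dz = ((x + y) ^ ((x ^ dx) + (y ^ dy))) & MASK
        hits += dz == (dx ^ dy)
    return Fraction(hits, 1 << (2 * W))

# SHA-1 round functions, evaluated on single bits.
def f_if(b, c, d):
    return (b & c) | ((b ^ 1) & d)

def f_maj(b, c, d):
    return (b & c) | (b & d) | (c & d)

def f_xor(b, c, d):
    return b ^ c ^ d

def bool_linearization_prob(f, db, dc, dd):
    """Probability that f's output difference equals db ^ dc ^ dd."""
    hits = 0
    for b, c, d in product((0, 1), repeat=3):
        hits += (f(b, c, d) ^ f(b ^ db, c ^ dc, d ^ dd)) == (db ^ dc ^ dd)
    return Fraction(hits, 8)

if __name__ == "__main__":
    # Constructed sample differences: single bits, the MSB, and heavier ones.
    for dx in (0x01, 0x08, 0x80, 0x05, 0x15):
        hw = bin(dx).count("1")
        print(f"dx={dx:#04x}  HW={hw}  P={add_linearization_prob(dx)}")
    for name, f in (("IF", f_if), ("MAJ", f_maj), ("XOR", f_xor)):
        probs = [bool_linearization_prob(f, *d)
                 for d in ((1, 0, 0), (0, 1, 0), (0, 0, 1))]
        print(name, [str(p) for p in probs])
```

A difference in the most significant bit is the one exception for addition: its carry is discarded by the reduction mod $2^W$, so the XOR approximation always holds there.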
Finding Non-Linear Characteristics [DR06]

- Using generalized conditions

Finding Non-Linear Characteristics [DR06]

- Determine message difference and difference after step 16
  - using linear tool
- Find propagation of differences
  - using non-linear tool
- Add conditions to control differences
  - no probability needed here
- Find conforming message pair
  - message modification until step 25
  - probabilistic for further steps

Message Modification

- To improve complexity of attack in first few steps
  - up to 25 in the case of SHA-1
- Many dedicated techniques have been published:
  - advanced message modifications [WYY05]
  - equation solving [SKPI07]
  - neutral bits [BC04]
  - boomerang/tunnels [JP07, Kli06]
  - greedy approach [DMR07]
- Resulting theoretical complexity for SHA-1: $\sim 2^{63}$ [WYY05]
  - implementation overhead!