differential cryptanalysis of hash functions how to find
play

Differential Cryptanalysis of Hash Functions: How to find - PowerPoint PPT Presentation

Mar 19, 2023 •153 likes •1.05k views

Institute for Applied Information Processing and Communications (IAIK) Differential Cryptanalysis of Hash Functions: How to find Collisions? Martin Schl affer Institute for Applied Information Processing and Communications (IAIK) Graz

  1. Institute for Applied Information Processing and Communications (IAIK) Differential Cryptanalysis of Hash Functions: How to find Collisions? Martin Schl¨ affer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Austria martin.schlaeffer@iaik.tugraz.at Albena 2011 Albena Hash Function Cryptanalysis I 1

  2. Institute for Applied Information Processing and Communications (IAIK) Outline Motivation 1 Collision Attacks 2 Differential Cryptanalysis of Hash Functions 3 Application to SHA-1 The Rebound Attack 4 Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 2

  3. Institute for Applied Information Processing and Communications (IAIK) Outline Motivation 1 Collision Attacks 2 Differential Cryptanalysis of Hash Functions 3 Application to SHA-1 The Rebound Attack 4 Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 3

  4. Institute for Applied Information Processing and Communications (IAIK) Motivation Cryptanalysis of block ciphers: well understood Cryptanalysis of hash functions: not so much hash functions were attacked like block ciphers ⇒ Attacks on MD-family by Wang et al. broke SHA-1 NIST SHA-3 competition to find a successor of SHA-1 to focus research on hash function cryptanalysis Albena Hash Function Cryptanalysis I 4

  5. Institute for Applied Information Processing and Communications (IAIK) Cryptographic Hash Function m h h ( m ) Hash function h maps arbitrary length input m to n -bit output h ( m ) Collision Resistance (2 n / 2 ) find m , m ′ with m � = m ′ and h ( m ) = h ( m ′ ) Second-Preimage Resistance (2 n ) given m , h ( m ) find m ′ with m � = m ′ and h ( m ) = h ( m ′ ) Preimage Resistance (2 n ) given h ( m ) find m Albena Hash Function Cryptanalysis I 5

  6. Institute for Applied Information Processing and Communications (IAIK) Iterated Hash Function Construction M 1 M 2 M 3 M t f f f f g H ( m ) IV w w w w n Most hash functions use some kind of iteration compression function f output transformation g chaining value size w ≥ n Strength depends on f , g , w smaller w needs stronger f Also building blocks are analyzed Albena Hash Function Cryptanalysis I 6

  7. Institute for Applied Information Processing and Communications (IAIK) Outline Motivation 1 Collision Attacks 2 Differential Cryptanalysis of Hash Functions 3 Application to SHA-1 The Rebound Attack 4 Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 7

  8. Institute for Applied Information Processing and Communications (IAIK) Collision Attacks � = m m ∗ h h h ( m ) = h ( m ∗ ) Find two different messages which result in the same hash value: m � = m ∗ with h ( m ) = h ( m ∗ ) birthday effect applies: 2 n / 2 Albena Hash Function Cryptanalysis I 8

  9. Institute for Applied Information Processing and Communications (IAIK) Collision Attacks (Differential View) − = ∆ m � = 0 m m ∗ h h h = h ( m ) − h ( m ∗ ) ∆ h ( m ) = 0 Find two different messages which result in the same hash m , ∆ m with ∆ m � = 0 and ∆ h ( m ) = 0 Usually XOR differences are used: ∆ m = m ⊕ m ∗ and ∆ h ( m ) = h ( m ) ⊕ h ( m ∗ ) Albena Hash Function Cryptanalysis I 9

  10. Institute for Applied Information Processing and Communications (IAIK) Outline Motivation 1 Collision Attacks 2 Differential Cryptanalysis of Hash Functions 3 Application to SHA-1 The Rebound Attack 4 Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 10

  11. Institute for Applied Information Processing and Communications (IAIK) Differential Characteristic ∆ m � = 0 how to find m , ∆ m ? find differential characteristic (trail, path) h determines ∆ m holds with high probability P ? if P > 2 − n / 2 : find colliding m by trying 1 / P random messages with complexity < 2 n / 2 ∆ h ( m ) = 0 Albena Hash Function Cryptanalysis I 11

  12. Institute for Applied Information Processing and Communications (IAIK) Differential Characteristic ∆ m � = 0 how to find m , ∆ m ? find differential characteristic (trail, path) h determines ∆ m holds with high probability P ? if P > 2 − n / 2 : find colliding m by trying 1 / P random messages with complexity < 2 n / 2 ⇒ how to improve complexity of attack? ⇒ how to find good differential characteristics? ∆ h ( m ) = 0 Albena Hash Function Cryptanalysis I 11

  13. Institute for Applied Information Processing and Communications (IAIK) How to Improve Complexity of Attack? Good characteristic for block ciphers: ∆ m � = 0 optimizes probability Good characteristic for hash functions h optimizes probability minimizes effort to find m How to find m ? no secret key involved we can choose m according to characteristic resulting equations in first steps are easy (only a small part of the message involved) reduced costs at input of characteristic ∆ h ( m ) = 0 Albena Hash Function Cryptanalysis I 12

  14. Institute for Applied Information Processing and Communications (IAIK) How to Improve Complexity of Attack? Good characteristic for block ciphers: ∆ m � = 0 optimizes probability Good characteristic for hash functions h optimizes probability minimizes effort to find m How to find m ? no secret key involved we can choose m according to characteristic resulting equations in first steps are easy (only a small part of the message involved) reduced costs at input of characteristic ⇒ characteristic with lower probability at input to get ∆ h ( m ) = 0 higher probability towards end Albena Hash Function Cryptanalysis I 12

  15. Institute for Applied Information Processing and Communications (IAIK) How to Find Good Differential Characteristics? block cipher based design: use characteristic of block cipher attack (also related key characteristics) by hand: MD4, MD5, SHA-1 (Wang et al.) (semi-) automatic tools: linearize hash function (coding tools) non-linear differential search by design: well known best characteristics Albena Hash Function Cryptanalysis I 13

  16. Institute for Applied Information Processing and Communications (IAIK) Example: SHA-1 high probability in second part (L) linearize hash function [RO05] search for linear differential characteristic using low weight code search connect with IV in first part (NL) low probability search for non-linear characteristic [WYY05, DR06] message modification easy for first 16 steps (just invert equation) also possible for more steps ( ≤ 25) (advanced message modification) Albena Hash Function Cryptanalysis I 14

  17. Institute for Applied Information Processing and Communications (IAIK) Finding Linear Characteristics Message expansion is linear Linearize modular addition by XOR no carry with probability 1 / 2 Linearize Boolean function by XOR holds with probability ∼ 1 / 2 Probabilities are given for single bit differences Albena Hash Function Cryptanalysis I 15

  18. Institute for Applied Information Processing and Communications (IAIK) Finding Linear Characteristics Differences with low Hamming weight result in good probability Finding good linear characteristic corresponds to finding low-weight code word in linear code Good representation of hash function is important Open source tool to find low weight code words: http://www.iaik.tugraz.at/content/research/ krypto/codingtool/ Albena Hash Function Cryptanalysis I 16

  19. Institute for Applied Information Processing and Communications (IAIK) Finding Non-Linear Characteristics [DR06] Using generalized conditions Albena Hash Function Cryptanalysis I 17

  20. Institute for Applied Information Processing and Communications (IAIK) Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Albena Hash Function Cryptanalysis I 18

  21. Institute for Applied Information Processing and Communications (IAIK) Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Albena Hash Function Cryptanalysis I 18

  22. Institute for Applied Information Processing and Communications (IAIK) Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Add conditions to control diff. no probability needed here Albena Hash Function Cryptanalysis I 18

  23. Institute for Applied Information Processing and Communications (IAIK) Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Add conditions to control diff. no probability needed here Find conforming message pair message mod. until step 25 probabilistic for further steps Albena Hash Function Cryptanalysis I 18

  24. Institute for Applied Information Processing and Communications (IAIK) Message Modification To improve complexity of attack in first few steps up to 25 in the case of SHA-1 Many dedicated techniques have been published: advanced message modifications [WYY05] equation solving [SKPI07] neutral bits [BC04] boomerang/tunnels [JP07, Kli06] greedy approach [DMR07] Resulting theoretical complexity for SHA-1: ∼ 2 63 [WYY05] implementation overhead! Albena Hash Function Cryptanalysis I 19

Recommend

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven, Belgium Outline 1 Motivation 2 Application to SHA-1 3 Application to other Hash Functions 4 Summary and Future Work Collision Attacks on the

652 views • 46 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis:

Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis:

Hash Functions June 2013 Bart Preneel Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis: basic topics Bart Preneel This is an input to

402 views • 14 slides
New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafi Chen Department of

New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafi Chen Department of

New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafi Chen Department of Computer Science, Technion Israel Institute of Technology Joint work with Eli Biham Cryptoday 2011 p. 1/52 Talk Outline Definition and properties

963 views • 95 slides
Tools in Cryptanalysis of Hash Functions Application to SHA-256 Florian Mendel Institute for

Tools in Cryptanalysis of Hash Functions Application to SHA-256 Florian Mendel Institute for

Tools in Cryptanalysis of Hash Functions Application to SHA-256 Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria Outline Motivation 1

602 views • 42 slides
Cryptanalysis of FORK-256 and some comments on the state of hash functions research Krystian

Cryptanalysis of FORK-256 and some comments on the state of hash functions research Krystian

Cryptanalysis of FORK-256 and some comments on the state of hash functions research Krystian Matusiewicz kmatus@ics.mq.edu.au Centre for Advanced Computing Algorithms and Cryptography, Department of Computing, Macquarie University IM PAN, 20

859 views • 55 slides
Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash Functions Bart Preneel KU Leuven - COS IC firstname.lastname@ esat.kuleuven.be Design and S ecurity of Cryptographic Functions, Algorithms and Devices

982 views • 67 slides
Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013

Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013

Introduction 1/24 Gatan Leurent Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013 UCL Crypto Group FSE 2013 Cryptanalysis of WIDEA G. Leurent Microelectronics Laboratory UCL Crypto Group

617 views • 32 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario School of Mathematics and Statistics Carleton University daniel@math.carleton.ca ASCrypto (Advanced School of Cryptography) Latincrypt 2019

971 views • 62 slides
Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2 Tomislav Nad and Martin Schl 1 DTU - Technical University of Denmark 2 IAIK - Graz University of Technology December 18, 2013 Cryptographic Hash

345 views • 22 slides
x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

ECRYPT Bart Preneel Emerging Topics in Cryptographic Design and Cryptanalysis Generic Constructions 30 April- 4 May 2007, Samos Greece for Iterated Hash Functions Outline Generic Constructions Generic Constructions for Iterated Hash

759 views • 10 slides
Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David Malone 11 October 2012 Hash Functions We are talking about hash functions for consistent assignment. For example, Hash tables, Network

448 views • 18 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.37k views • 120 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.68k views • 129 slides
Tools in Cryptanalysis Florian Mendel - Tomislav Nad - Martin Schlffer Christoph Dobraunig -

Tools in Cryptanalysis Florian Mendel - Tomislav Nad - Martin Schlffer Christoph Dobraunig -

Tools in Cryptanalysis Florian Mendel - Tomislav Nad - Martin Schlffer Christoph Dobraunig - Maria Eichlseder Hash Functions A cryptographic hash function produces cryptographic checksums or fingerprints m Fast H Secure h Security

696 views • 42 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

338 views • 23 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

787 views • 23 slides
Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography SHA-1 SHA-3 (Keccak) Hash Functions, SHA-3, Message Authentication Codes 2 Sponge Construction Keccak Overview Renate Scheidler Keccak

888 views • 14 slides
Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

CSS441 Hash Functions Hash Functions Authentication Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

1.04k views • 24 slides
References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding Cryptography by Paar &amp; Pelzl. &amp; Mathematical Cryptography , by Keijo Ruohonen, http://math.tut.fi/~ruohonen/MC.pdf , pages 9899. Signature

255 views • 10 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides

More recommend