Gröbner Basis Based Cryptanalysis of SHA-1
Makoto Sugita (IPA Security Center)
Joint work with Mitsuru Kawazoe (Osaka Prefecture University) and Hideki Imai (Chuo University and RCIS, AIST)
Outline
• Introduction
• Wang's method
• Our method: the Gröbner basis based method
• Gröbner basis based cryptanalysis of 58-round SHA-1
• Gröbner basis based cryptanalysis of full-round SHA-1
• Conclusion
A history of hash function proposals and cryptanalysis of hash functions

[Figure: timeline from 1990 to 2005; proposals on the left, attacks on the right.]

Proposals:
• MD4 ('90), proposed by Ron Rivest
• MD5 ('91)
• SHA-0 ('93), proposed by NIST
• SHA-1 ('95)
• SHA-2 ('01): SHA-224, 256, 384, 512

Cryptanalysis:
• Dobbertin: semi-free-start collision of MD5 ('96)
• Wang: attack on SHA-0 with complexity 2^58 ('97)
• Chabaud and Joux: attack on SHA-0 ('98)
• Wang: 2-block collision of MD5 ('04)
• Joux: 4-block collision of SHA-0 ('04)
• Biham and Chen: collision of 40-round SHA-1 ('04)
• Wang: attack on SHA-1 with complexity 2^63 ('05)
Structure of hash function SHA-1

[Figure: the 80-step SHA-1 compression function. The initial value IV (160 bit) enters the 1st step; the message M (32 bit × 16 words = 512 bit) goes through message expansion to 32 bit × 80 words = 2560 bit, and the t-th expanded word enters the t-th step; every step outputs a 160-bit state, and the output of the 80th step gives the hash result.]

A, B, C, D, E : 32-bit words of the state
F : nonlinear function
<<< s : left bit rotation by s places
+ : addition modulo 2^32
K_t : constant
Differential cryptanalysis against hash functions

[Figure: the step chain of the previous slide drawn for a message pair (M, M') with the same initial value, ΔIV = 0. At the i-th round the expanded message word M_i (32 bit) carries the message difference ΔM_i, and the round output h_i carries the difference Δh_i, for i = 1, ..., 80. M is 32 × 16 = 512 bit before expansion and 32 × 80 = 2560 bit after it.]

• Message difference ΔM = M - M'
• Define sufficient conditions so that the expected chain of differences Δh_1, ..., Δh_80 occurs
• The sufficient conditions are determined depending on the differential values (disturbance vector)
• The problem is transformed into a decoding problem of a nonlinear code
• Difference of hash results ΔH = H - H'; ΔH = 0 ⇒ collision: H = H'
Wang's attack

Outline of the attack:
• Find differential paths (characteristics: differences with respect to subtraction modulo 2^32)
• Determine certain sufficient conditions
• For a randomly chosen M, apply the message modification techniques

However, not all information is published:
– How to find such a differential path (disturbance vector)? There are too many candidates.
– How to determine the sufficient conditions?
– What is multi-message modification?
Details are unpublished.
Sufficient conditions and message modification techniques by Wang

The method for determining the sufficient conditions is unpublished.
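The two previous slides describe the compression function and the ingredients of Wang's attack in words. The following Python block, added here as an example (it is not the slide authors' code nor Wang's), makes them concrete: it implements the 80-step SHA-1 compression function with a per-step trace of the state word a_{t+1}, computes the modular state differences Δa for a message pair (M, M'), and performs the simplest form of message modification, which works for steps 1..16 because W_0..W_15 are free there: solving a_{t+1} = (a_t <<< 5) + F + e + K_t + W_t for W_t forces any chosen bit of a_{t+1}. The bit conditions used in the demonstration are constructed for illustration only; they are not Wang's sufficient conditions. Steps 17..80, where W_t is fixed by the expansion, are exactly the case this block does not handle and where multi-message modification is needed.

```python
"""SHA-1 compression function with a per-step state trace, the per-step
modular state difference of a message pair, and single-message modification
of the free words W_0..W_15. Added example, not the slide authors' code.
The digest is checked against hashlib; the conditions in __main__ are
constructed for illustration and are NOT Wang's conditions."""
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def f_k(t, b, c, d):
    """Round function F and constant K_t for step t (0-based)."""
    if t < 20:
        return (b & c) | ((~b) & d & MASK), 0x5A827999
    if t < 40:
        return b ^ c ^ d, 0x6ED9EBA1
    if t < 60:
        return (b & c) | (b & d) | (c & d), 0x8F1BBCDC
    return b ^ c ^ d, 0xCA62C1D6


def expand(words):
    """Message expansion: W_0..W_15 -> W_0..W_79."""
    w = list(words)
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def compress(words, iv=IV):
    """One SHA-1 block. Returns (chaining value, trace); trace[t] is the new
    A word produced by step t, i.e. a_{t+1} in the slides' 1-based numbering."""
    w = expand(words)
    a, b, c, d, e = iv
    trace = []
    for t in range(80):
        f, k = f_k(t, b, c, d)
        new_a = (rotl(a, 5) + f + e + k + w[t]) & MASK
        a, b, c, d, e = new_a, a, rotl(b, 30), c, d
        trace.append(a)
    return tuple((x + y) & MASK for x, y in zip(iv, (a, b, c, d, e))), trace


def pad_single_block(msg):
    """Padding for a message that fits in one 512-bit block (<= 55 bytes)."""
    if len(msg) > 55:
        raise ValueError("example handles one block only")
    block = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
    return list(struct.unpack(">16I", block))


def sha1_single_block(msg):
    h, _ = compress(pad_single_block(msg))
    return struct.pack(">5I", *h)


def state_differences(words, words2, iv=IV):
    """Delta a_{t+1} = a_{t+1} - a'_{t+1} mod 2^32 for every step of (M, M')."""
    _, tr = compress(words, iv)
    _, tr2 = compress(words2, iv)
    return [(x - y) & MASK for x, y in zip(tr, tr2)]


def message_modification(words, conditions, iv=IV):
    """Single-message modification for steps 0..15: W_t is free there, so
    a_{t+1} = (a_t <<< 5) + F + e + K_t + W_t can be set by choosing W_t.
    conditions maps (t, bit) -> 0/1 on a_{t+1}. Unconstrained bits keep the
    value the input message produced, so words without conditions stay the
    same. Steps >= 16 are rejected: W_t is fixed by the expansion there
    (that is the multi-message modification problem, not handled here)."""
    if any(t >= 16 for t, _ in conditions):
        raise ValueError("only conditions on a_1..a_16 can be forced this way")
    w = list(words)
    a, b, c, d, e = iv
    for t in range(16):
        f, k = f_k(t, b, c, d)
        base = (rotl(a, 5) + f + e + k) & MASK
        new_a = (base + w[t]) & MASK
        for (step, bit), val in conditions.items():
            if step == t:
                new_a = (new_a & ~(1 << bit) & MASK) | (val << bit)
        w[t] = (new_a - base) & MASK          # solve the step equation for W_t
        a, b, c, d, e = new_a, a, rotl(b, 30), c, d
    return w


def unsatisfied(words, conditions, iv=IV):
    """Conditions that the state chain of `words` does not meet."""
    _, tr = compress(words, iv)
    return sorted((t, bit) for (t, bit), val in conditions.items()
                  if (tr[t] >> bit) & 1 != val)


if __name__ == "__main__":
    assert sha1_single_block(b"abc") == hashlib.sha1(b"abc").digest()
    m = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]      # constructed message
    m2 = list(m)
    m2[0] = (m2[0] + 1) & MASK                                   # Delta M_0 = +1
    print("first 5 state differences:", [hex(x) for x in state_differences(m, m2)[:5]])
    cond = {(0, 31): 1, (0, 0): 0, (5, 7): 1, (15, 31): 0, (15, 1): 1}   # constructed
    print("unsatisfied before:", unsatisfied(m, cond))
    mm = message_modification(m, cond)
    print("unsatisfied after:", unsatisfied(mm, cond))
    print("words changed:", [i for i in range(16) if mm[i] != m[i]])
```

Only the words at steps that carry a condition are rewritten, so the modified message still satisfies every condition on earlier steps. The trace uses 0-based step indices (trace[t] is a_{t+1}); the slides number steps from 1.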
Many details are not public!
1. How to find the differentials?
2. How to determine the sufficient conditions on a_i?
3. What are the details of the message modification technique?
=> We have clarified 2 and 3, and partially 1.
Our contribution:
• Developing a search method for 'good' message differentials
• Developing a method to determine the sufficient conditions
• Developing a new multi-message modification technique
– Proposal of a novel message modification technique employing the Gröbner basis based method
Wang's attack, nonlinear code and Gröbner basis

[Figure: Wang's attack is the same problem as the decoding problem of a nonlinear code; a Gröbner-like method is applicable to both.]

• Wang's attack can be considered as a decoding problem of a nonlinear code.
Wang's attack and nonlinear code
• Wang's attack is decoding a nonlinear code {a_i, m_i} in GF(2)^(32 × 80 × 2):
– satisfying the sufficient conditions
– satisfying the nonlinear relations between a and m
How to decode the nonlinear code?
• A general method: a Gröbner basis based algorithm
• It is difficult to calculate the Gröbner basis directly: the system of equations is very complex
• How to decode?
– Employ the Gröbner basis based method
– Employ techniques from error-correcting codes
– Note: the nonlinear relations between a and m can be linearly approximated
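The two slides above state the idea in one line: the state words a_i and message words m_i, the sufficient conditions on a_i, and the nonlinear step relations between a and m form a system of Boolean equations, and a Gröbner basis of that system is its "decoding". The following Python block, added here as an example (it is not the slide authors' code and not their actual system), shows the mechanics on a toy that is small enough to trace by hand: one 3-bit modular addition a' = a + m mod 8, the nonlinear relation between a state word and a message word at a step, with sufficient conditions given as fixed bits of a'. A small Buchberger algorithm over the Boolean ring GF(2)[x]/(x^2 - x) computes the lex Gröbner basis; when the conditions determine m uniquely the basis consists of linear polynomials that read off the solution, and when they do not, the remaining polynomials show which variables stay free. The variable names m_j, c_j, the 3-bit word size and the concrete conditions are assumptions of this example. The real system has 32 × 80 × 2 variables, which is why the slides say a direct Gröbner basis computation is infeasible.

```python
"""Toy 'decoding of a nonlinear code' with a Boolean Groebner basis.
Polynomials over GF(2)[x]/(x^2 - x) are frozensets of monomials; monomials
are frozensets of variable names. Buchberger's algorithm with the extra x*f
checks the Boolean quotient ring needs. The code modelled is a 3-bit modular
addition a' = a + m mod 8 with sufficient conditions on bits of a'.
Added example, not the slide authors' code; names and sizes are assumptions."""

N = 3                                              # word size of the toy
VARS = [f"c{j}" for j in range(N - 1, 0, -1)] + [f"m{j}" for j in range(N - 1, -1, -1)]
ZERO, ONE = frozenset(), frozenset([frozenset()])


def var(name):
    return frozenset([frozenset([name])])


def const(bit):
    return ONE if bit else ZERO


def padd(*ps):
    out = frozenset()
    for p in ps:
        out ^= p                                   # addition in GF(2): cancel pairs
    return out


def pmul(p, q):
    out = set()
    for s in p:
        for t in q:
            out ^= {s | t}                         # x*x = x, so monomial product is union
    return frozenset(out)


def key(mono):                                     # lex order on VARS (first = largest)
    return tuple(1 if v in mono else 0 for v in VARS)


def lm(p):
    return max(p, key=key)


def reduce_poly(p, G):
    """Full remainder of p modulo the list G (every term is reduced)."""
    p, rem = set(p), set()
    while p:
        t = max(p, key=key)
        for g in G:
            if lm(g) <= t:                         # lm(g) divides t
                p ^= pmul(g, frozenset([t - lm(g)]))
                break
        else:
            p.remove(t)
            rem.add(t)
    return frozenset(rem)


def spoly(f, g):
    L = lm(f) | lm(g)
    return padd(pmul(f, frozenset([L - lm(f)])), pmul(g, frozenset([L - lm(g)])))


def groebner(F):
    """Buchberger in the Boolean ring: S-polynomials plus, for each f and each
    variable x in lm(f), the product x*f (e.g. f = x*y + y + 1 gives x*f = x)."""
    G, pending = [], []

    def push(f):
        G.append(f)
        k = len(G) - 1
        pending.extend((k, j) for j in range(k))
        pending.extend((k, x) for x in lm(f))

    for f in F:
        r = reduce_poly(f, G)
        if r:
            push(r)
    while pending:
        i, j = pending.pop()
        s = pmul(G[i], var(j)) if isinstance(j, str) else spoly(G[i], G[j])
        r = reduce_poly(s, G)
        if r:
            push(r)
    return interreduce(G)


def interreduce(G):
    G, changed = list(G), True
    while changed:
        changed = False
        for i, g in enumerate(G):
            r = reduce_poly(g, G[:i] + G[i + 1:])
            if r != g:
                changed = True
                if r:
                    G[i] = r
                else:
                    del G[i]
                break
    return sorted(G, key=lambda p: key(lm(p)), reverse=True)


def fmt(p):
    return " + ".join("*".join(sorted(t)) or "1" for t in sorted(p, key=key, reverse=True)) or "0"


def modadd_equations(a_bits, conditions):
    """Equations for a' = a + m mod 2^N: a known (bits, LSB first), m_j and the
    carries c_j unknown, conditions = {bit: value} on a'. An unconditioned bit
    of a' adds no equation (it is not part of the 'sufficient conditions')."""
    eqs, carry = [], ZERO
    for j in range(N):
        a, m = const(a_bits[j]), var(f"m{j}")
        s = padd(a, m, carry)                      # a'_j = a_j + m_j + c_j
        if j in conditions:
            eqs.append(padd(s, const(conditions[j])))
        if j < N - 1:
            c = var(f"c{j + 1}")                   # c_{j+1} = maj(a_j, m_j, c_j)
            eqs.append(padd(c, pmul(a, m), pmul(a, carry), pmul(m, carry)))
            carry = c
    return eqs


def solve(equations):
    """Variables fixed by the lex Groebner basis, and the remaining basis
    polynomials (non-empty when the conditions leave m undetermined)."""
    fixed, rest = {}, []
    for p in groebner(equations):
        terms = [t for t in p if t]
        if len(terms) == 1 and len(terms[0]) == 1:
            (v,) = terms[0]
            fixed[v] = 1 if frozenset() in p else 0
        else:
            rest.append(p)
    return fixed, rest


def m_value(fixed):
    return sum(fixed[f"m{j}"] << j for j in range(N))


def brute_force(a_bits, conditions):
    """Reference: every m in 0..2^N-1 meeting the conditions."""
    a = sum(b << j for j, b in enumerate(a_bits))
    return {m for m in range(2 ** N)
            if all(((a + m) >> j) & 1 == v for j, v in conditions.items())}


if __name__ == "__main__":
    fixed, rest = solve(modadd_equations([1, 1, 0], {0: 1, 1: 0, 2: 1}))
    print("all bits conditioned:", fixed, "m =", m_value(fixed), brute_force([1, 1, 0], {0: 1, 1: 0, 2: 1}))
    fixed, rest = solve(modadd_equations([1, 1, 0], {0: 1, 2: 1}))
    print("bit 1 free:", fixed, [fmt(p) for p in rest], brute_force([1, 1, 0], {0: 1, 2: 1}))
```

With a = 011 and all three bits of a' fixed to 101 the basis is {c2 + 1, c1, m2, m1 + 1, m0}, i.e. m = 010, which brute force confirms; dropping the condition on bit 1 leaves m1 free and the basis {c2 + m1, c1, m2 + m1 + 1, m0} describes both solutions m = 010 and m = 100. The carries play the role of the auxiliary variables that make the step relation polynomial, and the partially-conditioned case is the situation the slides call decoding: the conditions alone do not pin down the message, and the algebra has to exhibit the remaining freedom.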
How to find the disturbance vector and construct differentials?
• See our preprint. Since then, better methods have been published by other teams.
• We recently proposed a new non-probabilistic method to construct differentials using `Rail Differential` (SCIS 2007, Japan).