Meet-in-the-Middle Attack Using Output Truncation in 3-Pass HAVAL
Yu Sasaki, NTT Corporation
07/Sep/2009, ISC2009@Pisa
1/22
Yu Sasaki, MitM using output truncation of 3-Haval

Summary (2/22)
• HAVAL is a hash function that can produce variable output lengths. Output bit-sizes: 128, 160, 192, 224, 256.
[Figure: 128, 160, 192, 224 = wide-pipe (our target); 256 = narrow-pipe (already attacked)]
• We present the first analysis on short output sizes of 3-pass HAVAL.
Motivation (3/22)
• Recently designed hash functions use "wide-pipe" mode. (See the SHA-3 round-2 candidates.)
 – Internal state size is larger than the hash value.
[Figure: M_0, M_1, ..., M_{N-1} are fed to CF; H_0 → H_1 → H_2 → ... → H_{N-1} → H_N, each n bits; H_N is truncated (Trunc.) to L bits to give the hash]
• Previous work only analyzes without truncation (narrow-pipe). We should analyze wide-pipe.
• It is useful to evaluate SHA-224/SHA-384.
Target of our attacks (4/22)
• Our attacks generate the following:
 – Preimages: for given y, find M s.t. Hash_IV(M) = y.
 – Pseudo-preimages: for given y, find (X, M) s.t. Hash_X(M) = y.
[Figure: IV (resp. X) and M enter CF (n bits), then Trunc. to L bits gives y]
• A generic attack will cost 2^n for both attacks.
Impact of attack (5/22)
Finding pseudo-preimages indicates:
1. CF is distinguished from a Random Oracle. (reduction security)
2. The eTCR property for Key-via-IV is broken. (keyed-hash function security)
eTCR: For given (K, M, y), find (K', M') s.t. Hash_{K'}(M') = y.
[Figure: K used as the IV, M enters CF (n bits), Trunc. to L bits gives y]
Results (6/22)
• We propose 2 approaches to find preimages or pseudo-preimages for short output sizes.

Output length               256         224     192     160     128
Approach 1, Pseudo-preimage Not target  2^192   2^160   2^144   -
Approach 1, Preimage        Not target  -       -       -       -
Approach 2, Pseudo-preimage Not target  2^160   2^128   2^106   2^84
Approach 2, Preimage        Not target  2^209   -       -       -

First preimage attacks on HAVAL short output.
HAVAL (7/22)
• Designed by Zheng, Pieprzyk, Seberry in 1992.
[Figure: M_0, M_1, ..., M_{N-1} (1024 bits each) enter CF; H_0 → H_1 → H_2 → ... → H_{N-1} → H_N (256 bits each); Trunc. to L bits gives y. Trunc. is executed only if L ≠ 256. The figure marks the attack focus.]
HAVAL compression function (8/22)
• Split M_{i-1} into 32-bit message words (m_0 || m_1 || ... || m_31).
• Set a 256-bit variable p_0 = H_{i-1}.
• Compute the step function: p_{j+1} = Step(p_j, m_π(j)), j = 0, 1, ..., 95.
• Output H_i = Trunc(p_0 + p_96).
[Figure: p_0 → step(m_π(0)) → p_1 → step(m_π(1)) → p_2 → step(m_π(2)) → p_3 → ... → p_94 → step(m_π(94)) → p_95 → step(m_π(95)) → p_96; D = p_0 + p_96; Trunc.(D) = H_i]
Note that the step function is invertible.
HAVAL message schedule (9/22)
• Message index π for 96 steps:
• In every 32 steps, each of m_0 – m_31 appears once.
• Each m_i appears 3 times during the 96 steps.
• In each round, the message order changes.
Idea of MitM preimage attack (10/22, 11/22)
• Split the message schedule into 2 chunks of steps so that each chunk includes an independent word.
Ex. 2-round (64-step) HAVAL; start at p_8, MitM match at p_55:
 – Chunk 1 (function of m_9, independent of m_2): p_{j+1} = Step(p_j, m_π(j)), for j = 8, 9, ..., 54.
 – Chunk 2 (function of m_2, independent of m_9): p_j = Step^{-1}(p_{j+1}, m_π(j)), for j = 7, 6, ..., 0; then p_64 = y - p_0; then p_j = Step^{-1}(p_{j+1}, m_π(j)), for j = 63, 62, ..., 55.
Idea of MitM preimage attack (12/22)
• When we split the message schedule into 2 chunks, up to 9 consecutive steps can be skipped.
Ex. 3-round (96-step) HAVAL [Figure: the start point and the skipped steps are marked]
This strategy doesn't work for truncated output (in other words, wide-pipe mode).
Problem of previous work (13/22)
[Figure: the 96-step chain p_0 → ... → p_96 with words m_π(0), ..., m_π(95); every p_j and D is 256 bits; Trunc. reduces D to y. Ex. y is 224 bits]
• The hash value is truncated; hence the cost of a brute-force attack is reduced (this case: 2^224).
• MitM on a 256-bit variable with 32 free bits costs the same as the brute-force attack.
• If each chunk includes more than 1 independent word, the attack works. But this is unlikely to occur.
Attack outline (14/22)
• Approach 1
 – Use unbalanced free bits in the two chunks.
 – Increase the free bits by finding all inverse images of the truncation function.
• Approach 2
 – Perform the match of the MitM on the input of the truncation function.
Approach 1: unbalanced free bits (15/22)
• Consider the 224-bit output (1-word truncation).
• It is unlikely that both chunks have 2 free words.
• The following situation often occurs: one chunk includes 2 free words, but the other includes 1.
Previous MitM: unbalanced free bits (16/22)
[Figure: steps 0 to 95; p_0 fixed; one chunk has 32 free bits (m_5), the other has 64 free bits (m_27, m_28); the MitM match is at p_88; y is given]
Even if a chunk has 64 free bits, the attacker's advantage is limited to only 32 bits as long as the other chunk has only 32 free bits.
Attack on 224-bit output (17/22)
[Figure: as on the previous slide, with the 256-bit D in front of Trunc. and the 224-bit y after it; the chunk with p_0 and m_5 (red) now also covers D]
Invert Trunc.: find all 2^32 D s.t. Trunc(D) = y.
The red chunk now includes 64 free bits: (m_5, D).
Pseudo-preimages are found with 2^256 · 2^-64 computations.
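The splice-and-cut MitM of slides 10-11 and the Approach 1 trick of slide 17 (enumerate every D with Trunc(D) = y so that the backward chunk gains free bits), carried out end to end on a miniature hash. This is an added example, not code from the slides and not HAVAL: the 16-bit state, the Feistel-style step function, the S-box, the 4-word schedule PI, the half-wise feed-forward and all function names are constructed for the illustration. With a 16-bit output each chunk has 8 free bits (m2 forward, m1 backward), so a trial with a fixed start value yields about one match; truncating to 12 bits and enumerating the 16 values of D above y gives the backward chunk 12 free bits, so each trial yields about 16 matches, every one of them a pseudo-preimage of the 12-bit y. That is the same accounting as the 2^32 values of D on the slide, and it only works because this Trunc is a plain bit drop whose preimages are trivial to list (the condition noted on slide 21).

```python
"""Splice-and-cut MitM pseudo-preimage search on a miniature HAVAL-like hash.
Added example: the toy hash (16-bit state, 8-bit words, 8 steps), its step
function, S-box and schedule PI are constructed here and are NOT HAVAL."""
import random

PI = [0, 1, 2, 3, 2, 0, 3, 1]   # toy schedule: each of m0..m3 once per 4-step round
STEPS = len(PI)
# Chunk layout read off PI: steps 2..5 use words {2,3,0}; steps 1,0 and 7,6
# use words {1,0,3}.  So m2 is the forward chunk's independent word and m1 the
# backward chunk's (the analogue of m9 and m2 on the slides).
START, MATCH = 2, 6


def sbox(x):
    """Fixed byte permutation (constructed): affine map then a bit rotation."""
    y = (x * 167 + 13) & 0xFF
    return ((y << 3) | (y >> 5)) & 0xFF


def step(p, m):
    """Invertible Feistel-style step on a 16-bit state p = (a << 8) | b."""
    a, b = p >> 8, p & 0xFF
    return (b << 8) | ((a + sbox(b ^ m)) & 0xFF)


def step_inv(q, m):
    """Exact inverse of step(): q = (b, a + S(b ^ m)) -> (a, b)."""
    b, c = q >> 8, q & 0xFF
    return (((c - sbox(b ^ m)) & 0xFF) << 8) | b


def feedforward(p0, p_last):
    """Half-wise modular addition, the toy version of D = p_0 + p_96."""
    hi = ((p0 >> 8) + (p_last >> 8)) & 0xFF
    lo = ((p0 & 0xFF) + (p_last & 0xFF)) & 0xFF
    return (hi << 8) | lo


def feedforward_inv(p0, d):
    """Solve p_last from D = p_0 + p_last (half-wise)."""
    hi = ((d >> 8) - (p0 >> 8)) & 0xFF
    lo = ((d & 0xFF) - (p0 & 0xFF)) & 0xFF
    return (hi << 8) | lo


def trunc(d, out_bits):
    """Keep the out_bits most significant bits of the 16-bit D."""
    return d >> (16 - out_bits)


def toy_hash(p0, msg, out_bits=16):
    """Trunc(p_0 + p_8) after 8 steps, with p_0 a chosen chaining value."""
    p = p0
    for j in range(STEPS):
        p = step(p, msg[PI[j]])
    return trunc(feedforward(p0, p), out_bits)


def mitm_pseudo_preimage(y, out_bits=16, seed=1, max_trials=1 << 20):
    """Return (p0, msg) with toy_hash(p0, msg, out_bits) == y, or None."""
    rng = random.Random(seed)
    # Approach 1: list every untruncated D with trunc(D) == y; the choice of D
    # is 16 - out_bits extra free bits for the backward chunk.
    d_candidates = [(y << (16 - out_bits)) | low for low in range(1 << (16 - out_bits))]
    for _ in range(max_trials):
        p_start = rng.randrange(1 << 16)          # value of p_START, chosen freely
        m0, m3 = rng.randrange(256), rng.randrange(256)
        # forward chunk: p_START -> p_MATCH, free word m2, never touches m1
        fwd = {}
        for m2 in range(256):
            words = {0: m0, 2: m2, 3: m3}
            p = p_start
            for j in range(START, MATCH):
                p = step(p, words[PI[j]])
            fwd[p] = m2
        # backward chunk: p_START -> p_0, then p_8 = D - p_0 -> p_MATCH,
        # free word m1 plus the choice of D, never touches m2
        for m1 in range(256):
            words = {0: m0, 1: m1, 3: m3}
            p = p_start
            for j in range(START - 1, -1, -1):
                p = step_inv(p, words[PI[j]])
            p0 = p
            for d in d_candidates:
                q = feedforward_inv(p0, d)
                for j in range(STEPS - 1, MATCH - 1, -1):
                    q = step_inv(q, words[PI[j]])
                if q in fwd:                       # meet in the middle at p_MATCH
                    return p0, [m0, m1, fwd[q], m3]
    return None


if __name__ == "__main__":
    for bits, target in ((16, 0xBEEF), (12, 0xABC)):
        p0, msg = mitm_pseudo_preimage(target, bits)
        assert toy_hash(p0, msg, bits) == target
        print(f"{bits}-bit target {target:#x}: p0={p0:#06x} msg={msg}")
```

The backward chunk deliberately recomputes p_0 only once per m1 and then loops over the D candidates, which is where the extra free bits of Approach 1 enter; a hash whose truncation is hard to invert (the "small tweak of Trunc." mentioned on slide 21) would leave d_candidates with the single value y and the two chunks back at 8 free bits each.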
Approach 2 (match at the input of Trunc.) (18/22)
Perform the match of the MitM on the variable which is the input of the truncation.
[Figure: the 96-step chain p_0 → ... → p_96 with words m_π(0), ..., m_π(95); every p_j and D is 256 bits; Ex. y is 224 bits after Trunc.]
Split the steps into 2 chunks so that the match is performed on this variable (D).
Attack idea (19/22)
[Figure: (1) Match on the state words Q_{j-7}, Q_{j-6}, ..., Q_j against y: some words are matched efficiently, the others are satisfied randomly. (2) Match on D = (Q_{j-7}, ..., Q_j) in the same way, then Truncate to y = (Q_{j-5}, ..., Q_j); the truncated words are discarded.]
The randomly searched space is reduced. The attack efficiency does not change.
Chunk separation for approach 2 (20/22)
The match is performed between Step 0 and Step 95.
Note: the truncation of HAVAL is more complicated. More detailed analysis is necessary.
Results (21/22)

Output length               256         224     192     160     128
Approach 1, Pseudo-preimage Not target  2^192   2^160   2^144   -
Approach 1, Preimage        Not target  -       -       -       -
Approach 2, Pseudo-preimage Not target  2^160   2^128   2^106   2^84
Approach 2, Preimage        Not target  2^209   -       -       -

Approach 2 is prevented with a small tweak of Trunc.
Approach 1 works as long as Trunc^{-1} is easily computed.
Summary (22/22)
• Two approaches to finding preimages and pseudo-preimages against wide-pipe hashes with the MitM attack.
• First results on short-output 3-pass HAVAL.
• This technique can also be applied to reduced SHA-224 and SHA-384: Kazumaro Aoki, Jian Guo, Kristian Matusiewicz, Yu Sasaki, Lei Wang. Preimages for Step-Reduced SHA-2, Asiacrypt'09.
Thank you for your attention!! (23)