new message difference for md4
play

New Message Difference for MD4 Yu Sasaki, Lei Wang, Kazuo Ohta and - PowerPoint PPT Presentation

Mar 28, 2024 •159 likes •562 views

New Message Difference for MD4 Yu Sasaki, Lei Wang, Kazuo Ohta and Noboru Kunihiro The University of Electro-Communications 28/March/2007 @ FSE 2007 1 Introduction of MD4 Input Output Hash Arbitrary Defined Function length data length

  1. New Message Difference for MD4 Yu Sasaki, Lei Wang, Kazuo Ohta and Noboru Kunihiro The University of Electro-Communications 28/March/2007 @ FSE 2007 1

  2. Introduction of MD4 Input Output Hash Arbitrary Defined Function length data length data ﻪ MD4 is a 128-bit hash function. ﻪ Many hash functions such as MD5 and SHA-1, are designed based on MD4. ﻪ Cryptanalysis of MD4 is important. 2

  3. Collision Attack is Important !! ﻪ Collision attack means finding (M, M ’ ) such that Hash(M)=Hash(M ’ ), M ≠ M ’ . ﻪ Collision can threaten some applications. forging certificate, forging signature, key recovery on NMAC/HMAC password recovery on APOP, and so on. 3

  4. Message Difference for Various Improved Collision Attack ﻪ In 2005, Wang et al. proposed efficient collision attack. (less than 2 8 MD4) ﻪ Naito et al. improved the complexity. (less than 3 MD4) ﻪ Shulaffer and Oswald proposed automated sufficient condition search algorithm. Common Fact All previous known attacks use the same message difference as Wang et al. ’ s. 4

  5. Our Result ﻪ We propose new message difference and new local collision that are the best for collision attack on MD4. ﻪ Our attack generates a collision with less than 2 MD4 computations. Generating collision is faster Generating collision is faster than checking collision!! than checking collision!! 5

  6. Procedure of Collision Attack 6

  7. Differential Attack ⊿ M ≠ 0 M ’ M 1 st Round 1 st Round 1 st Round 2 nd Round 2 nd Round 2 nd Round ー = 3 rd Round 3 rd Round 3 rd Round ⊿ H(M)=0 H(M) H(M ’ ) 7

  8. 1. Local Collision in 3 rd round. Attack Procedure Insert some difference in 3 rd round ⊿ M = -2 31 + 2 21 and cancel it in few steps. 2. ⊿ M Core Technique 1R 2 31 -2 24 2 12 2 8 Insert message difference to 2 30 2 21 2 10 2 3 realize local collision. b 2,12 =0 3. Differential Path 2R -2 31 2 27 -2 13 2 7 Analyze how ⊿ M propagates. 4. Chaining Variable Condition 0 0 0 0 Make Conditions of chaining 3R 0 0 0 0 variables to hold differential path. LC 5. Collision Search 0 0 0 0 By using message modification, search a message satisfying all ⊿ H= 0 conditions. 8

  9. Constructing the Best Local Collision 1. Study of Wang et al. ’ s local collision 2. Analyze why it is not the best 3. Construct the best local collision 9

  10. Structure of MD4 Structure of MD4 Structure of MD4 i step a i-1 b i-1 c i-1 d i-1 MD4 has 48 steps. f <<< s i : Left Rotation Const m i-1 f: Boolean Function <<<s 1 (XOR is considered for Local Collision) a i b i c i d i 10

  11. Wang et al ’ s Local Collision 1/6 i step 1. Make diff with 2 j-s1 of m i-1 . a i-1 b i-1 c i-1 d i-1 2 j-s1 f Const m i-1 2 j-s1 <<<s 1 <<<s 1 2 j a i b i c i d i 2 j 11

  12. Wang et al ’ s Local Collision 2/6 i+1 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 Make diff with 2 j-s2 of m i . f f 2 j 2 j 2 j Const m i 2 j-s2 2 j-s2 <<<s 1 <<<s 2 2 j a i b i c i d i 2 j 2 j 12

  13. Wang et al ’ s Local Collision 3/6 i+2 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 Make diff with 2 j-s2 of m i . f f 3. No difference 0 Const m i+1 <<<s 3 a i b i c i d i 2 j 2 j 13

  14. Wang et al ’ s Local Collision 4/6 i+3 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 Make diff with 2 j-s2 of m i . f f 3. No difference 0 Const 4. No difference m i+2 <<<s 4 a i b i c i d i 2 j 2 j 14

  15. Wang et al ’ s Local Collision 5/6 i+4 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 Make diff with 2 j-s2 of m i . 2 j 2 j f f 3. No difference 2 j Const 4. No difference m i+3 5. No difference <<<s 5 a i b i c i d i 2 j 15

  16. Wang et al ’ s Local Collision 6/6 i+5 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 Make diff with 2 j-s2 of m i . f 3. No difference 2 j 2 j Const 4. No difference m i+4 5. No difference <<<s 6 6. Cancel diff with 2 j of m i+4 . All differences are cancelled !! a i b i c i d i 16

  17. Summary of Wang et al. ’ s LC If j = MSB, cancellation 1. Make diff with 2 j-s1 of m i-1 . succeeds with probability 1. 2. Cancel diff with 2 j of m i . Make diff with 2 j-s2 of m i . When we make diff at 3. No difference MSB, we will fail with 1/2. 4. No difference 5. No difference Proof: next page 6. Cancel diff with 2 j of m i+4 . Therefore, total success probability is 1/4. 17

  18. Proof: Difference in MSB bit position (31-s1) a i-1 b i-1 c i-1 d i-1 v: 000000001000000 ⊿ v ⊿ v: 000000001000000 f v ’ : 000000010000000 Const m i-1 2 31-s1 After rotation by s1 bits. <<<s 1 u: 100000000000000 2 31 ⊿ u u ’ : 000000000000001 ⊿ u ≠ 2 31 , not desired difference . a i b i c i d i Prob of avoiding carry is 1/2 . 18

  19. The Best Local Collision • Wang et al. ’ s LC makes two differences in MSB. Success prob of LC : 1/4 • At least 1 difference is necessary. • If LC that consists of 1 difference in MSB exists, such LC is the best. Success prob is 1/2 19

  20. New Local Collision 1/5 i step 1. Make diff with 2 j-s1 of m i-1 . a i-1 b i-1 c i-1 d i-1 2 j-s1 f Const m i-1 2 j-s1 <<<s 1 <<<s 1 2 j a i b i c i d i 2 j 20

  21. New Local Collision 2/5 i+1 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 f f 2 j 2 j 2 j Const m i <<<s 2 a i b i c i d i 2 j 21

  22. New Local Collision 3/5 i+2 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 3. Cancel diff with 2 j of m i+1 . 2 j f f 2 j 2 j Const m i+1 <<<s 3 a i b i c i d i 2 j 22

  23. New Local Collision 4/5 i+3 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 3. Cancel diff with 2 j of m i+1 . 2 j f f 2 j 4. Cancel diff with 2 j of m i+2 . 2 j Const m i+2 <<<s 4 a i b i c i d i 2 j 23

  24. New Local Collision 5/5 i+4 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 3. Cancel diff with 2 j of m i+1 . f 4. Cancel diff with 2 j of m i+2 . 2 j 2 j Const 5. Cancel diff with 2 j of m i+3 . m i+3 <<<s 5 All differences are cancelled !! a i b i c i d i 24

  25. Comparison of Both Local Collisions Wang et al. ’ s Ours (1/4) (1/2) a b c d a b c d m m m m m m m m m m 5 msgs m Msg expansion should be evaluated. 3 msgs are involved 25

  26. Analysis of Message Expansion 26

  27. Which step we Index of apply LC ? step message 33 0 34 8 35 4 New local collision 36 12 1. Make diff with 2 j-s1 of m i-1 . 37 2 38 10 2. Cancel diff with 2 j of m i . 39 6 40 14 3. Cancel diff with 2 j of m i+1 . 41 1 42 9 4. Cancel diff with 2 j of m i+2 . 43 5 5. Cancel diff with 2 j of m i+3 . 44 13 45 3 46 11 47 7 48 15 There are 12 patterns. 27

  28. Criteria for Good Msg Expansion 3R 2R step message step message 17 0 33 0 18 4 34 8 Criteria 19 8 35 4 Some 20 12 36 12 diff 21 1 37 2 Last difference 22 5 38 10 23 9 39 6 in 2R round 24 13 40 14 should be as 25 2 41 1 early as possible. 26 6 42 9 27 43 10 5 28 14 44 13 In this example: No 29 3 45 3 25 30 7 46 11 diff 31 11 47 7 32 15 48 15 28

  29. Msg Expansion: New LC Last step of diff in 2R 3R 2R step message step message Case 1 25 17 0 33 0 Case 2 18 4 34 8 Case 3 19 8 35 4 20 12 36 12 Case 4 21 1 37 2 Case 5 22 5 38 10 23 9 39 6 Case 6 24 13 40 14 Case 7 25 2 41 1 26 6 42 9 Case 8 27 43 10 5 Case 9 28 14 44 13 29 3 45 3 Case 10 30 7 46 11 Case 11 31 11 47 7 Case 12 32 15 48 15 29

  30. Msg Expansion: New LC Last step of diff in 2R 3R 2R step message step message Case 1 25 17 0 33 0 Case 2 27 18 4 34 8 Case 3 19 8 35 4 20 12 36 12 Case 4 21 1 37 2 Case 5 22 5 38 10 23 9 39 6 Case 6 24 13 40 14 Case 7 25 2 41 1 26 6 42 9 Case 8 27 43 10 5 Case 9 28 14 44 13 29 3 45 3 Case 10 30 7 46 11 Case 11 31 11 47 7 Case 12 32 15 48 15 30

  31. Msg Expansion: New LC Last step of diff in 2R 3R 2R step message step message Case 1 25 17 0 33 0 Case 2 27 18 4 34 8 Case 3 27 19 8 35 4 20 12 36 12 Case 4 21 1 37 2 Case 5 22 5 38 10 23 9 39 6 Case 6 24 13 40 14 Case 7 25 2 41 1 26 6 42 9 Case 8 27 43 10 5 Case 9 28 14 44 13 29 3 45 3 Case 10 30 7 46 11 Case 11 31 11 47 7 Case 12 32 15 48 15 31

  32. Result: Good msg Difference of our LC Case 1 25 As a result, Case 1 is the best. 27 Case 2 m 0 : 2 28 m 12 : 2 31 27 Case 3 ⊿ M= m 2 : 2 31 m 8 : 2 31 Case 4 28 m 4 : 2 31 Case 5 28 Case 6 28 We also evaluated Wang et al. ’ s LC by Case 7 28 using the same criteria. Then, the best Case 8 28 value was the same. 29 Case 9 31 Case 10 Confirmed that the best LC is really 31 Case 11 the best. 32 Case 12 32

Recommend

Causal inference Part II: Difference In Difference and Instrumental Variables Difference in

Causal inference Part II: Difference In Difference and Instrumental Variables Difference in

Causal inference Part II: Difference In Difference and Instrumental Variables Difference in difference Card &amp; Krueger (1995,AER) Rise in minimum wage from 4,2$ to 5,05$ in April 1992 in the State of New Jersey. Research question:

405 views • 28 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY &amp; NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
Lecture Notes: Message Management 1 Slide 1: Message Management Message Management A critical

Lecture Notes: Message Management 1 Slide 1: Message Management Message Management A critical

Lecture Notes: Message Management 1 Slide 1: Message Management Message Management A critical aspect of successful advocacy is the ability to create and deliver a message. While your passion matters greatly, your coalitions make the work

487 views • 15 slides
Topic 11: A message What Is a Message in Communication? In rhetorical and communication studies,

Topic 11: A message What Is a Message in Communication? In rhetorical and communication studies,

Topic 11: A message What Is a Message in Communication? In rhetorical and communication studies, a message is defined as information conveyed by words (in speech or writing), and/or other signs and symbols. A message (verbal or nonverbal, or

485 views • 17 slides
GSM Short Message Service GSM Short Message Service GSM Short Message Service GSM Short Message

GSM Short Message Service GSM Short Message Service GSM Short Message Service GSM Short Message

National Taiwan University Department of Computer Science and Information Engineering GSM Short Message Service GSM Short Message Service GSM Short Message Service GSM Short Message Service Phone Lin Phone Lin Ph.D. Ph.D. Email:

360 views • 13 slides
ping Program ICMP Message Format Available at /usr/sbin/ping Test whether another host is

ping Program ICMP Message Format Available at /usr/sbin/ping Test whether another host is

ICMP Internet Control Message Protocol ICMP is a protocol used for exchanging control messages. CSCE 515: Two main categories Query message Computer Network Error message Programming Usage of an ICMP message is determined by

474 views • 10 slides
Message integrity Message Auth. Codes Dan Boneh Message

Message integrity Message Auth. Codes Dan Boneh Message

Online Cryptography Course

556 views • 52 slides
Web Engineering HTTP-message = Request | Response generic-message = start-line *message-header

Web Engineering HTTP-message = Request | Response generic-message = start-line *message-header

Structure of HTTP Messages Web Engineering HTTP-message = Request | Response generic-message = start-line *message-header Prof. Dr. Dr. h.c. mult. Gerhard Krger, Albrecht Schmidt CRLF [ message-body ] Universitt Karlsruhe start-line =

289 views • 12 slides
MPI - Message Passing Interface MPI is the mostly used message passing-standard By

MPI - Message Passing Interface MPI is the mostly used message passing-standard By

MPI - Message Passing Interface MPI is the mostly used message passing-standard By using MPI you obtain portable programs MPI is based on earlier message passing libraries Lecture 7: NX, MPL, PVM, P4, TCGMSH, PARMACS, ...

360 views • 9 slides
Message Passing Concepts Message Passing Model The message passing model is based on the

Message Passing Concepts Message Passing Model The message passing model is based on the

Message Passing Concepts Message Passing Model The message passing model is based on the notion of processes can think of a process as an instance of a running program, together with the programs data In the message passing model,

601 views • 16 slides
GIVING A PRESENTATION The Core structure Introduction Message 1 Message 2 Message 3

GIVING A PRESENTATION The Core structure Introduction Message 1 Message 2 Message 3

GIVING A PRESENTATION The Core structure Introduction Message 1 Message 2 Message 3 Conclusion INTRODUCTION Introduce yourself Summary of the messages USEFUL PHRASES: USEFUL PHRASES: Good morning/afternoon everyone. Im

772 views • 8 slides
What was your message? what were you trying to achieve, your goal? what was your core message?

What was your message? what were you trying to achieve, your goal? what was your core message?

PRESENTATION TO CHILDREN YOUTH AND FAMILIES FORUM FOR YR IN MAY 2011 AT THEIR ADVOCACY PLANNING DAY I PRESENTED OUR AAA PROJECT AT THAT TIME. What was your message? what were you trying to achieve, your goal? what was your core message?

193 views • 5 slides
IP Datagram ICMP Message Format 1 byte 1 byte 1 byte 1 byte VERS HL Service Total Length

IP Datagram ICMP Message Format 1 byte 1 byte 1 byte 1 byte VERS HL Service Total Length

ICMP Internet Control Message Protocol ICMP is a protocol used for exchanging control messages. CSCE 515: Two main categories Query message Computer Network Error message Programming Usage of an ICMP message is determined by

261 views • 12 slides
Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI?

Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI?

Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI? Message Passing Programming with MPI 2 MPI Forum First message-passing interface standard. Sixty people from forty different organisations.

1.61k views • 113 slides
Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will

Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will

Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will cover message passing model SPMD communication modes collective communications Programming Models Message-Passing Serial Programming

406 views • 28 slides
ROI HSP Design Clarification Recipient ID in Message must match the physical Message recipient

ROI HSP Design Clarification Recipient ID in Message must match the physical Message recipient

ROI HSP Design Clarification Recipient ID in Message must match the physical Message recipient IGG 04-04-2012 Recipient ID in Message must match the physical Message recipient Background Message routing in the new Tibco-based environment will

79 views • 3 slides
Singer difference sets and difference system of sets Akihiro Munemasa Graduate School of

Singer difference sets and difference system of sets Akihiro Munemasa Graduate School of

Singer difference sets and difference system of sets Akihiro Munemasa Graduate School of Information Sciences Tohoku University (joint work with Vladimir D. Tonchev) November 18, 2004 Singer difference sets and difference system of sets

598 views • 55 slides
Difference-in-Difference estimator Presented at Summer School 2015 by Ziyodullo Parpiev, PhD

Difference-in-Difference estimator Presented at Summer School 2015 by Ziyodullo Parpiev, PhD

Difference-in-Difference estimator Presented at Summer School 2015 by Ziyodullo Parpiev, PhD June 9, 2015 Tashkent Todays Class Non-experimental Methods: Difference-in-differences Understanding how it works How to test the

772 views • 52 slides
Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that

Message Authentication MAC and Hash SMU CSE 5349/49 Message Authentication Verify that messages come from the alleged source, unaltered SMU CSE 5349/7349 Authentication Functions Message encryption Ciphertext itself serves as

1.16k views • 69 slides
A Nonparametric Finite Mixture Approach to Difference-in-Difference Estimation, with an

A Nonparametric Finite Mixture Approach to Difference-in-Difference Estimation, with an

A Nonparametric Finite Mixture Approach to Difference-in-Difference Estimation, with an Application to Professional Training and Wages Oliver Cassagneau-Francis 1 Robert Gary-Bobo 2 Julie Pernaudet 3 Jean-Marc Robin 4 1 Sciences Po, 2 CREST,

832 views • 50 slides
Message Passing Programming with MPI What is MPI? Message Passing Programming with MPI 1

Message Passing Programming with MPI What is MPI? Message Passing Programming with MPI 1

Message Passing Programming with MPI What is MPI? Message Passing Programming with MPI 1 Message Passing Programming with MPI 2 MPI Forum Goals and Scope of MPI First message-passing interface standard. MPIs prime goals are:

511 views • 29 slides
COMP31212: Concurrency Topics 4.3: Message Passing Topic 4.3: Message Passing Outline Topic

COMP31212: Concurrency Topics 4.3: Message Passing Topic 4.3: Message Passing Outline Topic

Topic 4.3: Message Passing COMP31212: Concurrency Topics 4.3: Message Passing Topic 4.3: Message Passing Outline Topic 4.3: Message Passing Background Synchronous Message Passing Asynchronous Message Passing Channel Selection Topic 4.3:

382 views • 36 slides
and injury leave: results from a difference in difference approach Mohamed Ben Halima (CEE et

and injury leave: results from a difference in difference approach Mohamed Ben Halima (CEE et

Summer School A European Social Sciences Research Infrastructure Project Company organisational changes and long term sickness absence and injury leave: results from a difference in difference approach Mohamed Ben Halima (CEE et TEPP),

511 views • 33 slides
MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb

MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb

MESSAGE HANDLING MESSAGE HANDLING ICS- -213 213 ICS Presented by Chuck Sprick KE5RAD Feb 17, 2008 1 Message Forms Various forms were used by different agencies &amp; operators Incident Command System requires us to use ICS-213

535 views • 11 slides

More recommend