practical near collisions on the compression function of
play

Practical Near-Collisions on the Compression Function of BMW Gatan - PowerPoint PPT Presentation

Apr 08, 2024 •337 likes •840 views

Introduction Solving AX systems BMW analysis Conclusion Practical Near-Collisions on the Compression Function of BMW Gatan Leurent and Sren S. Thomsen University of Luxembourg Technical University of Denmark FSE 2011 G. Leurent, S.

  1. Introduction Solving AX systems BMW analysis Conclusion Practical Near-Collisions on the Compression Function of BMW Gaëtan Leurent and Søren S. Thomsen University of Luxembourg Technical University of Denmark FSE 2011 G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 1 / 24

  2. Introduction Solving AX systems BMW analysis Conclusion The SHA-3 competition The SHA-3 competition ◮ 51 valid submissions ◮ 14 in the second round (July 2009) ◮ 5 finalists in December 2010 ◮ Winner in 2012? ◮ BMW was the fastest second-round candidate in software ◮ Not selected for the third round G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 2 / 24

  3. Introduction Solving AX systems BMW analysis Conclusion Hash Function Design ◮ Build a small compression function, and iterate. ◮ Cut the message in chunks M 0 , ... M k ◮ H i = f ( M i , H i − 1 ) ◮ F ( M ) = Ω ( H k ) M 0 M 1 M 2 M 3 f f f f IV H 0 H 1 H 2 H 3 G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 3 / 24

  4. Introduction Solving AX systems BMW analysis Conclusion Compression Function Attacks Fist results usually target the compression function ◮ Because it’s easier: more degrees of freedom ◮ Because good compression imply good hash function MD5 cryptanalysis ◮ 1993: Free-start collisions [den Boer and Bosselaers] ◮ 1996: Semi-free-start collisions [Dobbertin] ◮ 2005: Collisions [Wang et. al ] ◮ 2009: Rogue certificate [Stevens et. al ] Wang’s and Stevens’s attacks are based on the dBB path G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 4 / 24

  5. Introduction Solving AX systems BMW analysis Conclusion Compression Function Attacks Fist results usually target the compression function ◮ Because it’s easier: more degrees of freedom ◮ Because good compression imply good hash function MD5 cryptanalysis ◮ 1993: Free-start collisions [den Boer and Bosselaers] ◮ 1996: Semi-free-start collisions [Dobbertin] ◮ 2005: Collisions [Wang et. al ] ◮ 2009: Rogue certificate [Stevens et. al ] Wang’s and Stevens’s attacks are based on the dBB path G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 4 / 24

  6. Introduction Solving AX systems BMW analysis Conclusion Blue Midnight Wish f 0 x y Q a M P H f 2 H f 1 AddElement Q b ◮ Wide pipe: each line is 16 words (32 or 64 bits) ◮ Most of the diffusion happens in f 1 ◮ ARX: Addition, Rotations, Xors see details G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 5 / 24

  7. Introduction Solving AX systems BMW analysis Conclusion Solving AX Systems Important Example x ⊕ ∆ = x ⊞ δ ◮ On average one solution ◮ Easy to solve because it’s a T-function. ◮ Guess LSB, check, and move to next bit ◮ How easy exactly? ◮ Backtracking is exponential in the worst case: x ⊕ ✵①✽✵✵✵✵✵✵✵ = x ◮ For random δ , ∆ , most of the time the system is inconsistent G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 6 / 24

  8. Introduction Solving AX systems BMW analysis Conclusion Solving AX Systems Important Example x ⊕ ∆ = x ⊞ δ ◮ On average one solution ◮ Easy to solve because it’s a T-function. ◮ Guess LSB, check, and move to next bit ◮ How easy exactly? ◮ Backtracking is exponential in the worst case: x ⊕ ✵①✽✵✵✵✵✵✵✵ = x ◮ For random δ , ∆ , most of the time the system is inconsistent G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 6 / 24

  9. Introduction Solving AX systems BMW analysis Conclusion Solving AX Systems Important Example x ⊕ ∆ = x ⊞ δ ◮ On average one solution ◮ Easy to solve because it’s a T-function. ◮ Guess LSB, check, and move to next bit ◮ How easy exactly? ◮ Backtracking is exponential in the worst case: x ⊕ ✵①✽✵✵✵✵✵✵✵ = x ◮ For random δ , ∆ , most of the time the system is inconsistent G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 6 / 24

  10. Introduction Solving AX systems BMW analysis Conclusion Solving AX Systems Important Example x ⊕ ∆ = x ⊞ δ ◮ On average one solution ◮ Easy to solve because it’s a T-function. ◮ Guess LSB, check, and move to next bit ◮ How easy exactly? ◮ Backtracking is exponential in the worst case: x ⊕ ✵①✽✵✵✵✵✵✵✵ = x ◮ For random δ , ∆ , most of the time the system is inconsistent G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 6 / 24

  11. Introduction Solving AX systems BMW analysis Conclusion Transition Automata We use automata to study AX systems: [Mouha et. al ] ◮ States represent the carries ◮ Transitions are labeled with the variables Carry transitions for x ⊕ ∆ = x ⊞ δ . c x c’ c x c’ ∆ δ ∆ δ 0 0 0 0 0 1 0 0 0 - 0 0 0 1 0 1 0 0 1 - 0 0 1 0 - 1 0 1 0 1 0 0 1 1 - 1 0 1 1 1 0 1 0 0 - 1 1 0 0 0 0 1 0 1 - 1 1 0 1 1 0 1 1 0 0 1 1 1 0 - 0 1 1 1 1 1 1 1 1 - G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 7 / 24

  12. Introduction Solving AX systems BMW analysis Conclusion Transition Automata We use automata to study AX systems: [Mouha et. al ] ◮ States represent the carries ◮ Transitions are labeled with the variables Carry transitions for x ⊕ ∆ = x ⊞ δ . The edges are indexed by ∆ , δ , x 0,0,0 1,0,1 0,0,1 0,1,0 1,1,0 0,1,1 1,1,1 start 0 1 see example 1,0,0 G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 7 / 24

  13. Introduction Solving AX systems BMW analysis Conclusion Decision Automata ◮ Remove x from the transitions ◮ Convert the non-deterministic automata to deterministic. Carry transitions for x ⊕ ∆ = x ⊞ δ . The edges are indexed by ∆ , δ , x 0,0,0 1,0,1 0,0,1 0,1,0 1,1,0 0,1,1 1,1,1 start 0 1 1,0,0 ◮ Can decide whether a given ∆ , δ is compatible. G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 8 / 24

  14. Introduction Solving AX systems BMW analysis Conclusion Decision Automata ◮ Remove x from the transitions ◮ Convert the non-deterministic automata to deterministic. Decision automaton for x ⊕ ∆ = x ⊞ δ . The edges are indexed by ∆ , δ 0,0 1,0 0,0 0,1 1,1 0,1 1,1 start 0 1 1,0 ◮ Can decide whether a given ∆ , δ is compatible. G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 8 / 24

  15. Introduction Solving AX systems BMW analysis Conclusion Decision Automata ◮ Remove x from the transitions ◮ Convert the non-deterministic automata to deterministic. Decision automaton for x ⊕ ∆ = x ⊞ δ . The edges are indexed by ∆ , δ 1,0 0,0 1,1 0,1 1,1 0,1 { 0 } { 0 , 1 } { 1 } start 0,0 1,0 ◮ Can decide whether a given ∆ , δ is compatible. G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 8 / 24

  16. Introduction Solving AX systems BMW analysis Conclusion Solving AX systems Take an AX system with variables and parameters. e.g. x ⊕ ∆ = x ⊞ δ 1 Compute carry transitions 2 Build transition automaton 3 Remove variables and compute equivalent deterministic automaton ◮ For each values of the parameters: ◮ Test if system is coherent in linear time ◮ Find a solution in linear time Can also study properties of the systems. G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 9 / 24

  17. Introduction Solving AX systems BMW analysis Conclusion Some Properties Important Example x ⊕ ∆ = x ⊞ δ ◮ For this particular system, we can build very efficient test: � ∆ 0 = δ 0 ◮ Consistent iff ∀ i : ∆ i = 1 δ i ⊕ ∆ i + 1 ⊕ δ i + 1 = 0 or ✦✭✭❉❫❞✮✫✶✮ ✫✫ ✦✭✭✭✭✭❉❫❞✮❃❃✶✮❫❞✮ ✫ ✭⑦❉✮✮ ❁❁ ✶✮ ◮ Probability 2 − 13 . 9 for random δ , ∆ ◮ Probability 2 − 1 for random δ and ∆ = − 1 ◮ Solutions: ✭❉❫❞✮❃❃✶ ❫ ✭r✫✭⑦❉⑤✵①✽✵✵✵✵✵✵✮✮ G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 10 / 24

  18. Introduction Solving AX systems BMW analysis Conclusion Application to BMW f 0 x y Q a M P H f 2 H f 1 AddElement Q b ◮ If we have ◮ a (near) collision in Q a ◮ a (near) collision in M ◮ a (near) collision in the the first rounds of f 1 this can be seen in the output: HH 0 = ( XH ≫ 5 ⊕ Q ≫ 5 16 ⊕ M 0 ) ⊞ ( XL ⊕ Q 24 ⊕ Q 0 ) G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 11 / 24

Recommend

Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Outline Attack Conclusion ECHO-256 Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy Jean and Pierre-Alain Fouque Ecole Normale Suprieure FSE2011 February 14, 2011 FSE2011 Jrmy

562 views • 42 slides
Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven,

Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven,

Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven, Belgium Fast Software Encryption 2009 Sebastiaan Indesteege (COSIC) Practical Collisions for EnRUPT 1/27 Outline 1 Introduction 2 Description of

704 views • 69 slides
Angular Correlations as a function of multiplicity in pp and p-Pb collisions in the ATLAS

Angular Correlations as a function of multiplicity in pp and p-Pb collisions in the ATLAS

Angular Correlations as a function of multiplicity in pp and p-Pb collisions in the ATLAS experiment Deepak Kar On behalf of ATLAS collaboration MPI@LHC Workshop, Chiapas, Mexico, November 2016 Collective Behaviour in a small system ~30000

366 views • 20 slides
Production of the D s meson in proton-proton collisions at 13 TeV as a function of multiplicity

Production of the D s meson in proton-proton collisions at 13 TeV as a function of multiplicity

Rencontres QGP France 2019 Production of the D s meson in proton-proton collisions at 13 TeV as a function of multiplicity Arthur Gal University of Strasbourg Institut Pluridisciplinaire Hubert Curien Outline Part I : Physics motivations

343 views • 22 slides
Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen Gauravaram 1 , Ga eten Leurent 2 , Florian Mendel 3 , Mar a Naya-Plasencia 4 , Thomas Peyrin 5 , Christian Rechberger 6 , Martin Schl affer 3 , 1

822 views • 45 slides
collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

Excess of J/ y yield at very low p T in Au+Au collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR Wangmei Zha for the STAR Collaboration University of Science and Technology of China W. Zha etal.,

487 views • 22 slides
first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already in Dec 2010 first collisions with stable beams: 5 publications in PRL and PLB November 8 until Dec 6 Johanna Stachel Heavy ion running at the LHC

615 views • 60 slides
Fast approximately application of Greens function of Hamiltonian using symbol compression Song

Fast approximately application of Greens function of Hamiltonian using symbol compression Song

Fast approximately application of Greens function of Hamiltonian using symbol compression Song Mei ICME, Stanford May 1, 2015 Joint work with Lin Lin and Lexing Ying. . . . . . . . . . . . . . . . . . . . . .. . .. .

563 views • 27 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Compression Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression Recap Bu ff er Management Thread Safety A piece of code is thread-safe if it functions correctly during simultaneous execution

784 views • 52 slides
From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg in browsers gzip, pkzip, compress, zip, ... for files (stacker?) Lossy compression, Lossless compression Huffman coding possible to

275 views • 6 slides
Process dependence of the gluon Sivers function in inclusive pp collisions: theory Cristian Pisano

Process dependence of the gluon Sivers function in inclusive pp collisions: theory Cristian Pisano

Process dependence of the gluon Sivers function in inclusive pp collisions: theory Cristian Pisano In collaboration with: U. DAlesio, C. Flore, F. Murgia, P. Taels TMD factorization and process dependence 2/24 TMD factorization Two scale

283 views • 24 slides
Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression Background Focus on spatial compression Best in class lossy compressor Point wise max error bound: 10 -5 Open questions Random noise

564 views • 19 slides
Development of high rate MWPC and data compression function with FADC (II) Nguyen Minh Truong

Development of high rate MWPC and data compression function with FADC (II) Nguyen Minh Truong

Development of high rate MWPC and data compression function with FADC (II) Nguyen Minh Truong (Osaka U.), Coworker: Masaharu Aoki(Osaka U.), Youichi Igarashi(KEK), Masatoshi Saito(KEK), Hiroaki Natori (KEK), Nguyen Duy Thong (Osaka U.) Open-It,

310 views • 27 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system contains a lossless compression system Lossy compression system Dequantizer Transform Lossless Lossless Inverse Quantizer Encoder Decoder

771 views • 29 slides
Compression Strategies & Alternate Summarization Systems and Applications Ling 573 May 23,

Compression Strategies & Alternate Summarization Systems and Applications Ling 573 May 23,

Compression Strategies & Alternate Summarization Systems and Applications Ling 573 May 23, 3017 Roadmap Content Realization: Compression Deep, Heuristic Approaches Compression Integration Compression Learning

317 views • 31 slides
Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar,

Compression Programs File Compression: Gzip, Bzip Archivers :Arc, Pkzip, Winrar, File Systems: NTFS Analysis of Algorithms Piyush Kumar (Lecture e 5: Compression) on) Welcome to 4531 Source: Guy E. Blelloch, Emad, Tseng

297 views • 12 slides
Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion

Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion

Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion collision? Focus on collective phenomena present in nucleus-nucleus collisions, but absent in pp collisions (condensed matter physics of

879 views • 23 slides
Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo

Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo

On behavior of Professors Ohta and Sakiyama. Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo Sakiyama The University of Electro-Communications, Japan Blake A candidate in second round for

433 views • 11 slides
14.9.2 JPEG2000 compression DCT compression basis for JPEG wavelet compression

14.9.2 JPEG2000 compression DCT compression basis for JPEG wavelet compression

14.9 JPEG and MPEG image compression 31 14.9.2 JPEG2000 compression DCT compression basis for JPEG wavelet compression basis for JPEG2000 JPEG2000 new international standard for still image compression

492 views • 12 slides
MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

12/9/15 MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive How to reduce their cost? q Reserve the wireless channel before transmitting data Send short control packets for

237 views • 7 slides
Tradeoffs in XML Database Compression James Cheney University of Edinburgh Data Compression

Tradeoffs in XML Database Compression James Cheney University of Edinburgh Data Compression

Tradeoffs in XML Database Compression James Cheney University of Edinburgh Data Compression Conference March 30, 2006 Tradeoffs in XML Database Compression p.1/22 XML Compression XML: a format for tree-structured data Increasingly used

382 views • 22 slides
JPEG Compression Ian Snyder December 11, 2009 Ian Snyder JPEG Compression Outline

JPEG Compression Ian Snyder December 11, 2009 Ian Snyder JPEG Compression Outline

Outline Introduction Images and Compression Walkthrough of JPEG Compression Steps Complete Compression Process Results and Conclusion JPEG Compression Ian Snyder December 11, 2009 Ian Snyder JPEG Compression Outline Introduction Images

594 views • 45 slides

More recommend