Preimages for Step-Reduced SHA-2

Jian Guo (1), Krystian Matusiewicz (2)
(1) Nanyang Technological University, Singapore
(2) Technical University of Denmark

NTU, 25 Nov 2009

A merged version with Aoki, Sasaki and Wang will appear in ASIACRYPT 2009.

Table of contents

1. Description of SHA-2: General View, Step Function, Message Expansion
2. Description of Preimage Attack
3. Application to SHA-2: Overview, Message Stealing, Message Compensation, Extended Partial Matching
4. Conclusions

SHA-2 in General

[Figure: the input state IV_n and the input message M_n (through the message expansion algorithm) feed the iteration of the step transformation; a state feed-forward operation gives the output state IV_{n+1}.]

Step Function: update internal chaining
Message Expansion: expand 16 message words to 64/80

SHA-2 Step Function

[Figure: one step maps the state (A_i, ..., H_i) to (A_{i+1}, ..., H_{i+1}) using Σ0, Σ1, MAJ, IF, the constant K_i and the message word W_i.]

$$
\begin{aligned}
\mathrm{MAJ}(A, B, C) &= (A \wedge B) \vee (A \wedge C) \vee (B \wedge C),\\
\mathrm{IF}(E, F, G) &= (E \wedge F) \vee (\neg E \wedge G),\\
\Sigma_0(x) &= (x \gg 2) \oplus (x \gg 13) \oplus (x \gg 22),\\
\Sigma_1(x) &= (x \gg 6) \oplus (x \gg 11) \oplus (x \gg 25).
\end{aligned}
$$

SHA-2 Message Expansion

[Figure: message words M_0, ..., M_15 fill W_0, ..., W_15; σ0 and σ1 are used to produce W_16, ..., W_63.]

$$
W_i =
\begin{cases}
M_i & \text{for } 0 \le i < 16,\\
\sigma_1(W_{i-2}) + W_{i-7} + \sigma_0(W_{i-15}) + W_{i-16} & \text{for } 16 \le i < 64.
\end{cases}
$$

Note: any consecutive 16 determine all message words.

Preimage Attack - in general

[Figure: labels "split", "match" and "Target".]

Find pseudo-preimage in $2^{l}$, then preimage in $2^{\frac{n+l}{2}+1}$

Result on SHA-2

$W_{11}, \ldots, W_{26}$ as a basis to generate all message words.
Neutral words: $W_{16}$ and $W_{19}$

[Figure: step axis for W with marks 0, 1, 16, 19, 34, 41; labels: splitting point and matching point (S_17, S_35), indirect partial matching, first chunk, second chunk.]

Message Stealing

[Figure: four consecutive step functions (Σ0, Σ1, MAJ, IF, constants K_i to K_{i+3}, message words W_i to W_{i+3}) around the splitting point, drawn in two side-by-side versions.]

Message Compensation - First Chunk

$$
\begin{aligned}
W_{10} &= W_{26} - \sigma_1(W_{24}) - W_{19} - \sigma_0(W_{11}),\\
W_{9} &= W_{25} - \sigma_1(W_{23}) - W_{18} - \sigma_0(W_{10}),\\
W_{8} &= W_{24} - \sigma_1(W_{22}) - W_{17} - \sigma_0(W_{9}),\\
W_{7} &= W_{23} - \sigma_1(W_{21}) - W_{16} - \sigma_0(W_{8}),\\
W_{6} &= W_{22} - \sigma_1(W_{20}) - W_{15} - \sigma_0(W_{7}),\\
W_{5} &= W_{21} - \sigma_1(W_{19}) - W_{14} - \sigma_0(W_{6}),\\
W_{4} &= W_{20} - \sigma_1(W_{18}) - W_{13} - \sigma_0(W_{5}),\\
W_{3} &= W_{19} - \sigma_1(W_{17}) - W_{12} - \sigma_0(W_{4}),\\
W_{2} &= W_{18} - \sigma_1(W_{16}) - W_{11} - \sigma_0(W_{3}),\\
W_{1} &= W_{17} - \sigma_1(W_{15}) - W_{10} - \sigma_0(W_{2}),\\
W_{0} &= W_{16} - \sigma_1(W_{14}) - W_{9} - \sigma_0(W_{1}).
\end{aligned}
$$

Message Compensation - Second Chunk

$$
\begin{aligned}
W_{27} &= \sigma_1(W_{25}) + W_{20} + \sigma_0(W_{12}) + W_{11},\\
W_{28} &= \sigma_1(W_{26}) + W_{21} + \sigma_0(W_{13}) + W_{12},\\
W_{29} &= \sigma_1(W_{27}) + W_{22} + \sigma_0(W_{14}) + W_{13},\\
W_{30} &= \sigma_1(W_{28}) + W_{23} + \sigma_0(W_{15}) + W_{14},\\
W_{31} &= \sigma_1(W_{29}) + W_{24} + \sigma_0(W_{16}) + W_{15},\\
W_{32} &= \sigma_1(W_{30}) + W_{25} + \sigma_0(W_{17}) + W_{16},\\
W_{33} &= \sigma_1(W_{31}) + W_{26} + \sigma_0(W_{18}) + W_{17},\\
W_{34} &= \sigma_1(W_{32}) + W_{27} + \sigma_0(W_{19}) + W_{18}.
\end{aligned}
$$

Result on SHA-2

[Figure: step axis for W with marks 0, 1, 16, 19, 34, 41; labels: splitting point and matching point (S_17, S_35), indirect partial matching, first chunk, second chunk.]

$$
\begin{aligned}
W_{0} &= W_{16} - \sigma_1(W_{14}) - W_{9} - \sigma_0(W_{1})\\
W_{34} &= \sigma_1(W_{32}) + W_{27} + \sigma_0(W_{19}) + W_{18}
\end{aligned}
$$

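The note that any 16 consecutive words determine the whole schedule, and the first-chunk and second-chunk equations, as an added Python example that is not part of the slides: it rebuilds W_0..W_63 of SHA-256 from the basis W_11..W_26 and lists which words change when a single basis word is modified with nothing else adjusted. σ0 and σ1 follow FIPS 180-4 for SHA-256; the function names and the sample block are assumptions made for this example.

```python
# Added example (not from the slides): SHA-256 message schedule rebuilt from
# any 16 consecutive words. sigma0/sigma1 are the FIPS 180-4 definitions.
MASK = 0xFFFFFFFF

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sigma0(x):
    return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)

def sigma1(x):
    return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)

def expand(m):
    """Forward expansion: 16 message words M_0..M_15 -> W_0..W_63."""
    w = list(m)
    for i in range(16, 64):
        w.append((sigma1(w[i - 2]) + w[i - 7] + sigma0(w[i - 15]) + w[i - 16]) & MASK)
    return w

def schedule_from_window(start, window, total=64):
    """Rebuild W_0..W_{total-1} from the 16 words W_start..W_{start+15}."""
    if len(window) != 16 or not 0 <= start <= total - 16:
        raise ValueError("need exactly 16 consecutive words inside the schedule")
    w = [0] * total
    w[start:start + 16] = [x & MASK for x in window]
    # Backward (first-chunk form): W_j = W_{j+16} - s1(W_{j+14}) - W_{j+9} - s0(W_{j+1})
    for j in range(start - 1, -1, -1):
        w[j] = (w[j + 16] - sigma1(w[j + 14]) - w[j + 9] - sigma0(w[j + 1])) & MASK
    # Forward (second-chunk form): the ordinary expansion rule
    for i in range(start + 16, total):
        w[i] = (sigma1(w[i - 2]) + w[i - 7] + sigma0(w[i - 15]) + w[i - 16]) & MASK
    return w

def changed_indices(start, window, k, delta=1, total=64):
    """Indices whose value changes when only W_k in the window gets +delta."""
    tweaked = list(window)
    tweaked[k - start] = (tweaked[k - start] + delta) & MASK
    a = schedule_from_window(start, window, total)
    b = schedule_from_window(start, tweaked, total)
    return [i for i in range(total) if a[i] != b[i]]

# Constructed sample message block (arbitrary values, not from the slides).
SAMPLE_M = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]

if __name__ == "__main__":
    full = expand(SAMPLE_M)
    assert schedule_from_window(11, full[11:27]) == full
    print("W16 alone touches:", changed_indices(11, full[11:27], 16))
```

With no other basis word adjusted, a change to W_16 reaches words on both sides of the basis (W_7 going backward, W_32 going forward), while W_8..W_10 and W_27..W_30 stay fixed.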