T-79.514 Special Course on Cryptology, September 30, 2004
Recent Cryptanalytic Results on Dedicated Hash Functions
Markku-Juhani O. Saarinen, Helsinki University of Technology, mjos@tcs.hut.fi
T.79-514 Markku-Juhani O. Saarinen 1
Terminology
A vulnerability to attack n implies a vulnerability to attacks n+1, n+2, ...: each attack in the list below yields the next one (a preimage finder gives second preimages, a second-preimage finder gives collisions, and a collision of the full hash contains a collision of the compression function under some chaining value).
1. Preimage attack: given a value Y, find a message M with H(M) = Y.
2. 2nd preimage attack: given a message M1, find a message M2 ≠ M1 with H(M1) = H(M2).
3. Collision attack: find two messages M1 ≠ M2 with H(M1) = H(M2).
4. Pseudo-collision attack: find two inputs M1 ≠ M2 and a chaining variable X so that F(M1, X) = F(M2, X), where F is the compression function; the attacker chooses X freely instead of using the fixed IV.
Iterated hash functions (1)
Merkle-Damgård idea (Crypto 1989): cut the (padded) message into equal-length message blocks M1, M2, ..., Mn and maintain a chaining state Hi. Starting from a fixed initialization vector H0 and using a compression function F, compute
Hi = F(Mi, Hi−1), i = 1, ..., n.
The final Hn is the hash. The padding of the last block encodes the message length ("MD strengthening"); with it, a collision-resistant F gives a collision-resistant H.
Iterated hash functions (2)
• Davies-Meyer construction (originally for block ciphers) uses a block cipher as the compression function: Hi = E(Mi, Hi−1) + Hi−1, where E(key, input) is a block cipher. The message block is the key, the previous chaining value is the plaintext, and the plaintext is fed forward into the result.
• Speed is proportional to key size: each block cipher invocation absorbs one key's worth of message, so the number of invocations per message is inversely proportional to the key length. Idea: why not design dedicated hash functions which have a really long "key"? Ron Rivest designed MD4 in 1990.
• All SHA and MD4/MD5 family hashes follow the Davies-Meyer construction. The "key" (i.e. the message block) is 512 bits (1024 bits for SHA-512), and the state is 128 (MD5), 160 (SHA-1), 256 (SHA-256) or 512 (SHA-512) bits. The feed-forward "+" is word-wise addition mod 2^32 (mod 2^64 for SHA-512).
From FIPS 180-2 "Secure Hash Standard" (August 2002), page 7: [figure from the standard]
Multicollisions (Antoine Joux, CRYPTO 2004)
• To find a k-collision (i.e. k distinct messages with H(M1) = H(M2) = ··· = H(Mk)) on an ideal n-bit hash function requires O(2^((k−1)n/k)) effort.
• This is not the case for iterated hash functions. Suppose that finding a collision for a single message block (two blocks M ≠ M' with F(M, H) = F(M', H) for the current chaining value H) costs x = O(2^(n/2)). Find such a collision at block position 1, then, starting from the common output, at position 2, and then at position 3. This costs 3x. But choosing one block from each pair gives 2^3 = 8 three-block messages that all have the same hash, i.e. an 8-collision.
• Hence a k-collision costs only O(log2(k) · 2^(n/2)): ⌈log2 k⌉ single-block collision searches instead of one search of cost 2^((k−1)n/k).
• Stefan Lucks has proposed making the internal state of the hash function larger than the hash result (IACR e-Print 2004/253, Sept 29, 2004), so that internal collisions cost more than 2^(n/2) and the attack no longer applies.
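Worked example (added here; not part of the slides or of Joux's paper): a toy 24-bit Merkle-Damgård hash built Davies-Meyer style from a small 4-round Feistel cipher whose 64-bit key is the message block, and Joux's chaining of three single-block birthday collisions into an 8-collision. The cipher, the IV, the state size and all names below are constructed for this example. With n = 24 a single-block collision costs about 2^12 compression calls, so the 8-collision costs roughly 3·2^12, versus the 2^((8−1)·24/8) = 2^21 an ideal 24-bit hash would require.

```python
import random
from itertools import product

# Toy parameters (constructed for this example; real MD5 has a 128-bit
# state and 512-bit blocks, which makes the birthday search below
# infeasible). n = STATE_BITS is the hash length.
STATE_BITS = 24
HALF = STATE_BITS // 2
HALF_MASK = (1 << HALF) - 1
STATE_MASK = (1 << STATE_BITS) - 1
KEY_BITS = 64                      # the "long key" = one message block
IV = 0x123456                      # fixed initialization vector H0


def _round_fn(x: int, k: int) -> int:
    """Toy nonlinear HALF-bit Feistel round function, keyed by k."""
    t = (x + k) & HALF_MASK
    t = (t * 0x6D1 + 0x2F) & HALF_MASK
    return t ^ (t >> 4)


def toy_block_cipher(key: int, block: int) -> int:
    """E(key, input): a 4-round Feistel network on a STATE_BITS-bit block
    under a KEY_BITS-bit key. A Feistel network is a permutation of the
    block for every fixed key, which is what Davies-Meyer requires."""
    left, right = block >> HALF, block & HALF_MASK
    for r in range(4):
        k16 = (key >> (16 * r)) & 0xFFFF
        subkey = (k16 ^ (k16 >> HALF)) & HALF_MASK
        left, right = right, left ^ _round_fn(right, subkey)
    return (left << HALF) | right


def compress(m: int, h: int) -> int:
    """Davies-Meyer: F(M_i, H_{i-1}) = E(M_i, H_{i-1}) + H_{i-1} mod 2^n."""
    return (toy_block_cipher(m, h) + h) & STATE_MASK


def md_hash(blocks) -> int:
    """Merkle-Damgård iteration H_i = F(M_i, H_{i-1}) over whole message
    blocks, then one block holding the message length in bits
    (MD strengthening), as the MD4 family does."""
    h = IV
    for m in blocks:
        h = compress(m, h)
    return compress(len(blocks) * KEY_BITS, h)


def find_block_collision(h: int, rng: random.Random):
    """Birthday search: draw random blocks m until two distinct ones give
    F(m, h) = F(m', h). Returns (m, m', common output, evaluations)."""
    seen = {}
    evals = 0
    while True:
        m = rng.getrandbits(KEY_BITS)
        out = compress(m, h)
        evals += 1
        if out in seen and seen[out] != m:
            return seen[out], m, out, evals
        seen[out] = m


def joux_multicollision(k: int, seed: int = 1):
    """Joux: k chained single-block collisions, each starting from the
    common chaining value produced by the previous one. Returns the k
    block pairs and the total number of compression-function calls."""
    rng = random.Random(seed)
    pairs, total, h = [], 0, IV
    for _ in range(k):
        m1, m2, h, evals = find_block_collision(h, rng)
        pairs.append((m1, m2))
        total += evals
    return pairs, total


def expand(pairs):
    """All 2^k k-block messages obtained by picking one block per pair."""
    return [list(choice) for choice in product(*pairs)]


def demo(k: int = 3):
    """Build a 2^k-collision and check it. Returns
    (number of messages, number of distinct digests, work in F calls)."""
    pairs, work = joux_multicollision(k)
    messages = expand(pairs)
    digests = {md_hash(m) for m in messages}
    return len(messages), len(digests), work


if __name__ == "__main__":
    n_msgs, n_digests, work = demo(3)
    print(f"{n_msgs} messages, {n_digests} distinct digest(s), {work} "
          f"compression calls (ideal 8-collision: ~2^{7 * STATE_BITS // 8})")
```

All 2^k messages have the same number of blocks, so they share the final length block and the multicollision survives MD strengthening; that is exactly why Lucks' wider internal state, rather than a different padding, is the countermeasure.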
MD5
• Message Digest 5, designed by Ron Rivest (MIT and RSA Labs) as a strengthened successor of MD4; specified in RFC 1321 (April 1992).
• 128-bit (4-word) state and hash result; 512-bit (16-word) message blocks.
• Four "rounds", each consisting of 16 steps. Each step mixes bitwise Boolean functions with addition mod 2^32 and a rotation, so it is very fast in software.
• Widely used in electronic mail, certificates, IPsec, SSL/TLS, and also as a building block for PRNGs.
Structure of MD5
Each of the 64 steps computes a ← b + ((a + f(b, c, d) + M_g + K_i) <<< s) and then rotates the state words, (a, b, c, d) ← (d, a, b, c).
• f(b, c, d): the Boolean function of the round. R1: (b ∧ c) ∨ (¬b ∧ d), R2: (b ∧ d) ∨ (c ∧ ¬d), R3: b ⊕ c ⊕ d, R4: c ⊕ (b ∨ ¬d).
• M_g: one of the 16 message words, taken in a different (permuted) order in each round.
• K_i: one of 64 "random" constants, K_i = ⌊2^32 · |sin(i + 1)|⌋ for i = 0, ..., 63.
• s: a per-step rotation amount (four values per round).
MD5 high-bit characteristic
View the MD5 compression function (without the feed-forward) as a block cipher E(K, P) with key K = message block and plaintext P = chaining value, four 32-bit words written in hex:
P ⊕ P' = 80000000 80000000 80000000 80000000
↓
E(K, P) ⊕ E(K, P') = 80000000 80000000 80000000 80000000
A difference in the top bit of a word is the same as an additive difference of 2^31, and it causes no carry. The difference in a cancels against the difference in f(b, c, d) in the addition before the rotation exactly when the top output bit of f flips too, and then the step leaves the all-top-bits difference intact. This happens per step with probability R1: p = 0.5, R2: p = 0.5, R3: p = 1, R4: p = 0.5, so over 64 steps the characteristic holds with probability 2^−48.
With the Davies-Meyer feed-forward the two differences of 2^31 cancel once more, so E(K, P) + P = E(K, P') + P' whenever the characteristic holds: two chaining values differing in their top bits collide under the compression function (den Boer and Bosselaers, Eurocrypt 1993). Hence the MD5 compression function would be a very bad block cipher, and constructions like MDC-MD5 are broken.
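The following is an added example, not code from the slides: it implements MD5 from RFC 1321 with the round functions, message-word schedule and sine constants listed on slide 9, checks it against the RFC's own test vectors, and then measures the per-round single-step survival probability of the high-bit characteristic from slide 10 over random states and message words. The round-3-only "reduced" compression function at the end is a construction of this example, not a real hash; it shows the feed-forward cancellation where the characteristic holds with probability 1. Function names and the sampling seeds are assumptions of the example.

```python
import math
import random
import struct

MASK32 = 0xFFFFFFFF
MSB = 0x80000000


def rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK32


# Round Boolean functions F, G, H, I (RFC 1321, section 3.4).
def F(b, c, d): return ((b & c) | (~b & d)) & MASK32
def G(b, c, d): return ((b & d) | (c & ~d)) & MASK32
def H(b, c, d): return (b ^ c ^ d) & MASK32
def I(b, c, d): return (c ^ (b | ~d)) & MASK32


ROUND_FN = (F, G, H, I)
# Message word index g used by step i in each round.
MSG_INDEX = (lambda i: i, lambda i: (5 * i + 1) % 16,
             lambda i: (3 * i + 5) % 16, lambda i: (7 * i) % 16)
# Per-step rotation amounts and the 64 constants K_i = floor(2^32 |sin(i+1)|).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def step(i, a, b, c, d, M):
    """One MD5 step: a' = b + ((a + f(b,c,d) + M[g] + K[i]) <<< s), then the
    state words rotate, (a, b, c, d) <- (d, a', b, c)."""
    r = i // 16
    t = (a + ROUND_FN[r](b, c, d) + M[MSG_INDEX[r](i)] + K[i]) & MASK32
    return d, (b + rotl(t, S[i])) & MASK32, b, c


def md5_compress(state, block: bytes):
    """E(K, P) over 64 steps, then the Davies-Meyer feed-forward P + E(K, P)."""
    M = list(struct.unpack("<16I", block))
    s = state
    for i in range(64):
        s = step(i, *s, M)
    return tuple((x + y) & MASK32 for x, y in zip(state, s))


def md5(msg: bytes) -> str:
    """Full MD5: pad with 0x80, zeros to 56 mod 64, the 64-bit little-endian
    bit length, then iterate the compression function from the fixed IV."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    state = IV
    for off in range(0, len(padded), 64):
        state = md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state).hex()


# --- the high-bit characteristic: top bit of every state word flipped --------
DELTA = (MSB,) * 4


def flip_msb(state):
    return tuple(x ^ MSB for x in state)


def characteristic_holds(state, M, first, last) -> bool:
    """Run steps first..last (inclusive) on state and on state ^ DELTA and
    report whether the output difference is again DELTA."""
    s1, s2 = state, flip_msb(state)
    for i in range(first, last + 1):
        s1, s2 = step(i, *s1, M), step(i, *s2, M)
    return tuple(x ^ y for x, y in zip(s1, s2)) == DELTA


def _random_inputs(rng):
    return (tuple(rng.getrandbits(32) for _ in range(4)),
            [rng.getrandbits(32) for _ in range(16)])


def step_probability(round_no: int, trials: int = 2000, seed: int = 0) -> float:
    """Empirical probability that DELTA survives one step of round 1..4 for
    random state and message words; the slide predicts 1/2, 1/2, 1, 1/2."""
    rng = random.Random(seed)
    i = 16 * (round_no - 1)
    hits = sum(characteristic_holds(*_random_inputs(rng), i, i) for _ in range(trials))
    return hits / trials


def round3_pseudo_collisions(trials: int = 50, seed: int = 1) -> int:
    """Toy reduced compression function (round 3 only, with feed-forward): the
    characteristic holds with probability 1 there and the feed-forward cancels
    DELTA, so state and state ^ DELTA collide every time."""
    rng = random.Random(seed)

    def reduced(state, M):
        s = state
        for i in range(32, 48):
            s = step(i, *s, M)
        return tuple((x + y) & MASK32 for x, y in zip(state, s))

    hits = 0
    for _ in range(trials):
        state, M = _random_inputs(rng)
        hits += reduced(state, M) == reduced(flip_msb(state), M)
    return hits


if __name__ == "__main__":
    print(md5(b"abc"))                                   # 900150983cd24fb0d6963f7d28e17f72
    print([step_probability(r) for r in (1, 2, 3, 4)])   # about [0.5, 0.5, 1.0, 0.5]
    print(round3_pseudo_collisions(), "of 50 reduced-round pseudo-collisions")
```

The 2^−48 figure is the product of the per-step probabilities over the 48 steps outside round 3; it is far too small to reproduce by sampling here, which is why the example only confirms the per-step values and the round-3 segment where the characteristic is deterministic.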