SAT Based Attacks on SipHash
By Santhosh Kantharaju Siddappa
Supervised by Prof. Alan Kaminsky
Department of Computer Science, Rochester Institute of Technology

Agenda
● SipHash
● Boolean Satisfiability Problem
● SAT Solver
● Attack Design
● Results
● Conclusion
● Questions
SipHash - Motivation
● Hash flooding
● A server processing several requests
● Send several inputs with the same hash
● Worst-case lookup time

Message Authentication Code (MAC)
● Data integrity and authentication
● f(k, m) = t
● Pre-image resistant
● Most MACs are not optimized for short input
● Large overhead

SipHash - Overview
● Uses a 128-bit key
● Produces a 64-bit tag
● SipHash-c,d (c compression rounds, d finalization rounds)
● Simple SipRounds – 4 ADD, 4 XOR and 6 rotate operations
● Internal state stored in 4 64-bit vectors

SipHash - Features
● Highly secure
● High speed
● Autonomy
● Small state
● Minimal overhead
SipHash - Design
(figure: SipHash-2,4 processing a 15-byte message [1])

SipRound
(figure: SipRound [1])
Boolean Satisfiability Problem
● Is there an assignment of values to the variables under which a boolean formula evaluates to true?
● (A ∧ B) ∧ (B ∨ C) – satisfiable: A = T, B = T
● (A ∧ B) ∧ (B ∨ C) ∧ (¬A ∧ C) – unsatisfiable
● NP-complete

Conjunctive Normal Form (CNF)
● (A ∨ B ∨ ¬C) ∧ (A ∨ ¬B) ∧ (¬A ∨ ¬C)
● (A ∨ B)
● A ∧ B
3SAT (every clause has exactly three literals)
● (A ∨ B ∨ ¬C) ∧ (A ∨ ¬B ∨ ¬C) ∧ (¬A ∨ B ∨ ¬C)

SAT Solver - Overview
● Input: boolean formula in CNF
● Output: if satisfiable, a set of value assignments

SAT Solver - Algorithm
(figure: search tree [2])
SAT Solver - Propagation
Formula: (¬A ∨ B ∨ C) ∧ (¬A ∨ ¬B ∨ ¬C) ∧ (¬B ∨ C) ∧ (A ∨ B ∨ C)
● Decide B = T: clauses still open: (¬A ∨ ¬B ∨ ¬C), (¬B ∨ C); the unit clause (¬B ∨ C) forces C = T
● C = T: clause still open: (¬A ∨ ¬B ∨ ¬C); it is now a unit clause and forces A = F
● A = F: every clause satisfied

SAT Solver – Conflict & Learnt Clauses
Formula: (¬A ∨ B ∨ C) ∧ (¬A ∨ ¬B ∨ ¬C) ∧ (¬B ∨ C) ∧ (A ∨ B ∨ C) ∧ (A ∨ ¬C)
● Decide B = F: clauses still open: (¬A ∨ B ∨ C), (A ∨ B ∨ C), (A ∨ ¬C)
● Decide A = F: clauses still open: (A ∨ B ∨ C), (A ∨ ¬C)
● C = ? – (A ∨ B ∨ C) forces C = T while (A ∨ ¬C) forces C = F
● Conflict = (¬A ∧ ¬B)
● Learnt clause = (A ∨ B)

SAT Solver - Backtracking
● Backtrack to A = T: clauses still open: (¬A ∨ B ∨ C), (A ∨ B ∨ C), (A ∨ ¬C)
● Only (¬A ∨ B ∨ C) remains unsatisfied; it forces C = T, and the formula is satisfied with A = T, B = F, C = T
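The propagation, conflict and backtracking steps on the slides above, as an added example in Python (not code from the thesis or from CryptoMiniSAT): a plain DPLL search with unit propagation that records its decisions, propagations and conflicts. It has no clause learning, so the conflict that the slide turns into the learnt clause (A ∨ B) shows up here only as the point where the search backtracks; the literal encoding and the decision order B, A, C are assumptions chosen to match the slides.

```python
# Literal = (variable name, wanted value); clause = tuple of literals; formula = list of clauses.
def unit_propagate(clauses, assign, trace):
    """Assign the lone open literal of any clause whose other literals are all false; None on conflict."""
    assign = dict(assign)
    progress = True
    while progress:
        progress = False
        for clause in clauses:
            if any(assign.get(v) == want for v, want in clause):
                continue                                # clause already satisfied
            open_lits = [(v, want) for v, want in clause if v not in assign]
            if not open_lits:
                trace.append(("conflict", clause))      # every literal false: must backtrack
                return None
            if len(open_lits) == 1:
                v, want = open_lits[0]
                assign[v] = want
                trace.append(("propagate", v, want))
                progress = True
    return assign

def dpll(clauses, order, assign=None, trace=None):
    """Plain DPLL: unit propagation, then decide the next variable in `order`, backtracking on conflict."""
    trace = [] if trace is None else trace
    assign = unit_propagate(clauses, assign or {}, trace)
    if assign is None:
        return None, trace
    free = [v for v in order if v not in assign]
    if not free:
        return assign, trace                            # every variable assigned: model found
    for value in (False, True):                         # the slides try the False branch first
        trace.append(("decide", free[0], value))
        model, _ = dpll(clauses, order, {**assign, free[0]: value}, trace)
        if model is not None:
            return model, trace
    return None, trace

# The formula from the conflict/backtracking slides:
# (¬A ∨ B ∨ C)(¬A ∨ ¬B ∨ ¬C)(¬B ∨ C)(A ∨ B ∨ C)(A ∨ ¬C)
SLIDE_FORMULA = [(("A", False), ("B", True), ("C", True)),
                 (("A", False), ("B", False), ("C", False)),
                 (("B", False), ("C", True)),
                 (("A", True), ("B", True), ("C", True)),
                 (("A", True), ("C", False))]

def solve_slide_formula():
    """Returns (model, trace); the trace reproduces the slides: B=F, A=F, C=T, conflict, A=T, C=T."""
    return dpll(SLIDE_FORMULA, order=("B", "A", "C"))
```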
CryptoMiniSAT
● DPLL-based algorithm
● Winner of the sequential category, SAT Race 2010
● Version 2.9.5 for 32-bit Linux

Attack - Design
● Perform partial key recovery
● Convert the primitive to CNF
● Add known values to the CNF
● Feed the CNF to the SAT solver
● Retrieve the solution if satisfiable
Attack – Building CNF for AND
● (A ∨ B ∨ ¬C) ∧ (A ∨ ¬B ∨ ¬C) ∧ (¬A ∨ B ∨ ¬C) ∧ (¬A ∨ ¬B ∨ C)
(table: truth table for A ∧ B = C; each clause rules out one row in which C differs from A ∧ B)

Attack - CNF for OR and XOR
● OR: (¬A ∨ B ∨ C) ∧ (A ∨ ¬B ∨ C) ∧ (A ∨ B ∨ ¬C) ∧ (¬A ∨ ¬B ∨ C)
● XOR: (¬A ∨ B ∨ C) ∧ (A ∨ ¬B ∨ C) ∧ (A ∨ B ∨ ¬C) ∧ (¬A ∨ ¬B ∨ ¬C)
Attack – CNF for single-bit ADD
Full adder:
● A ⊕ B = S
● A ∧ B = C1
● Ci ⊕ S = Sum
● S ∧ Ci = C2
● C1 ∨ C2 = Carryout

Attack – CNF for 64-bit ADD
(figure: adding 64 bits; the single-bit full adder is repeated for each bit position, with each Carryout feeding the next Ci)
● A ⊕ B = S
● A ∧ B = C1
● Ci ⊕ S = Sum
● S ∧ Ci = C2
● C1 ∨ C2 = Carryout
Attack - Variables
● Numbers represent variables
● Negative numbers represent the negation of a variable
● Keep track of the lowest unused number (577)
(figure: 64-bit XOR with its variable numbering)
A: 256 255 254 253 252 … 196 195 194 193
XOR
B: 128 127 126 125 124 … 69 68 67 66 65
= C: 640 639 638 637 636 … 580 579 578 577

Attack – Reserved Variables
● Key: 1 – 128
● Message: 129 – 192
● Finalization constant: 193 – 256
● Final hash: 257 – 320
● Vectors 0 to 3: 321 – 576
● First unused variable: 577
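The gate encodings and variable numbering from the attack slides above, as an added example in Python (not the thesis's CNF generator): AND, OR and XOR are emitted as the four 3-literal clauses shown, a ripple-carry adder is chained from the single-bit full adder, and an exhaustive check confirms that for every input the intended assignment satisfies the CNF while a wrong sum bit violates it. The counter starting at 577, the DIMACS output format and the half adder used for bit 0 are assumptions.

```python
from itertools import count, product

class CnfBuilder:
    def __init__(self, first_free):
        self.fresh = count(first_free)      # hands out the lowest unused variable number (577 on the slides)
        self.clauses, self.gates = [], []   # DIMACS-style signed-int clauses; gates kept for simulation
    def gate(self, op, a, b):
        """Emit the slides' four 3-literal clauses for op(A, B) = C and return C."""
        c = next(self.fresh)
        self.clauses += {"and": [(a, b, -c), (a, -b, -c), (-a, b, -c), (-a, -b, c)],
                         "or":  [(-a, b, c), (a, -b, c), (a, b, -c), (-a, -b, c)],
                         "xor": [(-a, b, c), (a, -b, c), (a, b, -c), (-a, -b, -c)]}[op]
        self.gates.append((op, a, b, c))
        return c
    def add(self, avars, bvars):
        """Ripple-carry ADD from the slides' full adder: S=A^B, C1=A&B, Sum=Ci^S, C2=S&Ci, Cout=C1|C2."""
        sums, carry = [], None              # bit 0 has no carry-in, so a half adder suffices there
        for a, b in zip(avars, bvars):      # least significant bit first
            s, c1 = self.gate("xor", a, b), self.gate("and", a, b)
            if carry is not None:
                c2 = self.gate("and", s, carry)
                s = self.gate("xor", carry, s)
                c1 = self.gate("or", c1, c2)
            sums.append(s)
            carry = c1
        return sums                         # final carry dropped: addition mod 2^n, as in SipHash
    def simulate(self, inputs):
        val = dict(inputs)                  # forward-evaluate every gate: the assignment a solver must find
        for op, a, b, c in self.gates:
            val[c] = {"and": val[a] & val[b], "or": val[a] | val[b], "xor": val[a] ^ val[b]}[op]
        return val
    def satisfied(self, val):
        return all(any(val[abs(lit)] == (lit > 0) for lit in cl) for cl in self.clauses)
    def dimacs(self):
        nvars = max(abs(lit) for cl in self.clauses for lit in cl)
        return "\n".join([f"p cnf {nvars} {len(self.clauses)}"]
                         + [" ".join(map(str, cl)) + " 0" for cl in self.clauses])

def check_adder(nbits, first_free=577):     # exhaustive: true sum satisfies the CNF, a corrupted sum bit does not
    cnf = CnfBuilder(first_free)
    avars, bvars = [next(cnf.fresh) for _ in range(nbits)], [next(cnf.fresh) for _ in range(nbits)]
    sums = cnf.add(avars, bvars)
    for a, b in product(range(2 ** nbits), repeat=2):
        val = cnf.simulate({v: bool(x >> i & 1) for x, vs in ((a, avars), (b, bvars))
                            for i, v in enumerate(vs)})
        bad = {**val, sums[0]: not val[sums[0]]}              # flip the low sum bit
        if (sum(val[v] << i for i, v in enumerate(sums)) != (a + b) % 2 ** nbits
                or not cnf.satisfied(val) or cnf.satisfied(bad)):
            return False
    return True
```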
Attack - Setup
● Generate the CNF for SipHash-c,d
● Randomize key and message bits
● Compute the tag for the given key and message block
● Load the message block, tag and known key bits onto the CNF
● Feed the CNF to the SAT solver and record the conflicts
(repeated 100 times)

Attack – Simulation Parameters
● Compression rounds: 1 – 2
● Finalization rounds: 0 – 3
● Missing key bits: 1 – 25

Data Collected
● Number of conflicts
● Analogous to brute-force attempts
● Parsed from the SAT solver output
Results – Sample CNF
(figure: sample CNF, not reproduced)

Results - Sample Output
(figure: sample solver output, not reproduced)

Results – SipHash-1,0
(plot: SipHash-1,0)

Results – SipHash-1,x
(plots: SipHash-1,1 and SipHash-1,2)
Related Work
● Collision attacks on CubeHash [3]
● SAT attacks on the Bivium stream cipher [4] – successfully recovered 48 bits of the register
● Logical cryptanalysis of DES [5] – cracked up to 3 rounds

Future Work
● Use different SAT solvers and compare their performance
● Use a parallel SAT solver
● Combine with other cryptanalysis techniques to forge new attacks

Conclusions
● Performed partial key recovery
● Converted the primitive to CNF
● Solved the CNF using a SAT solver
● Compared the result with the brute-force approach
● Worked better for fewer SipRounds
References
[1] Jean-Philippe Aumasson and Daniel J. Bernstein. SipHash: A fast short-input PRF. In Steven D. Galbraith and Mridul Nandi, editors, INDOCRYPT, volume 7668 of Lecture Notes in Computer Science, pages 489–508. Springer, 2012.
[2] http://www.msoos.org/wordpress/wp-content/uploads/2011/06/soos_summerschool.pdf
[3] Benjamin Bloom. SAT solver attacks on CubeHash @ONLINE, April 2010. http://www.cs.rit.edu/~ark/students/bwb1636/index.shtml
[4] Tobias Eibach, Enrico Pilz, and Gunnar Völkel. Attacking Bivium using SAT solvers. In Proceedings of the 11th International Conference on Theory and Applications of Satisfiability Testing, SAT'08, pages 63–76, Berlin, Heidelberg, 2008. Springer-Verlag.
[5] Fabio Massacci and Laura Marraro. Logical cryptanalysis as a SAT problem: the encoding of the Data Encryption Standard. Journal of Automated Reasoning, 24:165–203, 1999.
Thank you