Collisions on SHA-0 in one hour
Stéphane Manuel (INRIA Rocquencourt, Team SECRET) and Thomas Peyrin (Orange Labs - AIST)
FSE, February 10-13, 2008, Lausanne
Stéphane Manuel (INRIA)
Collisions on SHA-0
FSE 2008
1 / 26
Outline
1 Introduction
2 Previous Collision Attacks on SHA-0
3 New Results on SHA-0
4 Conclusion
Cryptographic hash function
An algorithm that maps input strings of arbitrary length to "short" fixed-length output strings. Expected security properties:
- Preimage resistance: given any specified output, it is computationally infeasible to find any input which hashes to this output.
- Second preimage resistance: given any specified input, it is computationally infeasible to find another input which hashes to the same output.
- Collision resistance: it is computationally infeasible to find two distinct inputs which hash to the same output.
Domain extender
The Merkle-Damgård algorithm:
Compression function
The Davies-Meyer construction:
The SHA-0 hash function
Built in 1993, 160-bit output.
The SHA-0 hash function
Message expansion:
  W_k = M_k                                        for 0 ≤ k ≤ 15
  W_k = W_{k-16} ⊕ W_{k-14} ⊕ W_{k-8} ⊕ W_{k-3}    for 16 ≤ k ≤ 79
Boolean functions:
  step k       | f_k(B, C, D)
  1 ≤ k ≤ 20   | f_IF  = (B ∧ C) ⊕ (¬B ∧ D)
  21 ≤ k ≤ 40  | f_XOR = B ⊕ C ⊕ D
  41 ≤ k ≤ 60  | f_MAJ = (B ∧ C) ⊕ (B ∧ D) ⊕ (C ∧ D)
  61 ≤ k ≤ 80  | f_XOR = B ⊕ C ⊕ D
2 Previous Collision Attacks on SHA-0
Chabaud and Joux [CRYPTO 98]
Local collisions: insert a perturbation and correct it in the next 5 steps.
Find a linear differential path of interleaved local collisions with 3 constraints on the perturbation vector:
- no truncated local collisions,
- no consecutive perturbations in the first 16 steps,
- no perturbation starting after step 74.
Complexity is evaluated in terms of the probability for the local collisions to hold.
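As an added example (not from the slides), a Python model of the SHA-0 step function, its rotation-free message expansion and the Chabaud-Joux local collision: a perturbation in bit j of W_i followed by five corrections cancels with probability 1 in the linearised model (additions and f replaced by XOR) and only with some probability in the real step function, which is what the path probability above measures. Step indices are 0-based here (the slides count 1..80); the function names and the seeded random inputs are my own.

```python
import random
MASK = 0xFFFFFFFF
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)   # SHA-0/SHA-1 round constants

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK
def f(k, b, c, d):                                      # boolean function of 0-indexed step k
    if k < 20: return (b & c) ^ (~b & d)                # f_IF  (slides: steps 1..20)
    if 40 <= k < 60: return (b & c) ^ (b & d) ^ (c & d) # f_MAJ (steps 41..60)
    return b ^ c ^ d                                    # f_XOR (steps 21..40 and 61..80)

def expand(m):
    """SHA-0 expansion: no rotation, so a difference never leaves its bit column."""
    w = list(m)
    for k in range(16, 80):
        w.append(w[k - 16] ^ w[k - 14] ^ w[k - 8] ^ w[k - 3])
    return w

def step(k, st, wk, linear=False):
    """One SHA-0 step; linear=True swaps + for XOR and f for XOR (the linearised model)."""
    a, b, c, d, e = st
    if linear:
        t = rol(a, 5) ^ b ^ c ^ d ^ e ^ wk
    else:
        t = (rol(a, 5) + f(k, b, c, d) + e + wk + K[k // 20]) & MASK
    return (t, a, rol(b, 30), c, d)

def local_collision(i, j):
    """Perturbation in bit j of W[i] plus the five corrections, one per register it visits."""
    c = 1 << ((j + 30) % 32)                            # the bit moves from B to C via ROL30
    return {i: 1 << j, i + 1: 1 << ((j + 5) % 32), i + 2: 1 << j, i + 3: c, i + 4: c, i + 5: c}

def holds(i, j, st, w, linear=False):                   # steps i..i+5 with and without the local collision
    d = local_collision(i, j)
    s1 = s2 = st
    for k in range(i, i + 6):
        s1 = step(k, s1, w[k], linear)
        s2 = step(k, s2, w[k] ^ d[k], linear)
    return s1 == s2

def success_rate(i=20, j=1, trials=256, linear=False, seed=1):
    """Fraction of constructed random (state, message) pairs on which the local collision holds."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        st = tuple(rng.getrandbits(32) for _ in range(5))
        w = expand([rng.getrandbits(32) for _ in range(16)])
        hits += holds(i, j, st, w, linear)
    return hits / trials
```

The default call places the local collision in the f_XOR steps 20..25 with the perturbation in bit 1, so the three corrections landing in bit 31 are carry-free and only the earlier steps cost probability.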
Biham et al.
Biham and Chen [CRYPTO 04]
- Speedup technique during collision search: using neutral bits, conformance to the differential path is assured up to step 23.
Biham et al. [EUROCRYPT 2005]
- Multi-block technique: use several blocks to find a collision.
Wang et al. [CRYPTO 05]
Relax the first two constraints on the perturbation vector to find a better one.
Modify (by hand) the first steps of the differential path to compensate truncated and consecutive local collisions, using different tools:
- modular subtraction,
- carry effect,
- non-linearity of the boolean function f_IF.
Wang et al. [CRYPTO 05]
Build from a random first block of message a chaining variable verifying specific conditions.
Message modifications: another speedup technique.
- Complexity is given in terms of the number of conditions to fulfill (counting starts from step 20).
Naito et al. [ASIACRYPT 06]
Based on the linear and non-linear characteristics of Wang et al.
Submarine modifications: condition counting starts from step 24.
Complexity:
- 2^36 function calls theoretically ...
- ... but requires 100 hours on average with a good PC.
- Our estimation: 2^40.5 function calls in practice.
Complexity should be given in terms of function calls with an efficient implementation on the same computer (i.e. OpenSSL), following the proposal of De Cannière et al. [Hash Workshop 2007].
3 New Results on SHA-0
Possible improvements
Relax the last constraint to find better perturbation vectors:
Adapt the tools developed for the recent attacks against SHA-1.
- Non-linear characteristics: the automated non-linear characteristic generator from De Cannière and Rechberger (2006).
- Speedup technique: the boomerang attacks from Joux and Peyrin (2007).
New perturbation vector
Criteria for vector search:
- minimize the number of conditions between steps 16 and 80,
- the starting step for counting conditions depends on the speedup technique,
- adaptability with the non-linear characteristic generator.
Several good possible vectors found.
Our perturbation vector:
The boomerangs
Boomerangs are a framework:
- The attacker builds auxiliary differentials that can be used under the neutral bits or message modification settings.
- With the neutral bits setting they give a generic, easy-to-use tool for collision search speedup.
- Constraints are set to provide good neutral bits that would exist with very low probability on a random differential path.
Our approach:
- First find good generic auxiliary differentials.
- Place them so that they do not interfere with the perturbation vector.
- Then run the non-linear characteristic generator taking these auxiliary differentials into account.
The boomerangs
We build two types of auxiliary differentials:
- a light but short one (few constraints but low range), and
- a heavy but long one (long range but lots of constraints).
These auxiliary differentials are used as neutral bits for steps 23 and 28 respectively.
On average, we can set 5 auxiliary differentials (7 for the first block):