Collisions on SHA-0 in one hour Stéphane Manuel Thomas Peyrin INRIA Rocquencourt, Team SECRET Orange Labs - AIST

FSE February 10-13, 2008 Lausanne

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

1 / 26

Outline 1 Introduction 2 Previous Collision Attacks on SHA-0 3 New Results on SHA-0 4 Conclusion

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

2 / 26

Outline 1 Introduction 2 Previous Collision Attacks on SHA-0 3 New Results on SHA-0 4 Conclusion

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

3 / 26

Cryptographic hash function An algorithm that maps input strings of arbitrary length to "short" xed length output strings. Expected security properties: I

I

I

Preimage resistance: given any specied output, it is computationally infeasible to nd any input which hashes to this output. Second preimage resistance: given any specied input, it is computationally infeasible to nd another input which hashes to the same output. Collision resistance: it is computationally infeasible to nd two distinct input which hashes to the same output.

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

4 / 26

Domain extender ◦

The Merkle-Damgard algorithm:

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

5 / 26

Compression function The Davies-Meyer construction:

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

6 / 26

The SHA-0 hash function Built in 1993, 160 bits output.

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

7 / 26

The SHA-0 hash function Message expansion: for 0 ≤ k ≤ 15 k, Wk −16 ⊕ Wk −14 ⊕ Wk −8 ⊕ Wk −3 , for 16 ≤ k ≤ 79

(

k=

W

M

Boolean functions: step k 1 ≤ k ≤ 20 21 ≤ k ≤ 40 41 ≤ k ≤ 60 61 ≤ k ≤ 80

Stéphane Manuel (INRIA)

k (B , C , D ) fIF = (B ∧ C ) ⊕ (B ∧ D ) fXOR = B ⊕ C ⊕ D fMAJ = (B ∧ C ) ⊕ (B ∧ D ) ⊕ (C ∧ D ) fXOR = B ⊕ C ⊕ D f

Collisions on SHA-0

FSE 2008

8 / 26

Outline 1 Introduction 2 Previous Collision Attacks on SHA-0 3 New Results on SHA-0 4 Conclusion

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

9 / 26

Chabaud and Joux [CRYPTO 98] Local collisions: insert a perturbation and correct it in the next 5 steps. Find linear dierential path of interleaved local collisions with 3 constraints on the perturbation vector: I I I

no truncated local collisions, no consecutive perturbations in the rst 16 steps, no perturbation starting after step 74.

Complexity is evaluated in terms of probability for local collisions to hold. Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

10 / 26

Biham et al. Biham and Chen [CRYPTO 04] I

Speedup technique during collision search: using neutral bits, the conformance to the dierential path is assured up to step 23.

Biham et al. [EUROCRYPT 2005] I

Multi-block technique: use several blocks to nd a collision.

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

11 / 26

Wang et al. [CRYPTO 05] Relax the rst two constraints on the perturbation vector to nd a better one.

Modify (by hands) the rst steps of the dierential path to compensate truncated and consecutive local collisions, using dierent tools: I I I

modular subtraction, carry eect, non-linearity of the boolean function fIF .

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

12 / 26

Wang et al. [CRYPTO 05] Build from a random rst block of message a chaining variable verifying specic conditions.

Message modications: another speedup technique. I

Complexity is given in terms of number of conditions to fulll (starts from step 20).

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

13 / 26

Naito et al. [ASIACRYPT 06] Based on the linear and non-linear characteristics of Wang et al. Submarine modications: condition counting starts from step 24. Complexity: I I I

236 function calls theoretically ... ... but requires 100 hours on average with a good PC. Our estimation: 240,5 function calls practically.

Complexity should be given in terms of function calls with an ecient implementation on the same computer (i.e. OpenSSL) according to De Cannière et al. proposal [Hash Workshop 2007].

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

14 / 26

Outline 1 Introduction 2 Previous Collision Attacks on SHA-0 3 New Results on SHA-0 4 Conclusion

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

15 / 26

Possible improvements Relax the last constraint to nd better perturbation vectors: I

no perturbation starting after step 74.

Then we need: I I I

multi-block technique, adapted non-linear characteristics, generic speedup technique.

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

16 / 26

Possible improvements

Adapt the tools developed for the recent attacks against SHA-1. Non-linear characteristics: I

the automated non-linear characteristic generator from De Cannière and Rechberger (2006).

Speedup technique: I

the boomerang attacks from Joux and Peyrin (2007).

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

17 / 26

New perturbation vector Criteria for vector search: I I I

minimize the number of conditions between steps 16 and 80, starting step for counting conditions depends on the speedup technique, adaptability with the non-linear characteristic generator.

Several good possible vectors found. I

Our perturbation vector:

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

18 / 26

The boomerangs Boomerangs are a framework: I

I

I

The attacker build auxiliary dierentials that can be used under neutral bits or message modications settings. With the neutral bits setting they give a generic easy to use tool for collision search speedup. Constraints are set to provide good neutral bits that would exist with very low probability on a random dierential path.

Our approach: I I I

First nd good generic auxiliary dierentials. Place them so that they do not interfere with the perturbation vector. Then run the non-linear characteristic generator taking in account these auxiliary dierentials.

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

19 / 26

The boomerangs We build two types of auxiliary dierentials: I I

a light but short one (few constraints but low range), and a heavy but long one (long range but lot of constraints).

These auxiliary dierentials are used as neutral bits for steps 23 and 28 respectively. On average, we can set 5 auxiliary dierentials (7 for the rst block): I

improvement of a factor 25 on the raw attack.

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

20 / 26

First auxiliary dierential i

Ai

Wi

-1: 00: 01: 02: 03: 04: 05: 06: 07: 08: 09: 10: 11: 12: 13: 14: 15:

      -b -b -a -0 -1      

      -a a   -a    

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

21 / 26

Second auxiliary dierential i

Ai

Wi

-1: 00: 01: 02:

-d -d -e-a -e-1 -b-0 -0 -0    -f -f -c -0 -0  

-a a-b ba -a -a -b -b   -c c  -c -c

03: 04: 05: 06: 07: 08: 09: 10: 11: 12: 13: 14: 15:

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

22 / 26

Collision example W0 W1 W2 W3 W4 W5 W6 W7 W8 W9 W10 W11 W12 W13 W14 W15

M1

st

1

0x4643450b 0x41d35081 0xfe16dd9b 0x3ba36244 0xe6424055 0x16ca44a0 0x20f62444 0x10f7465a 0x5a711887 0x51479678 0x726a0718 0x703f5bfb 0xb7d61841 0xa5280003 0x6b08d26e 0x2e4df0d8

A2 0x6f84b892

Stéphane Manuel (INRIA)

B2 0x1f9f2aae

block

M10

0x46434549 0x41d350c1 0xfe16dddb 0x3ba36204 0x66424017 0x96ca44a0 0xa0f62404 0x10f7465a 0x5a7118c5 0xd147963a 0x726a0718 0x703f5bb9 0xb7d61801 0xa5280041 0x6b08d26c 0xae4df0d8

C2 0x0dbab75c

Collisions on SHA-0

M2

nd

2

0x9a74cf70 0x04f9957d 0xee26223d 0x9a06e4b5 0xb8408af6 0xb8608612 0x8b7e0fea 0xe17e363c 0xa2f1b8e5 0xca079936 0x02f2a7cb 0xf724e838 0x37ffc03a 0x53aa8c43 0x90811819 0x312d423e

D2 0x0afe56f5

block

M2 0x9a74cf32 0x04f9953d 0xee26227d 0x9a06e4f5 0x38408ab4 0x38608612 0x0b7e0faa 0xe17e363c 0xa2f1b8a7 0x4a079974 0x02f2a7cb 0xf724e87a 0x37ffc07a 0x53aa8c01 0x9081181b 0xb12d423e 0

E2 0xa7974c90

FSE 2008

23 / 26

Outline 1 Introduction 2 Previous Collision Attacks on SHA-0 3 New Results on SHA-0 4 Conclusion

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

24 / 26

Complexity comparison

Team Chabaud and Joux (1998) Biham et al. (2004) Wang et al. (2005) Naito et al. (2006) Our results

Stéphane Manuel (INRIA)

Theoritical Practical Time on a PC 2 2 2 20 years 2 2 2 . 100 hours . 2 2 1 hour 61 51

51

39 36

40 3

33

33 6

Collisions on SHA-0

FSE 2008

25 / 26

Complexity comparison

Thank you!

Stéphane Manuel (INRIA)

Collisions on SHA-0

FSE 2008

26 / 26