Download Lecture Notes (pps)

Cryptanalysis
Lecture Block 5: Cryptographic Hashes
John Manferdelli
[email protected]
[email protected]
© 2004-2008, John L. Manferdelli.
This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability
for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.
1
jlm20090310
Cryptographic Hashes
•
A cryptographic hash (“CH”) is a “one way function,” h,
from all binary strings (of arbitrary length) into a fixed
block of size n (called the size of the hash) with the
following properties:
1.
2.
3.
4.
Computing h is relatively cheap.
Given y=h(x) it is infeasible to calculate x. (“One way,”
“non-invertibility” or “pre-image” resistance). Functions
satisfying this condition are called One Way Hash
Functions (OWHF)
Given u, it is infeasible to find w such that h(u)=h(w).
(weak collision resistance, 2nd pre-image resistance).
It is infeasible to find u, w such that h(u)=h(w). (strong
collision resistance). Note 43. Functions satisfying
this condition are called Collision Resistant Functions
(CRFs).
JLM 20090310
2
Cryptographic Hashes
•
h must be compressive (otherwise copy of original binary
string satisfies requirement)
•
Just like symmetric ciphers ratio of work factor for
computation of hash vs work factor to break hash should
be very high.
•
Adversary has complete information on computing hash
and (obviously) can compute as many hashes from the
target as she wants.
JLM 20060105 12:16
3
Observations on Cryptographic Hashes
•
•
Hashes are a strong “checksum”
OWHF and CRF conditions make CHs satisfy many of the properties
of “random functions”
–
Small changes should create large changes (otherwise the preimage of near neighbors are near neighbors making collisions easy
to find)
–
Small input changes should be statistically unrelated (uncorrelated)
to changes in a subset of the hash bits
–
Analysis of CHs very similar to Symmetric Cipher techniques
Popular practical cryptographic hashes
–
–
–
MD4, MD5 (now “broken”)
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 (last 4 are “SHA-2”)
RIPEMD
JLM 20060105 12:16
4
Observations
•
•
Collision Resistance  2nd pre-image resistance
Let f(x)= x2-1 (mod p).
– f(x) acts like a random function but is not a OWHF since square roots are easy to
calculate mod p.
•
Let f(x)= x2 (mod pq).
– f(x) is a OWHF but is neither collision nor 2nd pre-image resistant
•
•
•
If either h1(x) or h2(x) is a CRHF so is h(x)= h1(x)||h2(x)
MDC+signature & MAC+unknown Key require all three properties
Ideal Work Factors:
Type
Work
Property
OWHF
2n
Pre-image
2nd Pre-image
CRHF
2n/2
Collision
MAC
2t
Key recovery, computational resistance
JLM 20060105 12:16
5
What are Hash Functions Good for?
• Modification Detection Codes (MDCs): This is a strong checksum
(integrity check). Sometimes called “unkeyed” hashes.
• Message Authentication Code (MACs): If shared secret is part of the
hash, two parties can determine authenticated integrity with CHs.
Called “keyed hashes”.
• Message Digests (MDs): Encrypting (with private key) the CH of a
message (its MD) acts as a certification that the message was
“approved” by possessor of private key. This is called a Digital
Signature. [Note: you could “sign’ the whole message rather than the
hash but this would take oodles of time by comparison.]
JLM 20060105 12:16
6
What are Hash Functions Good for?
• Uniquely and securely identifies bit streams like
programs. Hash is strong name for program.
• Entropy mixing: Since CHs are random functions into
fixed size blocks with the properties of random functions,
they are often used to “mix” biased input to produce a
“seed” for a psuedo-random number generator.
• Password Protection: Store salted hash of password
instead of password (Needham).
• Bit Commitment
JLM 20060105 12:16
7
MACs using Hashes
•
•
•
Prefix and suffix attacks
Hash(k1, Hash(k2, m))
Hash(k|p|m|k)
•
HMACK(x)= SHA-1(Kopad||SHA-1(Kipad)||x)
JLM 20060105 12:16
8
One-Way Functions
Hashes come from two basic classes of one-way functions
– Mathematical
• Multiplication: Z=X•Y
• Modular Exponentiation: Z = YX (mod n) (Chaum vP
Hash)
– Ad-hoc (Symmetric cipher-like constructions)
• Custom Hash functions (MD4, SHA, MD5, RIPEMD)
JLM 20060105 12:16
9
Attacks on Cryptographic Hashes
• Birthday (Yuval) attacks
– Probability of collision determined by “Birthday Paradox” calculation:
• (1- 1/n) (1- 2/n) … (1-(k-1)/n)= (n!/k!)/nk
• Probability of collision is >.5 when k2 > n.
• Need 280 blocks for SHA.
• 1+x c ex, Pi=1i=k (1-i/n) c e-k(k-1)/(2n)
• Dobbertin Attacks on MD4
• Attacks on 2nd preimage
– (Old) If you hash 2t messages, the average work to find a 2nd primage is 2n-t
– (New) If you hash 2t blocks, the average work to find a 2nd primage is
t2n/2+1+ 2n-t+1 [Kelsey Schneier]
– Appending length doesn’t help against 2nd pre-image attacks
JLM 20060105 12:16
10
Attacks on Hashes
• Selective and Existential Forgery
• Key Recovery for MAC
• Chaining
– Meet in Middle
– Fixed Point
• Padding
• Differential
JLM 20060105 12:16
11
Attacks on Cryptographic Hashes
• Berson (1992) using differential cryptanalysis on 1 round MD-5.
• Boer and Bosselaers (1993), Pseudo collision in MD5.
• Dobbertin (1996), Collisions in compression function. Attacks
inspired RIPEMD proposal.
• Biham and Chen (2004), Collisions in SHA-0.
• Chabaud and Joux (2004), Collisions in SHA-0 .
• Wang, Feng, Lai, Yu, (2004), MD4, MD5, RIPEMD
• Wang et al, (2004, 2005), SHA-1
• SHA-1 has stood up best: best known theoretical attack (11/05)
requires 263 operations.
JLM 20060105 12:16
12
Birthday Attacks
• Probability of collision determined by “Birthday Paradox”
calculation:
– (1-1/n) (1-2/n) … (1-(k-1)/n)= (n!/k!)/nk
– Probability of collision is >.5 when k2 > n.
– Need 280 blocks for SHA.
– 1+x c ex, Pi=1i=k (1-i/n) c e-k(k-1)/(2n)
JLM 20060105 12:16
13
Chaum-vanHeijst-Pfitzmann
Compression Function
• Suppose p is prime, q=(p-1)/2 is prime, a is a primitive root in
Fp, b is another primitive root so ax=b (mod p) for some
unknown x).
• g: {1,2,…,q-1}2  {1,2,…,p-1}, q=(p-1)/2 by:
– g(s, t) = as bt (mod p)
• Reduction to discrete log:
Suppose g(s, t)= g(u, v) can be found. Then as bt (mod p)= au bv (mod
p).
So as-u (mod p)= bv-t (mod p). Let b= ax (mod p). Then (s-u)=x(y-t) (mod
p-1).
But p-1= 2q so we can solve for x, thus determining the discrete log of
b.
JLM 20060105 12:16
14
Merkle/Damgard Construction
Hi-1
Padded n bit blocks
Compression
Function (f)
Input: x=x1||…||xt
Input is usually padded
H0= IV
Hi= f(Hi-1, xi)
h(x)= g(ht)
Hash Value
Graphic by Josh Benaloh
JLM 20060105 12:16
15
Proofs about compression function
• Theorem: If g: {0,1}m  {0,1}n, for a sequence of n bit
blocks, x= x1, x2, …, xt, we can define a hash function h:
{0,1}*  {0,1}n by H0= c, Hi+1= g(Hi||xi) with h(x)=Ht. h is
collision resistant if g is.
– Proof: Let x= x1, x2, …, xt and x’= x1’, x2’, …, xt’’ be two strings with
h(x)=h(x’) and let Hi, Hi’ be the intermediate values. Suppose there
is an i<t: Ht-i=Ht’-i’ and Ht-i-1Ht’-i-1’. Then g(Ht-i-1||xi)= g(Ht-i-1’||xi’) so g
is not collision resistant. Otherwise Hi=Hi’ and either xi=xi’, it, in
which case there is nothing to prove or some xixi’(but then g(Hi||xi)
= g(Hi’||xi’) and again g is not collision resistant) or g(Ht-1)=
g(Hj’||xj’), j>t and again g is not collision resistant.
JLM 20081026
16
Technique for CHs from Block Ciphers
Let input be x= x1||x2|| … ||xt where each xi is n bits long. Let g be a
function taking an n bit input to an m bit input. Let E(k, x) be a block
cipher with m bit keyspace and n bit block. Let H0= IV.
Construction 1: Hi= E(g(Hi-1), xi)Hi-1
Construction 2: Hi= E(xi, Hi-1)Hi-1
Construction 3: Hi= E(g(Hi-1), xi)xiHi-1
Note: Because of collisions n should be >64. Ideally, m=n and g= id. DES
with n= 64 is too small. AES with n=m=128 is better.
JLM 20060105 12:16
17
DM/MMO constructions for block ciphers
Hi-1
mi(key)
E
Hi-1 (key)
E


Hi
Hi
• Differential attack on C
• Related key attack on E
JLM 20090222
mi(key)
• Differential attack on C
• Differential attack on E
18
Nostradamus (“herding") attack
• Let h be a Merkle-Damgard hash with compression function f and initial
value IV . Goal is to hash a prefix value (P) quickly by appending
random suffixes (S).
• Procedure
– Phase 1: Pick k, generate K= 2k random d0i from each pair of the
values f(IV ||di,i+1) and two messages M0,j ;M1,j which collide under f .
Call this value d1,j this takes effort 2n/2 for each pair. Do this (colliding
di,j ; di+1,j under Mi,j ;Mi+1,j to produce di,j+1 until you reach dK,0). This is
the diamond.
– Publish y = w(dK,0) where w is the final transformation in the hash as
the hash (i.e. - claim y = h(P||S).
JLM 20060105 12:16
19
Diamond structure
h(0,0)
h(0,1)
M0
h(1, 0)
h(0,2)
h(0,3)
P
M5
M7
h(1, 1)
h(2,0)
h(0,4)
h(0,5)
h(1, 2)
Published hash
h(0,6)
h(0,7)
JLM 20081028
h(1, 3)
h(2, 1)
h(3,0)
w(h(3,0))
20
Nostradamus (“herding") attack
• The cost of phase 1 is (2k -1)2n/2.
• In phase 2, guess S’ and compute T = f(IV||P||S’).
• Keep guessing until T is one of the dij. Once you get a
collision, follow a path through the Mij to dK,0. Append these
Mij to P||S’ and apply w to get right hash.
• Total cost: W= 2n-k-1+2n/2+k/2+k2n/2+1. k=(n-5)/3 is a good
choice. For 160 bit hash, k=52.
JLM 20060105 12:16
21
Multicollision (Joux)
• Iterative construction is vulnerable to multi-collision
• Suppose M1;M1’; M2;M2’; …; Mt;Mt’ all collide.
• From these we get 2t collisions.
• If r people each have one of N possible birthdays, there is
a greater than 50% chance of k collisions if r>Nk, k= k-1/k.
JLM 20060105 12:16
22
Random Oracle Model
• Let f be a OWF with trapdoor, (y1, y2) = (f(r); h(r)+m) is
used as encryption.
• An oracle with i requests L.
• Pr(guess right) = P(rL)+½ P(rL).
• Set p = 1/2+e,
• ePr(rL).
• Canetti, Goldreich, Halevi constructed cryptosystem that is
secure in the Random Oracle model but any secure for any
concrete hash.
JLM 20081024
23
A Cryptographic Hash: SHA-1
Picture from Wikipedia
JLM 20060105 12:16
24
A Cryptographic Hash: SHA-1
(IV ) – 160 bits
512-bit Input
Compression
Function
160-bit Output
JLM 20060105 12:16
Slide by Josh Benaloh
25
A Cryptographic Hash: SHA-0/1
Picture from Wikipedia
JLM 20060105 12:16
26
A Cryptographic Hash: SHA-1
• Depending on the round, the “non-linear” function f is
one of the following.
f(X,Y,Z) = (XY)((X)Z)
f(X,Y,Z) = (XY)(XZ)(YZ)
f(X,Y,Z) = XYZ
JLM 20060105 12:16
27
A Cryptographic Hash: SHA-1
What’s in the final 32-bit transform?
• Take the rightmost word.
• Add in the leftmost word rotated 5 bits.
• Add in a round-dependent function f of the middle
three words.
• Add in a round-dependent constant.
• Add in a portion of the 512-bit message.
JLM 20060105 12:16
28
SHA-0
A= 0x67452301, B= 0xefcdab89,
C= 0x98badcfe, D= 0x10325476
E= 0xc3d2e1f0
Ft(X,Y,Z)= (XY)((X)Z),
t= 0,…,19
Ft(X,Y,Z)= XYZ,
t= 20,…,39
Ft(X,Y,Z)= (XY)(XZ)(YZ),
t= 40,…,59
Ft(X,Y,Z)= XYZ, t= 60,…,79
Kt=
Kt=
Kt=
Kt=
0x5a827999,
0x6ed9eba1,
0x8f1bbcdc,
0xca62c1d6,
t= 0,…,19
t=20,…,39
t= 40,…,59
t=60,…,79
JLM 20060105 12:16
Absence of this term is only
difference between SHA-0 and SHA-1
Do until no more input blocks {
If last input block
Pad to 512 bits by adding 1
then 0s then 64 bits of
length.
Mi= input block(32 bits)
i= 0,…,15
Wt= Mt, t= 0,…,15;
Wt= (Wt-3Wt-8Wt-14Wt-16) <<<1,
t= 16,…,79
a= A; b= B; c= C; d= D; e= E;
for(t=0 to 79) {
x= (a<<<5)+ft(b,c,d)+e+Wt+Kt
e= d; d=c; c= b<<<30;
b=a; a= x;
}
A+= a; B+=b; C+= c; D+= d; E+= e;
}
29
SHA-1
Message expansion
A= 0x67452301, B= 0xefcdab89,
C= 0x98badcfe, D= 0x10325476
E= 0xc3d2e1f0
Ft(X,Y,Z)= (XY)((X)Z),
t= 0,…,19
Ft(X,Y,Z)= XYZ,
t= 20,…,39
Ft(X,Y,Z)= (XY)(XZ)(YZ),
t= 40,…,59
Ft(X,Y,Z)= XYZ, t= 60,…,79
Kt=
Kt=
Kt=
Kt=
0x5a827999,
0x6ed9eba1,
0x8f1bbcdc,
0xca62c1d6,
t= 0,…,19
t=20,…,39
t= 40,…,59
t=60,…,79
JLM 20060105 12:16
Do until no more input blocks {
If last input block
Pad to 512 bits by adding 1
then 0s then 64 bits of
length.
Mi= input block(32 bits) i=
0,…,15
Wt= Mt , t= 0,…,15;
Wt= (Wt-3Wt-8Wt-14Wt-16)<<<1,
t= 16,…,79
a= A; b= B; c= C; d= D; e= E;
for(t=0 to 79) {
x= (a<<<5)+ft(b,c,d)+e+Wt+Kt
e= d; d=c; c= b<<<30;
b=a; a= x;
}
A+= a; B+=b; C+= c; D+= d; E+= e;
}
30
MD4 and Dobbertin
• Invented by Rivest, ca 1990
• Weaknesses found by 1992
– Rivest proposed improved version (MD5), 1992
• Dobbertin found 1st MD4 collision in 1998
– Clever and efficient attack
– Nonlinear equation solving and differential
Slide by Mark Stamp
31
MD4 Algorithm
• After padding message is a multiple of the 512-bit block size
– Also a multiple of 32 bit word size
• Let N be number of 32-bit words
• Message M = (Y0,Y1,…,YN1)
– Each Yi is a 32-bit word
• 32-bit words
• Little-endian convention
– Leftmost byte is low-order (relevant when generating “meaningful”
collisions)
• Pad M so length is 448 (mod 512)
– Single “1” bit followed by “0” bits
– At least one bit of padding, at most 512
– Length before padding (64 bits) is appended
Slide by Mark Stamp
32
MD4 Algorithm
• For 32-bit words A,B,C, define
F(A,B,C) = (AB)(AC)
G(A,B,C) = (AB)(AC)(BC)
H(A,B,C) = ABC
where , , ,  are AND, OR, NOT, XOR
• Define constants: K0 = 0x00000000,
K1 = 0x5a827999, K2 = 0x6ed9eba1.
• Let Wi, i = 0,1,…47 be (permuted) inputs, Yj
Slide by Mark Stamp
33
MD4 Algorithm
34
MD4 Algorithm
• Round 0: Steps 0 thru 15, uses F function
• Round 1: Steps 16 thru 31, uses G function
• Round 2: Steps 32 thru 47, uses H function
Slide by Mark Stamp
35
MD4: One Step
• Where
Slide by Mark Stamp
36
Dobbertin’s attack strategy
• Specify a differential condition
• If condition holds, probability of collision
• Derive system of nonlinear equations: solution satisfies
differential condition
• Find efficient method to solve equations
• Find enough solutions to yield a collision
• Find one-block collision, where M= (X0,X1,…,X15), M= (X0,X1,…,X15)
• Difference is subtraction mod 232
• Blocks differ in only 1 word
– Difference in that word is exactly 1
• Limits avalanche effect to steps 12 thru 19
– Only 8 of the 48 steps are critical to attack!
– System of equations applies to these 8 steps
Slide by Mark Stamp
37
Notation
• Suppose (Qj,Qj1,Qj2,Qj3) = MD40…j(IV,M)
and (Qj,Qj1,Qj2,Qj3) = MD40…j(IV,M)
• Define j = (QjQj, Qj1Qj1, Qj2Qj2, Qj3Qj3 )
where subtraction is modulo 232
• Let 2n denote 2n mod 232.
– 225 = 0x02000000 and 25 = 0xffffffe0
• All arithmetic is modulo 232
38
Strategy
• Try to find one block collision
• Denote M = (X0,X1,…,X15)
• Define M by Xi = Xi for i12 and
X12= X12+1
• Word X12 last appears in steps 12, 19, 35
– This provides a “natural” division of the attack strategy
• We are freedom to choose X0,X1,…,X11 at our convenience
• Goal is to find pair M and M with 35= 0, if 35= (0,0,0,0) we
have a collision
Slide by Mark Stamp
39
MD4 Attack
Analyze attack in three phases
1. Show: 19= (225,25,0,0) implies probability at least 1/230 that the 35
condition holds
– Uses differential cryptanalysis
2. “Backup” to step 12: We can start at step 12 and have 19 condition
hold
– By solving system of nonlinear equations
3. “Backup” to step 0: And find collision
– In each phase of attack, some words of M are determined
– When completed, have M and M
• Where M  M but h(M) = h(M)
– Equation solving step is tricky part
• Nonlinear system of equations
• Must be able to solve efficiently
Slide by Mark Stamp
40
Steps 19 to 35
• Differential phase of the
attack
• Suppose M and M as
given above
– Only differ in word 12
• Assume that 19=
(225,25,0,0)
– And G(Q19,Q18,Q17) =
G(Q19,Q18,Q17)
• Then we compute
probabilities of “”
conditions at steps 19
thru 35
Slide by Mark Stamp
41
Steps 19 thru 35
• For example, consider 35
• Suppose j = 34 holds: Then 34= (0,0,0,1) and
• Implies 35= (0,0,0,0) with probability 1
– As summarized in j = 35 row of table
Slide by Mark Stamp
42
Steps 12 to 19
• Analyze steps 12 to 19, find
conditions that ensure 19 =
(225,25,0,0)
– And G(Q19,Q18,Q17)=
G(Q19,Q18,Q17), as required
in differential phase
• Step 12 to 19—equation solving
phase
• This is most complex part of
attack
– Last phase, steps 0 to 11, is
easy
Slide by Mark Stamp
43
Steps 12 to 19
• To apply differential phase, must have
19= (225,25,0,0) which states that
Q19= Q19+225
Q18+25 = Q18
Q17= Q17
Q16= Q16
• Derive equations for steps 12 to 19…
• At step 12 we have
Q12= (Q8 + F(Q11,Q10,Q9) + X12) <<< 3
Q12=(Q8 + F(Q11,Q10,Q9) + X12) <<< 3
• Since X12= X12+1 and (Q8,Q9,Q10,Q11)= (Q8,Q9,Q10,Q11),
(Q12<<<29)(Q12<<<29)= 1
Slide by Mark Stamp
44
Steps 12 to 19
• Similar analysis for remaining steps yields system of
equations:
Slide by Mark Stamp
45
Steps 12 to 19
• To solve this system must find
•
•
•
•
•
so that all equations hold.
Since there are 14 variables and 8 equations, we have wiggle room
Given such a solution, we determine Xj for j = 13,14,15,0,4,8,12
so that we begin at step 12 and arrive at step 19 with 19 condition
satisfied
This phase reduces to solving (nonlinear) system of equations
Can manipulate the equations so that
– Choose (Q14,Q15,Q16,Q17,Q18,Q19) arbitrary
– Which determines (Q10,Q13,Q13 ,Q14 ,Q15)
Result is 3 equations must be satisfied (next slide)
Slide by Mark Stamp
46
Solving equations for 12 to 19
• Using this we can solve for seven message words:
–
–
–
–
–
–
–
X13= anything
X14= (Q14<<<21)-Q10-F(Q13, Q12, Q11)
X15= (Q15<<<21)-Q11-F(Q14, Q13, Q12)
X0= (Q16<<<21)-Q12-G(Q15, Q14, Q13) –K1
X4= (Q17<<<21)-Q13-G(Q16, Q15, Q14) –K1
X8= (Q18<<<21)-Q14-G(Q17, Q16, Q15) –K1
X12= (Q19<<<21)-Q15-G(Q18, Q17, Q16) –K1
47
Solving equations for 12 to 19
• Choose Q12= -1, Q12’=0, Q11=0. Then
– Q15’= Q15-G(Q18’,Q17,Q16)+G(Q18,Q17,Q16)+(Q19’<<<19)-(Q19<<<19)-1
– Q14’= Q14-G(Q18’,Q17,Q16)+G(Q18,Q17,Q16)+(Q18’<<<23)-(Q19<<<23)
– Q13= (Q14<<<21)-(Q14’<<<21)
– Q13’= Q13-G(Q16,Q15’,Q14’)+G(Q16,Q15,Q14)
– Q10= (Q13’<<<25)-(Q13<<<25)
– F(Q18’,Q17,Q16)-F(Q18,Q17,Q16)= (Q15’<<<13)-(Q15<<<13)
– G(Q18’,Q17,Q16)-G(Q18,Q17,Q16)= Q12-Q11’
• Choose Q14, …, Q19 arbitrarily and solve for Q10, Q13, Q13’, Q14’, Q15’
– G(Q15,Q14,Q13)-G(Q15’, Q14’, Q13’)= 1
– F(Q14’, Q13’, 0)-F(Q14, Q13,, -1)= 0
– G(Q19’, Q18’, Q17)= G(Q19, Q18,, Q17)
48
Steps 12 to 19
• Three conditions must be satisfied:
• First 2 are “check” equations
– Third is “admissible” condition
• Naïve algorithm: choose six Qj, yields five Qj, Qj until
3 equations satisfied
• How much work is this?
Slide by Mark Stamp
49
Continuous Approximation
• Each equation holds with probability 1/232
• Appears that 296 iterations required
– Since three 32-bit check equations
– Birthday attack on MD4 is only 264 work!
• Solution
– A “continuous approximation”
– Small changes, converge to a solution
Slide by Mark Stamp
50
Continuous Approximation
• Generate random Qi values until first check equation is
satisfied
– Random one-bit modifications to Qi
– Save if 1st check equation still holds and 2nd check equation
is “closer” to holding
– Else try different random modifications
• Modifications converge to solution
– Then 2 check equations satisfied
– Repeat until admissible condition holds
Slide by Mark Stamp
51
Steps 0 to 11
• At this point, we have (Q8,Q9,Q10,Q11) and
MD412…47(Q8,Q9,Q10,Q11,X)= MD412…47(Q8,Q9,Q10,Q11,X)
• To finish, we must have
MD40…11(IV,X) = MD40…11(IV,X)= (Q8,Q9,Q10,Q11)
•
•
•
•
Recall, X12 is only difference between M, M
Also, X12 first appears in step 12
Have already found Xj for j= 0,4,8,12,13,14,15
Free to choose Xj for j= 1,2,3,5,6,7,9,10,11 so that
MD40…11 equation holds easily!
Slide by Mark Stamp
52
All Together Now
•
Attack proceeds as follows…
1.
2.
3.
Slide by Mark Stamp
Steps 12 to 19: Find (Q8,Q9,Q10,Q11) and Xj for j=
0,4,8,12,13,14,15
Steps 0 to 11: Find Xj for remaining j
Steps 19 to 35: Check 35= (0,0,0,0)
–
If so, have found a collision!
–
If not, go to 2.
53
Meaningful Collision
• Different contracts, same hash value
Slide by Mark Stamp
54
SHA-0 Strategy (Chabaud and Joux)
• Basic idea is to look for small differences that can be
tracked through rounds like differential cryptanalysis.
• Consider three approximations to the SHA-0 compression
function.
– SHI-1
• Use Xor instead of Add
• Make f(i) linear
– SHI-2
• Use Xor instead of Add
• Restore f(i) to original values
– SHI-3
• Restore Add
• Make f(i) linear
JLM 20060105 12:16
55
SHI-1 Finding Collisions
• Assume the W(i) are unrelated and follow progress of a change to W(1).
A
B
C
D
E
1
W1+ROL5(A)+f(B,C,D)+
E+K
A
ROL30(B)
C
D
2
W2 + …
3
ROL30(-)
4
ROL30(W1+ROL5(A)+
f(B,C,D)+E+K)
5
6
W6+ … - fixes W1
perturbation
JLM 20060105
56
SHI-1 Error Propagation in Hash
Perturbation
On bit 1
D
Corrections defining
masks
W1(i)
W6(i+1)
W1(i+2)
W31(i+3)
W31(i+4)
W31(i+5)
A1(i)
A(i+1)
A(i+2)
A(i+3)
A(i+4)
A(i+5)
State
A(i)
B(i)
C(i)
D(i)
E(i)
JLM 20060105 12:16
B31(i+1)
B(i+5)
C31(i+2)
C(i+5)
D31(i+3)
D(i+5)
E31(i+4)
E(i+5)
57
SHI-1 Restoring Expansion
• Flip bit 1 of W1. This modified A in round “0” resulting, potentially to
different (A, B, C, D, E) in round 6. By following linear process we can
determine bits in W1, , W6 which, when flipped, produce the same
(A,B,C,D,E) in round 6.
• Let M(i) be 0 in all positions that are unchanged in round i and 1 where
bits are flipped to restore the result in round 6. This is called a local
collision.
• This is easy to do, as we’ve seen if there is no expansion.
• Question: If there is expansion, what successful masks are preserved by
expansion if bits are flipped in W(1)?
• Answer: M(i)= M(i-3)M(i-8)M(i-14)M(i-16) , 10<i<80
• Because SHA-0 expansion doesn’t interleave bits, we can consider each
of the 32 bits independently and exhaustively search for a successful
pattern
JLM 20060105 12:16
58
SHI-2
• Restore f(i) and note that rounds 0-19, 40-59 are no longer Xors
Round
Name
f(i)(X,Y,Z)
K(i)
0-19
IF
(XY(XZ)
0x5a827999
20-39
XOR
XYZ
0x6ed9eba1
40-59
MAJ
(XY)(XZ)(YZ)
0x8f1bbcdc
60-79
XOR
XYZ
0xca62c1d6
• When does f(i) behave like an Xor for IF and MAJ?
• Again the action on each of the 32 bits is independent
JLM 20060105 12:16
59
SHI-2 Finding Collisions
• What inputs make IF and MAJ act like Todoand XOR
– B(i)’= B(i), C(i)’= C(i), D(i)’= D(i)
– Single bit change in B(i), e.g. B(i) 21.
– Single bit change in C(i)31 or D(i)31, e.g. C(i) 231 or D(i) 231 or both.
• The mask becomes probabilistic: We can find a pattern that has the
probability with p=2-24 from these. Must check every perturbation has
foregoing effect: 2,6,14,16,17,18,19,21,22,26,27,28,35,37,41,45,48,
51,54,55,56,58,59,62,63,68,69,70,71,72.
• Perturbations in positions 2, 6 occurs with p=2-6. Try many W(15).
• Collision!
1a6191b0
062ec496
2270fdbd
002831a9
3c4a331c
48611ca8
2a8090f0
50fe1535
JLM 20060105 12:16
1f228ea2
583401bc
4b12fd98
61ac0d3d
403b7609
399879d0
473cc7a1
f26700ec
04
4d9
acc
fa
60
SHI-3
• Change the Xor back to add and f back to linear
• Perturbation in bit 1 of W(i) leading to corrections in W31(i+3),
W31(i+4), W31(i+5).
• To prevent carries, non linear constraints must hold on W1(i),
W6(i+1), W1(i+2).
• So we fix these.
• Collision
53c29e14
0c0abc30
0da433ac
1a3f8b70
44fe051b
3806260d
6337b011
0e7a4620
JLM 20060105 12:16
4a8ce882
76cbeb2f
1041e2a9
25e81245
576e1943
1b8379a8
20b44364
289acb2b
91
8bfe
e596
9382aa9
61
SHA-0
•
•
•
•
Perturbations must be inserted without carry.
Case in SHI-2 where bit 31 in both C and D flip doesn’t work
Yields two good patterns with probability 2-69.
Trick to suppress perturbations in rounds 16 and 17 reduces
probability to 2-61.
• Probability of finding on is 2-22 using basic 2-14 collision
• Partial Collision (35 rounds)
78fb1285
4a4d1c83
a08e7920
38bef788
77a2dc84
186e8429
16a3e469
2274a40c
4035a90b
74326988
2ed4213d
4c14e934
b61f0b39
7f220f79
4a75b904
cee12cec
97
19fa7
29ac
6a
• None of this works in SHA-1 because of interleaved bits.
JLM 20060105 12:16
62
SHA-0 Finding Collisions
• Change the Xor back to add
• Prob of finding on is 2-22 using basic 2-14 collision
• Partial Collision (35 rounds)
78fb1285
4a4d1c83
a08e7920
38bef788
77a2dc84
186e8429
16a3e469
2274a40c
JLM 20060105 12:16
4035a90b
74326988
2ed4213d
4c14e934
b61f0b39
7f220f79
4a75b904
cee12cec
97
19fa7
29ac
6a
63
SHA-0 Collisions --- Comments
• Message Expansion: Wi-3Wi-8Wi-14Wi-16 means any round can be
determined from any consecutive 16 rounds of message expansion.
• The expanded rounds (all 80) can be represented using a linear
transformation, A on 512 bits: (w, Aw, A2w, A3w, A4w)T.
• When the round functions are linearized, a change in bit j of word Wi
can be “corrected” by changes in bits j+6, j, j+30, j+30, j+30 in rounds
i+1, i+2, i+3, i+4 and i+5.
• When the round functions are replaced by their non-linear versions a
change in bit 1 can be corrected by the same pattern with probability
between 2-2 and 2-5. If change is made to position j1, the probability
of correction is reduced by 2-3.
• For SHA-1, because of rotation, one bit change propagates to 107
bits in expansion.
JLM 20060105 12:16
64
SHA-0 Biham and Chen
• Introduces “disturbance vectors”
– Collision when last 5 vectors is 0
• Full collision on 65 rounds
• 82 round SHA-0 is weaker than 80 round
• Neutral Bits: Bit i is neutral if disturbance pattern
unchanged with complemented i.
• 2-neutral set. Size k(r) of maximal 2-neutral set.
JLM 20060105 12:16
65
Other Cryptographic Hashes and
Performance
Hash Name
Block Size
Relative Speed
MD4
128
1
MD5
128
.68
RIPEMD-128
128
.39
SHA-1
160
.28
RIPEMD-160
160
.24
JLM 20060105 12:16
66
Padding
• Standard technique
– Let last message block have k bits. If k=n, make a
new block and set k= 0.
– Append a 1 to last block leaving r=n-k-1 remaining bits
in block.
– If r64, append r-64 0s then append bit length of input
expressed as 64 bit unsigned integer
– If r<64, append n-r 0’s (to fill out block), append n-64
0’s at beginning of next block then append bit length of
input expressed as 64 bit unsigned integer
JLM 20060105 12:16
67
Winnowing and Chaffing (Rivest)
•
•
Want to send 1001. Pick random stream (mi) and
embed message at positions (say) 3, 7, 8 14 MAC
each packet (mmi).
Make sure MAC is correct only in message
positions
JLM 20060105 12:16
68
Lai-Massey
• Assume the padding contains the length of the input string
and that the input to the CH function, h, is at least two
blocks long. Finding a 2nd pre-image for h with fixed IV
requires 2n operations iff finding a 2nd pre-image for the
compression function, f, with arbitrarily chosen Hi-1
requires 2n operations where n is the number of bits of h’s
output.
JLM 20060105 12:16
69
Breaking news on Hashes
•
•
•
•
•
Don’t use MD4 or you’ll look really, really, silly.
Don’t use MD5.
Don’t use RIPEMD-128
SHA-1 appears to have collision attacks of the order
261
Use SHA-2 functions
– Truncate to provide legacy compatibility if you have
to (i.e. – gun to head)
– Required by “Suite B” Standards
JLM 20060105 12:16
70
Message Expansion
• Process of expanding from 16 32 bit words to 80 32 bit words in the
compression function is called message expansion
– MD5
• Permutations
– SHA-0
• Linear code (LFSR)
– SHA-1
• Linear code with rotation
• Has profound effect on possible disturbance vectors in Differential
attacks
• Being studied to provide greater protection
• Replace xor with modular addition to prevent codeword difference
propagation
• Conditions on chaining variables for local collision (Probability
between 2-39 and 2-42)
JLM 20060105 12:16
71
SHA-2
•
FIPS 180-2, 8/02.
–
–
Defines SHA-256, SHA-384, SHA-512.
SHA-224 (truncated) added 2/04
•
Great increase in mixing between bits of the words
compared to SHA-1.
•
US Patent 6,829,355
•
•
•
Inventor: Glenn Lilly
Assignee: NSA
Can obtain source from
– http://en.wikipedia.org/wiki/SHA-2
JLM 20060105 12:16
72
SHA-256
//Initialize variables:
h0 := 0x6a09e667
//232 times the square root of the first 8 primes 2..19
h1 := 0xbb67ae85, h2 := 0x3c6ef372, h3 := 0xa54ff53a, h4 := 0x510e527f
h5 := 0x9b05688c, h6 := 0x1f83d9ab,h7 := 0x5be0cd19
//Initialize table of round constants:
k(0..63) :=
//232 times the cube root of the first 64 primes 2..311
•
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b,
0x59f111f1, 0x923f82a4, 0xab1c5ed5,
•
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74,
0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
•
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f,
0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
•
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3,
0xd5a79147, 0x06ca6351, 0x14292967,
•
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354,
0x766a0abb, 0x81c2c92e, 0x92722c85,
•
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819,
0xd6990624, 0xf40e3585, 0x106aa070,
•
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3,
0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
•
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa,
0xa4506ceb, 0xbef9a3f7, 0xc67178f2
JLM 20060105 12:16
73
SHA-256
//Pre-processing:
append a single "1" bit to message
append "0" bits until message length ≡ 448 ≡ -64 (mod 512)
append length of message (before pre-processing), in bits as 64-bit big-endian
integer to message
//Process the message in successive 512-bit chunks:
break message into 512-bit chunks;
For(each chunk)
break chunk into sixteen 32-bit big-endian words w(i), 0≤i≤15
//Extend the sixteen 32-bit words into sixty-four 32-bit words:
for i from 16 to 63
s0 := (w(i-15>>>7)(w(i-15)>>>18)(w(i-15)>>3)
s1 := (w(i-2)>>>17)(w(i-2)>>>19)(w(i-2)>>10)
w(i) := w(i-16)+s0+w(i-7)+s1
//Initialize hash value for this chunk:
a := h0, b := h1, c := h2, d := h3, e := h4, f := h5,
JLM 20060105 12:16
g := h6,
h := h7
74
SHA-256
//Main loop:
for 0 i 63
s0:= (a>>>2)(a>>>13)(a>>>22)
maj:= (ab)(bc)(ca)
t0:= s0+maj
s1:= (e>>>6)(e>>>11)(e>>>25)
ch:= (ef)((e)g)
t1:= h+s1+ch+k(i)+w(i)
h:= g, g := f, f := e, e := d t1,
d:= c, c := b, b := a, a := t0+t1
//Add this chunk's hash to result so far:
h0:= h0+a, h1:= h1+b , h2:= h2+c, h3:= h3+d
h4:= h4+e, h5:= h5+f, h6:= h6+g, h7:= h7+h
//Output the final hash value (big-endian):
digest = hash = h0||h1||h2||h3||h4||h5||h6||h7;
JLM 20060105 12:16
75
Chinese Attack-1
Find M, M': H(M)=H(M'). Select
Message difference M'=MD
Differential path bi'=biDbi
For MD5: Hi= f(Hi-1, Mi), 0i<16,
f: (a,b,c,d, wi, wi+1, wi+2, wi+3) is computed as follows:
a= b+((a+yi(b,c,d)+wi+ ti)<<<si),
d= a+((d+yi+1(a,b,c)+wi+1+ti+1)<<<si+1),
c= d+((c+yi+2 (d,a,b)+wi+2+ti+2)<<<si+2),
b= c+((b+yi+3(c,d,a)+wi+3+ti+3)<<<si+3).
JLM 20051124 14:16
76
Chinese Attack-2
yi (X,Y,Z)= (XY)(XZ), 0i15,
yi(X,Y,Z)= (XZ) (YZ), 16i31,
yi (X,Y,Z)= (XYZ), 32i47,
yi (X,Y,Z)= Y(XZ), 48i63 and
wi is the expanded message, wi, ti are round dependant constants.
Now, define DX = X'-X.
D H0 [(M0, M0‘)] DH1[(M1, M1‘)] DH2 …[(Mi-1, M i-1 ‘)]
D DHi= H with each composed of
DHi[P2 ]DR i+1,1 [P2] DR i+1,2 [P3]DR i+1,3 [P4]DR i+1,4= DH i+1.
JLM 20051124 14:16
77
Chinese Attack-3
• Let Di,j=x i,j’-x i,j=±1 and Dxi [ j1, j2, …,jl ]= xi [j1, j2, … , jl]-xi.
• Collision is caused by 1024 bit input: (M0, M1) with
DM0= (0,0,0,0,231, 0,0,0,0,0,0,215,0,0,231,0)
DM1= (0,0,0,0,231, 0,0,0,0,0,0,-215,0,0,231,0).
• Sufficient conditions insure that differential holds with high
probability.
• At 8th iteration, b2= c2+(b1+F(c2,d2,a2)+m7+t7)<<<22
• Try to control (Dc2 , Dd2, Da2, Db1)  Db2 as indicated in
next slide
JLM 20051124 14:16
78
Chinese Attack-4
(A) Non-zero bits of Db2:
d2,11=1, b2,1=0,
d2,26= overline a2,26=1, b2,16=0.
d2,28= overline a2,28=0, b2,i=0.
d2,11=1, b2,24=0.
(B) Zero bits of Db2:
c2,i=0, d2,i= a2,I, c2,i=1.
d 2,6 =overline a2,6 =0.
d2,i= 0, d2,12= 1, a2,24= 0.
7th bit of c2, d2, a2 result in no change in b2.
JLM 20051124 14:16
79
Chinese Attack-5
Algorithm
1: Repeat until first block is found
(a) Select random M0,
(b) Modify M0,
(c) M0, M0'= M0+DM0 produce DM0  (DH1, DM1) with probability 2-37,
(d) Test characteristics.
2: Repeat until first block is found
(a) Select random M1,
(b) Modify M1,
(c) M1, M1'= M1+DM1 produce DM1 0 with probability 2-30
(d) Test characteristics.
JLM 20051124 14:16
80
SHA-2
•
FIPS 180-2, 8/02.
– Defines SHA-256, SHA-384, SHA-512.
– SHA-224 (truncated) added 2/04
•
Great increase in mixing between bits of the words
compared to SHA-1.
•
US Patent 6,829,355
– Inventor: Glenn Lilly
– Assignee: NSA
•
Can obtain source from
– http://en.wikipedia.org/wiki/SHA-2
JLM 20060212 14:16
81
SHA-256 Definitions
Ch(x,y,z)= (xy)(xz),
Maj(x,y,z)= (xy) (xz) (yz).
y256{i, j, k}(x)= ROTRi(x)ROTRj(x)ROTRk(x),
y256{i, j, k}(x)= ROTR i(x)ROTR j(x)SHRk(x).
S0256(x)= y256{2, 13, 22}(x),
S1256 x)= y256{6, 11, 25}(x).
s0256(x)= y256{7, 18, 3}(x),
s1256(x)= y256{17, 19, 10}(x).
JLM 20051124 14:16
82
SHA-512 Definitions
Ch(x,y,z)= (xy)(xz),
Maj(x,y,z)= (xy)(xz)(yz).
y512{i, j, k}(x)= ROTRi(x)ROTRij(x)ROTRk(x),
y512{i, j, k} (x)= ROTRi(x)ROTRj(x)SHRk(x).
S0512 (x)= y512{28,34,39}(x),
S1512(x)= y512{14, 18, 41}(x).
s0512(x)= y512{1,8,7}(x),
s1512 (x)= y512 {19, 61, 6}(x).
JLM 20051124 14:16
83
SHA-256
SHA-256(M1||M2||…||MN):
for(i=1; iN; i++) {
Wt= Mt(i) , 0t15,
Wt = s1256(Wt-2)Wt-7s0256(Wt-15)Wt-1,16t63;
a= H0(i-1); b= H1(i-1); c= H2(i-1); d= H2(i-1);
e= H4(i-1); f= H5(i-1); g= H6(i-1); e= H7(i-1);
for(t=0; t<64;t++) {
T1=h+s1256(e)+Ch(e,f,g)+Kt256+Wt; T2=s0256(a)+Maj(e,f,g);
h= g; g= f; f=e; e= d+T1; d=c;
c=b; b=a; a= T1+T2;
}
H0(i)= a+H0(i-1);H1(i)= b+H1(i-1);H2(i)= c+H2(i-1);H3(i)= d+H3(i-1);
H4(i)= e+H4(i-1);H5(i)= f+H5(i-1);H6(i)= g+H6(i-1);H7(i)= h+H7(i-1);
}
• SHA-512 is the same except there are 79 rounds and the words are 64
bits long.
JLM 20051124 14:16
84
Other Cryptographic Hashes and
Performance
Hash Name
Block Size
Relative Speed
MD4
128
1
MD5
128
.68
RIPEMD-128
128
.39
SHA-1
160
.28
RIPEMD-160
160
.24
JLM 20060212 14:16
85
What to take home
•
Symmetric ciphers and hashes provide key ingredients
for “distributed security”
–
–
–
•
Fast data transformation to provide confidentiality
Integrity
Public key crypto provides critical third component (trust
negotiation, key distribution)
It’s important to know properties of cryptographic
primitives and how likely possible attacks are, etc.
–
–
Most modern ciphers are designed so that knowing output of n-1
messages provides no useful information about nth message.
This has an effect on some modes of operation.
JLM 20060212 14:16
86
SHA-3 Competition
JLM 20090310
87
Notes
•
•
•
•
•
•
•
•
Message expansion and related key attacks
Rebound attacks, bottleneck attacks (FSE 2009)
Extension attacks: permutations, output function
Multicollision resistance
Indifferentiability attacks
Bijective Feistel  5R impossible differential
Matsui: How far can we go on the x64. FSE 2006, v4047.
Matsui: Power of bitslice. CHES 2007, v4727.
JLM 20090222
88
Haifa
• Dean 2nd Pre-image on fixed points
• H=EM-1(0)
1. Find 2mc/2 fixed points, A= (h,m)
2. Find 2mc/2 single block outputs B= CMD(IVM|m’)
3. Obtain collision
• hi+1= C(hi,Mi,nBitsSoFar,salt)
• Wide path. C1: {0,1}mc x {0,1}n  {0,1}mc; C2: {0,1}mc  {0,1}n.
JLM 20090222
89
RadioGatun
• Compression (state, message to
state)
• Expand (message expansion, 35x)
• IMF has given capacity lc
• Alternating input construction
– Internal collision
– State guessing
– Decorrelation
– Difference propagation
• Operates on ls bit state
• State guess infeasible implies that
pre-image is infeasible
JLM 20090222
Alternating input construction
• In: li-bit input blocks. p0, … , pnp-1
• Out: lo-bit input blocks. z0, … , znz-1
• R is round function
S= 0;
for(i=0;i<np;i++) {
T= SFi(pi);
S= R(T);
}
for(i=0;i<nb;i++)
S= R(T);
for(i=0;i<np;i++) {
S= R(S);
zi= F0(S);
}
90
Blake
salt
chain value
ctr
Init
• Haifa design.
h0= IV
for(i=0;i<N;i++)
hi= compress(hi,mi,s,li)
• Gi(a,b,c,d):
– a= a+b+(msr(2i) csr(2i))
– d= (da)>>>16
– c= c+d
– b= (bc)>>>12
– a= a+b+(msr(2i+1) csr(2i+1))
– d= (da)>>>8
– c= c+d
– b= (bc)>>>7
JLM 20090222
M
Rounds
•
•
•
•
•
•
•
•
ctr
salt
Final
next chain value
h0’= h0s0v0v8
h1’= h1s1v1v9
h2’= h2s2v2v10
h3’= h3s3v3v11
h4’= h4s4v4v12
h5’= h5s5v5v13
h6’= h6s6v6v14
h7’= h7s7v7v15
v0 v1 v2 v3
v4 v5 v6 v7
v8 v9 v10 v11
v12 v13 v14 v15
h0
h4
c0s0
c4t0
h1
h2
h3
h5
h6
h7
c1s1 c2s2 c3s3
c5t1 c6t2 c7t3
91
Grostl
•
•
•
•
•
•
h0= IV, hi= f(hi-1,mi), H(M)= G(ht).
Compression: f(h,m)= P(hm) Q(m) h
G(x)=truncn(P(x) x)
R(x)=Mix(Shift(Subbyte(AddRoundKey(x))))
Mix: 8 x 8 MDS over GF(28)
P and Q only differ by use of constants in 10
rounds of applying R(x).
Mt
Hi-1

P
Q

Hi
JLM 20090222
92
Sponge
• A sponge function takes a variable length input, p, of
characters from A and produces an infinite length
output z, zj A , f: A x C  A, |p|1 and final character
is 0. State is S=(SA,SC).
–
–
–
–
–
–
–
–
–
Absorbing: S= f(SA+pi,SC)
Squeezing: S=f(S).
Rate: lg(|A|).
Capacity: lg(|C|).
Sf[p]: state after absorbing p.
zj= SA,f[p|0j].
State collision: Sf[p]=Sf[q].
Inner collision: Sf,c[p]=Sf,c [q].
Simultates Random oracle
JLM 20090222
93
T/P-Sponge
• A P-sponge is a permutation selected uniformly and randomly from
(AC)!.
• A T-sponge is a function selected uniformly and randomly from
(AC)AC.
• Theorem: The output returned by a random sponge to a sequence of
queries are uniformly and randomly distributed if no inner collision
occurs.
• Theorem: The probability of success of distinguishing between a RS
and a random oracle (RO) is P  ½+½P(IC|RS). For a randome Tsponge, P(IC)=1-exp(-Si=1q i/|C|)
• 2nd pre-image: Find 2nd path to some inner state: T=SC,f[p’]
Case
Inner collision
T-sponge
[q(q+1)]/[2|C|]
P-sponge
[q(q+1)]/[2|C|]
- [q(q-1)]/[2|A||C|]
JLM 20090222
Path Find
Out cycle
Out bind
(rm>c)
Out bind
(rm<c)
q/|C| [q(q+1)]/[2|C||A|]
( N/|C|) [|A|1]/A)
( N/|C|)
[|A|-1]/Am)
( N/|C|) [|A|1]/A)
( N/|C|)
[|A|-1]/Am)
[q(q+4)]/[4|C|]
-[q2]/[4|A||C|]
q/[|A||C|]
94
Sponge
r
c
SA
SC
• r is bit rate
• c is capacity

p0
f
absorbing
SA
z0
SC

f
squeezing
JLM 20090222
95
Sponge
• Theorem: A random sponge can only be distinguished from a
random oracle by the presence of an inner collision which is
unlikely if q<<2c/2.
• Theorem: A random sponge can be differentiated from a random
oracle with probability p ~
– q (q+1) 2-(c+1), N<2c.
T
P
Output collision
2(min(n,c)+3)/2
2(min(n,c)+3)/2
Pre-image
2n
min(2c/2+2n, 2n)
2nd pre-image
min(2c/l, 2n)
min(2(min(n,c)+3)/2, 2n)
JLM 20090222
96
Sponge
• Simulate:: make interface the same as to an ideal
compression function, F.
• Def: A Turing Machine C with oracle access to an
ideal primitive, F, is said to be (tD, tS, q, e)indifferentiable from an ideal primitive, G, if there is a
simulator P[G] such that "D ,|Pr[D[C(F); F]=1]Pr[D[G,P[G]]=1]; F]=1]|<e.
JLM 20090222
97
Keccak
• Keccak-f(r+c). r+c= 25, 50, 100, 200, 400,800, 1600
– r=1024, c=575
– r=512, c=1088
• State: 5 x 5 x 2l bits
– q for diffusion
– r for inter slice dispersion
– p for disturbing vertical/horizontal alignment
– c for non-linearity
– i for symmetry breaking
JLM 20090222
98
Keccak
c:
for(y=0; y<5; y++){
for(x=0;x<5;x++)
A[x][y]= a[x][y]((a[x+1][y]) a[x+2][y]);
}
q:
for(x=0; x<5; x++){
p[x]= a[x][0];
for(y=0;y<5;y++)
p[x]= a[x][y]p[x];
}
for(x=0; x<5; x++){
p[x]= p[x-1] p[x+1]<<1;
for(y=0;y<5;y++)
p[x]= a[x][y]p[x];
}
JLM 20090222
99
Keccak
p:
for(x=0;x<5;x++) {
for(y=0; y<5; y++)
[X, Y]T= [0 1] [X, Y]T
[2 3]
}
A[X][Y]= a[X][Y]
r:
A[0][0]= a[0][0]; [X, Y]T= [1, 0]T;
for(t=0; t<5; t++){
A[x][y]= a[x][y]<<<[(t+1)(t+2)]/2;
}
i:
Add round constants;
JLM 20090222
100
Lane
•
•
•
•
•
•
•
•
•
•
IVn,S= f(0,f||bin32(n)||0k|S,0), fis the salt.
P-6 round, Q- 3 round.
Mi= m1 || m2 || m3 || m4
Hi= h0 || h1
W0= h0 m0 m1 m2 m3 || h1 m0 m2
W1= h0 h1 m0 m2 m3 || h0 m1 m2
W2= h0 h1 m0 m1 m2 || h0 m0 m3
W3= h0 || h1
W4= m0 || m1
W5= m2 || m3
JLM 20090222
101
Lane
Hi-1
M
E
P0
P1
P2
P3

Q0
P4
P5


Q1
Hi
JLM 20090222
102
Lane
•
•
•
•
•
•
•
•
•
•
•
•
•
Round(r, X)
1: X ← SubBytes(X)
2: X ← ShiftRows(X)
3: X ← MixColumns(X)
4: X ← AddConstants(r,X)
5: X ← AddCounter(r,X)
6: X ← SwapColumns(X)
7: return X
function LastRound(X)
1: X ← SubBytes(X)
2: X ← ShiftRows(X)
3: X ← MixColumns(X)
4: X ← SwapColumns(
JLM 20090222
•
•
•
•
•
•
•
function Pj(X)
1: for i = 0 to 4 do
2: r ← 5j + i
3: X ← Round (r,X)
4: end for
5: X ← LastRound(X)
6: return X
•
•
•
•
•
•
•
function Qj(X)
1: for i = 0 to 1 do
2: r ← 30 + 2j + i
3: X ← Round (r,X)
4: end for
5: X ←LastRound(X)
Return x;
103
Lane
•
•
•
•
•
•
•
•
1: k0 ← 07fc703dx
2: for i = 1 to 272 (resp. 768 for Lane-384 and Lane-512) do
3: ki = ki−1 ≫ 1
4: if ki−1 ∧ 00000001x then
5: ki = ki ⊕ d0000001x
6: end if
7: end for
Figure 2.4: Pseudocode
JLM 20090222
104
Shavite
•
•
•
•
Use Haifa mode/MD-construction. Compression: C256, Encrypt: E256.
E: (Li+1, Ri+1) = (Ri, Li F3rk[i](Ri).
F3k0,k1,k2(x)= AESR(0128, AESR(k1, AESR(k2, x k0)))
C256(M, cnt, salt)
– Message expansion
– Repeat 4 times
• Repeat 2 times
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
JLM 20090222
rk[i]= M, i= 0,…,15
i=16
t[0…3]= AESR(0128, rk[i-15], rk[i-14], rk[i-13], rk[i-16]) salt[0…3]
rk[i+j]=t[j] rk[i+j-4]
if(i==16) rk[16]cnt[0]; rk[17]cnt[1];
if(i==84) rk[86]cnt[1]; rk[87]cnt[0];
i+= 4;
t[0…3]= AESR(0128, rk[i-15], rk[i-14], rk[i-13], rk[i-16]) salt[4…7]
rk[i+j]=t[j]rk[i+j-4]
if(i==56) rk[57]cnt[0]; rk[58]cnt[1];
if(i==124) rk[124]cnt[1]; rk[127]cnt[0];
i+= 1;
105
Shavite
Repeat 2 times
1. rk[i]=rk[i-16] rk[i-3]
2. i++;
Pad
M’=M|1|0k|len(M)|len(m)
b= 0;
h0= IV
for(i=0; i<|M|/512; i++)
b+= 512;
hi=C256(hi-1, Mi, b, salt)
if(|M|=0 (mod512))
hl-1=C256(hl-2, Ml, b, salt)
hl=C256(hl-1, Ml, b, salt)
JLM 20090222
106
Shavite
• Message expansion X(M,cnt,salt256)  144 32 bit words rk[0…143]
• Theorem for C256: The exact maximal expected 2 round differential
characteristic has probability (53/234)=1.656 x 2-29. The exact maximal
expected 4 round differential characteristic has probability
(53/234)4=1.881 x 2-114. The best 3 round differential characteristic has
probability <2-49.
• Theorem: Except for the 00 characteristic:
1.
2.
3.
4.
•
•
•
•
There is no iterative 2 round characteristic of E256.
There is no four round characteristic of E256. with probability > 2-147.
There is no 3 round characteristic of E256. with probability > 2-98.
There is no 9 round characteristic of E256. with probability > 2-294.
With MD construction, there is no preimage if block cipher is safe.
In wide pipe need mc2m for safety against pre-image.
Need salt1/2 mc for safety against herding attack.
MIV256= C256(0,0,0,0)
JLM 20090222
107
Skein
Mix
Round-Key0
+
+
Mix
Mix
…
Mix
<<<
Permute

M0
UBI
G
M1

Mk

…

Len
First
Final
JLM 20090222
108
DM/MMO
Hi-1
mi(key)
E
Hi-1 (key)
E


Hi
Hi
• Differential attack on C
• Related key attack on E
JLM 20090222
mi(key)
• Differential attack on C
• Differential attack on E
109
MD6 has…
• Bottom-up tree-based mode of
operation (like Merkle-tree)
• 4-to-1 compression ratio at each node
JLM 20090228
110
MD6 has…
• 1024-bit intermediate (chaining) values
• root truncated to desired final length
• Location (level,index) input to each node
(2,0)
JLM 20090228
(2,1)
(2,2) (2,3)
111
Prepend Constant + Map + Chop
const
15
Prepend
key+UV
data
8+2
64
1-1 map p
89 words
Map
p 89 words
Chop
JLM 20090228
16 words
112
Constants
• Taps 17, 18, 21, 31, 67 optimize diffusion
• Constants Si defined by simple recurrence; change at
end of each 16-step round
• Shift amounts repeat each round (best diffusion of
1,000,000 such tables):
0
1
2
5
6
7
8
ri
10
5
13 10 11 12
2
7
14 15
7
13 11
7
6
12
li
11 24
9
27 15
6
29
8
5
31
9
JLM 20090228
3
4
16 15
9
9
2
10 11 12 13 14 15
15
113
Large Memory (sliding window)
2
•
•
•
3
1
4
5
3
2
1
2
0
3
3
4
2
2
Array of 16r + 89 64-bit words.
Each computed as function of preceding 89 words.
Last 16 words computed are output.
JLM 20090228
114
Small memory (shift register)
89 words
2 3 2 1 5 6 3 2 7 1 3 2 6 3 1 4 0 1


Si
•
•
Shifts
Shift-register of 89 words (712 bytes)
Data moves right to left
JLM 20090228
115
MD6 Description
• Compress
– Input: A[0], …, A[88], A[0]..A[14]- constants, A[15]..A[22] key/level,
A[25]..A[88] – data
– One step:
• for (i=89; i<= 16r+88) {
x= Si A[i-17] A[i-88] (A[i-18]A[i-21) A[i-67]
x= x(x>>ri)
A[i]= x(x<<li)
}
– Output: A[16r+73]..A[16r+88] (64 bit words)
• MD6 proposes 1280 steps
• S0= 0123456789abcdef,
• Si= (S0<<1) (S0>>63) (Si-17311c2812425cfa)
s
0
1
ri
10 5
li
11 24 9
JLM 20090222
2
3
4
5
6
7
8
13 10 11 12 2
7
14 15 7
16 15 9
27 15 6
9
2
10 11 12 13 14 15
13 11 7
29 8
15 5
6
12
31 9
116
End
JLM 20081006
117
Next Quarter
•
•
•
2-4 weeks to cover 16, 17, 18 and results on boolean functions.
Rest on major reports:
–
Full Linear cryptanalysis of DES.
–
Full Differential cryptanalysis of DES.
–
Full Linear and differential cryptanalysis of FEAL.
–
Intro Algebraic cryptanalysis (including SFLASH) – John.
–
An algebraic cryptanalysis.
–
Dobbertin’s attack on MD4.
–
Chinese (Wang et. al) attack on SHA-1.
Other topics (final quarter?)
–
Full factoring attack.
–
Full Elliptic Curve crypto selection, attacks, etc (3 weeks).
–
Full Discrete Log attack.
–
Full Re-estimation attack.
–
Random number analysis.
–
NIST Hash analysis.
–
Full Stream cipher analysis.
JLM 20090201
118