Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Cryptanalysis Lecture Block 5: Cryptographic Hashes John Manferdelli [email protected] [email protected] © 2004-2008, John L. Manferdelli. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only. 1 jlm20090310 Cryptographic Hashes • A cryptographic hash (“CH”) is a “one way function,” h, from all binary strings (of arbitrary length) into a fixed block of size n (called the size of the hash) with the following properties: 1. 2. 3. 4. Computing h is relatively cheap. Given y=h(x) it is infeasible to calculate x. (“One way,” “non-invertibility” or “pre-image” resistance). Functions satisfying this condition are called One Way Hash Functions (OWHF) Given u, it is infeasible to find w such that h(u)=h(w). (weak collision resistance, 2nd pre-image resistance). It is infeasible to find u, w such that h(u)=h(w). (strong collision resistance). Note 43. Functions satisfying this condition are called Collision Resistant Functions (CRFs). JLM 20090310 2 Cryptographic Hashes • h must be compressive (otherwise copy of original binary string satisfies requirement) • Just like symmetric ciphers ratio of work factor for computation of hash vs work factor to break hash should be very high. • Adversary has complete information on computing hash and (obviously) can compute as many hashes from the target as she wants. JLM 20060105 12:16 3 Observations on Cryptographic Hashes • • Hashes are a strong “checksum” OWHF and CRF conditions make CHs satisfy many of the properties of “random functions” – Small changes should create large changes (otherwise the preimage of near neighbors are near neighbors making collisions easy to find) – Small input changes should be statistically unrelated (uncorrelated) to changes in a subset of the hash bits – Analysis of CHs very similar to Symmetric Cipher techniques Popular practical cryptographic hashes – – – MD4, MD5 (now “broken”) SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 (last 4 are “SHA-2”) RIPEMD JLM 20060105 12:16 4 Observations • • Collision Resistance 2nd pre-image resistance Let f(x)= x2-1 (mod p). – f(x) acts like a random function but is not a OWHF since square roots are easy to calculate mod p. • Let f(x)= x2 (mod pq). – f(x) is a OWHF but is neither collision nor 2nd pre-image resistant • • • If either h1(x) or h2(x) is a CRHF so is h(x)= h1(x)||h2(x) MDC+signature & MAC+unknown Key require all three properties Ideal Work Factors: Type Work Property OWHF 2n Pre-image 2nd Pre-image CRHF 2n/2 Collision MAC 2t Key recovery, computational resistance JLM 20060105 12:16 5 What are Hash Functions Good for? • Modification Detection Codes (MDCs): This is a strong checksum (integrity check). Sometimes called “unkeyed” hashes. • Message Authentication Code (MACs): If shared secret is part of the hash, two parties can determine authenticated integrity with CHs. Called “keyed hashes”. • Message Digests (MDs): Encrypting (with private key) the CH of a message (its MD) acts as a certification that the message was “approved” by possessor of private key. This is called a Digital Signature. [Note: you could “sign’ the whole message rather than the hash but this would take oodles of time by comparison.] JLM 20060105 12:16 6 What are Hash Functions Good for? • Uniquely and securely identifies bit streams like programs. Hash is strong name for program. • Entropy mixing: Since CHs are random functions into fixed size blocks with the properties of random functions, they are often used to “mix” biased input to produce a “seed” for a psuedo-random number generator. • Password Protection: Store salted hash of password instead of password (Needham). • Bit Commitment JLM 20060105 12:16 7 MACs using Hashes • • • Prefix and suffix attacks Hash(k1, Hash(k2, m)) Hash(k|p|m|k) • HMACK(x)= SHA-1(Kopad||SHA-1(Kipad)||x) JLM 20060105 12:16 8 One-Way Functions Hashes come from two basic classes of one-way functions – Mathematical • Multiplication: Z=X•Y • Modular Exponentiation: Z = YX (mod n) (Chaum vP Hash) – Ad-hoc (Symmetric cipher-like constructions) • Custom Hash functions (MD4, SHA, MD5, RIPEMD) JLM 20060105 12:16 9 Attacks on Cryptographic Hashes • Birthday (Yuval) attacks – Probability of collision determined by “Birthday Paradox” calculation: • (1- 1/n) (1- 2/n) … (1-(k-1)/n)= (n!/k!)/nk • Probability of collision is >.5 when k2 > n. • Need 280 blocks for SHA. • 1+x c ex, Pi=1i=k (1-i/n) c e-k(k-1)/(2n) • Dobbertin Attacks on MD4 • Attacks on 2nd preimage – (Old) If you hash 2t messages, the average work to find a 2nd primage is 2n-t – (New) If you hash 2t blocks, the average work to find a 2nd primage is t2n/2+1+ 2n-t+1 [Kelsey Schneier] – Appending length doesn’t help against 2nd pre-image attacks JLM 20060105 12:16 10 Attacks on Hashes • Selective and Existential Forgery • Key Recovery for MAC • Chaining – Meet in Middle – Fixed Point • Padding • Differential JLM 20060105 12:16 11 Attacks on Cryptographic Hashes • Berson (1992) using differential cryptanalysis on 1 round MD-5. • Boer and Bosselaers (1993), Pseudo collision in MD5. • Dobbertin (1996), Collisions in compression function. Attacks inspired RIPEMD proposal. • Biham and Chen (2004), Collisions in SHA-0. • Chabaud and Joux (2004), Collisions in SHA-0 . • Wang, Feng, Lai, Yu, (2004), MD4, MD5, RIPEMD • Wang et al, (2004, 2005), SHA-1 • SHA-1 has stood up best: best known theoretical attack (11/05) requires 263 operations. JLM 20060105 12:16 12 Birthday Attacks • Probability of collision determined by “Birthday Paradox” calculation: – (1-1/n) (1-2/n) … (1-(k-1)/n)= (n!/k!)/nk – Probability of collision is >.5 when k2 > n. – Need 280 blocks for SHA. – 1+x c ex, Pi=1i=k (1-i/n) c e-k(k-1)/(2n) JLM 20060105 12:16 13 Chaum-vanHeijst-Pfitzmann Compression Function • Suppose p is prime, q=(p-1)/2 is prime, a is a primitive root in Fp, b is another primitive root so ax=b (mod p) for some unknown x). • g: {1,2,…,q-1}2 {1,2,…,p-1}, q=(p-1)/2 by: – g(s, t) = as bt (mod p) • Reduction to discrete log: Suppose g(s, t)= g(u, v) can be found. Then as bt (mod p)= au bv (mod p). So as-u (mod p)= bv-t (mod p). Let b= ax (mod p). Then (s-u)=x(y-t) (mod p-1). But p-1= 2q so we can solve for x, thus determining the discrete log of b. JLM 20060105 12:16 14 Merkle/Damgard Construction Hi-1 Padded n bit blocks Compression Function (f) Input: x=x1||…||xt Input is usually padded H0= IV Hi= f(Hi-1, xi) h(x)= g(ht) Hash Value Graphic by Josh Benaloh JLM 20060105 12:16 15 Proofs about compression function • Theorem: If g: {0,1}m {0,1}n, for a sequence of n bit blocks, x= x1, x2, …, xt, we can define a hash function h: {0,1}* {0,1}n by H0= c, Hi+1= g(Hi||xi) with h(x)=Ht. h is collision resistant if g is. – Proof: Let x= x1, x2, …, xt and x’= x1’, x2’, …, xt’’ be two strings with h(x)=h(x’) and let Hi, Hi’ be the intermediate values. Suppose there is an i<t: Ht-i=Ht’-i’ and Ht-i-1Ht’-i-1’. Then g(Ht-i-1||xi)= g(Ht-i-1’||xi’) so g is not collision resistant. Otherwise Hi=Hi’ and either xi=xi’, it, in which case there is nothing to prove or some xixi’(but then g(Hi||xi) = g(Hi’||xi’) and again g is not collision resistant) or g(Ht-1)= g(Hj’||xj’), j>t and again g is not collision resistant. JLM 20081026 16 Technique for CHs from Block Ciphers Let input be x= x1||x2|| … ||xt where each xi is n bits long. Let g be a function taking an n bit input to an m bit input. Let E(k, x) be a block cipher with m bit keyspace and n bit block. Let H0= IV. Construction 1: Hi= E(g(Hi-1), xi)Hi-1 Construction 2: Hi= E(xi, Hi-1)Hi-1 Construction 3: Hi= E(g(Hi-1), xi)xiHi-1 Note: Because of collisions n should be >64. Ideally, m=n and g= id. DES with n= 64 is too small. AES with n=m=128 is better. JLM 20060105 12:16 17 DM/MMO constructions for block ciphers Hi-1 mi(key) E Hi-1 (key) E Hi Hi • Differential attack on C • Related key attack on E JLM 20090222 mi(key) • Differential attack on C • Differential attack on E 18 Nostradamus (“herding") attack • Let h be a Merkle-Damgard hash with compression function f and initial value IV . Goal is to hash a prefix value (P) quickly by appending random suffixes (S). • Procedure – Phase 1: Pick k, generate K= 2k random d0i from each pair of the values f(IV ||di,i+1) and two messages M0,j ;M1,j which collide under f . Call this value d1,j this takes effort 2n/2 for each pair. Do this (colliding di,j ; di+1,j under Mi,j ;Mi+1,j to produce di,j+1 until you reach dK,0). This is the diamond. – Publish y = w(dK,0) where w is the final transformation in the hash as the hash (i.e. - claim y = h(P||S). JLM 20060105 12:16 19 Diamond structure h(0,0) h(0,1) M0 h(1, 0) h(0,2) h(0,3) P M5 M7 h(1, 1) h(2,0) h(0,4) h(0,5) h(1, 2) Published hash h(0,6) h(0,7) JLM 20081028 h(1, 3) h(2, 1) h(3,0) w(h(3,0)) 20 Nostradamus (“herding") attack • The cost of phase 1 is (2k -1)2n/2. • In phase 2, guess S’ and compute T = f(IV||P||S’). • Keep guessing until T is one of the dij. Once you get a collision, follow a path through the Mij to dK,0. Append these Mij to P||S’ and apply w to get right hash. • Total cost: W= 2n-k-1+2n/2+k/2+k2n/2+1. k=(n-5)/3 is a good choice. For 160 bit hash, k=52. JLM 20060105 12:16 21 Multicollision (Joux) • Iterative construction is vulnerable to multi-collision • Suppose M1;M1’; M2;M2’; …; Mt;Mt’ all collide. • From these we get 2t collisions. • If r people each have one of N possible birthdays, there is a greater than 50% chance of k collisions if r>Nk, k= k-1/k. JLM 20060105 12:16 22 Random Oracle Model • Let f be a OWF with trapdoor, (y1, y2) = (f(r); h(r)+m) is used as encryption. • An oracle with i requests L. • Pr(guess right) = P(rL)+½ P(rL). • Set p = 1/2+e, • ePr(rL). • Canetti, Goldreich, Halevi constructed cryptosystem that is secure in the Random Oracle model but any secure for any concrete hash. JLM 20081024 23 A Cryptographic Hash: SHA-1 Picture from Wikipedia JLM 20060105 12:16 24 A Cryptographic Hash: SHA-1 (IV ) – 160 bits 512-bit Input Compression Function 160-bit Output JLM 20060105 12:16 Slide by Josh Benaloh 25 A Cryptographic Hash: SHA-0/1 Picture from Wikipedia JLM 20060105 12:16 26 A Cryptographic Hash: SHA-1 • Depending on the round, the “non-linear” function f is one of the following. f(X,Y,Z) = (XY)((X)Z) f(X,Y,Z) = (XY)(XZ)(YZ) f(X,Y,Z) = XYZ JLM 20060105 12:16 27 A Cryptographic Hash: SHA-1 What’s in the final 32-bit transform? • Take the rightmost word. • Add in the leftmost word rotated 5 bits. • Add in a round-dependent function f of the middle three words. • Add in a round-dependent constant. • Add in a portion of the 512-bit message. JLM 20060105 12:16 28 SHA-0 A= 0x67452301, B= 0xefcdab89, C= 0x98badcfe, D= 0x10325476 E= 0xc3d2e1f0 Ft(X,Y,Z)= (XY)((X)Z), t= 0,…,19 Ft(X,Y,Z)= XYZ, t= 20,…,39 Ft(X,Y,Z)= (XY)(XZ)(YZ), t= 40,…,59 Ft(X,Y,Z)= XYZ, t= 60,…,79 Kt= Kt= Kt= Kt= 0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xca62c1d6, t= 0,…,19 t=20,…,39 t= 40,…,59 t=60,…,79 JLM 20060105 12:16 Absence of this term is only difference between SHA-0 and SHA-1 Do until no more input blocks { If last input block Pad to 512 bits by adding 1 then 0s then 64 bits of length. Mi= input block(32 bits) i= 0,…,15 Wt= Mt, t= 0,…,15; Wt= (Wt-3Wt-8Wt-14Wt-16) <<<1, t= 16,…,79 a= A; b= B; c= C; d= D; e= E; for(t=0 to 79) { x= (a<<<5)+ft(b,c,d)+e+Wt+Kt e= d; d=c; c= b<<<30; b=a; a= x; } A+= a; B+=b; C+= c; D+= d; E+= e; } 29 SHA-1 Message expansion A= 0x67452301, B= 0xefcdab89, C= 0x98badcfe, D= 0x10325476 E= 0xc3d2e1f0 Ft(X,Y,Z)= (XY)((X)Z), t= 0,…,19 Ft(X,Y,Z)= XYZ, t= 20,…,39 Ft(X,Y,Z)= (XY)(XZ)(YZ), t= 40,…,59 Ft(X,Y,Z)= XYZ, t= 60,…,79 Kt= Kt= Kt= Kt= 0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xca62c1d6, t= 0,…,19 t=20,…,39 t= 40,…,59 t=60,…,79 JLM 20060105 12:16 Do until no more input blocks { If last input block Pad to 512 bits by adding 1 then 0s then 64 bits of length. Mi= input block(32 bits) i= 0,…,15 Wt= Mt , t= 0,…,15; Wt= (Wt-3Wt-8Wt-14Wt-16)<<<1, t= 16,…,79 a= A; b= B; c= C; d= D; e= E; for(t=0 to 79) { x= (a<<<5)+ft(b,c,d)+e+Wt+Kt e= d; d=c; c= b<<<30; b=a; a= x; } A+= a; B+=b; C+= c; D+= d; E+= e; } 30 MD4 and Dobbertin • Invented by Rivest, ca 1990 • Weaknesses found by 1992 – Rivest proposed improved version (MD5), 1992 • Dobbertin found 1st MD4 collision in 1998 – Clever and efficient attack – Nonlinear equation solving and differential Slide by Mark Stamp 31 MD4 Algorithm • After padding message is a multiple of the 512-bit block size – Also a multiple of 32 bit word size • Let N be number of 32-bit words • Message M = (Y0,Y1,…,YN1) – Each Yi is a 32-bit word • 32-bit words • Little-endian convention – Leftmost byte is low-order (relevant when generating “meaningful” collisions) • Pad M so length is 448 (mod 512) – Single “1” bit followed by “0” bits – At least one bit of padding, at most 512 – Length before padding (64 bits) is appended Slide by Mark Stamp 32 MD4 Algorithm • For 32-bit words A,B,C, define F(A,B,C) = (AB)(AC) G(A,B,C) = (AB)(AC)(BC) H(A,B,C) = ABC where , , , are AND, OR, NOT, XOR • Define constants: K0 = 0x00000000, K1 = 0x5a827999, K2 = 0x6ed9eba1. • Let Wi, i = 0,1,…47 be (permuted) inputs, Yj Slide by Mark Stamp 33 MD4 Algorithm 34 MD4 Algorithm • Round 0: Steps 0 thru 15, uses F function • Round 1: Steps 16 thru 31, uses G function • Round 2: Steps 32 thru 47, uses H function Slide by Mark Stamp 35 MD4: One Step • Where Slide by Mark Stamp 36 Dobbertin’s attack strategy • Specify a differential condition • If condition holds, probability of collision • Derive system of nonlinear equations: solution satisfies differential condition • Find efficient method to solve equations • Find enough solutions to yield a collision • Find one-block collision, where M= (X0,X1,…,X15), M= (X0,X1,…,X15) • Difference is subtraction mod 232 • Blocks differ in only 1 word – Difference in that word is exactly 1 • Limits avalanche effect to steps 12 thru 19 – Only 8 of the 48 steps are critical to attack! – System of equations applies to these 8 steps Slide by Mark Stamp 37 Notation • Suppose (Qj,Qj1,Qj2,Qj3) = MD40…j(IV,M) and (Qj,Qj1,Qj2,Qj3) = MD40…j(IV,M) • Define j = (QjQj, Qj1Qj1, Qj2Qj2, Qj3Qj3 ) where subtraction is modulo 232 • Let 2n denote 2n mod 232. – 225 = 0x02000000 and 25 = 0xffffffe0 • All arithmetic is modulo 232 38 Strategy • Try to find one block collision • Denote M = (X0,X1,…,X15) • Define M by Xi = Xi for i12 and X12= X12+1 • Word X12 last appears in steps 12, 19, 35 – This provides a “natural” division of the attack strategy • We are freedom to choose X0,X1,…,X11 at our convenience • Goal is to find pair M and M with 35= 0, if 35= (0,0,0,0) we have a collision Slide by Mark Stamp 39 MD4 Attack Analyze attack in three phases 1. Show: 19= (225,25,0,0) implies probability at least 1/230 that the 35 condition holds – Uses differential cryptanalysis 2. “Backup” to step 12: We can start at step 12 and have 19 condition hold – By solving system of nonlinear equations 3. “Backup” to step 0: And find collision – In each phase of attack, some words of M are determined – When completed, have M and M • Where M M but h(M) = h(M) – Equation solving step is tricky part • Nonlinear system of equations • Must be able to solve efficiently Slide by Mark Stamp 40 Steps 19 to 35 • Differential phase of the attack • Suppose M and M as given above – Only differ in word 12 • Assume that 19= (225,25,0,0) – And G(Q19,Q18,Q17) = G(Q19,Q18,Q17) • Then we compute probabilities of “” conditions at steps 19 thru 35 Slide by Mark Stamp 41 Steps 19 thru 35 • For example, consider 35 • Suppose j = 34 holds: Then 34= (0,0,0,1) and • Implies 35= (0,0,0,0) with probability 1 – As summarized in j = 35 row of table Slide by Mark Stamp 42 Steps 12 to 19 • Analyze steps 12 to 19, find conditions that ensure 19 = (225,25,0,0) – And G(Q19,Q18,Q17)= G(Q19,Q18,Q17), as required in differential phase • Step 12 to 19—equation solving phase • This is most complex part of attack – Last phase, steps 0 to 11, is easy Slide by Mark Stamp 43 Steps 12 to 19 • To apply differential phase, must have 19= (225,25,0,0) which states that Q19= Q19+225 Q18+25 = Q18 Q17= Q17 Q16= Q16 • Derive equations for steps 12 to 19… • At step 12 we have Q12= (Q8 + F(Q11,Q10,Q9) + X12) <<< 3 Q12=(Q8 + F(Q11,Q10,Q9) + X12) <<< 3 • Since X12= X12+1 and (Q8,Q9,Q10,Q11)= (Q8,Q9,Q10,Q11), (Q12<<<29)(Q12<<<29)= 1 Slide by Mark Stamp 44 Steps 12 to 19 • Similar analysis for remaining steps yields system of equations: Slide by Mark Stamp 45 Steps 12 to 19 • To solve this system must find • • • • • so that all equations hold. Since there are 14 variables and 8 equations, we have wiggle room Given such a solution, we determine Xj for j = 13,14,15,0,4,8,12 so that we begin at step 12 and arrive at step 19 with 19 condition satisfied This phase reduces to solving (nonlinear) system of equations Can manipulate the equations so that – Choose (Q14,Q15,Q16,Q17,Q18,Q19) arbitrary – Which determines (Q10,Q13,Q13 ,Q14 ,Q15) Result is 3 equations must be satisfied (next slide) Slide by Mark Stamp 46 Solving equations for 12 to 19 • Using this we can solve for seven message words: – – – – – – – X13= anything X14= (Q14<<<21)-Q10-F(Q13, Q12, Q11) X15= (Q15<<<21)-Q11-F(Q14, Q13, Q12) X0= (Q16<<<21)-Q12-G(Q15, Q14, Q13) –K1 X4= (Q17<<<21)-Q13-G(Q16, Q15, Q14) –K1 X8= (Q18<<<21)-Q14-G(Q17, Q16, Q15) –K1 X12= (Q19<<<21)-Q15-G(Q18, Q17, Q16) –K1 47 Solving equations for 12 to 19 • Choose Q12= -1, Q12’=0, Q11=0. Then – Q15’= Q15-G(Q18’,Q17,Q16)+G(Q18,Q17,Q16)+(Q19’<<<19)-(Q19<<<19)-1 – Q14’= Q14-G(Q18’,Q17,Q16)+G(Q18,Q17,Q16)+(Q18’<<<23)-(Q19<<<23) – Q13= (Q14<<<21)-(Q14’<<<21) – Q13’= Q13-G(Q16,Q15’,Q14’)+G(Q16,Q15,Q14) – Q10= (Q13’<<<25)-(Q13<<<25) – F(Q18’,Q17,Q16)-F(Q18,Q17,Q16)= (Q15’<<<13)-(Q15<<<13) – G(Q18’,Q17,Q16)-G(Q18,Q17,Q16)= Q12-Q11’ • Choose Q14, …, Q19 arbitrarily and solve for Q10, Q13, Q13’, Q14’, Q15’ – G(Q15,Q14,Q13)-G(Q15’, Q14’, Q13’)= 1 – F(Q14’, Q13’, 0)-F(Q14, Q13,, -1)= 0 – G(Q19’, Q18’, Q17)= G(Q19, Q18,, Q17) 48 Steps 12 to 19 • Three conditions must be satisfied: • First 2 are “check” equations – Third is “admissible” condition • Naïve algorithm: choose six Qj, yields five Qj, Qj until 3 equations satisfied • How much work is this? Slide by Mark Stamp 49 Continuous Approximation • Each equation holds with probability 1/232 • Appears that 296 iterations required – Since three 32-bit check equations – Birthday attack on MD4 is only 264 work! • Solution – A “continuous approximation” – Small changes, converge to a solution Slide by Mark Stamp 50 Continuous Approximation • Generate random Qi values until first check equation is satisfied – Random one-bit modifications to Qi – Save if 1st check equation still holds and 2nd check equation is “closer” to holding – Else try different random modifications • Modifications converge to solution – Then 2 check equations satisfied – Repeat until admissible condition holds Slide by Mark Stamp 51 Steps 0 to 11 • At this point, we have (Q8,Q9,Q10,Q11) and MD412…47(Q8,Q9,Q10,Q11,X)= MD412…47(Q8,Q9,Q10,Q11,X) • To finish, we must have MD40…11(IV,X) = MD40…11(IV,X)= (Q8,Q9,Q10,Q11) • • • • Recall, X12 is only difference between M, M Also, X12 first appears in step 12 Have already found Xj for j= 0,4,8,12,13,14,15 Free to choose Xj for j= 1,2,3,5,6,7,9,10,11 so that MD40…11 equation holds easily! Slide by Mark Stamp 52 All Together Now • Attack proceeds as follows… 1. 2. 3. Slide by Mark Stamp Steps 12 to 19: Find (Q8,Q9,Q10,Q11) and Xj for j= 0,4,8,12,13,14,15 Steps 0 to 11: Find Xj for remaining j Steps 19 to 35: Check 35= (0,0,0,0) – If so, have found a collision! – If not, go to 2. 53 Meaningful Collision • Different contracts, same hash value Slide by Mark Stamp 54 SHA-0 Strategy (Chabaud and Joux) • Basic idea is to look for small differences that can be tracked through rounds like differential cryptanalysis. • Consider three approximations to the SHA-0 compression function. – SHI-1 • Use Xor instead of Add • Make f(i) linear – SHI-2 • Use Xor instead of Add • Restore f(i) to original values – SHI-3 • Restore Add • Make f(i) linear JLM 20060105 12:16 55 SHI-1 Finding Collisions • Assume the W(i) are unrelated and follow progress of a change to W(1). A B C D E 1 W1+ROL5(A)+f(B,C,D)+ E+K A ROL30(B) C D 2 W2 + … 3 ROL30(-) 4 ROL30(W1+ROL5(A)+ f(B,C,D)+E+K) 5 6 W6+ … - fixes W1 perturbation JLM 20060105 56 SHI-1 Error Propagation in Hash Perturbation On bit 1 D Corrections defining masks W1(i) W6(i+1) W1(i+2) W31(i+3) W31(i+4) W31(i+5) A1(i) A(i+1) A(i+2) A(i+3) A(i+4) A(i+5) State A(i) B(i) C(i) D(i) E(i) JLM 20060105 12:16 B31(i+1) B(i+5) C31(i+2) C(i+5) D31(i+3) D(i+5) E31(i+4) E(i+5) 57 SHI-1 Restoring Expansion • Flip bit 1 of W1. This modified A in round “0” resulting, potentially to different (A, B, C, D, E) in round 6. By following linear process we can determine bits in W1, , W6 which, when flipped, produce the same (A,B,C,D,E) in round 6. • Let M(i) be 0 in all positions that are unchanged in round i and 1 where bits are flipped to restore the result in round 6. This is called a local collision. • This is easy to do, as we’ve seen if there is no expansion. • Question: If there is expansion, what successful masks are preserved by expansion if bits are flipped in W(1)? • Answer: M(i)= M(i-3)M(i-8)M(i-14)M(i-16) , 10<i<80 • Because SHA-0 expansion doesn’t interleave bits, we can consider each of the 32 bits independently and exhaustively search for a successful pattern JLM 20060105 12:16 58 SHI-2 • Restore f(i) and note that rounds 0-19, 40-59 are no longer Xors Round Name f(i)(X,Y,Z) K(i) 0-19 IF (XY(XZ) 0x5a827999 20-39 XOR XYZ 0x6ed9eba1 40-59 MAJ (XY)(XZ)(YZ) 0x8f1bbcdc 60-79 XOR XYZ 0xca62c1d6 • When does f(i) behave like an Xor for IF and MAJ? • Again the action on each of the 32 bits is independent JLM 20060105 12:16 59 SHI-2 Finding Collisions • What inputs make IF and MAJ act like Todoand XOR – B(i)’= B(i), C(i)’= C(i), D(i)’= D(i) – Single bit change in B(i), e.g. B(i) 21. – Single bit change in C(i)31 or D(i)31, e.g. C(i) 231 or D(i) 231 or both. • The mask becomes probabilistic: We can find a pattern that has the probability with p=2-24 from these. Must check every perturbation has foregoing effect: 2,6,14,16,17,18,19,21,22,26,27,28,35,37,41,45,48, 51,54,55,56,58,59,62,63,68,69,70,71,72. • Perturbations in positions 2, 6 occurs with p=2-6. Try many W(15). • Collision! 1a6191b0 062ec496 2270fdbd 002831a9 3c4a331c 48611ca8 2a8090f0 50fe1535 JLM 20060105 12:16 1f228ea2 583401bc 4b12fd98 61ac0d3d 403b7609 399879d0 473cc7a1 f26700ec 04 4d9 acc fa 60 SHI-3 • Change the Xor back to add and f back to linear • Perturbation in bit 1 of W(i) leading to corrections in W31(i+3), W31(i+4), W31(i+5). • To prevent carries, non linear constraints must hold on W1(i), W6(i+1), W1(i+2). • So we fix these. • Collision 53c29e14 0c0abc30 0da433ac 1a3f8b70 44fe051b 3806260d 6337b011 0e7a4620 JLM 20060105 12:16 4a8ce882 76cbeb2f 1041e2a9 25e81245 576e1943 1b8379a8 20b44364 289acb2b 91 8bfe e596 9382aa9 61 SHA-0 • • • • Perturbations must be inserted without carry. Case in SHI-2 where bit 31 in both C and D flip doesn’t work Yields two good patterns with probability 2-69. Trick to suppress perturbations in rounds 16 and 17 reduces probability to 2-61. • Probability of finding on is 2-22 using basic 2-14 collision • Partial Collision (35 rounds) 78fb1285 4a4d1c83 a08e7920 38bef788 77a2dc84 186e8429 16a3e469 2274a40c 4035a90b 74326988 2ed4213d 4c14e934 b61f0b39 7f220f79 4a75b904 cee12cec 97 19fa7 29ac 6a • None of this works in SHA-1 because of interleaved bits. JLM 20060105 12:16 62 SHA-0 Finding Collisions • Change the Xor back to add • Prob of finding on is 2-22 using basic 2-14 collision • Partial Collision (35 rounds) 78fb1285 4a4d1c83 a08e7920 38bef788 77a2dc84 186e8429 16a3e469 2274a40c JLM 20060105 12:16 4035a90b 74326988 2ed4213d 4c14e934 b61f0b39 7f220f79 4a75b904 cee12cec 97 19fa7 29ac 6a 63 SHA-0 Collisions --- Comments • Message Expansion: Wi-3Wi-8Wi-14Wi-16 means any round can be determined from any consecutive 16 rounds of message expansion. • The expanded rounds (all 80) can be represented using a linear transformation, A on 512 bits: (w, Aw, A2w, A3w, A4w)T. • When the round functions are linearized, a change in bit j of word Wi can be “corrected” by changes in bits j+6, j, j+30, j+30, j+30 in rounds i+1, i+2, i+3, i+4 and i+5. • When the round functions are replaced by their non-linear versions a change in bit 1 can be corrected by the same pattern with probability between 2-2 and 2-5. If change is made to position j1, the probability of correction is reduced by 2-3. • For SHA-1, because of rotation, one bit change propagates to 107 bits in expansion. JLM 20060105 12:16 64 SHA-0 Biham and Chen • Introduces “disturbance vectors” – Collision when last 5 vectors is 0 • Full collision on 65 rounds • 82 round SHA-0 is weaker than 80 round • Neutral Bits: Bit i is neutral if disturbance pattern unchanged with complemented i. • 2-neutral set. Size k(r) of maximal 2-neutral set. JLM 20060105 12:16 65 Other Cryptographic Hashes and Performance Hash Name Block Size Relative Speed MD4 128 1 MD5 128 .68 RIPEMD-128 128 .39 SHA-1 160 .28 RIPEMD-160 160 .24 JLM 20060105 12:16 66 Padding • Standard technique – Let last message block have k bits. If k=n, make a new block and set k= 0. – Append a 1 to last block leaving r=n-k-1 remaining bits in block. – If r64, append r-64 0s then append bit length of input expressed as 64 bit unsigned integer – If r<64, append n-r 0’s (to fill out block), append n-64 0’s at beginning of next block then append bit length of input expressed as 64 bit unsigned integer JLM 20060105 12:16 67 Winnowing and Chaffing (Rivest) • • Want to send 1001. Pick random stream (mi) and embed message at positions (say) 3, 7, 8 14 MAC each packet (mmi). Make sure MAC is correct only in message positions JLM 20060105 12:16 68 Lai-Massey • Assume the padding contains the length of the input string and that the input to the CH function, h, is at least two blocks long. Finding a 2nd pre-image for h with fixed IV requires 2n operations iff finding a 2nd pre-image for the compression function, f, with arbitrarily chosen Hi-1 requires 2n operations where n is the number of bits of h’s output. JLM 20060105 12:16 69 Breaking news on Hashes • • • • • Don’t use MD4 or you’ll look really, really, silly. Don’t use MD5. Don’t use RIPEMD-128 SHA-1 appears to have collision attacks of the order 261 Use SHA-2 functions – Truncate to provide legacy compatibility if you have to (i.e. – gun to head) – Required by “Suite B” Standards JLM 20060105 12:16 70 Message Expansion • Process of expanding from 16 32 bit words to 80 32 bit words in the compression function is called message expansion – MD5 • Permutations – SHA-0 • Linear code (LFSR) – SHA-1 • Linear code with rotation • Has profound effect on possible disturbance vectors in Differential attacks • Being studied to provide greater protection • Replace xor with modular addition to prevent codeword difference propagation • Conditions on chaining variables for local collision (Probability between 2-39 and 2-42) JLM 20060105 12:16 71 SHA-2 • FIPS 180-2, 8/02. – – Defines SHA-256, SHA-384, SHA-512. SHA-224 (truncated) added 2/04 • Great increase in mixing between bits of the words compared to SHA-1. • US Patent 6,829,355 • • • Inventor: Glenn Lilly Assignee: NSA Can obtain source from – http://en.wikipedia.org/wiki/SHA-2 JLM 20060105 12:16 72 SHA-256 //Initialize variables: h0 := 0x6a09e667 //232 times the square root of the first 8 primes 2..19 h1 := 0xbb67ae85, h2 := 0x3c6ef372, h3 := 0xa54ff53a, h4 := 0x510e527f h5 := 0x9b05688c, h6 := 0x1f83d9ab,h7 := 0x5be0cd19 //Initialize table of round constants: k(0..63) := //232 times the cube root of the first 64 primes 2..311 • 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, • 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, • 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, • 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, • 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, • 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, • 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, • 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 JLM 20060105 12:16 73 SHA-256 //Pre-processing: append a single "1" bit to message append "0" bits until message length ≡ 448 ≡ -64 (mod 512) append length of message (before pre-processing), in bits as 64-bit big-endian integer to message //Process the message in successive 512-bit chunks: break message into 512-bit chunks; For(each chunk) break chunk into sixteen 32-bit big-endian words w(i), 0≤i≤15 //Extend the sixteen 32-bit words into sixty-four 32-bit words: for i from 16 to 63 s0 := (w(i-15>>>7)(w(i-15)>>>18)(w(i-15)>>3) s1 := (w(i-2)>>>17)(w(i-2)>>>19)(w(i-2)>>10) w(i) := w(i-16)+s0+w(i-7)+s1 //Initialize hash value for this chunk: a := h0, b := h1, c := h2, d := h3, e := h4, f := h5, JLM 20060105 12:16 g := h6, h := h7 74 SHA-256 //Main loop: for 0 i 63 s0:= (a>>>2)(a>>>13)(a>>>22) maj:= (ab)(bc)(ca) t0:= s0+maj s1:= (e>>>6)(e>>>11)(e>>>25) ch:= (ef)((e)g) t1:= h+s1+ch+k(i)+w(i) h:= g, g := f, f := e, e := d t1, d:= c, c := b, b := a, a := t0+t1 //Add this chunk's hash to result so far: h0:= h0+a, h1:= h1+b , h2:= h2+c, h3:= h3+d h4:= h4+e, h5:= h5+f, h6:= h6+g, h7:= h7+h //Output the final hash value (big-endian): digest = hash = h0||h1||h2||h3||h4||h5||h6||h7; JLM 20060105 12:16 75 Chinese Attack-1 Find M, M': H(M)=H(M'). Select Message difference M'=MD Differential path bi'=biDbi For MD5: Hi= f(Hi-1, Mi), 0i<16, f: (a,b,c,d, wi, wi+1, wi+2, wi+3) is computed as follows: a= b+((a+yi(b,c,d)+wi+ ti)<<<si), d= a+((d+yi+1(a,b,c)+wi+1+ti+1)<<<si+1), c= d+((c+yi+2 (d,a,b)+wi+2+ti+2)<<<si+2), b= c+((b+yi+3(c,d,a)+wi+3+ti+3)<<<si+3). JLM 20051124 14:16 76 Chinese Attack-2 yi (X,Y,Z)= (XY)(XZ), 0i15, yi(X,Y,Z)= (XZ) (YZ), 16i31, yi (X,Y,Z)= (XYZ), 32i47, yi (X,Y,Z)= Y(XZ), 48i63 and wi is the expanded message, wi, ti are round dependant constants. Now, define DX = X'-X. D H0 [(M0, M0‘)] DH1[(M1, M1‘)] DH2 …[(Mi-1, M i-1 ‘)] D DHi= H with each composed of DHi[P2 ]DR i+1,1 [P2] DR i+1,2 [P3]DR i+1,3 [P4]DR i+1,4= DH i+1. JLM 20051124 14:16 77 Chinese Attack-3 • Let Di,j=x i,j’-x i,j=±1 and Dxi [ j1, j2, …,jl ]= xi [j1, j2, … , jl]-xi. • Collision is caused by 1024 bit input: (M0, M1) with DM0= (0,0,0,0,231, 0,0,0,0,0,0,215,0,0,231,0) DM1= (0,0,0,0,231, 0,0,0,0,0,0,-215,0,0,231,0). • Sufficient conditions insure that differential holds with high probability. • At 8th iteration, b2= c2+(b1+F(c2,d2,a2)+m7+t7)<<<22 • Try to control (Dc2 , Dd2, Da2, Db1) Db2 as indicated in next slide JLM 20051124 14:16 78 Chinese Attack-4 (A) Non-zero bits of Db2: d2,11=1, b2,1=0, d2,26= overline a2,26=1, b2,16=0. d2,28= overline a2,28=0, b2,i=0. d2,11=1, b2,24=0. (B) Zero bits of Db2: c2,i=0, d2,i= a2,I, c2,i=1. d 2,6 =overline a2,6 =0. d2,i= 0, d2,12= 1, a2,24= 0. 7th bit of c2, d2, a2 result in no change in b2. JLM 20051124 14:16 79 Chinese Attack-5 Algorithm 1: Repeat until first block is found (a) Select random M0, (b) Modify M0, (c) M0, M0'= M0+DM0 produce DM0 (DH1, DM1) with probability 2-37, (d) Test characteristics. 2: Repeat until first block is found (a) Select random M1, (b) Modify M1, (c) M1, M1'= M1+DM1 produce DM1 0 with probability 2-30 (d) Test characteristics. JLM 20051124 14:16 80 SHA-2 • FIPS 180-2, 8/02. – Defines SHA-256, SHA-384, SHA-512. – SHA-224 (truncated) added 2/04 • Great increase in mixing between bits of the words compared to SHA-1. • US Patent 6,829,355 – Inventor: Glenn Lilly – Assignee: NSA • Can obtain source from – http://en.wikipedia.org/wiki/SHA-2 JLM 20060212 14:16 81 SHA-256 Definitions Ch(x,y,z)= (xy)(xz), Maj(x,y,z)= (xy) (xz) (yz). y256{i, j, k}(x)= ROTRi(x)ROTRj(x)ROTRk(x), y256{i, j, k}(x)= ROTR i(x)ROTR j(x)SHRk(x). S0256(x)= y256{2, 13, 22}(x), S1256 x)= y256{6, 11, 25}(x). s0256(x)= y256{7, 18, 3}(x), s1256(x)= y256{17, 19, 10}(x). JLM 20051124 14:16 82 SHA-512 Definitions Ch(x,y,z)= (xy)(xz), Maj(x,y,z)= (xy)(xz)(yz). y512{i, j, k}(x)= ROTRi(x)ROTRij(x)ROTRk(x), y512{i, j, k} (x)= ROTRi(x)ROTRj(x)SHRk(x). S0512 (x)= y512{28,34,39}(x), S1512(x)= y512{14, 18, 41}(x). s0512(x)= y512{1,8,7}(x), s1512 (x)= y512 {19, 61, 6}(x). JLM 20051124 14:16 83 SHA-256 SHA-256(M1||M2||…||MN): for(i=1; iN; i++) { Wt= Mt(i) , 0t15, Wt = s1256(Wt-2)Wt-7s0256(Wt-15)Wt-1,16t63; a= H0(i-1); b= H1(i-1); c= H2(i-1); d= H2(i-1); e= H4(i-1); f= H5(i-1); g= H6(i-1); e= H7(i-1); for(t=0; t<64;t++) { T1=h+s1256(e)+Ch(e,f,g)+Kt256+Wt; T2=s0256(a)+Maj(e,f,g); h= g; g= f; f=e; e= d+T1; d=c; c=b; b=a; a= T1+T2; } H0(i)= a+H0(i-1);H1(i)= b+H1(i-1);H2(i)= c+H2(i-1);H3(i)= d+H3(i-1); H4(i)= e+H4(i-1);H5(i)= f+H5(i-1);H6(i)= g+H6(i-1);H7(i)= h+H7(i-1); } • SHA-512 is the same except there are 79 rounds and the words are 64 bits long. JLM 20051124 14:16 84 Other Cryptographic Hashes and Performance Hash Name Block Size Relative Speed MD4 128 1 MD5 128 .68 RIPEMD-128 128 .39 SHA-1 160 .28 RIPEMD-160 160 .24 JLM 20060212 14:16 85 What to take home • Symmetric ciphers and hashes provide key ingredients for “distributed security” – – – • Fast data transformation to provide confidentiality Integrity Public key crypto provides critical third component (trust negotiation, key distribution) It’s important to know properties of cryptographic primitives and how likely possible attacks are, etc. – – Most modern ciphers are designed so that knowing output of n-1 messages provides no useful information about nth message. This has an effect on some modes of operation. JLM 20060212 14:16 86 SHA-3 Competition JLM 20090310 87 Notes • • • • • • • • Message expansion and related key attacks Rebound attacks, bottleneck attacks (FSE 2009) Extension attacks: permutations, output function Multicollision resistance Indifferentiability attacks Bijective Feistel 5R impossible differential Matsui: How far can we go on the x64. FSE 2006, v4047. Matsui: Power of bitslice. CHES 2007, v4727. JLM 20090222 88 Haifa • Dean 2nd Pre-image on fixed points • H=EM-1(0) 1. Find 2mc/2 fixed points, A= (h,m) 2. Find 2mc/2 single block outputs B= CMD(IVM|m’) 3. Obtain collision • hi+1= C(hi,Mi,nBitsSoFar,salt) • Wide path. C1: {0,1}mc x {0,1}n {0,1}mc; C2: {0,1}mc {0,1}n. JLM 20090222 89 RadioGatun • Compression (state, message to state) • Expand (message expansion, 35x) • IMF has given capacity lc • Alternating input construction – Internal collision – State guessing – Decorrelation – Difference propagation • Operates on ls bit state • State guess infeasible implies that pre-image is infeasible JLM 20090222 Alternating input construction • In: li-bit input blocks. p0, … , pnp-1 • Out: lo-bit input blocks. z0, … , znz-1 • R is round function S= 0; for(i=0;i<np;i++) { T= SFi(pi); S= R(T); } for(i=0;i<nb;i++) S= R(T); for(i=0;i<np;i++) { S= R(S); zi= F0(S); } 90 Blake salt chain value ctr Init • Haifa design. h0= IV for(i=0;i<N;i++) hi= compress(hi,mi,s,li) • Gi(a,b,c,d): – a= a+b+(msr(2i) csr(2i)) – d= (da)>>>16 – c= c+d – b= (bc)>>>12 – a= a+b+(msr(2i+1) csr(2i+1)) – d= (da)>>>8 – c= c+d – b= (bc)>>>7 JLM 20090222 M Rounds • • • • • • • • ctr salt Final next chain value h0’= h0s0v0v8 h1’= h1s1v1v9 h2’= h2s2v2v10 h3’= h3s3v3v11 h4’= h4s4v4v12 h5’= h5s5v5v13 h6’= h6s6v6v14 h7’= h7s7v7v15 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 h0 h4 c0s0 c4t0 h1 h2 h3 h5 h6 h7 c1s1 c2s2 c3s3 c5t1 c6t2 c7t3 91 Grostl • • • • • • h0= IV, hi= f(hi-1,mi), H(M)= G(ht). Compression: f(h,m)= P(hm) Q(m) h G(x)=truncn(P(x) x) R(x)=Mix(Shift(Subbyte(AddRoundKey(x)))) Mix: 8 x 8 MDS over GF(28) P and Q only differ by use of constants in 10 rounds of applying R(x). Mt Hi-1 P Q Hi JLM 20090222 92 Sponge • A sponge function takes a variable length input, p, of characters from A and produces an infinite length output z, zj A , f: A x C A, |p|1 and final character is 0. State is S=(SA,SC). – – – – – – – – – Absorbing: S= f(SA+pi,SC) Squeezing: S=f(S). Rate: lg(|A|). Capacity: lg(|C|). Sf[p]: state after absorbing p. zj= SA,f[p|0j]. State collision: Sf[p]=Sf[q]. Inner collision: Sf,c[p]=Sf,c [q]. Simultates Random oracle JLM 20090222 93 T/P-Sponge • A P-sponge is a permutation selected uniformly and randomly from (AC)!. • A T-sponge is a function selected uniformly and randomly from (AC)AC. • Theorem: The output returned by a random sponge to a sequence of queries are uniformly and randomly distributed if no inner collision occurs. • Theorem: The probability of success of distinguishing between a RS and a random oracle (RO) is P ½+½P(IC|RS). For a randome Tsponge, P(IC)=1-exp(-Si=1q i/|C|) • 2nd pre-image: Find 2nd path to some inner state: T=SC,f[p’] Case Inner collision T-sponge [q(q+1)]/[2|C|] P-sponge [q(q+1)]/[2|C|] - [q(q-1)]/[2|A||C|] JLM 20090222 Path Find Out cycle Out bind (rm>c) Out bind (rm<c) q/|C| [q(q+1)]/[2|C||A|] ( N/|C|) [|A|1]/A) ( N/|C|) [|A|-1]/Am) ( N/|C|) [|A|1]/A) ( N/|C|) [|A|-1]/Am) [q(q+4)]/[4|C|] -[q2]/[4|A||C|] q/[|A||C|] 94 Sponge r c SA SC • r is bit rate • c is capacity p0 f absorbing SA z0 SC f squeezing JLM 20090222 95 Sponge • Theorem: A random sponge can only be distinguished from a random oracle by the presence of an inner collision which is unlikely if q<<2c/2. • Theorem: A random sponge can be differentiated from a random oracle with probability p ~ – q (q+1) 2-(c+1), N<2c. T P Output collision 2(min(n,c)+3)/2 2(min(n,c)+3)/2 Pre-image 2n min(2c/2+2n, 2n) 2nd pre-image min(2c/l, 2n) min(2(min(n,c)+3)/2, 2n) JLM 20090222 96 Sponge • Simulate:: make interface the same as to an ideal compression function, F. • Def: A Turing Machine C with oracle access to an ideal primitive, F, is said to be (tD, tS, q, e)indifferentiable from an ideal primitive, G, if there is a simulator P[G] such that "D ,|Pr[D[C(F); F]=1]Pr[D[G,P[G]]=1]; F]=1]|<e. JLM 20090222 97 Keccak • Keccak-f(r+c). r+c= 25, 50, 100, 200, 400,800, 1600 – r=1024, c=575 – r=512, c=1088 • State: 5 x 5 x 2l bits – q for diffusion – r for inter slice dispersion – p for disturbing vertical/horizontal alignment – c for non-linearity – i for symmetry breaking JLM 20090222 98 Keccak c: for(y=0; y<5; y++){ for(x=0;x<5;x++) A[x][y]= a[x][y]((a[x+1][y]) a[x+2][y]); } q: for(x=0; x<5; x++){ p[x]= a[x][0]; for(y=0;y<5;y++) p[x]= a[x][y]p[x]; } for(x=0; x<5; x++){ p[x]= p[x-1] p[x+1]<<1; for(y=0;y<5;y++) p[x]= a[x][y]p[x]; } JLM 20090222 99 Keccak p: for(x=0;x<5;x++) { for(y=0; y<5; y++) [X, Y]T= [0 1] [X, Y]T [2 3] } A[X][Y]= a[X][Y] r: A[0][0]= a[0][0]; [X, Y]T= [1, 0]T; for(t=0; t<5; t++){ A[x][y]= a[x][y]<<<[(t+1)(t+2)]/2; } i: Add round constants; JLM 20090222 100 Lane • • • • • • • • • • IVn,S= f(0,f||bin32(n)||0k|S,0), fis the salt. P-6 round, Q- 3 round. Mi= m1 || m2 || m3 || m4 Hi= h0 || h1 W0= h0 m0 m1 m2 m3 || h1 m0 m2 W1= h0 h1 m0 m2 m3 || h0 m1 m2 W2= h0 h1 m0 m1 m2 || h0 m0 m3 W3= h0 || h1 W4= m0 || m1 W5= m2 || m3 JLM 20090222 101 Lane Hi-1 M E P0 P1 P2 P3 Q0 P4 P5 Q1 Hi JLM 20090222 102 Lane • • • • • • • • • • • • • Round(r, X) 1: X ← SubBytes(X) 2: X ← ShiftRows(X) 3: X ← MixColumns(X) 4: X ← AddConstants(r,X) 5: X ← AddCounter(r,X) 6: X ← SwapColumns(X) 7: return X function LastRound(X) 1: X ← SubBytes(X) 2: X ← ShiftRows(X) 3: X ← MixColumns(X) 4: X ← SwapColumns( JLM 20090222 • • • • • • • function Pj(X) 1: for i = 0 to 4 do 2: r ← 5j + i 3: X ← Round (r,X) 4: end for 5: X ← LastRound(X) 6: return X • • • • • • • function Qj(X) 1: for i = 0 to 1 do 2: r ← 30 + 2j + i 3: X ← Round (r,X) 4: end for 5: X ←LastRound(X) Return x; 103 Lane • • • • • • • • 1: k0 ← 07fc703dx 2: for i = 1 to 272 (resp. 768 for Lane-384 and Lane-512) do 3: ki = ki−1 ≫ 1 4: if ki−1 ∧ 00000001x then 5: ki = ki ⊕ d0000001x 6: end if 7: end for Figure 2.4: Pseudocode JLM 20090222 104 Shavite • • • • Use Haifa mode/MD-construction. Compression: C256, Encrypt: E256. E: (Li+1, Ri+1) = (Ri, Li F3rk[i](Ri). F3k0,k1,k2(x)= AESR(0128, AESR(k1, AESR(k2, x k0))) C256(M, cnt, salt) – Message expansion – Repeat 4 times • Repeat 2 times 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. JLM 20090222 rk[i]= M, i= 0,…,15 i=16 t[0…3]= AESR(0128, rk[i-15], rk[i-14], rk[i-13], rk[i-16]) salt[0…3] rk[i+j]=t[j] rk[i+j-4] if(i==16) rk[16]cnt[0]; rk[17]cnt[1]; if(i==84) rk[86]cnt[1]; rk[87]cnt[0]; i+= 4; t[0…3]= AESR(0128, rk[i-15], rk[i-14], rk[i-13], rk[i-16]) salt[4…7] rk[i+j]=t[j]rk[i+j-4] if(i==56) rk[57]cnt[0]; rk[58]cnt[1]; if(i==124) rk[124]cnt[1]; rk[127]cnt[0]; i+= 1; 105 Shavite Repeat 2 times 1. rk[i]=rk[i-16] rk[i-3] 2. i++; Pad M’=M|1|0k|len(M)|len(m) b= 0; h0= IV for(i=0; i<|M|/512; i++) b+= 512; hi=C256(hi-1, Mi, b, salt) if(|M|=0 (mod512)) hl-1=C256(hl-2, Ml, b, salt) hl=C256(hl-1, Ml, b, salt) JLM 20090222 106 Shavite • Message expansion X(M,cnt,salt256) 144 32 bit words rk[0…143] • Theorem for C256: The exact maximal expected 2 round differential characteristic has probability (53/234)=1.656 x 2-29. The exact maximal expected 4 round differential characteristic has probability (53/234)4=1.881 x 2-114. The best 3 round differential characteristic has probability <2-49. • Theorem: Except for the 00 characteristic: 1. 2. 3. 4. • • • • There is no iterative 2 round characteristic of E256. There is no four round characteristic of E256. with probability > 2-147. There is no 3 round characteristic of E256. with probability > 2-98. There is no 9 round characteristic of E256. with probability > 2-294. With MD construction, there is no preimage if block cipher is safe. In wide pipe need mc2m for safety against pre-image. Need salt1/2 mc for safety against herding attack. MIV256= C256(0,0,0,0) JLM 20090222 107 Skein Mix Round-Key0 + + Mix Mix … Mix <<< Permute M0 UBI G M1 Mk … Len First Final JLM 20090222 108 DM/MMO Hi-1 mi(key) E Hi-1 (key) E Hi Hi • Differential attack on C • Related key attack on E JLM 20090222 mi(key) • Differential attack on C • Differential attack on E 109 MD6 has… • Bottom-up tree-based mode of operation (like Merkle-tree) • 4-to-1 compression ratio at each node JLM 20090228 110 MD6 has… • 1024-bit intermediate (chaining) values • root truncated to desired final length • Location (level,index) input to each node (2,0) JLM 20090228 (2,1) (2,2) (2,3) 111 Prepend Constant + Map + Chop const 15 Prepend key+UV data 8+2 64 1-1 map p 89 words Map p 89 words Chop JLM 20090228 16 words 112 Constants • Taps 17, 18, 21, 31, 67 optimize diffusion • Constants Si defined by simple recurrence; change at end of each 16-step round • Shift amounts repeat each round (best diffusion of 1,000,000 such tables): 0 1 2 5 6 7 8 ri 10 5 13 10 11 12 2 7 14 15 7 13 11 7 6 12 li 11 24 9 27 15 6 29 8 5 31 9 JLM 20090228 3 4 16 15 9 9 2 10 11 12 13 14 15 15 113 Large Memory (sliding window) 2 • • • 3 1 4 5 3 2 1 2 0 3 3 4 2 2 Array of 16r + 89 64-bit words. Each computed as function of preceding 89 words. Last 16 words computed are output. JLM 20090228 114 Small memory (shift register) 89 words 2 3 2 1 5 6 3 2 7 1 3 2 6 3 1 4 0 1 Si • • Shifts Shift-register of 89 words (712 bytes) Data moves right to left JLM 20090228 115 MD6 Description • Compress – Input: A[0], …, A[88], A[0]..A[14]- constants, A[15]..A[22] key/level, A[25]..A[88] – data – One step: • for (i=89; i<= 16r+88) { x= Si A[i-17] A[i-88] (A[i-18]A[i-21) A[i-67] x= x(x>>ri) A[i]= x(x<<li) } – Output: A[16r+73]..A[16r+88] (64 bit words) • MD6 proposes 1280 steps • S0= 0123456789abcdef, • Si= (S0<<1) (S0>>63) (Si-17311c2812425cfa) s 0 1 ri 10 5 li 11 24 9 JLM 20090222 2 3 4 5 6 7 8 13 10 11 12 2 7 14 15 7 16 15 9 27 15 6 9 2 10 11 12 13 14 15 13 11 7 29 8 15 5 6 12 31 9 116 End JLM 20081006 117 Next Quarter • • • 2-4 weeks to cover 16, 17, 18 and results on boolean functions. Rest on major reports: – Full Linear cryptanalysis of DES. – Full Differential cryptanalysis of DES. – Full Linear and differential cryptanalysis of FEAL. – Intro Algebraic cryptanalysis (including SFLASH) – John. – An algebraic cryptanalysis. – Dobbertin’s attack on MD4. – Chinese (Wang et. al) attack on SHA-1. Other topics (final quarter?) – Full factoring attack. – Full Elliptic Curve crypto selection, attacks, etc (3 weeks). – Full Discrete Log attack. – Full Re-estimation attack. – Random number analysis. – NIST Hash analysis. – Full Stream cipher analysis. JLM 20090201 118