A Tool for Differential Cryptanalysis of ARX Based Hash Functions - PowerPoint PPT Presentation


SLIDE 1

A Tool for Differential Cryptanalysis of ARX Based Hash Functions

Florian Mendel

KU Leuven, Belgium

SLIDE 2

Outline

1. Motivation
2. Application to SHA-1
3. Application to other Hash Functions
4. Summary and Future Work

SLIDE 3

Collision Attacks on the MD4-family

SLIDE 4

Collision Attacks on the MD4-family

Basic Attack Strategy

(1) Find a characteristic that holds with high probability after the first round of the hash function.
(2) Find a characteristic (not necessarily with high probability) for the first round of the hash function.
(3) Use message modification techniques [WY05] to fulfill the conditions imposed by the characteristic in the first round.
(4) Use random trials to find values for the remaining free message bits such that the message follows the characteristic.

⇒ The attack complexity is dominated by the last step.

SLIDE 5

How to Construct Differential Characteristics

• No secret key: all inputs are known or can even be chosen by the attacker
• Write out the equations and solve them
• The equations are usually highly nonlinear and difficult to solve
• Simplify the equations by choosing some of the inputs carefully

How to Solve the Equations?

• Wang's approach (by hand)
• Gröbner bases, SAT solvers, ...
• Dedicated approach [DR06] (guess-and-determine)

SLIDE 6

Guess-and-Determine Attack

On a high level, a guess-and-determine attack can be described as a repetition of the following two steps until all unknowns have been determined:

• guess the value of some unknowns
• determine the value of as many unknowns as possible

SLIDE 7

Guess-and-Determine Attack

A guess-and-determine attack works especially well if

• there are many sparse equations
• the set of equations can be split into a number of subsets with very few variables occurring in more than one subset

⇒ A successful attack employs a strategy to convert the complex and dense equations into a form that is more amenable to attack.

SLIDE 8

Guess-and-Determine Attack

Choice of the Intermediate Variables

• This choice affects the performance of the algorithm that is used to propagate the information.
• For sparse equations and equations of low degree, it is easy to determine whether new constraints on some unknowns lead to constraints on other unknowns.
• If there are many equations, the total effort of determining all new constraints becomes very expensive.

SLIDE 9

Guess-and-Determine Attack

Choice of the Information to Store

We cannot store all the information that we have on each of the intermediate variables:

• accessing that information would be slower than recomputing it
• it is too much work to keep all information up-to-date and consistent

⇒ Often it is better to store only part of the information and recreate the rest when it is needed.

SLIDE 10

Application to SHA-1

Approach of De Cannière and Rechberger (ASIACRYPT 2006)

SLIDE 11

Application to SHA-1

[Figure: SHA-1 step function with state words Ai, Bi, Ci, Di, Ei, constant Ki, message word Wi, Boolean function f, and rotations ≫ 2 and ≪ 5]

Choice of the Intermediate Variables

Alternative description of SHA-1 (the step is written in terms of the A words only):

Ai = Ai−5 + (Ai−1 ≪ 5) + Ki + f(Ai−2, Ai−3 ≫ 2, Ai−4 ≫ 2) + Wi

SLIDE 12

Application to SHA-1

Choice of the Information to Store

All 16 possible conditions on a pair of bits (xi, xi*) are taken into account.

(xi, xi*)   (0,0)  (1,0)  (0,1)  (1,1)
    ?         ✓      ✓      ✓      ✓
    -         ✓      .      .      ✓
    x         .      ✓      ✓      .
    0         ✓      .      .      .
    u         .      ✓      .      .
    n         .      .      ✓      .
    1         .      .      .      ✓
    #         .      .      .      .

(xi, xi*)   (0,0)  (1,0)  (0,1)  (1,1)
    3         ✓      ✓      .      .
    5         ✓      .      ✓      .
    7         ✓      ✓      ✓      .
    A         .      ✓      .      ✓
    B         ✓      ✓      .      ✓
    C         .      .      ✓      ✓
    D         ✓      .      ✓      ✓
    E         .      ✓      ✓      ✓

This is ideal for bitslice functions, but less ideal for functions that mix bits from different slices.

SLIDE 13

Application to SHA-1

Search Algorithm

(1) Start with an unrestricted characteristic (only ‘?’)
(2) Successively impose new conditions on the characteristic (replace ‘?’ by ‘-’ and ‘x’ by ‘n’ or ‘u’)
(3) Propagate the conditions in a bitslice manner and check for consistency:
    if a contradiction occurs, then backtrack, else proceed with step 2
(4) Repeat steps 2 and 3 until all bits of the characteristic are determined
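The following Python is an added example, not code from the slides or from the authors' tool. It encodes the 16 generalized conditions of slide 12 as sets of allowed (xi, xi*) pairs, implements the bitsliced propagation and consistency check of slide 13 for an arbitrary bitwise Boolean function, and runs the refine-propagate-backtrack loop (steps 2–4) on a single bit slice. The function and variable names (propagate_slice, propagate_words, search_slice, f_if, f_maj) are my own; f_if and f_maj are the IF and MAJ functions used by SHA-1 and, as f1 and f0, by SHA-256.

```python
# Added example (not from the slides): generalized conditions on bit pairs and
# bitsliced propagation/search in the style of De Cannière and Rechberger.
import itertools

# A generalized condition is the set of allowed values of a bit pair (x, x*).
# Encode the set as a 4-bit mask: bit 0 = (0,0), bit 1 = (1,0), bit 2 = (0,1), bit 3 = (1,1).
PAIR_BIT = {(0, 0): 1, (1, 0): 2, (0, 1): 4, (1, 1): 8}
# Symbol for each mask 0x0 .. 0xF; this reproduces the 16-row table of slide 12
# ('-' = no difference, 'x' = difference, 'u'/'n' = signed difference, '#' = contradiction).
SYMBOLS = "#0u3n5x71-ABCDE?"
COND = {s: m for m, s in enumerate(SYMBOLS)}
SYM = dict(enumerate(SYMBOLS))


def allowed_pairs(mask):
    return [p for p, b in PAIR_BIT.items() if mask & b]


def propagate_slice(func, conds):
    """Bitslice propagation for one bit position.

    conds: one generalized condition per input of func, followed by one for its output.
    Every input assignment allowed by the input conditions is tried; assignments whose
    output pair violates the output condition are dropped, and the surviving pairs give
    the refined conditions. A '#' in the result means the slice is contradictory.
    """
    *in_syms, out_sym = conds
    in_masks = [COND[s] for s in in_syms]
    out_mask = COND[out_sym]
    new_in = [0] * len(in_masks)
    new_out = 0
    for choice in itertools.product(*(allowed_pairs(m) for m in in_masks)):
        out_pair = (func(*(p[0] for p in choice)), func(*(p[1] for p in choice)))
        if PAIR_BIT[out_pair] & out_mask:
            for j, p in enumerate(choice):
                new_in[j] |= PAIR_BIT[p]
            new_out |= PAIR_BIT[out_pair]
    return "".join(SYM[m] for m in new_in) + SYM[new_out]


def propagate_words(func, words):
    """Apply propagate_slice independently to every bit position of whole words.

    words: equal-length condition strings (inputs, then output), written MSB first as on
    the slides. Because func is bitwise, no information flows between slices.
    """
    width = len(words[0])
    cols = [propagate_slice(func, "".join(w[pos] for w in words)) for pos in range(width)]
    return ["".join(col[k] for col in cols) for k in range(len(words))]


def is_contradiction(words):
    return any("#" in w for w in words)


# Steps (2)-(4) of slide 13 on one slice: '?' is refined to '-' or 'x', 'x' to 'n' or 'u';
# propagate after each choice and backtrack on a contradiction.
REFINE = {"?": "-x", "x": "nu"}


def search_slice(func, conds):
    conds = propagate_slice(func, conds)
    if "#" in conds:
        return None
    for pos, s in enumerate(conds):
        if s in REFINE:
            for r in REFINE[s]:
                found = search_slice(func, conds[:pos] + r + conds[pos + 1:])
                if found is not None:
                    return found
            return None  # every refinement of this bit leads to a contradiction
    return conds  # determined: no '?' and no unsigned 'x' left


def f_if(x, y, z):   # SHA-1 f_IF, identical to the f1 of SHA-256
    return (x & y) ^ ((x ^ 1) & z)


def f_maj(x, y, z):  # SHA-1 f_MAJ, identical to the f0 of SHA-256
    return (x & y) ^ (y & z) ^ (x & z)


if __name__ == "__main__":
    print(propagate_slice(f_if, "-x--"))   # 0x-- : output unchanged only if the selector bit is 0
    print(propagate_slice(f_if, "-xx-"))   # #### : an output difference is unavoidable
    print(propagate_slice(f_maj, "x01?"))  # x01x : with y != z the majority equals x
    print(propagate_words(f_if, ["--x-", "x---", "----", "----"]))
    print(search_slice(f_if, "-x?-"))      # 0n--
```

Two of the results are worth pausing on. propagate_slice(f_maj, "xx--") returns "xx--" unchanged, although the only consistent assignments have x and y with opposite signs: that relation between two bits is exactly the kind of condition the per-bit symbols of slide 12 cannot store, which is the problem slide 34 raises for SHA-2. And propagate_words treats every column independently, which is why this representation suits bitslice functions (IF, MAJ, XOR) and not modular additions or rotations that mix slices.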

SLIDE 14

Example

Characteristic for the first round of SHA-1

SLIDE 15

 i   ∇Ai                               ∇Wi
-5
-4
-3
-2
-1
 0   ???????????????????????????????x  x-x---------------------------xx
 1   ????????????????????????????????  --x-----------------------xx----
 2   ????????????????????????????????  -xx-----------------------------
 3   ????????????????????????????????  xxx-----------------------x-x-x-
 4   ????????????????????????????????  --x----------------------x----xx
 5   ????????????????????????????????  x-xx---------------------x------
 6   ????????????????????????????????  xx-x---------------------x-x--xx
 7   ????????????????????????????????  xx-x----------------------x---x-
 8   ????????????????????????????????  --x-----------------------------
 9   ????????????????????????????????  -xx-----------------------xx--x-
10   ????????????????????????????????  -xx----------------------x----xx
11   ????????????????????????????????  --x----------------------x------
12   ????????????????????????????????  xxx----------------------x----x-
13   ????????????????????????????????  -xx---------------------------x-
14   ?-----------------------------??  x------------------------------x
15   -------------------------------?  --------------------------x-----
16   x-----------------------------x-  ------------------------------xx
17   ------------------------------x-  -x-----------------------x-x--x-
18   x-----------------------------x-  -x-----------------------x------
19                                     xxx----------------------x-x--x-
20   ------------------------------x-  x-x-----------------------------
 …   …                                 …

# freebits: 532
# contradictions: 0

SLIDE 16

Collision Attacks on the MD4-family

SLIDE 17

Consequences of the Attacks

Transition from SHA-1 to SHA-2

• NIST proposed the transition from SHA-1 to the SHA-2 family
• Companies and organizations are expected to migrate to SHA-2

SHA-3 initiative

• Researchers are evaluating alternative hash functions in the SHA-3 initiative organized by NIST

SLIDE 18

The SHA-2 Family

• Designed by NSA and issued by NIST in 2002
• Defined in the Federal Information Processing Standard (FIPS-180-3) [Nat08]
• Part of several international standards
• Often recommended as an alternative to SHA-1
• Consists of 4 hash functions, i.e. SHA-224, SHA-256, SHA-384, SHA-512

SLIDE 19

Description of SHA-256

• Iterated hash function processing message blocks of 512 bits and producing a hash value of 256 bits.
• Compression function f consists of 2 parts:
  – Message Expansion
  – State Update (64 steps)

[Figure: iterated construction IV → f(M1) → f(M2) → f(M3) → … → f(Mt) → h]

SLIDE 20

Message Expansion

The message expansion of SHA-256 splits the 512-bit message block into 16 words Mi, i = 0, …, 15, and expands them into 64 expanded message words Wi as follows:

Wi = Mi                                        for 0 ≤ i < 16
Wi = σ1(Wi−2) + Wi−7 + σ0(Wi−15) + Wi−16        for 16 ≤ i < 64

The functions σ0(X) and σ1(X) are given by

σ0(X) = (X ≫ 7) ⊕ (X ≫ 18) ⊕ (X ≫ 3)
σ1(X) = (X ≫ 17) ⊕ (X ≫ 19) ⊕ (X ≫ 10)

SLIDE 21

Step Function of SHA-256

[Figure: SHA-256 step function with state words Ai, Bi, Ci, Di, Ei, Fi, Gi, Hi, constant Ki, message word Wi, and the functions Σ0, Σ1, f0, f1]

SLIDE 22

Step Function of SHA-256

The bitwise Boolean functions f0 and f1 used in each step are defined as follows:

f0(X, Y, Z) = X ∧ Y ⊕ Y ∧ Z ⊕ X ∧ Z
f1(X, Y, Z) = X ∧ Y ⊕ ¬X ∧ Z

The linear functions Σ0 and Σ1 are defined as follows:

Σ0(X) = (X ≫ 2) ⊕ (X ≫ 13) ⊕ (X ≫ 22)
Σ1(X) = (X ≫ 6) ⊕ (X ≫ 11) ⊕ (X ≫ 25)

SLIDE 23

Results for SHA-256

Preimage Attack

• Aoki et al. [AGM+09]: 43 out of 64 steps (complexity: 2^254.9)
• Khovratovich et al. [KRS11]: 45 out of 64 steps (complexity: 2^255.5)

Collision Attack

• Nikolić and Biryukov [NB08]: 21 out of 64 steps (example)
• Indesteege et al. [IMPR08]; Sanadhya and Sarkar [SS08b]: 24 out of 64 steps (example)

SLIDE 24

Collision Attacks on SHA-256

• All collision attacks so far are of practical complexity
• They are all based on the same basic idea: extending a local collision over 9 steps to more steps
• The best collision attack so far is for 24 steps, based on the 9-step differential characteristic of Nikolić and Biryukov

SLIDE 25

Attack of Nikolić and Biryukov

By using modular differences, Nikolić and Biryukov found a 9-step differential characteristic for which it is not necessary to apply corrections in each step

step    nonzero entries in the columns ∆A ∆B ∆C ∆D ∆E ∆F ∆G ∆H ∆W (in column order)
i       1
i+1     1   1   δ1
i+2     1  −1   1   δ2
i+3     1  −1   1   δ3
i+4     1  −1   1
i+5     1  −1
i+6     1
i+7     1
i+8     1   δ4
i+9     (none)

SLIDE 26

Attack of Nikolić and Biryukov

The fact that only 5 message words have differences helped to overcome several steps of the message expansion
⇒ Practical collision attacks on 21 steps of the hash function

Message words with differences: W6, W7, W8, W9, W14. Expanded message words W1, …, W20 in which these differences appear (‘x’ per entry; all other rows are empty):

 6: x
 7: x
 8: x
 9: x
14: x
16: x x
18: x x
20: x x

SLIDE 27

Extensions to more Steps

Extensions of the attack to more steps:

• Sanadhya and Sarkar extended the attack to 22, 23, 24 steps [SS08a, SS08b, SS08c]
• The best collision attack on SHA-256 is for 24 steps by Sanadhya and Sarkar [SS08b], and Indesteege et al. [IMPR08]
• Note that this approach is unlikely to extend beyond 24 steps, as pointed out by Indesteege et al.

SLIDE 28

Basic Attack Strategy

To find collisions for more than 24 steps, we need differential characteristics spanning over t > 9 steps. To find these characteristics we proceed as follows:

(1) Fix the value of t
(2) Identify those message words which need to have differences to result in a valid differential characteristic for the message expansion
(3) Consider only the candidates that may result in a collision for more than 24 steps
(4) Use an automatic search tool to construct a valid differential characteristic for both the state update transformation and the message expansion

SLIDE 29

Candidate for 27 Steps

For t = 10 we already find a candidate which may result in a collision for 27 steps (with differences in only 3 message words)

step    entries in the columns ∆A ∆B ∆C ∆D ∆E ∆F ∆G ∆H ∆W (‘?’ = difference possible)
 4      ?
 5      ? ?
 6      ? ? ? ?
 7      ? ? ? ? ?
 8      ? ? ? ? ? ?
 9      ? ? ? ? ?
10      ? ? ? ?
11      ? ? ?
12      ? ? ?
13      ? ?
14      (none)

Message words with differences: W4, W12, W13. Expanded message words W1, …, W26 in which these differences appear (‘x’ per entry; all other rows are empty):

 4: x
12: x
13: x
19: x x
20: x x

SLIDE 30

Candidate for 32 Steps

By choosing t = 16 we get a candidate for a collision of 32 steps (with differences in 8 message words)

step    entries in the columns ∆A ∆B ∆C ∆D ∆E ∆F ∆G ∆H ∆W (‘?’ = difference possible)
 2      ?
 3      ? ? ?
 4      ? ? ? ? ?
 5      ? ? ? ? ? ? ?
 6      ? ? ? ? ? ? ? ? ?
 7      ? ? ? ? ? ? ? ? ?
 8      ? ? ? ? ? ? ? ? ?
 9      ? ? ? ? ? ? ? ?
10      ? ? ? ? ? ? ? ?
11      ? ? ? ? ? ? ?
12      ? ? ? ? ? ?
13      ? ? ? ? ?
14      ? ? ? ?
15      ? ? ?
16      ? ?
17      ? ?
18      (none)

SLIDE 31

Finding Differential Characteristics

• These characteristics cannot be constructed manually
• Use a sophisticated automatic search tool to construct these characteristics
• Extend the approach of De Cannière and Rechberger for SHA-1

SLIDE 32

Increased Complexity of SHA-2

SHA-1

[Figure: SHA-1 step function with state words Ai, Bi, Ci, Di, Ei, constant Ki, message word Wi, Boolean function f, and rotations ≫ 2 and ≪ 5]

SHA-2

[Figure: SHA-2 step function with state words Ai, Bi, Ci, Di, Ei, Fi, Gi, Hi, constant Ki, message word Wi, and the functions Σ0, Σ1, f0, f1]

Design Complexity

SLIDE 33

How to overcome the problems?

[Figure: alternative description of the SHA-2 step using only the state words Ai, …, Ai−4 and Ei, …, Ei−4, with Σ0, Σ1, f0, f1, Ki, Wi and a modular subtraction/addition]

Efficient Propagation of Conditions

• Use an alternative description of SHA-2
• Split one step into several smaller, less complex substeps

⇒ This way the propagation of conditions can be implemented more efficiently

SLIDE 34

How to overcome the problems?

Conditions on more Bits

• Many conditions on two bits of the form Ai,j = Ai−1,j occur in SHA-2, resulting from Σi and fi
• The orthogonal applications of Σi and fi may result in cyclic conditions

∇A0 = [------------------n----------n--]
∇A1 = [---------n----------------------]
∇A2 = [---------n-n----------n--------n]
∇A3 = [---n-----n-n-n----n--nn--------n]

SLIDE 35

How to overcome the problems?

Conditions on more Bits

• More complex conditions on more than two bits occur
• It is not possible to determine all these conditions
• We implemented several tests to check for many of these contradictions

SLIDE 36

How to overcome the problems?

Finding a Conforming Message Pair

• Despite all these tests we did not find a single valid differential characteristic
• We combined the search for differential characteristics with the search for conforming message pairs
• In the message search we first determine and guess critical bits and backtrack if needed

• Complex hidden conditions are resolved at an earlier stage
• Impossible characteristics are corrected once they are detected

SLIDE 37

Example

Collision for 27 Steps of SHA-256 Compression Function

SLIDE 38

[Table: differential characteristic for 27 steps of the SHA-256 compression function, columns i, ∇Ai, ∇Ei, ∇Wi for i = −4, …, 26]

# freebits: 352
# contradictions: 0

SLIDE 39

Results for the Compression Function

Example of a collision for 27 steps of the compression function (minutes on a standard PC)

h0    4d031285 26b1c18f c8c014f2 3cca74bd 58481e1b c7dd5a1e 0ae3c962 e01f0e96
h0*   4d031285 26b1c18f c8c014f2 3cca74bd 58481e1b c7dd5a1e 0ae3c962 e01f0e96
∆h0   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
m     e4e9607f b6fb6b22 01597e95 5265b614 d4dbb9af 8a228a75 3c660afd 55b668bc
      97121d5e 35214e08 174b5fbb 1dc549e5 7e5b858a c966e506 faac3dbc 9df96855
m*    e4e9607f b6fb6b22 01597e95 5265b614 d543baaf 8a228a75 3c660afd 55b668bc
      97121d5e 35214e08 174b5fbb 1dc549e5 7e0bb58a c8fee406 faac3dbc 9df96855
∆m    00000000 00000000 00000000 00000000 01980300 00000000 00000000 00000000
      00000000 00000000 00000000 00000000 00503000 01980100 00000000 00000000
h1    9f9579f2 2737d03f 20263c5b 1b802daf 0b5e24ad 9eed0964 6bb8f239 2a4c60f7
h1*   9f9579f2 2737d03f 20263c5b 1b802daf 0b5e24ad 9eed0964 6bb8f239 2a4c60f7
∆h1   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

SLIDE 40

Results for the Compression Function

Example of a collision for 32 steps of the compression function (hours on a small cluster)

h0    764d264f 268a3366 285fecb1 4c389b22 75cd568d f5c8f99b 6e7a3cc3 1b4ea134
h0*   764d264f 268a3366 285fecb1 4c389b22 75cd568d f5c8f99b 6e7a3cc3 1b4ea134
∆h0   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
m     52a600a8 2c3b8434 ea92dfcf d4eaf9ad b77fe08d 7c50e542 69c783a6 86a14e10
      baf88b0b 12665efb ce7c3a31 3030f09d 9bd52eb8 7549997e fa976e0d 86ebacbc
m*    52a600a8 2c3b8434 ea92dfcb 0cdba38b f514e39d 7a5bb4cb ee6bcba6 c58f6a0f
      b2f78b0b 12665efb ce7c3a31 3030f09d 9bd52eb8 7549997e fa976e0d 86ebacbc
∆m    00000000 00000000 00000004 d8315a26 426b0310 060b5189 87ac4800 432e241f
      080f0000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
h1    d0b41ffa e1f519a2 e3cad2ed a19d5795 906ac05f c995f6c8 cf309f95 9fb9ca57
h1*   d0b41ffa e1f519a2 e3cad2ed a19d5795 906ac05f c995f6c8 cf309f95 9fb9ca57
∆h1   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

SLIDE 41

Results for the Hash Function

Extending the Attack to the Hash Function

Approach of Indesteege et al. [IMPR08]:

• Construct a collision for the compression function (with no differences in the first message words)
• Use the freedom in the first message words to turn it into a collision for the hash function

⇒ Collision attack on 27 steps of SHA-256

Message words with differences: W7, W8, W12, W15. Expanded message words W1, …, W26 in which these differences appear (‘x’ per entry; all other rows are empty):

 7: x
 8: x
12: x
15: x
17: x
19: x x
22: x x
23: x x
24: x x

SLIDE 42

Results for the Hash Function

Example of a collision for 27 steps of the hash function

h0    6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19
m     725a0370 0daa9f1b 071d92df ec8282c1 7913134a bc2eb291 02d33a84 278dfd29
      0c40f8ea d8bd68a0 0ce670c5 5ec7155d 9f6407a8 729fbfe8 aa7c7c08 607ae76d
m*    725a0370 0daa9f1b 071d92df ec8282c1 7913134a bc2eb291 02d33a84 27460e6d
      08c8fbea d8bd68a0 0ce670c5 5ec7155d 9f4425fb 729fbfe8 aa7c7c08 2d32d129
∆m    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00cbf344
      04880300 00000000 00000000 00000000 00202253 00000000 00000000 4d483644
h1    5864015f 133494fa fa42bb35 94bc44f9 29eabb36 9e461e33 2eab27f8 106467c9
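The following Python is an added example and is not code from the slides or from the authors' tool. It implements the SHA-256 message expansion and step function as defined on slides 20–22 (with σ0, σ1 as two rotations plus one shift and Σ0, Σ1 as three rotations, per FIPS 180-3) for a configurable number of steps, checks the full 64-step version against hashlib, and then replays the three collision examples printed on slides 39, 40 and 42: the message pairs are copied from the slides, and the code only verifies that the step-reduced compression function maps both messages to the same output. Function names (compress, collides, sha256_short) and the constant names for the copied values are my own.

```python
# Added example (not from the slides): step-reduced SHA-256 compression function,
# used to replay the collision examples of slides 39, 40 and 42.
import hashlib

MASK = 0xFFFFFFFF

# Round constants K_i and the initial value from FIPS 180-3.
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
IV = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19)


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

# sigma_0, sigma_1 (message expansion): two rotations and one shift
def sigma0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)
def sigma1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)
# Sigma_0, Sigma_1 (state update): three rotations
def Sigma0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)
def Sigma1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)
# f0 = MAJ and f1 = IF, as on slide 22
def f0(x, y, z): return (x & y) ^ (y & z) ^ (x & z)
def f1(x, y, z): return (x & y) ^ (~x & z & MASK)


def expand(m, steps):
    """W_i = M_i for i < 16, else sigma1(W_{i-2}) + W_{i-7} + sigma0(W_{i-15}) + W_{i-16} (slide 20)."""
    w = list(m)
    for i in range(16, steps):
        w.append((sigma1(w[i - 2]) + w[i - 7] + sigma0(w[i - 15]) + w[i - 16]) & MASK)
    return w


def compress(h, m, steps=64):
    """Compression function reduced to steps 0 .. steps-1, with the usual feed-forward."""
    a, b, c, d, e, f, g, hh = h
    w = expand(m, steps)
    for i in range(steps):
        t1 = (hh + Sigma1(e) + f1(e, f, g) + K[i] + w[i]) & MASK
        t2 = (Sigma0(a) + f0(a, b, c)) & MASK
        hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh)))


def words(hexstr):
    return tuple(int(w, 16) for w in hexstr.split())


def xor_diff(m, m_star):
    return tuple(x ^ y for x, y in zip(m, m_star))


def collides(h0, m, m_star, steps):
    return m != m_star and compress(h0, m, steps) == compress(h0, m_star, steps)


def sha256_short(msg):
    """Full SHA-256 of a message that fits one block (<= 55 bytes); sanity check of compress()."""
    block = msg + b"\x80" + b"\x00" * (55 - len(msg)) + (8 * len(msg)).to_bytes(8, "big")
    m = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)]
    return "".join(f"{x:08x}" for x in compress(IV, m))


def matches_hashlib(msg):
    return sha256_short(msg) == hashlib.sha256(msg).hexdigest()


# Values copied from slide 39 (27-step compression function collision)
H0_CF27 = words("4d031285 26b1c18f c8c014f2 3cca74bd 58481e1b c7dd5a1e 0ae3c962 e01f0e96")
M_CF27 = words("e4e9607f b6fb6b22 01597e95 5265b614 d4dbb9af 8a228a75 3c660afd 55b668bc "
               "97121d5e 35214e08 174b5fbb 1dc549e5 7e5b858a c966e506 faac3dbc 9df96855")
M_CF27_STAR = words("e4e9607f b6fb6b22 01597e95 5265b614 d543baaf 8a228a75 3c660afd 55b668bc "
                    "97121d5e 35214e08 174b5fbb 1dc549e5 7e0bb58a c8fee406 faac3dbc 9df96855")
# Values copied from slide 40 (32-step compression function collision)
H0_CF32 = words("764d264f 268a3366 285fecb1 4c389b22 75cd568d f5c8f99b 6e7a3cc3 1b4ea134")
M_CF32 = words("52a600a8 2c3b8434 ea92dfcf d4eaf9ad b77fe08d 7c50e542 69c783a6 86a14e10 "
               "baf88b0b 12665efb ce7c3a31 3030f09d 9bd52eb8 7549997e fa976e0d 86ebacbc")
M_CF32_STAR = words("52a600a8 2c3b8434 ea92dfcb 0cdba38b f514e39d 7a5bb4cb ee6bcba6 c58f6a0f "
                    "b2f78b0b 12665efb ce7c3a31 3030f09d 9bd52eb8 7549997e fa976e0d 86ebacbc")
# Values copied from slide 42 (27-step hash function collision, h0 = standard IV)
M_HF27 = words("725a0370 0daa9f1b 071d92df ec8282c1 7913134a bc2eb291 02d33a84 278dfd29 "
               "0c40f8ea d8bd68a0 0ce670c5 5ec7155d 9f6407a8 729fbfe8 aa7c7c08 607ae76d")
M_HF27_STAR = words("725a0370 0daa9f1b 071d92df ec8282c1 7913134a bc2eb291 02d33a84 27460e6d "
                    "08c8fbea d8bd68a0 0ce670c5 5ec7155d 9f4425fb 729fbfe8 aa7c7c08 2d32d129")

if __name__ == "__main__":
    print("SHA-256('abc') matches hashlib:", matches_hashlib(b"abc"))
    print("27-step compression collision:", collides(H0_CF27, M_CF27, M_CF27_STAR, 27))
    print("32-step compression collision:", collides(H0_CF32, M_CF32, M_CF32_STAR, 32))
    print("27-step hash collision:", collides(IV, M_HF27, M_HF27_STAR, 27))
    print("same pair, full 64 steps:", collides(IV, M_HF27, M_HF27_STAR, 64))
    print("Delta m (slide 39):", " ".join(f"{d:08x}" for d in xor_diff(M_CF27, M_CF27_STAR)))
```

The hash-function example uses the standard IV as h0 and a single 512-bit block, so a collision of the 27-step compression function on that block is a collision of the 27-step hash function (the padding block that follows is identical for both messages). Running the same pair through all 64 steps shows, as expected, no collision.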

SLIDE 43

Summary and Future Work

Summary

• Sophisticated tool to construct complex differential characteristics
• Time consuming to find the right settings
• Once settings are found, characteristics can be found efficiently

Current/Future Work

• Extend attacks to more steps
• Application to other hash functions

⇒ Still lots of work to be done! Remember: it took 5 years to get from SHA-1 to SHA-2

SLIDE 44

Thank you for your attention!

SLIDE 45

References I

Kazumaro Aoki, Jian Guo, Krystian Matusiewicz, Yu Sasaki, and Lei Wang. Preimages for Step-Reduced SHA-2. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 578–597. Springer, 2009.

Alex Biryukov, Mario Lamberger, Florian Mendel, and Ivica Nikolić. Second-Order Differential Collisions for Reduced SHA-256. In Dong Hoon Lee and Xiaoyun Wang, editors, ASIACRYPT, volume 7073 of LNCS, pages 270–287. Springer, 2011.

Christophe De Cannière and Christian Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284 of LNCS, pages 1–20. Springer, 2006.

Sebastiaan Indesteege, Florian Mendel, Bart Preneel, and Christian Rechberger. Collisions and Other Non-random Properties for Step-Reduced SHA-256. In Roberto Maria Avanzi, Liam Keliher, and Francesco Sica, editors, Selected Areas in Cryptography, volume 5381 of LNCS, pages 276–293. Springer, 2008.

Dmitry Khovratovich, Christian Rechberger, and Alexandra Savelieva. Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family. Cryptology ePrint Archive, Report 2011/286, 2011. http://eprint.iacr.org/.

Florian Mendel, Tomislav Nad, and Martin Schläffer. Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions. In Dong Hoon Lee and Xiaoyun Wang, editors, ASIACRYPT, volume 7073 of LNCS, pages 288–307. Springer, 2011.

SLIDE 46

References II

National Institute of Standards and Technology. FIPS PUB 180-3: Secure Hash Standard. Federal Information Processing Standards Publication 180-3, U.S. Department of Commerce, October 2008.

Ivica Nikolić and Alex Biryukov. Collisions for Step-Reduced SHA-256. In Kaisa Nyberg, editor, FSE, volume 5086 of LNCS, pages 1–15. Springer, 2008.

Somitra Kumar Sanadhya and Palash Sarkar. Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family. In Tzong-Chen Wu, Chin-Laung Lei, Vincent Rijmen, and Der-Tsai Lee, editors, ISC, volume 5222 of LNCS, pages 244–259. Springer, 2008.

Somitra Kumar Sanadhya and Palash Sarkar. New Collision Attacks against Up to 24-Step SHA-2. In Dipanwita Roy Chowdhury, Vincent Rijmen, and Abhijit Das, editors, INDOCRYPT, volume 5365 of LNCS, pages 91–103. Springer, 2008.

Somitra Kumar Sanadhya and Palash Sarkar. Non-linear Reduced Round Attacks against SHA-2 Hash Family. In Yi Mu, Willy Susilo, and Jennifer Seberry, editors, ACISP, volume 5107 of LNCS, pages 254–266. Springer, 2008.

Xiaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functions. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of LNCS, pages 19–35. Springer, 2005.