A Tool for Differential Cryptanalysis of ARX Based Hash Functions - PowerPoint PPT Presentation

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven, Belgium

Outline 1 Motivation 2 Application to SHA-1 3 Application to other Hash Functions 4 Summary and Future Work

Collision Attacks on the MD4-family

Collision Attacks on the MD4-family Basic Attack Strategy (1) Find a characteristic for that holds with high probability after the first round of the hash function. (2) Find a characteristic (not necessary with high probability) for the first round of the hash function. (3) Use message modification techniques [WY05] to fulfill conditions imposed by the characteristic in the first round. (4) Use random trials to find values for the remaining free message bits such that the message follows the characteristic. ⇒ The attack complexity is dominated by the last step.

How to Construct Differential Characteristics No secret key - all inputs are known or can even be chosen by the attacker Write out the equations and solve them The equations are usually highly nonlinear and difficult to solve Simplify equations by choosing some of the inputs carefully How to Solve the Equations? Wang’s Approach (by hand) Gr¨ obner Basis, SAT solvers, . . . Dedicated Approach [DR06] (Guess-and-Determine)

Guess-and-Determine Attack On a high level, a guess-and-determine attack can be described as a repetition of the following two steps guess the value of some unknowns determine the value of as many unknowns as is possible until all unknowns have been determined.

Guess-and-Determine Attack A guess-and-determine attack works specially well if there are many sparse equations the set of equations can be split into a number of subsets with very few variables occurring in more than one subset ⇒ A successful attack employs a strategy to convert the complex and dense equations into a form that is more amenable to attack

Guess-and-Determine Attack Choice of the Intermediate Variables This affects the performance of the algorithm that is used to propagate the information. For sparse equations and equations of low degree, it is easy to determine if new constraints on some unknowns lead to constraints on other unknowns. If there are many equations, the total effort of determining all new constraints becomes very expensive.

Guess-and-Determine Attack Choice of the Information to Store We can not store all the information that we have on each of the intermediate variables accessing that information would be slower than recomputing it too much work to keep all information up-to-date and consistent. ⇒ Often it is better to store only a part of the information, and recreate the rest when it is needed.

Application to SHA-1 Approach of De Canni` ere and Rechberger (ASIACRYPT 2006)

Application to SHA-1 A i − 1 B i − 1 C i − 1 D i − 1 E i − 1 ≪ 5 K i f ≫ 2 W i A i B i C i D i E i Choice of the Intermediate Variables Alternative description of SHA-1 A i = A i − 5 + A i − 1 ≪ 5 + K i + f ( A i − 2 , A i − 3 ≫ 2 , A i − 4 ≫ 2 ) + W i

Application to SHA-1 Choice of the Information to Store All 16 possible conditions on a pair of bits are taken into account. ( x i , x i ∗ ) ( 0 , 0 ) ( 1 , 0 ) ( 0 , 1 ) ( 1 , 1 ) ( x i , x ∗ i ) ( 0 , 0 ) ( 1 , 0 ) ( 0 , 1 ) ( 1 , 1 ) ? � � � � 3 � � - - - � - - � 5 � - � - - - - x � � 7 � � � 0 � - - - A - � - � u - � - - B � � - � - - - - - n � C � � 1 - - - � D � - � � # - - - - E - � � � This is ideal for bitslice functions, but less ideal for functions that mix bits from different slices.

Application to SHA-1 Search Algorithm (1) Start with an unrestricted characteristic (only ‘ ? ’) (2) Successively impose new conditions on the characteristic (replace ‘ ? ’ by ‘ - ’ and ‘ x ’ by ‘ n ’ or ‘ u ’) (3) Propagate the conditions in a bitslice manner and check for consistency If a contradiction occurs then backtrack else proceed with step 2 (4) Repeat steps 2 and 3 until all bits of the characteristic are determined

Example Characteristic for the first round of SHA-1

i ∇ A i ∇ W i -5 -------------------------------- -4 -------------------------------- -3 -------------------------------- -2 -------------------------------- -1 -------------------------------- 0 ???????????????????????????????x x-x---------------------------xx 1 ???????????????????????????????? --x-----------------------xx---- 2 ???????????????????????????????? -xx----------------------------- 3 ???????????????????????????????? xxx-----------------------x-x-x- 4 ???????????????????????????????? --x----------------------x----xx 5 ???????????????????????????????? x-xx---------------------x------ 6 ???????????????????????????????? xx-x---------------------x-x--xx 7 ???????????????????????????????? xx-x----------------------x---x- 8 ???????????????????????????????? --x----------------------------- 9 ???????????????????????????????? -xx-----------------------xx--x- 10 ???????????????????????????????? -xx----------------------x----xx 11 ???????????????????????????????? --x----------------------x------ 12 ???????????????????????????????? xxx----------------------x----x- 13 ???????????????????????????????? -xx---------------------------x- 14 ?-----------------------------?? x------------------------------x 15 -------------------------------? --------------------------x----- 16 x-----------------------------x- ------------------------------xx 17 ------------------------------x- -x-----------------------x-x--x- 18 x-----------------------------x- -x-----------------------x------ 19 -------------------------------- xxx----------------------x-x--x- 20 ------------------------------x- x-x----------------------------- . . . . . . . . . # freebits: 532 # contradictions: 0

Collision Attacks on the MD4-family

Consequences of the Attacks Transition from SHA-1 to SHA-2 NIST proposed the transition from SHA-1 to the SHA-2 family Companies and organization are expected to migrate to SHA-2 SHA-3 initiative Researchers are evaluating alternative hash functions in the SHA-3 initiative organized by NIST

The SHA-2 Family Designed by NSA and issued by NIST in 2002. Defined in the Federal Information Processing Standard (FIPS-180-3) [Nat08] Part of several international standards Often recommended as an alternative to SHA-1 Consists of 4 hash functions, i.e. SHA-224, SHA-256, SHA-384, SHA-512

Description of SHA-256 Iterated hash function processing message blocks of 512 bits and producing a hash value of 256 bits. Compression function f consists of 2 parts: Message Expansion State Update (64 steps) M 1 M 2 M 3 M t f f f f IV h

Message Expansion The message expansion of SHA-256 splits the 512-bit message block into 16 words M i , i = 0 , . . . , 15, and expands them into 64 expanded message words W i as follows: � M i 0 ≤ i < 16 W i = σ 1 ( W i − 2 ) + W i − 7 + σ 0 ( W i − 15 ) + W i − 16 16 ≤ i < 64 The functions σ 0 ( X ) and σ 1 ( X ) are given by σ 0 ( X ) = ( X ≫ 7 ) ⊕ ( X ≫ 18 ) ⊕ ( X ≫ 3 ) σ 1 ( X ) = ( X ≫ 17 ) ⊕ ( X ≫ 19 ) ⊕ ( X ≫ 10 )

Step Function of SHA-256 A i − 1 B i − 1 C i − 1 D i − 1 E i − 1 F i − 1 G i − 1 H i − 1 Σ 1 Σ 0 K i f 0 f 1 W i A i B i C i D i E i F i G i H i

Step Function of SHA-256 The bitwise Boolean functions f 0 and f 1 used in each step are defined as follows: f 0 ( X , Y , Z ) = X ∧ Y ⊕ Y ∧ Z ⊕ X ∧ Z f 1 ( X , Y , Z ) = X ∧ Y ⊕ ¬ X ∧ Z The linear functions Σ 0 and Σ 1 are defined as follows: Σ 0 ( X ) = ( X ≫ 2 ) ⊕ ( X ≫ 13 ) ⊕ ( X ≫ 22 ) Σ 1 ( X ) = ( X ≫ 6 ) ⊕ ( X ≫ 11 ) ⊕ ( X ≫ 25 )

Results for SHA-256 Preimage Attack Aoki et al. [AGM + 09] 43 out of 64 steps (complexity: 2 254 . 9 ) Khovratovich et al. [KRS11] 45 out of 64 steps (complexity: 2 255 . 5 ) Collision Attack Nikoli´ c and Biryukov [NB08] 21 out of 64 steps (example) Indesteege et al. [IMPR08]; Sanadhya and Sarkar [SS08b] 24 out of 64 steps (example)

Collision Attacks on SHA-256 All collisions attacks so far are of practical complexity They are all based on the same basic idea: extending a local collision over 9 steps to more steps The best collision attack so far is for 24 steps based on the 9-step differential characteristic of Nikoli´ c and Biryukov

Attack of Nikoli´ c and Biryukov By using modular differences Nikoli´ c and Biryukov found a 9-step differential characteristic for which it is not necessary to apply corrections in each step ∆ A ∆ B ∆ C ∆ D ∆ E ∆ F ∆ G ∆ H ∆ W step i 1 i + 1 1 1 δ 1 i + 2 1 -1 1 δ 2 i + 3 1 -1 1 δ 3 i + 4 1 -1 1 i + 5 1 -1 i + 6 1 i + 7 1 i + 8 1 δ 4 i + 9

Attack of Nikoli´ c and Biryukov W 6 7 8 9 14 0 1 2 3 4 5 The fact that only 5 message words 6 x 7 x have differences helped to overcome 8 x several steps of the message expansion 9 x 10 11 12 ⇒ Practical collision attacks on 21 steps of 13 14 x the hash function 15 16 x x 17 18 x x 19 20 x x