Branching Heuristics in Differential Collision Search: Application to SHA-512 (slide deck)



  1. Branching Heuristics in Differential Collision Search: Application to SHA-512
     Maria Eichlseder, Florian Mendel, Martin Schläffer
     IAIK, Graz University of Technology, Austria
     FSE 2014

  2. Practical Collisions for Round-Reduced Hash Functions
     Steps attacked / total steps:
       64/64   MD5       [WY05]
       75/80   SHA-1     [AG12]
       38/64   SHA-256   [MNS13]
       24/80   SHA-512   [IMPR08, SS08]   (now: 38/80)
        4/24   Keccak    [DDS12]
     Contribution: semi-free-start collision for 38 steps of SHA-512, obtained with improved automatic search tools.

  4. SHA-2 Family – SHA-256 / SHA-512
     Iterated hash function:
       32-bit / 64-bit words
       16-word message blocks (= 512 / 1024 bits)
       8-word hash value and chaining value (= 256 / 512 bits)
     [Figure: message blocks m_1, m_2, m_3, ..., m_t processed by the compression function f, chaining from IV to the hash]
     Compression function f:
       Message expansion: expand the 16 words M_i to 64 / 80 words W_i
       State update: 64 / 80 steps with state words A_i, E_i

  5. SHA-2 Compression Function
     Message expansion: expand the 16 words M_i to 64 / 80 words W_i
       $W_i = f_W(W_{i-2}, W_{i-7}, W_{i-15}, W_{i-16})$ for $i \ge 16$
     State update: 64 / 80 steps with state words A_i, E_i
       $E_i = f_E(A_{i-4}, E_{i-1}, \ldots, E_{i-4}, K_i, W_i)$
       $A_i = f_A(E_i, A_{i-1}, \ldots, A_{i-4})$
     [Figure: one step of the state update, with A_{i-1}, ..., A_{i-4}, E_{i-1}, ..., E_{i-4}, Σ0, Σ1, MAJ, IF, K_i and W_i feeding the new words A_i and E_i]

  6. SHA-2 Compression Function
     [Figure: the compression function as a table of steps -4 to 37, showing the state words A_i, E_i, W_i, the inputs IV and m_0, and the output h_1]

  7. Previous Collision Attack on SHA-256 [MNS13]
     Starting point:
       Few message words different
       High probability
       Local collisions
     Differential characteristic: automated search tool [DR06]
       1. Guess undetermined bits
       2. Determine consequences
       3. Backtrack if contradiction
     Message pair: automated search tool
     [Figure: the step table with ∆ = 0 at IV(A), IV(E) and at the output h(A), h(E); ∆ = ? for m_0 and for the state words ∆A_i, ∆E_i, ∆W_i, which the search has to determine]


  12. Problem – SHA-256 vs. SHA-512
     [Figure: the step tables of SHA-256 and SHA-512 side by side, highlighting the larger state size of SHA-512]
     Consequences:
       Larger search space
       Contradictions take longer to detect
       More conditions to fulfill

  13. Improving Guess & Determine?
     Problem description [MNS13]: starting point, hash function description, high-level strategy
     Guessing strategy, branching rules [MNS11]:
       Which variable to pick first?
       Which value to guess first for this variable?
     Propagation [MNS11, EMN+13, Leu12, Leu13]:
       How to detect contradictions?
       How to determine the implications of a guess?
     Backtracking [MNS11]:
       How many guesses to undo? Restart?


  15. Branching: Inspiration from SAT Solvers...
     SAT solvers (guess-and-determine for CNF formulas) use different strategies and paradigms:
       Many small clauses first (Böhm, MOM, JW)
       Many clauses first (DLCS, DLIS)
       Conflict-driven, recent conflicts first (VSIDS)
       Localized, recently updated clauses first
       Preview consequences (UPLA)

  16. Look-Ahead Branching Heuristic
     Rationale:
       Propagation is good: it reduces the search space, and explicit conditions are better than implicit ones
       Contradictions are good: better to handle them sooner rather than later
     ⇒ simulate the outcome for each candidate guessing variable and pick the best one
     [Figure: the step table of state words A_i, E_i, W_i]

  17. Randomized Look-Ahead
     Problems of the basic approach:
       Simulating for many candidates is very costly
       The search is not well randomized – essential after restarts
     Solution:
       Limit the absolute candidate set size
       Limit the relative set size
       Avoid redundant evaluation of candidates
     [Figure: the step table of state words A_i, E_i, W_i]
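As an added example (not code from the slides or from the authors' search tool), the guess-and-determine loop of slide 7 combined with the randomized look-ahead branching of slides 16 and 17, run on a constructed toy instance: a differential through an n-bit modular addition, modelled bit by bit for both executions of the pair. `propagate` is a plain support-based constraint propagation standing in for the tool's condition propagation, and the candidate sampling, the scoring by fixed bits and the forced-value shortcut are this example's own assumptions about how to realise the slides' bullets.

```python
import random, itertools
def propagate(dom, cons):
    # Determine phase: drop bit values no satisfying assignment of a constraint supports, to a fixpoint
    dom = dict(dom)  # var -> set of allowed bit values; None below signals a contradiction
    while True:
        size = sum(map(len, dom.values()))
        for vs, pred in cons:
            sup = {v: set() for v in vs}
            for vals in itertools.product(*(sorted(dom[v]) for v in vs)):
                if pred(*vals):
                    for v, x in zip(vs, vals): sup[v].add(x)
            dom.update(sup)
            if not all(sup.values()): return None  # some variable lost all its values
        if sum(map(len, dom.values())) == size: return dom
def pick_variable(dom, cons, rng, max_cand):
    # Randomized look-ahead: simulate both guesses for a random sample of undetermined variables
    undet = [v for v in dom if len(dom[v]) > 1]
    best, best_score = (None, []), -1
    for v in rng.sample(undet, min(max_cand, len(undet))):
        after = {x: propagate({**dom, v: {x}}, cons) for x in (0, 1)}
        fixed = {x: sum(len(s) == 1 for s in d.values()) for x, d in after.items() if d}
        if not fixed: return None, []  # both guesses contradict: caller backtracks
        score = 10**9 if len(fixed) == 1 else min(fixed.values())  # one contradicts: other forced
        if score > best_score: best_score, best = score, (v, sorted(fixed, key=lambda x: -fixed[x]))
    return best
def search(dom, cons, rng, max_cand=8):  # guess-and-determine: propagate, look-ahead pick, guess, backtrack
    dom = propagate(dom, cons)
    if dom is None: return None
    if all(len(s) == 1 for s in dom.values()): return {v: min(s) for v, s in dom.items()}
    var, order = pick_variable(dom, cons, rng, max_cand)
    for x in order:  # most-propagating value first
        sol = search({**dom, var: {x}}, cons, rng, max_cand)
        if sol is not None: return sol
    return None
def add_differential(n, dx, dy, ds):
    # Constructed toy instance: ripple-carry additions s = x + y and s* = x* + y* on n-bit words
    dom, cons = {"c0": {0}, "c*0": {0}}, []  # carry-in of bit 0 is zero in both executions
    for p, i in itertools.product(("", "*"), range(n)):
        x, y, c, s, c1 = [f"{w}{p}{i}" for w in "xycs"] + [f"c{p}{i+1}"]
        dom.update({x: {0, 1}, y: {0, 1}, s: {0, 1}, c1: {0, 1}})
        cons.append(((x, y, c, s), lambda a, b, ci, o: o == a ^ b ^ ci))  # sum bit
        cons.append(((x, y, c, c1), lambda a, b, ci, co: co == (a & b) | (ci & (a ^ b))))  # carry out
    for w, diff in (("x", dx), ("y", dy), ("s", ds)):  # required XOR differences x^x*, y^y*, s^s*
        cons += [((f"{w}{i}", f"{w}*{i}"), lambda a, b, d=(diff >> i) & 1: a ^ b == d) for i in range(n)]
    return dom, cons
def solve(n, dx, dy, ds, seed=1):  # (x, y, x*, y*) as integers, or None if the differential is impossible
    sol = search(*add_differential(n, dx, dy, ds), random.Random(seed))
    return sol and tuple(sum(sol[f"{w}{i}"] << i for i in range(n)) for w in ("x", "y", "x*", "y*"))
```

solve(4, 1, 0, 3) returns a pair with x ^ x* = 1 and (x + y) ^ (x* + y*) = 3 modulo 2^4, while solve(2, 1, 0, 0) exhausts the tree through contradictions and returns None.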

  18. Effect of Branching Heuristic (16 Candidates)
     Semi-free-start collisions:
       27 or 38 steps of SHA-256 – with heuristic: about 5–50 times faster
       27 steps of SHA-512 – without heuristic: 4 days on 40 CPUs; with heuristic: seconds on a standard PC
       38 steps of SHA-512 – without heuristic: no results; with heuristic: ≈ 1.5 h on 40 CPUs
     Collisions with the correct IV: not enough freedom left in the message

  19. Application to 38 Steps of SHA-512 – Characteristic
     [Figure: the differential characteristic over the step table of A_i, E_i, W_i, from IV(A), IV(E) and m_0 to h(A), h(E)]

  20. Application to 38 Steps of SHA-512 – Result
     Semi-free-start collision for 38 of 80 steps (≈ 1.5 h on 40 CPUs):
     [Table: the chaining input h_0, the colliding message pair m and m*, their difference ∆m and the common output h_1, given as 64-bit hex words]
