Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128. Florian Mendel¹, Tomislav Nad², Martin Schläffer². ¹ Katholieke Universiteit Leuven, ESAT/COSIC and IBBT, Belgium. ² Graz University of Technology, IAIK, Austria. FSE 2012.


SLIDE 1

Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128

Florian Mendel¹, Tomislav Nad², Martin Schläffer²

¹ Katholieke Universiteit Leuven, ESAT/COSIC and IBBT, Belgium
² Graz University of Technology, IAIK, Austria

FSE 2012

Martin Schläffer (FSE 2012) Collision Attacks on RIPEMD-128 1 / 22
SLIDE 2

Outline

1. Motivation
2. Description of RIPEMD-128
3. Outline of the Attack
4. Searching for Differential Characteristics
5. Finding a Colliding Message Pair
6. Results and Summary

SLIDE 4

Motivation

  • Cryptanalysis of ARX based designs is still important
  • Very difficult without the right tools
  • Even more for dual-stream hash functions
  • Do the results on SHA-2 help to improve attacks on other designs?
  • RIPEMD-128: shares some similarities with SHA-2

SLIDE 6

Description of RIPEMD-128

[Figure: dual-stream compression function. Labels: Stream 1, Stream 2, M_{j+1} (input to both streams), H_j, H_{j+1}, ≪ 32, ≪ 64, ≪ 96]

  • ISO/IEC standard [DBP96]
  • designed by Dobbertin, Bosselaers and Preneel
  • iterated, Merkle-Damgård hash function
  • dual stream compression function
  • no output transformation
  • 128-bit hash output
SLIDE 7

Description of RIPEMD-128

Step Update Transformation of RIPEMD-128

[Figure: step update of both streams. First stream: state words B_{i-4}, ..., B_i, constant K_i, message word W_i, Boolean function f, rotation ≪ s. Second stream: state words B'_{i-4}, ..., B'_i, constant K'_i, message word W'_i, Boolean function f', rotation ≪ s']

  • one message word updates two state variables
  • different message word permutations
  • different rotation values and Boolean functions
  • no interaction between streams (SHA-2: with interaction)
  • 4 rounds of 16 steps
SLIDE 8

Description of RIPEMD-128

Step Update Transformation of RIPEMD-128

[Figure: step update with state words A_{i-4}, ..., A_i and E_{i-4}, ..., E_i, functions Σ0, Σ1, f0, f1, constant K_i, message word W_i]

SLIDE 11

Outline of the Attack

Overview of the Attack

[Figure: compression function H_{i-1}, M_i → H_i with left stream and right stream, rounds 1 to 4, step numbers and message word order per round]

1. choose a good starting point
  • few message word differences
  • high probability characteristic
2. search for a characteristic
  • very sparse in R2 and R3
  • sparse in one stream in R1
3. determine message pair
  • message modification in R1
  • exhaustive search for R2, R3

⇒ iterations between phases

SLIDE 14

Outline of the Attack

Choosing a Starting Point

[Figure: compression function H_{i-1}, M_i → H_i with left stream and right stream, rounds 1 to 4, step numbers and message word order per round]

which message words should contain differences?
  • as few words as possible
  • only words used late in R3
  • short local collisions in R2

message word 13
  • single local collision (R1-R2)
  • impossible in left stream

message word 0 and 6
  • left: two short local collisions
  • right: one long local collision
  • avoid overlapping of LCs
  • collision for 38 steps

SLIDE 16

Searching for Differential Characteristics

Differences and Conditions

Generalized Conditions [DR06]
  • take all 16 possible conditions on a pair of bits (X_i, X_i*) into account

[Table: for each condition symbol, which of the pairs (X_i, X_i*) = (0, 0), (1, 0), (0, 1), (1, 1) it allows. Symbols: ?, -, x, 0, u, n, 1, #, 3, 5, 7, A, B, C, D, E]

2-bit Conditions [MNS11]
  • linear relation between closely related bits: X_i ⊕ X_j = 0/1
  • 2-bit conditions on any generalized condition (-, x, ?, ...)
  • used to determine critical bits (those with many relations)

SLIDE 19

Searching for Differential Characteristics

Propagation of Differences and Conditions

Stored conditions
  • all possible pairs on bits (generalized conditions)
  • all possible pairs on carries

2-bit conditions
  • all inputs and outputs of Boolean functions
  • modular additions
  • even on carries (sign of carry)

Efficiency
  • not all conditions in every iteration/phase
  • use table lookups when possible
SLIDE 20

Searching for Differential Characteristics

Search Strategy

Search Algorithm [DR06, MNS11]

(1) Start with an unrestricted characteristic ('?' and '-')
(2) Successively impose new conditions on the characteristic
  • path search: replace '?' by '-' and 'x' by 'n' or 'u'
  • message search: replace '-' by '1' or '0'
(3) Propagate the conditions in a bitslice manner and check for consistency
  • if a contradiction occurs then backtrack, else proceed with step 2
(4) Repeat steps 2 and 3 until all bits of the characteristic are determined
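The generalized conditions of [DR06] and the propagate-and-check step (3) of the search algorithm, as an added example that is not part of the original slides. The function names are illustrative, XOR and IF stand in for the Boolean function f, and carries of modular additions are left out; the last call shows a case where the generalized conditions stay unchanged while a 2-bit condition in the sense of [MNS11] appears.

```python
from itertools import combinations, product

# Added illustration (not from the slides). All function names are hypothetical.
# Pairs (X, X*) in the column order of the generalized-conditions table [DR06].
PAIRS = [(0, 0), (1, 0), (0, 1), (1, 1)]
# Condition symbol -> 4-bit mask; bit k set means PAIRS[k] is allowed.
MASK = dict(zip("#0u3n5x71-ABCDE?", range(16)))
SYM = {m: s for s, m in MASK.items()}

def f_xor(x, y, z):            # stand-in Boolean functions, one bit each
    return x ^ y ^ z

def f_if(x, y, z):             # "if x then y else z"
    return (x & y) | ((x ^ 1) & z)

def allowed(sym):
    """Pairs (X, X*) permitted by one generalized condition."""
    return [p for k, p in enumerate(PAIRS) if MASK[sym] >> k & 1]

def solutions(f, ins, out):
    """Assignments of one bit position consistent with out = f(ins) in both messages."""
    for combo in product(*(allowed(s) for s in ins)):
        o = (f(*(p[0] for p in combo)), f(*(p[1] for p in combo)))
        if o in allowed(out):
            yield combo, o

def propagate(f, ins, out):
    """Refine the conditions on one bit; None signals a contradiction (backtrack)."""
    in_masks, out_mask = [0] * len(ins), 0
    for combo, o in solutions(f, ins, out):
        for i, p in enumerate(combo):
            in_masks[i] |= 1 << PAIRS.index(p)
        out_mask |= 1 << PAIRS.index(o)
    if out_mask == 0:
        return None
    return "".join(SYM[m] for m in in_masks), SYM[out_mask]

def propagate_word(f, in_words, out_word):
    """Bitslice propagation over condition words written as on the slides."""
    cols = [propagate(f, "".join(w[b] for w in in_words), out_word[b])
            for b in range(len(out_word))]
    if None in cols:
        return None
    new_ins = ["".join(c[0][i] for c in cols) for i in range(len(in_words))]
    return new_ins, "".join(c[1] for c in cols)

def two_bit_conditions(f, ins, out):
    """Relations X_i ^ X_j = c between input bits that hold in every solution."""
    sols = [combo for combo, _ in solutions(f, ins, out)]
    rel = {}
    for i, j in combinations(range(len(ins)), 2):
        vals = {c[i][0] ^ c[j][0] for c in sols}
        if len(vals) == 1:
            rel[(i, j)] = vals.pop()
    return rel

if __name__ == "__main__":
    print(propagate(f_xor, "x--", "?"))           # difference passes through XOR
    print(propagate(f_xor, "x--", "-"))           # contradiction
    print(propagate(f_if, "-x-", "-"))            # selector bit forced to 0
    print(two_bit_conditions(f_if, "x--", "-"))   # only a 2-bit condition remains
    print(propagate_word(f_xor, ["x-", "--", "--"], "?-"))
```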

SLIDE 22

Searching for Differential Characteristics

Search Strategy

The difficulties are in the details...

Which information to propagate (and when)?
  • path search: generalized conditions
  • message search: generalized conditions and 2-bit conditions

Which bits (which area) to guess?
  • dedicated to hash function
  • bits with many 2-bit conditions (in message search)
  • lots of trial and error needed to find best strategy

How to backtrack?
  • if a contradiction occurs on a bit, backtrack until bit can be set
  • keep and check a list of previous critical bits

⇒ Dedicated for every hash function (unfortunately)
SLIDE 23

Searching for Differential Characteristics

Searching for a Differential Characteristic

[Table: start characteristic. Columns: i, ∇B_i, ∇B'_i, ∇m_i. The listed rows are '????????????????????????????????', with one row ending in 'x']

Start characteristic
  • '?' in words with difference
  • '-' in words without differences
  • 'x' in LSB of word 0
SLIDE 24

Searching for Differential Characteristics

Searching for a Differential Characteristic

[Table: partially determined characteristic. Columns: i, ∇B_i, ∇B'_i, ∇m_i]

Start characteristic
  • '?' in words with difference
  • '-' in words without differences
  • 'x' in LSB of word 0

Separate search (phases)
1. high probability in R2
2. left stream in R1
SLIDE 25

Searching for Differential Characteristics

Searching for a Differential Characteristic

[Table: characteristic after further search phases. Columns: i, ∇B_i, ∇B'_i, ∇m_i]

Start characteristic
  • '?' in words with difference
  • '-' in words without differences
  • 'x' in LSB of word 0

Separate search (phases)
1. high probability in R2
2. left stream in R1
3. find first block M0
4. right stream in R1

SLIDE 30

Finding a Colliding Message Pair

Message modification
  • many dedicated techniques published
  • mostly hand-tuned (for MD5, RIPEMD, SHA-1, ...)

Apply to RIPEMD-128?
  • difficult and time consuming
  • 1 message word updates 2 state words
  • different message permutations and rotation values

Automatic message search
  • continue guessing '-' bits to '0' or '1'
  • guess on words (state, message) in order they appear

Amortize costs
  • automatic message modification until word 13
  • brute-force with message words 14, 15
  • complexity 2?

SLIDE 32

Results and Summary

Results

previous results:

| component | attack | steps | complexity | generic | reference |
|---|---|---|---|---|---|
| hash | preimage | 33 | 2^124.5 | 2^128 | [OSS10] |
| hash | preimage | interm. 35 | 2^121 | 2^128 | [OSS10] |
| hash | preimage | interm. 36 | 2^126.5 | 2^128 | [WSK+11] |

our results:

| component | attack | steps | complexity | generic |
|---|---|---|---|---|
| hash | collision | 38 | example, 2^14 | 2^64 |
| hash | near-collision | 44 | example, 2^32 | 2^47.8 |
| hash | non-randomness | 48 | 2^70 | 2^76 |
| compression | collision | 48 | example, 2^40 | 2^64 |
SLIDE 33

Results and Summary

Summary

  • Strategy to analyze dual stream hash functions
  • Automatic path search and automatic message modification
  • Time consuming to find the right settings
  • Once settings are found, collision can be found in minutes
  • Still lots of work to be done for other (ARX based) hash functions
  • Remember: it took 5 years to get from SHA-1 to SHA-2
SLIDE 34

Results and Summary

References

[DBP96] Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. RIPEMD-160: A Strengthened Version of RIPEMD. In Dieter Gollmann, editor, FSE, volume 1039 of LNCS, pages 71–82. Springer, 1996.

[DR06] Christophe De Cannière and Christian Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284 of LNCS, pages 1–20. Springer, 2006.

[MNS11] Florian Mendel, Tomislav Nad, and Martin Schläffer. Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions. In Dong Hoon Lee and Xiaoyun Wang, editors, ASIACRYPT, LNCS. Springer, 2011. To appear.

[OSS10] Chiaki Ohtahara, Yu Sasaki, and Takeshi Shimoyama. Preimage Attacks on Step-Reduced RIPEMD-128 and RIPEMD-160. In Xuejia Lai, Moti Yung, and Dongdai Lin, editors, Inscrypt, volume 6584 of LNCS, pages 169–186. Springer, 2010.

[WSK+11] Lei Wang, Yu Sasaki, Wataru Komatsubara, Kazuo Ohta, and Kazuo Sakiyama. (Second) Preimage Attacks on Step-Reduced RIPEMD/RIPEMD-128 with a New Local-Collision Approach. In Aggelos Kiayias, editor, CT-RSA, volume 6558 of LNCS, pages 197–212. Springer, 2011.