collision attacks on the reduced dual stream hash
play

Collision Attacks on the Reduced Dual-Stream Hash Function - PowerPoint PPT Presentation

Nov 03, 2022 •295 likes •650 views

Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128 Florian Mendel 1 , Tomislav Nad 2 , Martin Schl affer 2 Katholieke Universiteit Leuven, ESAT/COSIC and IBBT, Belgium Graz University of Technology, IAIK, Austria FSE 2012

  1. Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128 Florian Mendel 1 , Tomislav Nad 2 , Martin Schl¨ affer 2 Katholieke Universiteit Leuven, ESAT/COSIC and IBBT, Belgium Graz University of Technology, IAIK, Austria FSE 2012 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 1 / 22

  2. Outline Motivation 1 Description of RIPEMD-128 2 Outline of the Attack 3 Searching for Differential Characteristics 4 5 Finding a Colliding Message Pair Results and Summary 6 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 2 / 22

  3. Motivation Outline Motivation 1 Description of RIPEMD-128 2 Outline of the Attack 3 Searching for Differential Characteristics 4 Finding a Colliding Message Pair 5 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 3 / 22

  4. Motivation Motivation Cryptanalysis of ARX based designs is still important Very difficult without the right tools Even more for dual-stream hash functions Do the results on SHA-2 help to improve attacks on other designs? RIPEMD-128: shares some similarities with SHA-2 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 4 / 22

  5. Description of RIPEMD-128 Outline Motivation 1 Description of RIPEMD-128 2 Outline of the Attack 3 Searching for Differential Characteristics 4 Finding a Colliding Message Pair 5 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 5 / 22

  6. Description of RIPEMD-128 Description of RIPEMD-128 H j ISO/IEC standard [DBP96] Stream 1 Stream 2 designed by Dobbertin, Bosselaers and Preneel M j +1 M j +1 iterated, Merkle-Damg˚ ard hash function dual stream compression function ≪ 64 ≪ 32 ≪ 96 no output transformation 128-bit hash output H j +1 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 6 / 22

  7. Description of RIPEMD-128 Step Update Transformation of RIPEMD-128 B ′ B ′ B ′ B ′ B i − 4 B i − 1 B i − 2 B i − 3 i − 4 i − 1 i − 2 i − 3 K i K ′ i f f ′ W i W ′ i ≪ s ≪ s ′ B ′ B ′ B ′ B i − 3 B i B i − 1 B i − 2 B ′ i − 3 i i − 1 i − 2 one message word updates two state variables different message word permutations different rotation values and Boolean functions no interaction between streams (SHA-2: with interaction) 4 rounds of 16 steps Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 7 / 22

  8. Description of RIPEMD-128 Step Update Transformation of RIPEMD-128 A i − 1 A i − 2 A i − 3 A i − 4 E i − 1 E i − 2 E i − 3 E i − 4 − Σ 0 Σ 1 + K i f 0 f 1 W i A i − 1 A i − 2 A i − 3 E i − 1 E i − 2 E i − 3 A i E i one message word updates two state variables different message word permutations different rotation values and Boolean functions no interaction between streams (SHA-2: with interaction) 4 rounds of 16 steps Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 7 / 22

  9. Outline of the Attack Outline Motivation 1 Description of RIPEMD-128 2 Outline of the Attack 3 Searching for Differential Characteristics 4 Finding a Colliding Message Pair 5 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 8 / 22

  10. Outline of the Attack Overview of the Attack -4 H i − 1 -3 -2 -1 0 0 5 0 1 1 14 1 2 2 7 2 3 3 0 3 4 4 9 4 5 5 2 5 6 6 11 M i 6 7 7 4 7 8 8 13 8 9 9 6 9 10 10 right stream 15 10 11 11 8 11 left stream 12 12 1 12 13 13 10 13 3 14 14 14 15 15 12 15 16 7 6 17 4 11 18 13 3 19 1 7 20 10 0 21 6 13 22 15 5 23 3 10 24 12 14 25 0 15 26 9 8 27 5 12 28 2 4 29 14 9 30 11 1 31 8 2 32 3 15 33 10 5 34 14 1 35 4 3 36 9 7 37 15 14 38 8 6 39 1 9 40 2 11 41 7 8 42 0 12 43 6 2 44 13 10 45 11 0 46 5 4 47 12 13 H0 H i H1 H2 H3 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 9 / 22

  11. Outline of the Attack Overview of the Attack -4 H i − 1 -3 -2 -1 0 0 5 0 1 1 14 1 choose a good starting point 2 2 7 2 1 3 3 0 3 4 4 9 4 5 5 2 5 few message word differences 6 6 11 M i 6 7 7 4 7 8 8 13 8 9 9 6 9 high probability characteristic 10 10 right stream 15 10 11 11 8 11 left stream 12 12 1 12 13 13 10 13 3 14 14 14 15 15 12 15 search for a characteristics 16 7 6 2 17 4 11 18 13 3 19 1 7 20 10 0 very sparse in R2 and R3 21 6 13 22 15 5 23 3 10 sparse in one stream in R1 24 12 14 25 0 15 26 9 8 27 5 12 28 2 4 29 14 9 30 11 1 determine message pair 3 31 8 2 32 3 15 33 10 5 34 14 1 message modification in R1 35 4 3 36 9 7 37 15 14 38 8 6 exhaustive search for R2, R3 39 1 9 40 2 11 41 7 8 42 0 12 43 6 2 44 13 10 45 11 0 ⇒ iterations between phases 46 5 4 47 12 13 H0 H i H1 H2 H3 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 9 / 22

  12. Outline of the Attack Choosing a Starting Point -4 H i − 1 -3 -2 -1 0 0 5 0 which message words should 1 1 14 1 2 2 7 2 3 3 0 3 4 4 9 4 contain differences? 5 5 2 5 6 6 11 M i 6 7 7 4 7 8 8 13 8 as few words as possible 9 9 6 9 10 10 15 10 11 11 8 11 only words used late in R3 12 12 1 12 13 13 10 13 3 14 14 14 15 15 12 15 short local collisions in R2 16 7 6 17 4 11 18 13 3 19 1 7 20 10 0 21 6 13 22 15 5 23 3 10 24 12 14 25 0 15 26 9 8 27 5 12 28 2 4 29 14 9 30 11 1 31 8 2 32 3 15 33 10 5 34 14 1 35 4 3 36 9 7 37 15 14 38 8 6 39 1 9 40 2 11 41 7 8 42 0 12 43 6 2 44 13 10 45 11 0 46 5 4 47 12 13 H0 H i H1 H2 H3 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 10 / 22

  13. Outline of the Attack Choosing a Starting Point -4 H i − 1 -3 -2 -1 0 0 5 0 which message words should 1 1 14 1 2 2 7 2 3 3 0 3 4 4 9 4 contain differences? 5 5 2 5 6 6 11 M i 6 7 7 4 7 8 8 13 8 as few words as possible 9 9 6 9 10 10 15 10 11 11 8 11 only words used late in R3 12 12 1 12 13 13 10 13 impossible 3 14 14 14 15 15 12 15 short local collisions in R2 16 7 6 17 4 11 18 13 3 19 1 7 message word 13 20 10 0 21 6 13 22 15 5 23 3 10 single local collision (R1-R2) 24 12 14 25 0 15 26 9 8 27 5 12 impossible in left stream 28 2 4 29 14 9 30 11 1 31 8 2 32 3 15 33 10 5 34 14 1 35 4 3 36 9 7 37 15 14 38 8 6 39 1 9 40 2 11 41 7 8 42 0 12 43 6 2 44 13 10 45 11 0 46 5 4 47 12 13 H0 H i H1 H2 H3 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 10 / 22

  14. Outline of the Attack Choosing a Starting Point -4 H i − 1 -3 -2 -1 0 0 5 0 which message words should 1 1 14 1 2 2 7 2 3 3 0 3 4 4 9 4 contain differences? 5 5 2 5 6 6 11 M i 6 7 7 4 7 8 8 13 8 as few words as possible 9 9 6 9 10 10 15 10 11 11 8 11 only words used late in R3 12 12 1 12 13 13 10 13 3 14 14 14 15 15 12 15 short local collisions in R2 16 7 6 17 4 11 18 13 3 19 1 7 message word 13 20 10 0 21 6 13 22 15 5 23 3 10 single local collision (R1-R2) 24 12 14 25 0 15 26 9 8 27 5 12 impossible in left stream 28 2 4 29 14 9 30 11 1 31 8 2 message word 0 and 6 32 3 15 33 10 5 34 14 1 35 4 3 36 9 7 left: two short local collisions 37 15 14 38 8 6 39 1 9 right: one long local collision 40 2 11 41 7 8 42 0 12 43 6 2 avoid overlapping of LCs 44 13 10 45 11 0 46 5 4 collision for 38 steps 47 12 13 H0 H i H1 H2 H3 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 10 / 22

  15. Searching for Differential Characteristics Outline Motivation 1 Description of RIPEMD-128 2 Outline of the Attack 3 Searching for Differential Characteristics 4 Finding a Colliding Message Pair 5 Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 11 / 22

  16. Searching for Differential Characteristics Differences and Conditions Generalized Conditions [DR06] take all 16 possible conditions on a pair of bits into account ∗ ) ( X i , X i ( 0 , 0 ) ( 1 , 0 ) ( 0 , 1 ) ( 1 , 1 ) ( X i , X ∗ i ) ( 0 , 0 ) ( 1 , 0 ) ( 0 , 1 ) ( 1 , 1 ) - - ? � � � � 3 � � � - - � � - � - - 5 - - - x � � 7 � � � 0 � - - - A - � - � - � - - � � - � u B - - - - - n � C � � - - - � � - � � 1 D - - - - - � � � # E 2-bit Conditions [MNS11] linear relation between closely related bits: X i ⊕ X j = 0 / 1 2-bit conditions on any generalized condition (-,x,?,...) used to determine critical bits (those with many relations) Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 12 / 22

  17. Searching for Differential Characteristics Propagation of Differences and Conditions Stored conditions all possible pairs on bits (generalized conditions) all possible pairs on carries Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 13 / 22

  18. Searching for Differential Characteristics Propagation of Differences and Conditions Stored conditions all possible pairs on bits (generalized conditions) all possible pairs on carries 2-bit conditions all inputs and outputs of Boolean functions modular additions even on carries (sign of carry) Martin Schl¨ affer (FSE 2012) Collision Attacks on RIPEMD-128 13 / 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used

Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used

Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used of people, signifies a confusion in associative memory or imagination, especially a persistent one (see thinko ). True story: One of us was once on

908 views • 31 slides
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel

New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel

New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel Cryptographic Hash Functions A cryptographic hash function is hash function H:{0,1}*-> {0,1} n with strong requirements : Collision

461 views • 33 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security Yiqun Lisa Yin Independent Consultant Recent Advances in Hash Collision Attacks Efficient collisions found for MD4, MD5 Improved techniques

800 views • 10 slides
Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security

Collision Resistant Usage of SHA-1 via Message Pre-processing Michael Szydlo RSA Security Yiqun Lisa Yin Independent Consultant Recent Advances in Hash Collision Attacks Efficient collisions found for MD4, MD5 Improved techniques

442 views • 28 slides
Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 1 / 20

370 views • 33 slides
SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length output. H(m) = h Cryptographic Hash Functions Preimage resistance Collision resistance Applications of Cryptographic Hash Functions

672 views • 38 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder Florian Mendel Martin Schl affer IAIK, Graz University of Technology, Austria FSE 2014 Practical Collisions for Round-Reduced Hash Functions

602 views • 23 slides
A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven, Belgium Outline 1 Motivation 2 Application to SHA-1 3 Application to other Hash Functions 4 Summary and Future Work Collision Attacks on the

652 views • 46 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article Jean-Philippe Aumasson, Designing and attacking Kudelski Security (NAGRA) port scan detection tools by Solar Designer (Alexander D. J. Bernstein,

1.83k views • 164 slides
Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE http://sloth-attack.org Karthikeyan Bhargavan Gatan Leurent Crypto protocols and applications evolve Agility: graceful transition from old to new

228 views • 18 slides
An Assessment of Single and Dual Stream Recycling Waste Management Advisory Committee March 26,

An Assessment of Single and Dual Stream Recycling Waste Management Advisory Committee March 26,

An Assessment of Single and Dual Stream Recycling Waste Management Advisory Committee March 26, 2013 Single and Dual Stream Recycling Two recent studies were undertaken: 1. An Assessment of Single and Dual Stream Recycling - Waste Diversion

189 views • 8 slides
Applying Hash-based Indexing in Text-based Information Retrieval Benno Stein and Martin Potthast

Applying Hash-based Indexing in Text-based Information Retrieval Benno Stein and Martin Potthast

Applying Hash-based Indexing in Text-based Information Retrieval Benno Stein and Martin Potthast Bauhaus University Weimar Web-Technology and Information Systems Introduction Hash-based Indexing Methods Comparative Study DIR07 Mar.

474 views • 21 slides
CSE 326: Data Structures (amortized) linked list Array Hash Tables Insert Find Hal Perkins

CSE 326: Data Structures (amortized) linked list Array Hash Tables Insert Find Hal Perkins

Dictionary Implementations So Far BST AVL Splay Unsorted Sorted CSE 326: Data Structures (amortized) linked list Array Hash Tables Insert Find Hal Perkins Spring 2007 Delete Lecture 16 1 2 Hash Tables Example 0 Constant

381 views • 8 slides
1 Starting point: for every hash function, there is a really bad input. A possible

1 Starting point: for every hash function, there is a really bad input. A possible

Tirgul 8 Universal Hashing Remarks on Programming Exercise 1 Solution to question 2 in theoretical homework 2 We want to manage a set of n elements with the dictionary operations Insert, Search and Delete. Each element has

327 views • 7 slides
Inf 2B: Hash Tables Lecture 4 of ADS thread Kyriakos Kalorkoti School of Informatics University

Inf 2B: Hash Tables Lecture 4 of ADS thread Kyriakos Kalorkoti School of Informatics University

1 / 22 Inf 2B: Hash Tables Lecture 4 of ADS thread Kyriakos Kalorkoti School of Informatics University of Edinburgh 2 / 22 Dictionaries A Dictionary stores keyelement pairs, called items . Several elements might have the same key.

476 views • 22 slides
Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static

Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static

Hash-Based Indexing Torsten Grust Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static Hashing Hash Functions Architecture and Implementation of Database Systems Extendible Hashing Summer 2016

930 views • 39 slides
Conditional Course Lecture 4 Hash Tables I: Separate Chaining and Open Addressing Fabian Kuhn

Conditional Course Lecture 4 Hash Tables I: Separate Chaining and Open Addressing Fabian Kuhn

Algorithms and Data Structures Conditional Course Lecture 4 Hash Tables I: Separate Chaining and Open Addressing Fabian Kuhn Algorithms and Complexity Fabian Kuhn Algorithms and Data Structures Abstract Data Types: Dictionary Dictionary:

717 views • 36 slides
Hashing () Hashing () K08

Hashing () Hashing () K08

Hashing () Hashing () K08 / 1 Ecient implementation

828 views • 56 slides
A Parallel Compact Hash Table Alfons Laarman & Steven van der Vegt Overview Research

A Parallel Compact Hash Table Alfons Laarman & Steven van der Vegt Overview Research

A Parallel Compact Hash Table Alfons Laarman & Steven van der Vegt Overview Research Motivation Background Contribution A Parallel Compact Hash Table October 3, 2011 2 / 19 Introduction Hash tables are fundamental data structures A

636 views • 29 slides

More recommend