Collisions for simplified variants of SHA-256 Krystian Matusiewicz - PowerPoint PPT Presentation

Collisions for simplified variants of SHA-256 Krystian Matusiewicz and Josef Pieprzyk kmatus@ics.mq.edu.au, josef@ics.mq.edu.au Centre For Advanced Computing, Algorithms and Cryptography, Department of Computing, Macquarie University


  1. Collisions for simplified variants of SHA-256 Krystian Matusiewicz and Josef Pieprzyk kmatus@ics.mq.edu.au, josef@ics.mq.edu.au Centre For Advanced Computing, Algorithms and Cryptography, Department of Computing, Macquarie University Collisions for simplified variants of SHA-256 – p. 1/35

  2. Overview
     • Motivation: How secure is SHA-256?
     • Description of SHA-256
     • Collisions for a linear variant
     • Collisions for a linear variant with Boolean functions
     • About S-Boxes
     • Conclusions and open problems

  12. Motivation: The family tree of MD functions
      [Timeline figure, labels in reading order: 1990 MD4; 1991 MD5; HAVAL; 1992 RIPEMD; 128,160,224,256; 1993 SHA0; 1994 SHA1; 1995 RIPEMD-160; ...; 2002 SHA-512,384; SHA-256; 2004 SHA-224]

  13. Motivation: Security of SHA-256
      • What is the role of the components of SHA-256?
      • How do they contribute to the security of the function?

  15. Description of SHA-256
      Iterated hash function using a compression function
      $f : \{0,1\}^{512} \times \{0,1\}^{256} \to \{0,1\}^{256}$
      [Figure: message blocks $M_1$, $M_2$, $M_3$ fed one by one into $f$, starting from $IV$, producing $h(M)$]

  16. SHA-256 compression function
      [Figure: inputs $IV$ and $M$, with $M$ passing through the message expansion; output $f(M, IV)$]

  17. Message expansion of SHA-256
      $$W_i = \begin{cases} M_i & \text{for } 0 \le i < 16, \\ \sigma_1(W_{i-2}) + W_{i-7} + \sigma_0(W_{i-15}) + W_{i-16} & \text{for } 16 \le i < 64, \end{cases}$$
      where
      $$\sigma_0(x) = \mathrm{ROTR}^{2}(x) \oplus \mathrm{ROTR}^{18}(x) \oplus \mathrm{SHR}^{3}(x)$$
      $$\sigma_1(x) = \mathrm{ROTR}^{17}(x) \oplus \mathrm{ROTR}^{19}(x) \oplus \mathrm{SHR}^{10}(x)$$
      [Figure: register $W_0 \dots W_{15}$ with feedback through $\sigma_1$ and $\sigma_0$]

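  18. Step transformation of SHA-256
      [Figure: one step on registers $A_i, B_i, C_i, D_i, E_i, F_i, G_i, H_i$ with blocks $\Sigma_0$, $\Sigma_1$, $\mathrm{Maj}$, $\mathrm{Ch}$, inputs $K_i$ and $W_i$, and outputs $A_{i+1}$, $E_{i+1}$, $H_{i+1}$]
      $$\Sigma_0(x) = \mathrm{ROTR}^{2}(x) \oplus \mathrm{ROTR}^{13}(x) \oplus \mathrm{ROTR}^{22}(x)$$
      $$\Sigma_1(x) = \mathrm{ROTR}^{6}(x) \oplus \mathrm{ROTR}^{11}(x) \oplus \mathrm{ROTR}^{25}(x)$$
      $$\mathrm{Maj}(A, B, C) = (A \wedge B) \vee (A \wedge C) \vee (B \wedge C)$$
      $$\mathrm{Ch}(E, F, G) = (E \wedge F) \vee (\neg E \wedge G)$$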

  20. Linearized variant of SHA-256
      SHA-256 contains three types of functions:
      • $\mathbb{F}_2$-linear: $\sigma_0$, $\sigma_1$, $\Sigma_0$, $\Sigma_1$
      • $\mathbb{Z}_{2^{32}}$-linear: addition modulo $2^{32}$ ($+$)
      • nonlinear with respect to both structures: bitwise Boolean functions
      Simplified variant 1:
      • replace $\sigma_0$, $\sigma_1$, $\Sigma_0$, $\Sigma_1$ with the identity: $\sigma_0(x) = \sigma_1(x) = \Sigma_0(x) = \Sigma_1(x) = x$,
      • replace the Boolean functions with addition: $\mathrm{Maj}(x, y, z) = \mathrm{Ch}(x, y, z) = x + y + z$.
      We get a fully $\mathbb{Z}_{2^{32}}$-linear function. Is it possible to use a disturbance-correction strategy to find collisions for this model?

  21. Correcting single disturbance: steps 1 – 2
      [Figure: two consecutive step transformations on $A_i, \dots, H_i$. Difference labels in reading order, with the position of each step block marked: | $K_i$ | $\Delta, \Delta, \Delta$ | $K_{i+1}$ | $-4\Delta, \Delta, -2\Delta, \Delta$]

  22. Correcting single disturbance: steps 3 – 4
      [Figure: difference labels in reading order: $-2\Delta, \Delta, \Delta$ | $K_{i+2}$ | $2\Delta, -\Delta, -2\Delta, \Delta, \Delta$ | $K_{i+3}$ | $2\Delta, \Delta, -\Delta, -\Delta, -2\Delta, \Delta$]

  23. Correcting single disturbance: steps 5 – 6
      [Figure: difference labels in reading order: $\Delta, -\Delta, -\Delta, -2\Delta$ | $K_{i+4}$ | $4\Delta, -\Delta, -\Delta, -2\Delta, \Delta$ | $K_{i+5}$ | $2\Delta, \Delta, -\Delta, -\Delta$]

  24. Correcting single disturbance: steps 7 – 8
      [Figure: difference labels in reading order: $\Delta, -\Delta, -\Delta$ | $K_{i+6}$ | $\Delta, \Delta, -\Delta$ | $K_{i+7}$ | $0, \Delta$]

  25. Correcting single disturbance: step 9
      [Figure: difference labels in reading order: $\Delta$ | $K_{i+8}$ | $-\Delta$ | $K_{i+9}$ | $0$]

  26. Single corrective pattern
      A disturbance $\Delta_i$ in the $i$-th word is corrected by the following sequence:
      $$\Delta_i,\ -4\Delta_i,\ 2\Delta_i,\ 2\Delta_i,\ 4\Delta_i,\ 2\Delta_i,\ \Delta_i,\ 0,\ -\Delta_i.$$
      [Figure: the disturbance $\Delta_i$ followed by the multipliers $-4, 2, 2, 4, 2, 1, 0, -1$]
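The corrective sequence can be re-derived from the step function of simplified variant 1. The following Python is an added example, not code from the slides or their authors; the function names are its own, and the state, message words and constants in the demo are constructed values rather than SHA-256's real IV or $K_i$.

```python
MASK = 0xFFFFFFFF  # arithmetic is in Z_{2^32}
PATTERN = [1, -4, 2, 2, 4, 2, 1, 0, -1]  # multipliers of delta from the slide

def lin_step(state, w, k=0):
    """Simplified variant 1: Sigma0 = Sigma1 = id, Maj = Ch = x + y + z."""
    a, b, c, d, e, f, g, h = state
    t1 = (h + e + (e + f + g) + k + w) & MASK  # h + Sigma1(e) + Ch(e,f,g) + K + W
    t2 = (a + (a + b + c)) & MASK              # Sigma0(a) + Maj(a,b,c)
    return ((t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g)

def derive_corrections(delta, steps=9):
    """Track the register difference; after the disturbance, pick each word
    difference so that nothing new enters register A."""
    diff, words, trace = (0,) * 8, [], []
    for i in range(steps):
        w = delta & MASK if i == 0 else (-lin_step(diff, 0)[0]) & MASK
        diff = lin_step(diff, w)   # differences obey the same map with K = 0
        words.append(w)
        trace.append(diff)
    return words, trace

def final_states(delta, state, words, consts):
    """Run nine steps on a message and on message + corrective pattern."""
    s0 = s1 = tuple(state)
    for w, k, m in zip(words, consts, PATTERN):
        s0 = lin_step(s0, w, k)
        s1 = lin_step(s1, (w + m * delta) & MASK, k)
    return s0, s1

if __name__ == "__main__":
    delta = 0x00000001
    words, trace = derive_corrections(delta)
    for i, (w, d) in enumerate(zip(words, trace)):
        print(i, f"{w:08x}", [f"{x:08x}" for x in d])
    # Constructed state, message words and constants (assumptions of this demo).
    state = [0x01234567 * (i + 1) & MASK for i in range(8)]
    msg = [0x9E3779B9 * (i + 3) & MASK for i in range(9)]
    ks = [0x0F1E2D3C * (i + 5) & MASK for i in range(9)]
    print(final_states(delta, state, msg, ks))
```

The per-step trace printed by the demo matches the difference labels of the "Correcting single disturbance" figures, and the two final states are equal for any starting state.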

  27. Conditions for a disturbance vector
      We treat expanded messages as vectors $W \in \mathbb{Z}_{2^{32}}^{64}$. A difference $\Delta = W' - W$ is a valid disturbance pattern if two conditions are satisfied:
      C1. the last 8 words of $\Delta$ are zero,
      C2. $\Delta$ with a block of 8 zeros prepended must also be the result of the expansion process.
      C1 is necessary to allow enough time to correct the last difference, as 8 steps are needed to correct each disturbance. C2 is necessary for constructing a corrective pattern as a linear combination of $\Delta$ and "delayed" disturbance vectors.

  28. More about condition C2
      For a disturbance pattern $\Delta = [\Delta_0, \dots, \Delta_{63}]^T$ the full corrective pattern is computed as
      $$C = \Delta - 4 \cdot [0, \Delta_0, \dots, \Delta_{62}]^T + 2 \cdot [0, 0, \Delta_0, \dots, \Delta_{61}]^T + 2 \cdot [0, 0, 0, \Delta_0, \dots, \Delta_{60}]^T + \dots - 1 \cdot [0, 0, 0, 0, 0, 0, 0, 0, \Delta_0, \dots, \Delta_{55}]^T.$$
      The "delayed" pattern $[0, 0, 0, 0, 0, 0, 0, 0, \Delta_0, \dots, \Delta_{55}]^T$ has to be the result of the expansion.

  29. Message expansion as a linear transform
      Message expansion with $\sigma_0 = \sigma_1 = \mathrm{id}$ is $\mathbb{Z}_{2^{32}}$-linear, so it can be represented as a $64 \times 16$ matrix
      $$E = \begin{bmatrix} I_{16} \\ A \\ A^2 \\ A^3 \end{bmatrix},$$
      where $A$ is a linear transform producing 16 new words out of 16 old ones according to the recurrence relation. Then we have $W = E \cdot M$, where $M \in \mathbb{Z}_{2^{32}}^{16}$ is the initial message and $W \in \mathbb{Z}_{2^{32}}^{64}$ is the expanded message.

  30. Finding disturbance patterns
      We are looking for message differences $\Delta M = M' - M$ such that the expanded differences $\Delta = E(\Delta M)$ satisfy conditions C1 and C2. This can be written as
      $$0 = A^3[8::16] \cdot \Delta M \quad \text{(the last 8 elements of } \Delta \text{ are zero)}$$
      $$0 = A^{-1}[8::16] \cdot \Delta M \quad \text{(8 prepended elements of } \Delta \text{ would be zero)}$$
      where $M[a::b]$ means a matrix consisting of rows of matrix $M$ from the $a$-th row to the $b$-th row, inclusive. These two matrix equations form a linear system over the ring $\mathbb{Z}_{2^{32}}$.

  31. Finding disturbance patterns: solving the system
      The system
      $$0 = A^3[8::16] \cdot \Delta M$$
      $$0 = A^{-1}[8::16] \cdot \Delta M$$
      has a one-dimensional solution space given by
      ∆M = [0x10000000, 0xA0000000, 0xC0000000, 0xA0000000, 0xE0000000, 0x20000000, 0x40000000, 0x40000000, 0x80000000, 0xD0000000, 0x10000000, 0x60000000, 0x50000000, 0x40000000, 0x70000000, 0x30000000]^T.
      Any nonzero multiple of this vector constitutes a valid disturbance pattern for the linearized version of SHA-256, so we can use it to find collisions.
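The matrix view of the expansion and the first of the two equations can be checked directly. The following Python is an added example, not code from the slides or their authors; it builds $A$ and $E$ from the recurrence with $\sigma_0 = \sigma_1 = \mathrm{id}$ using plain lists, the function names are its own, and it checks condition C1 only.

```python
MASK = 0xFFFFFFFF  # arithmetic is in Z_{2^32}

# Disturbance vector as printed on the slide.
DELTA_M = [0x10000000, 0xA0000000, 0xC0000000, 0xA0000000,
           0xE0000000, 0x20000000, 0x40000000, 0x40000000,
           0x80000000, 0xD0000000, 0x10000000, 0x60000000,
           0x50000000, 0x40000000, 0x70000000, 0x30000000]

def expand(m, total=64):
    """Message expansion with sigma0 = sigma1 = id."""
    w = list(m)
    for i in range(16, total):
        w.append((w[i - 2] + w[i - 7] + w[i - 15] + w[i - 16]) & MASK)
    return w

def matmul(x, y):
    """Matrix product over Z_{2^32}."""
    return [[sum(a * b for a, b in zip(row, col)) & MASK for col in zip(*y)]
            for row in x]

def matvec(x, v):
    """Matrix-vector product over Z_{2^32}."""
    return [sum(a * b for a, b in zip(row, v)) & MASK for row in x]

def build_A():
    """Column k of A is the next 16 words produced from the unit vector e_k."""
    cols = [expand([int(j == k) for j in range(16)], 32)[16:] for k in range(16)]
    return [list(row) for row in zip(*cols)]

def build_E():
    """E = [I; A; A^2; A^3], a 64 x 16 matrix with W = E * M."""
    ident = [[int(i == j) for j in range(16)] for i in range(16)]
    a = build_A()
    a2 = matmul(a, a)
    return ident + a + a2 + matmul(a2, a)

def c1_words(delta_m):
    """Last 8 words of E * delta_m; condition C1 requires all of them to be 0."""
    return matvec(build_E()[56:], delta_m)

if __name__ == "__main__":
    print([f"{x:08x}" for x in c1_words(DELTA_M)])
```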
