Cryptanalysis of FORK-256 Krystian Matusiewicz 1 , Thomas Peyrin 2 , - PowerPoint PPT Presentation

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions Cryptanalysis of FORK-256 Krystian Matusiewicz 1 , Thomas Peyrin 2 , Olivier Billet 2 , Scott Contini 1 and Josef Pieprzyk 1 1 Centre for Advanced Computing Algorithms and Cryptography, Department of Computing, Macquarie University 2 Network and Services Security Lab, France Telecom Research and Development FSE 2007, 26 March 2007

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions Talk overview ◮ Short description of FORK-256 ◮ Micro-collisions in the step transformation ◮ Simple differential path for the compression function ◮ General method of finding differential paths ◮ Collisions for the compression function ◮ The differential path ◮ Complexity analysis ◮ Improving efficiency using large memory ◮ Achieving collisions for the hash function ◮ Conclusions

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions ◮ Short description of FORK-256 ◮ Micro-collisions in the step transformation ◮ Simple differential path for the compression function ◮ General method of finding differential paths ◮ Collisions for the compression function ◮ The differential path ◮ Complexity analysis ◮ Improving efficiency using large memory ◮ Achieving collisions for the hash function ◮ Conclusions

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions Structure of FORK-256 :: four parallel branches cv ℓ M ℓ σ 1 σ 2 σ 3 σ 4 B1 B2 B3 B4 cv ℓ +1 ◮ 256 bits of chaining variable cv ◮ 512 bits of message M ◮ each branch B1, B2, B3, B4 consists of 8 steps ◮ each branch uses a different permutation ( σ 1 , σ 2 , σ 3 , σ 4 ) of message words M 0 , . . . , M 15

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions Structure of FORK-256 :: step transformation A j , k − 1 B j , k − 1 C j , k − 1 D j , k − 1 E j , k − 1 F j , k − 1 G j , k − 1 H j , k − 1 M σ j (2 k − 2) M σ j (2 k − 1) g f δ π j (2 k − 2) δ π j (2 k − 1) ≪ 5 ≪ 9 ≪ 17 ≪ 21 g f ≪ 9 ≪ 5 Q L Q R ≪ 21 ≪ 17 A j , k B j , k C j , k D j , k E j , k F j , k G j , k H j , k ◮ there are 8 steps in each branch ◮ step transformation – composition of 3 simple operations ◮ addition of two different message words ◮ two parallel Q-structures ◮ rotation of registers

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions ◮ Short description of FORK-256 ◮ Micro-collisions in the step transformation ◮ Simple differential path for the compression function ◮ General method of finding differential paths ◮ Collisions for the compression function ◮ The differential path ◮ Complexity analysis ◮ Improving efficiency using large memory ◮ Achieving collisions for the hash function ◮ Conclusions

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions What is a “micro-collision”? A B C D y f ≪ 5 δ π j (2 k ) ≪ 17 z g ≪ 9 Q L ≪ 21 A B C D Micro-collision: a difference in register A does not propagate to the selected register B, C or D. If it does not propagate to more than one other register we have simultaneous micro-collisions .

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions A B y f δ π j (2 k ) z g A B Let us denote y ′ = f ( x ′ ) z ′ = g ( x ′ ⊞ δ ) . y = f ( x ) , z = g ( x ⊞ δ ) , We have a micro-collision in the first line if the equation ( y ⊞ B ) ⊕ z = ( y ′ ⊞ B ) ⊕ z ′ (1) is satisfied for given y , y ′ , z , z ′ and some constant B . Our aim is to find the set of all constants B for which (1) is satisfied.

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions Three representations of a difference ◮ usual XOR difference: ∆ ⊕ ( z , z ′ ) = ( z 0 ⊕ z ′ 0 , . . . , z 31 ⊕ z ′ ∈ { 0 , 1 } 32 31 ) ◮ integer difference: ∂ y = y ′ − y ∈ {− 2 32 + 1 , . . . , 2 32 − 1 } ◮ singed binary difference: ∆ ± ( y , y ′ ) = ( y 0 − y ′ 0 , . . . , y 31 − y ′ ∈ {− 1 , 0 , 1 } 32 , 31 )

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions Two useful relationships between different representations ◮ If ∆ ± ( y , y ′ ) = ( r 0 , r 1 , . . . , r 31 ) is a signed binary difference, then the corresponding XOR difference is ( | r 0 | , | r 1 | , . . . , | r 31 | ). ◮ Having a signed binary difference we can easily recover the (unique) corresponding integer difference: 31 2 i · ∆ ± ( y , y ′ ) i . � ∂ y = i =0

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions Finding micro-collisions: The principle y + B = x100x11xx11xx0x11x1xx0xxxxxxxxxx B y y ′ ∆ ± = .+++-.+-+.+..+-.+.-..+.......... the same integer difference ∂ y ∆ ± = +-++.--..--..+.--.-..+.......... z z ′ ∆ ⊕ = 1111.11..11..1.11.1..1.......... XOR difference ∆ ⊕ → 2 h w (∆ ⊕ ) signed binary diffs → 2 h w (∆ ⊕ ) integer diffs → one of them must be ∂ y = y − y ′

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions Finding micro-collisions: Necessary condition To test whether the quadruple ( y , y ′ , z , z ′ ) may yield a micro-collision we have to check whether there exists a signed binary representation corresponding to ∂ y = y − y ′ that “fits” into XOR difference ∆ ⊕ ( z , z ′ ). This problem can be reduced to an easy (superincreasing) knapsack problem: Having a set of positions I = { k 0 , k 1 , . . . , k m } (determined by non-zero bits of ∆ ⊕ ( z , z ′ ) ), decide whether it is possible to find a binary signed representation r = ( r 0 , . . . , r 31 ) corresponding to ∂ y s.t.: m 2 k i · r k i � ∂ y = where r k i ∈ {− 1 , 1 } . i =0

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions This test can be implemented very efficiently! int micro_possible(WRD y1, WRD y2 , WRD dz) { WRD tmp , delta_y , sum; if ( y2 > y1 ) { tmp = y2; y2 = y1; y1 = tmp; } delta_y = y1 - y2; sum = delta_y; sum += dz; if ( sum < delta_y ) { if ( (dz > >31)==0 ) return 0; } dz <<= 1; return ( (dz|sum) == dz ); }

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions Finding micro-collisions: Also a sufficient condition In fact we can prove that this condition is also sufficient: if we can find such a representation, we can always find constants B that make the difference “fit” into the prescribed XOR pattern. Moreover, the analysis shows that the size of the set of good constants B is equal to 2 32 − h w ( z ⊕ z ′ )+1 , with the grey one added if the MSB of ∆ ⊕ ( z , z ′ ) is one.

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions ◮ Short description of FORK-256 ◮ Micro-collisions in the step transformation ◮ Simple differential path for the compression function ◮ General method of finding differential paths ◮ Collisions for the compression function ◮ The differential path ◮ Complexity analysis ◮ Improving efficiency using large memory ◮ Achieving collisions for the hash function ◮ Conclusions

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions Simple differential path using micro-collisions Branch 1 Branch 2 Branch 3 Branch 4 0 1 14 15 7 6 5 12 2 3 11 9 10 14 1 8 By introducing dif- ferences in B 0 and 4 5 8 10 13 2 15 0 finding simultane- 6 7 3 4 9 12 13 11 ous microcollisions in four Q-structures 8 9 2 13 11 4 3 10 in step 4 we ob- 10 11 0 5 15 8 9 2 tain a differential restricted to 4 12 13 6 7 5 0 7 14 registers. 14 15 12 1 1 3 4 6

Overview FORK-256 Micro-collisions Simple path Finding paths Getting collisions Conclusions Simple path: complexity analysis ◮ Once we pass through step 4, we can generate 2 32 pairs, ◮ To pass step 4 we have to make a few simple checks for 2 32 values, altogether equivalent to 2 32 / 4 of FORK evaluations, we succeed with probability P 6 d , where P d depends on the difference, for d = 0x00000404 we have P d ≈ 2 − 3 . ◮ the average cost of a single solution ≈ 1 / 4 · P − 6 ≈ 2 16 . d ◮ an example of a pair with output difference of weight 22: 8406e290 5988c6af 76a1d478 0eb60cea f5c5d865 458b2dd1 528590bf c3bf98a1 cv n cv ′ 8406e290 5988cab3 76a1d478 0eb60cea f5c5d865 458b2dd1 528590bf c3bf98a1 n 396eedd8 0e8c2a93 b961f8a4 f0a06fc6 9935952b e01d16c9 ddc60aa4 0ac1d8df M c6fef1d8 4c472ca6 58d9322d 2d087b65 7c8e1a26 71ba5da1 ba5d2bfc 1988f929 cv n +1 9897c70a 4e18862d b4725ac1 cfc9f92c 9aa0637d ae772570 74dd4af1 cd444dd7 cv ′ 9897c70a 4e1880f9 1e677302 4c650966 f4792bf4 ae772570 74dd4af1 cd444dd7 n +1