differential cryptanalysis of hash functions how to find
play

Differential Cryptanalysis of Hash Functions: How to find - PowerPoint PPT Presentation

Mar 19, 2023 •153 likes •1.05k views

Institute for Applied Information Processing and Communications (IAIK) Differential Cryptanalysis of Hash Functions: How to find Collisions? Martin Schl affer Institute for Applied Information Processing and Communications (IAIK) Graz

  1. Institute for Applied Information Processing and Communications (IAIK) Differential Cryptanalysis of Hash Functions: How to find Collisions? Martin Schl¨ affer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Austria martin.schlaeffer@iaik.tugraz.at Albena 2011 Albena Hash Function Cryptanalysis I 1

  2. Institute for Applied Information Processing and Communications (IAIK) Outline Motivation 1 Collision Attacks 2 Differential Cryptanalysis of Hash Functions 3 Application to SHA-1 The Rebound Attack 4 Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 2

  3. Institute for Applied Information Processing and Communications (IAIK) Outline Motivation 1 Collision Attacks 2 Differential Cryptanalysis of Hash Functions 3 Application to SHA-1 The Rebound Attack 4 Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 3

  4. Institute for Applied Information Processing and Communications (IAIK) Motivation Cryptanalysis of block ciphers: well understood Cryptanalysis of hash functions: not so much hash functions were attacked like block ciphers ⇒ Attacks on MD-family by Wang et al. broke SHA-1 NIST SHA-3 competition to find a successor of SHA-1 to focus research on hash function cryptanalysis Albena Hash Function Cryptanalysis I 4

  5. Institute for Applied Information Processing and Communications (IAIK) Cryptographic Hash Function m h h ( m ) Hash function h maps arbitrary length input m to n -bit output h ( m ) Collision Resistance (2 n / 2 ) find m , m ′ with m � = m ′ and h ( m ) = h ( m ′ ) Second-Preimage Resistance (2 n ) given m , h ( m ) find m ′ with m � = m ′ and h ( m ) = h ( m ′ ) Preimage Resistance (2 n ) given h ( m ) find m Albena Hash Function Cryptanalysis I 5

  6. Institute for Applied Information Processing and Communications (IAIK) Iterated Hash Function Construction M 1 M 2 M 3 M t f f f f g H ( m ) IV w w w w n Most hash functions use some kind of iteration compression function f output transformation g chaining value size w ≥ n Strength depends on f , g , w smaller w needs stronger f Also building blocks are analyzed Albena Hash Function Cryptanalysis I 6

  7. Institute for Applied Information Processing and Communications (IAIK) Outline Motivation 1 Collision Attacks 2 Differential Cryptanalysis of Hash Functions 3 Application to SHA-1 The Rebound Attack 4 Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 7

  8. Institute for Applied Information Processing and Communications (IAIK) Collision Attacks � = m m ∗ h h h ( m ) = h ( m ∗ ) Find two different messages which result in the same hash value: m � = m ∗ with h ( m ) = h ( m ∗ ) birthday effect applies: 2 n / 2 Albena Hash Function Cryptanalysis I 8

  9. Institute for Applied Information Processing and Communications (IAIK) Collision Attacks (Differential View) − = ∆ m � = 0 m m ∗ h h h = h ( m ) − h ( m ∗ ) ∆ h ( m ) = 0 Find two different messages which result in the same hash m , ∆ m with ∆ m � = 0 and ∆ h ( m ) = 0 Usually XOR differences are used: ∆ m = m ⊕ m ∗ and ∆ h ( m ) = h ( m ) ⊕ h ( m ∗ ) Albena Hash Function Cryptanalysis I 9

  10. Institute for Applied Information Processing and Communications (IAIK) Outline Motivation 1 Collision Attacks 2 Differential Cryptanalysis of Hash Functions 3 Application to SHA-1 The Rebound Attack 4 Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 10

  11. Institute for Applied Information Processing and Communications (IAIK) Differential Characteristic ∆ m � = 0 how to find m , ∆ m ? find differential characteristic (trail, path) h determines ∆ m holds with high probability P ? if P > 2 − n / 2 : find colliding m by trying 1 / P random messages with complexity < 2 n / 2 ∆ h ( m ) = 0 Albena Hash Function Cryptanalysis I 11

  12. Institute for Applied Information Processing and Communications (IAIK) Differential Characteristic ∆ m � = 0 how to find m , ∆ m ? find differential characteristic (trail, path) h determines ∆ m holds with high probability P ? if P > 2 − n / 2 : find colliding m by trying 1 / P random messages with complexity < 2 n / 2 ⇒ how to improve complexity of attack? ⇒ how to find good differential characteristics? ∆ h ( m ) = 0 Albena Hash Function Cryptanalysis I 11

  13. Institute for Applied Information Processing and Communications (IAIK) How to Improve Complexity of Attack? Good characteristic for block ciphers: ∆ m � = 0 optimizes probability Good characteristic for hash functions h optimizes probability minimizes effort to find m How to find m ? no secret key involved we can choose m according to characteristic resulting equations in first steps are easy (only a small part of the message involved) reduced costs at input of characteristic ∆ h ( m ) = 0 Albena Hash Function Cryptanalysis I 12

  14. Institute for Applied Information Processing and Communications (IAIK) How to Improve Complexity of Attack? Good characteristic for block ciphers: ∆ m � = 0 optimizes probability Good characteristic for hash functions h optimizes probability minimizes effort to find m How to find m ? no secret key involved we can choose m according to characteristic resulting equations in first steps are easy (only a small part of the message involved) reduced costs at input of characteristic ⇒ characteristic with lower probability at input to get ∆ h ( m ) = 0 higher probability towards end Albena Hash Function Cryptanalysis I 12

  15. Institute for Applied Information Processing and Communications (IAIK) How to Find Good Differential Characteristics? block cipher based design: use characteristic of block cipher attack (also related key characteristics) by hand: MD4, MD5, SHA-1 (Wang et al.) (semi-) automatic tools: linearize hash function (coding tools) non-linear differential search by design: well known best characteristics Albena Hash Function Cryptanalysis I 13

  16. Institute for Applied Information Processing and Communications (IAIK) Example: SHA-1 high probability in second part (L) linearize hash function [RO05] search for linear differential characteristic using low weight code search connect with IV in first part (NL) low probability search for non-linear characteristic [WYY05, DR06] message modification easy for first 16 steps (just invert equation) also possible for more steps ( ≤ 25) (advanced message modification) Albena Hash Function Cryptanalysis I 14

  17. Institute for Applied Information Processing and Communications (IAIK) Finding Linear Characteristics Message expansion is linear Linearize modular addition by XOR no carry with probability 1 / 2 Linearize Boolean function by XOR holds with probability ∼ 1 / 2 Probabilities are given for single bit differences Albena Hash Function Cryptanalysis I 15

  18. Institute for Applied Information Processing and Communications (IAIK) Finding Linear Characteristics Differences with low Hamming weight result in good probability Finding good linear characteristic corresponds to finding low-weight code word in linear code Good representation of hash function is important Open source tool to find low weight code words: http://www.iaik.tugraz.at/content/research/ krypto/codingtool/ Albena Hash Function Cryptanalysis I 16

  19. Institute for Applied Information Processing and Communications (IAIK) Finding Non-Linear Characteristics [DR06] Using generalized conditions Albena Hash Function Cryptanalysis I 17

  20. Institute for Applied Information Processing and Communications (IAIK) Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Albena Hash Function Cryptanalysis I 18

  21. Institute for Applied Information Processing and Communications (IAIK) Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Albena Hash Function Cryptanalysis I 18

  22. Institute for Applied Information Processing and Communications (IAIK) Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Add conditions to control diff. no probability needed here Albena Hash Function Cryptanalysis I 18

  23. Institute for Applied Information Processing and Communications (IAIK) Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Add conditions to control diff. no probability needed here Find conforming message pair message mod. until step 25 probabilistic for further steps Albena Hash Function Cryptanalysis I 18

  24. Institute for Applied Information Processing and Communications (IAIK) Message Modification To improve complexity of attack in first few steps up to 25 in the case of SHA-1 Many dedicated techniques have been published: advanced message modifications [WYY05] equation solving [SKPI07] neutral bits [BC04] boomerang/tunnels [JP07, Kli06] greedy approach [DMR07] Resulting theoretical complexity for SHA-1: ∼ 2 63 [WYY05] implementation overhead! Albena Hash Function Cryptanalysis I 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven, Belgium Outline 1 Motivation 2 Application to SHA-1 3 Application to other Hash Functions 4 Summary and Future Work Collision Attacks on the

652 views • 46 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis:

Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis:

Hash Functions June 2013 Bart Preneel Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 Hash function design and MD2, MD4, MD5 Title of Presentation SHA-512 SHA-1 cryptanalysis: basic topics Bart Preneel This is an input to

402 views • 14 slides
New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafi Chen Department of

New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafi Chen Department of

New Techniques for Cryptanalysis of Cryptographic Hash Functions Rafi Chen Department of Computer Science, Technion Israel Institute of Technology Joint work with Eli Biham Cryptoday 2011 p. 1/52 Talk Outline Definition and properties

963 views • 95 slides
Tools in Cryptanalysis of Hash Functions Application to SHA-256 Florian Mendel Institute for

Tools in Cryptanalysis of Hash Functions Application to SHA-256 Florian Mendel Institute for

Tools in Cryptanalysis of Hash Functions Application to SHA-256 Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria Outline Motivation 1

602 views • 42 slides
Cryptanalysis of FORK-256 and some comments on the state of hash functions research Krystian

Cryptanalysis of FORK-256 and some comments on the state of hash functions research Krystian

Cryptanalysis of FORK-256 and some comments on the state of hash functions research Krystian Matusiewicz kmatus@ics.mq.edu.au Centre for Advanced Computing Algorithms and Cryptography, Department of Computing, Macquarie University IM PAN, 20

859 views • 55 slides
Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash

Introduction to the Design and Title of Presentation Cryptanalysis of Cryptographic Hash Functions Bart Preneel KU Leuven - COS IC firstname.lastname@ esat.kuleuven.be Design and S ecurity of Cryptographic Functions, Algorithms and Devices

982 views • 67 slides
Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013

Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013

Introduction 1/24 Gatan Leurent Cryptanalysis of WIDEA Conclusion Hash collisions Key recovery Truncated differential FSE 2013 UCL Crypto Group FSE 2013 Cryptanalysis of WIDEA G. Leurent Microelectronics Laboratory UCL Crypto Group

617 views • 32 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario

Finite Field Functions to Counterattack Linear and Differential Cryptanalysis Daniel Panario School of Mathematics and Statistics Carleton University daniel@math.carleton.ca ASCrypto (Advanced School of Cryptography) Latincrypt 2019

971 views • 62 slides
Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2

Differential Cryptanalysis of Keccak Variants olbl 1 , Florian Mendel 2 , Stefan K affer 2 Tomislav Nad and Martin Schl 1 DTU - Technical University of Denmark 2 IAIK - Graz University of Technology December 18, 2013 Cryptographic Hash

345 views • 22 slides
x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

ECRYPT Bart Preneel Emerging Topics in Cryptographic Design and Cryptanalysis Generic Constructions 30 April- 4 May 2007, Samos Greece for Iterated Hash Functions Outline Generic Constructions Generic Constructions for Iterated Hash

759 views • 10 slides
Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David Malone 11 October 2012 Hash Functions We are talking about hash functions for consistent assignment. For example, Hash tables, Network

448 views • 18 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.37k views • 120 slides
Theory I Algorithm Design and Analysis (5 Hashing) Prof. Th. Ottmann The dictionary problem

Theory I Algorithm Design and Analysis (5 Hashing) Prof. Th. Ottmann The dictionary problem

Theory I Algorithm Design and Analysis (5 Hashing) Prof. Th. Ottmann The dictionary problem Different approaches to the dictionary problem: Previously: Structuring the set of actually occurring keys: lists, trees, graphs, ...

446 views • 23 slides
Uses of dictionaries n Symbol table in a compiler n Key: nameof identifier n Values:

Uses of dictionaries n Symbol table in a compiler n Key: nameof identifier n Values:

Advanced Programming Dictionaries, Hash Tables Dictionaries (Maps) Hash tables ADT Dictionary or Map Has following operations: n I NSERT : inserts a new element, associated to unique value of a field (key) n S EARCH : searches an element

722 views • 22 slides
Advanced Algorithms Count Distinct Elements a sequence x 1 , x 2 , ...,

Advanced Algorithms Count Distinct Elements a sequence x 1 , x 2 , ...,

Advanced Algorithms Count Distinct Elements a sequence x 1 , x 2 , ..., x n Input : z = | { x 1 , x 2 , ..., x n } | Output : an estimation of data stream: input comes one at a time naive algorithm: store

471 views • 34 slides
CS 1501 www.cs.pitt.edu/~nlf4/cs1501/ Hashing Wouldnt it be wonderful if... Search through a

CS 1501 www.cs.pitt.edu/~nlf4/cs1501/ Hashing Wouldnt it be wonderful if... Search through a

CS 1501 www.cs.pitt.edu/~nlf4/cs1501/ Hashing Wouldnt it be wonderful if... Search through a collection could be accomplished in (1) with relatively small memory needs? Lets try this: Assume we have an array of length m (call

714 views • 23 slides
Hashing (Application of Probability) Ashwinee Panda Final CS 70 Lecture! 9 Aug 2018 Overview

Hashing (Application of Probability) Ashwinee Panda Final CS 70 Lecture! 9 Aug 2018 Overview

Hashing (Application of Probability) Ashwinee Panda Final CS 70 Lecture! 9 Aug 2018 Overview Intro to Hashing Hashing with Chaining Hashing Performance Hash Families Balls and Bins Load Balancing Universal Hashing

726 views • 18 slides
Week 8 - Friday What did we talk about last time? Balancing trees by construction Hash

Week 8 - Friday What did we talk about last time? Balancing trees by construction Hash

Week 8 - Friday What did we talk about last time? Balancing trees by construction Hash tables Infix to Postfix Converter Wednesdays at 5 p.m. in The Point 113 Already started! Saturdays at noon in The Point 113 Starting

748 views • 31 slides
CS261 Data Structures Hash Tables Concepts Goals

CS261 Data Structures Hash Tables Concepts Goals

CS261 Data Structures Hash Tables Concepts Goals Hash Func9ons Dealing with Collisions Searching...Be?er than O(log n )? Skip lists and AVL

301 views • 16 slides
Hashing 0 Hash function. Method for computing array index from key. 1 2 hash(&quot;it&quot;)

Hashing 0 Hash function. Method for computing array index from key. 1 2 hash(&quot;it&quot;)

Hashing: basic plan Save items in a key-indexed table (index is a function of the key). Hashing 0 Hash function. Method for computing array index from key. 1 2 hash(&quot;it&quot;) = 3 Tyler Moore 3 &quot;it&quot; ?? 4 CS 2123, The

559 views • 6 slides

More recommend