
Finding collisions for SHA-1. Pierre Karpman, Université Grenoble Alpes. Based on joint work with Ange Albertini, Elie Bursztein, Yarik Markov, Thomas Peyrin and Marc Stevens. Real World Crypto, Zürich, 2018-01-11.


  1. Finding collisions for SHA-1
     Pierre Karpman
     Based on joint work with Ange Albertini, Elie Bursztein, Yarik Markov, Thomas Peyrin and Marc Stevens
     Université Grenoble Alpes
     Real World Crypto — Zürich
     2018–01–11
     2018–01–11 Finding collisions for SHA-1 1/38 Pierre Karpman

  2. The near-anniversary of not a birthday search
     - On 2017-01-15, the first (public?) SHA-1 collision was found
     - ... Coming after the first freestart collision in Oct. 2015
     - ... Coming after the first “theoretical” attack in 2005
     - ... Coming after the first standardization of SHA-1 in 1995
     Aim of this talk:
     - What’s a SHA-1 collision like? How do you compute one?
     - How do you measure the “complexity” of such an attack?

  3. A simple collision
     [Hex listing of the two colliding two-block inputs: h0, M1, h1, M2, h2 and h0, M1 ⊕ Δ1, h1, M2 ⊕ Δ2, h2. h0 and h2 are the same in both listings; the h1 values differ.]

  4. A comic application

         >sha1sum *.pdf
         23aa25d9e0449e507a8b4c185fdc86c35bf609bc  calvin.pdf
         23aa25d9e0449e507a8b4c185fdc86c35bf609bc  hobbes.pdf

  5. SHA-1 collisions recap
     On the way to full practical attacks
     What complexity for an attack
     Conclusion & Future work

  6. SHA-1 quick history
     Secure Hash Standard “SHA-1”
     - Standardized by NIST in Apr. 1995
     - Similar to MD4/5
     - Merkle-Damgård domain extender
     - Compression function = ad hoc block cipher in Davies-Meyer mode
     - Unbalanced Feistel network, 80 steps
     - Quick fix of “SHA-0” (May 1993)
     - Hash size is 160 bits ⇒ collision security should be 80 bits

  7. That’s nice, but we want to attack it!

  8. A two-block attack in a picture
     [Figure: diagram of the two-block attack. Labels: δM, −δM, ΔC, −ΔC, 0, NL1, NL2, L, −L.]

  9. The result
     - SHA-1 is not collision-resistant (Wang, Yin & Yu, 2005)
     - Attack complexity ≡ 2^69 (theoretical)
     - Eventually improved to ≡ 2^61 (ditto, Stevens, 2013)

  10. The attack process
      1. Pick a linear path
      2. Find a non-linear path (first block)
      3. Find accelerating techniques (first block)
      4. Compute a near-collision (a solution for (0, δM) → ΔC)
         - Possible expected wall time estimation (first block)
      5. Find a non-linear path (second block)
      6. Find accelerating techniques (second block)
      7. Compute a collision (a solution for (ΔC, −δM) → −ΔC)
         - Possible expected wall time estimation (full attack)

  11. Wall time estimation
      Simple approach:
      - Implement the attack
      - Measure production rate #A_xx/s
      - Multiply by probability that a solution A_xx extends to A_80
      Early variant (crude):
      - Partial solutions for the differential path up to A_16 are free
      - For A_17...??, count path conditions v. accelerating technique “efficiency”
      - Estimate the “critical” step A_xx & corresp. production rate
      - Multiply by probability that a solution A_xx extends to A_80

  12. SHA-1 collisions recap
      On the way to full practical attacks
      What complexity for an attack
      Conclusion & Future work

  13. Best practical attack progress (2005-2011)
      - 2005 (Biham & al.): 40 steps (cost: “within seconds”)
      - 2005 (Wang & al.): 58 steps (cost: ≈ 2^33 SHA-1 computations)
      - 2006 (De Cannière & Rechberger): 64 (cost: ≈ 2^35)
      - 2007 (Rechberger & al.): 70 (cost: ≈ 2^44)
      - 2007 (Joux & Peyrin): 70 (cost: ≈ 2^39)
      - 2010 (Grechnikov): 73 (cost: ≈ 2^50.7)
      - 2011 (Grechnikov & Adinetz): 75 (cost: ≈ 2^57.7)

  14. 2014: time to improve things again!
      - Eventual objective: full practical collision??
      - Significant intermediate step: full practical freestart collision?
      - Easier in principle, but is it the case?
      ⇒
      - Search for a 76-step freestart collision (lowest # unattacked steps)
      - Use the opportunity to develop a GPU framework

  15. The point of freestart (in a picture)
      [Figure: internal state of SHA-1 (A_i), comparing a Wang-type attack with a freestart attack. Labels: i = −4, IV, 0, offset, 16, 20, Pr = 1, Pr ≈ 1, Pr ≪ 1.]

  16. First results
      In Dec. 2014: a first 76-step freestart collision (with Peyrin & Stevens)
      - Right on time for the ASIACRYPT rump session :P
      - Cost: ≈ 2^50 SHA-1 computations on a GTX-970 ⇒ Freestart helps!
      - ⇒ About 4 days on a single GPU (what we did)
      - ⇒ About 1 day on a S$ 3000 4-GPU machine

  17. Now what?

  18. Objective: full compression function collision
      - Early (optimistic?) estimates: full freestart ≈ 32× more expensive than 76-step
      - (Hard to know for sure w/o implementing it)
      - ⇒ buy (a bit) more GPUs!
      - + develop a new attack (“sadly” necessary)
      - Update path search tools
      - Settle on a linear path
      - Generate new attack parameters
      - Program the attack again
      - ...

  19. Let’s do this!
      Figure: Part of a homemade cluster to be

  20. Second results
      In Sep. 2015: a first 80-step (full) freestart collision (with Stevens & Peyrin)
      - Right on time for EUROCRYPT submissions :P
      - cost: ≈ 2^57.5 SHA-1 computations on a GTX-970
      - A bit more than expected
      - ⇒ About 680 days on a single GPU
      - ... or 10 days on a 64-GPU cluster (what we did)
      - ... or US$ 2000 of the cheapest Amazon EC2 instances

  21. Some early impact
      - SHA-1 TLS certificates are not extended through 2016 by CA/Browser forum actors
      - Ballot 152 (Oct. 2015!) of the CA/Browser forum is withdrawn
      - Some major browsers (Edge, Firefox) sped-up deprecation/security warnings
      - But (some) continued use in Git, company-specific certificates (e.g. Facebook until Dec. 2016, Cloudflare), etc.
      - Mostly because of legacy issues

  22. Now what?

  23. Objective: full hash function collision
      - Early (optimistic?) estimates: full collision ≈ 50× more expensive than full freestart
      - (Hard to know for sure w/o implementing it)
      - ⇒ buy a lot more GPUs? (No)
      - ⇒ get help from GPU-rich people/companies? (Yes)
      - + develop a new attack
      - + add some cool exploitation features!

  24. Let’s do this!
      A CWI/Google collaboration
      1. Prepare a prefix for future colliding PDFs
      2. Compute a first (actually two) near-collision block(s)
         - Done on CPU
      3. Compute a second near-collision ⇒ the final one!!
         - Done on GPU
      4. Profit! Enjoy!
      - cost: ≈ 2^63 SHA-1 computations
      - A bit more/less than expected
      - ⇒ about 6 500 CPU-year + 100 GPU-year
      - ... or US$ 100K+ of the cheapest Amazon instances (second block only)

  25. Some more impact
      - Finally got Git planning to move away from SHA-1
      - Unwittingly broke SVN for a time
      - Further deprecation of SHA-1 certificates

  26. SHA-1 collisions recap
      On the way to full practical attacks
      What complexity for an attack
      Conclusion & Future work
