Limited-Birthday Distinguishers for Hash Functions Collisions - - PowerPoint PPT Presentation

SLIDE 1

Limited-Birthday Distinguishers for Hash Functions

Collisions Beyond the Birthday Bound can be Meaningful

Mitsugu Iwamoto1, Thomas Peyrin2 and Yu Sasaki3

1: The University of Electro-Communications, Japan 2:Nanyang Technological University, Singapore 3:NTT Secure Platform Laboratories, Japan

Asiacrypt 2013 (5/Dec/2013@Bengaluru)

SLIDE 2

Research Summary

  • Prove the generic attack cost of the LBD:
    – the known generic attack [GP10] is optimal.
  • LBD is useful:
    – an LBD for a hash function breaks the dTCR notion.
  • Constructing LBDs on hash functions:
    – by converting semi-free-start collisions (on the compression function), even when their complexity is beyond 2^(n/2).
  • Find LBDs for concrete designs:
    – some achieve the best attack in the hash function setting, e.g. RIPEMD-128, Whirlpool.

SLIDE 3

Hash Functions

  • Hash functions provide a fixed-size message fingerprint for an arbitrary-length message.
  • Merkle-Damgård construction
  • Many schemes are proven secure by assuming the ideality of the underlying primitive, so showing a non-ideality is important.

[Figure: Merkle-Damgård construction. IV and M0 enter CF; the output is chained with M1 into CF, then with M2, ..., MN-1, and the last CF output is the hash.]

SLIDE 4

Limited Birthday Distinguishers (LBD)

  • Recently, especially in the SHA-3 competition, many distinguishing attacks have been proposed, e.g. q-multi-collisions, rotational distinguishers, subspace distinguishers.
  • The Limited-Birthday Distinguisher [GP10] finds paired values satisfying a set of pre-specified input differences DIN and output differences DOUT.

[Figure: the target CF and an ideal CF, each with input difference set DIN and output difference set DOUT; compare the costs of finding such a pair for each. What is the cost?]

SLIDE 5

Known Generic Attack for LBD [GP10]

  • The previous method was conjectured to be the best:
    – Fix the inactive input bits (one of 2^(n−I) choices).
    – Choose all 2^I values of the active input bits and make all 2^(2I−1) pairs.
    – Repeat the above, changing the inactive input bits.

[Figure: 8-round AES as an example, input to output, with n = 128, I = |DIN| = 32, O = |DOUT| = 32.]

SLIDE 6

Describing LBD with a Bigraph

  • Classify the 2^n input values into 2^(n−I) groups indexed by the values of the n−I non-active bits. (Do the same for the output.)
  • Represent each input/output group by a node.
  • Represent the map from input to output by edges. Each input node can have at most 2^I edges.

[Figure: bipartite graph of input nodes and output nodes; up to 2^I edges from each node; 1 query obtains 1 edge.]

SLIDE 7

Describing LBD with a Bigraph

  • Achieving an LBD is equivalent to finding multiedges.
  • Valid pair: a pair of edges sharing the same input node.
  • If 2^(n−O) valid pairs are generated, a multiedge will be found.

[Figure: the same bipartite graph; up to 2^I edges from each node; 1 query obtains 1 edge.]

SLIDE 8

Describing LBD with a Graph

  • How many valid pairs can be generated with X queries?
  • Suppose d_i (1 ≤ i ≤ 2^(n−I)) is the number of edges coming from input node i.
  • The number of valid pairs (#V) is:
    #V = d_1^2/2 + d_2^2/2 + … + d_{2^(n−I)}^2/2
  • The constraint equations are:
    d_1 + d_2 + … + d_{2^(n−I)} = X
    2^I ≥ d_1 ≥ d_2 ≥ … ≥ d_{2^(n−I)} ≥ 0 (descending order)

SLIDE 9

Proof Approach

  • Use the theory of majorization.
  • The proof is available in the paper.
  • Interesting corollary: the proof can be extended to
    – limited-birthday multi-collisions
    – limited-birthday k-sums.
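As an added illustration of slides 7 to 9 (my own code, not part of the original deck), the following Python evaluates the valid-pair count #V = Σ d_i^2/2 for a degree sequence, shows that under a fixed query budget X the greedy [GP10] sequence (fill each input node to its 2^I edges) yields more valid pairs than an even spread, which is the majorization effect behind the optimality proof, and computes how many queries the greedy strategy needs before #V reaches 2^(n−O). The d_i^2/2 count is the slide's approximation, and the function names and toy parameters are my own.

```python
from fractions import Fraction
from math import isqrt
from typing import List

def valid_pairs(degrees: List[int]) -> Fraction:
    """#V = d_1^2/2 + d_2^2/2 + ... (slide 8's count of edge pairs that share
    an input node); d_i is the number of edges, i.e. queries, at input node i."""
    return Fraction(sum(d * d for d in degrees), 2)

def greedy_degrees(X: int, I: int) -> List[int]:
    """Spend X queries the [GP10] way: exhaust the 2^I active values of one
    input node before starting the next (a descending degree sequence)."""
    cap = 1 << I
    degrees, left = [], X
    while left > 0:
        degrees.append(min(cap, left))
        left -= degrees[-1]
    return degrees

def spread_degrees(X: int, nodes: int) -> List[int]:
    """Spend X queries as evenly as possible over `nodes` input nodes."""
    q, r = divmod(X, nodes)
    return [q + 1] * r + [q] * (nodes - r)

def smallest_degree_for(pairs_needed: int) -> int:
    """Smallest d with d^2/2 >= pairs_needed: the birthday-style cost when one
    input node alone can supply all the valid pairs."""
    d = isqrt(2 * pairs_needed)
    return d if d * d >= 2 * pairs_needed else d + 1

def generic_lbd_queries(n: int, I: int, O: int) -> int:
    """Queries the greedy strategy needs before #V reaches 2^(n-O), the number
    of valid pairs at which a multiedge, i.e. an LBD pair, is expected (slide 7)."""
    needed = 1 << (n - O)
    cap = 1 << I
    pairs_per_full_node = cap * cap // 2        # 2^(2I-1) pairs from 2^I queries
    full_nodes, rest = divmod(needed, pairs_per_full_node)
    queries = full_nodes * cap
    if rest:                                    # one partially filled node finishes the job
        queries += smallest_degree_for(rest)
    return queries

if __name__ == "__main__":
    # Constructed toy parameters (hypothetical): a 16-bit state with I = 4 active
    # input bits and O = 4 active output bits, plus the deck's 8-round AES numbers.
    print(greedy_degrees(64, 4), valid_pairs(greedy_degrees(64, 4)))   # [16, 16, 16, 16] 512
    print(spread_degrees(64, 8), valid_pairs(spread_degrees(64, 8)))   # [8, ..., 8] 256
    print(generic_lbd_queries(16, 4, 4))                               # 512 = 2^(n-O-I+1)
    print(generic_lbd_queries(128, 32, 32) == 2 ** 65)                 # True (n=128, I=O=32)
```

For the slide-5 AES parameters the greedy count comes out at 2^65 = 2^(n−O−I+1) queries, since 2^33 fully queried input nodes of 2^32 queries each are needed to reach 2^96 valid pairs.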

SLIDE 10

LBD for Hash Functions

  • So far, LBDs have mainly been discussed only for a part of the hash function, i.e.
    – the underlying compression function
    – the internal permutation.
  • We discuss LBDs for the hash function itself, i.e.
    – fixed initial value
    – DIN exists only in the input message, before padding
    – DOUT is defined on the hash digest.

SLIDE 11

Applications of LBD for Hash Functions

  • Target collision resistance is a security notion for a hash function with a tweak value T.
  • Definition (Target Collision Resistance). The following attack must cost 2^n:
    – The adversary chooses an input value I1.
    – T is chosen outside the adversary's control.
    – The adversary finds an input I2 s.t. H(I1) = H(I2).

[Figure: hash function H with fixed IV and tweak T; inputs I1 and I2 hash to the same value.]

SLIDE 12

A New Security Notion: dTCR

  • Definition (differential Target Collision Resistance). The following attack must cost 2^n:
    – The adversary chooses an input difference D.
    – T is chosen outside the adversary's control.
    – The adversary finds an input I s.t. H(I) = H(I ⊕ D).
  • A limited-birthday distinguisher with |DIN| = 1 and DOUT = {0} immediately breaks the dTCR notion.

[Figure: hash function H with fixed IV and tweak T; inputs I and I ⊕ D hash to the same value.]

SLIDE 13

Converting Semi-Free-Start Collisions

  • Semi-free-start collisions (on CF): find (H_{i−1}, M_{i−1}, M'_{i−1}) s.t. CF(H_{i−1}, M_{i−1}) = CF(H_{i−1}, M'_{i−1}).
  • In many cases, the input message difference DIN is fixed in advance.
  • This property is stronger than a collision attack with the birthday paradox.

[Figure: one compression-function call CF with inputs H_{i−1} (n bits, D=0) and M_{i−1} (D=DIN), and output H_i (n bits, D=0).]

SLIDE 14
Converting Semi-Free-Start Collisions

  • 3-block LBD with input difference (0 || DIN || 0).
  • Suppose the cost of a semi-free-start collision is 2^x.

[Figure: three chained CF calls, all states n bits. (H0, M0) → CF → H1 with D=0; (H1, M1) → CF → H2 with D=DIN on M1 and D=0 on H2; (H2, M2||pad) → CF → H3 with D=0.]

  1. Generate 2^((n−x)/2) semi-free-start collisions.
  2. Generate 2^((n+x)/2) random message blocks.
  3. The collision is preserved through the padding block.

SLIDE 17

Remarks on the Conversion Method

  • The attack complexity is 2^((n+x)/2+1), so semi-free-start collisions with complexity beyond 2^(n/2) can still give a valid LBD.
  • Can be extended to (not too) wide-pipe designs, e.g. SHA-224.
  • Be careful about the degrees of freedom of the semi-free-start collision attack: sometimes, generating 2^((n−x)/2) of them is impossible.
  • Can be extended to limited-birthday near-collisions (DOUT can be other than {0}):
    – differential path construction becomes easier;
    – padding must be satisfied within the second block.
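As an added derivation (not on the original slide), the complexity stated above follows from the three conversion steps on the previous slide, using the deck's symbols n (state size in bits) and 2^x (cost of one semi-free-start collision):

$$\text{Step 1: } 2^{(n-x)/2} \text{ semi-free-start collisions } (H_1, M_1, M_1 \oplus D_{IN}) \text{ cost } 2^{(n-x)/2} \cdot 2^{x} = 2^{(n+x)/2}.$$

$$\text{Step 2: } 2^{(n+x)/2} \text{ random blocks } M_0 \text{ give } 2^{(n+x)/2} \text{ values } H_1 = CF(H_0, M_0), \text{ cost } 2^{(n+x)/2}.$$

$$\text{Expected matches between the two sets of } H_1 \text{ values: } 2^{(n-x)/2} \cdot 2^{(n+x)/2} \cdot 2^{-n} = 1.$$

$$\text{Total: } 2^{(n+x)/2} + 2^{(n+x)/2} = 2^{(n+x)/2+1}, \text{ which is below } 2^{n} \text{ whenever } x < n-2.$$

So a semi-free-start collision attack with x > n/2 still yields a hash-function LBD at cost 2^((n+x)/2+1) below 2^n, and the step-1 count 2^((n−x)/2) is the quantity that the degrees-of-freedom remark above refers to.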

SLIDE 18

Applications to Concrete Designs

[Table of results not recovered from the extraction; legend: marked entries are the best attack in the hash function setting.]

SLIDE 19

Concluding Remarks

  • Prove the optimality of the generic attack for LBD.
  • LBD on hash functions can be used to attack the new security notion “differential-TCR”.
  • LBD on hash functions can be constructed from semi-free-start collisions even with complexity beyond 2^(n/2).
  • Apply the above conversion to several hash functions. Some achieved the best attack.

Thank you for your attention!!