
Meet‐in‐the‐Middle Attack Using Output Truncation in 3‐Pass HAVAL

Yu Sasaki NTT Corporation 07/Sep/2009 ISC2009@Pisa

1/22


Yu Sasaki, MitM using output truncation of 3‐Haval

Summary

  • HAVAL is a hash function that can produce variable output lengths.
  • We present the first analysis on short output sizes of 3‐pass HAVAL.

Output bit‐sizes: 128, 160, 192, 224 (wide‐pipe, our target) and 256 (narrow‐pipe, already attacked).


Motivation

  • Recently designed hash functions use “wide‐pipe” mode (see SHA‐3 round 2 candidates).
    – Internal state size is larger than hash value.
  • Previous work only analyzes without truncation (narrow‐pipe). We should analyze wide‐pipe.
  • It is useful to evaluate SHA‐224/SHA‐384.

[Figure: iterated wide‐pipe hash. H0 and M0 enter CF to give H1, and so on through HN‐1 and MN‐1, with n‐bit chaining values up to HN; HN is truncated (Trunc.) to the L‐bit hash value.]


Target of our attacks

  • Our attacks generate the following:
    – Preimages: for given y, find M s.t. Hash_IV(M) = y.
    – Pseudo‐preimages: for given y, find (X, M) s.t. Hash_X(M) = y.
  • Generic attack will cost 2^n for both attacks.

[Figure: preimage setting, IV and M enter CF (n bits) and then Trunc. to the L‐bit y; pseudo‐preimage setting, the same with X in place of IV.]


Impact of attack

Finding pseudo‐preimages indicates:
1. CF is distinguished from Random Oracle. (reduction security)
2. eTCR property for Key‐via‐IV is broken. (keyed‐hash function security)

eTCR: for given (K, M, y), find (K’, M’) s.t. Hash_K’(M’) = y.

[Figure: K and M enter CF (n bits) and then Trunc. to the L‐bit y = Hash_K(M).]


Results

  • We propose 2 approaches to find preimages or pseudo‐preimages for short output size.

Output length                 256         224     192     160     128
Approach 1  Pseudo‐preimage   Not target  2^192   2^160   2^144   ‐
            Preimage          Not target  ‐       ‐       ‐       ‐
Approach 2  Pseudo‐preimage   Not target  2^160   2^128   2^106   2^84
            Preimage          Not target  2^209   ‐       ‐       ‐

First preimage attacks on HAVAL short output.


HAVAL

  • Designed by Zheng, Pieprzyk, Seberry in 1992.

[Figure: HAVAL iterates CF over 1024‐bit message blocks M0, …, MN‐1 with 256‐bit chaining values H0, …, HN; Trunc. to the L‐bit y is executed if L≠256. The attack focuses on CF.]


HAVAL compression function

  • Split M_{i‐1} into 32‐bit message words (m0 || m1 || … || m31).
  • Set a 256‐bit variable p0 = H_{i‐1}.
  • Compute the step function: p_{j+1} = Step(p_j, m_π(j)), j = 0, 1, …, 95.
  • Output H_i = Trunc(p0 + p96).

[Figure: p0 → step(m_π(0)) → p1 → step(m_π(1)) → p2 → step(m_π(2)) → p3 → … → p94 → step(m_π(94)) → p95 → step(m_π(95)) → p96; D = p0 + p96 passes through Trunc. to give H_i.]

Note that the step function is invertible.


HAVAL message schedule

  • Message index π for 96 steps:
    – In every 32 steps, each of m0–m31 appears once.
    – Each m_i appears 3 times during 96 steps.
    – In each round, message order changes.
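As an added illustration of the structure on the two preceding slides (this is not code from the talk, and it is not HAVAL's specification): a Python toy model of the compression‐function skeleton with a constructed invertible step function and a constructed word order that has the stated schedule properties. The forward and backward helpers are the chunk computations that the MitM slides below build on.

```python
# Toy model of the HAVAL compression-function skeleton from the slides: eight 32-bit
# registers, 96 steps, 32 message words each used once per 32-step round, output
# Trunc(p0 + p96). The step function and word order are CONSTRUCTED stand-ins.
MASK = 0xFFFFFFFF

def rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK

def mix(regs: list[int]) -> int:
    # constructed Boolean mixing of the seven registers a step leaves untouched
    b, c, d, e, f, g, h = regs
    return ((b & c) ^ (d & e) ^ (f | g) ^ h) & MASK

def pi(j: int) -> int:
    # constructed schedule: each 32-step round uses its own permutation of 0..31
    r, k = divmod(j, 32)
    return k if r == 0 else (5 * k + 3) % 32 if r == 1 else (7 * k + 11) % 32

def step(p: list[int], m: int, j: int) -> list[int]:
    # p_{j+1} = Step(p_j, m): register a is consumed, a new register is appended
    a, rest = p[0], p[1:]
    return rest + [(rotl(a, 25) + rotl(mix(rest), 11) + m + j) & MASK]

def step_inv(q: list[int], m: int, j: int) -> list[int]:
    # Step^-1: the seven untouched registers are still present, so a is recovered exactly
    rest, new_a = q[:7], q[7]
    return [rotl((new_a - rotl(mix(rest), 11) - m - j) & MASK, 7)] + rest

def message_words(block: bytes) -> list[int]:
    assert len(block) == 128  # 1024-bit block -> 32 little-endian words m0..m31
    return [int.from_bytes(block[4 * i:4 * i + 4], "little") for i in range(32)]

def forward(p: list[int], m: list[int], start: int, stop: int) -> list[int]:
    # steps start..stop-1 forwards (a "chunk" in the slides' terminology)
    for j in range(start, stop):
        p = step(p, m[pi(j)], j)
    return p

def backward(p: list[int], m: list[int], stop: int, start: int) -> list[int]:
    # steps stop-1 down to start in reverse; with the message known this is exact
    for j in range(stop - 1, start - 1, -1):
        p = step_inv(p, m[pi(j)], j)
    return p

def compress(h_prev: list[int], block: bytes, out_words: int = 8) -> list[int]:
    # H_i = Trunc(p0 + p96); toy Trunc keeps the first out_words words (7 -> 224 bits)
    m = message_words(block)
    p96 = forward(list(h_prev), m, 0, 96)
    d = [(x + y) & MASK for x, y in zip(h_prev, p96)]
    return d[:out_words]
```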


Idea of MitM preimage attack

  • Split the message schedule into 2 chunks of steps so that each chunk includes an independent word.
  • Ex. 2‐round (64‐step HAVAL):
    – Forward: p_{j+1} = Step(p_j, m_π(j)), for j = 8, 9, …, 54.
    – Backward: p_j = Step^‐1(p_{j+1}, m_π(j)), for j = 7, 6, …, 0; then p64 = y ‐ p0 and p_j = Step^‐1(p_{j+1}, m_π(j)), for j = 63, 62, …, 55.
    – One chunk is a function of m9 and independent of m2; the other is a function of m2 and independent of m9.


Idea of MitM preimage attack

  • When we split the message schedule into 2 chunks, up to 9 consecutive steps can be skipped.
  • Ex. 3‐round (96‐step HAVAL)

[Figure: chunk separation of the 96 steps, with the skipped steps and the MitM start point marked.]

This strategy doesn’t work for truncated output (in other words, wide‐pipe mode).


Problem of previous work

[Figure: p0 → step(m_π(0)) → p1 → … → p95 → step(m_π(95)) → p96, all 256‐bit variables; D = p0 + p96 passes through Trunc. to the 224‐bit y in the example.]

  • Hash value is truncated, hence the cost of a brute‐force attack is reduced (this case: 2^224).
  • MitM on a 256‐bit variable with 32 free bits has the same cost as a brute‐force attack.
  • If each chunk includes more than 1 independent word, the attack works. But this unlikely occurs.


Attack outline

  • Approach 1
    – Use unbalanced free bits in two chunks.
    – Increase free bits by finding all inverse images in the truncated function.
  • Approach 2
    – Perform the match of MitM on the input of the truncated function.


Approach 1: unbalanced free bits

  • Consider the 224‐bit output (1‐word truncation).
  • It unlikely occurs that both chunks have 2 free words.
  • The following situation often occurs: a chunk includes 2 free words, but the other includes 1.


Previous MitM: unbalanced free bits

[Figure: steps 0 to 95 with y given; one chunk has 32 free bits (m5), the other has 64 free bits (m27, m28); p0 and p88 are marked, with the MitM match between the chunks.]

Even if a chunk has 64 free bits, the attacker’s advantage is limited to only 32 bits as long as the other chunk has only 32 free bits.


Attack on 224‐bit output

[Figure: same chunk separation as the previous slide (32‐bit chunk with m5, 64‐bit chunk with (m27, m28), p0 given, p88 fixed); Trunc. maps the 256‐bit D to the given 224‐bit y.]

Invert Trunc.: find all 2^32 D s.t. Trunc(D) = y.

The red chunk now includes 64 free bits: (m5, D). Pseudo‐preimages are found with 2^256 * 2^‐64 (= 2^192) computations.


Approach 2 (match at input of Trunc.)

[Figure: p0 → step(m_π(0)) → p1 → … → p95 → step(m_π(95)) → p96, all 256‐bit variables; D = p0 + p96 passes through Trunc. to the 224‐bit y in the example. Split the steps into 2 chunks so that the match is performed on D.]

Perform the match of MitM on the variable which is the input of Truncation.


Attack idea

[Figure: the eight registers Q_{j‐7}, …, Q_j of the 256‐bit variable D. (1) Without truncation: some registers are matched efficiently, the remaining ones must be satisfied randomly. (2) With truncation to y: the discarded registers need not match at all, the efficiently matched part is unchanged, and fewer registers remain to be satisfied randomly.]

Randomly searched space is reduced. The attack efficiency does not change.


Chunk separation for approach 2

The match is performed between Step 0 and 95.

Note: Truncation of HAVAL is more complicated. More detailed analysis is necessary.


Results


Approach 2 is prevented with a small tweak of Trunc. Approach 1 works as long as Trunc^‐1 is easily computed.


Summary

  • Two approaches of finding preimages and pseudo‐preimages against wide‐pipe hash with MitM attack.
  • First results on short output 3‐pass HAVAL.
  • This technique can also be applied to reduced SHA‐224 and SHA‐384: Kazumaro Aoki, Jian Guo, Kristian Matusiewicz, Yu Sasaki, Lei Wang. Preimages for Step Reduced SHA‐2, Asiacrypt’09.


Thank you for your attention!!