new message difference for md4
play

New Message Difference for MD4 Yu Sasaki, Lei Wang, Kazuo Ohta and - PowerPoint PPT Presentation

Mar 28, 2024 •159 likes •562 views

New Message Difference for MD4 Yu Sasaki, Lei Wang, Kazuo Ohta and Noboru Kunihiro The University of Electro-Communications 28/March/2007 @ FSE 2007 1 Introduction of MD4 Input Output Hash Arbitrary Defined Function length data length

  1. New Message Difference for MD4 Yu Sasaki, Lei Wang, Kazuo Ohta and Noboru Kunihiro The University of Electro-Communications 28/March/2007 @ FSE 2007 1

  2. Introduction of MD4 Input Output Hash Arbitrary Defined Function length data length data ﻪ MD4 is a 128-bit hash function. ﻪ Many hash functions such as MD5 and SHA-1, are designed based on MD4. ﻪ Cryptanalysis of MD4 is important. 2

  3. Collision Attack is Important !! ﻪ Collision attack means finding (M, M ’ ) such that Hash(M)=Hash(M ’ ), M ≠ M ’ . ﻪ Collision can threaten some applications. forging certificate, forging signature, key recovery on NMAC/HMAC password recovery on APOP, and so on. 3

  4. Message Difference for Various Improved Collision Attack ﻪ In 2005, Wang et al. proposed efficient collision attack. (less than 2 8 MD4) ﻪ Naito et al. improved the complexity. (less than 3 MD4) ﻪ Shulaffer and Oswald proposed automated sufficient condition search algorithm. Common Fact All previous known attacks use the same message difference as Wang et al. ’ s. 4

  5. Our Result ﻪ We propose new message difference and new local collision that are the best for collision attack on MD4. ﻪ Our attack generates a collision with less than 2 MD4 computations. Generating collision is faster Generating collision is faster than checking collision!! than checking collision!! 5

  6. Procedure of Collision Attack 6

  7. Differential Attack ⊿ M ≠ 0 M ’ M 1 st Round 1 st Round 1 st Round 2 nd Round 2 nd Round 2 nd Round ー = 3 rd Round 3 rd Round 3 rd Round ⊿ H(M)=0 H(M) H(M ’ ) 7

  8. 1. Local Collision in 3 rd round. Attack Procedure Insert some difference in 3 rd round ⊿ M = -2 31 + 2 21 and cancel it in few steps. 2. ⊿ M Core Technique 1R 2 31 -2 24 2 12 2 8 Insert message difference to 2 30 2 21 2 10 2 3 realize local collision. b 2,12 =0 3. Differential Path 2R -2 31 2 27 -2 13 2 7 Analyze how ⊿ M propagates. 4. Chaining Variable Condition 0 0 0 0 Make Conditions of chaining 3R 0 0 0 0 variables to hold differential path. LC 5. Collision Search 0 0 0 0 By using message modification, search a message satisfying all ⊿ H= 0 conditions. 8

  9. Constructing the Best Local Collision 1. Study of Wang et al. ’ s local collision 2. Analyze why it is not the best 3. Construct the best local collision 9

  10. Structure of MD4 Structure of MD4 Structure of MD4 i step a i-1 b i-1 c i-1 d i-1 MD4 has 48 steps. f <<< s i : Left Rotation Const m i-1 f: Boolean Function <<<s 1 (XOR is considered for Local Collision) a i b i c i d i 10

  11. Wang et al ’ s Local Collision 1/6 i step 1. Make diff with 2 j-s1 of m i-1 . a i-1 b i-1 c i-1 d i-1 2 j-s1 f Const m i-1 2 j-s1 <<<s 1 <<<s 1 2 j a i b i c i d i 2 j 11

  12. Wang et al ’ s Local Collision 2/6 i+1 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 Make diff with 2 j-s2 of m i . f f 2 j 2 j 2 j Const m i 2 j-s2 2 j-s2 <<<s 1 <<<s 2 2 j a i b i c i d i 2 j 2 j 12

  13. Wang et al ’ s Local Collision 3/6 i+2 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 Make diff with 2 j-s2 of m i . f f 3. No difference 0 Const m i+1 <<<s 3 a i b i c i d i 2 j 2 j 13

  14. Wang et al ’ s Local Collision 4/6 i+3 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 Make diff with 2 j-s2 of m i . f f 3. No difference 0 Const 4. No difference m i+2 <<<s 4 a i b i c i d i 2 j 2 j 14

  15. Wang et al ’ s Local Collision 5/6 i+4 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 Make diff with 2 j-s2 of m i . 2 j 2 j f f 3. No difference 2 j Const 4. No difference m i+3 5. No difference <<<s 5 a i b i c i d i 2 j 15

  16. Wang et al ’ s Local Collision 6/6 i+5 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 Make diff with 2 j-s2 of m i . f 3. No difference 2 j 2 j Const 4. No difference m i+4 5. No difference <<<s 6 6. Cancel diff with 2 j of m i+4 . All differences are cancelled !! a i b i c i d i 16

  17. Summary of Wang et al. ’ s LC If j = MSB, cancellation 1. Make diff with 2 j-s1 of m i-1 . succeeds with probability 1. 2. Cancel diff with 2 j of m i . Make diff with 2 j-s2 of m i . When we make diff at 3. No difference MSB, we will fail with 1/2. 4. No difference 5. No difference Proof: next page 6. Cancel diff with 2 j of m i+4 . Therefore, total success probability is 1/4. 17

  18. Proof: Difference in MSB bit position (31-s1) a i-1 b i-1 c i-1 d i-1 v: 000000001000000 ⊿ v ⊿ v: 000000001000000 f v ’ : 000000010000000 Const m i-1 2 31-s1 After rotation by s1 bits. <<<s 1 u: 100000000000000 2 31 ⊿ u u ’ : 000000000000001 ⊿ u ≠ 2 31 , not desired difference . a i b i c i d i Prob of avoiding carry is 1/2 . 18

  19. The Best Local Collision • Wang et al. ’ s LC makes two differences in MSB. Success prob of LC : 1/4 • At least 1 difference is necessary. • If LC that consists of 1 difference in MSB exists, such LC is the best. Success prob is 1/2 19

  20. New Local Collision 1/5 i step 1. Make diff with 2 j-s1 of m i-1 . a i-1 b i-1 c i-1 d i-1 2 j-s1 f Const m i-1 2 j-s1 <<<s 1 <<<s 1 2 j a i b i c i d i 2 j 20

  21. New Local Collision 2/5 i+1 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 f f 2 j 2 j 2 j Const m i <<<s 2 a i b i c i d i 2 j 21

  22. New Local Collision 3/5 i+2 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 3. Cancel diff with 2 j of m i+1 . 2 j f f 2 j 2 j Const m i+1 <<<s 3 a i b i c i d i 2 j 22

  23. New Local Collision 4/5 i+3 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 3. Cancel diff with 2 j of m i+1 . 2 j f f 2 j 4. Cancel diff with 2 j of m i+2 . 2 j Const m i+2 <<<s 4 a i b i c i d i 2 j 23

  24. New Local Collision 5/5 i+4 step 1. Make diff with 2 j-s1 of m i-1 . 2 j 2. Cancel diff with 2 j of m i . a i-1 b i-1 c i-1 d i-1 3. Cancel diff with 2 j of m i+1 . f 4. Cancel diff with 2 j of m i+2 . 2 j 2 j Const 5. Cancel diff with 2 j of m i+3 . m i+3 <<<s 5 All differences are cancelled !! a i b i c i d i 24

  25. Comparison of Both Local Collisions Wang et al. ’ s Ours (1/4) (1/2) a b c d a b c d m m m m m m m m m m 5 msgs m Msg expansion should be evaluated. 3 msgs are involved 25

  26. Analysis of Message Expansion 26

  27. Which step we Index of apply LC ? step message 33 0 34 8 35 4 New local collision 36 12 1. Make diff with 2 j-s1 of m i-1 . 37 2 38 10 2. Cancel diff with 2 j of m i . 39 6 40 14 3. Cancel diff with 2 j of m i+1 . 41 1 42 9 4. Cancel diff with 2 j of m i+2 . 43 5 5. Cancel diff with 2 j of m i+3 . 44 13 45 3 46 11 47 7 48 15 There are 12 patterns. 27

  28. Criteria for Good Msg Expansion 3R 2R step message step message 17 0 33 0 18 4 34 8 Criteria 19 8 35 4 Some 20 12 36 12 diff 21 1 37 2 Last difference 22 5 38 10 23 9 39 6 in 2R round 24 13 40 14 should be as 25 2 41 1 early as possible. 26 6 42 9 27 43 10 5 28 14 44 13 In this example: No 29 3 45 3 25 30 7 46 11 diff 31 11 47 7 32 15 48 15 28

  29. Msg Expansion: New LC Last step of diff in 2R 3R 2R step message step message Case 1 25 17 0 33 0 Case 2 18 4 34 8 Case 3 19 8 35 4 20 12 36 12 Case 4 21 1 37 2 Case 5 22 5 38 10 23 9 39 6 Case 6 24 13 40 14 Case 7 25 2 41 1 26 6 42 9 Case 8 27 43 10 5 Case 9 28 14 44 13 29 3 45 3 Case 10 30 7 46 11 Case 11 31 11 47 7 Case 12 32 15 48 15 29

  30. Msg Expansion: New LC Last step of diff in 2R 3R 2R step message step message Case 1 25 17 0 33 0 Case 2 27 18 4 34 8 Case 3 19 8 35 4 20 12 36 12 Case 4 21 1 37 2 Case 5 22 5 38 10 23 9 39 6 Case 6 24 13 40 14 Case 7 25 2 41 1 26 6 42 9 Case 8 27 43 10 5 Case 9 28 14 44 13 29 3 45 3 Case 10 30 7 46 11 Case 11 31 11 47 7 Case 12 32 15 48 15 30

  31. Msg Expansion: New LC Last step of diff in 2R 3R 2R step message step message Case 1 25 17 0 33 0 Case 2 27 18 4 34 8 Case 3 27 19 8 35 4 20 12 36 12 Case 4 21 1 37 2 Case 5 22 5 38 10 23 9 39 6 Case 6 24 13 40 14 Case 7 25 2 41 1 26 6 42 9 Case 8 27 43 10 5 Case 9 28 14 44 13 29 3 45 3 Case 10 30 7 46 11 Case 11 31 11 47 7 Case 12 32 15 48 15 31

  32. Result: Good msg Difference of our LC Case 1 25 As a result, Case 1 is the best. 27 Case 2 m 0 : 2 28 m 12 : 2 31 27 Case 3 ⊿ M= m 2 : 2 31 m 8 : 2 31 Case 4 28 m 4 : 2 31 Case 5 28 Case 6 28 We also evaluated Wang et al. ’ s LC by Case 7 28 using the same criteria. Then, the best Case 8 28 value was the same. 29 Case 9 31 Case 10 Confirmed that the best LC is really 31 Case 11 the best. 32 Case 12 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Causal inference Part II: Difference In Difference and Instrumental Variables Difference in

Causal inference Part II: Difference In Difference and Instrumental Variables Difference in

Causal inference Part II: Difference In Difference and Instrumental Variables Difference in difference Card &amp; Krueger (1995,AER) Rise in minimum wage from 4,2$ to 5,05$ in April 1992 in the State of New Jersey. Research question:

405 views • 28 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY &amp; NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
Lecture Notes: Message Management 1 Slide 1: Message Management Message Management A critical

Lecture Notes: Message Management 1 Slide 1: Message Management Message Management A critical

Lecture Notes: Message Management 1 Slide 1: Message Management Message Management A critical aspect of successful advocacy is the ability to create and deliver a message. While your passion matters greatly, your coalitions make the work

487 views • 15 slides
Topic 11: A message What Is a Message in Communication? In rhetorical and communication studies,

Topic 11: A message What Is a Message in Communication? In rhetorical and communication studies,

Topic 11: A message What Is a Message in Communication? In rhetorical and communication studies, a message is defined as information conveyed by words (in speech or writing), and/or other signs and symbols. A message (verbal or nonverbal, or

485 views • 17 slides
GSM Short Message Service GSM Short Message Service GSM Short Message Service GSM Short Message

GSM Short Message Service GSM Short Message Service GSM Short Message Service GSM Short Message

National Taiwan University Department of Computer Science and Information Engineering GSM Short Message Service GSM Short Message Service GSM Short Message Service GSM Short Message Service Phone Lin Phone Lin Ph.D. Ph.D. Email:

360 views • 13 slides
ping Program ICMP Message Format Available at /usr/sbin/ping Test whether another host is

ping Program ICMP Message Format Available at /usr/sbin/ping Test whether another host is

ICMP Internet Control Message Protocol ICMP is a protocol used for exchanging control messages. CSCE 515: Two main categories Query message Computer Network Error message Programming Usage of an ICMP message is determined by

473 views • 10 slides
Message integrity Message Auth. Codes Dan Boneh Message

Message integrity Message Auth. Codes Dan Boneh Message

Online Cryptography Course

556 views • 52 slides
Web Engineering HTTP-message = Request | Response generic-message = start-line *message-header

Web Engineering HTTP-message = Request | Response generic-message = start-line *message-header

Structure of HTTP Messages Web Engineering HTTP-message = Request | Response generic-message = start-line *message-header Prof. Dr. Dr. h.c. mult. Gerhard Krger, Albrecht Schmidt CRLF [ message-body ] Universitt Karlsruhe start-line =

289 views • 12 slides
MPI - Message Passing Interface MPI is the mostly used message passing-standard By

MPI - Message Passing Interface MPI is the mostly used message passing-standard By

MPI - Message Passing Interface MPI is the mostly used message passing-standard By using MPI you obtain portable programs MPI is based on earlier message passing libraries Lecture 7: NX, MPL, PVM, P4, TCGMSH, PARMACS, ...

360 views • 9 slides
Message Passing Concepts Message Passing Model The message passing model is based on the

Message Passing Concepts Message Passing Model The message passing model is based on the

Message Passing Concepts Message Passing Model The message passing model is based on the notion of processes can think of a process as an instance of a running program, together with the programs data In the message passing model,

601 views • 16 slides
GIVING A PRESENTATION The Core structure Introduction Message 1 Message 2 Message 3

GIVING A PRESENTATION The Core structure Introduction Message 1 Message 2 Message 3

GIVING A PRESENTATION The Core structure Introduction Message 1 Message 2 Message 3 Conclusion INTRODUCTION Introduce yourself Summary of the messages USEFUL PHRASES: USEFUL PHRASES: Good morning/afternoon everyone. Im

772 views • 8 slides
What was your message? what were you trying to achieve, your goal? what was your core message?

What was your message? what were you trying to achieve, your goal? what was your core message?

PRESENTATION TO CHILDREN YOUTH AND FAMILIES FORUM FOR YR IN MAY 2011 AT THEIR ADVOCACY PLANNING DAY I PRESENTED OUR AAA PROJECT AT THAT TIME. What was your message? what were you trying to achieve, your goal? what was your core message?

193 views • 5 slides
IP Datagram ICMP Message Format 1 byte 1 byte 1 byte 1 byte VERS HL Service Total Length

IP Datagram ICMP Message Format 1 byte 1 byte 1 byte 1 byte VERS HL Service Total Length

ICMP Internet Control Message Protocol ICMP is a protocol used for exchanging control messages. CSCE 515: Two main categories Query message Computer Network Error message Programming Usage of an ICMP message is determined by

261 views • 12 slides
Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI?

Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI?

Message Passing Programming with MPI Message Passing Programming with MPI 1 What is MPI? Message Passing Programming with MPI 2 MPI Forum First message-passing interface standard. Sixty people from forty different organisations.

1.61k views • 113 slides
Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will

Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will

Message-Passing Programming with MPI Message-Passing Concepts Overview This lecture will cover message passing model SPMD communication modes collective communications Programming Models Message-Passing Serial Programming

406 views • 28 slides
ROI HSP Design Clarification Recipient ID in Message must match the physical Message recipient

ROI HSP Design Clarification Recipient ID in Message must match the physical Message recipient

ROI HSP Design Clarification Recipient ID in Message must match the physical Message recipient IGG 04-04-2012 Recipient ID in Message must match the physical Message recipient Background Message routing in the new Tibco-based environment will

79 views • 3 slides
Overview Introduction 1 Costly signal model 2 A model with a RABC 3 Payoffs 4 Conclusion

Overview Introduction 1 Costly signal model 2 A model with a RABC 3 Payoffs 4 Conclusion

Real Asset Backed Coins 1 Fernando Diaz, Ricardo Mayer, Nicola Miglietta, Carlos Perez, and Gabriel Ramirez January 21, 2020 1 Preliminary and incomplete. Do not cite. 1 / 17 Overview Introduction 1 Costly signal model 2 A model with a

366 views • 23 slides
Introduction to ggplot2 R Pruim July, 2014 Goals What I will try to do give a tour of

Introduction to ggplot2 R Pruim July, 2014 Goals What I will try to do give a tour of

Introduction to ggplot2 R Pruim July, 2014 Goals What I will try to do give a tour of ggplot2 explain how to think about plots the ggplot2 way prepare/encourage you to learn more later What I cant do in one session show every

880 views • 61 slides
Author: thor: Gonza nzalo lo Benito to gonzabenito nzabenito@gma gmail.co l.com Advisors:

Author: thor: Gonza nzalo lo Benito to gonzabenito nzabenito@gma gmail.co l.com Advisors:

Mast ster er The hesis is Dissertat ertation ion Comparing classical and deep approaches for face recognition in a smartgym application Author: thor: Gonza nzalo lo Benito to gonzabenito nzabenito@gma gmail.co l.com Advisors:

391 views • 19 slides
Abstract DPLL and Abstract DPLL Modulo Theories Robert Nieuwenhuis 1 , Albert Oliveras 1 , and

Abstract DPLL and Abstract DPLL Modulo Theories Robert Nieuwenhuis 1 , Albert Oliveras 1 , and

Abstract DPLL and Abstract DPLL Modulo Theories Robert Nieuwenhuis 1 , Albert Oliveras 1 , and Cesare Tinelli 2 1 Technical University of Catalonia 2 The University of Iowa Abstract DPLL and Abstract DPLL Modulo Theories p.1/24 Overview of

842 views • 29 slides
CVC4 1.5 for Sygus Comp 2015 CVC4 is an SMT solver Fourth generation of Cooperating

CVC4 1.5 for Sygus Comp 2015 CVC4 is an SMT solver Fourth generation of Cooperating

CVC4 1.5 for Sygus Comp 2015 CVC4 is an SMT solver Fourth generation of Cooperating Validity Checker (CVC, CVC Lite, CVC3, CVC4) Supports many ground theories: Linear arithmetic, bitvectors , UF, datatypes, arrays, sets, strings,

341 views • 14 slides
1 Filtering, OT-style A Troublesome Example = candidate violates constraint twice Input:

1 Filtering, OT-style A Troublesome Example = candidate violates constraint twice Input:

a little pre-talk review a little pre-talk review Regular Relation (of strings) Regular Relation (of strings) Relation: like a function, but multiple outputs ok Can weight the arcs: vs. Regular: finite-state a {} b

217 views • 9 slides
Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Extending SMT solvers to higher-order logic Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 20190707, Lisbon, PT To be published in the proceedings of CADE 2019 Why higher-order logic?

569 views • 25 slides
Quantum Mechanical Foundations of Causal Entropic Forces Swapnil Shah Department of Electrical

Quantum Mechanical Foundations of Causal Entropic Forces Swapnil Shah Department of Electrical

Quantum Mechanical Foundations of Causal Entropic Forces Swapnil Shah Department of Electrical and Computer Engineering North Carolina State University, USA As the number of experts increase, each specialty becomes all the more

435 views • 14 slides

More recommend