practical near collisions on the compression function of
play

Practical Near-Collisions on the Compression Function of BMW Gatan - PowerPoint PPT Presentation

Apr 08, 2024 •337 likes •840 views

Introduction Solving AX systems BMW analysis Conclusion Practical Near-Collisions on the Compression Function of BMW Gatan Leurent and Sren S. Thomsen University of Luxembourg Technical University of Denmark FSE 2011 G. Leurent, S.

  1. Introduction Solving AX systems BMW analysis Conclusion Practical Near-Collisions on the Compression Function of BMW Gaëtan Leurent and Søren S. Thomsen University of Luxembourg Technical University of Denmark FSE 2011 G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 1 / 24

  2. Introduction Solving AX systems BMW analysis Conclusion The SHA-3 competition The SHA-3 competition ◮ 51 valid submissions ◮ 14 in the second round (July 2009) ◮ 5 finalists in December 2010 ◮ Winner in 2012? ◮ BMW was the fastest second-round candidate in software ◮ Not selected for the third round G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 2 / 24

  3. Introduction Solving AX systems BMW analysis Conclusion Hash Function Design ◮ Build a small compression function, and iterate. ◮ Cut the message in chunks M 0 , ... M k ◮ H i = f ( M i , H i − 1 ) ◮ F ( M ) = Ω ( H k ) M 0 M 1 M 2 M 3 f f f f IV H 0 H 1 H 2 H 3 G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 3 / 24

  4. Introduction Solving AX systems BMW analysis Conclusion Compression Function Attacks Fist results usually target the compression function ◮ Because it’s easier: more degrees of freedom ◮ Because good compression imply good hash function MD5 cryptanalysis ◮ 1993: Free-start collisions [den Boer and Bosselaers] ◮ 1996: Semi-free-start collisions [Dobbertin] ◮ 2005: Collisions [Wang et. al ] ◮ 2009: Rogue certificate [Stevens et. al ] Wang’s and Stevens’s attacks are based on the dBB path G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 4 / 24

  5. Introduction Solving AX systems BMW analysis Conclusion Compression Function Attacks Fist results usually target the compression function ◮ Because it’s easier: more degrees of freedom ◮ Because good compression imply good hash function MD5 cryptanalysis ◮ 1993: Free-start collisions [den Boer and Bosselaers] ◮ 1996: Semi-free-start collisions [Dobbertin] ◮ 2005: Collisions [Wang et. al ] ◮ 2009: Rogue certificate [Stevens et. al ] Wang’s and Stevens’s attacks are based on the dBB path G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 4 / 24

  6. Introduction Solving AX systems BMW analysis Conclusion Blue Midnight Wish f 0 x y Q a M P H f 2 H f 1 AddElement Q b ◮ Wide pipe: each line is 16 words (32 or 64 bits) ◮ Most of the diffusion happens in f 1 ◮ ARX: Addition, Rotations, Xors see details G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 5 / 24

  7. Introduction Solving AX systems BMW analysis Conclusion Solving AX Systems Important Example x ⊕ ∆ = x ⊞ δ ◮ On average one solution ◮ Easy to solve because it’s a T-function. ◮ Guess LSB, check, and move to next bit ◮ How easy exactly? ◮ Backtracking is exponential in the worst case: x ⊕ ✵①✽✵✵✵✵✵✵✵ = x ◮ For random δ , ∆ , most of the time the system is inconsistent G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 6 / 24

  8. Introduction Solving AX systems BMW analysis Conclusion Solving AX Systems Important Example x ⊕ ∆ = x ⊞ δ ◮ On average one solution ◮ Easy to solve because it’s a T-function. ◮ Guess LSB, check, and move to next bit ◮ How easy exactly? ◮ Backtracking is exponential in the worst case: x ⊕ ✵①✽✵✵✵✵✵✵✵ = x ◮ For random δ , ∆ , most of the time the system is inconsistent G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 6 / 24

  9. Introduction Solving AX systems BMW analysis Conclusion Solving AX Systems Important Example x ⊕ ∆ = x ⊞ δ ◮ On average one solution ◮ Easy to solve because it’s a T-function. ◮ Guess LSB, check, and move to next bit ◮ How easy exactly? ◮ Backtracking is exponential in the worst case: x ⊕ ✵①✽✵✵✵✵✵✵✵ = x ◮ For random δ , ∆ , most of the time the system is inconsistent G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 6 / 24

  10. Introduction Solving AX systems BMW analysis Conclusion Solving AX Systems Important Example x ⊕ ∆ = x ⊞ δ ◮ On average one solution ◮ Easy to solve because it’s a T-function. ◮ Guess LSB, check, and move to next bit ◮ How easy exactly? ◮ Backtracking is exponential in the worst case: x ⊕ ✵①✽✵✵✵✵✵✵✵ = x ◮ For random δ , ∆ , most of the time the system is inconsistent G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 6 / 24

  11. Introduction Solving AX systems BMW analysis Conclusion Transition Automata We use automata to study AX systems: [Mouha et. al ] ◮ States represent the carries ◮ Transitions are labeled with the variables Carry transitions for x ⊕ ∆ = x ⊞ δ . c x c’ c x c’ ∆ δ ∆ δ 0 0 0 0 0 1 0 0 0 - 0 0 0 1 0 1 0 0 1 - 0 0 1 0 - 1 0 1 0 1 0 0 1 1 - 1 0 1 1 1 0 1 0 0 - 1 1 0 0 0 0 1 0 1 - 1 1 0 1 1 0 1 1 0 0 1 1 1 0 - 0 1 1 1 1 1 1 1 1 - G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 7 / 24

  12. Introduction Solving AX systems BMW analysis Conclusion Transition Automata We use automata to study AX systems: [Mouha et. al ] ◮ States represent the carries ◮ Transitions are labeled with the variables Carry transitions for x ⊕ ∆ = x ⊞ δ . The edges are indexed by ∆ , δ , x 0,0,0 1,0,1 0,0,1 0,1,0 1,1,0 0,1,1 1,1,1 start 0 1 see example 1,0,0 G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 7 / 24

  13. Introduction Solving AX systems BMW analysis Conclusion Decision Automata ◮ Remove x from the transitions ◮ Convert the non-deterministic automata to deterministic. Carry transitions for x ⊕ ∆ = x ⊞ δ . The edges are indexed by ∆ , δ , x 0,0,0 1,0,1 0,0,1 0,1,0 1,1,0 0,1,1 1,1,1 start 0 1 1,0,0 ◮ Can decide whether a given ∆ , δ is compatible. G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 8 / 24

  14. Introduction Solving AX systems BMW analysis Conclusion Decision Automata ◮ Remove x from the transitions ◮ Convert the non-deterministic automata to deterministic. Decision automaton for x ⊕ ∆ = x ⊞ δ . The edges are indexed by ∆ , δ 0,0 1,0 0,0 0,1 1,1 0,1 1,1 start 0 1 1,0 ◮ Can decide whether a given ∆ , δ is compatible. G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 8 / 24

  15. Introduction Solving AX systems BMW analysis Conclusion Decision Automata ◮ Remove x from the transitions ◮ Convert the non-deterministic automata to deterministic. Decision automaton for x ⊕ ∆ = x ⊞ δ . The edges are indexed by ∆ , δ 1,0 0,0 1,1 0,1 1,1 0,1 { 0 } { 0 , 1 } { 1 } start 0,0 1,0 ◮ Can decide whether a given ∆ , δ is compatible. G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 8 / 24

  16. Introduction Solving AX systems BMW analysis Conclusion Solving AX systems Take an AX system with variables and parameters. e.g. x ⊕ ∆ = x ⊞ δ 1 Compute carry transitions 2 Build transition automaton 3 Remove variables and compute equivalent deterministic automaton ◮ For each values of the parameters: ◮ Test if system is coherent in linear time ◮ Find a solution in linear time Can also study properties of the systems. G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 9 / 24

  17. Introduction Solving AX systems BMW analysis Conclusion Some Properties Important Example x ⊕ ∆ = x ⊞ δ ◮ For this particular system, we can build very efficient test: � ∆ 0 = δ 0 ◮ Consistent iff ∀ i : ∆ i = 1 δ i ⊕ ∆ i + 1 ⊕ δ i + 1 = 0 or ✦✭✭❉❫❞✮✫✶✮ ✫✫ ✦✭✭✭✭✭❉❫❞✮❃❃✶✮❫❞✮ ✫ ✭⑦❉✮✮ ❁❁ ✶✮ ◮ Probability 2 − 13 . 9 for random δ , ∆ ◮ Probability 2 − 1 for random δ and ∆ = − 1 ◮ Solutions: ✭❉❫❞✮❃❃✶ ❫ ✭r✫✭⑦❉⑤✵①✽✵✵✵✵✵✵✮✮ G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 10 / 24

  18. Introduction Solving AX systems BMW analysis Conclusion Application to BMW f 0 x y Q a M P H f 2 H f 1 AddElement Q b ◮ If we have ◮ a (near) collision in Q a ◮ a (near) collision in M ◮ a (near) collision in the the first rounds of f 1 this can be seen in the output: HH 0 = ( XH ≫ 5 ⊕ Q ≫ 5 16 ⊕ M 0 ) ⊞ ( XL ⊕ Q 24 ⊕ Q 0 ) G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 11 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Outline Attack Conclusion ECHO-256 Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy Jean and Pierre-Alain Fouque Ecole Normale Suprieure FSE2011 February 14, 2011 FSE2011 Jrmy

562 views • 42 slides
Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven,

Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven,

Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven, Belgium Fast Software Encryption 2009 Sebastiaan Indesteege (COSIC) Practical Collisions for EnRUPT 1/27 Outline 1 Introduction 2 Description of

704 views • 69 slides
Angular Correlations as a function of multiplicity in pp and p-Pb collisions in the ATLAS

Angular Correlations as a function of multiplicity in pp and p-Pb collisions in the ATLAS

Angular Correlations as a function of multiplicity in pp and p-Pb collisions in the ATLAS experiment Deepak Kar On behalf of ATLAS collaboration MPI@LHC Workshop, Chiapas, Mexico, November 2016 Collective Behaviour in a small system ~30000

366 views • 20 slides
Production of the D s meson in proton-proton collisions at 13 TeV as a function of multiplicity

Production of the D s meson in proton-proton collisions at 13 TeV as a function of multiplicity

Rencontres QGP France 2019 Production of the D s meson in proton-proton collisions at 13 TeV as a function of multiplicity Arthur Gal University of Strasbourg Institut Pluridisciplinaire Hubert Curien Outline Part I : Physics motivations

343 views • 22 slides
Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Praveen Gauravaram 1 , Ga eten Leurent 2 , Florian Mendel 3 , Mar a Naya-Plasencia 4 , Thomas Peyrin 5 , Christian Rechberger 6 , Martin Schl affer 3 , 1

822 views • 45 slides
collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

Excess of J/ y yield at very low p T in Au+Au collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR Wangmei Zha for the STAR Collaboration University of Science and Technology of China W. Zha etal.,

487 views • 22 slides
first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already in Dec 2010 first collisions with stable beams: 5 publications in PRL and PLB November 8 until Dec 6 Johanna Stachel Heavy ion running at the LHC

615 views • 60 slides
Fast approximately application of Greens function of Hamiltonian using symbol compression Song

Fast approximately application of Greens function of Hamiltonian using symbol compression Song

Fast approximately application of Greens function of Hamiltonian using symbol compression Song Mei ICME, Stanford May 1, 2015 Joint work with Lin Lin and Lexing Ying. . . . . . . . . . . . . . . . . . . . . .. . .. .

563 views • 27 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Compression Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression Recap Bu ff er Management Thread Safety A piece of code is thread-safe if it functions correctly during simultaneous execution

784 views • 52 slides
From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg in browsers gzip, pkzip, compress, zip, ... for files (stacker?) Lossy compression, Lossless compression Huffman coding possible to

275 views • 6 slides
Process dependence of the gluon Sivers function in inclusive pp collisions: theory Cristian Pisano

Process dependence of the gluon Sivers function in inclusive pp collisions: theory Cristian Pisano

Process dependence of the gluon Sivers function in inclusive pp collisions: theory Cristian Pisano In collaboration with: U. DAlesio, C. Flore, F. Murgia, P. Taels TMD factorization and process dependence 2/24 TMD factorization Two scale

283 views • 24 slides
Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression Background Focus on spatial compression Best in class lossy compressor Point wise max error bound: 10 -5 Open questions Random noise

564 views • 19 slides
Development of high rate MWPC and data compression function with FADC (II) Nguyen Minh Truong

Development of high rate MWPC and data compression function with FADC (II) Nguyen Minh Truong

Development of high rate MWPC and data compression function with FADC (II) Nguyen Minh Truong (Osaka U.), Coworker: Masaharu Aoki(Osaka U.), Youichi Igarashi(KEK), Masatoshi Saito(KEK), Hiroaki Natori (KEK), Nguyen Duy Thong (Osaka U.) Open-It,

310 views • 27 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system

Lossless compression in lossy compression systems Almost every lossy compression system contains a lossless compression system Lossy compression system Dequantizer Transform Lossless Lossless Inverse Quantizer Encoder Decoder

771 views • 29 slides
FORWARD LOOKING STATEMENTS ADVISORY This presentation is issued by Enerflex Ltd.

FORWARD LOOKING STATEMENTS ADVISORY This presentation is issued by Enerflex Ltd.

C OMPANY O VERVIEW March 2020 FORWARD LOOKING STATEMENTS ADVISORY This presentation is issued by Enerflex Ltd. (Enerflex or the Company). This presentation is for information purposes only and is not intended to, and should not

559 views • 51 slides
Encana Oil & Gas (USA) Inc. Facility Efficiency Improvements Justin Lisowski | Rotating

Encana Oil & Gas (USA) Inc. Facility Efficiency Improvements Justin Lisowski | Rotating

take a closer look Encana Oil & Gas (USA) Inc. Facility Efficiency Improvements Justin Lisowski | Rotating Equipment Engineer Tom Ripper | Facilities Operations Coordinator CIEC Networking Event | October 05 | 2012 Future oriented

577 views • 22 slides
Synthetic Aperture Radar Image Compression By Magesh Valliappan Guner Arslan 1 Synthetic

Synthetic Aperture Radar Image Compression By Magesh Valliappan Guner Arslan 1 Synthetic

Synthetic Aperture Radar Image Compression By Magesh Valliappan Guner Arslan 1 Synthetic Aperture Radar (SAR) SAR ? Active imaging system Working in the frequency range 1-10 GHz All-weather system High resolution compared

738 views • 12 slides
Company Presentation SEPTEMBER 2018 Cautionary Statement This presentation includes

Company Presentation SEPTEMBER 2018 Cautionary Statement This presentation includes

Company Presentation SEPTEMBER 2018 Cautionary Statement This presentation includes "forward-looking statements". Such forward-looking statements are subject to a number of risks and uncertainties, many of which are beyond ARs

1.2k views • 80 slides
ELISA Environmental Life-cycle Impacts of Solar Air- conditioning systems Marco Beccali,

ELISA Environmental Life-cycle Impacts of Solar Air- conditioning systems Marco Beccali,

Solar Air Conditioning and Cooling - IEA SHC Solar Academy Task 53 ELISA Environmental Life-cycle Impacts of Solar Air- conditioning systems Marco Beccali, Sonia Longo University of Palermo, Department of Energy, Information Engineering

472 views • 25 slides
Disclaimer This presentation has been prepared by Genesis Energy Limited (Genesis Energy) for

Disclaimer This presentation has been prepared by Genesis Energy Limited (Genesis Energy) for

Disclaimer This presentation has been prepared by Genesis Energy Limited (Genesis Energy) for information purposes only. The informati on in this presentation is of a general nature and does not purport to be complete nor does it contain all

908 views • 73 slides
Error Resilient Internet Video Transmission Ciro A. Noronha, Ph.D. Director of Technology,

Error Resilient Internet Video Transmission Ciro A. Noronha, Ph.D. Director of Technology,

Error Resilient Internet Video Transmission Ciro A. Noronha, Ph.D. Director of Technology, Compression Systems Juliana W. Noronha University of California, Davis Motivation There are a number of protocols in use today to transport Video

708 views • 37 slides
Proposed RAs Option for All- Island Harmonised Transmission Loss Adjustment Factors (TLAFs)

Proposed RAs Option for All- Island Harmonised Transmission Loss Adjustment Factors (TLAFs)

Proposed RAs Option for All- Island Harmonised Transmission Loss Adjustment Factors (TLAFs) System Operator Presentations 1 . Current M ethodology Pros & Cons 2. Responses to Preferred Options Paper 3. Studies into ULF and Impact on

821 views • 28 slides

More recommend