preimages for step reduced sha 2
play

Preimages for Step-Reduced SHA-2 Jian Guo 1 Krystian Matusiewicz 2 - PowerPoint PPT Presentation

Nov 24, 2023 •39 likes •249 views

Description of SHA-2 Description of Preimage Attack Application to SHA-2 Conclusions Preimages for Step-Reduced SHA-2 Jian Guo 1 Krystian Matusiewicz 2 Nanyang Technological University, Singapore Technical University of Denmark NTU, 25 Nov

  1. Description of SHA-2 Description of Preimage Attack Application to SHA-2 Conclusions Preimages for Step-Reduced SHA-2 Jian Guo 1 Krystian Matusiewicz 2 Nanyang Technological University, Singapore Technical University of Denmark NTU, 25 Nov 2009 A merged version with Aoki, Sasaki and Wang will appear in ASIACRYPT 2009 Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  2. Description of SHA-2 Description of Preimage Attack Application to SHA-2 Conclusions Table of contents Description of SHA-2 1 General View Step Function Message Expansion Description of Preimage Attack 2 Application to SHA-2 3 Overview Message Stealing Message Compensation Extended Partial Matching Conclusions 4 Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  3. Description of SHA-2 General View Description of Preimage Attack Step Function Application to SHA-2 Message Expansion Conclusions SHA-2 in General input state IV n M n input message message expansion algorithm iteration of the step transformation state feed-forward operation output state IV n +1 Step Function: update internal chaining Message Expansion: expand 16 message words to 64/80 Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  4. Description of SHA-2 General View Description of Preimage Attack Step Function Application to SHA-2 Message Expansion Conclusions SHA-2 Step Function A i B i C i D i E i F i G i H i Σ 0 Σ 1 K i MAJ IF W i A i +1 B i +1 C i +1 D i +1 E i +1 F i +1 G i +1 H i +1 MAJ( A , B , C ) = ( A ∧ B ) ∨ ( A ∧ C ) ∨ ( B ∧ C ) , IF( E , F , G ) = ( E ∧ F ) ∨ ( ¬ E ∧ G ) , Σ 0 ( x ) = ( x ≫ 2) ⊕ ( x ≫ 13) ⊕ ( x ≫ 22) , Σ 1 ( x ) = ( x ≫ 6) ⊕ ( x ≫ 11) ⊕ ( x ≫ 25) . Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  5. Description of SHA-2 General View Description of Preimage Attack Step Function Application to SHA-2 Message Expansion Conclusions SHA-2 Message Expansion σ 0 σ 1 W 0 W 15 W 16 W 63 M 0 M 15 � M i for 0 ≤ i < 16 , W i = σ 1 ( W i − 2 ) + W i − 7 + σ 0 ( W i − 15 ) + W i − 16 for 16 ≤ i < 64 . Note: any consecutive 16 determine all message words. Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  6. Description of SHA-2 Description of Preimage Attack Application to SHA-2 Conclusions Preimage Attack - in general split match Target n + l Find pseudo-preimage in 2 l , then preimage in 2 2 +1 Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  7. Description of SHA-2 Overview Description of Preimage Attack Message Stealing Application to SHA-2 Message Compensation Conclusions Extended Partial Matching Result on SHA-2 W 11 , . . . , W 26 as a basis to generate all message words. Neutral words: W 16 and W 19 splitting point matching point S 17 S 35 indirect partial matching first chunk second chunk 0 1 16 19 34 41 W: A Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  8. Description of SHA-2 Overview Description of Preimage Attack Message Stealing Application to SHA-2 Message Compensation Conclusions Extended Partial Matching Message Stealing Σ 0 Σ 1 Σ 0 Σ 1 K i K i MAJ IF MAJ IF W i +3 W i W i splitting point W i W i Σ 0 Σ 1 Σ 0 Σ 1 K i +1 K i +1 0 MAJ IF MAJ IF W i +1 W i +1 Σ 0 Σ 1 Σ 0 Σ 1 K i +2 K i +2 1 MAJ IF MAJ IF W i +2 W i +2 Σ 0 Σ 1 Σ 0 Σ 1 K i +3 K i +3 MAJ IF MAJ IF W i +3 Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  9. Description of SHA-2 Overview Description of Preimage Attack Message Stealing Application to SHA-2 Message Compensation Conclusions Extended Partial Matching Result on SHA-2 W 11 , . . . , W 26 as a basis to generate all message words. Neutral words: W 16 and W 19 splitting point matching point S 17 S 35 indirect partial matching first chunk second chunk 0 1 16 19 34 41 W: A Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  10. Description of SHA-2 Overview Description of Preimage Attack Message Stealing Application to SHA-2 Message Compensation Conclusions Extended Partial Matching Message Compensation - First Chunk W 10 = W 26 − σ 1 ( W 24 ) − W 19 − σ 0 ( W 11 ) , W 9 = W 25 − σ 1 ( W 23 ) − W 18 − σ 0 ( W 10 ) , W 8 = W 24 − σ 1 ( W 22 ) − W 17 − σ 0 ( W 9 ) , W 7 = W 23 − σ 1 ( W 21 ) − W 16 − σ 0 ( W 8 ) , = W 22 − σ 1 ( W 20 ) − W 15 − σ 0 ( W 7 ) , W 6 W 5 = W 21 − σ 1 ( W 19 ) − W 14 − σ 0 ( W 6 ) , = W 20 − σ 1 ( W 18 ) − W 13 − σ 0 ( W 5 ) , W 4 W 3 = W 19 − σ 1 ( W 17 ) − W 12 − σ 0 ( W 4 ) , = W 18 − σ 1 ( W 16 ) − W 11 − σ 0 ( W 3 ) , W 2 W 1 = W 17 − σ 1 ( W 15 ) − W 10 − σ 0 ( W 2 ) , = W 16 − σ 1 ( W 14 ) − W 9 − σ 0 ( W 1 ) . W 0 Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  11. Description of SHA-2 Overview Description of Preimage Attack Message Stealing Application to SHA-2 Message Compensation Conclusions Extended Partial Matching Message Compensation - First Chunk W 10 = W 26 − σ 1 ( W 24 ) − W 19 − σ 0 ( W 11 ) , W 9 = W 25 − σ 1 ( W 23 ) − W 18 − σ 0 ( W 10 ) , W 8 = W 24 − σ 1 ( W 22 ) − W 17 − σ 0 ( W 9 ) , W 7 = W 23 − σ 1 ( W 21 ) − W 16 − σ 0 ( W 8 ) , = W 22 − σ 1 ( W 20 ) − W 15 − σ 0 ( W 7 ) , W 6 W 5 = W 21 − σ 1 ( W 19 ) − W 14 − σ 0 ( W 6 ) , = W 20 − σ 1 ( W 18 ) − W 13 − σ 0 ( W 5 ) , W 4 W 3 = W 19 − σ 1 ( W 17 ) − W 12 − σ 0 ( W 4 ) , = W 18 − σ 1 ( W 16 ) − W 11 − σ 0 ( W 3 ) , W 2 W 1 = W 17 − σ 1 ( W 15 ) − W 10 − σ 0 ( W 2 ) , = W 16 − σ 1 ( W 14 ) − W 9 − σ 0 ( W 1 ) . W 0 Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  12. Description of SHA-2 Overview Description of Preimage Attack Message Stealing Application to SHA-2 Message Compensation Conclusions Extended Partial Matching Message Compensation - First Chunk W 10 = W 26 − σ 1 ( W 24 ) − W 19 − σ 0 ( W 11 ) , W 9 = W 25 − σ 1 ( W 23 ) − W 18 − σ 0 ( W 10 ) , W 8 = W 24 − σ 1 ( W 22 ) − W 17 − σ 0 ( W 9 ) , W 7 = W 23 − σ 1 ( W 21 ) − W 16 − σ 0 ( W 8 ) , = W 22 − σ 1 ( W 20 ) − W 15 − σ 0 ( W 7 ) , W 6 W 5 = W 21 − σ 1 ( W 19 ) − W 14 − σ 0 ( W 6 ) , = W 20 − σ 1 ( W 18 ) − W 13 − σ 0 ( W 5 ) , W 4 W 3 = W 19 − σ 1 ( W 17 ) − W 12 − σ 0 ( W 4 ) , = W 18 − σ 1 ( W 16 ) − W 11 − σ 0 ( W 3 ) , W 2 W 1 = W 17 − σ 1 ( W 15 ) − W 10 − σ 0 ( W 2 ) , = W 16 − σ 1 ( W 14 ) − W 9 − σ 0 ( W 1 ) . W 0 Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  13. Description of SHA-2 Overview Description of Preimage Attack Message Stealing Application to SHA-2 Message Compensation Conclusions Extended Partial Matching Message Compensation - First Chunk W 10 = W 26 − σ 1 ( W 24 ) − W 19 − σ 0 ( W 11 ) , W 9 = W 25 − σ 1 ( W 23 ) − W 18 − σ 0 ( W 10 ) , W 8 = W 24 − σ 1 ( W 22 ) − W 17 − σ 0 ( W 9 ) , W 7 = W 23 − σ 1 ( W 21 ) − W 16 − σ 0 ( W 8 ) , = W 22 − σ 1 ( W 20 ) − W 15 − σ 0 ( W 7 ) , W 6 W 5 = W 21 − σ 1 ( W 19 ) − W 14 − σ 0 ( W 6 ) , = W 20 − σ 1 ( W 18 ) − W 13 − σ 0 ( W 5 ) , W 4 W 3 = W 19 − σ 1 ( W 17 ) − W 12 − σ 0 ( W 4 ) , = W 18 − σ 1 ( W 16 ) − W 11 − σ 0 ( W 3 ) , W 2 W 1 = W 17 − σ 1 ( W 15 ) − W 10 − σ 0 ( W 2 ) , = W 16 − σ 1 ( W 14 ) − W 9 − σ 0 ( W 1 ) . W 0 Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  14. Description of SHA-2 Overview Description of Preimage Attack Message Stealing Application to SHA-2 Message Compensation Conclusions Extended Partial Matching Result on SHA-2 W 11 , . . . , W 26 as a basis to generate all message words. Neutral words: W 16 and W 19 splitting point matching point S 17 S 35 indirect partial matching first chunk second chunk 0 1 16 19 34 41 W: A Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  15. Description of SHA-2 Overview Description of Preimage Attack Message Stealing Application to SHA-2 Message Compensation Conclusions Extended Partial Matching Message Compensation - Second Chunk W 27 = σ 1 ( W 25 ) + W 20 + σ 0 ( W 12 ) + W 11 , = σ 1 ( W 26 ) + W 21 + σ 0 ( W 13 ) + W 12 , W 28 W 29 = σ 1 ( W 27 ) + W 22 + σ 0 ( W 14 ) + W 13 , W 30 = σ 1 ( W 28 ) + W 23 + σ 0 ( W 15 ) + W 14 , W 31 = σ 1 ( W 29 ) + W 24 + σ 0 ( W 16 ) + W 15 , W 32 = σ 1 ( W 30 ) + W 25 + σ 0 ( W 17 ) + W 16 , = σ 1 ( W 31 ) + W 26 + σ 0 ( W 18 ) + W 17 , W 33 W 34 = σ 1 ( W 32 ) + W 27 + σ 0 ( W 19 ) + W 18 . Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

  16. Description of SHA-2 Overview Description of Preimage Attack Message Stealing Application to SHA-2 Message Compensation Conclusions Extended Partial Matching Result on SHA-2 splitting point matching point S 17 S 35 indirect partial matching first chunk second chunk 0 1 16 19 34 41 W: A W 0 = W 16 − σ 1 ( W 14 ) − W 9 − σ 0 ( W 1 ) W 34 = σ 1 ( W 32 ) + W 27 + σ 0 ( W 19 ) + W 18 Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo

Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo

On behavior of Professors Ohta and Sakiyama. Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo Sakiyama The University of Electro-Communications, Japan Blake A candidate in second round for

433 views • 11 slides
On the Periods of Spatially Periodic Preimages in Linear Bipermutive CA Automata 2015 - June 8-10

On the Periods of Spatially Periodic Preimages in Linear Bipermutive CA Automata 2015 - June 8-10

On the Periods of Spatially Periodic Preimages in Linear Bipermutive CA Automata 2015 - June 8-10 - Turku Luca Mariot, Alberto Leporati Dipartimento di Informatica, Sistemistica e Comunicazione Universit degli Studi Milano - Bicocca

372 views • 22 slides
Sharing Secrets by Computing Preimages of Bipermutive CA ACRI 2014 - September 22-25 - Krakow

Sharing Secrets by Computing Preimages of Bipermutive CA ACRI 2014 - September 22-25 - Krakow

Sharing Secrets by Computing Preimages of Bipermutive CA ACRI 2014 - September 22-25 - Krakow Luca Mariot, Alberto Leporati Dipartimento di Informatica, Sistemistica e Comunicazione Universit degli Studi Milano - Bicocca

654 views • 38 slides
Some Immediately Noticeable Benefits of using Polytron Reduced temperature n Reduced vibrations n

Some Immediately Noticeable Benefits of using Polytron Reduced temperature n Reduced vibrations n

Polytron Lubrication Technology Based on Micro-Metallurgical Process Some Immediately Noticeable Benefits of using Polytron Reduced temperature n Reduced vibrations n Reduced noise level n Reduced electrical power consumption n Considerable

630 views • 16 slides
min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A

min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A

a i a j a i , a j a j , a i min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A parallel compare-exchange operation. Processes P i and P j send their elements to each other. Process P i keeps min { a i ,

372 views • 22 slides
Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all

Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all

Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all customary information forms to Preparation and adoption of Convening and submission Submission of Application Ste land owned by ILG obtain

1.23k views • 4 slides
Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by

Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by

Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by step procedures Webster Groves School District 2009 Response to Intervention (RtI) is a comprehensive early detection and prevention strategy

688 views • 23 slides
o o o o Step 1:

o o o o Step 1:

o o o o Step 1: Bachelor of Laws (Western Sydney School of Law) Step 2: Professional Legal Training (College of Law et ors) Step 3: Admission to the Supreme

366 views • 14 slides
Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD.,

Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD.,

Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD., DTM&amp;H., MCTM. Surveillance and Investigation Section Bureau of Epidemiology, Department of Disease Control Ministry of Public Health, Thailand

1.27k views • 83 slides
Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3:

Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3:

Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3: Installing RSBlog! 3.1 Installing the component 3.2 Installing a new language file Step 4: Import plugins (optional) 4.1 Import Joomla! articles

889 views • 67 slides
Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3:

Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3:

Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3: Installing RSEvents! Step 4: Configure RSEvents! Step 5: Add user permissions Step 6: Create event categories Step 7: Create event locations Step 8:

627 views • 35 slides
Reduced Basis Collocation Methods for Partial Differential Equations with Random Coefficients

Reduced Basis Collocation Methods for Partial Differential Equations with Random Coefficients

Preliminary: Spectral Methods for PDEs with Uncertain Coefficients Reduced Basis Methods Reduced Basis + Sparse Grid Collocation Iterative Solution of Reduced Problem Concluding Remarks Reduced Basis Collocation Methods for Partial Differential

476 views • 43 slides
FROM XML TO RDF STEP BY STEP: APPROACHES FOR LEVERAGING

FROM XML TO RDF STEP BY STEP: APPROACHES FOR LEVERAGING

Co-funded by the Horizon 2020 Framework Programme of the European Union Grant Agreement Number 644771 FROM XML TO RDF STEP BY STEP: APPROACHES

613 views • 26 slides
FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH

FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH

FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH GRADE AUGUST 10,2020 IS A MINIMUM DAY STUDENTS WILL LOG 7:45AM - ONTO THEIR 12:27PM CLASSES AND ENGAGE WITH THEIR TEACHERS AND PEERS STEP 1:

276 views • 6 slides
Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big

Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big

Type Theory and Coq Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big step specify how a given expression can be evaluated to its final value. The style is simple and natural for many purposes and is

196 views • 19 slides
Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading

Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading

Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading RSTickets!Pro 2.1 Downloading the component 2.2 Downloading the plugins/modules 2.3 Downloading additional language packs Step 3: Installing RSTickets!Pro

548 views • 44 slides
Authentication and Transaction S ecurity in E-Business AXSionics AG, BFH S pin-off Park, S

Authentication and Transaction S ecurity in E-Business AXSionics AG, BFH S pin-off Park, S

next generation of access control Authentication and Transaction S ecurity in E-Business AXSionics AG, BFH S pin-off Park, S eevorstadt 103b, CH-2501 Biel-Bienne Lorenz Mller Mobile: + 41 79 341 03 26 Lorenz.mueller@axsionics.ch 1 next

1.21k views • 60 slides
Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys

Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys

Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys Minerva: The curse of ECDSA nonces Jan Jancar , Vladimir Sedlacek, Petr Svenda, Marek Sys Systematic analysis of lattice attacks on noisy leakage of

549 views • 53 slides
Office of Research Administration KPI Summary/Highlights Proposals FYTD February 2020 2018 2019

Office of Research Administration KPI Summary/Highlights Proposals FYTD February 2020 2018 2019

Office of Research Administration KPI Summary/Highlights Proposals FYTD February 2020 2018 2019 2020 School % change 2018 % change 2019 vs Total Proposal Proposed (#) Total Proposal Proposed Total Proposal Proposed vs 2019 2020 (#)

281 views • 6 slides
Genera&amp;ve Models and Model Cri&amp;cism via Op&amp;mized Maximum Mean Discrepancy Dougal J.

Genera&amp;ve Models and Model Cri&amp;cism via Op&amp;mized Maximum Mean Discrepancy Dougal J.

Genera&amp;ve Models and Model Cri&amp;cism via Op&amp;mized Maximum Mean Discrepancy Dougal J. Sutherland Gatsby unit, UCL Two-sample tes&amp;ng Observe two different datasets: vs Y Q X P Ques&amp;on we want to answer: is

688 views • 56 slides
6.808: Mobile and Sensor Computing Lecture 10: The Pothole Patrol Hari Balakrishnan hari@mit.edu

6.808: Mobile and Sensor Computing Lecture 10: The Pothole Patrol Hari Balakrishnan hari@mit.edu

6.808: Mobile and Sensor Computing Lecture 10: The Pothole Patrol Hari Balakrishnan hari@mit.edu Slides from Jakob Eriksson road decay unavoidable, hard to predict current monitoring methods costly/ineffective 3 the Pothole Patrol

592 views • 32 slides
Jonathan S. Shapiro Jonathan M. Smith David J. Farber Priorities 1.Security &amp; Integrity

Jonathan S. Shapiro Jonathan M. Smith David J. Farber Priorities 1.Security &amp; Integrity

Jonathan S. Shapiro Jonathan M. Smith David J. Farber Priorities 1.Security &amp; Integrity 2.High availability 3.Fault Tolerance 4.Evolvability 5.Performance This ordering has architectural and performance implications. Pure

450 views • 21 slides
Disclosures Philips, consultant Case Presentations: Problem Cases from the Liver/GI Consult

Disclosures Philips, consultant Case Presentations: Problem Cases from the Liver/GI Consult

5/28/2016 Disclosures Philips, consultant Case Presentations: Problem Cases from the Liver/GI Consult Service Ryan M. Gill What kind of case requires consultation? What kind of case requires consultation? 1. Common tumor, but something is

410 views • 24 slides
ServerSwitch: A Programmable and High Performance Platform for Data Center Networks Guohan Lu,

ServerSwitch: A Programmable and High Performance Platform for Data Center Networks Guohan Lu,

ServerSwitch: A Programmable and High Performance Platform for Data Center Networks Guohan Lu, Chuanxiong Guo, Yulong Li, Zhiqiang Zhou , Tong Yuan, Haitao Wu, Yongqiang Xiong, Rui Gao, Yongguang Zhang Microsoft Research Asia Tsinghua

326 views • 19 slides

More recommend