Preimages for Step-Reduced SHA-2 (Jian Guo, Krystian Matusiewicz)



SLIDE 1

Description of SHA-2 Description of Preimage Attack Application to SHA-2 Conclusions

Preimages for Step-Reduced SHA-2

Jian Guo (1), Krystian Matusiewicz (2)

(1) Nanyang Technological University, Singapore
(2) Technical University of Denmark

NTU, 25 Nov 2009

A merged version with Aoki, Sasaki and Wang will appear in ASIACRYPT 2009

Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2

SLIDE 2

Table of contents

1. Description of SHA-2: General View, Step Function, Message Expansion
2. Description of Preimage Attack
3. Application to SHA-2: Overview, Message Stealing, Message Compensation, Extended Partial Matching
4. Conclusions

SLIDE 3

SHA-2 in General

[Figure: SHA-2 compression function. Labels: input state IV_n, input message M_n, message expansion algorithm, iteration of the step transformation, state feed-forward operation, output state IV_{n+1}.]

Step Function: update internal chaining
Message Expansion: expand 16 message words to 64/80

SLIDE 4

SHA-2 Step Function

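[Figure: SHA-2 step function, taking state words A_i, ..., H_i to A_{i+1}, ..., H_{i+1}; labelled blocks Σ0, MAJ, Σ1, IF, with inputs K_i and W_i.]

$$
\begin{aligned}
\mathrm{MAJ}(A, B, C) &= (A \wedge B) \vee (A \wedge C) \vee (B \wedge C),\\
\mathrm{IF}(E, F, G) &= (E \wedge F) \vee (\neg E \wedge G),\\
\Sigma_0(x) &= (x \gg 2) \oplus (x \gg 13) \oplus (x \gg 22),\\
\Sigma_1(x) &= (x \gg 6) \oplus (x \gg 11) \oplus (x \gg 25).
\end{aligned}
$$

Here $\gg$ denotes rotation to the right; the rotation amounts shown are those of SHA-256.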

SLIDE 5

SHA-2 Message Expansion

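[Figure: message expansion; labels σ1, σ0, M_0 ... M_15, W_0 ... W_15, W_16 ... W_63.]

$$
W_i =
\begin{cases}
M_i & \text{for } 0 \le i < 16,\\
\sigma_1(W_{i-2}) + W_{i-7} + \sigma_0(W_{i-15}) + W_{i-16} & \text{for } 16 \le i < 64.
\end{cases}
$$

Note: any consecutive 16 determine all message words.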

SLIDE 6

Preimage Attack - in general

[Figure: meet-in-the-middle layout; labels: split, match, Target.]

Find pseudo-preimage in $2^{l}$, then preimage in $2^{\frac{n+l}{2}+1}$

SLIDE 7

Result on SHA-2

$W_{11}, \ldots, W_{26}$ as a basis to generate all message words.
Neutral words: $W_{16}$ and $W_{19}$

[Figure: attack layout; labels: A, first chunk, second chunk, splitting point S17, matching point S35, "W: indirect partial matching"; step labels 1, 16, 19, 34, 41.]

SLIDE 8

Message Stealing

[Figure: message stealing. Two diagrams of four consecutive step functions (Σ0, MAJ, Σ1, IF) with constants K_i ... K_{i+3} and message words W_i ... W_{i+3}, drawn around splitting point 1.]


SLIDE 10

Message Compensation - First Chunk

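$$
\begin{aligned}
W_{10} &= W_{26} - \sigma_1(W_{24}) - W_{19} - \sigma_0(W_{11}),\\
W_{9} &= W_{25} - \sigma_1(W_{23}) - W_{18} - \sigma_0(W_{10}),\\
W_{8} &= W_{24} - \sigma_1(W_{22}) - W_{17} - \sigma_0(W_{9}),\\
W_{7} &= W_{23} - \sigma_1(W_{21}) - W_{16} - \sigma_0(W_{8}),\\
W_{6} &= W_{22} - \sigma_1(W_{20}) - W_{15} - \sigma_0(W_{7}),\\
W_{5} &= W_{21} - \sigma_1(W_{19}) - W_{14} - \sigma_0(W_{6}),\\
W_{4} &= W_{20} - \sigma_1(W_{18}) - W_{13} - \sigma_0(W_{5}),\\
W_{3} &= W_{19} - \sigma_1(W_{17}) - W_{12} - \sigma_0(W_{4}),\\
W_{2} &= W_{18} - \sigma_1(W_{16}) - W_{11} - \sigma_0(W_{3}),\\
W_{1} &= W_{17} - \sigma_1(W_{15}) - W_{10} - \sigma_0(W_{2}),\\
W_{0} &= W_{16} - \sigma_1(W_{14}) - W_{9} - \sigma_0(W_{1}).
\end{aligned}
$$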


SLIDE 15

Message Compensation - Second Chunk

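$$
\begin{aligned}
W_{27} &= \sigma_1(W_{25}) + W_{20} + \sigma_0(W_{12}) + W_{11},\\
W_{28} &= \sigma_1(W_{26}) + W_{21} + \sigma_0(W_{13}) + W_{12},\\
W_{29} &= \sigma_1(W_{27}) + W_{22} + \sigma_0(W_{14}) + W_{13},\\
W_{30} &= \sigma_1(W_{28}) + W_{23} + \sigma_0(W_{15}) + W_{14},\\
W_{31} &= \sigma_1(W_{29}) + W_{24} + \sigma_0(W_{16}) + W_{15},\\
W_{32} &= \sigma_1(W_{30}) + W_{25} + \sigma_0(W_{17}) + W_{16},\\
W_{33} &= \sigma_1(W_{31}) + W_{26} + \sigma_0(W_{18}) + W_{17},\\
W_{34} &= \sigma_1(W_{32}) + W_{27} + \sigma_0(W_{19}) + W_{18}.
\end{aligned}
$$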
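The note that any 16 consecutive words determine the whole schedule, and the first-chunk and second-chunk equations above, can be checked numerically. The Python below is an added example, not code from the talk or the paper; the function names and the sample message block are constructed for illustration, and sigma0/sigma1 are the standard SHA-256 small sigma functions.

```python
MASK = 0xFFFFFFFF  # SHA-256 works on 32-bit words

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sigma0(x):  # SHA-256 small sigma 0
    return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)

def sigma1(x):  # SHA-256 small sigma 1
    return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)

def expand(m, steps=64):
    """Forward expansion: W_i = M_i for i < 16, then the recurrence."""
    w = list(m)
    for i in range(16, steps):
        w.append((sigma1(w[i - 2]) + w[i - 7] + sigma0(w[i - 15]) + w[i - 16]) & MASK)
    return w[:steps]

def from_basis(basis, start=11, steps=42):
    """Rebuild W_0..W_{steps-1} from the 16 words W_start..W_{start+15}."""
    if len(basis) != 16:
        raise ValueError("basis must hold 16 consecutive words")
    w = {start + k: v for k, v in enumerate(basis)}
    # Backward, as on the first-chunk slide: solve the recurrence for W_{i-16}.
    for i in range(start + 15, 15, -1):
        w[i - 16] = (w[i] - sigma1(w[i - 2]) - w[i - 7] - sigma0(w[i - 15])) & MASK
    # Forward, as on the second-chunk slide: the recurrence itself.
    for i in range(start + 16, steps):
        w[i] = (sigma1(w[i - 2]) + w[i - 7] + sigma0(w[i - 15]) + w[i - 16]) & MASK
    return [w[i] for i in range(steps)]

def changed_words(basis, index, start=11, steps=42):
    """Indices of W_0..W_{steps-1} that differ after flipping one bit of W_index."""
    alt = list(basis)
    alt[index - start] ^= 1
    a, b = from_basis(basis, start, steps), from_basis(alt, start, steps)
    return [i for i in range(steps) if a[i] != b[i]]

if __name__ == "__main__":
    M = [(0x01234567 * (k + 1)) & MASK for k in range(16)]  # constructed sample block
    W = expand(M, 42)
    assert from_basis(W[11:27]) == W  # the basis W11..W26 regenerates W0..W41
    print("words touched by W16:", changed_words(W[11:27], 16))
    print("words touched by W19:", changed_words(W[11:27], 19))
```

The printed index lists show how many steps a change in W16 or W19 stays away from in each direction before it enters the rebuilt schedule.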

SLIDE 16

Result on SHA-2

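[Figure: attack layout; labels: A, first chunk, second chunk, splitting point S17, matching point S35, "W: indirect partial matching"; step labels 1, 16, 19, 34, 41.]

$$
\begin{aligned}
W_{0} &= W_{16} - \sigma_1(W_{14}) - W_{9} - \sigma_0(W_{1})\\
W_{34} &= \sigma_1(W_{32}) + W_{27} + \sigma_0(W_{19}) + W_{18}
\end{aligned}
$$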

SLIDE 17

Extended Partial Matching

[Figure: extended partial matching. Step functions (Σ0, MAJ, Σ1, IF) for steps 34 to 41 and step 0, each with its constant K and message word W; labels: Backward, Forward, Backward, Target, and "Match?" at A35.]

SLIDE 18

Extended Partial Matching

$$
\psi(W_{16}) + \sigma_0(W_{19}) = \mu(W_{19}) - W_{16}
\iff
\psi(W_{16}) + W_{16} = \mu(W_{19}) - \sigma_0(W_{19})
$$

SLIDE 19

Result on SHA-2

[Figure: attack layout; labels: A, first chunk, second chunk, splitting point S17, matching point S35, "W: indirect partial matching"; step labels 1, 16, 19, 34, 41.]

SLIDE 20

Conclusions

We find preimages for 42 out of 64 (66%) step-reduced SHA-256 with complexity $2^{251.7}$ and memory requirement of order $2^{12}$ bits

The same attack applies to SHA-512 with complexity $2^{502.3}$ and memory requirement of order $2^{22}$

SLIDE 21

END

THANK YOU! QUESTIONS?
