
SAT Based Attacks on SipHash, by Santhosh Kantharaju Siddappa (presentation slides)



  1. SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa Supervised by Prof. Alan Kaminsky Department of Computer Science Rochester Institute of Technology

  2. Agenda ● SipHash ● Boolean Satisfiability Problem ● SAT Solver ● Attack Design ● Results ● Conclusion ● Questions

  3. SipHash - Motivation ● Hash flooding ● Server processing several requests ● Send several inputs with same hash ● Worst case lookup time

  4. Message Authentication Code (MAC) ● Data Integrity and Authentication ● f(k,m) = t ● Pre-image resistant ● Most MAC not optimized for short input ● Large overhead

  5. SipHash - Overview ● Uses 128-bit key ● Produces 64-bit tag ● SipHash-c,d ● Simple SipRounds – 4 ADD, 4 XOR and 6 rotate ● Internal state stored in 4 64-bit vectors

  6. SipHash - Features ● Highly secure ● High speed ● Autonomy ● Small state ● Minimal overhead

  7. SipHash - Design [Figure: SipHash-2,4 processing a 15-byte message [1]]

  8. SipRound [Figure: SipRound [1]]

  9. Boolean Satisfiability Problem
  ● Possible assignment of values to variables so that a boolean formula evaluates to true
  ● (A ˄ B) ˄ (B ˅ C) – Satisfiable: A = T, B = T
  ● (A ˄ B) ˄ (B ˅ C) ˄ (¬A ˄ C) – Unsatisfiable
  ● NP-complete

  10. Conjunctive Normal Form (CNF)
  ● (A ˅ B ˅ ¬C) ˄ (A ˅ ¬B) ˄ (¬A ˅ ¬C)
  ● (A ˅ B)
  ● A ˄ B
  3SAT
  ● (A ˅ B ˅ ¬C) ˄ (A ˅ ¬B ˅ ¬C) ˄ (¬A ˅ B ˅ ¬C)

  11. SAT Solver - Overview ● Input: Boolean formula ● Output: if satisfiable, set of value assignments ● CNF

  12. SAT Solver - Algorithm Search Tree [2]

  13. SAT Solver - Propagation
  Formula: (¬A ˅ B ˅ C) ˄ (¬A ˅ ¬B ˅ ¬C) ˄ (¬B ˅ C) ˄ (A ˅ B ˅ C)
  ● B = T: clauses still unsatisfied are (¬A ˅ ¬B ˅ ¬C) and (¬B ˅ C)
  ● C = T (forced by the unit clause ¬B ˅ C): remaining (¬A ˅ ¬B ˅ ¬C)
  ● A = F (forced by the unit clause ¬A ˅ ¬B ˅ ¬C)

  14. SAT Solver – Conflict & Learnt Clauses
  Formula: (¬A ˅ B ˅ C) ˄ (¬A ˅ ¬B ˅ ¬C) ˄ (¬B ˅ C) ˄ (A ˅ B ˅ C) ˄ (A ˅ ¬C)
  ● B = F: remaining (¬A ˅ B ˅ C), (A ˅ B ˅ C), (A ˅ ¬C)
  ● A = F: remaining (A ˅ B ˅ C), (A ˅ ¬C)
  ● C = ?: (A ˅ B ˅ C) forces C = T while (A ˅ ¬C) forces C = F
  ● Conflict = (¬A ˄ ¬B)
  ● Learnt clause = (A ˅ B)

  15. SAT Solver - Backtracking
  ● A = T (from the learnt clause, with B = F): clauses (¬A ˅ B ˅ C), (A ˅ B ˅ C), (A ˅ ¬C)
  ● C = T: satisfies the remaining clause (¬A ˅ B ˅ C)
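The propagation, conflict and backtracking steps of slides 11 to 15, as an added example that is not part of the presentation: a minimal DPLL solver in Python with unit propagation, chronological backtracking and a conflict counter (the cost metric of slide 26), run on the formulas of slides 9 and 14 using the numeric literal convention of slide 22. Function names are my own; CryptoMiniSat additionally learns clauses (slide 14) and is far more elaborate.

```python
def propagate(clauses, assign):
    """Unit propagation (slide 13). Returns False on a conflict (a clause with every literal false)."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            unassigned, satisfied = [], False
            for lit in clause:
                if abs(lit) not in assign:
                    unassigned.append(lit)
                elif assign[abs(lit)] == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if not unassigned:            # every literal false: conflict (slide 14)
                return False
            if len(unassigned) == 1:      # unit clause: the remaining literal must be true
                assign[abs(unassigned[0])] = unassigned[0] > 0
                changed = True
    return True

def dpll(clauses, assign, stats):
    # Branch on the lowest-numbered free variable, trying T before F (slides 12 and 15)
    assign = dict(assign)
    if not propagate(clauses, assign):
        stats["conflicts"] += 1
        return None
    free = {abs(l) for c in clauses for l in c} - set(assign)
    if not free:
        return assign                     # every variable assigned without conflict: SAT
    v = min(free)
    for value in (True, False):
        result = dpll(clauses, {**assign, v: value}, stats)
        if result is not None:
            return result
    return None                           # both branches failed: backtrack further up

def solve(clauses):
    """Return (satisfying assignment or None, number of conflicts hit on the way)."""
    stats = {"conflicts": 0}
    return dpll(clauses, {}, stats), stats["conflicts"]

# Slide 14's formula with A = 1, B = 2, C = 3; a negative number negates the variable (slide 22)
SLIDE14 = [[-1, 2, 3], [-1, -2, -3], [-2, 3], [1, 2, 3], [1, -3]]
# Slide 9's unsatisfiable example (A ˄ B) ˄ (B ˅ C) ˄ (¬A ˄ C) as five clauses
SLIDE9_UNSAT = [[1], [2], [2, 3], [-1], [3]]

if __name__ == "__main__":
    print(solve(SLIDE14), solve(SLIDE9_UNSAT))   # ({1: True, 2: False, 3: True}, 1) (None, 1)
```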

  16. CryptoMiniSAT ● DPLL-based algorithm ● Winner of the sequential category, SAT Race 2010 ● Version 2.9.5 for 32-bit Linux

  17. Attack - Design ● Perform partial key recovery ● Convert primitive to CNF ● Add known values to CNF ● Feed CNF to SAT solver ● Retrieve solution if satisfiable

  18. Attack – Building CNF for AND
  ● (A ˅ B ˅ ¬C) ˄ (A ˅ ¬B ˅ ¬C) ˄ (¬A ˅ B ˅ ¬C) ˄ (¬A ˅ ¬B ˅ C)
  ● Truth table for A ˄ B = C

  19. Attack - CNF for OR and XOR
  ● OR: (¬A ˅ B ˅ C) ˄ (A ˅ ¬B ˅ C) ˄ (A ˅ B ˅ ¬C) ˄ (¬A ˅ ¬B ˅ C)
  ● XOR: (¬A ˅ B ˅ C) ˄ (A ˅ ¬B ˅ C) ˄ (A ˅ B ˅ ¬C) ˄ (¬A ˅ ¬B ˅ ¬C)

  20. Attack – CNF for single bit ADD
  Full Adder (ˆ denotes XOR):
  ● A ˆ B = S
  ● A ˄ B = C1
  ● Ci ˆ S = Sum
  ● S ˄ Ci = C2
  ● C1 ˅ C2 = Carryout

  21. Attack – CNF for 64-bit ADD
  Adding 64 bits: the same full-adder equations applied per bit, with each Carryout feeding the next bit's Ci
  ● A ˆ B = S
  ● A ˄ B = C1
  ● Ci ˆ S = Sum
  ● S ˄ Ci = C2
  ● C1 ˅ C2 = Carryout

  22. Attack - Variables
  ● Numbers represent variables
  ● Negative numbers represent negation of variable
  ● Keep track of lowest unused number (577)
  [Figure: A (variables 256 … 193) XOR B (variables 128 … 65) = C (variables 640 … 577)]

  23. Attack – Reserved Variables ● Key: 1 – 128 ● Message: 129 – 192 ● Finalization Constant: 193 – 256 ● Final Hash: 257 – 320 ● Vectors 0 to 3: 321 – 576 ● Unused variable: 577

  24. Attack - Setup
  Generate CNF for SipHash-c,d, then repeat 100 times:
  ● Randomize key and message bits
  ● Compute tag for given key and message block
  ● Load message block, tag and known key bits onto CNF
  ● Feed CNF to SAT solver and record conflicts
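The gate encodings of slides 18 to 21, the variable numbering of slides 22 and 23 and the known-bit loading of slide 24, as an added example that is not the presentation's code: a Python CNF builder that emits the four clauses per gate, chains the slide-20 full adder into a 64-bit adder with the final carry dropped (SipHash adds modulo 2^64), pins known bits with unit clauses, and checks the resulting clauses against a simulated assignment. The class and function names and the inputs to encode_add64 are my own constructions.

```python
class CNFBuilder:
    # four clauses per gate, one for each truth-table row where c != op(a, b) (slides 18-19)
    TABLE = {"and": [[1, 1, -1], [1, -1, -1], [-1, 1, -1], [-1, -1, 1]],
             "or": [[-1, 1, 1], [1, -1, 1], [1, 1, -1], [-1, -1, 1]],
             "xor": [[-1, 1, 1], [1, -1, 1], [1, 1, -1], [-1, -1, -1]]}
    def __init__(self, first_free=577):  # 1..576 are reserved on slide 23
        self.next_var = first_free       # lowest unused variable number (slide 22)
        self.clauses = []                # lists of ints; a negative int negates the variable
        self.gates = []                  # (op, input vars, output var), kept for simulation
    def new_var(self):
        self.next_var += 1
        return self.next_var - 1
    def gate(self, op, a, b):            # fresh variable c constrained to c = op(a, b)
        c = self.new_var()
        self.clauses += [[sa * a, sb * b, sc * c] for sa, sb, sc in self.TABLE[op]]
        self.gates.append((op, (a, b), c))
        return c
    def fix(self, var, bit):             # unit clause pinning a known bit (slide 24)
        self.clauses.append([var if bit else -var])
        self.gates.append(("one" if bit else "zero", (), var))
    def full_adder(self, a, b, cin):     # slide 20
        s, c1 = self.gate("xor", a, b), self.gate("and", a, b)
        total, c2 = self.gate("xor", cin, s), self.gate("and", s, cin)
        return total, self.gate("or", c1, c2)
    def add_words(self, xs, ys):         # slide 21: ripple carry, LSB first, last carry dropped
        carry = self.new_var()
        self.fix(carry, 0)               # bit 0 has no carry-in
        out = []
        for a, b in zip(xs, ys):
            s, carry = self.full_adder(a, b, carry)
            out.append(s)
        return out
    def simulate(self, assignment):      # extend the input bits over every gate output
        ops = {"and": lambda x, y: x & y, "or": lambda x, y: x | y,
               "xor": lambda x, y: x ^ y, "zero": lambda: 0, "one": lambda: 1}
        val = dict(assignment)
        for op, ins, out in self.gates:
            val[out] = ops[op](*(val[i] for i in ins))
        return val
    def satisfied(self, val):            # does every clause contain a true literal?
        return all(any(val[abs(l)] == (l > 0) for l in cl) for cl in self.clauses)

def encode_add64(x, y):  # encode a 64-bit ADD and check its CNF against constructed inputs x, y
    b = CNFBuilder()
    xs, ys = [b.new_var() for _ in range(64)], [b.new_var() for _ in range(64)]
    out = b.add_words(xs, ys)
    bits = {v: (x >> i) & 1 for i, v in enumerate(xs)}
    bits.update({v: (y >> i) & 1 for i, v in enumerate(ys)})
    val = b.simulate(bits)
    return sum(val[v] << i for i, v in enumerate(out)), b.satisfied(val), len(b.clauses), b.next_var
```

encode_add64 returns the simulated sum, whether every clause holds under that assignment, the clause count (64 bits × 5 gates × 4 clauses + 1 unit clause) and the next unused variable number.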

  25. Attack – Simulation Parameters ● Compression rounds: 1 – 2 ● Finalization rounds: 0 - 3 ● Missing key bits: 1 - 25

  26. Data Collected ● Number of conflicts ● Analogous to brute force attempts ● Parse through SAT solver output

  27. Results – Sample CNF

  28. Results - Sample Output

  29. Results – SipHash-1,0 [Figure: SipHash-1,0]

  30. Results – SipHash-1,x [Figures: SipHash-1,1, SipHash-1,2]

  31. Related Work ● Collision attacks on CubeHash [3] ● SAT attacks on the Bivium stream cipher [4] - successfully recovered 48 bits in the register ● Logical cryptanalysis of DES [5] - cracked up to 3 rounds

  32. Future Work ● Use different SAT solvers and compare performance ● Use parallel SAT solver ● Combine other cryptanalysis techniques to forge new attacks

  33. Conclusions ● Perform partial key recovery ● Convert primitive to CNF ● Solve CNF using SAT solver ● Compare result with brute force approach ● Worked better for fewer SipRounds

  34. References
  [1] Jean-Philippe Aumasson and Daniel J. Bernstein. SipHash: a fast short-input PRF. In Steven D. Galbraith and Mridul Nandi, editors, INDOCRYPT, volume 7668 of Lecture Notes in Computer Science, pages 489–508. Springer, 2012.
  [2] http://www.msoos.org/wordpress/wp-content/uploads/2011/06/soos_summerschool.pdf
  [3] Benjamin Bloom. SAT solver attacks on CubeHash. Online, April 2010. http://www.cs.rit.edu/~ark/students/bwb1636/index.shtml
  [4] Tobias Eibach, Enrico Pilz, and Gunnar Völkel. Attacking Bivium using SAT solvers. In Proceedings of the 11th International Conference on Theory and Applications of Satisfiability Testing, SAT'08, pages 63–76, Berlin, Heidelberg, 2008. Springer-Verlag.
  [5] Fabio Massacci and Laura Marraro. Logical cryptanalysis as a SAT problem: the encoding of the Data Encryption Standard. Journal of Automated Reasoning, 24:165–203, 1999.

  35. Thank you
