SLIDE 1
SAT Based Attacks on SipHash
By
Santhosh Kantharaju Siddappa
Supervised by
- Prof. Alan Kaminsky
Agenda
- SipHash
- Boolean Satisfiability Problem
- SAT Solver
- Attack Design
- Results
- Conclusion
- Questions
SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa - - PowerPoint PPT Presentation
SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa - - PowerPoint PPT Presentation
SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa Supervised by Prof. Alan Kaminsky Department of Computer Science Rochester Institute of Technology Agenda SipHash Boolean Satisfiability Problem SAT Solver Attack
SLIDE 2
SLIDE 3
SipHash - Motivation
- Hash flooding
- Server processing several requests
- Send several inputs with same hash
- Worst case lookup time
SLIDE 4
Message Authentication Code (MAC)
- Data Integrity and Authentication
- f(k,m) = t
- Pre-image resistant
- Most MAC not optimized for short input
- Large overhead
SLIDE 5
SipHash - Overview
- Uses 128-bit key
- Produces 64-bit tag
- SipHash-c,d
- Simple SipRounds – 4 ADD, 4 XOR and 6 rotate
- Internal state stored in 4 64-bit vectors
SLIDE 6
SipHash - Features
- Highly secure
- High speed
- Autonomy
- Small state
- Minimal overhead
SLIDE 7
SipHash - Design
SipHash-2,4 processing a 15-byte message[1]
SLIDE 8
SipRound
SipRound[1]
SLIDE 9
Boolean Satisfiability Problem
- Possible assignment of values to variables so that a boolean
formula evaluates to true
- (A ˄ B) (B ˅ C) – Satisfiable: A = T, B = T
- (A ˄ B) (B ˅ C) (¬A ˄ C) – Unsatisfiable
- NP-complete
SLIDE 10
Conjunctive Normal Form (CNF)
- (A ˅ B ˅ ¬C) (A ˅ ¬B) (¬A ˅ ¬C)
- (A ˅ B)
- A ˄ B
3SAT
- (A ˅ B ˅ ¬C) (A ˅ ¬B ˅ ¬C) (¬A ˅ B ˅ ¬C)
SLIDE 11
SAT Solver - Overview
- Input: Boolean formula
- Output: if satisfiable, set of value assignments
- CNF
SLIDE 12
SAT Solver - Algorithm
Search Tree [2]
SLIDE 13
SAT Solver - Propagation
(~A ˅ B ˅ C) (~A ˅ ~B ˅ ~C) (~B ˅ C) (A ˅ B ˅ C) B = T (~A ˅ ~B ˅ ~C) (~B ˅ C) C = T (~A ˅ ~B ˅ ~C) A = F
SLIDE 14
SAT Solver – Conflict & Learnt Clauses
(~A ˅ B ˅ C) (~A ˅ ~B ˅ ~C) (~B ˅ C) (A ˅ B ˅ C) (A ˅ ~C) B = F (~A ˅ B ˅ C) (A ˅ B ˅ C) (A ˅ ~C) A = F (A ˅ B ˅ C) (A ˅ ~C) C = ? Conflict = (~A ˄ ~B) Learnt clause = (A ˅ B)
SLIDE 15
SAT Solver - Backtracking
(~A ˅ B ˅ C) A = T (~A ˅ B ˅ C) (A ˅ B ˅ C) (A ˅ ~C) C = T
SLIDE 16
CryptoMiniSAT
- DPLL-based algorithm
- Winner of sequential category SAT Race2010
- Version 2.9.5 for 32-bit Linux
SLIDE 17
Attack - Design
- Perform partial key recovery
- Convert primitive to CNF
- Add known values to CNF
- Feed CNF to SAT solver
- Retrieve solution if satisfiable
SLIDE 18
Attack – Building CNF for AND
Truth table for A ^ B = C
- (A ˅ B ˅ ¬C) (A ˅ ¬B ˅ ¬C) (¬A ˅ B ˅ ¬C) (¬A ˅ ¬B ˅ C)
SLIDE 19
Attack - CNF for OR and XOR
- OR
(¬A ˅ B ˅ C) (A ˅ ¬B ˅ C) (A ˅ B ˅ ¬C) (¬A ˅ ¬B ˅ C)
- XOR
(¬A ˅ B ˅ C) (A ˅ ¬B ˅ C) (A ˅ B ˅ ¬C) (¬A ˅ ¬B ˅ ¬C)
SLIDE 20
Attack – CNF for single bit ADD
Full Adder (AˆB = S) (A˄B = C1) (CiˆS = Sum) (S˄Ci = C2) (C1˅C2 = Carryout)
SLIDE 21
Attack – CNF for 64-bit ADD
Adding 64 bits (AˆB = S) (A˄B = C1) (CiˆS = Sum) (S˄Ci = C2) (C1˅C2 = Carryout)
SLIDE 22
Attack - Variables
- Numbers represent variables
- Negative numbers represent negation of variable
- Keep track of lowest unused number (577)
256 255 254 253 252 …..............................196 195 194 193 128 127 126 125 124......................................... 69 68 67 66 65 640 639 638 637 636 …..............................580 579 578 577 XOR = A B C
SLIDE 23
Attack – Reserved Variables
- Key: 1 – 128
- Message: 129 – 192
- Finalization Constant: 193 – 256
- Final Hash: 257 – 320
- Vectors 0 to 3: 321 – 576
- Unused variable: 577
SLIDE 24
Attack - Setup
Randomize key and message bits Compute tag for given key and message block Load message block,tag and known key bits onto CNF Generate CNF: SipHash-c,d Feed CNF to SAT solver and Record conflicts 100 times
SLIDE 25
Attack – Simulation Parameters
- Compression rounds: 1 – 2
- Finalization rounds: 0 - 3
- Missing key bits: 1 - 25
SLIDE 26
Data Collected
- Number of conflicts
- Analogous to brute force attempts
- Parse through SAT solver output
SLIDE 27
Results – Sample CNF
SLIDE 28
Results - Sample Output
SLIDE 29
Results – SipHash-1,0
SipHash-1,0
SLIDE 30
Results – SipHash-1,x
SipHash-1,1 SipHash-1,2
SLIDE 31
Related Work
- Collision attacks on CubeHash [3]
- SAT attacks on Bivium stream cipher [4]
- successfully recovered 48 bits in register
- Logical cryptanalysis of DES [5]
- cracked upto 3 rounds
SLIDE 32
Future Work
- Use different SAT solvers and compare performance
- Use parallel SAT solver
- Combine other cryptanalysis techniques to forge new attacks
SLIDE 33
Conclusions
- Perform partial key recovery
- Convert primitive to CNF
- Solve CNF using SAT solver
- Compare result with brute force approach
- Worked better for fewer SipRounds
SLIDE 34
References
[1] Jean-Philippe Aumasson and Daniel J. Bernstein. SipHash: A fast short-input PRF. In Steven
- D. Galbraith and Mridul Nandi, editors, INDOCRYPT, volume 7668 of Lecture Notes in Computer
Science, pages 489–508. Springer, 2012. [2] http://www.msoos.org/wordpress/wp-content/uploads/2011/06/soos_summerschool.pdf [3] Benjamin Bloom. SAT solver attacks on CubeHash @ONLINE, April 2010. http://www.cs.rit.edu/~ark/students/bwb1636/index.shtml [4] Tobias Eibach, Enrico Pilz, and Gunnar V¨olkel. Attacking Bivium using SAT solvers.In Proceedings of the 11th international conference on Theory and applications of satisfiability testing, SAT’08, pages 63–76, Berlin, Heidelberg, 2008. Springer-Verlag. [5] Fabio Massacci and Laura Marraro. Logical cryptanalysis as a SAT problem: the encoding of the Data Encryption Standard. In Journal of Automated Reasoning, 24:165–203, 1999.
SLIDE 35