Structural Attacks on Two SHA-3 Candidates: Blender-n and DCH-n (presentation slides)



SLIDE 1

Institute for Applied Information Processing and Communications (IAIK) - Krypto

Structural Attacks on Two SHA-3 Candidates: Blender-n and DCH-n

Mario Lamberger and Florian Mendel

Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria. mario.lamberger@iaik.tugraz.at

Mario Lamberger ISC 2009 Analysis of Blender-DCH 1

SLIDE 2

Outline

1. Motivation
2. Security Analysis of Blender-n
3. Security Analysis of DCH-n
4. Conclusion

SLIDE 5

Motivation

NIST SHA-3 competition
  • Weaknesses in the MD-family of hash functions
  • Find a successor of SHA-1 and SHA-2

SHA-3 candidates
  • 51 first round candidates
  • 15 second round candidates (August 2009)
  • 5 finalists (2010)
  • Choose SHA-3 in 2012

SLIDE 6

Main Security Requirements

Collision Resistance
  • Find $m \neq m'$ with $h(m) = h(m')$
  • Generic complexity: $2^{n/2}$

Second-Preimage Resistance
  • Given $m$, $h(m)$ find $m' \neq m$ with $h(m) = h(m')$
  • Generic complexity: $2^{n}$

Preimage Resistance
  • Given $h(m)$ find $m$
  • Generic complexity: $2^{n}$


SLIDE 8

The Blender-n Hash Function

Designed by C. Bradbury. Blender-n is an iterated hash function:
  • Message blocks of 32 (respectively 64) bits
  • Hash value of 224/256 (respectively 384/512) bits
  • Two checksums: $\Sigma_1 = \neg \sum_{i=1}^{t} W_i$, $\Sigma_2 = \sum_{i=1}^{t} \neg W_i$

[Figure: chain of compression functions f processing the message blocks 1, 2, ..., t followed by the two checksums Σ1 and Σ2]

SLIDE 9

Preimage Attack on Blender-n

  • The preimage attack is based on structural weaknesses in the design of the hash function and is independent of the underlying compression function
  • It works for all output sizes of Blender-n and has a complexity of about $n \cdot 2^{n/2}$ compression function evaluations
  • The attack is based on two simple observations

SLIDE 10

Observation 1:

The checksums $\Sigma_1$ and $\Sigma_2$ are strongly related: $\Sigma_2$ does not provide additional security.

Let $X = \sum_{i=1}^{t} W_i$. Then we have:

$$\Sigma_1 = \neg \sum_{i=1}^{t} W_i = \neg X$$

$$\Sigma_2 = \sum_{i=1}^{t} \neg W_i = \sum_{i=1}^{t} (-W_i - 1) = -t - \sum_{i=1}^{t} W_i = -t - X$$

(The second line uses $\neg W_i = -W_i - 1$, which holds for fixed-width words in two's complement arithmetic.)

SLIDE 11

Observation 2:

The final hash value $h$ of Blender is computed from the chaining values $A_i$ by modular additions. In other words, the computation of $h$ is invertible.

SLIDE 12

Outline of the Attack on Blender-512:

Assume that we can find $2^{512}$ messages $w^* = W_1 \| W_2 \| \dots \| W_t$ (and hence chaining values $A_i$ for $0 < i \le t$) such that all of them produce the same value $A_t$ and $X$. Then we can construct a preimage for $h$.

SLIDE 13

Outline of the Attack on Blender-512:

The attack basically consists of two steps:
  • Construct a $2^{512}$-multicollision to get $2^{512}$ messages $w^*$ which all result in the same value $A_t$ and $X$
  • Apply a meet-in-the-middle attack to find a message $w'$ among all the $w^*$ which is also a preimage for $h$

SLIDE 16

Constructing the $2^{512}$-multicollision

Construct a single collision:
  • Let $d \in \{0,1\}^{64}$ be an arbitrary value
  • For all $2^{256}$ choices of $W_i, \dots, W_{i+3}$ we take $W_{i+4}$ such that $\sum_{j=i}^{i+4} W_j = d$ is fulfilled and compute $A_{i+4}$ for $i > 0$
  • After computing all $2^{256}$ candidates for $A_{i+4}$ we expect to find a collision due to the birthday paradox

In other words, we can find a collision for the iterative part (chaining values) and $X$ with a complexity of about $2^{256}$ (instead of $2^{288}$). Hence, we can construct a $2^{512}$-multicollision with a complexity of about $512 \cdot 2^{256} = 2^{265}$ and negligible memory requirements.

SLIDE 19

Constructing the Preimage for h

From this set of $2^{512}$ messages $w^*$ leading to the same chaining value $A_t$ and $X$, we now have to find a message $w'$ that hashes to the given value $h$. To do this, we make use of a meet-in-the-middle attack, where $r_i \in \{0,1\}$ selects one of the two colliding 5-block segments in position $i$ of the multicollision:
  • Compute $S_1 = \sum_{i=1}^{256} \left( A^{r_i}_{5i-4} + A^{r_i}_{5i-3} + \dots + A^{r_i}_{5i} \right)$ for all $r_i \in \{0,1\}$ and store all $2^{256}$ candidates in a list $L$
  • Compute $S_2 = \sum_{i=257}^{512} \left( A^{r_i}_{5i-4} + A^{r_i}_{5i-3} + \dots + A^{r_i}_{5i} \right)$ and check whether $h - S_2$ is in the list $L$

After testing all $2^{256}$ values for $S_2$ we expect to find a match and hence a preimage for Blender-512.
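The two-step attack of slides 12 to 19 (chained segment collisions with a fixed segment sum, then the meet-in-the-middle over the sums of chaining values), run on a scaled-down Blender-like toy. This is an added example, not the authors' code: the compression function f, the IV, the 8-bit word / 16-bit state sizes and the finalisation (sum of all chaining values plus the two checksums of slide 8) are constructed stand-ins, so the slides' $2^{512}$ and $2^{256}$ become $2^{16}$ and $2^{8}$.

```python
import random
W, N = 8, 16                    # toy Blender: 8-bit message words, 16-bit chaining values and hash
MW, MN = (1 << W) - 1, (1 << N) - 1
A0 = 0x0B1E                     # constructed IV

def f(a, w):  # constructed toy compression function; the attack treats it as a black box
    x = (a ^ (w * 0x0101)) & MN
    for _ in range(3):
        x = ((x * 0x9E37) & MN) ^ (x >> 7)
        x = ((x << 5) | (x >> 11)) & MN
    return x

def chain(words, a=A0):  # chaining values A_1..A_t obtained from the start value a
    out = []
    for w in words:
        a = f(a, w)
        out.append(a)
    return out

def blender_hash(words):  # h = sum of all A_i + Sigma_1 + Sigma_2 (mod 2^N); checksums as on slide 8
    x = sum(words) & MW
    return (sum(chain(words)) + (~x & MW) + ((-len(words) - x) & MW)) & MN

def segment_collision(a_in, d, rng):  # two 5-word segments with word sum d that collide on A_{i+4}
    seen = {}
    while True:
        seg = [rng.randrange(1 << W) for _ in range(4)]
        seg.append((d - sum(seg)) & MW)              # W_{i+4} is fixed so that the segment sum is d
        a_out = chain(seg, a_in)[-1]
        if a_out in seen and seen[a_out] != seg:     # birthday hit after about 2^(N/2) tries
            return seen[a_out], seg, a_out
        seen[a_out] = seg

def blender_preimage(h, rng=random.Random(2)):  # N chained collisions -> 2^N-multicollision, then MITM
    for d in range(1 << W):                          # rebuild with another d if the MITM finds no match
        segs, a = [], A0
        for _ in range(N):
            s0, s1, a_out = segment_collision(a, d, rng)
            segs.append((s0, s1, a))                 # both variants start from the same A_in
            a = a_out
        x = (N * d) & MW                             # X, hence Sigma_1 and Sigma_2, same for all 2^N messages
        target = (h - (~x & MW) - ((-5 * N - x) & MW)) & MN   # what the chaining values must sum to
        def part(lo, hi, r):  # sum of A's over segments lo..hi-1; bit k-lo of r picks the variant of segment k
            return sum(sum(chain(segs[k][(r >> (k - lo)) & 1], segs[k][2])) for k in range(lo, hi)) & MN
        L = {part(0, N // 2, r): r for r in range(1 << (N // 2))}      # S_1 table, 2^(N/2) entries
        for r2 in range(1 << (N // 2)):                                 # S_2 side: is h - S_2 in L?
            r1 = L.get((target - part(N // 2, N, r2)) & MN)
            if r1 is not None:
                return [w for k in range(N) for w in segs[k][((r1 | r2 << N // 2) >> k) & 1]]
```

The whole search runs in well under a second at this size, which is the point: the work is $N \cdot 2^{N/2}$ rather than $2^{N}$, and nothing about f was used.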

SLIDE 20

Summary

  • We have shown a preimage attack on Blender-n with a complexity of about $n \cdot 2^{n/2}$ compression function evaluations and negligible memory
  • The attack is based on structural weaknesses in the design of the hash function Blender-n and is independent of the design of the underlying compression function

Related work:
  • C. Newbold: Preimage attack, complexity $n \cdot 2^{(n+|w|)/2}$
  • V. Klima: Preimage and collision attack, complexity $10 \cdot 2^{n/4}$


SLIDE 22

The DCH-n Hash Function

SHA-3 candidate by D. Wilson. DCH-n is an iterated hash function:
  • Processes message blocks of 504 bits
  • Each message block is preceded by an 8-bit dithering block
  • Produces a hash value of 224, 256, 384 or 512 bits

In each iteration the chaining value is updated as follows: $H_{i+1} = f(H_i, M_i) = H_i \oplus M_i \oplus g(M_i)$

SLIDE 23

Basic Attack Strategy

The attack is again based on a structural weakness in the design of the hash function and uses an observation of Khovratovich and Nikolić.

Let $\gamma_i(M'_i) := g(m_i \| M'_i) \oplus (m_i \| M'_i)$, where $M'_i$ is the 504-bit message block and $m_i$ is the 8-bit dithering input. Then we can write:

$$H_{i+1} = H_0 \oplus \gamma_0(M'_0) \oplus \gamma_1(M'_1) \oplus \dots \oplus \gamma_i(M'_i)$$

SLIDE 24

Collision Attack

Consider a message $m = M_0 \| M_1 \| \dots \| M_N$ consisting of $N + 1$ message blocks with $M_i = m_i \| M'_i$. Then

$$H_{N+1} = H_0 \oplus \gamma_0(M'_0) \oplus \gamma_1(M'_1) \oplus \dots \oplus \gamma_N(M'_N)$$

Since there are only $2^8$ possible dithering inputs, there must be $0 \le i, j \le 2^8$ with $i \neq j$ such that $m_i = m_j$ and thus $\gamma_i = \gamma_j$. Setting $M'_i = M'_j = a \in \{0,1\}^{504}$ for the above $i$ and $j$ implies that these two blocks cancel and don't contribute to the computation of $H_{N+1}$, whatever the value of $a$. Hence, we can trivially construct collisions for DCH-n.

SLIDE 25

Preimage Attack

The core observation for the preimage attack is that the outputs of DCH-n form a vector space of dimension $n$ over $\mathbb{F}_2$. This can be easily seen when looking at the alternative description of DCH-n:

$$H_{i+1} = H_0 \oplus \gamma_0(M'_0) \oplus \gamma_1(M'_1) \oplus \dots \oplus \gamma_i(M'_i)$$

Hence, we only need to compute a basis of this vector space to construct a preimage for DCH-n.

SLIDE 27

Preimage Attack

As in the collision case we need to find different indices $i$ and $j$ for which the dithering blocks $m_i$ and $m_j$ are the same. Only now, we need to find many such index pairs $(i_k, j_k)$ having $m_{i_k} = m_{j_k}$ (and thus $\gamma_{i_k} = \gamma_{j_k}$).

We can show that for a message having $2 \cdot \ell + 2^8$ message blocks, we can find at least $\ell$ such index pairs $(i_k, j_k)$:

$$\ell = 32 \cdot \sum_{i=0}^{7} \left\lfloor \frac{n_i}{2} \right\rfloor = 32 \cdot \sum_{i=0}^{7} \left( \frac{n_i}{2} - \left\{ \frac{n_i}{2} \right\} \right) \ge \frac{N}{2} - 2^7$$

SLIDE 28

Preimage Attack

Assume we want to construct a preimage for $h$ consisting of $N + 1$ message blocks:

$$h = H_0 \oplus \bigoplus_{i=0}^{N} \gamma_i(M'_i)$$

We choose the last message block $M_N$ such that the padding is correct:

$$\bigoplus_{i=0}^{N-1} \gamma_i(M'_i) = h \oplus H_0 \oplus \gamma_N(M'_N)$$

Write $N = 2 \cdot \ell + 2^8$. Thus, we get at least $\ell$ index pairs $(i_k, j_k)$ such that $\gamma_{i_k} = \gamma_{j_k}$.

SLIDE 29

Preimage Attack

Next, we compute $\ell \ge n$ vectors $a_k = \gamma_{i_k}(M'^{\,0}_k) \oplus \gamma_{j_k}(M'^{\,1}_k)$ with random $M'^{\,0}_k$ and $M'^{\,1}_k$.

Among these vectors $a_k$ we try to find a basis for the output vector space of DCH-n. This has a probability of

$$\prod_{i=0}^{n-1} \frac{2^{\ell} - 2^{i}}{2^{\ell}}$$

Once we have found a basis for the vector space, we can construct a (second) preimage for DCH-n by solving a linear system of equations over $\mathbb{F}_2$.
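The collision construction of slide 24 and the linear-algebra preimage of slides 25 to 29, run on a scaled-down DCH-like toy. This is an added example, not DCH's code: the 16-bit hash, the block layout (8-bit dither || 8-bit M'), the function g, the IV and the dither sequence $m_i = i \bmod 2^8$ are all constructed here, and padding is ignored, so the last block is treated like any other block.

```python
import random
MASK, H0 = 0xFFFF, 0x1234  # toy DCH: 16-bit hash (n = 16), block = 8-bit dither || 8-bit M', constructed IV

def g(x):  # constructed toy stand-in for DCH's g; non-linear over F2, which is all the attack needs
    for r in range(4):
        x = ((x * 0x9E37) & MASK) ^ (x >> 5) ^ (r * 0x5555)
        x = ((x << 3) | (x >> 13)) & MASK
    return x

def gamma(dither, mp):  # gamma_i(M'_i) = g(m_i || M'_i) xor (m_i || M'_i)
    return g((dither << 8) | mp) ^ ((dither << 8) | mp)

def dch_hash(blocks):  # H_{i+1} = H_i xor M_i xor g(M_i); dither m_i = i mod 2^8 is a constructed sequence
    h = H0
    for i, mp in enumerate(blocks):
        h ^= gamma(i & 0xFF, mp)
    return h

def dch_collision():  # blocks 0 and 256 share a dither byte, so M'_0 = M'_256 = a cancels for every a
    m1, m2 = [0x5A] * 257, [0x5A] * 257
    m1[0], m1[256], m2[0], m2[256] = 0x00, 0x00, 0xFF, 0xFF
    return m1, m2

def solve_gf2(vectors, target):  # choice bits x with xor over k of x_k*vectors[k] == target, else None
    basis = {}  # leading bit -> (reduced vector, bitmask of the a_k combined into it)
    def reduce(v, c):
        for p in sorted(basis, reverse=True):
            if v >> p & 1:
                v, c = v ^ basis[p][0], c ^ basis[p][1]
        return v, c
    for k, v in enumerate(vectors):
        v, c = reduce(v, 1 << k)
        if v:
            basis[v.bit_length() - 1] = (v, c)
    rest, comb = reduce(target, 0)
    return None if rest else comb

def dch_preimage(h, ell=24, rng=random.Random(1)):  # N = 2*ell + 2^8 blocks give >= ell equal-dither pairs
    pairs = [(i, i + 256) for i in range(2 * ell)]      # m_i = m_{i+256}, so gamma_i = gamma_{i+256}
    while True:  # retry if the a_k do not span F2^16 (success probability prod_i (2^l - 2^i)/2^l)
        blocks = [rng.randrange(256) for _ in range(2 * ell + 256)]
        alts, vecs = [], []
        for i, j in pairs:
            blocks[j] = blocks[i]                           # equal pair contributes gamma ^ gamma = 0
            alts.append(rng.randrange(256))
            vecs.append(gamma(i & 0xFF, blocks[i]) ^ gamma(i & 0xFF, alts[-1]))  # a_k
        x = solve_gf2(vecs, dch_hash(blocks) ^ h)            # which a_k have to be switched on
        if x is not None: break
    for k, (_, j) in enumerate(pairs):
        if x >> k & 1: blocks[j] = alts[k]                   # pair k now contributes a_k
    return blocks
```

Nothing in `dch_preimage` inverts g: each equal-dither pair either cancels or contributes its vector $a_k$, so the preimage is a solution of a linear system over $\mathbb{F}_2$ exactly as the slides describe.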

SLIDE 30

Summary

  • We have shown trivial collisions for DCH-n for all output sizes
  • We have shown that by computing a basis for the outputs of DCH-n, (second) preimages can be constructed by solving a linear system of equations over $\mathbb{F}_2$
  • Both the collision and the (second) preimage attack are independent of the design of the compression function of DCH-n


SLIDE 36

Conclusion

  • We have shown structural weaknesses in the SHA-3 candidates Blender-n and DCH-n
  • We have shown trivial collision and preimage attacks on DCH-n
  • We have shown a preimage attack on Blender-n having complexity $n \cdot 2^{n/2}$
  • The attacks are independent of the design of the underlying compression function and thus serve as examples for weak modes of operation
  • The weaknesses addressed in this paper are not isolated:
      Blender → GOST, AURORA (SHA-3 candidate)
      DCH-n → SMASH

SLIDE 37

Thank you for your attention!