Structural Attacks on Two SHA-3 Candidates: Blender- n and DCH- n - PowerPoint PPT Presentation

Institute for Applied Information Processing and Communications (IAIK) - Krypto Structural Attacks on Two SHA-3 Candidates: Blender- n and DCH- n Mario Lamberger and Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria mario.lamberger@iaik.tugraz.at Mario Lamberger ISC 2009 Analysis of Blender-DCH 1

Institute for Applied Information Processing and Communications (IAIK) - Krypto Outline Motivation 1 Security Analysis of Blender- n 2 3 Security Analysis of DCH- n Conclusion 4 Mario Lamberger ISC 2009 Analysis of Blender-DCH 2

Institute for Applied Information Processing and Communications (IAIK) - Krypto Motivation Mario Lamberger ISC 2009 Analysis of Blender-DCH 3

Institute for Applied Information Processing and Communications (IAIK) - Krypto Motivation x x x x x x x x Mario Lamberger ISC 2009 Analysis of Blender-DCH 3

Institute for Applied Information Processing and Communications (IAIK) - Krypto Motivation NIST SHA-3 competition Weaknesses in the MD-family of hash functions Find a successor of SHA-1 and SHA-2 SHA-3 candidates 51 first round candidates 15 second round candidates (August 2009) 5 finalists (2010) Choose SHA-3 in 2012 Mario Lamberger ISC 2009 Analysis of Blender-DCH 4

Institute for Applied Information Processing and Communications (IAIK) - Krypto Main Security Requirements Collision Resistance Find m , m ′ with m � = m ′ and h ( m ) = h ( m ′ ) Generic complexity: 2 n / 2 Second-Preimage Resistance Given m , h ( m ) find m ′ with m � = m ′ and h ( m ) = h ( m ′ ) Generic complexity: 2 n Preimage Resistance Given h ( m ) find m Generic complexity: 2 n Mario Lamberger ISC 2009 Analysis of Blender-DCH 5

Institute for Applied Information Processing and Communications (IAIK) - Krypto Outline Motivation 1 Security Analysis of Blender- n 2 3 Security Analysis of DCH- n Conclusion 4 Mario Lamberger ISC 2009 Analysis of Blender-DCH 6

Institute for Applied Information Processing and Communications (IAIK) - Krypto The Blender- n Hash Function Designed by C. Bradbury Blender- n is an iterated hash function Message blocks of 32 (respectively 64) bits Hash value of 224/256 (respectively 384/512) bits Two checksums: Σ 1 = ¬ Σ t i = 1 W i , Σ 2 = Σ t i = 1 ¬ W i f f f f f 1 2 t 1 2 Mario Lamberger ISC 2009 Analysis of Blender-DCH 7

Institute for Applied Information Processing and Communications (IAIK) - Krypto Preimage Attack on Blender- n The preimage attack is based on structural weaknesses in the design of the hash function and is independent of the underlying compression function It works for all output sizes of Blender-n and has a complexity of about n · 2 n / 2 compression function evaluations The attack is based on two simple observations Mario Lamberger ISC 2009 Analysis of Blender-DCH 8

Institute for Applied Information Processing and Communications (IAIK) - Krypto Observation 1: The checksums � 1 and � 2 are strongly related � 2 does not provide additional security Let X = � t i = 1 W i . Then we have: t � � 1 = ¬ W i = ¬ X i = 1 t t t � � � � 2 = ¬ W i = ( − W i − 1 ) = − t − W i = − t − X i = 1 i = 1 i = 1 Mario Lamberger ISC 2009 Analysis of Blender-DCH 9

Institute for Applied Information Processing and Communications (IAIK) - Krypto Observation 2: The final hash value h of Blender is computed from the chaining values A i by modular additions In other words, the computation of h is invertible Mario Lamberger ISC 2009 Analysis of Blender-DCH 10

Institute for Applied Information Processing and Communications (IAIK) - Krypto Outline of the Attack on Blender-512: Assume, that we can find 2 512 messages w ∗ = W 1 || W 2 || . . . || W t (and hence chaining values A i for 0 < i ≤ t ), such that all produce the same value A t and X , then we can construct a preimage for h Mario Lamberger ISC 2009 Analysis of Blender-DCH 11

Institute for Applied Information Processing and Communications (IAIK) - Krypto Outline of the Attack on Blender-512: The attack basically consists of two steps: Construct a 2 512 -multicollision to get 2 512 messages w ∗ which result all in the same value A t and X Apply a meet-in-the-middle attack to find a message w ′ among all the w ∗ which also is a preimage for h Mario Lamberger ISC 2009 Analysis of Blender-DCH 12

Institute for Applied Information Processing and Communications (IAIK) - Krypto Constructing the 2 512 -multicollision Construct a single collision Let d ∈ { 0 , 1 } 64 be an arbitrary value For all 2 256 choices of W i , . . . , W i + 3 we take W i + 4 such that � i + 4 j = i W j = d is fulfilled and compute A i + 4 for i > 0 After computing all 2 256 candidates for A i + 4 we expect to find a collision due to the birthday paradox Mario Lamberger ISC 2009 Analysis of Blender-DCH 13

Institute for Applied Information Processing and Communications (IAIK) - Krypto Constructing the 2 512 -multicollision Construct a single collision Let d ∈ { 0 , 1 } 64 be an arbitrary value For all 2 256 choices of W i , . . . , W i + 3 we take W i + 4 such that � i + 4 j = i W j = d is fulfilled and compute A i + 4 for i > 0 After computing all 2 256 candidates for A i + 4 we expect to find a collision due to the birthday paradox In other words, we can find a collision for the iterative part (chaining values) and X with a complexity of about 2 256 (instead of 2 288 ) Mario Lamberger ISC 2009 Analysis of Blender-DCH 13

Institute for Applied Information Processing and Communications (IAIK) - Krypto Constructing the 2 512 -multicollision Construct a single collision Let d ∈ { 0 , 1 } 64 be an arbitrary value For all 2 256 choices of W i , . . . , W i + 3 we take W i + 4 such that � i + 4 j = i W j = d is fulfilled and compute A i + 4 for i > 0 After computing all 2 256 candidates for A i + 4 we expect to find a collision due to the birthday paradox In other words, we can find a collision for the iterative part (chaining values) and X with a complexity of about 2 256 (instead of 2 288 ) Hence, we can construct a 2 512 -multicollision with a complexity of about 512 · 2 256 = 2 265 and negligible memory requirements Mario Lamberger ISC 2009 Analysis of Blender-DCH 13

Institute for Applied Information Processing and Communications (IAIK) - Krypto Constructing the Preimage for h From this set of 2 512 messages w ∗ leading to the same chaining value A t and X , we now have to find a message w ′ that leads to the given preimage h Mario Lamberger ISC 2009 Analysis of Blender-DCH 14

Institute for Applied Information Processing and Communications (IAIK) - Krypto Constructing the Preimage for h From this set of 2 512 messages w ∗ leading to the same chaining value A t and X , we now have to find a message w ′ that leads to the given preimage h To do this, we make use of a meet-in-the-middle attack: i = 1 ( A r i 5 i − 4 + A r i 5 i − 3 + · · · + A r i Compute S 1 = Σ 256 5 i ) with r i ∈ { 0 , 1 } and store all 2 256 candidates in a list L i = 257 ( A r i 5 i − 4 + A r i 5 i − 3 + · · · + A r i Compute S 2 = Σ 512 5 i ) and check whether h − S 2 is in the list L Mario Lamberger ISC 2009 Analysis of Blender-DCH 14

Institute for Applied Information Processing and Communications (IAIK) - Krypto Constructing the Preimage for h From this set of 2 512 messages w ∗ leading to the same chaining value A t and X , we now have to find a message w ′ that leads to the given preimage h To do this, we make use of a meet-in-the-middle attack: i = 1 ( A r i 5 i − 4 + A r i 5 i − 3 + · · · + A r i Compute S 1 = Σ 256 5 i ) with r i ∈ { 0 , 1 } and store all 2 256 candidates in a list L i = 257 ( A r i 5 i − 4 + A r i 5 i − 3 + · · · + A r i Compute S 2 = Σ 512 5 i ) and check whether h − S 2 is in the list L After testing all 2 256 values for S 2 we expect to find a match and hence a preimage for Blender-512 Mario Lamberger ISC 2009 Analysis of Blender-DCH 14

Institute for Applied Information Processing and Communications (IAIK) - Krypto Summary We have shown a preimage attack on Blender- n with a complexity of about n · 2 n / 2 compression function evaluations and negligible memory The attack is based on structural weaknesses in the design of the hash function Blender- n and is independent of the design of the underlying compression function Related work: C. Newbold: Preimage attack, complexity n · 2 ( n + | w | ) / 2 V. Klima: Preimage and collision attack, complexity 10 · 2 n / 4 Mario Lamberger ISC 2009 Analysis of Blender-DCH 15

Institute for Applied Information Processing and Communications (IAIK) - Krypto Outline Motivation 1 Security Analysis of Blender- n 2 3 Security Analysis of DCH- n Conclusion 4 Mario Lamberger ISC 2009 Analysis of Blender-DCH 16

Institute for Applied Information Processing and Communications (IAIK) - Krypto The DCH- n Hash Function SHA-3 candidate by D. Wilson DCH- n is an iterated hash function Processes message blocks of 504 bits Each message block is preceded by an 8-bit dithering block Produces a hash value of 224 , 256 , 384 or 512 bits In each iteration the chaining value is updated as follows: H i + 1 = f ( H i , M i ) = H i ⊕ M i ⊕ g ( M i ) Mario Lamberger ISC 2009 Analysis of Blender-DCH 17