
Time-memory Trade-offs for Near-collisions



  1. Time-memory Trade-offs for Near-collisions
     Gaëtan Leurent, UCL Crypto Group, Microelectronics Laboratory
     FSE 2013
     Sections: Introduction; Memoryless; Time-memory trade-offs; Combining trunc & codes; Conclusion

  2. An Ideal Hash Function: the Random Oracle
     ▶ Public Random Oracle
     ▶ The output can be used as a fingerprint of the document

  3. An Ideal Hash Function: the Random Oracle
     0x1d66ca77ab361c6f
     ▶ Public Random Oracle
     ▶ The output can be used as a fingerprint of the document

  4. Concrete security goals
     ▶ Preimage attack: Given $F$ and $H$, find $M$ s.t. $F(M) = H$. Ideal security: $2^{n}$.
     ▶ Second-preimage attack: Given $F$ and $M_1$, find $M_2 \neq M_1$ s.t. $F(M_1) = F(M_2)$. Ideal security: $2^{n}$.
     ▶ Collision attack: Given $F$, find $M_1 \neq M_2$ s.t. $F(M_1) = F(M_2)$. Ideal security: $2^{n/2}$.

  5. Extra goals
     Hash functions are used in many different contexts, with various assumptions:
     ▶ MAC security
     ▶ Multicollision resistance
     ▶ Herding resistance
     ▶ Partial-collisions
     ▶ Random looking output
     ▶ Near-collisions
     ▶ …

  6. Topic of this talk: Near-collisions
     Near-collision attack: Given $F$, $w$, find $M_1 \neq M_2$ s.t. $\|F(M_1) \oplus F(M_2)\| \leq w$.
     ▶ Relaxation of a collision attack
     ▶ Similar techniques to collision attacks
     ▶ Security margin
     ▶ Turning near-collisions into collisions
     ▶ Many attack papers
     What is the complexity of generic near-collision attacks?

  7. State of the art
     ▶ Lower bound: $2^{n/2}/\sqrt{B_w(n)}$
     ▶ Memory-full algorithm: $2^{n/2}/\sqrt{B_w(n)}$
     ▶ Time-memory trade-off?
        ▶ Truncate more, TMT for many collisions: $2^{n/2}/\sqrt{B_w(\upsilon)}$, $2^{\upsilon}/B_w(\upsilon) \approx M$
     ▶ Memoryless algorithms
        ▶ Truncation based: $2^{(n+\upsilon)/2}/B_w(\upsilon)$, $\upsilon \sim (2+\sqrt{2})(w-1)$
        ▶ Covering codes based: $2^{n/2}/\sqrt{B_{w/2}(n)}$
     ▶ Combine both?
        ▶ Truncate and find truncated near-collisions with covering code

  8. Lower bound
     ▶ After $i$ hash evaluations, about $i^2$ pairs.
     ▶ Each pair is a $w$-near-collision with probability $B_w(n)/2^{n}$
     ▶ Lower bound: $i^2 \approx 2^{n}/B_w(n)$, i.e. $i \approx 2^{n/2}/\sqrt{B_w(n)}$
     ▶ Easier than collisions by a factor $\sqrt{B_w(n)}$
     Definition (size of a Hamming ball): $B_w(n) = \#\{x \in \{0,1\}^{n} : \|x\| \leq w\}$

  9. Near-collision algorithm: Naive algorithm

         for 0 ≤ a < i do
             L[a] ← h(a)                    ▷ i computations
         end for
         for 0 ≤ a < b < i do               ▷ i² comparisons
             if ‖L[a] ⊕ L[b]‖ ≤ w then
                 return (a, b)
             end if
         end for

     ▶ $i$ hash computations
     ▶ $i^2$ comparisons, memory accesses
     ▶ $i$ memory
     Can we avoid this?


  12. Memoryless collision finding
     Memoryless algorithms are known for full collisions: Pollard’s rho
     ▶ Iterate $h$: $x_i = f(x_{i-1})$
     ▶ Collision after $\approx 2^{n/2}$ iterations
     ▶ Iteration cycles
     ▶ Memoryless cycle detection
        ▶ Floyd (tortoise and hare)
        ▶ Brent
        ▶ Nivasch
        ▶ Distinguished points
        ▶ …
     [Figure: rho-shaped chain through $x_0, x_1, \ldots, x_7$]

  13. Memoryless near-collisions algorithms
     ▶ Memoryless collision algorithms based on iterating chains
     ▶ Collisions can be detected later in the chain
     [Figure: chains from $x_0$, $x_1$, labelled Start, Collision, Detection]
     ▶ This doesn’t work for near-collision
     ▶ New approaches needed
     [Figure: chains from $x_0$, $x_1$, labelled Start, Near-collision, ‽‽‽‽‽]

  14. Using truncation
     1. Truncate $w$ bits
     2. Find $n - w$ bit collision (memoryless)
     3. Gives $w$-near-collision for the full output
     [Figure: output bits $0$ to $n$, split at $n - w$: no difference | $\leq w$ diff.]
     ▶ Complexity: $2^{(n-w)/2}$

  15. Using truncation
     1. Truncate $2w + 1$ bits
     2. Find $n - 2w - 1$ bit collisions (memoryless)
     3. Gives $w$-near-collision with probability ½
     [Figure: output bits $0$ to $n$, split at $n - 2w - 1$: no difference | $\leq 2w + 1$ diff.]
     ▶ Complexity: $2^{(n-2w-1)/2} \times 2$

  16. Using truncation
     1. Truncate $\upsilon$ bits
     2. Find $n - \upsilon$ bit collisions (memoryless)
     3. Gives $w$-near-collision with probability $B_w(\upsilon)/2^{\upsilon}$
     [Figure: output bits $0$ to $n$, split at $n - \upsilon$: no difference | $\leq \upsilon$ diff.]
     ▶ Complexity: $2^{(n+\upsilon)/2}/B_w(\upsilon)$
     ▶ Optimal $\upsilon \sim (2+\sqrt{2})(w-1)$ [Lamberger & Teufl, IPL 2013]
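
The truncation-based memoryless algorithm of slides 14 to 16, run with Floyd's cycle detection from slide 12, as an added example that is not code from the talk. The toy hash `h` (SHA-256 cut to 24 bits), the `flavor` prefix used to get independent chains, and the sizes `N`, `TRUNC`, `W` are assumptions chosen so it finishes instantly.

```python
import hashlib
from math import comb

N, TRUNC, W = 24, 8, 2   # toy sizes (assumed): n-bit hash, truncated bits, max weight w

def ball(w: int, n: int) -> int:
    """B_w(n): number of n-bit strings of Hamming weight <= w."""
    return sum(comb(n, k) for k in range(w + 1))

def h(flavor: int, x: int) -> int:
    """Toy N-bit hash (assumed stand-in for F): SHA-256 of (flavor, x), top N bits."""
    d = hashlib.sha256(flavor.to_bytes(4, "big") + x.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big") >> (32 - N)

def f(flavor: int, x: int) -> int:
    """Chain function on N - TRUNC bits: hash, then drop the low TRUNC bits."""
    return h(flavor, x) >> TRUNC

def floyd_collision(flavor: int, start: int = 0):
    """Find a != b with f(a) == f(b) in O(1) memory; None if start lies on the cycle."""
    slow, fast = f(flavor, start), f(flavor, f(flavor, start))
    while slow != fast:                      # phase 1: meet inside the cycle
        slow, fast = f(flavor, slow), f(flavor, f(flavor, fast))
    a, b = start, slow
    if a == b:                               # no tail, so no collision on this chain
        return None
    while f(flavor, a) != f(flavor, b):      # phase 2: walk to the cycle entry
        a, b = f(flavor, a), f(flavor, b)
    return a, b

def near_collision(max_flavors: int = 500):
    """Repeat truncated collisions until the TRUNC free bits differ in <= W places."""
    for flavor in range(max_flavors):        # each flavor gives an independent chain
        pair = floyd_collision(flavor)
        if pair is None:
            continue
        a, b = pair
        diff = h(flavor, a) ^ h(flavor, b)   # zero on the kept N - TRUNC bits
        if bin(diff).count("1") <= W:
            return flavor, a, b, diff
    return None

if __name__ == "__main__":
    print("success probability per collision:", ball(W, TRUNC) / 2**TRUNC)
    print("(flavor, m1, m2, diff):", near_collision())
```

Each truncated collision costs about 2^((N-TRUNC)/2) hash calls and succeeds with probability B_w(TRUNC)/2^TRUNC, which is where the complexity on slide 16 comes from.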
