
Time-Memory Tradeoffs for Short Hash Collisions



  1. Time-Memory Tradeoffs for Short Hash Collisions
     Akshima, University of Chicago
     Joint work with David Cash, Andrew Drucker, Hoeteck Wee

  2. This Talk
     • Inspects time-space tradeoffs for finding short collisions in Merkle-Damgård hash functions.
     • Shows gaps in complexity of finding 1, 2 and $B$-block collisions.

  3. Talk Outline
     • Basic definitions
     • Our work and comparison with prior work
     • Why prior techniques cannot extend to short collisions
     • Our technique for
       ◦ Bound on 2-block collisions
       ◦ Bound on zero-walk adversaries
     • Conclusion

  4. Cryptographic Hash Functions
     Hash function $H : \{0,1\}^* \to \{0,1\}^{512}$
     Input domain (large); output domain (fixed, e.g. $2^{512}$)
     • Widely deployed practical hashes (SHA512, SHA3)
     • Many security properties required

  5. Collisions in Hash Functions
     [Figure: inputs $x$ and $x'$ in the input domain (large) map to the same $y$ in the output domain (fixed, e.g. $2^{512}$), so $H(x) = H(x')$]
     • Collisions damaging in practice (e.g. in authentication)
     • Finding collisions should be very hard (e.g. $2^{256}$ time)

  6. Modeling Hashes: The ROM [Bellare-Rogaway,96]
     • Can't actually prove collisions are hard to find (P vs NP)
     • Instead, pretend $H$ is a random function and give proofs
     • Called the "random oracle model" (ROM)
     • Adversary is computationally unbounded and deterministic.
     [Figure: adversary makes queries $q_1, q_2, \ldots, q_T$ to $H$; $T$: # queries]

  7. Finding Collisions in the ROM
     • Can prove unconditionally that a random function is collision resistant
     • $T$ queries: $T^2/N$ probability of success
     $H : \{0,1\}^* \to [N]$, where $[N] = \{1, 2, \ldots, N\}$; input domain $= \{0,1\}^*$, output domain $= [N]$
     [Figure: adversary makes queries $q_1, q_2, \ldots, q_T$ to $H$ and outputs $(x, x')$]
     $\Pr[x \neq x' \text{ and } H(x) = H(x')] \le T^2/N$

  8. Pre-Computation in the ROM [Unruh,07]
     • Unbounded pre-computation produces $S$ bits of advice
     • Bounded number $T$ of queries in online phase
     [Figure: pre-computation with access to $H$ outputs advice $\sigma \in \{0,1\}^S$; online phase makes queries $q_1, q_2, \ldots, q_T$ to $H$]
     • Trivial attack: Just precompute a collision.

  9. Salting to Confound Pre-Computation [Dodis-Guo-Katz,17]
     • Require adversary to find collision with a random prefix, called a salt
     • Adversary learns salt only in online phase
     • Defeats trivial attack
     $H : [N] \times \{0,1\}^* \to [N]$, $\mathit{salt} \leftarrow_\$ [N]$
     [Figure: pre-computation with access to $H$ outputs advice $\sigma \in \{0,1\}^S$; online phase receives the salt, makes queries $q_1, q_2, \ldots, q_T$ to $H$ and outputs $(x, x')$]
     $\Pr[x \neq x' \text{ and } H(\mathit{salt}, x) = H(\mathit{salt}, x')] = \tilde{\Theta}((S + T^2)/N)$
     • Showed optimal attack is to write down $S$ collisions and hope there is a collision for the input salt, or perform birthday.

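  10. Merkle-Damgård Hash Functions
      Compression function $h$: takes $a \in [N]$ and $x \in [M]$, outputs $h(a, x) \in [N]$
      Input $x = x_1 \| \ldots \| x_B$, $x_i \in [M]$; salt $a \in [N]$
      [Figure: chain of $h$ applications over $x_1, x_2, \ldots, x_B$ starting from the salt $a$, with output $\mathrm{MD}_h(a, x)$]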

  11. Salting Merkle-Damgård [Coretti-Dodis-Guo-Steinberger,18]
      • $h$ is modeled as RO
      • Adversary must find salted collision in $H = \mathrm{MD}_h$
      [Figure: pre-computation with access to $h$ outputs advice $\sigma \in \{0,1\}^S$; online phase receives $a \in [N]$, makes queries $q_1, q_2, \ldots, q_T$ to $h$ and outputs $(x, x')$]
      $\Pr[x \neq x' \text{ and } \mathrm{MD}_h(a, x) = \mathrm{MD}_h(a, x')] = \tilde{\Theta}(ST^2/N)$
      • Non-trivial time-space tradeoffs improve over birthday using advice ($T = S = N^{1/3}$)

  12. Talk Outline
      • Basic definitions
      • Our work and comparison with prior work
      • Why prior techniques cannot extend to short collisions
      • Our technique for
        ◦ Bound on 2-block collisions
        ◦ Bound on zero-walk adversaries
      • Conclusion

  13. Our Work
      Initiate study of short collision-finding in Merkle-Damgård hashes with pre-computation
      • Same model as before, but adversary is required to find colliding messages with $B$ or fewer blocks.

  14. Our Work
      Initiate study of short collision-finding in Merkle-Damgård hashes with pre-computation
      • Same model as before, but adversary is required to find colliding messages with $B$ or fewer blocks.
      Result 1: Qualitative time-space hardness jumps from $B = 1$, $B = 2$, and unbounded lengths $B$.
      • Via new concentration+compression-based techniques

  15. Our Work
      Initiate study of short collision-finding in Merkle-Damgård hashes with pre-computation
      • Same model as before, but adversary is required to find colliding messages with $B$ or fewer blocks.
      Result 1: Qualitative time-space hardness jumps from $B = 1$, $B = 2$, and unbounded lengths $B$.
      • Via new concentration+compression-based techniques
      • Open: Fine-grained bounds for $B = 3, 4, \ldots$

  16. Our Work
      Initiate study of short collision-finding in Merkle-Damgård hashes with pre-computation
      • Same model as before, but adversary is required to find colliding messages with $B$ or fewer blocks.
      Result 1: Qualitative time-space hardness jumps from $B = 1$, $B = 2$, and unbounded lengths $B$.
      • Via new concentration+compression-based techniques
      • Open: Fine-grained bounds for $B = 3, 4, \ldots$
      Result 2: Impossibility for restricted class of attacks on general $B$ (includes all known attacks).

  17. Our Concrete Results ($S$: advice size, $T$: queries)

      | Work | # Blocks in Collision | Advantage Bound |
      |---|---|---|
      | [DGK17] | 1 | $\tilde{\Theta}((S + T^2)/N)$ |
      | [CDGS18] | Unbounded | $\tilde{\Theta}(ST^2/N)$ |
      | Our Work | $B$ | $\tilde{\Omega}(STB/N)$ |
      | Our Work (only for restricted adversary) | $B$ | $\tilde{O}(STB/N)$ |
      | Our Work | 2 | $\tilde{\Theta}(ST/N)$ |

  18. Why Short Collisions?
      • Consider SHA2: $N = 2^{256}$, $M = 2^{512}$
      • When $S = 2^{70}$, $B = T = 2^{93}$
      • Collisions have to be over $2^{93}$ blocks long

  19. Why Short Collisions?
      • Consider SHA2: $N = 2^{256}$, $M = 2^{512}$
      • When $S = 2^{70}$, $B = T = 2^{93}$
      • Collisions have to be over $2^{93}$ blocks long
      • Say we want $B = 2^{20}$, then the best known attack needs $T = 2^{166}$

  20. Talk Outline
      • Basic definitions
      • Our work and comparison with prior work
      • Why prior techniques cannot extend to short collisions
      • Our technique for
        ◦ Bound on 2-block collisions
        ◦ Bound on zero-walk adversaries
      • Conclusion

  21. Pre-Sampling Model [Unruh,07]
      • Adversary hard-codes some points before oracle chosen
      • Online phase gets oracle, no advice
      [Figure: Phase 1 fixes points $(a_1, a'_1), \ldots, (a_i, a'_i), \ldots, (a_P, a'_P)$ in the table $h(1), \ldots, h(j), \ldots, h(N)$; Phase 2 makes queries $q_1, q_2, \ldots, q_T$ to $h$]

  22. Pre-Computation to Pre-Sampling [Unruh,07]
      [Figure: tables $h(1), \ldots, h(j), \ldots, h(N)$ for an adversary with pre-computation (advice $\sigma \in \{0,1\}^S$) and an adversary with pre-sampling (marked entries indicate pre-fixed points), each making queries $q_1, q_2, \ldots, q_T$]
      Pre-computing adversary with $S$-bit advice, making $T$ queries -> Pre-sampling adversary pre-fixing $ST$ points, making $T$ queries
      Proving impossibility of pre-sampling adversary is sufficient.

  23. Pre-Sampling Bound, then Pre-Computation Bound [Unruh,07]
      • Analyzing MD-based hash in the pre-sampling model with $ST$ fixed points and $T$ queries to find unbounded collisions.
      [Figure: $T$ queries and $ST$ pre-fixed points]
      This proves a bound of $O(ST^2/N)$ on finding unbounded collisions in MD hashes with pre-computation.

  24. Pre-Sampling is Length Insensitive
      We give a 2-block collision finding attack with pre-sampling that has $\Omega(ST^2/N)$ advantage.
      [Figure: pre-sampling phase (points $a_1, \ldots, a_i, \ldots, a_{ST/2}$ with $i \in [ST/2]$, blocks $x$, $x'$, value $z$) and online phase ($T$ queries to $h$)]
      Thus, short collisions are as easy as long collisions for pre-sampling

  25. Pre-Sampling is Length Insensitive
      We give a 2-block collision finding attack with pre-sampling that has $\Omega(ST^2/N)$ advantage.
      [Figure: pre-sampling phase (points $a_1, \ldots, a_i, \ldots, a_{ST/2}$ with $i \in [ST/2]$, blocks $x$, $x'$, value $z$) and online phase ($T$ queries to $h$)]
      Thus, short collisions are as easy as long collisions for pre-sampling
      We prove short collisions are harder than long collisions for pre-computation.

  26. Compression Technique [Dodis-Guo-Katz,17]
      [Figure: $h$ → Compressor → $\mathit{out}$]
      • Shannon bound: $\mathbb{E}[|\mathit{out}|] \ge \mathrm{entropy}(h)$

  27. Compression Technique [Dodis-Guo-Katz,17]
      [Figure: $h$ → Compressor → $\mathit{out}$]
      • Shannon bound: $\mathbb{E}[|\mathit{out}|] \ge \mathrm{entropy}(h)$
      • Say adversary $\mathcal{A}$ wins on some salt $a$, making queries $(q_1, \ldots, q_T)$ and getting responses $(r_1, \ldots, r_T)$. Then $\exists\, i, j$ such that $r_i = r_j$.
      [Figure: Compressor maps the responses $r_1, \ldots, r_i, \ldots, r_j, \ldots, r_T$ to $a, (i, j)$ and $r_1, \ldots, r_i, \ldots, r_{j+1}, \ldots, r_T$]
      Say $\mathcal{A}$ wins on $\varepsilon$ fraction of salts. Then compressor repeats this on every winning salt.
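
The salted collision game of slides 9 and 10 at toy scale, as an added example that is not from the talk: it builds $\mathrm{MD}_h$ from a compression function and measures how often the "write down collisions, otherwise birthday" strategy wins on a random salt. Assumptions: $N = 2^{12}$, $M = 2^{16}$, truncated SHA-256 stands in for the random oracle $h$, advice is counted in stored collisions rather than bits, and all function names are illustrative.

```python
import hashlib, random

N = 1 << 12   # toy salt/output space [N] (assumption; slide 18 uses N = 2^256)
M = 1 << 16   # toy block space [M] (assumption)

def h(a: int, x: int) -> int:
    """Toy compression function h: [N] x [M] -> [N], standing in for the random oracle."""
    d = hashlib.sha256(a.to_bytes(4, "big") + x.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big") % N

def md(a: int, blocks) -> int:
    """MD_h(a, x_1 || ... || x_B): chain h from the salt a over the blocks."""
    for x in blocks:
        a = h(a, x)
    return a

def birthday(a: int, T: int, rng):
    """Online phase: T queries h(a, x) on distinct random blocks; 1-block collision or None."""
    seen = {}
    for x in rng.sample(range(M), T):
        y = h(a, x)
        if y in seen:
            return seen[y], x
        seen[y] = x
    return None

def precompute(S: int):
    """Offline phase: store one 1-block collision for each of the salts 0..S-1 (the advice)."""
    advice = {}
    for a in range(S):
        seen = {}
        for x in range(M):          # M > N, so a collision always exists
            y = h(a, x)
            if y in seen:
                advice[a] = (seen[y], x)
                break
            seen[y] = x
    return advice

def advantage(S: int, T: int, trials: int = 2000, seed: int = 1) -> float:
    """Fraction of random salts on which advice lookup or a T-query birthday search wins."""
    rng, advice, wins = random.Random(seed), precompute(S), 0
    for _ in range(trials):
        a = rng.randrange(N)        # salt is revealed only in the online phase
        pair = advice.get(a) or birthday(a, T, rng)
        if pair and pair[0] != pair[1] and md(a, [pair[0]]) == md(a, [pair[1]]):
            wins += 1
    return wins / trials
```

Comparing `advantage(0, 16)` with `advantage(1024, 16)` separates the birthday term $T^2/N$ from the advice term $S/N$ of the [DGK17] bound.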
