Linearization and Message Modification Techniques for Hash Function Cryptanalysis

Size: px

Start display at page:

Download "Linearization and Message Modification Techniques for Hash Function Cryptanalysis"

George Gibbs
5 years ago
Views:

1 Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification Techniques 1 / 25

2 Overview Introduction Linearization and Message Modifications Application to ARIRANG Conclusions Jian Guo Linearization and Message Modification Techniques 2 / 25

3 Hash Functions - Definitions and Properties Definition A hash function h is a function to take a bit string of arbitrary length as input and produces a fixed-size output of n bits. Jian Guo Linearization and Message Modification Techniques 3 / 25

4 Hash Functions - Definitions and Properties Definition A hash function h is a function to take a bit string of arbitrary length as input and produces a fixed-size output of n bits. Properties Collision Resistance: it is computationally difficult to find x and x, such that h(x) = h(x ) with expected complexity 2 n/2. Jian Guo Linearization and Message Modification Techniques 3 / 25

5 Hash Functions - Definitions and Properties Definition A hash function h is a function to take a bit string of arbitrary length as input and produces a fixed-size output of n bits. Properties Collision Resistance: it is computationally difficult to find x and x, such that h(x) = h(x ) with expected complexity 2 n/2. Preimage Resistance: given a digest t, it is computationally difficult to find x, such that h(x) = t with expected complexity 2 n. Jian Guo Linearization and Message Modification Techniques 3 / 25

6 Hash Functions - Definitions and Properties Definition A hash function h is a function to take a bit string of arbitrary length as input and produces a fixed-size output of n bits. Properties Collision Resistance: it is computationally difficult to find x and x, such that h(x) = h(x ) with expected complexity 2 n/2. Preimage Resistance: given a digest t, it is computationally difficult to find x, such that h(x) = t with expected complexity 2 n. Second Preimage Resistance: given a message x, it is computationally difficult to find x x, such that h(x) = h(x ) with expected complexity 2 n k. Jian Guo Linearization and Message Modification Techniques 3 / 25

Merkle-Damgård Strengthening by Merkle and Damgård in 1989, with proof for collision resistance reduction, i.e., if the compression function f is collision resistant, then the hash function.

7 Merkle-Damgård Strengthening by Merkle and Damgård in 1989, with proof for collision resistance reduction, i.e., if the compression function f is collision resistant, then the hash function. Jian Guo Linearization and Message Modification Techniques 4 / 25

8 Davies-Meyer Construction and Collisions Davies-Meyer Construction To construct a compression function f from block cipher E: f(cv, m) = E m (CV) CV Jian Guo Linearization and Message Modification Techniques 5 / 25

9 Davies-Meyer Construction and Collisions Davies-Meyer Construction To construct a compression function f from block cipher E: f(cv, m) = E m (CV) CV Compression Function Collisions free-start collision: f(cv, m) = f(cv, m ). semi-free-start collision: f(cv, m) = f(cv, m ). Jian Guo Linearization and Message Modification Techniques 5 / 25

10 Davies-Meyer Construction and Collisions Davies-Meyer Construction To construct a compression function f from block cipher E: f(cv, m) = E m (CV) CV Compression Function Collisions free-start collision: f(cv, m) = f(cv, m ). semi-free-start collision: f(cv, m) = f(cv, m ). Note: collisions of compression function do not necessarily, and in most of the cases do not, lead to collisions of hash directly. However, it breaks the assumption of the collision proof, hence weakens the confidence on the hash securities. Jian Guo Linearization and Message Modification Techniques 5 / 25

11 Linearization Jian Guo Linearization and Message Modification Techniques 6 / 25

12 XOR Differences In many designs, Addition-Rotation-Xor (ARX) are involved. XOR Differences Let = x x, and denote g( ) as g(x) g(x ), then: when g(x) = x C (C is a constant), then g( ) = g(x) g(x ) = (x C) (x C) = x x =. Jian Guo Linearization and Message Modification Techniques / 25

13 XOR Differences In many designs, Addition-Rotation-Xor (ARX) are involved. XOR Differences Let = x x, and denote g( ) as g(x) g(x ), then: when g(x) = x C (C is a constant), then g( ) = g(x) g(x ) = (x C) (x C) = x x =. when g(x) = x r (r is a rotation constant), then g( ) = (x r) (x r) = (x x ) r = r. Jian Guo Linearization and Message Modification Techniques / 25

14 XOR Differences In many designs, Addition-Rotation-Xor (ARX) are involved. XOR Differences Let = x x, and denote g( ) as g(x) g(x ), then: when g(x) = x C (C is a constant), then g( ) = g(x) g(x ) = (x C) (x C) = x x =. when g(x) = x r (r is a rotation constant), then g( ) = (x r) (x r) = (x x ) r = r. However, when g(x) = x + C (C is a constant), g( ) = (x + C) (x + C), which is not for some cases. Jian Guo Linearization and Message Modification Techniques / 25

15 XOR Differences and Addition Modulo 2 8 Consider g(x) = x + C with the simplest case, i.e., x = 0, x = 1, hence = 1 C g(x) g(x ) g( ) Prob Jian Guo Linearization and Message Modification Techniques 8 / 25

16 XOR Differences and Addition Modulo 2 8 Consider g(x) = x + C with the simplest case, i.e., x = 0, x = 1, hence = 1 C g(x) g(x ) g( ) Prob Linearization Approximate the behaviour of addition, w.r.t. XOR differences, as XOR with probability 2. Jian Guo Linearization and Message Modification Techniques 8 / 25

17 Special Notes MSB is free Difference in most significant bit (MSB) preserves with probability 1, i.e., with x = 0, x = 2 k 1, g(x) = (x + C) mod 2 k, g( ) = for any C. Jian Guo Linearization and Message Modification Techniques 9 / 25

18 Special Notes MSB is free Difference in most significant bit (MSB) preserves with probability 1, i.e., with x = 0, x = 2 k 1, g(x) = (x + C) mod 2 k, g( ) = for any C. Linearization probability is 2, where is the difference excluding MSB. Jian Guo Linearization and Message Modification Techniques 9 / 25

19 Special Notes MSB is free Difference in most significant bit (MSB) preserves with probability 1, i.e., with x = 0, x = 2 k 1, g(x) = (x + C) mod 2 k, g( ) = for any C. Linearization probability is 2, where is the difference excluding MSB. Rotation Invariant Differences is called rotation invariant w.r.t r, if r =. E.g., is rotation invariant w.r.t. r = 4 with k = 8. Jian Guo Linearization and Message Modification Techniques 9 / 25

20 Special Notes MSB is free Difference in most significant bit (MSB) preserves with probability 1, i.e., with x = 0, x = 2 k 1, g(x) = (x + C) mod 2 k, g( ) = for any C. Linearization probability is 2, where is the difference excluding MSB. Rotation Invariant Differences is called rotation invariant w.r.t r, if r =. E.g., is rotation invariant w.r.t. r = 4 with k = 8. ALL-ONE difference ( ) is rotation invariant w.r.t. any r, k. Jian Guo Linearization and Message Modification Techniques 9 / 25

21 ARIRANG Jian Guo Linearization and Message Modification Techniques 10 / 25

22 SHA-3 candidate ARIRANG One of the first round SHA-3 candidates Designed by a team from Center for Information Security Technologies (CIST), Korea University: Donghoon Chang, Seokhie Hong, Changheon Kang, Jinkeon Kang, Jongsung Kim, Changhoon Lee, Jesang Lee, Jongtae Lee, Sangjin Lee, Yuseop Lee, Jongin Lim, Jaechul Sung Design mixing parts from AES-based (S-box, MixColumn) and ARX designs (word addition, rotations, xor) Follows Merkle-Damgård strengthening Jian Guo Linearization and Message Modification Techniques 11 / 25

23 Hash function M pad(m) 10 0 len M 1 M 2 M N 1 M N H 0 h(m) Ctr 1 Ctr 2 Ctr N 1 Ctr N Jian Guo Linearization and Message Modification Techniques 12 / 25

24 Compression function H M step 1 step 2 W σ(0), W σ(1) W σ(2), W σ(3) message expansion step 20 W σ(38), W σ(39) step 21 step 22 W σ(40), W σ(41) W σ(42), W σ(43) step 40 W σ(8), W σ(9) Jian Guo Linearization and Message Modification Techniques / 25

25 Message expansion 1 Generate 16 more words as linear combinations of M 0,...,M 15 2 Pick (with repetitions) 80 words out of the 32 words obtained in the previous step M 0,..., M 15 W 16 (M 9 M 11 M M 15 K 0 ) r 0 W 1 (M 8 M 10 M 12 M 14 K 1 ) r 1 W 18 (M 1 M 3 M 5 M K 2 ) r 2 W 19 (M 0 M 2 M 4 M 6 K 3 ) r 3 W 20 (M 14 M 4 M 10 M 0 K 4 ) r 0 W 21 (M 11 M 1 M M K 5 ) r 1 W 22 (M 6 M 12 M 2 M 8 K 6 ) r 2 W (M 3 M 9 M 15 M 5 K ) r 3 W 24 (M M 15 M 1 M 3 K 8 ) r 0 W 25 (M 4 M 6 M 8 M 10 K 9 ) r 1 W 26 (M 5 M M 9 M 11 K 10 ) r 2 W 2 (M 12 M 14 M 0 M 2 K 11 ) r 3 W 28 (M 10 M 0 M 6 M 12 K 12 ) r 0 W (M 15 M 5 M 11 M 1 K ) r 1 W 30 (M 2 M 8 M 14 M 4 K 14 ) r 2 W 31 (M M M 3 M 9 K 15 ) r 3 σ(i) σ(i) 16, 1 24, 25 0, 1 12, 5 2, 3 14, 4, 5 0, 9 6, 2, 11 18, 19 26, 2 8, 9 4, 10, 11 6, 15 12, 8, 1 14, 15 10, 3 20,21 28, 3, 6, 2 9,12, 8 15, 2 3, 14 5, 8 9, 4 22, 30, 31 11,14 15, 10 1, 4 5, 0,10 11, 6, 0 1, 12 Jian Guo Linearization and Message Modification Techniques 14 / 25

26 Step transformation transforms 8 32-bit words of the state and 8 words of the expanded message to new state uses 32-bit rotations, XORs and a bit function G 256 only non-linear (over F 2 ) part is G 256 A t B t C t D t E t F t G t H t W σ(2t) G 256 G 256 W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 15 / 25

27 Function G 256 S S S S MDS composite megabox : 4 bytewise AES S-boxes Followed by MDS 4 4 transformation (AES MixColumn) ARIRANG-512 uses a similar function G 512 defined on bit words and using MDS 8 8. Jian Guo Linearization and Message Modification Techniques 16 / 25

28 Basic observations MDS 4 4 has fixed points of the form (a, a, a, a) MDS 4 4 = z z z z z z + 1 z z S-box differential 0xff 0xff is possible with prob. 2. Differential 0xffffffff 0xffffffff for G 256 has probability bit variant: no fixed points for MDS, but still can get all-ones to all-ones differences Jian Guo Linearization and Message Modification Techniques 1 / 25

29 All-one differences If we consider only all-one differences: A t B t C t D t E t F t G t H t W σ(2t) G 256 G 256 W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25

30 All-one differences If we consider only all-one differences: rotations in step function do not play any role A t B t C t D t E t F t G t H t W σ(2t) G 256 G 256 W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25

31 All-one differences If we consider only all-one differences: rotations in step function do not play any role A t B t C t D t E t F t G t H t W σ(2t) G 256 G 256 W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25

32 All-one differences If we consider only all-one differences: rotations in step function do not play any role we can replace G 256 with identity (with prob ), i.e., 2 4 values. A t B t C t D t E t F t G t H t W σ(2t) G 256 G 256 W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25

33 All-one differences If we consider only all-one differences: rotations in step function do not play any role we can replace G 256 with identity (with prob ), i.e., 2 4 values. A t B t C t D t E t F t G t H t W σ(2t) W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25

34 All-one differences If we consider only all-one differences: rotations in step function do not play any role we can replace G 256 with identity (with prob ), i.e., 2 4 values. One register can be represented as a single bit (truncated differential) A t B t C t D t E t F t G t H t W σ(2t) W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25

35 All-one differences If we consider only all-one differences: rotations in step function do not play any role we can replace G 256 with identity (with prob ), i.e., 2 4 values. One register can be represented as a single bit (truncated differential) Linearized model has variables: we have 2 24 paths A t B t C t D t E t F t G t H t W σ(2t) W σ(2t+1) A t+1 B t+1 C t+1 D t+1 E t+1 F t+1 G t+1 H t+1 Jian Guo Linearization and Message Modification Techniques 18 / 25

36 Satisfying conditions To eliminate probabilistic behaviour, we want to set inputs of active G 256 to good values. We have full control over words W 0,..., W 15 Through linear combinations, we have some control over words W 16,...,W 31 For semi-free-start collisions and pseudo-collisions, we additionally have control over initial values IV 0,..., IV Jian Guo Linearization and Message Modification Techniques 19 / 25

37 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 0 11 W W, W 16 W 1 W 8, W W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 20 / 25

38 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 0 11 W W, W 16 W 1 W 8, W W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 20 / 25

39 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 0 11 W W, W 16 W 1 W 8, W W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 20 / 25

40 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 0 11 W W, W 16 W 1 W 8, W W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 20 / 25

41 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 0 11 W W, W 16 W 1 W 8, W W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 20 / 25

42 Satisfying conditions If we can use initial values, conditions in steps 1 4 are always possible Depending on the number of active G, usually we can correct around steps Might be possible to correct 20 steps in some cases Jian Guo Linearization and Message Modification Techniques 21 / 25

43 Pseudo-collision path: steps 1 5 A B 0 C 0 D 0 E 0 F 0 G 0 H W 0 9, W 11, 0 W W, W 16 W 1 W 8, W 10, 15 W 12, W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 0 W 1 A 2 B 2 C 2 D 2 E 2 F 2 G 2 H 2 W 2 W 3 A 3 B 3 C 3 D 3 E 3 F 3 G 3 H 3 W 4 W 5 A 4 B 4 C 4 D 4 E 4 F 4 G 4 H 4 W 6 W Jian Guo Linearization and Message Modification Techniques 22 / 25

44 Pseudo-collision path: steps 6 10 A B 5 C 5 D 5 E 5 F 5 G 5 H W 5 1, W 3, 5 W W 5, W 18 W 19 W 0, W 2, W 4, W 6 A 6 B 6 C 6 D 6 E 6 F 6 G 6 H 6 W 8 W 9 A B C D E F G H W 10 W 11 A 8 B 8 C 8 D 8 E 8 F 8 G 8 H 8 W 12 W A 9 B 9 C 9 D 9 E 9 F 9 G 9 H 9 W 14 W 15 Jian Guo Linearization and Message Modification Techniques 22 / 25

45 Pseudo-collision path: steps A B 10 C 10 D 10 E 10 F 10 G 10 H W 10 14, W 4, 10 W W 10, W 20 W 21 W 11, W 1, 0 W, W A 11 B 11 C 11 D 11 E 11 F 11 G 11 H 11 W 3 W 6 A 12 B 12 C 12 D 12 E 12 F 12 G 12 H 12 W 9 W 12 A B C D E F G H W 15 W 2 A 14 B 14 C 14 D 14 E 14 F 14 G 14 H 14 W 5 W 8 Jian Guo Linearization and Message Modification Techniques 22 / 25

46 Pseudo-collision path: steps A B 15 C 15 D 15 E 15 F 15 G 15 H W 15 6, W 12, 15 W W 2, W 22 W W 3, W 9, 8 W 15, W 5 A 16 B 16 C 16 D 16 E 16 F 16 G 16 H 16 W 11 W 14 A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 W 1 W 4 A 18 B 18 C 18 D 18 E 18 F 18 G 18 H 18 W W 10 A 19 B 19 C 19 D 19 E 19 F 19 G 19 H 19 W W 0 H 1 H 2 H 3 H 4 H 5 H 6 H Jian Guo Linearization and Message Modification Techniques 22 / 25

47 Pseudo-collisions for ARIRANG-224/384 IV M step 1 step 2 step 20 step 21 step 22 step 40 message expansion single message block can use 14 message words, last two for padding message corrections: 12 active G 256 in steps 2 18, complexity 2 register H discarded for ARIRANG-224/384 pseudo-collision for the complete hash function Jian Guo Linearization and Message Modification Techniques / 25

48 Summary of results Compression function Result Complexity Example 32-bit near-collision for full ARIRANG-256 compress 1 Y 64-bit near-collision for full ARIRANG-512 compress 1 Y 26-step (out of 40) collision for ARIRANG-256/512 1 Y Hash function Result Complexity Example pseudo-collision for full ARIRANG-224/384 hash 2 / 1 Y Jian Guo Linearization and Message Modification Techniques 24 / 25

49 Conclusions A brief introduction on linearization and message modification techniques have been introduced, with example of applications to ARIRANG. Jian Guo Linearization and Message Modification Techniques 25 / 25

50 Conclusions A brief introduction on linearization and message modification techniques have been introduced, with example of applications to ARIRANG. Thanks for your attention! Jian Guo Linearization and Message Modification Techniques 25 / 25

Preimage Attack on ARIRANG

Preimage Attack on ARIRANG Deukjo Hong, Woo-Hwan Kim, Bonwook Koo The Attached Institute of ETRI, P.O.Box 1, Yuseong, Daejeon, 305-600, Korea {hongdj,whkim5,bwkoo}@ensec.re.kr Abstract. The hash function