Time-memory Trade-offs for Near-collisions

Size: px

Start display at page:

Download "Time-memory Trade-offs for Near-collisions"

Amice Smith
5 years ago
Views:

1 Time-memory Trade-offs for Near-collisions Gaëtan Leurent UCL Crypto Group FSE 2013 UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

2 An Ideal Hash Function: the Random Oracle Public Random Oracle The output can be used as a fingerprint of the document UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

3 An Ideal Hash Function: the Random Oracle 0x1d66ca77ab361c6f Public Random Oracle The output can be used as a fingerprint of the document UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

4 Concrete security goals Preimage attack Given F and H, find M st F(M) = H Ideal security: 2 n Second-preimage attack Given F and M 1, find M 2 M 1 st F(M 1 ) = F(M 2 ) Ideal security: 2 n Collision attack Given F, find M 1 M 2 st F(M 1 ) = F(M 2 ) Ideal security: 2 n/2 UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

5 Extra goals Hash functions are used in many different contexts, with various assumptions: MAC security Multi collision resistance Herding resistance Partial collisions Random looking output Near collisions UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

6 Near-collisions Near-collision attack Given F, w, find M 1 M 2 st F(M 1 ) F(M 2 ) w Relaxation of a collision attack Similar techniques than collision Security margin Turning near collisions into collisions Many attack papers Topic of this talk What is the complexity of generic near collision attacks? UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

7 Truncate more, TMT for many collisions 2 τ /B w (τ) M 2 n/2 / B w (τ) State of the art Lower bound 2 n/2 / B w (n) Memory full algorithm 2 n/2 / B w (n) Time memory trade off? Memory less algorithms Truncation based τ (2 + 2)(w 1) 2 (n+τ)/2 /B w (τ) Covering codes based 2 n/2 / B w/2 (n) Combine both? Truncate and find truncated near collisions with covering code UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

8 Lower bound After i hash evaluations, about i 2 pairs Each pair is a w near collision with probability Bw (n)/2 n Lower bound: i 2 2 n /B w (n), ie i 2 n/2 / B w (n) Easier than collisions by a factor B w (n) Definition (size of a Hamming ball) B w (n) = # {x {0, 1} n x w} UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

9 Naive algorithm Near-collision algorithm for 0 a < i do L[a] h(a) end for for 0 a < b < i do if L[a] L[b] w then return (a, b) end if end for i computations i 2 comparisons i hash computations i 2 comparisons, memory accesses i memory Can we avoid this? UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

10 Naive algorithm Near-collision algorithm for 0 a < i do L[a] h(a) end for for 0 a < b < i do if L[a] L[b] w then return (a, b) end if end for i computations i 2 comparisons i hash computations i 2 comparisons, memory accesses i memory Can we avoid this? UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

11 Naive algorithm Near-collision algorithm for 0 a < i do L[a] h(a) end for for 0 a < b < i do if L[a] L[b] w then return (a, b) end if end for i computations i 2 comparisons i hash computations i 2 comparisons, memory accesses i memory Can we avoid this? UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

12 collision finding algorithms are known for full collisions: Pollard s rho x 3 x 4 Iterate h: xi = f(x i 1 ) x 2 x 7 x 5 Collision after 2 n/2 iterations Iteration cycles ẋ 0 x 1 x 6 cycle detection Floyd (tortoise and hare) Brent Nivasch Distinguished points UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

13 near-collisions algorithms collision algorithms based on iterating chains Collisions can be detected later in the chain x 1 x 1 x 0 Start Collision Detection x 0 Start Near-collision This doesn t work for near collision New approaches needed UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

14 Using truncation 1 Truncate w bits 2 Find n w bit collision (memoryless) 3 Gives w near collision for the full output 0 n w n no difference w diff Complexity: 2 (n w)/2 UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

15 Using truncation 1 Truncate 2w + 1 bits 2 Find n 2w 1 bit collisions (memoryless) 3 Gives w near collision with probability ½ 0 n 2w 1 n no difference 2w + 1 diff Complexity: 2 (n 2w 1)/2 2 UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

16 Using truncation 1 Truncate τ bits 2 Find n τ bit collisions (memoryless) 3 Gives w near collision with probability B w (τ)/2 τ 0 n τ n no difference τ diff Complexity: 2 (n+τ)/2 /B w (τ) Optimal τ (2 + 2)(w 1) [Lamberger Teufl, IPL 2013] UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

17 Generalization 1 Build a function f so that f(x) = f(y) x y w 2 Find collisions in f h (memoryless) 3 Gives a w near collision f(h(x)) = f(h(y)) h(x) h(y) w Use a covering code [Lamberger Rijmen] Covering radius R, decoding function f: x f(x) R f(x) = f(y) x y x f(x) + y f(y) 2R UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

18 Truncate more, TMT for many collisions 2 τ /B w (τ) M 2 n/2 / B w (τ) Outline Lower bound 2 n/2 / B w (n) Memory full algorithm 2 n/2 / B w (n) Time memory trade off? Memory less algorithms Truncation based τ (2 + 2)(w 1) 2 (n+τ)/2 /B w (τ) Covering codes based 2 n/2 / B w/2 (n) Combine both? Truncate and find truncated near collisions with covering code UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

19 Truncate more, TMT for many collisions 2 τ /B w (τ) M 2 n/2 / B w (τ) Outline Lower bound 2 n/2 / B w (n) Memory full algorithm 2 n/2 / B w (n) Time memory trade off? Memory less algorithms Truncation based τ (2 + 2)(w 1) 2 (n+τ)/2 /B w (τ) Covering codes based 2 n/2 / B w/2 (n) Combine both? Truncate and find truncated near collisions with covering code UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

20 Another look at truncation Near collision using truncation by τ bits i(τ) = 2 τ /B w (τ) collisions needed Increase with τ One truncated collision costs 2 n τ Decrease with τ Can we do better than i 2 (n τ)/2 to find i collisions? : no With memory: yes, keep state after first collision Improved near collision algorithms UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

21 Another look at truncation Near collision using truncation by τ bits i(τ) = 2 τ /B w (τ) collisions needed Increase with τ One truncated collision costs 2 n τ Decrease with τ Can we do better than i 2 (n τ)/2 to find i collisions? : no With memory: yes, keep state after first collision Improved near collision algorithms UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

22 Finding several collisions Parallel collision search [van Oorschot Wiener, JoC 1999] Definition (distinguished point) y distinguished iff y mod θ 1 = 0 x 0 y 0 x 1 x 2 x 3 x 4 y 1 y 2 y 3 1 Compute chains x y Stop when y distinguished 2 If y {y i }, new collision found 3 Store (x, y) M chains cover M/θ points UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

23 Finding several collisions Complexity: [van Oorschot Wiener, JoC 1999] Small number of collisions ie i M C small = π/2 2 n i Speedup: i (optimal) Large number of collisions ie i M C large = 5 2 n /M i Speedup: M/4 Combining: C C small + C large = π i M 2 n i UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

24 TM Trade-off for Near-collisions using Truncation Truncate τ bits i(τ) = 2 τ /B w (τ) collisions needed Small τ, i(τ) M C small = π/2 2 n/2 / B w (τ) Decreasing C Large τ, i(τ) M C large = 5 2 n/2+τ/2 /B w (τ) M Increasing i(τ) = M τ Optimum for i(τ) M C 2 n/2 / B w (τ) UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

25 Comparison: n = 128, w = 10 Lower bounds C 2 n/2 / B w (n) (memory full) C Covering codes C 2 n/2 / B w/2 (n) for code based C 2 50 Best code known C = Truncation, memoryless, τ = 2w + 1 τ = 21 C 2 (n τ)/2 2 C = Truncation, memoryless, optimal τ (2 + 2)(w 1) τ = 32 C 2 (n+τ)/2 /B w (τ) C = Truncation, with 1GB memory 2 τ /B w (τ) M τ = 56 C 2 n/2 / B w (τ) C = 2 47 UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

26 Truncate more, TMT for many collisions 2 τ /B w (τ) M 2 n/2 / B w (τ) Outline Lower bound 2 n/2 / B w (n) Memory full algorithm 2 n/2 / B w (n) Time memory trade off? Memory less algorithms Truncation based τ (2 + 2)(w 1) 2 (n+τ)/2 /B w (τ) Covering codes based 2 n/2 / B w/2 (n) Combine both? Truncate and find truncated near collisions with covering code UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

27 New approach 0 1 Truncate τ bits 2 Find n τ bit w near collisions 3 Gives w near collision with some probability n τ n w differences w w differences Large parameter space w, τ Special cases: τ = 0: coding based algorithm w = 0: truncation based algorithm Use a covering code to find near collisions in the truncation UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

28 New approach 0 1 Truncate τ bits 2 Find n τ bit w near collisions 3 Gives w near collision with some probability n τ n 2R differences w 2R differences Large parameter space (R, τ) Special cases: τ = 0: coding based algorithm R = 0: truncation based algorithm Use a covering code to find near collisions in the truncation UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

29 Complexity Analysis: No closed formula for parameter choice Exhaustive search over τ and R, compute complexity M Full Time memory trade off (τ, R) Covr codes Trunc 128 bits 2 16 (1MB) 2 26 (1GB) 2 36 (1TB) bnd best τ=2w 1 w = ( 1,1) 600 (25,0) 595 (35,0) w = (17,1) 565 (27,1) 556 (44,0) w = (19,2) 531 (35,1) 520 (46,1) w = (26,2) 498 (43,1) 485 (54,1) w = (33,2) 467 (50,1) 452 (62,1) Number of hash function evaluation More than 2 n/2 memory accesses UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

30 Summary 1 Time memory trade off Finding i collisions costs less than i 2 n/2 Use larger τ 2 Combine truncation and covering codes Find near collisions in truncated function Significant improvement for practical parameters 10-near-collision for a 128-bit hash Complexity in using 1TB, versus memoryless Lower bound: ; reduce the gap for practical attacks UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

31 Thanks Q uestions? With the support of ERC project CRASH UCL Crypto Group Microelectronics Laboratory Time-memory Trade-offs for Near-collisions FSE /24 G Leurent

Time-memory Trade-offs for Near-collisions

Time-memory Trade-offs for Near-collisions Gaëtan Leurent UCL Crypto Group Gaetan.Leurent@uclouvain.be Abstract. In this work we consider generic algorithms to find nearcollisions for a hash function.