Analysis of Message Injection in Stream Cipher-based Hash Functions

Transcription

1 Analysis o Message Injection in Stream Cipher-based Hash Functions Yuto Nakano 1, Carlos Cid 2, Kazuhide Fukushima 1, and Shinsaku Kiyomoto 1 1 KDDI R&D Laboratories Inc. 2 Royal Holloway, University o London

2 SCH : stream cipher-based hash unction Use stream cipher as core component Can be used not only as a hash unction but also as a stream cipher Suit or resource-constrained devices Arbitrary length o hash value Message injection unction is attached Three phases Message injection Blank rounds Hash generation 2

3 Motivation Not much research has been done on SCHs Some SHA-3 candidates are stream cipher-based, but not secure In this talk, Deinition o message injection unctions Inject into eedback Inject into the internal state Security analysis o message injection unction with One LFSR and ilter unction Two LFSRs and ilter unction Comparison to real algorithm (Abacus, Boole, MCSSHA-3) 3

4 Deinition o Stream cipher Simple stream cipher based on an l-bit LFSR and a ilter unction Feedback polynomial p is primitive Filter unction takes n-bit input (n l) and outputs 1-bit keystream p l-bit LFSR keystream 4

5 Inject into eedback The message is XORed with keystream and eedback polynomial p M State S t is updated into S t+1 as s t,i+1 s t+1,i = p s t,1,, s t,l d 1 s t,1, d l s t,l M The most natural way to inject message SHA-amily and MD-amily apply this type 5

6 ΔM = 1 Δ 1 = 1 0 Security analysis p Δ 2 = 0 Blue-colored register x can easily controlled by the message x = Δ 1 Δ 2 M Dierence on the LFSR is orced out and collision is easily generated Message expansion is required 6

7 Inject into internal state 1 Message dependent data is XORed with r registers p M s t+1,i = s t,i+1 σ i (z t M), p s t,1,, s t,l where σ i is a selector that selects which register to be updated Quick message diusion over the state 7

8 Security analysis p ΔM = 1 0 Δ = 1 The adversary can control blue-colored l/r bits Use the birthday attack against remaining l(1 1/r) bits, the probability is given by l(1 1 r) Pr coll = 2 2 8

9 Security analysis p ΔM = Δ = 1 The adversary can control blue-colored l/r bits Use the birthday attack against remaining l(1 1/r) bits, the probability is given by l(1 1 r) Pr coll = 2 2 9

10 Inject into internal state 2 Message is XORed with r registers p M s t,i+1 σ i M s t+1,i = p s t,1,, s t,l z t where σ i is a selector that selects which register to be updated 10

11 Collision attack p M 0 0 Blue-colored registers can be controlled Dierence on orange-colored will vanish when eedback & keystream have dierence Both do not have dierence 11

12 Collision attack(cont d) p M p M 12

13 Collision attack(cont d) p M The adversary can control r l bits o the state Collision attack will be successul when dierence on l 1 1/r bits vanishes 13

14 Security analysis Filter unction outputs dierence with probability p When the internal state has dierence, eedback has also dierence with 1/2 The ilter unction must output dierence Pr coll = p 1 p l 1 1/r 2 l 1 1/r When the ilter unction is balanced, then it propagates dierence with p = 1/2 2 times l 1 1/r Pr coll = 2 l 1 1/r Birthday attack is more eicient: Pr coll =

15 Extension to Two LFSRs A l A -bit LFSR-A B l B -bit LFSR-B keystream l A -bit LFSR-A and l B -bit LFSR-B (l A > l B ) A and B are primitive LFSR-A is used to determine the output o ilter unction Output o ilter unction is XORed with eedback o LFSR-B 15

16 Inject into eedback o LFSR-A A M B Message is XORed with eedback s t,i+1 s t+1,i = A s t,1,, s t,la M u t,i+1 u t+1,i = B u t,1,, u t,lb (S ) 16

17 Security analysis A M B Dierence on LFSR-A can be canceled out Collision probability depends on that o LFSR-B Pr coll = max 2 l B 2, Pr di. on B canceled = 2 l B 2 17

18 Inject into part o the state o LFSR-A A M B Message dependent data is XORed with r registers o LFSR-A Message spread over the state quickly 18

19 Security analysis A M B Blue-colored l A r-bit registers can be controlled Birthday attack on l A 1 1 r + l B bits Pr coll = 2 l A 1 1 r +l B 2 19

20 Summary MIF Collision probability # o operation/cycle Single LFSR Inject into eedback 1 1 XOR Inject into the int. state Inject into eedback o LFSR-A Inject into eedback o both LFSRs Inject into int. state o LFSR-A Inject into int. state o both LFSRs l 1 1 r 2 2 Two LFSRs r XORs 2 l B 2 1 XOR 2 l B 2 2 XORs 2 l A 1 1 r +l B 2 2 l A 1 1 r +l B 2 r XORs (r+q) XORs 20

21 Comparison to real algorithms Apply our estimation to real algorithms Abacus (inject into eedback) Boole (inject into the internal state) MCSSHA-3 (inject into eedback) Assume these algorithms are bit-oriented Substitute register size to the estimated probability 21

22 Comparison to real algorithms Our estimation Real attack Abacus Boole MCSSHA Our estimation can be applied to existing algorithms Gap o Boole is due to Dierent message-dependent data is used update registers Boolean unctions o Boole have a vulnerability 22

23 Conclusion Deinition o message injection unctions Inject into eedback Inject into the internal state Security analysis o message injection unction with One LFSR and ilter unction Two LFSRs and ilter unction Required length o LFSRs Number o message-injecting registers Our evaluation can be applied to existing algorithm 23