The Impact of Carries on the Complexity of Collision Attacks on SHA-1


Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen
Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Austria
Norbert.Pramstaller@iaik.tugraz.at

Abstract. In this article we present a detailed analysis of the impact of carries on the estimation of the attack complexity for SHA-1. We build up on existing estimates and refine them. We show that the attack complexity is slightly lower than estimated in all published work to date. We point out that it is more accurate to consider probabilities instead of conditions.

1 Introduction

In past years, significant progress has been made in the cryptanalysis of the hash functions MD4, MD5, RIPEMD, SHA-0, and SHA-1 [2,3,5,6,9,10,11,13,14,15]. In 2004 and 2005, Wang et al. announced that they had broken the hash functions MD4, MD5, RIPEMD, HAVAL, SHA-0, and SHA-1 [16,17,19,20,21]. SHA-1, a widely used hash function in practice, has attracted most attention over the last years. This year, at the CRYPTO 2005 rump session, Wang et al. announced that they have further improved their attack on SHA-1. They updated the attack complexity from $2^{69}$ to $2^{63}$ [18]. As it will be explained in Section 2, the attack complexity is mainly determined by the probabilities of so-called 6-step local collisions in a linearized variant of SHA-1. For each local collision, the attacker derives conditions such that the local collision holds for the original SHA-1. Based on the derived conditions the attack complexity is conjectured. The main contribution of this article is that we will show that it is more accurate to look at probabilities instead of estimating the attack complexity based on the number of conditions.

The remainder of this article is structured as follows. We start with a short description of the hash function SHA-1 and review the basic attack strategy of Wang et al. in Section 2. In Section 3, we perform a detailed analysis of local collisions.
Section 3.2 describes how Wang et al. derive conditions for local collisions. In Section 3.3 and Section 3.4 we present a more accurate analysis of local collisions and the corresponding probabilities. Based on these results we update the complexity of the collision attack on SHA-1 in Section 3.5. Finally, we present conclusions in Section 4.

The work in this paper has been supported by CRYPTREC. This author is supported by the Austrian Science Fund (FWF) project P.

M.J.B. Robshaw (Ed.): FSE 2006, LNCS 4047, pp. 278–292, 2006. © International Association for Cryptologic Research 2006

2 Collision Attacks on SHA-1

In this section we will review the basic attack strategy for collision attacks on SHA-1. We start with a short description of SHA-1, giving only the details we need later in this article.

2.1 Short Description of SHA-1

The input message is split into 512-bit message blocks (after padding). The compression function is then applied to each of these 512-bit message blocks. The compression function basically consists of two parts: the message expansion and the state update. The message expansion expands the 512-bit input message block into 80 32-bit words $W_i$ that are used in each step of the state update. A single step of the state update is shown in Figure 1.

[Fig. 1. One step of the state update of SHA-1: the registers $A_i, B_i, C_i, D_i, E_i$ are updated to $A_{i+1}, \ldots, E_{i+1}$ using the rotations $\lll 5$ and $\ggg 2$, the function $f$, the constant $K_i$ and the expanded message word $W_i$.]

As it can be seen in Figure 1, in each step the function $f$ is applied to the inputs $B_i$, $C_i$, and $D_i$. The function $f$ depends on the step number: steps 0 to 19 (round 1) use $f_{IF}$ and steps 40 to 59 (round 3) use $f_{MAJ}$. $f_{XOR}$ is applied in the remaining steps (round 2 and 4). The functions are defined as:

$$f_{IF}(B,C,D) = B \wedge C \oplus \neg B \wedge D \qquad (1)$$
$$f_{MAJ}(B,C,D) = B \wedge C \oplus B \wedge D \oplus C \wedge D \qquad (2)$$
$$f_{XOR}(B,C,D) = B \oplus C \oplus D. \qquad (3)$$

For a detailed description of SHA-1 refer to [12].

2.2 The Basic Attack Strategy on SHA-1

In 1998, Chabaud and Joux presented an attack on SHA-0 [3]. They used a linearized variant of SHA-0 to find a characteristic, which we will refer to as L-characteristic throughout the remainder of this article. For the linearized variant all modular additions are replaced by XOR and the functions $f_{MAJ}$ and $f_{IF}$ are replaced by $f_{XOR}$. They observed the following: the probability that the characteristic holds for the original SHA-1 is related to the Hamming weight of the characteristic. In general, the lower the weight the higher the probability.

In 2004 and 2005, Wang et al. announced that they have broken the hash functions MD4, MD5, RIPEMD, SHA-0, and SHA-1 [19,20,21]. For the collision attack on SHA-1 they use basically the following strategy, which is also depicted in Figure 2. They search for a low-weight L-characteristic that leads to a pseudo collision in the last 60 steps (referred to as P2 in Figure 2). Then by using a nonlinear characteristic (referred to as NL-characteristic) in the first 20 steps (referred to as P1 in Figure 2), they are able to turn the pseudo collision into a collision. Furthermore, they improved their attack by searching for an L-characteristic that leads to a pseudo-near collision in P2. As before, they turn the pseudo collision into a collision with the NL-characteristic and by using two-block messages they construct a collision from the near collision in each block. The fact that it is easier to find a near collision than a collision was observed already by Biham and Chen in [1]. An important property of this attack strategy is that the NL-characteristic has no impact on the complexity of the attack since conditions in P1 are fulfilled by using message modification techniques invented by Wang et al. Therefore, only the L-characteristic determines the attack complexity.

[Fig. 2. Attack strategy of Wang et al.: starting from the IV, the NL-characteristic covers P1 (the first 20 steps) and the L-characteristic covers P2 (the last 60 steps); a pseudo collision or pseudo-near collision in P2 is turned into a collision at the state output.]

The L-characteristic consists of overlapped single local collisions as it has been shown in [19]. To determine the attack complexity, Wang et al. count the number of conditions for each local collision such that it holds for the original SHA-1. Then they conjecture the attack complexity by assuming that after fulfilling the first 20 steps, random trials are performed to find the colliding messages. The complexity for these random trials is estimated to be $2^{\#\,\mathrm{conditions}}$. Many researchers investigated the L-characteristic and tried to find L-characteristics with lower weight. A possible approach is to exploit coding theory since finding a low-weight L-characteristic in P2 corresponds to finding a low-weight codeword in a linear code describing P2. Results of the coding-theory approach are presented for instance in [8,11,13,15]. In 2005, Jutla and Patthak [7] used a computer aided proof to show that the minimum Hamming weight in the last 60 steps of the SHA-1 message expansion is 25. This low-weight vector is also referred to as the disturbance vector, since it contains the disturbances for the single local collisions. However, Wang et al. use a disturbance vector with higher weight (weight = 27). The reason for this is that the vector with higher weight leads to a smaller number of conditions (see [19]). Since the attack complexity is

determined by the number of local collisions and the corresponding probabilities (conditions) we will analyze them accurately in the next section.

3 Detailed Analysis of Local Collisions in SHA-1

In the first part of this section, we start with deriving the conditions and corresponding probabilities for all possible local collisions in the L-characteristic of SHA-1. We follow the work of Wang et al. in [19] to conjecture the overall probability of a collision attack on SHA-1 based on these local collisions. Note that the L-characteristic does not include the first 20 steps of SHA-1 and therefore, we only consider the functions $f_{XOR}$ and $f_{MAJ}$ described in Section 2.1. In the second part of this section, we derive a more accurate estimation of the probabilities for local collisions. With this analysis we update the attack complexity of Wang et al. presented in [19].

3.1 Notation and Definitions

For the analysis of local collisions we follow the notation given in Table 1. Throughout the remainder of this article we will use signed bit differences. In the following we describe the basic properties of signed bit differences that we require for our analysis. A detailed discussion of signed bit differences can be found in [4, Chapter 4]. We define the sign of a difference in bit position $j$ as

$$w'_j = w_j - w^*_j, \quad \text{where } w_j, w^*_j \in \{0, 1\} \text{ and } w'_j \in \{-1, 0, +1\}. \qquad (4)$$

In particular, if $w'_j = 0$ the difference is zero. The signed bit difference is then defined as $W'_j = w'_j \, 2^j$. A useful property of signed bit differences is the fact that the difference also includes information about the values of $w_j$ and $w^*_j$. This is shown in (5).

$$W'_j = \begin{cases} +2^j & \text{if } w_j = 1 \text{ and } w^*_j = 0 \\ 0 & \text{if } w_j = w^*_j \\ -2^j & \text{if } w_j = 0 \text{ and } w^*_j = 1 \end{cases} \qquad (5)$$

Table 1. Notation

notation | description
step | the SHA-1 compression function consists of 80 steps, $0 \le i \le 79$
round | the SHA-1 compression function consists of 4 rounds = 4 × 20 steps
$W_{i,j}$ | bit $j$ of expanded message word in step $i$, $0 \le j \le 31$
$w'_j$ | sign of bit difference in bit position $(j \bmod 32)$, $w'_j \in \{-1, 0, +1\}$
$W'_j = w'_j \, 2^j$ | signed bit difference in bit position $(j \bmod 32)$, $W'_j \in \{-2^j, 0, +2^j\}$
$W'_{i,j}$ | signed bit difference in step $i$, bit position $j$
$(j + n \bmod 32)$ | bit position $j$ rotated to the left by $n$ positions
$(j - n \bmod 32)$ | bit position $j$ rotated to the right by $n$ positions

Let us now consider the addition of two signed bit differences. The addition $S = A + B$ is defined as $S_j = A_j \oplus B_j \oplus C_j$ and $C_{j+1} = f_{MAJ}(A_j, B_j, C_j)$ with $C_0 = 0$, where $C_{j+1}$ is the resulting carry of the addition in bit position $j$. Table 2 lists all possible cases for the output and carry difference of a signed bit addition with $v, u \in \{-1, +1\}$. To perform the addition of two signed bit differences we can use Table 2 for computing the resulting difference. We know that the output difference is $C'_{j+1} \, 2^{j+1} + S'_j \, 2^j$. For instance, if there are two non-zero differences at the input with opposite signs, then both $C'_{j+1}$ and $S'_j$ are zero and hence the output difference is zero. If the differences have the same sign, for instance $2^j$ and $2^j$, the output difference is $2^{j+1}$, since $C'_{j+1} = 1$ and $S'_j = 0$.

[Table 2. Addition of signed bit differences: for the input differences $A'_j$, $B'_j$ and the carry difference $C'_j$ the table lists the sum difference $S'_j$ and the carry difference $C'_{j+1}$ for all cases with $u, v \in \{-1, +1\}$; the table body is not recoverable from this copy.]

For our analysis we need the differential properties of $f_{XOR}$ and $f_{MAJ}$ with respect to signed bit differences. In Table 3, we list the cases that occur in a local collision (see Figure 3) where $v \in \{-1, +1\}$. As it can be seen in Table 3, for $f_{XOR}$ the sign of the input difference is flipped with probability 1/2 depending on the input values. For $f_{MAJ}$ the sign is preserved but the difference propagates with probability 1/2.

Table 3. Differential properties of $f_{XOR}$ and $f_{MAJ}$ for signed bit differences

$B'_j$ | $C'_j$ | $D'_j$ | $f_{XOR}(B'_j, C'_j, D'_j)$ | $f_{MAJ}(B'_j, C'_j, D'_j)$
0 | 0 | $v$ | $(-1)^{B_j \oplus C_j} \, v$ | $(B_j \oplus C_j) \, v$
0 | $v$ | 0 | $(-1)^{B_j \oplus D_j} \, v$ | $(B_j \oplus D_j) \, v$
$v$ | 0 | 0 | $(-1)^{C_j \oplus D_j} \, v$ | $(C_j \oplus D_j) \, v$

3.2 Considering the Number of Conditions

In [3], Chabaud and Joux showed how the corrections for a single bit disturbance in SHA-0 can be constructed. Since the state update for SHA-0 and SHA-1 is the same, this construction is also valid for SHA-1. Table 4 shows a local collision with signed bit differences for $f_{XOR}$ and $f_{MAJ}$. For the local collision defined in Table 4, we can now derive the number of conditions and the corresponding probabilities such that the local collision holds for the original SHA-1. We refer to conditions that contain only expanded message words as easy conditions since we can easily fulfill them. Conditions that

Table 4. Local collision (disturbance-corrections) for SHA-1

step | difference ($f_{XOR}$) | difference ($f_{MAJ}$) | description
$i$ | $W'_i = +2^j$ | $+2^j$ | single bit disturbance at bit position $j$
$i+1$ | $W'_{i+1} = -2^{j+5}$ | $-2^{j+5}$ | correction
$i+2$ | $W'_{i+2} = \pm 2^j$ | $-2^j$ | correction
$i+3$ | $W'_{i+3} = \pm 2^{j-2}$ | $-2^{j-2}$ | correction
$i+4$ | $W'_{i+4} = \pm 2^{j-2}$ | $-2^{j-2}$ | correction
$i+5$ | $W'_{i+5} = -2^{j-2}$ | $-2^{j-2}$ | correction

[Fig. 3. On the left, a local collision with disturbance in bit position $j$. No carry occurs in step $i$. On the right a local collision with disturbance in bit position $j = 0$. In step $i$ a carry occurs. The differences in the dashed rectangles are the possible output differences of $f_{XOR}$ and $f_{MAJ}$.]

include state variables are considered to be hard conditions. For the analysis we can assume without loss of generality that the sign of the disturbance is positive, i.e. $W'_i = +2^j$. If the disturbance is $-2^j$, we get the same results by just flipping all the other signs. The propagation of the disturbance and corrections is shown in the left part of Figure 3.

Disturbance in step $i$. In step $i$, where the disturbance is introduced, it is required that the disturbance propagates to state variable $A_{i+1}$ without causing a carry in the difference, i.e. $A'_{i+1} = W'_i = +2^j$. This occurs with probability 1/2. If the disturbance is introduced at bit position $j = 31$, it propagates to $A_{i+1}$ with probability 1.

Correction in step $i+1$. As shown in Figure 3, the difference in state variable $A$ is rotated to the left by 5 positions. Therefore, the correction is $W'_{i+1} = -2^{j+5}$. It follows from Table 2 that if the sign of the correction is the opposite of the sign of the disturbance, then the correction occurs with probability 1. We can ensure the negative sign of the correction with condition $CW_{i+1}$: $W_{i+1,j+5} \oplus W_{i,j} = 1$. This condition is in $W$ only and we can easily fulfill it.

Correction in step $i+2$. In this step, we have to consider the modular addition and the function $f$. As described in Table 3, $f_{XOR}$ flips the sign of the input difference with probability 1/2. Therefore, for $B'_{i+2} = +2^j$ the output difference of $f_{XOR}$ can be either $+2^j$ or $-2^j$ depending on $C_{i+2}$ and $D_{i+2}$. Since we cannot easily influence the values of $C_{i+2}$ and $D_{i+2}$ the probability for the correction is 1/2. For $f_{MAJ}$ we get the same probability as for $f_{XOR}$ by defining a condition in $W$ only. For the input difference $B'_{i+2} = +2^j$ the possible output difference of $f_{MAJ}$ is either $+2^j$ or 0. This results in a probability of 1/4. However, if the sign of the correction is negative, then the correction has a probability of 1/2. This can be ensured by fulfilling condition $CW_{i+2}$: $W_{i+2,j} \oplus W_{i,j} = 1$.

Correction in step $i+3$ and $i+4$. These steps are the same as step $i+2$ except that the difference $+2^j$ is rotated to the right by 2 positions, i.e. $+2^{j-2}$. For $f_{XOR}$ we get a probability of 1/2 in each step. For $f_{MAJ}$ we also get the probability 1/2 by fulfilling the following easy conditions in $W$ only: $CW_{i+3}$: $W_{i+3,j-2} \oplus W_{i,j} = 1$, and $CW_{i+4}$: $W_{i+4,j-2} \oplus W_{i,j} = 1$.

Correction in step $i+5$. If all corrections have taken place in the previous steps the signed bit difference is in state variable $E$. As it can be seen in Figure 3, $E'_{i+5}$ is the same difference as $A'_{i+1} = +2^j$ rotated by 2 to the right, i.e. $E'_{i+5} = +2^{j-2}$. We only have to consider the modular addition. As in step $i+1$, we can fulfill condition $CW_{i+5}$: $W_{i+5,j-2} \oplus W_{i,j} = 1$ such that the correction has negative sign. Hence, the correction in step $i+5$ has probability 1.

Local collision with best probability. With the above described probabilities for each step of the local collision we can define a local collision that has the best probability for $f_{XOR}$. Assume the disturbance is introduced in bit position

$j = 1$. In step $i$ we have a probability of 1/2. Since we can easily fulfill condition $CW_{i+1}$ we have a probability of 1 in step $i+1$. In step $i+2$ the probability is 1/2. Now, for steps $i+3$ to $i+5$ the disturbance is rotated to bit position $j = 31$. Since a carry in the difference can be ignored (addition mod $2^{32}$), we get a total probability of $2^{-2}$ for a local collision with disturbance in bit position $j = 1$.

Summary of probabilities of local collisions. Table 5 summarizes the probabilities for all possible local collisions with a single-bit disturbance and lists the easy conditions in $W$ that have to be fulfilled.

Table 5. Probabilities for local collisions in SHA-1

disturbance | probability $f_{XOR}$ | probability $f_{MAJ}$ | easy conditions on $W$ for $f_{XOR}$ | easy conditions on $W$ for $f_{MAJ}$
$j = 1$ | $2^{-2}$ | $2^{-4}$ | $CW_{i+1}$ | $CW_{i+1}, CW_{i+2}$
$j = 26$ | $2^{-4}$ | $2^{-4}$ | $CW_{i+5}$ | $CW_{i+2}, CW_{i+3}, CW_{i+4}, CW_{i+5}$
$j = 31$ | $2^{-2}$ | $2^{-3}$ | $CW_{i+1}, CW_{i+5}$ | $CW_{i+1}, CW_{i+3}, CW_{i+4}, CW_{i+5}$
$j = 0, 2, \ldots, 25$ and $j = 27, \ldots, 30$ | $2^{-4}$ | $2^{-4}$ | $CW_{i+1}, CW_{i+5}$ | $CW_{i+1}, CW_{i+2}, CW_{i+3}, CW_{i+4}, CW_{i+5}$

For the discussion so far we only considered probabilities and easy conditions. However, the probabilities for the modular addition and the functions $f_{MAJ}$ and $f_{XOR}$ can also be described in terms of so-called hard conditions. Each single condition is fulfilled with probability 1/2. Consider for instance $f_{MAJ}$. The input difference $B'_i = +2^j$ leads to the output difference $+2^j (C_i \oplus D_i)$ (see Table 3). In order to ensure that the difference propagates, we require that $C_i \oplus D_i = 1$. Since we cannot easily influence the values of $C_i$ and $D_i$, the condition is fulfilled with probability 1/2. The same can be done for the other cases. For a local collision with disturbance in bit position $j = 1$, we have a probability of $2^{-4}$. In other words there are 4 hard conditions that we cannot easily fulfill.

With the probabilities listed in Table 5 the complexity of the attack on SHA-1 can be determined. For the description we follow the work of Wang et al. [19]. For the disturbance vector [19, Table 5] we compute the product of all probabilities for each disturbance bit to determine the overall probability and hence the attack complexity.

3.3 Accurate Probability Computation

In Section 3.2, we determined the probabilities of local collisions with disturbances introduced at different bit positions. For the analysis we did not allow carries in step $i$ where the disturbance is introduced. This restriction can actually be relaxed. In the following we will analyze the impact of carries in step $i$ on the probability of local collisions. We will show that the probabilities are actually higher for most bit positions of the disturbance.

Single bit disturbance. We start with a disturbance in bit position $j = 0$. As shown in Table 5 this results in a probability of $2^{-4}$. Now consider that a carry

occurs in the difference in step $i$, i.e. the disturbance $W'_i = +2^0$ propagates to $A'_{i+1} = +2^1 - 2^0$. This case is shown on the right hand side in Figure 3. The carry in step $i$ occurs with probability 1/4. The difference in bit position $j = 1$ can be seen as a new disturbance that leads to a second local collision with a certain probability. To cancel out the difference $A'_{i+1} = +2^1 - 2^0$ we require that the corrections in the consecutive steps also produce a carry in the difference. As described in Section 3.2, we fulfill condition $CW_{i+1}$ to ensure that $W'_{i+1} = -2^5$. Therefore, the differences cancel out with probability 1 since $(+2^6 - 2^5) + (-2^5) = 0$ (as shown in Table 2, $-2^5 + (-2^5) = -2^6$ and hence $2^6 - 2^6 = 0$). For steps $i+2$ to $i+4$ we first consider $f_{XOR}$. In step $i+2$ we have a probability of 1/4 because $f_{XOR}$ flips the sign of a bit difference with probability 1/2. Since we have two bit differences this results in a probability of 1/4. The same holds for steps $i+3$ and $i+4$. However, since the disturbance is introduced in bit position $j = 0$, the second difference caused by the carry is rotated to bit position $j = 31$ in step $i+2$. We can ignore carries in this bit position and hence the sign in bit position $j = 31$ has no impact. Therefore, we get a probability of 1/2 for each step. We can do the same analysis for $f_{MAJ}$. As already mentioned, $f_{MAJ}$ preserves the sign of the input difference but the difference propagates only with probability 1/2. Therefore, we cannot exploit bit position $j = 31$; the probability for steps $i+3$ and $i+4$ is 1/4 each. For step $i+2$ the probability is 1/4 since $CW_{i+2}$ is fulfilled. In step $i+5$ we have a probability of 1 for $f_{XOR}$ and $f_{MAJ}$ based on the same reasoning as for step $i+1$. With the results of this analysis we can update the probability of Section 3.2. The best probability for $f_{XOR}$ and $f_{MAJ}$ with a disturbance in bit position $j = 0$ is:

$$p(f_{XOR}, j = 0) = 2^{-4} + 2^{-6} = 2^{-3.678}, \qquad (6)$$
$$p(f_{MAJ}, j = 0) = 2^{-4} + 2^{-8} = 2^{-3.913}. \qquad (7)$$

Uncorrectable carries. Let us now consider the case where two carries in step $i$ occur, i.e. $W'_i = +2^0$ propagates to $A'_{i+1} = +2^2 - 2^1 - 2^0$. Two carries occur with probability 1/8. If we work with the difference in bit position $j = 2$, we encounter the following problem, which we refer to as uncorrectable carries. In step $i+2$ the difference is rotated by two positions to the right, i.e. $+2^0 - 2^{31} - 2^{30}$. It is not possible to correct the difference $+2^0$ in step $i+3$ anymore since the correction takes place in bit position $j = 30$. For $f_{MAJ}$, uncorrectable carries for this example take place only in step $i+5$. This is due to the fact that the difference $+2^0$ is blocked by $f_{MAJ}$ with probability 1/2 in steps $i+2$ to $i+4$. However, in step $i+5$ we cannot correct the difference $+2^0$ since the correction takes place in $j = 30$. Therefore, the probabilities given in (6) and (7) are the best probabilities for both functions with a disturbance in $j = 0$. If we perform the carry analysis for bit position $j = 1$, we also encounter uncorrectable carries as for the disturbance in $j = 0$. Namely, a carry in step $i$ cannot be corrected anymore in step $i+3$ (step $i+5$ for $f_{MAJ}$, respectively) and therefore, a carry does not increase the probability for a local collision with disturbance in $j = 1$ for both $f_{XOR}$ and $f_{MAJ}$. Uncorrectable carries can also occur due to the left rotation by 5 in step $i+1$. A disturbance in $j = 26$ that

leads to a carry in step $i$ cannot be corrected anymore in step $i+1$ since the correction $W'_{i+1}$ takes place in bit position $j = 31$ but the carry is rotated to $j = 0$.

Carries that improve the probability of local collisions. After determining the probabilities for $j = 0$ and $j = 1$, we describe now the impact of carry effects for disturbances in bit position $j = 2, \ldots, 31$. Due to uncorrectable carries after bit position $j = 26$ we have to analyze the probability for $j = 2, \ldots, 26$ and $j = 27, \ldots, 31$ separately. We start the explanation for $f_{XOR}$. For $j \le 26$ we have the same probability in steps $i$, $i+2$, $i+3$, and $i+4$, namely the probability that no carry occurs and the probabilities for all possible carries. Note that the probability in steps $i+1$ and $i+5$ is 1 since we fulfill the easy conditions $CW_{i+1}$ and $CW_{i+5}$ (see Section 3.2). For $27 \le j \le 31$ we have the same except that the probability in step $i+2$ is increased by a factor of 2 if the carry in step $i$ reaches bit position $j = 31$. For $f_{MAJ}$ we also assume that the easy conditions in $W$ are fulfilled. Then we get the same probabilities as for $f_{XOR}$ with the difference that for $27 \le j \le 31$ we cannot exploit bit position $j = 31$. In (8) and (9) we give the formulae to compute the accurate probability for a local collision including all carry effects. Probability bounds for (8) and (9) are given in Appendix A. For a disturbance in bit position $j = 3$ the probability for both $f_{XOR}$ and $f_{MAJ}$ is $2^{-3.907}$ instead of $2^{-4}$ which is the probability derived by counting conditions.

$$p(f_{XOR}, j) = \begin{cases} 2^{-2} & \text{for } j = 1 \\ 2^{-4} + 2^{-6} & \text{for } j = 0 \\ \sum_{k=1}^{27-j} 2^{-4k} & \text{for } j = 2, \ldots, 26 \\ 2^{2-4(32-j)} + \sum_{k=1}^{31-j} 2^{-4k} & \text{for } j = 27, \ldots, 31 \end{cases} \qquad (8)$$

$$p(f_{MAJ}, j) = \begin{cases} 2^{-4} & \text{for } j = 1 \\ 2^{-3} & \text{for } j = 31 \\ 2^{-4} + 2^{-8} & \text{for } j = 0 \\ \sum_{k=1}^{27-j} 2^{-4k} & \text{for } j = 2, \ldots, 26 \\ \sum_{k=1}^{32-j} 2^{-4k} & \text{for } j = 27, \ldots, 30 \end{cases} \qquad (9)$$

3.4 Disturbances in Consecutive Bit Position

If we have a look at the disturbance vector in [19, Table 5] or [13, Table 7] there occur disturbances in consecutive bit positions, i.e. $W'_i = +2^{j+1} + 2^j$ for $f_{XOR}$. For the explanation we take the concrete case with disturbance $W'_i = 2^1 + 2^0$, and the five corrections $W'_{i+1} = 2^6 + 2^5$, $W'_{i+2} = 2^1 + 2^0$, $W'_{i+3} = 2^{31} + 2^{30}$, $W'_{i+4} = 2^{31} + 2^{30}$, and $W'_{i+5} = 2^{31} + 2^{30}$. In a straightforward way we can just treat them as separate disturbances and compute the probability based on (8). This results in a probability of

$$p(f_{XOR}, 2^1 + 2^0) = \underbrace{2^{-2}}_{j=1} \cdot \underbrace{(2^{-4} + 2^{-6})}_{j=0} = 2^{-5.678}. \qquad (10)$$

However, by performing a detailed analysis we show that the probability for this case can be improved to $p(f_{XOR}, 2^1 + 2^0) = 2^{-3.678}$ by defining two additional conditions in $W$ only, referred to as $CW_i$ and $CW1_{i+2}$. We assume that the easy conditions described in Section 3.2 are fulfilled. If no carry occurs in step $i$, both disturbances are corrected with probability $2^{-6}$. This follows from Section 3.2. Now consider the case that a carry occurs in step $i$. Assume that in step $i$ the disturbances have opposite signs, e.g. $W'_i = -2^1 + 2^0$. This can be ensured by fulfilling the new condition $CW_i$: $W_{i,1} \oplus W_{i,0} = 1$. If a carry occurs in bit position $j = 0$ the difference that propagates to $A'_{i+1}$ is $-2^0$ since the positive sign of the carry (see Table 2) cancels the negative difference in $j = 1$. This occurs with probability 1/2. In step $i+1$ the probability is 1 since $CW_{i+1}$ is fulfilled. In step $i+2$ we can increase the probability to 1/2 if the additional condition $CW1_{i+2}$: $W_{i+2,1} \oplus W_{i+2,0} = 1$ is fulfilled. This is based on the same reasoning as for step $i$. For the remaining steps $i+3$ to $i+4$ we get a probability of 1/2 for each step. Again, in step $i+5$ we have a probability of 1. Hence we have a total probability of $2^{-4}$ for the case that a carry occurs in step $i$. Therefore, the total probability for the disturbance $2^1 + 2^0$ for $f_{XOR}$ is

$$p(f_{XOR}, 2^1 + 2^0) = \underbrace{2^{-4}}_{\text{carry in } j = 0} + \underbrace{2^{-6}}_{\text{no carry in step } i} = 2^{-3.678}. \qquad (11)$$

Wang et al. use a probability of $2^{-4}$ for their estimation. For disturbances in other consecutive bit positions the same analysis can be performed. For $f_{XOR}$ the analysis is given in Appendix B.

3.5 Update of Attack Complexity by Wang et al.

With the above analysis we covered all cases of disturbances that occur in the disturbance vector of [19]. Since they count conditions in the last 60 steps of SHA-1 the overall probability can be updated based on (8) and (9). Table 6 lists the comparison with [19, Table 9].

Table 6. Update on complexity for collision attack on SHA-1 (comparison with [19, Table 9]; cells marked (illegible) are not recoverable from this copy)

disturbance bit position | disturbance index | number of conditions [19] | estimated probability [19] | accurate probability (our work)
$j = 1$ | 23, 24, 27, 28, 32, 35, 36 | 7 · 2 = 14 | $2^{-14}$ | $2^{-14}$
$j = 0$ | (illegible) | (illegible) | (illegible) | (illegible)
$j = 1$ | 39, 43, 45, 47, 49 | 5 · 4 = 20 | $2^{-20}$ | $2^{-20}$
$j = \{2, 3, 4, 5, 7\}$ | 65, 68, 71, 73, 74 | 5 · 4 = 20 | $2^{-20}$ | (illegible)
total | | | (illegible) | (illegible)

As it can be seen in Table 6 the probability is by a factor of approx. 2.7 higher than estimated in [19]. Note that we did not count the disturbances in step $i = 21$ and step $i = 77$ since some of the conditions are fulfilled due to message modification or truncation. This means that the path of the disturbance is fixed and we cannot exploit any carry effects.
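The probability formulas (8) and (9) of Section 3.3, together with the two empirical claims they rest on (a carry chain of length m in step i occurs with probability 2^-(m+1); f_XOR flips and f_MAJ blocks a single-bit difference with probability 1/2 each, Table 3), as an added Python example. This is not code from the paper; all function names are this example's own, and the Monte Carlo inputs are randomly constructed 32-bit words.

```python
"""Carry-aware local-collision probabilities for SHA-1 (formulas (8), (9)),
the carry behaviour of a disturbance in step i, and the f_XOR / f_MAJ
behaviour of Table 3. All function names are this example's own."""
import math
import random

MASK = 0xFFFFFFFF

def signed_bit_difference(w, w_star):
    """Signed bit differences w'_j = w_j - w*_j for j = 0..31 (equation (4))."""
    return [((w >> j) & 1) - ((w_star >> j) & 1) for j in range(32)]

def carry_chain_length(a, a_star, j):
    """For a = a* + 2^j (mod 2^32): number m of -1 signs starting at bit j.
    m = 0 means the disturbance propagated as +2^j; m = 1 means -2^j + 2^(j+1).
    A chain that runs into bit 31 yields m >= 31 - j."""
    d = signed_bit_difference(a, a_star)
    m = 0
    while j + m < 32 and d[j + m] == -1:
        m += 1
    return m

def carry_chain_distribution(j, trials=1 << 16, seed=1):
    """Monte Carlo over random step-i states: relative frequency of each carry
    chain length m after adding +2^j. Expected: P(m) = 2^-(m+1) below bit 31."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        a_star = rng.getrandbits(32)          # constructed random state word
        a = (a_star + (1 << j)) & MASK        # the same word with W'_i = +2^j added
        m = carry_chain_length(a, a_star, j)
        counts[m] = counts.get(m, 0) + 1
    return {m: c / trials for m, c in counts.items()}

def table3_rates(j=7, trials=1 << 16, seed=2):
    """Input difference B'_j = +2^j with random B, C, D: fraction of inputs where
    f_XOR flips the sign and where f_MAJ blocks the difference (Table 3: 1/2 each)."""
    rng = random.Random(seed)
    xor_flipped = maj_blocked = 0
    for _ in range(trials):
        b_star, c, d = (rng.getrandbits(32) for _ in range(3))
        b = b_star | (1 << j)           # b has bit j set ...
        b_star &= ~(1 << j) & MASK      # ... and b* has it cleared
        xor_diff = (b ^ c ^ d) - (b_star ^ c ^ d)
        maj_diff = ((b & c) ^ (b & d) ^ (c & d)) - ((b_star & c) ^ (b_star & d) ^ (c & d))
        xor_flipped += xor_diff == -(1 << j)
        maj_blocked += maj_diff == 0
    return xor_flipped / trials, maj_blocked / trials

def p_xor(j):
    """Formula (8): local-collision probability for f_XOR with a single-bit
    disturbance in bit position j, all carry effects included."""
    if j == 1:
        return 2.0 ** -2
    if j == 0:
        return 2.0 ** -4 + 2.0 ** -6
    if 2 <= j <= 26:
        return sum(2.0 ** (-4 * k) for k in range(1, 27 - j + 1))
    return 2.0 ** (2 - 4 * (32 - j)) + sum(2.0 ** (-4 * k) for k in range(1, 31 - j + 1))

def p_maj(j):
    """Formula (9): the same for f_MAJ, which cannot exploit bit position 31."""
    if j == 1:
        return 2.0 ** -4
    if j == 31:
        return 2.0 ** -3
    if j == 0:
        return 2.0 ** -4 + 2.0 ** -8
    if 2 <= j <= 26:
        return sum(2.0 ** (-4 * k) for k in range(1, 27 - j + 1))
    return sum(2.0 ** (-4 * k) for k in range(1, 32 - j + 1))

def counted_probability(j, f="xor"):
    """Probability obtained by counting conditions only (Table 5, no carries)."""
    if f == "xor":
        return 2.0 ** -2 if j in (1, 31) else 2.0 ** -4
    return 2.0 ** -3 if j == 31 else 2.0 ** -4

def carry_gain(j, f="xor"):
    """Factor by which the carry-aware probability exceeds the counted one."""
    return (p_xor(j) if f == "xor" else p_maj(j)) / counted_probability(j, f)

if __name__ == "__main__":
    for j in (0, 1, 3, 26, 30, 31):
        print(f"j={j:2d}  p_xor=2^{math.log2(p_xor(j)):.3f}  "
              f"p_maj=2^{math.log2(p_maj(j)):.3f}  gain_xor={carry_gain(j):.3f}")
    print("carry chain lengths for j=0:", carry_chain_distribution(0))
    print("Table 3 rates (xor flipped, maj blocked):", table3_rates())
```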

In order to determine the overall probability, we assume that the probabilities of local collisions are independent. To confirm this assumption, we have performed several computer measurements for a few overlapping local collisions. The measurement results match the computed probabilities.

3.6 Importance of Carry Effects

In the case of SHA-1, the improvement of the attack complexity is rather small. This is due to the fact that the disturbance vector is very sparse and the disturbances are introduced in bit positions where we cannot exploit any carry effects due to uncorrectable carries, e.g. bit position $j = 1$. Consider for instance the hash function SHA1-IME [8]. Jutla and Patthak claim to improve the collision resistance of SHA-1 by modifying the existing message expansion with the goal to increase the minimum Hamming weight. By using a computer aided proof they show that the minimum weight in the last 60 steps of the message expansion of SHA1-IME is at least 75. It is clear that the overall complexity increases with a higher weight in the disturbance vector. However, due to the higher weight also the impact of carry effects as shown in this section increases. Therefore, our way of looking at probabilities instead of conditions gives a more accurate complexity estimation.

4 Conclusion and Further Work

In this article we analyzed local collisions and corresponding probabilities in detail. We showed that it is more accurate to consider probabilities instead of conditions for the estimation of the overall attack complexity for collision attacks on SHA-1. This is due to the fact that carry effects increase the probability. Based on the accurate probability computation we updated the complexity of the collision attack on SHA-1 presented by Wang et al. Currently we are investigating the impact of our approach on SHA1-IME and local collisions in SHA-256.

Acknowledgements

We would like to thank Christophe De Cannière for fruitful discussions and comments on this article.

References

1. Eli Biham and Rafi Chen. Near-Collisions of SHA-0. In Matthew K. Franklin, editor, CRYPTO 2004, Santa Barbara, California, USA, August 15-19, 2004, Proceedings, volume 3152 of LNCS. Springer, 2004.
2. Eli Biham, Rafi Chen, Antoine Joux, Patrick Carribault, Christophe Lemuet, and William Jalby. Collisions of SHA-0 and Reduced SHA-1. In Ronald Cramer, editor, EUROCRYPT 2005, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume 3494 of LNCS. Springer, 2005.

3. Florent Chabaud and Antoine Joux. Differential Collisions in SHA-0. In Hugo Krawczyk, editor, CRYPTO '98, Santa Barbara, California, USA, August 23-27, 1998, Proceedings, volume 1462 of LNCS. Springer, 1998.
4. Magnus Daum. Cryptanalysis of Hash Functions of the MD4-Family. PhD thesis, Ruhr-Universität Bochum, 2005. Available at
5. Hans Dobbertin. Cryptanalysis of MD4. In Bart Preneel, editor, Fast Software Encryption, Cambridge, UK, February 21-23, 1996, Proceedings, volume 1039 of LNCS. Springer, 1996.
6. Hans Dobbertin. Cryptanalysis of MD4. Journal of Cryptology, 11(4):253–271, 1998.
7. Charanjit S. Jutla and Anindya C. Patthak. A Matching Lower Bound on the Minimum Weight of SHA-1 Expansion Code. Cryptology ePrint Archive, Report 2005/266, 2005.
8. Charanjit S. Jutla and Anindya C. Patthak. A Simple and Provably Good Code for SHA Message Expansion. Cryptology ePrint Archive, Report 2005/247, 2005.
9. Vlastimil Klima. Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications, 2005. Preprint, available at
10. Arjen Lenstra, Xiaoyun Wang, and Benne de Weger. Colliding X.509 Certificates, 2005. Preprint, available online at
11. Krystian Matusiewicz and Josef Pieprzyk. Finding good differential patterns for attacks on SHA-1. Cryptology ePrint Archive, Report 2004/364, 2004.
12. National Institute of Standards and Technology (NIST). FIPS-180-2: Secure Hash Standard, August 2002. Available online at nist.gov/fipspubs/.
13. Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen. Exploiting Coding Theory for Collision Attacks on SHA-1. In Nigel P. Smart, editor, Cryptography and Coding, Cirencester, UK, December 19-21, 2005, Proceedings, volume 3796 of LNCS. Springer, 2005.
14. Bart Preneel. Analysis and Design of Cryptographic Hash Functions. PhD thesis, Katholieke Universiteit Leuven, 1993.
15. Vincent Rijmen and Elisabeth Oswald. Update on SHA-1. In Alfred Menezes, editor, CT-RSA 2005, San Francisco, CA, USA, February 14-18, 2005, Proceedings, volume 3376 of LNCS. Springer, 2005.
16. Xiaoyun Wang, Dengguo Feng, Xuejia Lai, and Xiuyuan Yu. Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD, August 2004. Preprint, available at
17. Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, and Xiuyuan Yu. Cryptanalysis of the Hash Functions MD4 and RIPEMD. In Ronald Cramer, editor, EUROCRYPT 2005, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume 3494 of LNCS. Springer, 2005.
18. Xiaoyun Wang, Andrew Yao, and Frances Yao. New Collision Search for SHA-1, August 2005. Presented at rump session of CRYPTO 2005.
19. Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full SHA-1. In Victor Shoup, editor, CRYPTO 2005, Santa Barbara, California, USA, August 14-18, 2005, Proceedings, volume 3621 of LNCS. Springer, 2005.

20. Xiaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functions. In Ronald Cramer, editor, EUROCRYPT 2005, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume 3494 of LNCS. Springer, 2005.
21. Xiaoyun Wang, Hongbo Yu, and Yiqun Lisa Yin. Efficient Collision Search Attacks on SHA-0. In Victor Shoup, editor, CRYPTO 2005, Santa Barbara, California, USA, August 14-18, 2005, Proceedings, volume 3621 of LNCS. Springer, 2005.

A Probability Bounds for Single-Bit Disturbances

Based on formulae (8) and (9) in Section 3.3, the probability of $f_{XOR}$ and $f_{MAJ}$ can be bounded as follows. We know that

$$\sum_{k=1}^{32-j} 2^{-4k} = \frac{2^{-4} - 2^{-4(33-j)}}{1 - 2^{-4}} = \frac{1 - 2^{-4(32-j)}}{15} < \frac{1}{15},$$
$$\sum_{k=1}^{27-j} 2^{-4k} = \frac{2^{-4} - 2^{-4(28-j)}}{1 - 2^{-4}} = \frac{1 - 2^{-4(27-j)}}{15} < \frac{1}{15}, \quad \text{and}$$
$$2^{2-4(32-j)} + \sum_{k=1}^{31-j} 2^{-4k} = 2^{2-4(32-j)} + \frac{2^{-4} - 2^{-4(32-j)}}{1 - 2^{-4}} = \frac{1}{15} + \frac{44}{15} \, 2^{-4(32-j)}.$$

Therefore, we get the following bounds on the probability for $f_{XOR}$ and $f_{MAJ}$:

$$2^{-4} \le p(f_{XOR}, j) < \tfrac{1}{15} \quad \text{for } j = 2, \ldots, 26, \qquad (12)$$
$$2^{-4} < p(f_{XOR}, j) \le 2^{-2} \quad \text{for } j = 27, \ldots, 31, \qquad (13)$$
$$2^{-4} \le p(f_{MAJ}, j) < \tfrac{1}{15} \quad \text{for } j = 2, \ldots, 26 \text{ and } j = 27, \ldots, 30, \qquad (14)$$

where the lower bound for the probability $2^{-4}$ is derived by counting conditions. For instance, if we compute the probability for a disturbance in bit position $j = 3$ we get for both $f_{XOR}$ and $f_{MAJ}$ a probability of $2^{-3.907}$ instead of $2^{-4}$.

B Probabilities for Disturbances in Consecutive Bit Position

Here we give the probabilities for disturbances in consecutive bit positions for $f_{XOR}$. This is the generalization of the case presented in Section 3.4. Again,

we have to consider uncorrectable carries. Uncorrectable carries occur if the disturbances are in bit positions $j = 2, 1$ and $j = 27, 26$. In these cases, we get the probability of both disturbances without carry. If $j = 2, 1$, we obtain a probability of $2^{-2} \cdot 2^{-4} = 2^{-6}$, and $j = 27, 26$ results in $2^{-4} \cdot 2^{-4} = 2^{-8}$. Let us now consider disturbances in consecutive bit positions from $j = 2, \ldots, 25$, i.e. the tuples $j = (3,2), (4,3), \ldots, (26,25)$, and from $j = 27, \ldots, 30$, i.e. the tuples $j = (28,27), (29,28), (30,29), (31,30)$. The formulae for all cases are given in (15), where $j$ refers to the right entry of the tuple (the tuples with $j = 1$ and $j = 26$ are the uncorrectable cases treated above):
\[
p(f_{XOR}, (j+1, j)) =
\begin{cases}
\sum_{k=1}^{27-j} 2^{-4k} & \text{for } j = 2, \ldots, 25, \\[4pt]
2^{-4(32-j)} + \sum_{k=1}^{31-j} 2^{-4k} & \text{for } j = 27, \ldots, 30.
\end{cases} \tag{15}
\]
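The carry behaviour behind Appendices A and B, as an added worked example that is not code from the paper: it computes the exact distribution of the carry-chain length that a single-bit modular difference $2^j$ produces in an $n$-bit word (including the carry that falls off the MSB, which is what makes the high bit positions the uncorrectable cases), checks that closed form against brute-force enumeration on a small word size, and evaluates sums of the form $\sum_{k=1}^{m} 2^{-4k}$ in closed form against the $2^{-4}$ condition-count lower bound. The helper `single_bit_sum` takes the summation limits as they read in Appendix A and is an assumption of this example; the constant 4 in the exponent is likewise taken from the appendix, not re-derived here.

```python
from fractions import Fraction


def xor_diff_weight(x, j, n=32):
    """Length of the XOR (signed) difference that the modular difference 2^j
    produces in x: the Hamming weight of x XOR ((x + 2^j) mod 2^n).
    A carry that leaves the word through bit n-1 is simply lost; this is
    the 'uncorrectable' carry situation the appendix singles out."""
    mask = (1 << n) - 1
    d = x ^ ((x + (1 << j)) & mask)
    return bin(d).count("1")


def chain_length_distribution(j, n=32):
    """Exact P[XOR difference has length k] over uniformly random n-bit x.
    Length k means bits j..j+k-2 of x are 1 and bit j+k-1 is 0: P = 2^-k.
    The longest run, k = n-j, only needs bits j..n-2 set (bit n-1 may be
    anything, the carry out is truncated): P = 2^-(n-j-1)."""
    dist = {}
    for k in range(1, n - j + 1):
        dist[k] = Fraction(1, 2 ** (k if k < n - j else k - 1))
    return dist


def chain_length_distribution_by_enumeration(j, n):
    """The same distribution by trying all 2^n words (small n only),
    used to check the closed form above."""
    counts = {}
    for x in range(1 << n):
        k = xor_diff_weight(x, j, n)
        counts[k] = counts.get(k, 0) + 1
    return {k: Fraction(c, 1 << n) for k, c in sorted(counts.items())}


def geometric_sum(m, a=4):
    """sum_{k=1}^{m} 2^{-a k}, term by term (a = 4 as in the appendix)."""
    return sum(Fraction(1, 2 ** (a * k)) for k in range(1, m + 1))


def geometric_sum_closed(m, a=4):
    """Closed form of the same sum: (r - r^(m+1)) / (1 - r) with r = 2^-a,
    i.e. (1 - 2^-(a m)) / (2^a - 1)."""
    r = Fraction(1, 2 ** a)
    return (r - r ** (m + 1)) / (1 - r)


def single_bit_sum(j, n=32):
    """Summation limits as they read in Appendix A (an assumption of this
    example, not an independent derivation): 27-j terms for 2 <= j <= 26,
    n-j terms for 27 <= j <= n-1."""
    if 2 <= j <= 26:
        return geometric_sum_closed(27 - j)
    if 27 <= j <= n - 1:
        return geometric_sum_closed(n - j)
    raise ValueError("j outside the ranges covered by the appendix")


def within_appendix_bounds(value, a=4):
    """2^-a <= value <= 1/(2^a - 1): the lower bound is the plain condition
    count, the upper bound is the limit of the geometric series."""
    return Fraction(1, 2 ** a) <= value <= Fraction(1, 2 ** a - 1)


if __name__ == "__main__":
    # Sample run on constructed inputs: 8-bit words so the enumeration is cheap.
    for j in (0, 2, 5, 7):
        assert chain_length_distribution(j, 8) == chain_length_distribution_by_enumeration(j, 8)
    for j in range(2, 32):
        s = single_bit_sum(j)
        print(j, float(s), within_appendix_bounds(s))
```

Running it shows that, for every bit position the appendix covers, the sum lies between $2^{-4}$ and $1/(2^4 - 1) = 1/15 \approx 2^{-3.91}$; the closed form is what makes the bounds (12) to (14) independent of $j$ apart from the summation limit, and the truncated last term of the distribution is the quantity that changes once a carry can run off the MSB.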


More information

observations on the simon block cipher family

observations on the simon block cipher family observations on the simon block cipher family Stefan Kölbl 1 Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Görtz Institute for IT Security,

More information

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium wu.hongjun,bart.preneel@esat.kuleuven.be

More information

A Sound Method for Switching between Boolean and Arithmetic Masking

A Sound Method for Switching between Boolean and Arithmetic Masking A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com

More information