Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family

Transcription

1 Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family Somitra Kr. Sanadhya and Palash Sarkar Cryptology Research Group Applied Statistics Unit Indian Statistical Institute, Kolkata India {somitra_r, ISC, Taipei, 17 th September 2008 Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

2 Cryptographic Hash functions À ÙÒØ ÓÒ h x h(x) {0, 1} {0, 1} n Fixed size Fingerprint" of arbitrary length data. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

3 Cryptographic Hash functions Used in : Verifying integrity of data. Digital signatures. Storing authentication information (Passwords).... Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

4 Hash function Security Requirements Collision resistance. Difficult to find x 1 and x 2 s.t. x 1 x 2 but h(x 1 ) = h(x 2 ) Preimage resistance. Given y, it is difficult to find an x s.t. h(x) = y Second Preimage resistance. Given x 1, it is difficult to find an x 2 s.t. x 1 x 2 but h(x 1 ) = h(x 2 ) Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

5 Merkle-Damgard Hash Design M 1 M 2 M k ÁÎ = h 0 f f f g h(m) h 1 h 2 h k Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

6 Hash Function Schema (for one block message) ÜÔ Ò Å ÁÎ W0 ËØ Ô ½ W1 ËØ Ô ¾ Å M0 M15 À ÇÙØÔÙØ Wn 2 ËØ Ô n 1 Wn 1 ËØ Ô n Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

7 Figure: Round function of SHA-2 family a i 1 b i 1 c i 1 d i 1 e i 1 f i 1 g i 1 h i K i + f MAJ f IF + + W i + + a i b i c i d i e i f i g i h i Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

8 The Notation Message words : I : {W 0, W 1,..., W 15 }, II: {W 0, W 1,..., W 15 }. These message words are then expanded upto W 20 and W 20 for this work. The word W i is used in Step i, where the index i starts from zero. Differences {δw 0,δW 1,...,δW 15 }. W i = W i + δw i. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

9 The Local Collision Ö Ø Ö = 0 ËØ Ô i W i ËØ Ô i W i + W i ËØ Ô i + 1 W i+1 ËØ Ô i + 1 W i+1 + W i+1 COPY 1 COPY 2 ËØ Ô i + 8 W i+8 ËØ Ô i + 8 W i+8 + W i+8 Ö Ø Ö = 0 Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

10 9-step Non-Linear Local Collision Step i δw i δa i δb i δc i δd i δe i δf i δg i δh i i i x x x i + 1 δw i+1 0 x 0 0 y x 0 0 i + 2 δw i x 0 z y x 0 i + 3 δw i x 0 z y x i + 4 δw i x 0 z y i + 5 δw i x 0 z i + 6 δw i x 0 i + 7 δw i x i + 8 x Nikolić-Biryukov (NB) : FSE 08 = {x, y, z}={1, 1, 0}; 2. Sanadhya-Sarkar (SS) : ACISP 08 = {x, y, z}={1, 1, 1} Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

11 The Cross Dependence Equation We note a special and simple relation in the a and the e register. For example, e i = d i 1 + Σ 1 (e i 1 ) + f IF (e i 1, f i 1, g i 1 ) + h i 1 + K i + W i = d i 1 + a i Σ 0 (a i 1 ) f MAJ (a i 1, b i 1, c i 1 ) = a i 4 + a i Σ 0 (a i 1 ) f MAJ (a i 1, a i 2, a i 3 ). (1) This relationship shows that the e register solely depends on the a register values of previous 5 steps. This relation also shows that the state update of the SHA-2 family can be written in terms of one variable only, as was also independently observed by Indesteege et al. (SAC 08). Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

12 Constructing the 21-Step SHA-2 Attack Have a single local collision spanning from Step 6 to Step 14. We take other message words to have no differences. That is δw i = 0 for i {0, 1, 2, 3, 4, 5, 15}. For the SS local collision, we have δw i = 0 for i {10, 11, 12, 13}. First 5 steps of message expansion of SHA-2 are shown next. W 16 = σ 1 (W 14 ) + W 9 + σ 0 (W 1 ) + W 0, W 17 = σ 1 (W 15 ) + W 10 + σ 0 (W 2 ) + W 1, W 18 = σ 1 (W 16 ) + W 11 + σ 0 (W 3 ) + W 2, W 19 = σ 1 (W 17 ) + W 12 + σ 0 (W 4 ) + W 3, W 20 = σ 1 (W 18 ) + W 13 + σ 0 (W 5 ) + W 4. Underlined terms may have non-zero differences. If W 16 = W 16 i.e. δw 16 = 0 then we have a 21-step collision. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

13 Constructing the 21-Step SHA-2 Attack W 16 = σ 1 (W 14 ) + W 9 + σ 0 (W 1 ) + W 0. δw 14 = 1. I.e. δw 16 = 0, = σ 1 (W 14 ) + W 9 = σ 1 (W 14 ) + W 9. I.e. δw 9 = σ 1 (W 14 ) σ 1 (W 14 1). In ACISP 08, we developed an improved probabilistic attack using the fact that the term σ 1 (X) σ 1 (X 1) is highly skewed. We created a list of pairs (X,σ 1 (X) σ 1 (X 1)). Now we can make the attack deterministic. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

14 Constructing the 21-Step SHA-2 Attack The SS local collision allows δw 9 to be set to any value. Even though σ 1 (W 14 ) σ 1 (W 14 1) is highly skewed, we can suitably choose δw 9 so as to satisfy the equality of these two terms. This allows the deterministic 21-step SHA-2 attack. Prior work had not been able to show 21-step SHA-512 collisions. We provide the first colliding message pair for 21-step SHA-512. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

15 Constructing the 21-Step SHA-2 Attack There are two different 21-step SHA-2 attacks in this work. Both the attacks are deterministic. There are 6 free words in the first attack. There are 5 free words in the second attack. In the first attack, the SS local collision has 4 consecutive δw i = 0. In the first attack, the SS local collision has 3 consecutive δw i = 0. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

16 The Case of the NB Local Collision δw 9 depends on e 6, e 7 and e 8. Assuming that these three register values are random, we have that Pr[δW 9 2 j ] < 1 2 j 1. I.e. δw 9 rarely takes very large values. On the other hand, for SHA-512, we have that σ 1 (X) σ 1 (X 1) ( ). The two lemmas above show that, using the NB local collision, obtaining equality of the two terms is very unlikely for SHA-512. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

17 The Case of the NB Local Collision More generally, if the NB local collision is started at Step i, then δw i+3 depends on e i, e i+1 and e i+2. Assuming that these three register values are random, we have that Pr[δW i+3 2 j ] < 1 2 j 1. But we still need to satisfy the equality δw i+3 = σ 1 (W i+8 ) σ 1 (W i+8 1). Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

18 Bridging the Gap for the NB Local Collision First of all, note that δw i+3 = f IF (e i+2, e i+1 1, e i ) + f IF (e i+2, e i+1, e i ). It is possible to ensure that the values of the registers e i+2, e i+1 and e i are such that the term δw i+3 is large. This allows attaining the equality possible. But, to attain such values of e i+2, e i+1 and e i, one needs to iterate over many initial words. = Equality is achieved at the cost of more work in the beginning of the search for message words. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

19 Recent work on SHA-2 22-step Deterministic SHA-512 Attack. (IACR eprint) 23-step SHA-512 attack with effort calls. (CoRR archive) 24-step SHA-512 attack with effort calls. (CoRR archive) Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20

20 Thank You The Organizers & The Audience. Sanadhya and Sarkar (ISI, Kolkata) Deterministic 21-step SHA-2 Attacks ISC / 20