Linearization and Message Modification Techniques for Hash Function Cryptanalysis


Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification Techniques 1 / 25

Overview

- Introduction
- Linearization and Message Modifications
- Application to ARIRANG
- Conclusions

Hash Functions - Definitions and Properties

Definition: A hash function h is a function that takes a bit string of arbitrary length as input and produces a fixed-size output of n bits.

Properties:

- Collision Resistance: it is computationally difficult to find $x$ and $x'$ such that $h(x) = h(x')$, with expected complexity $2^{n/2}$.
- Preimage Resistance: given a digest $t$, it is computationally difficult to find $x$ such that $h(x) = t$, with expected complexity $2^{n}$.
- Second Preimage Resistance: given a message $x$, it is computationally difficult to find $x' \neq x$ such that $h(x) = h(x')$, with expected complexity $2^{n-k}$.

Merkle-Damgård

Strengthening by Merkle and Damgård in 1989, with proof for collision resistance reduction, i.e., if the compression function f is collision resistant, then the hash function.

Davies-Meyer Construction and Collisions

Davies-Meyer Construction: to construct a compression function f from a block cipher E:

$f(CV, m) = E_m(CV) \oplus CV$

Compression Function Collisions:

- free-start collision: $f(CV, m) = f(CV', m')$.
- semi-free-start collision: $f(CV, m) = f(CV, m')$.

Note: collisions of the compression function do not necessarily, and in most cases do not, lead directly to collisions of the hash. However, they break the assumption of the collision proof and hence weaken confidence in the security of the hash.

Linearization

XOR Differences

In many designs, Addition-Rotation-Xor (ARX) operations are involved.

Let $\Delta = x \oplus x'$, and denote $g(\Delta)$ as $g(x) \oplus g(x')$, then:

- when $g(x) = x \oplus C$ (C is a constant), then $g(\Delta) = g(x) \oplus g(x') = (x \oplus C) \oplus (x' \oplus C) = x \oplus x' = \Delta$.
- when $g(x) = x \lll r$ (r is a rotation constant), then $g(\Delta) = (x \lll r) \oplus (x' \lll r) = (x \oplus x') \lll r = \Delta \lll r$.
- However, when $g(x) = x + C$ (C is a constant), $g(\Delta) = (x + C) \oplus (x' + C)$, which is not $\Delta$ for some cases.

XOR Differences and Addition Modulo $2^8$

Consider $g(x) = x + C$ with the simplest case, i.e., $x = 0$, $x' = 1$, hence $\Delta = 1$:

C          g(x)       g(x')      g(Δ)       Prob.
0          0          1          1          $2^{-1}$
01         01         10         11         $2^{-2}$
011        011        100        111        $2^{-3}$
11111111   11111111   00000000   11111111   $2^{-8}$

Linearization: approximate the behaviour of addition, w.r.t. XOR differences, as XOR with probability 2.

Special Notes

MSB is free:

- A difference in the most significant bit (MSB) is preserved with probability 1, i.e., with $x = 0$, $x' = 2^{k-1}$, $g(x) = (x + C) \bmod 2^{k}$, $g(\Delta) = \Delta$ for any C.
- Linearization probability is 2, where is the difference excluding MSB.

Rotation Invariant Differences:

- $\Delta$ is called rotation invariant w.r.t. r if $\Delta \lll r = \Delta$. E.g., 10001000 is rotation invariant w.r.t. r = 4 with k = 8.
- The ALL-ONE difference (111...111) is rotation invariant w.r.t. any r, k.
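The linearity claims above can be checked exhaustively for 8-bit words. This Python is an added example, not code from the slides; the function names are assumptions. It confirms that XOR with a constant and rotation pass a difference deterministically, and that over all x and C the difference survives addition with probability 2^-w, where w counts the set bits of the difference below the MSB.

```python
K = 8  # word size in bits; the slides use k = 8 in their examples


def rotl(x, r, k=K):
    """Rotate the k-bit word x left by r positions."""
    r %= k
    return ((x << r) | (x >> (k - r))) & ((1 << k) - 1)


def xor_and_rotation_are_linear(delta, c, r, k=K):
    """Check g(delta) for g(x) = x ^ C and g(x) = x <<< r over every x."""
    for x in range(1 << k):
        x2 = x ^ delta
        if (x ^ c) ^ (x2 ^ c) != delta:
            return False
        if rotl(x, r, k) ^ rotl(x2, r, k) != rotl(delta, r, k):
            return False
    return True


def addition_keeps_difference(delta, k=K):
    """Fraction of (x, C) pairs with (x + C) ^ (x' + C) == delta, x' = x ^ delta."""
    mask = (1 << k) - 1
    hits = sum(
        1
        for x in range(1 << k)
        for c in range(1 << k)
        if ((x + c) & mask) ^ (((x ^ delta) + c) & mask) == delta
    )
    return hits / (1 << (2 * k))


def weight_without_msb(delta, k=K):
    """Hamming weight of delta with the most significant bit cleared."""
    return bin(delta & ((1 << (k - 1)) - 1)).count("1")


def is_rotation_invariant(delta, r, k=K):
    """True if rotating delta left by r leaves it unchanged."""
    return rotl(delta, r, k) == delta


if __name__ == "__main__":
    for d in (0x80, 0x01, 0x03, 0x88, 0xFF):
        print(f"delta={d:08b}  measured={addition_keeps_difference(d):.6f}  "
              f"2^-{weight_without_msb(d)}")
    print("10001000 invariant for r=4:", is_rotation_invariant(0b10001000, 4))
```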

ARIRANG

SHA-3 candidate ARIRANG

- One of the first round SHA-3 candidates
- Designed by a team from Center for Information Security Technologies (CIST), Korea University: Donghoon Chang, Seokhie Hong, Changheon Kang, Jinkeon Kang, Jongsung Kim, Changhoon Lee, Jesang Lee, Jongtae Lee, Sangjin Lee, Yuseop Lee, Jongin Lim, Jaechul Sung
- Design mixing parts from AES-based (S-box, MixColumn) and ARX designs (word addition, rotations, xor)
- Follows Merkle-Damgård strengthening

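Hash function

[Figure: the message M is padded as pad(M) = M || 10...0 || len and split into blocks $M_1, M_2, \ldots, M_{N-1}, M_N$; the blocks are processed in sequence starting from $H_0$, with counters $Ctr_1, Ctr_2, \ldots, Ctr_{N-1}, Ctr_N$, to produce h(M).]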

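Compression function

[Figure: compression function with inputs H and M. The message expansion feeds $W_{\sigma(0)}, W_{\sigma(1)}$ to step 1, $W_{\sigma(2)}, W_{\sigma(3)}$ to step 2, ..., $W_{\sigma(38)}, W_{\sigma(39)}$ to step 20, $W_{\sigma(40)}, W_{\sigma(41)}$ to step 21, $W_{\sigma(42)}, W_{\sigma(43)}$ to step 22, ..., $W_{\sigma(78)}, W_{\sigma(79)}$ to step 40.]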

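Message expansion

1. Generate 16 more words as linear combinations of $M_0, \ldots, M_{15}$
2. Pick (with repetitions) 80 words out of the 32 words obtained in the previous step

$M_0, \ldots, M_{15}$
$W_{16} = (M_9 \oplus M_{11} \oplus M_{13} \oplus M_{15} \oplus K_0) \lll r_0$
$W_{17} = (M_8 \oplus M_{10} \oplus M_{12} \oplus M_{14} \oplus K_1) \lll r_1$
$W_{18} = (M_1 \oplus M_3 \oplus M_5 \oplus M_7 \oplus K_2) \lll r_2$
$W_{19} = (M_0 \oplus M_2 \oplus M_4 \oplus M_6 \oplus K_3) \lll r_3$
$W_{20} = (M_{14} \oplus M_4 \oplus M_{10} \oplus M_0 \oplus K_4) \lll r_0$
$W_{21} = (M_{11} \oplus M_1 \oplus M_7 \oplus M_{13} \oplus K_5) \lll r_1$
$W_{22} = (M_6 \oplus M_{12} \oplus M_2 \oplus M_8 \oplus K_6) \lll r_2$
$W_{23} = (M_3 \oplus M_9 \oplus M_{15} \oplus M_5 \oplus K_7) \lll r_3$
$W_{24} = (M_{13} \oplus M_{15} \oplus M_1 \oplus M_3 \oplus K_8) \lll r_0$
$W_{25} = (M_4 \oplus M_6 \oplus M_8 \oplus M_{10} \oplus K_9) \lll r_1$
$W_{26} = (M_5 \oplus M_7 \oplus M_9 \oplus M_{11} \oplus K_{10}) \lll r_2$
$W_{27} = (M_{12} \oplus M_{14} \oplus M_0 \oplus M_2 \oplus K_{11}) \lll r_3$
$W_{28} = (M_{10} \oplus M_0 \oplus M_6 \oplus M_{12} \oplus K_{12}) \lll r_0$
$W_{29} = (M_{15} \oplus M_5 \oplus M_{11} \oplus M_1 \oplus K_{13}) \lll r_1$
$W_{30} = (M_2 \oplus M_8 \oplus M_{14} \oplus M_4 \oplus K_{14}) \lll r_2$
$W_{31} = (M_7 \oplus M_{13} \oplus M_3 \oplus M_9 \oplus K_{15}) \lll r_3$

σ(i), steps 1 to 20      σ(i), steps 21 to 40
16, 17                   24, 25
0, 1                     12, 5
2, 3                     14, 7
4, 5                     0, 9
6, 7                     2, 11
18, 19                   26, 27
8, 9                     4, 13
10, 11                   6, 15
12, 13                   8, 1
14, 15                   10, 3
20, 21                   28, 29
3, 6                     7, 2
9, 12                    13, 8
15, 2                    3, 14
5, 8                     9, 4
22, 23                   30, 31
11, 14                   15, 10
1, 4                     5, 0
7, 10                    11, 6
13, 0                    1, 12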

Step transformation

- transforms 8 32-bit words of the state and 8 words of the expanded message to new state
- uses 32-bit rotations, XORs and a $32 \times 32$ bit function $G_{256}$
- only non-linear (over $F_2$) part is $G_{256}$

[Figure: step function mapping the state $(A_t, B_t, C_t, D_t, E_t, F_t, G_t, H_t)$ to $(A_{t+1}, B_{t+1}, C_{t+1}, D_{t+1}, E_{t+1}, F_{t+1}, G_{t+1}, H_{t+1})$ using message words $W_{\sigma(2t)}$, $W_{\sigma(2t+1)}$ and two applications of $G_{256}$.]

Function $G_{256}$

[Figure: four S-boxes (S S S S) followed by $MDS_{4 \times 4}$.]

- $32 \times 32$ composite "megabox": 4 bytewise AES S-boxes
- Followed by $MDS_{4 \times 4}$ transformation (AES MixColumn)
- ARIRANG-512 uses a similar function $G_{512}$ defined on 8 32-bit words and using $MDS_{8 \times 8}$.

Basic observations

- $MDS_{4 \times 4}$ has fixed points of the form (a, a, a, a)

$$MDS_{4 \times 4} = \begin{pmatrix} z & z+1 & 1 & 1 \\ 1 & z & z+1 & 1 \\ 1 & 1 & z & z+1 \\ z+1 & 1 & 1 & z \end{pmatrix}$$

- S-box differential 0xff → 0xff is possible with prob. $2^{-7}$.
- Differential 0xffffffff → 0xffffffff for $G_{256}$ has probability $2^{-28}$
- 512-bit variant: no fixed points for MDS, but still can get all-ones to all-ones differences

All-one differences

If we consider only all-one differences:

- rotations in step function do not play any role
- we can replace $G_{256}$ with identity (with prob. $2^{-28}$), i.e., $2^{4}$ values.
- One register can be represented as a single bit (truncated differential)
- Linearized model has 8 + 16 variables: we have $2^{24}$ paths

[Figure: linearized step function mapping $(A_t, \ldots, H_t)$ to $(A_{t+1}, \ldots, H_{t+1})$ with message words $W_{\sigma(2t)}$, $W_{\sigma(2t+1)}$ and $G_{256}$ replaced by identity.]
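The basic observations on $G_{256}$ and the count of $2^{4}$ input values for which the all-one difference passes it unchanged can be verified exhaustively. This Python is an added example, not code from the slides or the ARIRANG submission; the byte order inside the 32-bit word and all function names are assumptions.

```python
from itertools import product


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def rotl8(x, r):
    """Rotate a byte left by r positions."""
    return ((x << r) | (x >> (8 - r))) & 0xFF


def build_aes_sbox():
    """AES S-box: field inverse (0 maps to 0) followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        sbox.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2)
                    ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return sbox


SBOX = build_aes_sbox()


def mds4(col):
    """Circulant matrix (z, z+1, 1, 1), i.e. AES MixColumn, on four bytes."""
    return [gf_mul(2, col[i]) ^ gf_mul(3, col[(i + 1) % 4])
            ^ col[(i + 2) % 4] ^ col[(i + 3) % 4] for i in range(4)]


def g256(word):
    """S-box layer then MDS on a 32-bit word (byte order is an assumption)."""
    b = [(word >> s) & 0xFF for s in (24, 16, 8, 0)]
    out = mds4([SBOX[v] for v in b])
    return (out[0] << 24) | (out[1] << 16) | (out[2] << 8) | out[3]


def mds_fixes_equal_bytes():
    """True if every column (a, a, a, a) is a fixed point of the MDS matrix."""
    return all(mds4([a] * 4) == [a] * 4 for a in range(256))


def good_bytes():
    """Bytes x for which the S-box maps difference 0xff to 0xff."""
    return [x for x in range(256) if SBOX[x] ^ SBOX[x ^ 0xFF] == 0xFF]


def good_g256_inputs():
    """32-bit inputs for which the all-one difference passes G256 unchanged."""
    words = []
    for b in product(good_bytes(), repeat=4):
        w = (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]
        if g256(w) ^ g256(w ^ 0xFFFFFFFF) == 0xFFFFFFFF:
            words.append(w)
    return words


if __name__ == "__main__":
    print("MDS fixes (a,a,a,a):", mds_fixes_equal_bytes())
    print("good S-box inputs:", [hex(x) for x in good_bytes()])
    print("good G256 inputs:", len(good_g256_inputs()), "of 2^32")
```

These inputs are the "good values" that message modification places at the input of each active $G_{256}$ so that the differential holds with certainty.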

Satisfying conditions

To eliminate probabilistic behaviour, we want to set inputs of active $G_{256}$ to good values.

- We have full control over words $W_0, \ldots, W_{15}$
- Through linear combinations, we have some control over words $W_{16}, \ldots, W_{31}$
- For semi-free-start collisions and pseudo-collisions, we additionally have control over initial values $IV_0, \ldots, IV_7$

[Figure: steps 1 to 5 of the compression function, states $(A_0, \ldots, H_0)$ to $(A_4, \ldots, H_4)$. Message words entering the steps: $W_{16}$ (from $W_9, W_{11}, W_{13}, W_{15}$) and $W_{17}$ (from $W_8, W_{10}, W_{12}, W_{14}$); $W_0, W_1$; $W_2, W_3$; $W_4, W_5$; $W_6, W_7$.]

Satisfying conditions

- If we can use initial values, conditions in steps 1 to 4 are always possible
- Depending on the number of active G, usually we can correct around 16 to 18 steps
- Might be possible to correct 20 steps in some cases

Pseudo-collision path

[Figure: differential path through steps 1 to 20, states $(A_0, \ldots, H_0)$ to $(A_{19}, \ldots, H_{19})$, followed by the output words H. Message words entering each step:]

- steps 1 to 5: $W_{16}, W_{17}$; $W_0, W_1$; $W_2, W_3$; $W_4, W_5$; $W_6, W_7$ (with $W_{16}$ from $W_9, W_{11}, W_{13}, W_{15}$ and $W_{17}$ from $W_8, W_{10}, W_{12}, W_{14}$)
- steps 6 to 10: $W_{18}, W_{19}$; $W_8, W_9$; $W_{10}, W_{11}$; $W_{12}, W_{13}$; $W_{14}, W_{15}$ (with $W_{18}$ from $W_1, W_3, W_5, W_7$ and $W_{19}$ from $W_0, W_2, W_4, W_6$)
- steps 11 to 15: $W_{20}, W_{21}$; $W_3, W_6$; $W_9, W_{12}$; $W_{15}, W_2$; $W_5, W_8$ (with $W_{20}$ from $W_{14}, W_4, W_{10}, W_0$ and $W_{21}$ from $W_{11}, W_1, W_7, W_{13}$)
- steps 16 to 20: $W_{22}, W_{23}$; $W_{11}, W_{14}$; $W_1, W_4$; $W_7, W_{10}$; $W_{13}, W_0$ (with $W_{22}$ from $W_6, W_{12}, W_2, W_8$ and $W_{23}$ from $W_3, W_9, W_{15}, W_5$)

Pseudo-collisions for ARIRANG-224/384

[Figure: compression function with inputs IV and M, steps 1 to 40, and message expansion.]

- single message block: can use 14 message words, last two for padding
- message corrections: 12 active $G_{256}$ in steps 2 to 18, complexity 2
- register H discarded for ARIRANG-224/384
- pseudo-collision for the complete hash function

Summary of results

Compression function

Result                                                  Complexity   Example
32-bit near-collision for full ARIRANG-256 compress     1            Y
64-bit near-collision for full ARIRANG-512 compress     1            Y
26-step (out of 40) collision for ARIRANG-256/512       1            Y

Hash function

Result                                                  Complexity   Example
pseudo-collision for full ARIRANG-224/384 hash          2 / 1        Y

Conclusions

A brief introduction to linearization and message modification techniques has been given, with examples of applications to ARIRANG.

Thanks for your attention!