Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1
Dfferental cryptanalyss of SHA Started n 1998 wth SHA-0 Many mprovements startng from 2004: Neutral bts technque Mult-block collsons Message modfcaton technques Non lnear dfferental paths In ths talk, we focus on: Neutral bts Message modfcaton Boomerang attack 2
Overvew of the basc attack 3
Notatons Notaton F q (X, Y,..., Z) Defnton Fnte feld wth q elements. Concatenaton of 32-bts words. + Addton on 32-bts words modulo 2 32. ROL (X) X Exclusve or on bts or 32-bts words. Inclusve or on bts or 32-bts words. Logcal and on bts or 32-bts words. Rotaton by R bts of a 32-bts word. The th bt of 32-bts word X, from the least sgnfcant 0 to the most sgnfcant 31. 4
Descrpton of SHA 5
Intalzaton of SHA compresson functon D E A (0), B (0),C (0), D (0), E (0) for = 0 to 79 A (+1) = ADD W (), ROL A () B () 5, f (), C (), D (),E (),K () B (+1) C (+1) = A () = ROL 30 B () D (+1) = C () E (+1) = D () Output D E A (0) + A (80), B (0) + B (80), C (0) + C (80), D (0) + D (80), E (0) + E (80) 6
Functons f () (X,Y,Z), and Constants K () Round Functon f () Constant K () Name Defnton 0 19 IF (X Y ) ( X Z) 0x5A827999 20 39 XOR (X Y Z) 0x6ED9EBA1 40 59 MAJ (X Y ) (X Z) (Y Z) 0x8F1BBCDC 60 79 XOR (X Y Z) 0xCA62C1D6 7
Input: W (0) (15),...,W Expanson of SHA-0 W () = W ( 3) W ( 8) W ( 14) W ( 16). (1) Output: W (0) (79),...,W 8
Dfference wth SHA-1 Slght dfference n the expanson: ( ) W () = ROL W ( 3) W ( 8) W ( 14) W ( 16) 1. (2) 32 E 0 = (e 0 ) non-nterleaved expanson of SHA-0. E 1 nterleaved expanson of SHA-1. 9
Lnearzed verson of SHA Replace ADD by XOR. Replace f by XOR. Then, collson can be found wth lnear algebra 10
Constructng Dfferental Collsons 11
Constructon of the Dfferental Mask For SHA-0: ( ) (0) (79) Fnd a dsturbance-vector m 0,...,m 0. Apply / t on bts 1, n order to obtan perturbatve mask ( 5) (79) M 0 = M,...,M defned by: 0 0 (), 5 1, M 0 = 0 (), 0 79, M 0,k = 0 f k = 1; () () 0,1 0, 0 79, M = m. For SHA-1: Drectly fnd the perturbatve mask M 0 Use a low weght vector of the expanson E 1 Algn many bts (not all) on bt 1 12
Correctve Masks From M 0 derve: M 1,...,M 5 : ( ), 4 79, M () 1 = ROL 5 M ( 1) 0 ; (3), 3 79, M () 2 = M ( 2) 0 ; (4) ( ) 0 ; (5) ( ) 0 ; (6) ( ) 0 ; (7), 2 79, M () 3 = ROL 30 M ( 3), 1 79, M () 4 = ROL 30 M ( 4), 0 79, M () 5 = ROL 30 M ( 5) 13
Constrants (basc attack on SHA-0) m 0 must be ended by 5 zeroes. Dfferental mask M defned by () () () () () (), 0 79, M () = M M M M M M, 0 1 2 3 4 5 (8) must be an output of E 0. Ensured by: () ( 3) ( 8) ( 14) ( 16) M = M M M M,, 11 < 80. 0 0 0 0 0 (9) 14
Consequence for lnearzed model There exsts 64 error vectors m 0 satsfyng the constrants. There exsts 64 masks M: we deduce µ such that M = E 0 (µ). For all nput W = W (0)...W (15), W = W µ has same output by the lnearzed compresson functon. Wth non-neglgble probablty, also gve attack on real SHA 15
Applcaton to SHA-0 A few patterns. Best one m 0 wth probablty 1/2 61 : 00000 00100010000000101111 01100011100000010100 01000100100100111011 00110000111110000000 Complexty goes down to 2 56 wth neutral bts of Bham and Chen 16
Multblock technques Non lnear characterstcs Recent mprovements Non lnearty for a few rounds n the frst SHA-0 collson Non lnearty durng about 16 rounds n Wang s et al SHA-1 attack Remove a lot of constrants (and mprove attacks) 17
Evaluatng the cost of the attack Three mportant phases: Early rounds, where control s possble Late rounds, where behavor s probablstc Fnal rounds, where msbehavor can be partally gnored Roughly the complexty arses from the probablty of success n the late rounds (the fnal rounds beng excepted) Evaluated by computng the probablty of success of each local collson 18
Evaluatng the cost of a sngle local collson Dsturbance nserton: No carry wanted (pr 1/2) A correcton: Need opposte sgn (pr 1) B correcton: Dsturbance propagates wth the rght sgn (pr 1/2) C correcton: Dsturbance propagates (Bt 31, pr 1 or 1/2) Other bts: wth the rght sgn (pr 1/2) Possble dependence on D wth MAJ D correcton: Dsturbance propagates (Bt 31, pr 1 or 1/2) Other bts: wth the rght sgn (pr 1/2) E correcton: Need opposte sgn (pr 1) 19
Where do the late rounds start In the basc attack, round 16 (or 18 wth some care) Wth neutral bts of Bham and Chen, round 23 Use the fact that some message bts changes do not affect conformance. From one canddate message par, generates many Wth message modfcatons of Wang et al., round 26 Use ad hoc message changes to force conformance n early rounds Much fewer pars to explore, however each par costs more Wang et al. at frst Hash Workshop announced cost 2 63 + 2 60. Crypto 05 was round 23, cost 2 2 71 pars, 2 69 SHA computatons 20
Where do the late rounds start Can we do better and mprove the overall complexty? One track s to mprove message modfcaton. For example Gröbner approach. The cost per message par s potentally hgh Another track s to mprove neutral bts. Our approach here: Use a varant of the boomerang attack 21
Boomerang pcture for block cphers P 1 P 2 P 1 P 2 C 1 C 2 C 1 C 2 22
Boomerang pcture for hash compresson M 1 M 2 M 1 M 2 h 1 h 2?? h 1 h 2 23
Boomerang for hash compresson Each M, M par s a partally conformant par of the man dfferental Both pars are related by a hgh probablty auxllary dfferental The auxllary dfferental preserves conformance n the early rounds Beyond these rounds, the man dfferental holds (heurstc) Each auxllary dfferental thus doubles the number of conformant pars Very smlar to the neutral bt technque Longer range of the conformance preservng property 24
Constructon of auxllary dfferentals A smple technque s to use collsons on pars at some ntermedate round Frst example of auxllary dfferental (expermentally seen n neutral bts) Insert dfference n round 6 at bt Correct n round 7 at bt + 7 Correct n round 11 at bt 2 Rely on non-lnearty for other correcton Wth a well-chosen message par, collson n round 12 No more (auxllary) dfference up to round 19 Conformance to the man dfferental contnues for a few addtonal rounds 25
An auxllary dfferental wth parwse collson up to round 26 Found by smple search on bts 2, and + 5 Contans 5 local collson patterns Collson n round 16, no more dfference up to round 26 Bt 0 4 6 8 10 Bt + 5 1 5 7 9 11 Bt Bt 2 Bt 2 8 10 14 Bt 2 5 9 11 13 15 26
Assocated constrants n ntal par M (0) A (1) = a = a M (4) A (5) = b = b M (6) A (7) = c = c M (8) A (9) = d = d M (10) A (11) M (1) +5 = ā M (5) +5 = b M (7) +5 = c M (9) +5 = d M (11) +5 = ē A (0) +2 = A ( 1) +2 A (4) +2 = A (3) +2 A (6) +2 = A (5) +2 A (8) +2 = A (7) +2 A (10) +2 = A (9) +2 A (2) 2 = 0 A (6) 2 = 0 A (8) 2 = 0 A (10) 2 = 0 A (12) 2 = 0 A (3) 2 = 1 A (7) 2 = 0 M (8) 2 = b A (9) 2 = 0 M (10) 2 = c = e = e A (11) 2 = 1 A (13) 2 = 0 M (14) 2 = ē M (5) 2 = ā M (9) 2 = b M (11) 2 = c M (13) 2 = d M (15) 2 = ē 27
An auxllary dfferental wth parwse collson up to round 24 Contans 4 local collson patterns Collson n round 14, no more dfference up to round 24 Bt 2 4 6 8 Bt + 5 3 5 7 9 Bt 2 5 7 9 Bt 2 6 8 12 Bt 2 7 9 11 13 28
M (2) A (3) Assocated constrants n ntal par = a = a M (4) A (5) = b = b M (6) A (7) = c = c M (8) A (9) = e = d M (3) +5 = ā M (5) +5 = b (7) M +5 = c M (9) +5 = d A (2) +2 = A (1) +2 A (4) +2 = A (3) +2 A (6) +2 = A (5) +2 A (8) +2 = A (7) +2 A (4) 2 = 1 A (6) 2 = 1 A (8) 2 = 1 A (10) 2 = 0 A (5) 2 = 0 A (7) 2 = 0 A (9) 2 = 1 A (11) 2 = 0 M (7) 2 = ā M (9) 2 = b (11) M 2 = c M (13) 2 = d 29
Ongong work Dependng on bt poston nduces conformance up to round 28, 29 or more No hgh message modfcaton cost Compatble wth the neutral bt technque Techncal dffcultes: Buld a non-lnear characterstc compatble wth enough auxllary characterstcs Useful tool: see talk of De Cannère and Rechberger Combne wth smple message modfcaton Expected result: SHA-1 weaker today than SHA-0 n 1998 30
A safety measure for collson bulders Sooner or later a SHA-1 collson wll be produced Ths wll be an mportant mlestone for hash functons Yet t would be nce to mnmze bad consequences Proposed safety measure: Change the IV whle keepng true SHA-1 For ths, prepend a long enough, publcly announced, strng Two smple possbltes: Prepend 1Gbyte of zeroes Prepend 1Gbyte of bnary expanson of π, e, 2,... 31
Concluson Questons 32