Message modification, neutral bits and boomerangs

Similar documents
Boomerang Distinguisher for the SIMD-512 Compression Function

EEE 241: Linear Systems

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

Kernel Methods and SVMs Extension

Introduction to Algorithms

Report on Image warping

Basic Regular Expressions. Introduction. Introduction to Computability. Theory. Motivation. Lecture4: Regular Expressions

Cryptanalysis of Some Double-Block-Length Hash Modes of Block Ciphers with n-bit Block and n-bit Key

Ensemble Methods: Boosting

NUMERICAL DIFFERENTIATION

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur

Global Sensitivity. Tuesday 20 th February, 2018

PARTICIPATION FACTOR IN MODAL ANALYSIS OF POWER SYSTEMS STABILITY

VQ widely used in coding speech, image, and video

Geometric drawings of K n with few crossings

Errors for Linear Systems

A CLASS OF RECURSIVE SETS. Florentin Smarandache University of New Mexico 200 College Road Gallup, NM 87301, USA

NEW CONSTRUCTIONS IN LINEAR CRYPTANALYSIS OF BLOCK CIPHERS

Lecture 10: May 6, 2013

VARIATION OF CONSTANT SUM CONSTRAINT FOR INTEGER MODEL WITH NON UNIFORM VARIABLES

Supplement: Proofs and Technical Details for The Solution Path of the Generalized Lasso

Security Analysis of SIMD

Finding Dense Subgraphs in G(n, 1/2)

Uncertainty in measurements of power and energy on power networks

Algebraic properties of polynomial iterates

Hash functions : MAC / HMAC

ELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM

Société de Calcul Mathématique SA

Turing Machines (intro)

Search sequence databases 2 10/25/2016

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7

CHAPTER 17 Amortized Analysis

18.1 Introduction and Recap

Learning Theory: Lecture Notes

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud

Differential Cryptanalysis of Nimbus

Computing Correlated Equilibria in Multi-Player Games

Note on EM-training of IBM-model 1

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009

MACHINE APPLIED MACHINE LEARNING LEARNING. Gaussian Mixture Regression

FE REVIEW OPERATIONAL AMPLIFIERS (OP-AMPS)( ) 8/25/2010

Lecture Space-Bounded Derandomization

The Expectation-Maximization Algorithm

The Key-Dependent Attack on Block Ciphers

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Impossible differential attacks on 4-round DES-like ciphers

Pulse Coded Modulation

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL

The Geometry of Logit and Probit

Calculation of time complexity (3%)

HMMT February 2016 February 20, 2016

NP-Completeness : Proofs

One-sided finite-difference approximations suitable for use with Richardson extrapolation

Random Walks on Digraphs

Feature Selection: Part 1

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X

Lecture 4: Universal Hash Functions/Streaming Cont d

Transfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system

An Introduction to Morita Theory

Statistics Chapter 4

Robust Norm Equivalencies and Preconditioning

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016

Economics 130. Lecture 4 Simple Linear Regression Continued

A New Refinement of Jacobi Method for Solution of Linear System Equations AX=b

Gasometric Determination of NaHCO 3 in a Mixture

Split alignment. Martin C. Frith April 13, 2012

arxiv:cs.cv/ Jun 2000

Semi-supervised Classification with Active Query Selection

Implicit Integration Henyey Method

Multilayer Perceptron (MLP)

Communication Complexity 16:198: February Lecture 4. x ij y ij

PHYS 705: Classical Mechanics. Newtonian Mechanics

Introduction to Algorithms

THE SUMMATION NOTATION Ʃ

Lecture Notes on Linear Regression

Affine transformations and convexity

Week3, Chapter 4. Position and Displacement. Motion in Two Dimensions. Instantaneous Velocity. Average Velocity

CHAPTER 14 GENERAL PERTURBATION THEORY

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

Indeterminate pin-jointed frames (trusses)

Cryptanalysis of TWOPRIME

Lecture 14: Forces and Stresses

Beyond Zudilin s Conjectured q-analog of Schmidt s problem

Application of Nonbinary LDPC Codes for Communication over Fading Channels Using Higher Order Modulations

A new construction of 3-separable matrices via an improved decoding of Macula s construction

A Comparison between Weight Spectrum of Different Convolutional Code Types

), it produces a response (output function g (x)

Finding Primitive Roots Pseudo-Deterministically

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM

1 Matrix representations of canonical matrices

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE

FREQUENCY DISTRIBUTIONS Page 1 of The idea of a frequency distribution for sets of observations will be introduced,

Lecture 10 Support Vector Machines II

Difference Equations

An efficient algorithm for multivariate Maclaurin Newton transformation

Assortment Optimization under MNL

Temperature. Chapter Heat Engine

Maximizing the number of nonnegative subsets

Cokriging Partial Grades - Application to Block Modeling of Copper Deposits

Transcription:

Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1

Dfferental cryptanalyss of SHA Started n 1998 wth SHA-0 Many mprovements startng from 2004: Neutral bts technque Mult-block collsons Message modfcaton technques Non lnear dfferental paths In ths talk, we focus on: Neutral bts Message modfcaton Boomerang attack 2

Overvew of the basc attack 3

Notatons Notaton F q (X, Y,..., Z) Defnton Fnte feld wth q elements. Concatenaton of 32-bts words. + Addton on 32-bts words modulo 2 32. ROL (X) X Exclusve or on bts or 32-bts words. Inclusve or on bts or 32-bts words. Logcal and on bts or 32-bts words. Rotaton by R bts of a 32-bts word. The th bt of 32-bts word X, from the least sgnfcant 0 to the most sgnfcant 31. 4

Descrpton of SHA 5

Intalzaton of SHA compresson functon D E A (0), B (0),C (0), D (0), E (0) for = 0 to 79 A (+1) = ADD W (), ROL A () B () 5, f (), C (), D (),E (),K () B (+1) C (+1) = A () = ROL 30 B () D (+1) = C () E (+1) = D () Output D E A (0) + A (80), B (0) + B (80), C (0) + C (80), D (0) + D (80), E (0) + E (80) 6

Functons f () (X,Y,Z), and Constants K () Round Functon f () Constant K () Name Defnton 0 19 IF (X Y ) ( X Z) 0x5A827999 20 39 XOR (X Y Z) 0x6ED9EBA1 40 59 MAJ (X Y ) (X Z) (Y Z) 0x8F1BBCDC 60 79 XOR (X Y Z) 0xCA62C1D6 7

Input: W (0) (15),...,W Expanson of SHA-0 W () = W ( 3) W ( 8) W ( 14) W ( 16). (1) Output: W (0) (79),...,W 8

Dfference wth SHA-1 Slght dfference n the expanson: ( ) W () = ROL W ( 3) W ( 8) W ( 14) W ( 16) 1. (2) 32 E 0 = (e 0 ) non-nterleaved expanson of SHA-0. E 1 nterleaved expanson of SHA-1. 9

Lnearzed verson of SHA Replace ADD by XOR. Replace f by XOR. Then, collson can be found wth lnear algebra 10

Constructng Dfferental Collsons 11

Constructon of the Dfferental Mask For SHA-0: ( ) (0) (79) Fnd a dsturbance-vector m 0,...,m 0. Apply / t on bts 1, n order to obtan perturbatve mask ( 5) (79) M 0 = M,...,M defned by: 0 0 (), 5 1, M 0 = 0 (), 0 79, M 0,k = 0 f k = 1; () () 0,1 0, 0 79, M = m. For SHA-1: Drectly fnd the perturbatve mask M 0 Use a low weght vector of the expanson E 1 Algn many bts (not all) on bt 1 12

Correctve Masks From M 0 derve: M 1,...,M 5 : ( ), 4 79, M () 1 = ROL 5 M ( 1) 0 ; (3), 3 79, M () 2 = M ( 2) 0 ; (4) ( ) 0 ; (5) ( ) 0 ; (6) ( ) 0 ; (7), 2 79, M () 3 = ROL 30 M ( 3), 1 79, M () 4 = ROL 30 M ( 4), 0 79, M () 5 = ROL 30 M ( 5) 13

Constrants (basc attack on SHA-0) m 0 must be ended by 5 zeroes. Dfferental mask M defned by () () () () () (), 0 79, M () = M M M M M M, 0 1 2 3 4 5 (8) must be an output of E 0. Ensured by: () ( 3) ( 8) ( 14) ( 16) M = M M M M,, 11 < 80. 0 0 0 0 0 (9) 14

Consequence for lnearzed model There exsts 64 error vectors m 0 satsfyng the constrants. There exsts 64 masks M: we deduce µ such that M = E 0 (µ). For all nput W = W (0)...W (15), W = W µ has same output by the lnearzed compresson functon. Wth non-neglgble probablty, also gve attack on real SHA 15

Applcaton to SHA-0 A few patterns. Best one m 0 wth probablty 1/2 61 : 00000 00100010000000101111 01100011100000010100 01000100100100111011 00110000111110000000 Complexty goes down to 2 56 wth neutral bts of Bham and Chen 16

Multblock technques Non lnear characterstcs Recent mprovements Non lnearty for a few rounds n the frst SHA-0 collson Non lnearty durng about 16 rounds n Wang s et al SHA-1 attack Remove a lot of constrants (and mprove attacks) 17

Evaluatng the cost of the attack Three mportant phases: Early rounds, where control s possble Late rounds, where behavor s probablstc Fnal rounds, where msbehavor can be partally gnored Roughly the complexty arses from the probablty of success n the late rounds (the fnal rounds beng excepted) Evaluated by computng the probablty of success of each local collson 18

Evaluatng the cost of a sngle local collson Dsturbance nserton: No carry wanted (pr 1/2) A correcton: Need opposte sgn (pr 1) B correcton: Dsturbance propagates wth the rght sgn (pr 1/2) C correcton: Dsturbance propagates (Bt 31, pr 1 or 1/2) Other bts: wth the rght sgn (pr 1/2) Possble dependence on D wth MAJ D correcton: Dsturbance propagates (Bt 31, pr 1 or 1/2) Other bts: wth the rght sgn (pr 1/2) E correcton: Need opposte sgn (pr 1) 19

Where do the late rounds start In the basc attack, round 16 (or 18 wth some care) Wth neutral bts of Bham and Chen, round 23 Use the fact that some message bts changes do not affect conformance. From one canddate message par, generates many Wth message modfcatons of Wang et al., round 26 Use ad hoc message changes to force conformance n early rounds Much fewer pars to explore, however each par costs more Wang et al. at frst Hash Workshop announced cost 2 63 + 2 60. Crypto 05 was round 23, cost 2 2 71 pars, 2 69 SHA computatons 20

Where do the late rounds start Can we do better and mprove the overall complexty? One track s to mprove message modfcaton. For example Gröbner approach. The cost per message par s potentally hgh Another track s to mprove neutral bts. Our approach here: Use a varant of the boomerang attack 21

Boomerang pcture for block cphers P 1 P 2 P 1 P 2 C 1 C 2 C 1 C 2 22

Boomerang pcture for hash compresson M 1 M 2 M 1 M 2 h 1 h 2?? h 1 h 2 23

Boomerang for hash compresson Each M, M par s a partally conformant par of the man dfferental Both pars are related by a hgh probablty auxllary dfferental The auxllary dfferental preserves conformance n the early rounds Beyond these rounds, the man dfferental holds (heurstc) Each auxllary dfferental thus doubles the number of conformant pars Very smlar to the neutral bt technque Longer range of the conformance preservng property 24

Constructon of auxllary dfferentals A smple technque s to use collsons on pars at some ntermedate round Frst example of auxllary dfferental (expermentally seen n neutral bts) Insert dfference n round 6 at bt Correct n round 7 at bt + 7 Correct n round 11 at bt 2 Rely on non-lnearty for other correcton Wth a well-chosen message par, collson n round 12 No more (auxllary) dfference up to round 19 Conformance to the man dfferental contnues for a few addtonal rounds 25

An auxllary dfferental wth parwse collson up to round 26 Found by smple search on bts 2, and + 5 Contans 5 local collson patterns Collson n round 16, no more dfference up to round 26 Bt 0 4 6 8 10 Bt + 5 1 5 7 9 11 Bt Bt 2 Bt 2 8 10 14 Bt 2 5 9 11 13 15 26

Assocated constrants n ntal par M (0) A (1) = a = a M (4) A (5) = b = b M (6) A (7) = c = c M (8) A (9) = d = d M (10) A (11) M (1) +5 = ā M (5) +5 = b M (7) +5 = c M (9) +5 = d M (11) +5 = ē A (0) +2 = A ( 1) +2 A (4) +2 = A (3) +2 A (6) +2 = A (5) +2 A (8) +2 = A (7) +2 A (10) +2 = A (9) +2 A (2) 2 = 0 A (6) 2 = 0 A (8) 2 = 0 A (10) 2 = 0 A (12) 2 = 0 A (3) 2 = 1 A (7) 2 = 0 M (8) 2 = b A (9) 2 = 0 M (10) 2 = c = e = e A (11) 2 = 1 A (13) 2 = 0 M (14) 2 = ē M (5) 2 = ā M (9) 2 = b M (11) 2 = c M (13) 2 = d M (15) 2 = ē 27

An auxllary dfferental wth parwse collson up to round 24 Contans 4 local collson patterns Collson n round 14, no more dfference up to round 24 Bt 2 4 6 8 Bt + 5 3 5 7 9 Bt 2 5 7 9 Bt 2 6 8 12 Bt 2 7 9 11 13 28

M (2) A (3) Assocated constrants n ntal par = a = a M (4) A (5) = b = b M (6) A (7) = c = c M (8) A (9) = e = d M (3) +5 = ā M (5) +5 = b (7) M +5 = c M (9) +5 = d A (2) +2 = A (1) +2 A (4) +2 = A (3) +2 A (6) +2 = A (5) +2 A (8) +2 = A (7) +2 A (4) 2 = 1 A (6) 2 = 1 A (8) 2 = 1 A (10) 2 = 0 A (5) 2 = 0 A (7) 2 = 0 A (9) 2 = 1 A (11) 2 = 0 M (7) 2 = ā M (9) 2 = b (11) M 2 = c M (13) 2 = d 29

Ongong work Dependng on bt poston nduces conformance up to round 28, 29 or more No hgh message modfcaton cost Compatble wth the neutral bt technque Techncal dffcultes: Buld a non-lnear characterstc compatble wth enough auxllary characterstcs Useful tool: see talk of De Cannère and Rechberger Combne wth smple message modfcaton Expected result: SHA-1 weaker today than SHA-0 n 1998 30

A safety measure for collson bulders Sooner or later a SHA-1 collson wll be produced Ths wll be an mportant mlestone for hash functons Yet t would be nce to mnmze bad consequences Proposed safety measure: Change the IV whle keepng true SHA-1 For ths, prepend a long enough, publcly announced, strng Two smple possbltes: Prepend 1Gbyte of zeroes Prepend 1Gbyte of bnary expanson of π, e, 2,... 31

Concluson Questons 32

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback