Practical Free-Start Collision Attacks on 76-step SHA-1

Similar documents
Practical Free-Start Collision Attacks on full SHA-1

Finding collisions for SHA-1

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Crypto Engineering (GBX9SY03) Hash functions

Linearization and Message Modification Techniques for Hash Function Cryptanalysis

Analysis of Differential Attacks in ARX Constructions

Attacks on hash functions. Birthday attacks and Multicollisions

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

The Hash Function JH 1

Lecture 14: Cryptographic Hash Functions

Beyond the MD5 Collisions

Weaknesses in the HAS-V Compression Function

CPSC 467: Cryptography and Computer Security

2: Iterated Cryptographic Hash Functions

Known and Chosen Key Differential Distinguishers for Block Ciphers

Week 12: Hash Functions and MAC

Nanyang Technological University, Singapore École normale supérieure de Rennes, France

Message Authentication Codes (MACs)

Introduction Description of MD5. Message Modification Generate Messages Summary

CPSC 467: Cryptography and Computer Security

Preimage Attacks on Reduced Tiger and SHA-2

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family

How to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland

New Attacks on the Concatenation and XOR Hash Combiners

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Foundations of Network and Computer Security

Attacks on hash functions: Cat 5 storm or a drizzle?

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Cryptographic Hash Functions Part II

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

AURORA: A Cryptographic Hash Algorithm Family

Avoiding collisions Cryptographic hash functions. Table of contents

Collision Attack on Boole

CPSC 467: Cryptography and Computer Security

Foundations of Network and Computer Security

Rebound Attack on Reduced-Round Versions of JH

Algebraic properties of SHA-3 and notable cryptanalysis results

New Preimage Attacks Against Reduced SHA-1

Practical pseudo-collisions for hash functions ARIRANG-224/384

Quantum Preimage and Collision Attacks on CubeHash

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

Provable Seconde Preimage Resistance Revisited

Breaking H 2 -MAC Using Birthday Paradox

Improved Collision Search for SHA-0

Lecture 1. Crypto Background

S XMP LIBRARY INTERNALS. Niall Emmart University of Massachusetts. Follow on to S6151 XMP: An NVIDIA CUDA Accelerated Big Integer Library

Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function

Cryptanalysis of EnRUPT

Shortest Lattice Vector Enumeration on Graphics Cards

Hybrid CPU/GPU Acceleration of Detection of 2-SNP Epistatic Interactions in GWAS

How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis

Preimages for Step-Reduced SHA-2

Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results

New attacks on Keccak-224 and Keccak-256

Preimage Attacks on 3, 4, and 5-Pass HAVAL

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Symmetric Crypto Systems

Further progress in hashing cryptanalysis

HASH FUNCTIONS 1 /62

1 Cryptographic hash functions

STRIBOB : Authenticated Encryption

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Practical pseudo-collisions for hash functions ARIRANG-224/384

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Cover Page. The handle holds various files of this Leiden University dissertation.

Haraka v2 Efficient Short-Input Hashing for Post-Quantum Applications

Higher Order Universal One-Way Hash Functions

Introduction to Cryptography

An introduction to Hash functions

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

An Implementation of SPELT(31, 4, 96, 96, (32, 16, 8))

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

12 Hash Functions Defining Security

New Preimage Attack on MDC-4

The Hash Function Fugue

CRYPTOGRAPHIC COMPUTING

Cryptanalysis of block EnRUPT

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Introduction to Information Security

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Some Attacks on Merkle-Damgård Hashes

HASH FUNCTIONS. Mihir Bellare UCSD 1

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

ECS 189A Final Cryptography Spring 2011

Provable Security in Symmetric Key Cryptography

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Martin Cochran. August 24, 2008

Symmetric Crypto Systems

non-trivial black-box combiners for collision-resistant hash-functions don t exist

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Transcription:

Practical Free-Start Collision Attacks on 76-step SHA-1 Inria and École polytechnique, France Nanyang Technological University, Singapore Joint work with Thomas Peyrin and Marc Stevens CWI, Amsterdam 2015 07 22 Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 1/43

Title deconstruction Practical }{{} We can compute it Free-Start }{{} Not unlike a false start Collision }{{} As in f(x)=f(x ) Attacks }{{} We re the baddies on 76-step }{{} Not quite the real thing SHA-1 }{{} Not a cat c Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 2/43

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 3/43

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 4/43

Hash functions Hash function A (binary) hash function is a mapping H : {0,1} {0,1} n Many uses in crypto: hash n sign, MAC constructions... It is a keyless primitive Sooo, what s a good hash function? Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 5/43

Three security notions (informal) First preimage resistance Given t, find m such that H(m) = t Best generic attack is in O(2 n ) Second preimage resistance Given m, find m m such that H(m) = H(m ) Best generic attack is in O(2 n ) Collision resistance Find m,m m such that H(m) = H(m ) Best generic attack is in O(2 n 2 ) Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 6/43

Merkle-Damgård construction A domain of {0,1} is annoying, so... 1 Start from a compression function f : {0,1} n {0,1} b {0,1} n 2 Use a domain extender H(m 1 m 2... m l ) = f(f(...f(iv,m 1 )...),m l ) 3 Reduce the security of H to the one of f A(H) A(f) A(f) A(H) (A(f)???) Invalidates the security reduction, tho Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 7/43

MD in a picture pad(m) = m 1 m 2 m 3 m 4 h 0 = IV f f f h 1 h 2 f h 3 Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 8/43

Additional security notions for MD Semi-free-start collisions The attacker may choose IV, but it must be the same for m and m Free-start preimages & collisions No restrictions on IV whatsoever Free-start preimages & collisions (variant) Attack f instead of H Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 9/43

What did we do? This work: collisions on 76/80 steps of the compression function of SHA-1 (95% of SHA-1) And it s practical One inexpensive GPU is enough for fast results Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 10/43

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 11/43

The SHA-1 hash function Designed by the NSA in 1995 as a quick fix to SHA-0 Part of the MD4 family Hash size is 160 bits collision security should be 80 bits Message blocks are 512-bit long Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 12/43

SHA-1 round function It s a 5-branch ARX Feistel A i+1 = A 5 i + φ i 20 (A i 1,A 2 i 2,A 2 i 3 ) +A 2 i 4 +W i +K i 20 with a linear message expansion: W 0...15 = M 0...15, W i 16 = (W i 3 W i 8 W i 14 W i 16 ) 1 80 steps in total The only difference between SHA-0 and SHA-1 Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 13/43

Round function in a picture A i B i C i D i E i φ i 20 5 2 W i K i 20 A i+1 B i+1 C i+1 D i+1 E i+1 Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 14/43

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 15/43

Wang collisions SHA-1 is not collision-resistant (Wang, Yin, Yu, 2005) Differential collision attack Find a message difference that entails a good linear diff. path Construct a non-linear diff. path to bridge the IV with the linear path Use message modification to speed-up the attack Requires a pair of two-block messages Attack complexity 2 69 Eventually improved to 2 61 (Stevens, 2013) Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 16/43

Two-block attack in a picture 0 δ M C δ M NL 1 NL 2 L -L C C C 0 Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 17/43

Preimage detour SHA-1 is much more resistant to preimage attacks No attack on the full function Practical attacks up to 30 steps ( 37.5% of SHA-1) (De Cannière & Rechberger, 2008) Theoretical attacks up to 62 steps (77.5% of SHA-1) (Espitau, Fouque, Karpman, 2015) Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 18/43

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 19/43

Let s break stuff! Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 20/43

Why doing free-start again? Main reason is starting from a middle state + shift the message Can use freedom in the message up to a later step But no control on the IV value Must ensure proper backward propagation Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 21/43

But then we need to... 1 Find a good linear part 2 Construct a good shifted non-linear part 3 Find accelerating techniques Let s do this for 76 steps! Best practical result is on 75 (we wanna beat em) (First step # with visible result for full SHA-1) Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 22/43

Linear part selection Criteria: High overall probability No (or few) differences in last five steps (= differences in IV ) Few differences in early message words Not many candidates We picked II(55, 0) (Manuel notation, 2011) Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 23/43

Linear path in a picture (part 1/2) A W 3 7 : x x 3 8 : 3 9 : x x x 4 0 : x 4 1 : x x 42: xx 43: x xx 44: xxx 4 5 : x x 46: x xx x 47: x xx 4 8 : x 4 9 : x 5 0 : x x 5 1 : x x 5 2 : x 5 3 : x 5 4 : x 5 5 : x 5 6 : x Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 24/43

Linear path in a picture (part 2/2) A W 5 7 : x x 5 8 : 5 9 : x x x 6 0 : x x 6 1 : 6 2 : x 6 3 : x 6 4 : 6 5 : 6 6 : 6 7 : 6 8 : 6 9 : 7 0 : x 7 1 : x x 7 2 : x 7 3 : x x 7 4 : x x x x 7 5 : x x x x 7 6 : Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 25/43

Non-linear part construction Start with prefix of high backward probability for the first 5 steps Use improved JLCA for the rest Good overall path with few conditions (236 up to #36) Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 26/43

Non-linear path in a picture A W 4: 3: 2: n 1: 0 1 n 0 0 : 10 0 0 0 n 0 1 : 0 1 0 n u unn 0 2 : 1 u 1 n 1 u 1 xn un n u 0 3 : u 1 1 n 1 u 0 u 0 nu n 0 4 : u 1 11 01n 100u11 u 0 0n1 xu u 05: 1n 0 100 111 u0101u00 1 n n1 0 x nn u unu 0 6 : 00 u u1u1uunnnn001n0u1uu 11 1 0u nunn n 0 7 : 1n u nu0un10nu00nnun111 0n 0 11 x nuuu nu u 08: nu 1 nuuuuuuuuuuuuu1unn11 u n0 u 0 u 09: uun0 1 010 1000 10nu 0 100u1 10 n n 1 00 0 1 unn 10: u10 1 1000111011001 111 10 xun nu u n 1 1 : 1 u1 10 1 un u 1 2 : n n 1 xn n 1 3 : 0 n 10 u 0 x uu u nuu 1 4 : n 0 1 u un u 1 5 : 1u 1 x unnn nu 1 6 : n 10 Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 27/43

Accelerating techniques Message modification: correct bad instances Neutral bits: generate more good instances when one s found We choose NBs because: Easy to find Easy to implement Good parallelization potential (more of that later) Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 28/43

Neutral bits (with an offset) We start with an offset (remember?) Use neutral bits with an offset too In our attack, offset = 6 free message words = W6...21 instead of W0...15 Must also consider backward propagation Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 29/43

Our neutral bits A18 : W14.................. x x x x x......... W15............... x. x.............. A19 : W14....................... x x x x..... W15.................. x x x x x x........ W16............... x.. x............. W17............ x................... A20 : W15........................ x x x..... W16.................... x x x......... A21 : W16....................... x x x...... W17.................. x x x x.......... W18............... xx............... A23 : W19................. x. x x x x......... A24 : W19........................ xx...... W20................... xx........... W21.............. xx................ A25 : W19....................... x........ W20.................. x...... x...... W21.................... x........... A26 : W20............................... x Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 30/43

Let s sum up Initialize the state with an offset Initialize message words with an offset Use neutral bits with an offset many neutral bits up to late steps (yay) don t know the IV in advance (duh) Linear path differences in the IV Everything done in one block Attack on the compression function Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 31/43

Same thing in a picture -4 A i 0 W i 8 12 17 21 26 5 10 15 20 25 30 Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 32/43

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 33/43

If it s practical you must run it Attack expected to be practical, but still expensive Why not using GPUs? One main challenge: how to deal with the branching? Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 34/43

Target platform Nvidia GTX-970 Recent, high-end, good price/performance 13 128 = 1664 cores @ 1 GHz High-level programming with CUDA Throughput for 32-bit arithmetic: all 1/cycle/core except S$ 500 Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 35/43

Architecture imperatives Execution is bundled in warps of 32 threads Control-flow divergence is serialized minimize branching Hide latency by grouping threads into larger blocks But careful about register / memory usage Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 36/43

Our snippet-based approach 1 Store partial solutions up to some step in shared buffers 2 Every thread of a block loads one solution 3... tries all neutral bits for this step 4... stores successful candidates in next step buffer Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 37/43

Our snippet-based approach (cont.) Base solutions up to #17 generated on CPU Use neutral bits up to #26 on GPU Further checks up to #56 on GPU Final collision check on CPU Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 38/43

Snippets in a picture Sols 26 25? To 26 18? To 19 Sols 18 To 18 Base Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 39/43

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 40/43

GPU results Hardware: one GTX-970 (S$500) One partial solution up to #56 per minute on average Expected time to find a collision 5 days Complexity 2 50.25 SHA-1 compression function Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 41/43

GPU v. CPU On one CPU core @ 3.2 GHz, the attack takes 606 days One GPU 140 cores (To compare with 40 (Grechnikov & Adinetz, 2011)) For raw SHA-1 computations, ratio is 320 Lose only 2.3 from the branching (not bad) Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 42/43

For more details..., Thomas Peyrin, and Marc Stevens: Practical Free-Start Collision Attacks on 76-step SHA-1, CRYPTO 2015 Eprint 2015/530 Free-Start Collisions / 76-step SHA-1 / CWI 2015 07 22 43/43

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback