Practical Free-Start Collision Attacks on full SHA-1

Similar documents
Practical Free-Start Collision Attacks on 76-step SHA-1

Finding collisions for SHA-1

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

AURORA: A Cryptographic Hash Algorithm Family

Crypto Engineering (GBX9SY03) Hash functions

Linearization and Message Modification Techniques for Hash Function Cryptanalysis

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

The Hash Function JH 1

Beyond the MD5 Collisions

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Nanyang Technological University, Singapore École normale supérieure de Rennes, France

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Attacks on hash functions. Birthday attacks and Multicollisions

Weaknesses in the HAS-V Compression Function

Week 12: Hash Functions and MAC

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

The Advanced Encryption Standard

Avoiding collisions Cryptographic hash functions. Table of contents

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

CPSC 467: Cryptography and Computer Security

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Known and Chosen Key Differential Distinguishers for Block Ciphers

Message Authentication Codes (MACs)

Lecture 14: Cryptographic Hash Functions

Improved Collision Search for SHA-0

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

2: Iterated Cryptographic Hash Functions

Cryptographic Hash Functions Part II

New Preimage Attacks Against Reduced SHA-1

Foundations of Network and Computer Security

Preimage Attacks on Reduced Tiger and SHA-2

CPSC 467: Cryptography and Computer Security

Attacks on hash functions: Cat 5 storm or a drizzle?

Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512

An Implementation of SPELT(31, 4, 96, 96, (32, 16, 8))

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Rebound Attack on Reduced-Round Versions of JH

New Attacks on the Concatenation and XOR Hash Combiners

Collision Attack on Boole

Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function

Introduction Description of MD5. Message Modification Generate Messages Summary

Invariant Subspace Attack Against Full Midori64

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Foundations of Network and Computer Security

How to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family

Algebraic properties of SHA-3 and notable cryptanalysis results

Gröbner Basis Based Cryptanalysis of SHA-1

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

CPSC 467: Cryptography and Computer Security

Some Attacks on Merkle-Damgård Hashes

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Quantum Preimage and Collision Attacks on CubeHash

On the Security of Hash Functions Employing Blockcipher Post-processing

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Analysis of Differential Attacks in ARX Constructions

Introduction to Information Security

Practical pseudo-collisions for hash functions ARIRANG-224/384

An introduction to Hash functions

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

The Hash Function Fugue

Breaking H 2 -MAC Using Birthday Paradox

A Brief Comparison of Simon and Simeck

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium

Further progress in hashing cryptanalysis

A Very Efficient Pseudo-Random Number Generator Based On Chaotic Maps and S-Box Tables M. Hamdi, R. Rhouma, S. Belghith

Lecture 1. Crypto Background

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Preimages for Step-Reduced SHA-2

Introduction The LED Round Function Minimalism for Key Schedule Security Analysis Implementations and Results

S XMP LIBRARY INTERNALS. Niall Emmart University of Massachusetts. Follow on to S6151 XMP: An NVIDIA CUDA Accelerated Big Integer Library

The Security of Abreast-DM in the Ideal Cipher Model

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

ECS 189A Final Cryptography Spring 2011

SPCS Cryptography Homework 13

Provable Security in Symmetric Key Cryptography

1 Cryptographic hash functions

Shortest Lattice Vector Enumeration on Graphics Cards

Symmetric Crypto Systems

Cryptanalysis of block EnRUPT

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

New Preimage Attack on MDC-4

observations on the simon block cipher family

Introduction to Cryptography

Cryptanalysis of EnRUPT

Higher Order Universal One-Way Hash Functions

Hybrid CPU/GPU Acceleration of Detection of 2-SNP Epistatic Interactions in GWAS

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Preimage Attacks on 3, 4, and 5-Pass HAVAL

New attacks on Keccak-224 and Keccak-256

Provable Seconde Preimage Resistance Revisited

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions

HASH FUNCTIONS 1 /62

STRIBOB : Authenticated Encryption

Transcription:

Practical Free-Start Collision Attacks on full SHA-1 Inria and École polytechnique, France Nanyang Technological University, Singapore Joint work with Thomas Peyrin and Marc Stevens Séminaire Cryptologie & Sécurité, Caen 2016 02 17 Free-Start Collisions / Full c-1 / Caen 2016 02 17 1/49

Title deconstruction Practical }{{} We can compute it Free-Start }{{} Not unlike a false start Collision }{{} As in f(x)=f(x ) Attacks }{{} We re the baddies on full }{{} The real thing this time! SHA-1 }{{} Not a cat c Free-Start Collisions / Full c-1 / Caen 2016 02 17 2/49

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / Full c-1 / Caen 2016 02 17 3/49

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / Full c-1 / Caen 2016 02 17 4/49

Hash functions Hash function A (binary) hash function is a mapping H : {0,1} {0,1} n Many uses in crypto: hash n sign, MAC constructions... It is a keyless primitive Sooo, what s a good hash function? Free-Start Collisions / Full c-1 / Caen 2016 02 17 5/49

Three security notions (informal) First preimage resistance Given t, find m such that H(m) = t Best generic attack is in O(2 n ) Second preimage resistance Given m, find m m such that H(m) = H(m ) Best generic attack is in O(2 n ) Collision resistance Find m,m m such that H(m) = H(m ) Best generic attack is in O(2 n 2 ) Free-Start Collisions / Full c-1 / Caen 2016 02 17 6/49

Merkle-Damgård construction A domain of {0,1} is annoying, so... 1 Start from a compression function f : {0,1} n {0,1} b {0,1} n 2 Use a domain extender H(m 1 m 2... m l ) = f(f(...f(iv,m 1 )...),m l ) 3 Reduce the security of H to the one of f A(H) A(f) A(f) A(H) (A(f)???) Invalidates the security reduction, tho Free-Start Collisions / Full c-1 / Caen 2016 02 17 7/49

MD in a picture pad(m) = m 1 m 2 m 3 m 4 h 0 = IV f f f h 1 h 2 f h 3 Free-Start Collisions / Full c-1 / Caen 2016 02 17 8/49

Additional security notions for MD Semi-free-start collisions The attacker may choose IV, but it must be the same for m and m Free-start preimages & collisions No restrictions on IV whatsoever Free-start preimages & collisions (variant) Attack f instead of H Free-Start Collisions / Full c-1 / Caen 2016 02 17 9/49

What did we do? First try: collisions on 76/80 steps of the compression function of SHA-1 (95% of SHA-1) And it s practical Cost 2 50.3 SHA-1, one inexpensive GPU is enough for fast results Second try: collisions on the full compression function of SHA-1 (100% of SHA-1) Still practical Cost 2 57.5 SHA-1, 64 GPUs for a result in less than two weeks Not the same attack as 1) with more computation power Free-Start Collisions / Full c-1 / Caen 2016 02 17 10/49

The collision Message 1 IV 1 50 6b 01 78 ff 6d 18 90 20 22 91 fd 3a de 38 71 b2 c6 65 ea M 1 9d 44 38 28 a5 ea 3d f0 86 ea a0 fa 77 83 a7 36 33 24 48 4d af 70 2a aa a3 da b6 79 d8 a6 9e 2d 54 38 20 ed a7 ff fb 52 d3 ff 49 3f c3 ff 55 1e fb ff d9 7f 55 fe ee f2 08 5a f3 12 08 86 88 a9 Compr(IV 1,M 1 ) f0 20 48 6f 07 1b f1 10 53 54 7a 86 f4 a7 15 3b 3c 95 0f 4b Message 2 IV 2 50 6b 01 78 ff 6d 18 91 a0 22 91 fd 3a de 38 71 b2 c6 65 ea M 2 3f 44 38 38 81 ea 3d ec a0 ea a0 ee 51 83 a7 2c 33 24 48 5d ab 70 2a b6 6f da b6 6d d4 a6 9e 2f 94 38 20 fd 13 ff fb 4e ef ff 49 3b 7f ff 55 04 db ff d9 6f 71 fe ee ee e4 5a f3 06 04 86 88 ab Compr(IV 2,M 2 ) f0 20 48 6f 07 1b f1 10 53 54 7a 86 f4 a7 15 3b 3c 95 0f 4b Free-Start Collisions / Full c-1 / Caen 2016 02 17 11/49

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / Full c-1 / Caen 2016 02 17 12/49

The SHA-1 hash function Designed by the NSA in 1995 as a quick fix to SHA-0 Part of the MD4 family Hash size is 160 bits collision security should be 80 bits Message blocks are 512-bit long Compression function in MD mode Free-Start Collisions / Full c-1 / Caen 2016 02 17 13/49

SHA-1 round function Block cipher in Davies-Meyer mode 5-branch ARX Feistel A i+1 = A 5 i + φ i 20 (A i 1,A 2 i 2,A 2 i 3 ) +A 2 i 4 +W i +K i 20 with a linear message expansion: W 0...15 = M 0...15, W i 16 = (W i 3 W i 8 W i 14 W i 16 ) 1 80 steps in total The only difference between SHA-0 and SHA-1 Free-Start Collisions / Full c-1 / Caen 2016 02 17 14/49

Round function in a picture A i B i C i D i E i φ i 20 5 2 W i K i 20 A i+1 B i+1 C i+1 D i+1 E i+1 Free-Start Collisions / Full c-1 / Caen 2016 02 17 15/49

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / Full c-1 / Caen 2016 02 17 16/49

Wang collisions SHA-1 is not collision-resistant (Wang, Yin, Yu, 2005) Differential collision attack Find a message difference that entails a good linear diff. path Construct a non-linear diff. path to bridge the IV with the linear path Use message modification to speed-up the attack Requires a pair of two-block messages Attack complexity 2 69 Eventually improved to 2 61 (Stevens, 2013) Free-Start Collisions / Full c-1 / Caen 2016 02 17 17/49

Two-block attack in a picture 0 δ M C δ M NL 1 NL 2 L -L C C C 0 Free-Start Collisions / Full c-1 / Caen 2016 02 17 18/49

Preimage detour SHA-1 is much more resistant to preimage attacks No attack on the full function Practical attacks up to 30 steps ( 37.5% of SHA-1) (De Cannière & Rechberger, 2008) Theoretical attacks up to 62 steps (77.5% of SHA-1) (Espitau, Fouque, Karpman, 2015) Free-Start Collisions / Full c-1 / Caen 2016 02 17 19/49

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / Full c-1 / Caen 2016 02 17 20/49

Let s break stuff! Free-Start Collisions / Full c-1 / Caen 2016 02 17 21/49

Why doing free-start again? Main reason is starting from a middle state + shift the message Can use freedom in the message up to a later step But no control on the IV value Must ensure proper backward propagation Free-Start Collisions / Full c-1 / Caen 2016 02 17 22/49

The point of free-start (in a picture) Usual Free-Start Free-Start Collisions / Full c-1 / Caen 2016 02 17 23/49

But then we need to... 1 Find a good linear part 2 Construct a good shifted non-linear part 3 Find accelerating techniques Let s do this for 80 steps! Free-Start Collisions / Full c-1 / Caen 2016 02 17 24/49

Linear part selection Criteria: High overall probability No (or few) differences in last five steps (= differences in IV ) Few differences in early message words Not many candidates We picked II(59, 0) (Manuel notation, 2011) (This is just a shifted version of II(55,0) used for 76 steps) Free-Start Collisions / Full c-1 / Caen 2016 02 17 25/49

Linear path in a picture (part 1/2) A W 4 1 : x x 4 2 : 4 3 : x x x 4 4 : x 4 5 : x x 46: xx 47: x xx 48: xxx 4 9 : x x 50: x xx x 51: x xx 5 2 : x 5 3 : x 5 4 : x x 5 5 : x x 5 6 : x 5 7 : x 5 8 : x 5 9 : x 6 0 : x Free-Start Collisions / Full c-1 / Caen 2016 02 17 26/49

Linear path in a picture (part 2/2) A W 6 1 : x x 6 2 : 6 3 : x x x 6 4 : x x 6 5 : 6 6 : x 6 7 : x 6 8 : 6 9 : 7 0 : 7 1 : 7 2 : 7 3 : 7 4 : x 7 5 : x x 7 6 : x 7 7 : x x 7 8 : x x x x 7 9 : x x x x 8 0 : Free-Start Collisions / Full c-1 / Caen 2016 02 17 27/49

Non-linear part construction Start with prefix of high backward probability for the first 4 steps Use improved JLCA for the rest Good overall path with few conditions (246 up to #30) Free-Start Collisions / Full c-1 / Caen 2016 02 17 28/49

Non-linear path in a picture A W 4:................................ 3:................................ 2:............................. ^. 1: 1... 1.................... 0..... + 0 0 : 0 1.. 0.................... 1...... x. +... +.................... +.... 0 1 : 1 1 + ^.. +............. ^...... +............................. + +.. 0 2 :.. 1 1 1. 1...... ^..... 1 + 1 1 0. 1. 0.... +....................... +.. 0 3 :. 0. 0 0 0 1 1. ^. 1 0... + 0 1. 0 1 1 1 1 ^ 0. 1. 1........................ +.. 0 4 :.1.11+ 1+^^^+1^^^011^^. +++++.+........................... +.... 0 5 :.+.+. ++++++++++++++++++.+0 1111.......................... + + +.. 0 6 :. 0. 0. 1. 0 1 1. 1 1 1. 1 1 1 1 0 0 1 0 0 1. 1 0 + x +.. + +...................... +.. 0 7 : 1.+.1.010100010000000111+..0.+.... +........................ +. 0 8 : 0 +. 0. 0................ 0.. +.. 0. 1 x......................... +.... 0 9 :. +. 0. 0................... 0. +... ^ x. +...................... + +.. 1 0 :. +......................... +. 0.... + + +......................... 1 1 :............................... x. + + + +..................... +. +. 1 2 :... 0. 1....................... 1................................ 1 3 :. 1... 0........................! ^.. +.. +..................... + +.. 1 4 : +.............................. x + +. +...................... +.. 1 5 : 1. 1..........................!..... +........................ +. 1 6 : +. 1 0. 1.......................... x +............................. Free-Start Collisions / Full c-1 / Caen 2016 02 17 29/49

Accelerating techniques Message modification: correct bad instances Neutral bits: generate more good instances when one s found We choose NBs because: Easy to find Easy to implement Good parallelization potential (more of that later) Includes both single NBs and boomerangs Free-Start Collisions / Full c-1 / Caen 2016 02 17 30/49

Neutral bits (with an offset) We start with an offset (remember?) Use neutral bits with an offset too In our attack, offset = 5 free message words = W5...20 instead of W0...15 Must also consider backward propagation Free-Start Collisions / Full c-1 / Caen 2016 02 17 31/49

Our 60 single neutral bits A18 : W14.................... x x x x........ W15............... x x x x............. A19 : W14........................ x. x..... W15................... x x x x x........ W16............... x x x x x............ A20 : W15........................ x.. x.... W16.................... x x x x........ W17............ x x x x x x.............. A21 : W17.................. x x x x.......... W18................ x............... A22 : W18................. x x x x x x......... W19................. x... x.......... A23 : W18....................... x x x. x.... W19................... xx. x......... W20................ x............... A24 : W19....................... x x x...... W20.................. x x x........... A25 : W20......................... x...... Free-Start Collisions / Full c-1 / Caen 2016 02 17 32/49

Our 4 boomerangs W10 :...................... BA........ W11 :................. ba.... DC....... W12 :.................. dc............ W13 :................................ W14 :......................... a...... W15 :........................ ba...... W16 :......................... dc..... Free-Start Collisions / Full c-1 / Caen 2016 02 17 33/49

Let s sum up Initialize the state with an offset Initialize message words with an offset Use neutral bits with an offset many neutral bits up to late steps (yay) don t know the IV in advance (duh) Linear path differences in the IV Everything done in one block Attack on the compression function Free-Start Collisions / Full c-1 / Caen 2016 02 17 34/49

Same thing in a picture -4 A i 0 W i 8 12 17 5 10 15 20 25 25 30 Free-Start Collisions / Full c-1 / Caen 2016 02 17 35/49

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / Full c-1 / Caen 2016 02 17 36/49

If it s practical you must run it Attack expected to be practical, but still expensive Why not using GPUs? One main challenge: how to deal with the branching? Free-Start Collisions / Full c-1 / Caen 2016 02 17 37/49

Target platform Nvidia GTX-970 Recent, high-end, good price/performance 13 128 = 1664 cores @ 1 GHz High-level programming with CUDA Throughput for 32-bit arithmetic: all 1/cycle/core except SGD 500 Free-Start Collisions / Full c-1 / Caen 2016 02 17 38/49

Architecture imperatives Execution is bundled in warps of 32 threads Single Instruction Multiple Threads: Control-flow divergence is serialized minimize branching Hide latency by grouping threads into larger blocks But careful about register / memory usage Free-Start Collisions / Full c-1 / Caen 2016 02 17 39/49

Our snippet-based approach 1 Store partial solutions up to some step in shared buffers 2 Every thread of a block loads one solution 3... tries all neutral bits for this step 4... stores successful candidates in next step buffer Free-Start Collisions / Full c-1 / Caen 2016 02 17 40/49

Our snippet-based approach (cont.) 1 Base solutions up to #17 generated on CPU 2 Use single neutral bits up to #25 on GPU 3 Use boomerangs on #28 and #30 on GPU 4 Further checks up to #60 on GPU 5 Final collision check on CPU Free-Start Collisions / Full c-1 / Caen 2016 02 17 41/49

Snippets in a picture (w/o boomerangs) Sols 25 24? To 25 18? To 19 Sols 18 To 18 Base Free-Start Collisions / Full c-1 / Caen 2016 02 17 42/49

Introduction SHA-1 quickie History of SHA-1 attacks Our attack Implementation Results Free-Start Collisions / Full c-1 / Caen 2016 02 17 43/49

GPU results (76 steps) Hardware: one GTX-970 One partial solution up to #56 per minute on average Expected time to find a collision 5 days Complexity 2 50.3 SHA-1 compression function Free-Start Collisions / Full c-1 / Caen 2016 02 17 44/49

GPU v. CPU On one CPU core @ 3.2 GHz, the attack takes 606 days One GPU 140 cores (To compare with 40 (Grechnikov & Adinetz, 2011)) For raw SHA-1 computations, ratio is 320 Lose only 2.3 from the branching (not bad) Free-Start Collisions / Full c-1 / Caen 2016 02 17 45/49

GPU results (80 steps) Hardware: 64 GTX-970 Expected time to find a collision 10 days Complexity 2 57.5 SHA-1 compression function On Amazon Elastic C2 cost USD 2K (with older GPUs) Free-Start Collisions / Full c-1 / Caen 2016 02 17 46/49

What about a full hash function collision? Estimated complexity: 2 61 GPU framework translates swimmingly to this case 64-GTX970 cluster 110-220 days ( 4-8 months) On Amazon Elastic C2 USD 22-44K Free-Start Collisions / Full c-1 / Caen 2016 02 17 47/49

For more details, Thomas Peyrin, and Marc Stevens: Practical Free-Start Collision Attacks on 76-step SHA-1, CRYPTO 2015 Eprint 2015/530 Marc Stevens,, and Thomas Peyrin: Freestart collision for full SHA-1, EUROCRYPT 2016 Eprint 2015/967 Free-Start Collisions / Full c-1 / Caen 2016 02 17 48/49

C est fini! Free-Start Collisions / Full c-1 / Caen 2016 02 17 49/49

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback