Embed Size (px)
Citation preview
1
Cryptanalysis
Lecture Block 5: Cryptographic Hashes
John [email protected]
© 2004-2008, John L. Manferdelli.This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.
jlm20090310
JLM 20090310 2
Cryptographic Hashes
• A cryptographic hash (“CH”) is a “one way function,” h, from all binary strings (of arbitrary length) into a fixed block of size n (called the size of the hash) with the following properties:
1. Computing h is relatively cheap.2. Given y=h(x) it is infeasible to calculate x. (“One way,”
“non-invertibility” or “pre-image” resistance). Functions satisfying this condition are called One Way Hash Functions (OWHF)
3. Given u, it is infeasible to find w such that h(u)=h(w). (weak collision resistance, 2nd pre-image resistance).
4. It is infeasible to find u, w such that h(u)=h(w). (strong collision resistance). Note 43. Functions satisfying this condition are called Collision Resistant Functions (CRFs).
JLM 20060105 12:16 3
Cryptographic Hashes
• h must be compressive (otherwise copy of original binary string satisfies requirement)
• Just like symmetric ciphers ratio of work factor for computation of hash vs work factor to break hash should be very high.
• Adversary has complete information on computing hash and (obviously) can compute as many hashes from the target as she wants.
JLM 20060105 12:16 4
Observations on Cryptographic Hashes
• Hashes are a strong “checksum”
• OWHF and CRF conditions make CHs satisfy many of the properties
of “random functions”– Small changes should create large changes (otherwise the pre-
image of near neighbors are near neighbors making collisions easy to find)
– Small input changes should be statistically unrelated (uncorrelated) to changes in a subset of the hash bits
– Analysis of CHs very similar to Symmetric Cipher techniques
Popular practical cryptographic hashes– MD4, MD5 (now “broken”)
– SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 (last 4 are “SHA-2”)
– RIPEMD
JLM 20060105 12:16 5
Observations
• Collision Resistance 2nd pre-image resistance• Let f(x)= x2-1 (mod p).
– f(x) acts like a random function but is not a OWHF since square roots are easy to calculate mod p.
• Let f(x)= x2 (mod pq). – f(x) is a OWHF but is neither collision nor 2nd pre-image resistant
• If either h1(x) or h2(x) is a CRHF so is h(x)= h1(x)||h2(x) • MDC+signature & MAC+unknown Key require all three properties• Ideal Work Factors:
Type Work Property
OWHF 2n Pre-image
2nd Pre-image
CRHF 2n/2 Collision
MAC 2t Key recovery, computational resistance
JLM 20060105 12:16 6
What are Hash Functions Good for?
• Modification Detection Codes (MDCs): This is a strong checksum (integrity check). Sometimes called “unkeyed” hashes.
• Message Authentication Code (MACs): If shared secret is part of the hash, two parties can determine authenticated integrity with CHs. Called “keyed hashes”.
• Message Digests (MDs): Encrypting (with private key) the CH of a message (its MD) acts as a certification that the message was “approved” by possessor of private key. This is called a Digital Signature. [Note: you could “sign’ the whole message rather than the hash but this would take oodles of time by comparison.]
JLM 20060105 12:16 7
What are Hash Functions Good for?
• Uniquely and securely identifies bit streams like programs. Hash is strong name for program.
• Entropy mixing: Since CHs are random functions into fixed size blocks with the properties of random functions, they are often used to “mix” biased input to produce a “seed” for a psuedo-random number generator.
• Password Protection: Store salted hash of password instead of password (Needham).
• Bit Commitment
JLM 20060105 12:16 8
MACs using Hashes
• Prefix and suffix attacks
• Hash(k1, Hash(k2, m))
• Hash(k|p|m|k)
• HMACK(x)= SHA-1(Kopad||SHA-1(Kipad)||x)
JLM 20060105 12:16 9
One-Way Functions
Hashes come from two basic classes of one-way functions– Mathematical
• Multiplication: Z=X•Y• Modular Exponentiation: Z = YX (mod n) (Chaum vP
Hash)– Ad-hoc (Symmetric cipher-like constructions)
• Custom Hash functions (MD4, SHA, MD5, RIPEMD)
JLM 20060105 12:16 10
Attacks on Cryptographic Hashes
• Birthday (Yuval) attacks– Probability of collision determined by “Birthday Paradox” calculation:
• (1- 1/n) (1- 2/n) … (1-(k-1)/n)= (n!/k!)/nk
• Probability of collision is >.5 when k2 > n.• Need 280 blocks for SHA.
• 1+x ex, i=1i=k (1-i/n) e-k(k-1)/(2n)
• Dobbertin Attacks on MD4• Attacks on 2nd preimage
– (Old) If you hash 2t messages, the average work to find a 2nd primage is 2n-t
– (New) If you hash 2t blocks, the average work to find a 2nd primage is t2n/2+1+ 2n-t+1 [Kelsey Schneier]
– Appending length doesn’t help against 2nd pre-image attacks
JLM 20060105 12:16 11
Attacks on Hashes
• Selective and Existential Forgery• Key Recovery for MAC• Chaining
– Meet in Middle– Fixed Point
• Padding• Differential
JLM 20060105 12:16 12
Attacks on Cryptographic Hashes
• Berson (1992) using differential cryptanalysis on 1 round MD-5.• Boer and Bosselaers (1993), Pseudo collision in MD5.• Dobbertin (1996), Collisions in compression function. Attacks
inspired RIPEMD proposal.• Biham and Chen (2004), Collisions in SHA-0.• Chabaud and Joux (2004), Collisions in SHA-0 .• Wang, Feng, Lai, Yu, (2004), MD4, MD5, RIPEMD• Wang et al, (2004, 2005), SHA-1• SHA-1 has stood up best: best known theoretical attack (11/05)
requires 263 operations.
JLM 20060105 12:16 13
Birthday Attacks
• Probability of collision determined by “Birthday Paradox” calculation: – (1-1/n) (1-2/n) … (1-(k-1)/n)= (n!/k!)/nk
– Probability of collision is >.5 when k2 > n.– Need 280 blocks for SHA.
– 1+x ex, i=1i=k (1-i/n) e-k(k-1)/(2n)
JLM 20060105 12:16 14
Chaum-vanHeijst-Pfitzmann Compression Function
• Suppose p is prime, q=(p-1)/2 is prime, a is a primitive root in Fp, b is another primitive root so ax=b (mod p) for some unknown x).
• g: {1,2,…,q-1}2 {1,2,…,p-1}, q=(p-1)/2 by:– g(s, t) = as bt (mod p)
• Reduction to discrete log:Suppose g(s, t)= g(u, v) can be found. Then as bt (mod p)= au bv (mod
p).
So as-u (mod p)= bv-t (mod p). Let b= ax (mod p). Then (s-u)=x(y-t) (mod p-1).
But p-1= 2q so we can solve for x, thus determining the discrete log of b.
JLM 20060105 12:16 15
Merkle/Damgard Construction
CompressionFunction (f)
Hash Value
Padded n bit blocksHi-1
Graphic by Josh Benaloh
Input: x=x1||…||xt
Input is usually padded
H0= IVHi= f(Hi-1, xi)h(x)= g(ht)
JLM 20081026 16
Proofs about compression function
• Theorem: If g: {0,1}m {0,1}n, for a sequence of n bit blocks, x= x1, x2, …, xt, we can define a hash function h: {0,1}* {0,1}n by H0= c, Hi+1= g(Hi||xi) with h(x)=Ht. h is collision resistant if g is.
– Proof: Let x= x1, x2, …, xt and x’= x1’, x2’, …, xt’’ be two strings with h(x)=h(x’) and let Hi, Hi’ be the intermediate values. Suppose there is an i<t: Ht-i=Ht’-i’ and Ht-i-1Ht’-i-1’. Then g(Ht-i-1||xi)= g(Ht-i-1’||xi’) so g is not collision resistant. Otherwise Hi=Hi’ and either xi=xi’, it, in which case there is nothing to prove or some xixi’(but then g(Hi||xi) = g(Hi’||xi’) and again g is not collision resistant) or g(Ht-1)= g(Hj’||xj’), j>t and again g is not collision resistant.
JLM 20060105 12:16 17
Technique for CHs from Block Ciphers
Let input be x= x1||x2|| … ||xt where each xi is n bits long. Let g be a function taking an n bit input to an m bit input. Let E(k, x) be a block cipher with m bit keyspace and n bit block. Let H0= IV.
Construction 1: Hi= E(g(Hi-1), xi)Hi-1
Construction 2: Hi= E(xi, Hi-1)Hi-1
Construction 3: Hi= E(g(Hi-1), xi)xiHi-1
Note: Because of collisions n should be >64. Ideally, m=n and g= id. DES with n= 64 is too small. AES with n=m=128 is better.
DM/MMO constructions for block ciphers
18JLM 20090222
Hi-1
E
Hi
mi(key)
• Differential attack on C• Related key attack on E
Hi-1 (key) E
Hi
mi(key)
• Differential attack on C• Differential attack on E
JLM 20060105 12:16 19
Nostradamus (“herding") attack
• Let h be a Merkle-Damgard hash with compression function f and initial value IV . Goal is to hash a prefix value (P) quickly by appending random suffixes (S).
• Procedure
– Phase 1: Pick k, generate K= 2k random d0i from each pair of the values f(IV ||di,i+1) and two messages M0,j ;M1,j which collide under f . Call this value d1,j this takes effort 2n/2 for each pair. Do this (colliding di,j ; di+1,j under Mi,j ;Mi+1,j to produce di,j+1 until you reach dK,0). This is the diamond.
– Publish y = w(dK,0) where w is the final transformation in the hash as the hash (i.e. - claim y = h(P||S).
JLM 20081028 20
Diamond structure
h(0,0)
h(0,1)
h(0,2)
h(0,3)
h(0,4)
h(0,5)
h(0,6)
h(0,7) h(1, 3)
h(1, 2)
h(1, 0)
h(1, 1)
h(2, 1)
h(2,0)
h(3,0)
Published hash
w(h(3,0))
P
M0
M7
M5
JLM 20060105 12:16 21
Nostradamus (“herding") attack
• The cost of phase 1 is (2k -1)2n/2.
• In phase 2, guess S’ and compute T = f(IV||P||S’).
• Keep guessing until T is one of the dij. Once you get a collision, follow a path through the Mij to dK,0. Append these Mij to P||S’ and apply w to get right hash.
• Total cost: W= 2n-k-1+2n/2+k/2+k2n/2+1. k=(n-5)/3 is a good choice. For 160 bit hash, k=52.
JLM 20060105 12:16 22
Multicollision (Joux)
• Iterative construction is vulnerable to multi-collision
• Suppose M1;M1’; M2;M2’; …; Mt;Mt’ all collide.
• From these we get 2t collisions.
• If r people each have one of N possible birthdays, there is a greater than 50% chance of k collisions if r>N, = k-1/k.
JLM 20081024 23
Random Oracle Model
• Let f be a OWF with trapdoor, (y1, y2) = (f(r); h(r)+m) is used as encryption.
• An oracle with i requests L.• Pr(guess right) = P(rL)+½ P(rL). • Set p = 1/2+, • Pr(rL).• Canetti, Goldreich, Halevi constructed cryptosystem that is
secure in the Random Oracle model but any secure for any concrete hash.
JLM 20060105 12:16 24
A Cryptographic Hash: SHA-1
Picture from Wikipedia
JLM 20060105 12:16 25
A Cryptographic Hash: SHA-1
CompressionFunction
160-bit Output
512-bit Input(IV ) – 160 bits
Slide by Josh Benaloh
JLM 20060105 12:16 26
A Cryptographic Hash: SHA-0/1
Picture from Wikipedia
JLM 20060105 12:16 27
A Cryptographic Hash: SHA-1
• Depending on the round, the “non-linear” function f is one of the following.
f(X,Y,Z) = (XY)((X)Z)f(X,Y,Z) = (XY)(XZ)(YZ)f(X,Y,Z) = XYZ
JLM 20060105 12:16 28
A Cryptographic Hash: SHA-1
What’s in the final 32-bit transform?• Take the rightmost word.• Add in the leftmost word rotated 5 bits.• Add in a round-dependent function f of the middle
three words.• Add in a round-dependent constant.• Add in a portion of the 512-bit message.
JLM 20060105 12:16 29
SHA-0
A= 0x67452301, B= 0xefcdab89,
C= 0x98badcfe, D= 0x10325476
E= 0xc3d2e1f0
Ft(X,Y,Z)= (XY)((X)Z),
t= 0,…,19
Ft(X,Y,Z)= XYZ,
t= 20,…,39
Ft(X,Y,Z)= (XY)(XZ)(YZ),
t= 40,…,59
Ft(X,Y,Z)= XYZ, t= 60,…,79
Kt= 0x5a827999, t= 0,…,19
Kt= 0x6ed9eba1, t=20,…,39
Kt= 0x8f1bbcdc, t= 40,…,59
Kt= 0xca62c1d6, t=60,…,79
Do until no more input blocks {
If last input block
Pad to 512 bits by adding 1
then 0s then 64 bits of length.
Mi= input block(32 bits)
i= 0,…,15
Wt= Mt, t= 0,…,15;
Wt= (Wt-3Wt-8Wt-14Wt-16) <<<1,
t= 16,…,79
a= A; b= B; c= C; d= D; e= E;
for(t=0 to 79) {
x= (a<<<5)+ft(b,c,d)+e+Wt+Kt
e= d; d=c; c= b<<<30;
b=a; a= x;
}
A+= a; B+=b; C+= c; D+= d; E+= e;
}
Absence of this term is only difference between SHA-0 and SHA-1
JLM 20060105 12:16 30
SHA-1
A= 0x67452301, B= 0xefcdab89,
C= 0x98badcfe, D= 0x10325476
E= 0xc3d2e1f0
Ft(X,Y,Z)= (XY)((X)Z),
t= 0,…,19
Ft(X,Y,Z)= XYZ,
t= 20,…,39
Ft(X,Y,Z)= (XY)(XZ)(YZ),
t= 40,…,59
Ft(X,Y,Z)= XYZ, t= 60,…,79
Kt= 0x5a827999, t= 0,…,19
Kt= 0x6ed9eba1, t=20,…,39
Kt= 0x8f1bbcdc, t= 40,…,59
Kt= 0xca62c1d6, t=60,…,79
Do until no more input blocks {
If last input block
Pad to 512 bits by adding 1
then 0s then 64 bits of length.
Mi= input block(32 bits) i= 0,…,15
Wt= Mt , t= 0,…,15;
Wt= (Wt-3Wt-8Wt-14Wt-16)<<<1,
t= 16,…,79
a= A; b= B; c= C; d= D; e= E;
for(t=0 to 79) {
x= (a<<<5)+ft(b,c,d)+e+Wt+Kt
e= d; d=c; c= b<<<30;
b=a; a= x;
}
A+= a; B+=b; C+= c; D+= d; E+= e;
}
Message expansion
MD4 and Dobbertin
• Invented by Rivest, ca 1990• Weaknesses found by 1992
– Rivest proposed improved version (MD5), 1992
• Dobbertin found 1st MD4 collision in 1998– Clever and efficient attack– Nonlinear equation solving and differential
31
Slide by Mark Stamp
MD4 Algorithm
• After padding message is a multiple of the 512-bit block size– Also a multiple of 32 bit word size
• Let N be number of 32-bit words
• Message M = (Y0,Y1,…,YN1)
– Each Yi is a 32-bit word
• 32-bit words• Little-endian convention
– Leftmost byte is low-order (relevant when generating “meaningful” collisions)
• Pad M so length is 448 (mod 512)– Single “1” bit followed by “0” bits
– At least one bit of padding, at most 512
– Length before padding (64 bits) is appended
Slide by Mark Stamp
32
MD4 Algorithm
• For 32-bit words A,B,C, define
F(A,B,C) = (AB)(AC)G(A,B,C) = (AB)(AC)(BC)H(A,B,C) = ABCwhere , , , are AND, OR, NOT, XOR
• Define constants: K0 = 0x00000000,
K1 = 0x5a827999, K2 = 0x6ed9eba1.
• Let Wi, i = 0,1,…47 be (permuted) inputs, Yj
Slide by Mark Stamp
33
MD4 Algorithm
34
MD4 Algorithm
• Round 0: Steps 0 thru 15, uses F function• Round 1: Steps 16 thru 31, uses G function• Round 2: Steps 32 thru 47, uses H function
Slide by Mark Stamp 35
MD4: One Step
• Where
Slide by Mark Stamp 36
Dobbertin’s attack strategy
• Specify a differential condition• If condition holds, probability of collision• Derive system of nonlinear equations: solution satisfies differential
condition• Find efficient method to solve equations• Find enough solutions to yield a collision• Find one-block collision, where M= (X0,X1,…,X15), M= (X0,X1,…,X15)
• Difference is subtraction mod 232
• Blocks differ in only 1 word– Difference in that word is exactly 1
• Limits avalanche effect to steps 12 thru 19– Only 8 of the 48 steps are critical to attack!– System of equations applies to these 8 steps
Slide by Mark Stamp37
Notation
• Suppose (Qj,Qj1,Qj2,Qj3) = MD40…j(IV,M)
and (Qj,Qj1,Qj2,Qj3) = MD40…j(IV,M)
• Define j = (QjQj, Qj1Qj1, Qj2Qj2, Qj3Qj3 )
where subtraction is modulo 232
• Let 2n denote 2n mod 232.– 225 = 0x02000000 and 25 = 0xffffffe0
• All arithmetic is modulo 232
38
Strategy
• Try to find one block collision
• Denote M = (X0,X1,…,X15)
• Define M by Xi = Xi for i12 and
X12= X12+1
• Word X12 last appears in steps 12, 19, 35
– This provides a “natural” division of the attack strategy
• We are freedom to choose X0,X1,…,X11 at our convenience
• Goal is to find pair M and M with 35= 0, if 35= (0,0,0,0) we have a collision
Slide by Mark Stamp39
MD4 Attack
Analyze attack in three phases
1. Show: 19= (225,25,0,0) implies probability at least 1/230 that the 35 condition holds
– Uses differential cryptanalysis
2. “Backup” to step 12: We can start at step 12 and have 19 condition hold
– By solving system of nonlinear equations
3. “Backup” to step 0: And find collision– In each phase of attack, some words of M are determined– When completed, have M and M
• Where M M but h(M) = h(M)– Equation solving step is tricky part
• Nonlinear system of equations• Must be able to solve efficiently
Slide by Mark Stamp 40
Steps 19 to 35
• Differential phase of the attack
• Suppose M and M as given above– Only differ in word 12
• Assume that 19= (225,25,0,0) – And G(Q19,Q18,Q17) =
G(Q19,Q18,Q17)
• Then we compute probabilities of “” conditions at steps 19 thru 35
Slide by Mark Stamp 41
Steps 19 thru 35
• For example, consider 35
• Suppose j = 34 holds: Then 34= (0,0,0,1) and
• Implies 35= (0,0,0,0) with probability 1
– As summarized in j = 35 row of table
Slide by Mark Stamp
42
Steps 12 to 19
• Analyze steps 12 to 19, find conditions that ensure 19 = (225,25,0,0)
– And G(Q19,Q18,Q17)= G(Q19,Q18,Q17), as required in differential phase
• Step 12 to 19—equation solving phase
• This is most complex part of attack– Last phase, steps 0 to 11, is
easy
Slide by Mark Stamp
43
Steps 12 to 19
• To apply differential phase, must have
19= (225,25,0,0) which states that
Q19= Q19+225
Q18+25 = Q18
Q17= Q17
Q16= Q16
• Derive equations for steps 12 to 19…• At step 12 we have
Q12= (Q8 + F(Q11,Q10,Q9) + X12) <<< 3
Q12=(Q8 + F(Q11,Q10,Q9) + X12) <<< 3
• Since X12= X12+1 and (Q8,Q9,Q10,Q11)= (Q8,Q9,Q10,Q11),
(Q12<<<29)(Q12<<<29)= 1
Slide by Mark Stamp44
Steps 12 to 19
• Similar analysis for remaining steps yields system of equations:
Slide by Mark Stamp 45
Steps 12 to 19
• To solve this system must find
so that all equations hold.• Since there are 14 variables and 8 equations, we have wiggle room
• Given such a solution, we determine Xj for j = 13,14,15,0,4,8,12
so that we begin at step 12 and arrive at step 19 with 19 condition satisfied
• This phase reduces to solving (nonlinear) system of equations• Can manipulate the equations so that
– Choose (Q14,Q15,Q16,Q17,Q18,Q19) arbitrary
– Which determines (Q10,Q13,Q13 ,Q14 ,Q15)
• Result is 3 equations must be satisfied (next slide)
Slide by Mark Stamp46
Solving equations for 12 to 19
• Using this we can solve for seven message words:– X13= anything
– X14= (Q14<<<21)-Q10-F(Q13, Q12, Q11)
– X15= (Q15<<<21)-Q11-F(Q14, Q13, Q12)
– X0= (Q16<<<21)-Q12-G(Q15, Q14, Q13) –K1
– X4= (Q17<<<21)-Q13-G(Q16, Q15, Q14) –K1
– X8= (Q18<<<21)-Q14-G(Q17, Q16, Q15) –K1
– X12= (Q19<<<21)-Q15-G(Q18, Q17, Q16) –K1
47
Solving equations for 12 to 19
• Choose Q12= -1, Q12’=0, Q11=0. Then
– Q15’= Q15-G(Q18’,Q17,Q16)+G(Q18,Q17,Q16)+(Q19’<<<19)-(Q19<<<19)-1
– Q14’= Q14-G(Q18’,Q17,Q16)+G(Q18,Q17,Q16)+(Q18’<<<23)-(Q19<<<23)
– Q13= (Q14<<<21)-(Q14’<<<21)
– Q13’= Q13-G(Q16,Q15’,Q14’)+G(Q16,Q15,Q14)
– Q10= (Q13’<<<25)-(Q13<<<25)
– F(Q18’,Q17,Q16)-F(Q18,Q17,Q16)= (Q15’<<<13)-(Q15<<<13)
– G(Q18’,Q17,Q16)-G(Q18,Q17,Q16)= Q12-Q11’
• Choose Q14, …, Q19 arbitrarily and solve for Q10, Q13, Q13’, Q14’, Q15’
– G(Q15,Q14,Q13)-G(Q15’, Q14’, Q13’)= 1
– F(Q14’, Q13’, 0)-F(Q14, Q13,, -1)= 0
– G(Q19’, Q18’, Q17)= G(Q19, Q18,, Q17)
48
Steps 12 to 19
• Three conditions must be satisfied:
• First 2 are “check” equations– Third is “admissible” condition
• Naïve algorithm: choose six Qj, yields five Qj, Qj until 3 equations satisfied
• How much work is this?
Slide by Mark Stamp 49
Continuous Approximation
• Each equation holds with probability 1/232
• Appears that 296 iterations required– Since three 32-bit check equations– Birthday attack on MD4 is only 264 work!
• Solution– A “continuous approximation”– Small changes, converge to a solution
Slide by Mark Stamp 50
Continuous Approximation
• Generate random Qi values until first check equation is satisfied– Random one-bit modifications to Qi
– Save if 1st check equation still holds and 2nd check equation is “closer” to holding
– Else try different random modifications
• Modifications converge to solution– Then 2 check equations satisfied– Repeat until admissible condition holds
Slide by Mark Stamp 51
Steps 0 to 11
• At this point, we have (Q8,Q9,Q10,Q11) and
MD412…47(Q8,Q9,Q10,Q11,X)= MD412…47(Q8,Q9,Q10,Q11,X)
• To finish, we must have MD40…11(IV,X) = MD40…11(IV,X)= (Q8,Q9,Q10,Q11)
• Recall, X12 is only difference between M, M
• Also, X12 first appears in step 12
• Have already found Xj for j= 0,4,8,12,13,14,15
• Free to choose Xj for j= 1,2,3,5,6,7,9,10,11 so that MD40…11 equation holds easily!
Slide by Mark Stamp 52
All Together Now
• Attack proceeds as follows…1. Steps 12 to 19: Find (Q8,Q9,Q10,Q11) and Xj for j=
0,4,8,12,13,14,15
2. Steps 0 to 11: Find Xj for remaining j
3. Steps 19 to 35: Check 35= (0,0,0,0)
– If so, have found a collision!– If not, go to 2.
Slide by Mark Stamp53
Meaningful Collision
• Different contracts, same hash value
Slide by Mark Stamp54
JLM 20060105 12:16 55
SHA-0 Strategy (Chabaud and Joux)
• Basic idea is to look for small differences that can be tracked through rounds like differential cryptanalysis.
• Consider three approximations to the SHA-0 compression function.– SHI-1
• Use Xor instead of Add• Make f(i) linear
– SHI-2• Use Xor instead of Add• Restore f(i) to original values
– SHI-3• Restore Add• Make f(i) linear
JLM 20060105 56
SHI-1 Finding Collisions
• Assume the W(i) are unrelated and follow progress of a change to W(1).
A B C D E
1 W1+ROL5(A)+f(B,C,D)+
E+K
A ROL30(B) C D
2 W2+ …
3 ROL30(-)
4
5 ROL30(W1+ROL5(A)+
f(B,C,D)+E+K)
6 W6+ … - fixes W1 perturbation
JLM 20060105 12:16 57
SHI-1 Error Propagation in Hash
State
W1(i) W6
(i+1) W1(i+2) W31
(i+3) W31(i+4) W31
(i+5)
A(i) A1(i) A(i+1) A(i+2) A(i+3) A(i+4) A(i+5)
B(i) B31(i+1) B(i+5)
C(i) C31(i+2) C(i+5)
D(i) D31(i+3) D(i+5)
E(i) E31(i+4) E(i+5)
PerturbationOn bit 1
Corrections defining masks
JLM 20060105 12:16 58
SHI-1 Restoring Expansion
• Flip bit 1 of W1. This modified A in round “0” resulting, potentially to different (A, B, C, D, E) in round 6. By following linear process we can determine bits in W1, , W6 which, when flipped, produce the same (A,B,C,D,E) in round 6.
• Let M(i) be 0 in all positions that are unchanged in round i and 1 where bits are flipped to restore the result in round 6. This is called a local collision.
• This is easy to do, as we’ve seen if there is no expansion.• Question: If there is expansion, what successful masks are preserved by
expansion if bits are flipped in W(1)?• Answer: M(i)= M(i-3)M(i-8)M(i-14)M(i-16) , 10<i<80• Because SHA-0 expansion doesn’t interleave bits, we can consider each
of the 32 bits independently and exhaustively search for a successful pattern
JLM 20060105 12:16 59
SHI-2
• Restore f(i) and note that rounds 0-19, 40-59 are no longer Xors
• When does f(i) behave like an Xor for IF and MAJ?• Again the action on each of the 32 bits is independent
Round Name f(i)(X,Y,Z) K(i)
0-19 IF (XY(XZ) 0x5a827999
20-39 XOR XYZ 0x6ed9eba1
40-59 MAJ (XY)(XZ)(YZ) 0x8f1bbcdc
60-79 XOR XYZ 0xca62c1d6
JLM 20060105 12:16 60
SHI-2 Finding Collisions• What inputs make IF and MAJ act like Todoand XOR
– B(i)’= B(i), C(i)’= C(i), D(i)’= D(i)
– Single bit change in B(i), e.g. B(i) 21.
– Single bit change in C(i)31 or D(i)
31, e.g. C(i) 231 or D(i) 231 or both.
• The mask becomes probabilistic: We can find a pattern that has the probability with p=2-24 from these. Must check every perturbation has foregoing effect: 2,6,14,16,17,18,19,21,22,26,27,28,35,37,41,45,48, 51,54,55,56,58,59,62,63,68,69,70,71,72.
• Perturbations in positions 2, 6 occurs with p=2-6. Try many W(15).• Collision!
1a6191b0 3c4a331c 1f228ea2 403b7609 04
062ec496 48611ca8 583401bc 399879d0 4d9
2270fdbd 2a8090f0 4b12fd98 473cc7a1 acc
002831a9 50fe1535 61ac0d3d f26700ec fa
JLM 20060105 12:16 61
SHI-3
• Change the Xor back to add and f back to linear
• Perturbation in bit 1 of W(i) leading to corrections in W31(i+3),
W31(i+4), W31
(i+5).
• To prevent carries, non linear constraints must hold on W1(i),
W6(i+1), W1
(i+2).
• So we fix these.• Collision
53c29e14 44fe051b 4a8ce882 576e1943 91
0c0abc30 3806260d 76cbeb2f 1b8379a8 8bfe
0da433ac 6337b011 1041e2a9 20b44364 e596
1a3f8b70 0e7a4620 25e81245 289acb2b 9382aa9
JLM 20060105 12:16 62
SHA-0
• Perturbations must be inserted without carry.• Case in SHI-2 where bit 31 in both C and D flip doesn’t work• Yields two good patterns with probability 2-69.• Trick to suppress perturbations in rounds 16 and 17 reduces
probability to 2-61.• Probability of finding on is 2-22 using basic 2-14 collision• Partial Collision (35 rounds)
78fb1285 77a2dc84 4035a90b b61f0b39 97
4a4d1c83 186e8429 74326988 7f220f79 19fa7
a08e7920 16a3e469 2ed4213d 4a75b904 29ac
38bef788 2274a40c 4c14e934 cee12cec 6a
• None of this works in SHA-1 because of interleaved bits.
JLM 20060105 12:16 63
SHA-0 Finding Collisions
• Change the Xor back to add• Prob of finding on is 2-22 using basic 2-14 collision• Partial Collision (35 rounds)
78fb1285 77a2dc84 4035a90b b61f0b39 97
4a4d1c83 186e8429 74326988 7f220f79 19fa7
a08e7920 16a3e469 2ed4213d 4a75b904 29ac
38bef788 2274a40c 4c14e934 cee12cec 6a
JLM 20060105 12:16 64
SHA-0 Collisions --- Comments
• Message Expansion: Wi-3Wi-8Wi-14Wi-16 means any round can be determined from any consecutive 16 rounds of message expansion.
• The expanded rounds (all 80) can be represented using a linear transformation, A on 512 bits: (w, Aw, A2w, A3w, A4w)T.
• When the round functions are linearized, a change in bit j of word W i can be “corrected” by changes in bits j+6, j, j+30, j+30, j+30 in rounds i+1, i+2, i+3, i+4 and i+5.
• When the round functions are replaced by their non-linear versions a change in bit 1 can be corrected by the same pattern with probability between 2-2 and 2-5. If change is made to position j1, the probability of correction is reduced by 2-3.
• For SHA-1, because of rotation, one bit change propagates to 107 bits in expansion.
JLM 20060105 12:16 65
SHA-0 Biham and Chen
• Introduces “disturbance vectors”– Collision when last 5 vectors is 0
• Full collision on 65 rounds• 82 round SHA-0 is weaker than 80 round• Neutral Bits: Bit i is neutral if disturbance pattern
unchanged with complemented i.• 2-neutral set. Size k(r) of maximal 2-neutral set.
JLM 20060105 12:16 66
Other Cryptographic Hashes and Performance
Hash Name Block Size Relative Speed
MD4 128 1
MD5 128 .68
RIPEMD-128 128 .39
SHA-1 160 .28
RIPEMD-160 160 .24
JLM 20060105 12:16 67
Padding
• Standard technique – Let last message block have k bits. If k=n, make a
new block and set k= 0.– Append a 1 to last block leaving r=n-k-1 remaining bits
in block.– If r64, append r-64 0s then append bit length of input
expressed as 64 bit unsigned integer– If r<64, append n-r 0’s (to fill out block), append n-64
0’s at beginning of next block then append bit length of input expressed as 64 bit unsigned integer
JLM 20060105 12:16 68
Winnowing and Chaffing (Rivest)
• Want to send 1001. Pick random stream (mi) and embed message at positions (say) 3, 7, 8 14 MAC each packet (mmi).
• Make sure MAC is correct only in message positions
JLM 20060105 12:16 69
Lai-Massey
• Assume the padding contains the length of the input string and that the input to the CH function, h, is at least two blocks long. Finding a 2nd pre-image for h with fixed IV requires 2n operations iff finding a 2nd pre-image for the compression function, f, with arbitrarily chosen Hi-1 requires 2n operations where n is the number of bits of h’s output.
JLM 20060105 12:16 70
Breaking news on Hashes
• Don’t use MD4 or you’ll look really, really, silly.• Don’t use MD5.• Don’t use RIPEMD-128• SHA-1 appears to have collision attacks of the order 261
• Use SHA-2 functions– Truncate to provide legacy compatibility if you have
to (i.e. – gun to head)– Required by “Suite B” Standards
JLM 20060105 12:16 71
Message Expansion
• Process of expanding from 16 32 bit words to 80 32 bit words in the compression function is called message expansion– MD5
• Permutations
– SHA-0• Linear code (LFSR)
– SHA-1• Linear code with rotation
• Has profound effect on possible disturbance vectors in Differential attacks
• Being studied to provide greater protection• Replace xor with modular addition to prevent codeword difference
propagation• Conditions on chaining variables for local collision (Probability
between 2-39 and 2-42)
JLM 20060105 12:16 72
SHA-2
• FIPS 180-2, 8/02. – Defines SHA-256, SHA-384, SHA-512.– SHA-224 (truncated) added 2/04
• Great increase in mixing between bits of the words compared to SHA-1.
• US Patent 6,829,355 • Inventor: Glenn Lilly• Assignee: NSA• Can obtain source from
– http://en.wikipedia.org/wiki/SHA-2
JLM 20060105 12:16 73
SHA-256//Initialize variables:
h0 := 0x6a09e667 //232 times the square root of the first 8 primes 2..19
h1 := 0xbb67ae85, h2 := 0x3c6ef372, h3 := 0xa54ff53a, h4 := 0x510e527f
h5 := 0x9b05688c, h6 := 0x1f83d9ab,h7 := 0x5be0cd19
//Initialize table of round constants:
k(0..63) := //232 times the cube root of the first 64 primes 2..311• 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
0x923f82a4, 0xab1c5ed5,• 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe,
0x9bdc06a7, 0xc19bf174,• 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa,
0x5cb0a9dc, 0x76f988da,• 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
0x06ca6351, 0x14292967,• 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb,
0x81c2c92e, 0x92722c85,• 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624,
0xf40e3585, 0x106aa070,• 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
0x5b9cca4f, 0x682e6ff3,• 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb,
0xbef9a3f7, 0xc67178f2
JLM 20060105 12:16 74
SHA-256
//Pre-processing:
append a single "1" bit to message
append "0" bits until message length ≡ 448 ≡ -64 (mod 512)
append length of message (before pre-processing), in bits as 64-bit big-endian integer to message
//Process the message in successive 512-bit chunks:
break message into 512-bit chunks;
For(each chunk)
break chunk into sixteen 32-bit big-endian words w(i), 0≤i≤15
//Extend the sixteen 32-bit words into sixty-four 32-bit words:
for i from 16 to 63
s0 := (w(i-15>>>7)(w(i-15)>>>18)(w(i-15)>>3) s1 := (w(i-2)>>>17)(w(i-2)>>>19)(w(i-2)>>10) w(i) := w(i-16)+s0+w(i-7)+s1
//Initialize hash value for this chunk:
a := h0, b := h1, c := h2, d := h3, e := h4, f := h5, g := h6, h := h7
JLM 20060105 12:16 75
SHA-256//Main loop:
for 0i63 s0:= (a>>>2)(a>>>13)(a>>>22) maj:= (ab)(bc)(ca) t0:= s0+maj
s1:= (e>>>6)(e>>>11)(e>>>25) ch:= (ef)((e)g) t1:= h+s1+ch+k(i)+w(i)
h:= g, g := f, f := e, e := d t1,
d:= c, c := b, b := a, a := t0+t1
//Add this chunk's hash to result so far:
h0:= h0+a, h1:= h1+b , h2:= h2+c, h3:= h3+d
h4:= h4+e, h5:= h5+f, h6:= h6+g, h7:= h7+h
//Output the final hash value (big-endian):
digest = hash = h0||h1||h2||h3||h4||h5||h6||h7;
JLM 20051124 14:16 76
Chinese Attack-1
Find M, M': H(M)=H(M'). Select Message difference M'=MDifferential path bi'=bibi
For MD5: Hi= f(Hi-1, Mi), 0i<16, f: (a,b,c,d, wi, wi+1, wi+2, wi+3) is computed as follows:
a= b+((a+i(b,c,d)+wi+ ti)<<<si),
d= a+((d+i+1(a,b,c)+wi+1+ti+1)<<<si+1),
c= d+((c+i+2 (d,a,b)+wi+2+ti+2)<<<si+2),
b= c+((b+i+3(c,d,a)+wi+3+ti+3)<<<si+3).
JLM 20051124 14:16 77
Chinese Attack-2
i (X,Y,Z)= (XY)(XZ), 0i15,
i(X,Y,Z)= (XZ)(YZ), 16i31,
i (X,Y,Z)= (XYZ), 32i47,
i (X,Y,Z)= Y(XZ), 48i63 and
wi is the expanded message, wi, ti are round dependant constants.
Now, define X = X'-X. H0 [(M0, M0‘)] H1[(M1, M1‘)] H2 …[(Mi-1, M i-1 ‘)] Hi= H with each composed of
Hi[P2 ]R i+1,1 [P2] R i+1,2[P3]R i+1,3 [P4]R i+1,4= H i+1.
JLM 20051124 14:16 78
Chinese Attack-3
• Let i,j=x i,j’-x i,j=±1 and xi [ j1, j2, …,jl ]= xi [j1, j2, … , jl]-xi.• Collision is caused by 1024 bit input: (M0, M1) with
M0= (0,0,0,0,231, 0,0,0,0,0,0,215,0,0,231,0)
M1= (0,0,0,0,231, 0,0,0,0,0,0,-215,0,0,231,0).
• Sufficient conditions insure that differential holds with high probability.
• At 8th iteration, b2= c2+(b1+F(c2,d2,a2)+m7+t7)<<<22• Try to control (c2 , d2, a2, b1) b2 as indicated in next
slide
JLM 20051124 14:16 79
Chinese Attack-4
(A) Non-zero bits of b2:
d2,11=1, b2,1=0,
d2,26= overline a2,26=1, b2,16=0.
d2,28= overline a2,28=0, b2,i=0.
d2,11=1, b2,24=0.
(B) Zero bits of b2:
c2,i=0, d2,i= a2,I, c2,i=1.
d 2,6 =overline a2,6 =0.
d2,i= 0, d2,12= 1, a2,24= 0.
7th bit of c2, d2, a2 result in no change in b2.
JLM 20051124 14:16 80
Chinese Attack-5
Algorithm1: Repeat until first block is found
(a) Select random M0,
(b) Modify M0,
(c) M0, M0'= M0+M0 produce M0 (H1, M1) with probability 2-37, (d) Test characteristics.
2: Repeat until first block is found (a) Select random M1,
(b) Modify M1,
(c) M1, M1'= M1+M1 produce M1 0 with probability 2-30
(d) Test characteristics.
JLM 20060212 14:16 81
SHA-2
• FIPS 180-2, 8/02. – Defines SHA-256, SHA-384, SHA-512.– SHA-224 (truncated) added 2/04
• Great increase in mixing between bits of the words compared to SHA-1.
• US Patent 6,829,355 – Inventor: Glenn Lilly– Assignee: NSA
• Can obtain source from – http://en.wikipedia.org/wiki/SHA-2
JLM 20051124 14:16 82
SHA-256 Definitions
Ch(x,y,z)= (xy)(xz), Maj(x,y,z)= (xy)(xz)(yz).
256{i, j, k}(x)= ROTRi(x)ROTRj(x)ROTRk(x),
256{i, j, k}(x)= ROTR i(x)ROTR j(x)SHRk(x).
0256(x)= 256
{2, 13, 22}(x),
1256 x)= 256
{6, 11, 25}(x).
0256(x)= 256
{7, 18, 3}(x),
1256(x)= 256
{17, 19, 10}(x).
JLM 20051124 14:16 83
SHA-512 Definitions
Ch(x,y,z)= (xy)(xz), Maj(x,y,z)= (xy)(xz)(yz).
512{i, j, k}(x)= ROTRi(x)ROTRij(x)ROTRk(x),
512{i, j, k} (x)= ROTRi(x)ROTRj(x)SHRk(x).
0512 (x)= 512
{28,34,39}(x),
1512(x)= 512
{14, 18, 41}(x).
0512(x)= 512
{1,8,7}(x),
1512 (x)= 512
{19, 61, 6}(x).
JLM 20051124 14:16 84
SHA-256
SHA-256(M1||M2||…||MN):for(i=1; iN; i++) {
Wt= Mt(i) , 0t15,
Wt = 1256(Wt-2)Wt-70256(Wt-15)Wt-1,16t63;a= H0
(i-1); b= H1(i-1); c= H2
(i-1); d= H2(i-1);
e= H4(i-1); f= H5
(i-1); g= H6(i-1); e= H7
(i-1); for(t=0; t<64;t++) {
T1=h+1256(e)+Ch(e,f,g)+Kt256+Wt; T2=0256(a)+Maj(e,f,g);
h= g; g= f; f=e; e= d+T1; d=c;
c=b; b=a; a= T1+T2; }
H0(i)= a+H0
(i-1);H1(i)= b+H1
(i-1);H2(i)= c+H2
(i-1);H3(i)= d+H3
(i-1);
H4(i)= e+H4
(i-1);H5(i)= f+H5
(i-1);H6(i)= g+H6
(i-1);H7(i)= h+H7
(i-1);}
• SHA-512 is the same except there are 79 rounds and the words are 64 bits long.
JLM 20060212 14:16 85
Other Cryptographic Hashes and Performance
Hash Name Block Size Relative Speed
MD4 128 1
MD5 128 .68
RIPEMD-128 128 .39
SHA-1 160 .28
RIPEMD-160 160 .24
JLM 20060212 14:16 86
What to take home
• Symmetric ciphers and hashes provide key ingredients for “distributed security”
– Fast data transformation to provide confidentiality– Integrity– Public key crypto provides critical third component (trust
negotiation, key distribution)
• It’s important to know properties of cryptographic primitives and how likely possible attacks are, etc.
– Most modern ciphers are designed so that knowing output of n-1 messages provides no useful information about nth message.
– This has an effect on some modes of operation.
87
SHA-3 Competition
JLM 20090310
Notes
• Message expansion and related key attacks• Rebound attacks, bottleneck attacks (FSE 2009)• Extension attacks: permutations, output function• Multicollision resistance• Indifferentiability attacks• Bijective Feistel 5R impossible differential
• Matsui: How far can we go on the x64. FSE 2006, v4047.• Matsui: Power of bitslice. CHES 2007, v4727.
88JLM 20090222
Haifa
• Dean 2nd Pre-image on fixed points• H=EM
-1(0)1. Find 2mc/2 fixed points, A= (h,m)
2. Find 2mc/2 single block outputs B= CMD(IVM|m’)3. Obtain collision
• hi+1= C(hi,Mi,nBitsSoFar,salt)• Wide path. C1: {0,1}mc x {0,1}n {0,1}mc; C2: {0,1}mc {0,1}n.
89JLM 20090222
RadioGatun
• Compression (state, message to state)
• Expand (message expansion, 3-5x)
• IMF has given capacity lc• Alternating input construction
– Internal collision– State guessing– Decorrelation– Difference propagation
• Operates on ls bit state• State guess infeasible implies that
pre-image is infeasible
90JLM 20090222
Alternating input construction
• In: li-bit input blocks. p0, … , pnp-1
• Out: lo-bit input blocks. z0, … , znz-1
• R is round function
S= 0;for(i=0;i<np;i++) {
T= SFi(pi);S= R(T);
}for(i=0;i<nb;i++)
S= R(T);for(i=0;i<np;i++) {
S= R(S);
zi= F0(S);}
Blake
• Haifa design.
h0= IVfor(i=0;i<N;i++)
hi= compress(hi,mi,s,li)• Gi(a,b,c,d):
– a= a+b+(mr(2i)cr(2i))– d= (da)>>>16– c= c+d– b= (bc)>>>12– a= a+b+(mr(2i+1)cr(2i+1))– d= (da)>>>8– c= c+d– b= (bc)>>>7
91JLM 20090222
• h0’= h0s0v0v8 • h1’= h1s1v1v9
• h2’= h2s2v2v10
• h3’= h3s3v3v11
• h4’= h4s4v4v12
• h5’= h5s5v5v13
• h6’= h6s6v6v14
• h7’= h7s7v7v15
v0 v1 v2 v3 h0 h1 h2
h3
v4 v5 v6 v7 h4 h5 h6
h7
v8 v9 v10 v11 c0s0 c1s1 c2s2 c3s3
v12 v13 v14 v15 c4t0 c5t1 c6t2 c7t3
chain value Init
salt ctr
Rounds Final next chain value
M salt ctr
Grostl
92JLM 20090222
Hi-1
P
Hi
Mt
Q
• h0= IV, hi= f(hi-1,mi), H(M)= G(ht).• Compression: f(h,m)= P(hm)Q(m)h• G(x)=truncn(P(x)x)• R(x)=Mix(Shift(Subbyte(AddRoundKey(x))))• Mix: 8 x 8 MDS over GF(28)• P and Q only differ by use of constants in 10
rounds of applying R(x).
Sponge
• A sponge function takes a variable length input, p, of characters from A and produces an infinite length output z, zj A , f: A x C A, |p|1 and final character is 0. State is S=(SA,SC).– Absorbing: S= f(SA+pi,SC)– Squeezing: S=f(S).– Rate: lg(|A|).– Capacity: lg(|C|).– Sf[p]: state after absorbing p.– zj= SA,f[p|0j].– State collision: Sf[p]=Sf[q].– Inner collision: Sf,c[p]=Sf,c [q].– Simultates Random oracle
93JLM 20090222
T/P-Sponge• A P-sponge is a permutation selected uniformly and randomly from
(AC)!.• A T-sponge is a function selected uniformly and randomly from (AC)AC.• Theorem: The output returned by a random sponge to a sequence of
queries are uniformly and randomly distributed if no inner collision occurs.
• Theorem: The probability of success of distinguishing between a RS and a random oracle (RO) is P ½+½P(IC|RS). For a randome T-sponge, P(IC)=1-exp(-i=1
q i/|C|)
• 2nd pre-image: Find 2nd path to some inner state: T=SC,f[p’]
94JLM 20090222
Case Inner collision Path Find Out cycle Out bind (rm>c)
Out bind (rm<c)
T-sponge [q(q+1)]/[2|C|] q/|C| [q(q+1)]/[2|C||A|] ( N/|C|) [|A|-1]/A)
( N/|C|) [|A|-1]/Am)
P-sponge [q(q+1)]/[2|C|]- [q(q-1)]/[2|A||C|]
[q(q+4)]/[4|C|]-[q2]/[4|A||C|]
q/[|A||C|] ( N/|C|) [|A|-1]/A)
( N/|C|) [|A|-1]/Am)
Sponge
95JLM 20090222
SA
p0
SC
absorbing
f
SA
z0
SC
squeezing
f
r c
• r is bit rate• c is capacity
Sponge
• Theorem: A random sponge can only be distinguished from a random oracle by the presence of an inner collision which is unlikely if q<<2c/2.
• Theorem: A random sponge can be differentiated from a random oracle with probability p ~ – q (q+1) 2-(c+1), N<2c.
96JLM 20090222
T P
Output collision 2(min(n,c)+3)/2 2(min(n,c)+3)/2
Pre-image 2n min(2c/2+2n, 2n)
2nd pre-image min(2c/l, 2n) min(2(min(n,c)+3)/2, 2n)
Sponge
• Simulate:: make interface the same as to an ideal compression function, F.
• Def: A Turing Machine C with oracle access to an ideal primitive, F, is said to be (tD, tS, q,)-indifferentiable from an ideal primitive, G, if there is a simulator P[G] such that DPr[D[C(F); F]=1]-Pr[D[G,P[G]]=1]; F]=1]|<.
97JLM 20090222
Keccak
• Keccak-f(r+c). r+c= 25, 50, 100, 200, 400,800, 1600– r=1024, c=575– r=512, c=1088
• State: 5 x 5 x 2l bits– for diffusion– for inter slice dispersion– for disturbing vertical/horizontal alignment– for non-linearity– for symmetry breaking
98JLM 20090222
Keccak
: for(y=0; y<5; y++){ for(x=0;x<5;x++)
A[x][y]= a[x][y]((a[x+1][y])a[x+2][y]);}
: for(x=0; x<5; x++){ p[x]= a[x][0]; for(y=0;y<5;y++)
p[x]= a[x][y]p[x];}for(x=0; x<5; x++){ p[x]= p[x-1]p[x+1]<<1; for(y=0;y<5;y++)
p[x]= a[x][y]p[x];}
99JLM 20090222
Keccak
: for(x=0;x<5;x++) { for(y=0; y<5; y++)
[X, Y]T= [0 1] [X, Y]T
[2 3]}A[X][Y]= a[X][Y]
: A[0][0]= a[0][0]; [X, Y]T= [1, 0]T;for(t=0; t<5; t++){ A[x][y]= a[x][y]<<<[(t+1)(t+2)]/2;}
: Add round constants;
100JLM 20090222
Lane
• IVn,S= f(0,||bin32(n)||0k|S,0), is the salt.
• P-6 round, Q- 3 round.
• Mi= m1 || m2 || m3 || m4
• Hi= h0 || h1
• W0= h0 m0 m1 m2 m3 || h1 m0 m2
• W1= h0 h1 m0 m2 m3 || h0 m1 m2
• W2= h0 h1 m0 m1 m2 || h0 m0 m3
• W3= h0 || h1
• W4= m0 || m1
• W5= m2 || m3
101JLM 20090222
Lane
102JLM 20090222
Hi-1
E
Hi
P0
M
P1 P2 P3 P4 P5
Q1
Q0
Lane
• Round(r, X)
• 1: X ← SubBytes(X)
• 2: X ← ShiftRows(X)
• 3: X ← MixColumns(X)
• 4: X ← AddConstants(r,X)
• 5: X ← AddCounter(r,X)
• 6: X ← SwapColumns(X)
• 7: return X
• function LastRound(X)
• 1: X ← SubBytes(X)
• 2: X ← ShiftRows(X)
• 3: X ← MixColumns(X)
• 4: X ← SwapColumns(
103JLM 20090222
• function Pj(X)
• 1: for i = 0 to 4 do
• 2: r ← 5j + i
• 3: X ← Round (r,X)
• 4: end for
• 5: X ← LastRound(X)
• 6: return X
• function Qj(X)
• 1: for i = 0 to 1 do
• 2: r ← 30 + 2j + i
• 3: X ← Round (r,X)
• 4: end for
• 5: X ←LastRound(X)
• Return x;
Lane
• 1: k0 ← 07fc703dx• 2: for i = 1 to 272 (resp. 768 for Lane-384 and Lane-512) do• 3: ki = ki−1 1≫• 4: if ki−1 00000001x then∧• 5: ki = ki d0000001x⊕• 6: end if• 7: end for• Figure 2.4: Pseudocode
104JLM 20090222
Shavite• Use Haifa mode/MD-construction. Compression: C256, Encrypt: E256.• E: (Li+1, Ri+1) = (Ri, LiF3
rk[i](Ri).• F3
k0,k1,k2(x)= AESR(0128, AESR(k1, AESR(k2, xk0)))• C256(M, cnt, salt)
– Message expansion– Repeat 4 times
• Repeat 2 times1. rk[i]= M, i= 0,…,152. i=163. t[0…3]= AESR(0128, rk[i-15], rk[i-14], rk[i-13], rk[i-16])salt[0…3]4. rk[i+j]=t[j] rk[i+j-4]5. if(i==16) rk[16]cnt[0]; rk[17]cnt[1];6. if(i==84) rk[86]cnt[1]; rk[87]cnt[0];7. i+= 4;8. t[0…3]= AESR(0128, rk[i-15], rk[i-14], rk[i-13], rk[i-16])salt[4…7]9. rk[i+j]=t[j]rk[i+j-4]10. if(i==56) rk[57]cnt[0]; rk[58]cnt[1];11. if(i==124) rk[124]cnt[1]; rk[127]cnt[0];12. i+= 1;
105JLM 20090222
ShaviteRepeat 2 times
1. rk[i]=rk[i-16]rk[i-3]2. i++;
Pad M’=M|1|0k|len(M)|len(m)
b= 0;
h0= IVfor(i=0; i<|M|/512; i++)
b+= 512;
hi=C256(hi-1, Mi, b, salt)if(|M|=0 (mod512))
hl-1=C256(hl-2, Ml, b, salt)
hl=C256(hl-1, Ml, b, salt)
106JLM 20090222
Shavite
• Message expansion X(M,cnt,salt256) 144 32 bit words rk[0…143]• Theorem for C256: The exact maximal expected 2 round differential
characteristic has probability (53/234)=1.656 x 2-29. The exact maximal expected 4 round differential characteristic has probability (53/234)4=1.881 x 2-114. The best 3 round differential characteristic has probability <2-49.
• Theorem: Except for the 00 characteristic:1. There is no iterative 2 round characteristic of E256.
2. There is no four round characteristic of E256. with probability > 2-147.
3. There is no 3 round characteristic of E256. with probability > 2-98.
4. There is no 9 round characteristic of E256. with probability > 2-294.
• With MD construction, there is no preimage if block cipher is safe.• In wide pipe need mc2m for safety against pre-image.• Need salt1/2 mc for safety against herding attack.• MIV256= C256(0,0,0,0)
107JLM 20090222
Skein
108JLM 20090222
<<<
+
Mix
+Round-Key0
Mix Mix Mix…
Permute
UBI
M0
G
M1
Mk
… LenFirstFinal
DM/MMO
109JLM 20090222
Hi-1
E
Hi
mi(key)
• Differential attack on C• Related key attack on E
Hi-1 (key) E
Hi
mi(key)
• Differential attack on C• Differential attack on E
MD6 has…
• Bottom-up tree-based mode of operation (like Merkle-tree)
• 4-to-1 compression ratio at each node
110JLM 20090228
MD6 has…
• 1024-bit intermediate (chaining) values
• root truncated to desired final length
• Location (level,index) input to each node
(2,2)(2,0) (2,1) (2,3)
111JLM 20090228
Prepend Constant + Map + Chop
1-1 map
const key+UV data
15 8+2 64
89 words
89 words
16 words
PrependMap
Chop
112JLM 20090228
Constants
• Taps 17, 18, 21, 31, 67 optimize diffusion
• Constants Si defined by simple recurrence; change at end of each 16-step round
• Shift amounts repeat each round (best diffusion of 1,000,000 such tables):
0 1 2 3 4 5 6 7 8 9 10
11
12
13
14
15
ri 10
5 13
10
11
12
2 7 14
15
7 13
11
7 6 12
li 11
24
9 16
15
9 27
15
6 2 29
8 15
5 31
9
113JLM 20090228
Large Memory (sliding window)
2 3 1 4 5 3 2 1 2 0 3 3 4 2 2
• Array of 16r + 89 64-bit words.• Each computed as function of preceding 89 words.• Last 16 words computed are output.
114JLM 20090228
Small memory (shift register)
2 3 2 1 5 6 3 2 7 1 3 2 6 3 1 4 0 1
Si
Shifts
• Shift-register of 89 words (712 bytes)• Data moves right to left
89 words
115JLM 20090228
MD6 Description• Compress
– Input: A[0], …, A[88], A[0]..A[14]- constants, A[15]..A[22] key/level, A[25]..A[88] – data
– One step:• for (i=89; i<= 16r+88) {
x= SiA[i-17] A[i-88] (A[i-18]A[i-21) A[i-67]
x= x(x>>ri)
A[i]= x(x<<li)}
– Output: A[16r+73]..A[16r+88] (64 bit words)• MD6 proposes 1280 steps• S0= 0123456789abcdef, • Si= (S0<<1) (S0>>63) (Si-17311c2812425cfa)
JLM 20090222116
s 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
ri 10 5 13 10 11 12 2 7 14 15 7 13 11 7 6 12
li 11 24 9 16 15 9 27 15 6 2 29 8 15 5 31 9
117
End
JLM 20081006
JLM 20090201 118
Next Quarter
• 2-4 weeks to cover 16, 17, 18 and results on boolean functions.• Rest on major reports:
– Full Linear cryptanalysis of DES.– Full Differential cryptanalysis of DES.– Full Linear and differential cryptanalysis of FEAL.– Intro Algebraic cryptanalysis (including SFLASH) – John. – An algebraic cryptanalysis.– Dobbertin’s attack on MD4.– Chinese (Wang et. al) attack on SHA-1.
• Other topics (final quarter?)– Full factoring attack.– Full Elliptic Curve crypto selection, attacks, etc (3 weeks).– Full Discrete Log attack.– Full Re-estimation attack.– Random number analysis.– NIST Hash analysis.– Full Stream cipher analysis.
