Ruhr-Universität Bochum, Fakultät für Mathematik, Informationssicherheit und Kryptologie. Finding Differential Patterns for the Wang Attack. CITS – Cryptology.


1 Ruhr-Universität Bochum, Fakultät für Mathematik, Informationssicherheit und Kryptologie. Finding Differential Patterns for the Wang Attack. CITS – Cryptology and IT-Security, Faculty of Mathematics, Ruhr University Bochum. Magnus Daum

2 Motivation
Crypto 04 (Wang et al.): actual collisions for various hash functions, e.g. for MD5.
[Slide shows the two colliding two-block MD5 messages as hex dumps: block M1 beside M1' and block M2 beside M2'.]

3 Motivation
Lenstra/Wang/de Weger: colliding (w.r.t. MD5) X.509 certificates.
[Slide shows the differing part of the two certificates as hex dumps.]

4 Motivation
Other actual collisions published (Klima, Lucks/D.) show the same characteristics.
Reason: the attack applies a special differential pattern with fixed input differences (δ_0, …, δ_15) = (0, 0, 0, 0, 2^31, …, ±2^15, …, 2^31, 0).
Considered bytewise, these are only differences in the most significant bit.
This may be a problem in certain applications, e.g. when trying to find colliding ASCII texts.
Possible to use other input difference patterns?

5 Wang's Attack

6 Wang's Attack
Differential attack with modular differences (i.e. differences with respect to addition modulo 2^32).
Starts from a given/chosen message and modifies its bits to produce a collision.
Two main parts:
– Choosing the differential pattern (done by hand)
– Single-step and multi-step modifications

7 Choosing the Differential Pattern
Not much is known about how Wang actually found the pattern used in all the implementations.
Wang: intuitively and by hand.
Some ideas can be reconstructed by looking at what is happening during the attack.

8 Attack on MD5
The attack uses two applications of the compression function with two different but related differential patterns: (0, 0, 0, 0) → (2^31, , , ) and (2^31, , , ) → (2^31, , , ).
The addition of the IV at the end of the compression function causes the differences to cancel.
Here: only look at one application of the compression function.

9 Attack on MD5
Construction of the pattern starts in the last rounds: the design of MD5 allows a differential pattern for rounds 3+4 which leads to a useful near-collision.
Input differences are chosen such that this difference propagation happens with high probability.
Look for conditions on register values which make the difference propagation in the first two rounds possible.
[Figure: the steps of the compression function, labelled with the message words W_t.]

10 Step Operation in MD5

11 Structure of the Compression Function: Message Expansion

12 MD5
Message expansion by roundwise permutations of the M_i (four rounds).
Step operation: [figure]

13 MD5
K_t, s_t: constants; W_t: message words; f: bitwise defined Boolean function; R_t: new content of the register changed in step t.
Step operation: [figure]

14 Step Operation
Advantage of considering modular differences: most operations used in the step operation have a deterministic propagation of modular differences.
Analyse the other parts:
– Bit rotations
– Bitwise defined functions

15 Difference Propagation

16 Various Differences
Bitwise (XOR) differences and modular differences: how do they relate?
Signed bitwise differences: differences are usually of low weight, so these are uniquely determined.

17 Various Differences
Modular differences ↔ signed bitwise differences.
Special case: [formula]. Depends on the actual value of x.
Can be generalized to other differences. For fixed δ^+x = [k]: [formula]
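Added example, not from the slides: the three kinds of differences contrasted on slides 16 and 17, computed for 32-bit words. It shows that the same modular difference 2^k has different signed bitwise differences depending on the actual value of x (the carries), while a signed bitwise difference always determines both the modular and the XOR difference; for the Wang difference 2^31 only bit 31 ever flips. All function names are mine.

```python
# Added example, not from the slides: XOR, modular and signed bitwise
# differences of two 32-bit words, written +[i] / -[i] as on the slides.
MASK = 0xFFFFFFFF

def xor_diff(x, x2):
    """Bitwise (XOR) difference: which bits differ, but not in which direction."""
    return (x ^ x2) & MASK

def mod_diff(x, x2):
    """Modular difference x2 - x (mod 2^32)."""
    return (x2 - x) & MASK

def signed_diff(x, x2):
    """Signed bitwise difference: list of (bit, sign), sign = bit of x2 minus
    bit of x, i.e. +1 for a 0->1 flip and -1 for a 1->0 flip."""
    return [(i, ((x2 >> i) & 1) - ((x >> i) & 1))
            for i in range(32) if (x ^ x2) >> i & 1]

def signed_to_mod(sd):
    """A signed bitwise difference uniquely determines the modular difference."""
    return sum(s << i for i, s in sd) & MASK

def signed_to_xor(sd):
    """... and the XOR difference."""
    return sum(1 << i for i, _ in sd)

def signed_for_mod(x, delta):
    """Signed bitwise difference of the pair (x, x + delta): for the same
    modular difference it depends on x, because of the carries."""
    return signed_diff(x, (x + delta) & MASK)

def fmt(sd):
    """Render as on the slides, e.g. '-[5] +[6]'."""
    return " ".join(("+" if s > 0 else "-") + f"[{i}]" for i, s in sd)

if __name__ == "__main__":
    for x in (0x0, 0x20, 0x60, 0xE0):      # bit 5 clear / set / run of ones above it
        print(f"x={x:#010x}  d+ = 2^5  ->  {fmt(signed_for_mod(x, 1 << 5))}")
    for x in (0x0, 0xFFFFFFFF):            # the Wang input difference 2^31
        print(f"x={x:#010x}  d+ = 2^31 ->  {fmt(signed_for_mod(x, 1 << 31))}")
```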

18 Difference Propagation: Bitwise Functions
f is applied bitwise → modular differences are not very useful; transform to signed bitwise differences.
The propagation of signed bitwise differences can be analysed easily.

19 Difference Propagation: Bitwise Functions

20 Difference Propagation: Bitwise Functions
f is applied bitwise → modular differences are not very useful; transform to signed bitwise differences.
The propagation of signed bitwise differences can be analysed easily → possible values for the output difference together with the corresponding conditions.
For each of the cases the corresponding modular differences are uniquely determined.
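Added example, not from the slides: how a signed bitwise difference on one input bit propagates through each of the four MD5 round functions, and the conditions on the other two input bits that select each output difference. It reproduces the "1–3 choices per nonzero bit" of the degrees-of-freedom slides; the function names and the x, y, z naming of the inputs are mine.

```python
# Added example, not from the slides: propagation of a signed bitwise
# difference through MD5's bitwise Boolean functions, one bit position at a time.
from itertools import product

# The four MD5 round functions evaluated on single bits (x, y, z in {0, 1}).
FUNCS = {
    "F": lambda x, y, z: (x & y) | ((1 - x) & z),
    "G": lambda x, y, z: (x & z) | (y & (1 - z)),
    "H": lambda x, y, z: x ^ y ^ z,
    "I": lambda x, y, z: y ^ (x | (1 - z)),
}

def output_diff_cases(fname, diff_in):
    """diff_in = (sx, sy, sz), each in {-1, 0, +1}: the signed bitwise difference
    at one bit position of the three inputs (+1: bit goes 0->1, -1: 1->0,
    0: unchanged).  Returns {signed output difference: [conditions]}, each
    condition being the values of the unchanged input bits that produce it."""
    f = FUNCS[fname]
    cases = {}
    for bits in product((0, 1), repeat=3):
        # a bit with difference +1 must be 0 in the first value, -1 must be 1
        if any((s == 1 and b != 0) or (s == -1 and b != 1)
               for b, s in zip(bits, diff_in)):
            continue
        second = tuple(b + s for b, s in zip(bits, diff_in))
        out = f(*second) - f(*bits)
        cond = {n: b for n, b, s in zip("xyz", bits, diff_in) if s == 0}
        cases.setdefault(out, []).append(cond)
    return cases

def describe(fname, diff_in):
    """Human-readable summary: one line per possible output difference."""
    lines = []
    for out, conds in sorted(output_diff_cases(fname, diff_in).items()):
        label = {1: "+[i]", -1: "-[i]", 0: "0"}[out]
        when = " or ".join((",".join(f"{k}={v}" for k, v in c.items()) or "always")
                           for c in conds)
        lines.append(f"{fname}: d(f) = {label:5} if {when}")
    return lines

if __name__ == "__main__":
    for name in FUNCS:
        print("\n".join(describe(name, (1, 0, 0))))   # difference +[i] on x only
```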

21 Bit Rotation and Modular Addition

22 Bit Rotation and Modular Addition
A random, B fixed: [theorem]

23 Difference Propagation: Bit Rotations
Register R with a fixed difference δ^+R = [t]. A = R, B = δ^+R: applying the theorem described earlier yields for t
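Added example, not from the slides: the propagation of a modular difference δ^+R = 2^t through the left rotation by s of the MD5 step, counted over random register values. `rot_diff_by_carries` uses my own derivation rotl(A + B) = rotl(A) + rotl(B) + c_low − c_high·2^s (mod 2^32), with c_low and c_high the carries out of the low 32−s bits and the top s bits of the addition; it gives the four cases mentioned on slide 27, with rotl(2^t) = 2^((t+s) mod 32) as the dominant one. Function names are mine.

```python
# Added example, not from the slides: how a modular difference moves through
# the bit rotation of the MD5 step, counted over random register values.
import random

N = 32
MASK = (1 << N) - 1

def rotl(x, s):
    """Rotate the N-bit word x left by s positions (0 < s < N)."""
    return ((x << s) | (x >> (N - s))) & MASK

def rot_diff(a, delta, s):
    """Modular difference of the rotated pair (a, a + delta)."""
    return (rotl((a + delta) & MASK, s) - rotl(a, s)) & MASK

def rot_diff_by_carries(a, delta, s):
    """Same value from the two carries of a + delta (own derivation):
    c_low  = carry out of the low N-s bits; after rotation it lands in bit 0 (+1),
    c_high = carry out of the top s bits, lost mod 2^N, so the rotated top part
             is short by 2^s.
    Hence rotl(a+delta) - rotl(a) = rotl(delta) + c_low - c_high * 2^s (mod 2^N)."""
    low = (1 << (N - s)) - 1
    c_low = ((a & low) + (delta & low)) >> (N - s)
    c_high = ((a >> (N - s)) + (delta >> (N - s)) + c_low) >> s
    return (rotl(delta, s) + c_low - (c_high << s)) & MASK

def possible_cases(delta, s):
    """The at most four rotated differences, one per (c_low, c_high) pair."""
    return {(rotl(delta, s) + cl - (ch << s)) & MASK for cl in (0, 1) for ch in (0, 1)}

def case_distribution(delta, s, samples=20000, seed=1):
    """How often each rotated difference occurs for random a (constructed sample)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(samples):
        d = rot_diff(rng.getrandbits(N), delta, s)
        counts[d] = counts.get(d, 0) + 1
    return counts

def check_identity(delta, s, samples=1000, seed=2):
    """True if the carry formula matches the direct computation on random a."""
    rng = random.Random(seed)
    return all(rot_diff(a, delta, s) == rot_diff_by_carries(a, delta, s)
               for a in (rng.getrandbits(N) for _ in range(samples)))

if __name__ == "__main__":
    for t in (5, 24):                # s = 7 is the first rotation amount of MD5
        counts = case_distribution(1 << t, 7)
        print(f"d+R = 2^{t}, s = 7:", {f"{d:#010x}": n for d, n in counts.items()})
```

With t = 5 the dominant case is practically the only one; with t = 24 the carry out of the low 25 bits occurs for half of all register values, so two cases appear with equal frequency.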

24 Example: Analysis of Difference Propagation, taken from the first round of MD4

25 Automated Searching of such Differential Patterns

26 Degrees of Freedom
Choices when constructing such patterns:
– (Input differences in the W_i)
– Bitwise function: 1–3 choices per nonzero bit
[Figure: the cases at bits 22, 25, 29 and 31 of the example.]

27 Degrees of Freedom
Choices when constructing such patterns:
– (Input differences in the W_i)
– Bitwise function: 1–3 choices per nonzero bit
– Bit rotation: 4 choices in general (but usually one dominant case)
– Assumptions on bitwise differences (expand differences)

30 Searching for Differential Patterns
Idea: build trees of difference patterns.
Each vertex represents a possible state of differences.
The possible differences resulting after the following step are computable:
– Leads to several new vertices → pruning necessary
For the pruning use a cost function depending on the following properties:
– Probability that this difference state is actually achieved
– Weights of the differences
– Distance from the root of the tree

31 Finding Useful Patterns
Additional constraints for useful patterns, e.g. start and end with zero differences.
a) Trivial solution: take a root with zero differences and add new vertices till a vertex with zero differences is found.
b) Build two trees, one going forward, one going backward; fix a layer corresponding to some step and look for common vertices.
c) Two trees as above, but stop some steps before the fixed layer and find the connection by solving additional equations.
Has not been fully tested up to now.

32 Conclusion
Some analysis of the background of Wang's attack.
Theoretical basis for analysing the propagation of modular differences.
Ideas for automatically finding useful difference patterns.

33 Thank you! Questions???

