Download presentation

Presentation is loading. Please wait.

Published byNatalie Dunlap Modified over 3 years ago

1
**Finding Differential Patterns for the Wang Attack**

Magnus Daum CITS – Cryptology and IT-Security Faculty of Mathematics Ruhr University Bochum

2
**Daum - Finding Differential Patterns for the Wang Attack**

Motivation Crypto ’04 (Wang et al.): actual collisions for various hash functions E.g. for MD5: M2: 02dd31d1 c4eee6c5 069a3d69 5cf9af98 87b5ca2f ab7e4612 3e ffbb8 0634ad55 02b3f e483 5a e fc9cdf7 f2bd1dd9 5b3c3780 313e82d8 5b8f3456 d4ac6dae c619c936 b4e253dd fd03da a0cd48d2 42339fe9 e87e570f 70b654ce 1e0da880 bc2198c6 9383a8b6 2b65f af76f M1: 02dd31d1 c4eee6c5 069a3d69 5cf9af98 87b5ca2f ab7e4612 3e ffbb8 0634ad55 02b3f e483 5a e fc9cdf7 f2bd1dd9 5b3c3780 d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335 0cfdebf0 66f fb109d1 797f2775 eb5cd530 baade822 5c15cc79 ddcb74ed 6dd3c55f d80a9bb1 e3a7cc35 kurz M2‘: 02dd31d1 c4eee6c5 069a3d69 5cf9af98 07b5ca2f ab7e4612 3e ffbb8 0634ad55 02b3f e483 5a41f125 e fc9cdf7 72bd1dd9 5b3c3780 313e82d8 5b8f3456 d4ac6dae c619c936 34e253dd fd03da a0cd48d2 42339fe9 e87e570f 70b654ce 1e0d2880 bc2198c6 9383a8b6 ab65f af76f M1‘: 02dd31d1 c4eee6c5 069a3d69 5cf9af98 07b5ca2f ab7e4612 3e ffbb8 0634ad55 02b3f e483 5a41f125 e fc9cdf7 72bd1dd9 5b3c3780 d11d0b96 9c7b41dc f497d8e4 d555655a 479a7335 0cfdebf0 66f fb109d1 797f2775 eb5cd530 baade822 5c154c79 ddcb74ed 6dd3c55f 580a9bb1 e3a7cc35 Daum - Finding Differential Patterns for the Wang Attack

3
**Daum - Finding Differential Patterns for the Wang Attack**

Motivation Lenstra/Wang/de Weger: colliding (w.r.t. MD5) X.509 certificates Differing part: 42e7b9ca 8726b6c4 24a51ab9 c1056b84 93fb9588 9fa6e965 ff f3b2c 0634ad41 03b4adff 7a844bdf 4f01374d cb8332db a86fd419 b3c665a7 30bf16f0 2e7cff6a 9b b83319 f5e7ab64 c566cfb9 0c79fee4 367d04ee aeb077cc 307f085d 88eb60b5 404d72b3 2d d8 809bbd7d 4ff29e98 a30e2eb8 kurz 42e7b9ca 8726b6c4 24a51ab9 c1056b84 13fb9588 9fa6e965 ff f3b2c 0634ad41 03b4adff 7a844bdf 4f01b74d cb8332db a86fd419 33c665a7 30bf16f0 2e7cff6a 9b b83319 f5e7ab cfb9 0c79fee4 367d04ee aeb077cc 307f085d 88eb60b5 404d72b3 2d65f d8 809bbd7d cff29e98 a30e2eb8 Daum - Finding Differential Patterns for the Wang Attack

4
**Daum - Finding Differential Patterns for the Wang Attack**

Motivation Other actual collisions published (Klima, Lucks/D.) show the same characteristics Reason: Attack applies a special differential pattern with fixed input differences (M0,…,M15) = (0,0,0,0,231,…,§ 215,…,231,0) Considered bytewise these are only differences in the most significant bit May be a problem in certain applications, e.g. when trying to find colliding ASCII texts Possible to use other input difference patterns? kurz Daum - Finding Differential Patterns for the Wang Attack

5
**Daum - Finding Differential Patterns for the Wang Attack**

Wang‘s Attack Daum - Finding Differential Patterns for the Wang Attack

6
**Daum - Finding Differential Patterns for the Wang Attack**

Wang‘s Attack Differential attack with modular differences (i.e. differences with respect to addition modulo 232) Starts from a given/chosen message and modifies its bits to produce a collision Two main parts: Choosing the differential pattern (done by hand) Single-Step and Multi-Step Modifications ? Daum - Finding Differential Patterns for the Wang Attack

7
**Choosing the Differential Pattern**

Not much is known about how Wang actually found this pattern used in all the implementations Wang: „intuitively“ and „by hand“ Some ideas can be reconstructed by looking at what is happening during the attack kurz Daum - Finding Differential Patterns for the Wang Attack

8
**Daum - Finding Differential Patterns for the Wang Attack**

Attack on MD5 attack uses two applications of the compression function with two different but related differential patterns: (0,0,0,0) (231, , , ) (231, , , ) (231, , , ) addition of IV at the end of compression function causes differences to cancel Here: only look at one application of the compression function Daum - Finding Differential Patterns for the Wang Attack

9
**Daum - Finding Differential Patterns for the Wang Attack**

Attack on MD5 Construction of the pattern starts in last rounds design of MD5 allows differential pattern for round 3+4 which leads to a useful near-collision Input differences are chosen such that this difference propagation happens with high probability Look for conditions on register values which make the difference propagation in first two rounds possible W15=-215 W4= 231 W14= 231 W18=-215 W23= 231 W25= 231 W34=-215 W35= 231 W36= 0 W37= 231 W61=-215 W50= 231 W60= 231 Daum - Finding Differential Patterns for the Wang Attack

10
**Daum - Finding Differential Patterns for the Wang Attack**

Step Operation in MD5 Daum - Finding Differential Patterns for the Wang Attack

11
**Structure of the Compression Function**

kurz Message Expansion Daum - Finding Differential Patterns for the Wang Attack

12
**Daum - Finding Differential Patterns for the Wang Attack**

MD5 Message expansion by roundwise permutations of the Mi (four rounds) Step operation: wichtig !!! Daum - Finding Differential Patterns for the Wang Attack

13
**Daum - Finding Differential Patterns for the Wang Attack**

MD5 Step operation: Kt,st: constants Wt: message words f: bitwise defined Boolean function Rt: new content of register changed in step t wichtig !!! Daum - Finding Differential Patterns for the Wang Attack

14
**Daum - Finding Differential Patterns for the Wang Attack**

Step Operation Advantage of considering modular differences: Most operations used in the step operation have a deterministic propagation of modular differences Analyse the other parts: Bit rotations Bitwise defined functions kurz Daum - Finding Differential Patterns for the Wang Attack

15
**Difference Propagation**

Daum - Finding Differential Patterns for the Wang Attack

16
**Daum - Finding Differential Patterns for the Wang Attack**

Various Differences ? bitwise (XOR) differences: modular differences: uniquely determined kurz signed bitwise differences: differences usually low weight: Daum - Finding Differential Patterns for the Wang Attack

17
**Daum - Finding Differential Patterns for the Wang Attack**

Various Differences signed bitwise differences modular differences Special case: kurz Depends on actual value of x: For fixed +x=[k]: Can be generalized to other differences Daum - Finding Differential Patterns for the Wang Attack

18
**Difference Propagation: Bitwise Functions**

? f is applied bitwise -> modular differences are not very useful transform to signed bitwise diff. propagation of signed bitwise differences can be analysed easily kurz Daum - Finding Differential Patterns for the Wang Attack

19
**Difference Propagation: Bitwise Functions**

kurz Daum - Finding Differential Patterns for the Wang Attack

20
**Difference Propagation: Bitwise Functions**

? f is applied bitwise -> modular differences are not very useful transform to signed bitwise diff. propagation of signed bitwise differences can be analysed easily -> possible values for together with corresponding conditions for each of the cases corresponding modular differences are uniquely determined kurz Daum - Finding Differential Patterns for the Wang Attack

21
**Bit Rotation and Modular Addition**

Daum - Finding Differential Patterns for the Wang Attack

22
**Bit Rotation and Modular Addition**

A random, B fixed: Daum - Finding Differential Patterns for the Wang Attack

23
**Difference Propagation: Bit Rotations**

Register R with a fixed difference +R =[t] A=R, B=+R: kurz Applying the Theorem described earlier yields for t<n-s: for t¸n-s: Daum - Finding Differential Patterns for the Wang Attack

24
**Example: Analysis of Difference Propagation**

taken from first round of MD4 kurz Daum - Finding Differential Patterns for the Wang Attack

25
**Automated Searching of such Differential Patterns**

Daum - Finding Differential Patterns for the Wang Attack

26
**Daum - Finding Differential Patterns for the Wang Attack**

Degrees of Freedom Choices when constructing such patterns: (Input differences Wi) Bitwise function: 1-3 choices per nonzero bit kurz Bit 29: Bits 22,25: Bit 31: Daum - Finding Differential Patterns for the Wang Attack

27
**Daum - Finding Differential Patterns for the Wang Attack**

Degrees of Freedom Choices when constructing such patterns: (Input differences Wi) Bitwise function: 1-3 choices per nonzero bit Bit rotation: 4 choices in general (but usually one dominant case) Assumptions on bitwise differences (“expand“ differences) kurz Daum - Finding Differential Patterns for the Wang Attack

28
**Example: Analysis of Difference Propagation**

taken from first round of MD4 kurz Daum - Finding Differential Patterns for the Wang Attack

29
**Daum - Finding Differential Patterns for the Wang Attack**

Degrees of Freedom Choices when constructing such patterns: (Input differences Wi) Bitwise function: 1-3 choices per nonzero bit Bit rotation: 4 choices in general (but usually one dominant case) Assumptions on bitwise differences (“expand“ differences) kurz Daum - Finding Differential Patterns for the Wang Attack

30
**Searching for Differential Patterns**

Idea: build trees of difference patterns Each vertex represents a possible state of differences, e.g. Possible differences resulting after following step are computable Leads to several new vertices -> pruning necessary For the pruning use a cost function depending on the following properties: Probability that this difference state is actually achieved Weights of the differences Distance from the root of the tree kurz Daum - Finding Differential Patterns for the Wang Attack

31
**Finding Useful Patterns**

Additional constraints for useful patterns, e.g. start and end with zero differences Trivial solution: take root with zero differences and add new vertices till a vertex with zero differences is found Build two trees, one goind foreward, one going backward Fix a layer corresponding to some step and look for common vertices Two trees as above, but stop some steps before fixed layer, find connection by solving additional equations Has not been fully tested up to now kurz Daum - Finding Differential Patterns for the Wang Attack

32
**Daum - Finding Differential Patterns for the Wang Attack**

Conclusion Some analysis of background of Wang‘s attack Theoretical basis for analysing the propagation of modular differences Ideas for automatically finding useful difference patterns Daum - Finding Differential Patterns for the Wang Attack

33
**Daum - Finding Differential Patterns for the Wang Attack**

Thank you! Questions??? Daum - Finding Differential Patterns for the Wang Attack

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google