Presentation is loading. Please wait.

Presentation is loading. Please wait.

MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin."— Presentation transcript:

1 MD4 1 MD4

2 MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin found 1st MD4 collision in 1998 o Clever and efficient attack o Nonlinear equation solving and differential cryptanalysis

3 MD4 3 MD4 Algorithm  Assumes 32-bit words  Little-endian convention o Leftmost byte is low-order (relevant when generating “meaningful” collisions)  Let M be message to hash  Pad M so length is 448 (mod 512) o Single “1” bit followed by “0” bits o At least one bit of padding, at most 512 o Length before padding (64 bits) is appended

4 MD4 4 MD4 Algorithm  After padding message is a multiple of the 512-bit block size o Also a multiple of 32 bit word size  Let N be number of 32-bit words o Then N is a multiple of 16  Message M = (Y 0,Y 1,…,Y N  1 ) o Each Y i is a 32-bit word

5 MD4 5 MD4 Algorithm  For 32-bit words A,B,C, define F(A,B,C) = (A  B)  (  A  C) G(A,B,C) = (A  B)  (A  C)  (B  C) H(A,B,C) = A  B  C where , , ,  are AND, OR, NOT, XOR  Define constants: K 0 = 0x00000000, K 1 = 0x5a827999, K 2 = 0x6ed9eba1  Let W i, i = 0,1,…47 be (permuted) inputs, Y j

6 MD4 6 MD4 Algorithm

7 MD4 7 MD4 Algorithm  Round 0: Steps 0 thru 15, uses F function  Round 1: Steps 16 thru 31, uses G function  Round 2: Steps 32 thru 47, uses H function

8 MD4 8 MD4: One Step  Where

9 MD4 9 Notation  Let MD4 i…j (A,B,C,D,M) be steps i thru j o “Initial value” (A,B,C,D) at step i, message M  Note that MD4 0…47 (IV,M)  h(M) o Due to padding and final transformation  Let f(IV,M) = (Q 44,Q 47,Q 46,Q 45 ) + IV o Where “ + ” is addition mod 2 32, per 32-bit word  Then f is the MD4 compression function

10 MD4 10 MD4 Attack: Outline  Dobbertin’s attack strategy o Specify a differential condition o If holds, some probability of collision o Derive system of nonlinear equations: solution satisfies differential condition o Find efficient method to solve equations o Find enough solutions to yield a collision

11 MD4 11 MD4 Attack: Motivation  Find one-block collision, where M = (X 0,X 1,…,X 15 ), M = (X 0,X 1,…,X 15 )  Difference is subtraction mod 2 32  Blocks differ in only 1 word o Difference in that word is exactly 1  Limits avalanche effect to steps 12 thru 19 o Only 8 of the 48 steps are critical to attack! o System of equations applies to these 8 steps

12 MD4 12 More Notation  Spse (Q j,Q j  1,Q j  2,Q j  3 ) = MD4 0…j (IV,M) and (Q j,Q j  1,Q j  2,Q j  3 ) = MD4 0…j (IV,M)  Define  j = (Q j  Q j, Q j  1  Q j  1, Q j  2  Q j  2, Q j  3  Q j  3 ) where subtraction is modulo 2 32  Let  2 n denote  2 n mod 2 32, for example, 2 25 = 0x02000000 and  2 5 = 0xffffffe0

13 MD4 13 MD4 Attack  All arithmetic is modulo 2 32  Denote M = (X 0,X 1,…,X 15 )  Define M by X i = X i for i  12 and X 12 = X 12 + 1  Word X 12 last appears in step 35  So, if  35 = (0,0,0,0) we have a collision  Goal is to find pair M and M with  35 = 0

14 MD4 14 MD4 Attack  Analyze attack in three phases 1.Show:  19 = (2 25,  2 5,0,0) implies probability at least 1/2 30 that the  35 condition holds o Uses differential cryptanalysis 2.“Backup” to step 12: We can start at step 12 and have  19 condition hold o By solving system of nonlinear equations 3.“Backup” to step 0: Find collision

15 MD4 15 MD4 Attack  In each phase of attack, some words of M are determined  When completed, have M and M o Where M  M but h(M) = h(M)  Equation solving step is tricky part o Nonlinear system of equations o Must be able to solve efficiently

16 MD4 16 Steps 19 to 35  Differential phase of the attack  Suppose M and M as given above o Only differ in word 12  Assume that  19 = (2 25,  2 5,0,0) o And G(Q 19,Q 18,Q 17 ) = G(Q 19,Q 18,Q 17 )  Then we compute probabilities of “  ” conditions at steps 19 thru 35

17 MD4 17 Steps 19 to 35  Differential and probabilities

18 MD4 18 Steps 19 thru 35  For example, consider  35  Spse j = 34 holds: Then  34 = (0,0,0,1) and  Implies  35 = (0,0,0,0) with probability 1 o As summarized in j = 35 row of table

19 MD4 19 Steps 12 to 19  Analyze steps 12 to 19, find conditions that ensure  19 = (2 25,  2 5,0,0) o And G(Q 19,Q 18,Q 17 ) = G(Q 19,Q 18,Q 17 ), as required in differential phase  Step 12 to 19—equation solving phase  This is most complex part of attack o Last phase, steps 0 to 11, is easy

20 MD4 20 Steps 12 to 19  Info for steps 12 to 19 given here  If i = 0, function F, if i = 1, function G

21 MD4 21 Steps 12 to 19  To apply differential phase, must have  19 = (2 25,  2 5,0,0) which states that Q 19 = Q 19 + 2 25 Q 18 + 2 5 = Q 18 Q 17 = Q 17 Q 16 = Q 16  Derive equations for steps 12 to 19…

22 MD4 22 Step 12  At step 12 we have Q 12 = (Q 8 + F(Q 11,Q 10,Q 9 ) + X 12 ) <<< 3  Since X 12 = X 12 + 1 and (Q 8,Q 9,Q 10,Q 11 ) = (Q 8,Q 9,Q 10,Q 11 ) it follows that (Q 12 <<< 29)  (Q 12 <<< 29) = 1

23 MD4 23 Steps 12 to 19  Similar analysis for remaining steps yields system of equations:

24 MD4 24 Steps 12 to 19  To solve this system must find so that all equations hold  Given such a solution, we determine X j for j = 13,14,15,0,4,8,12 so that we begin at step 12 and arrive at step 19 with  19 condition satisfied

25 MD4 25 Steps 12 to 19  This phase reduces to solving (nonlinear) system of equations  Can manipulate the equations so that o Choose (Q 14,Q 15,Q 16,Q 17,Q 18,Q 19 ) arbitrary o Which determines (Q 10,Q 13,Q 13,Q 14,Q 15 ) o See textbook for details  Result is 3 equations must be satisfied (next slide)

26 MD4 26 Steps 12 to 19  Three conditions must be satisfied:  First 2 are “check” equations o Third is “admissible” condition  Naïve algorithm: choose six Q j, yields five Q j,Q j until 3 equations satisfied  How much work is this?

27 MD4 27 Continuous Approximation  Each equation holds with prob 1/2 32  Appears that 2 96 iterations required o Since three 32-bit check equations o Birthday attack on MD4 is only 2 64 work!  Dobbertin has a clever solution o A “continuous approximation” o Small changes, converge to a solution

28 MD4 28 Continuous Approximation  Generate random Q i values until first check equation is satisfied, then o Random one-bit modifications to Q i o Save if 1st check equation still holds and 2nd check equation is “closer” to holding o Else try different random modifications  Modifications converge to solution o Then 2 check equations satisfied o Repeat until admissible condition holds

29 MD4 29 Continuous Approximation  For complete details, see textbook  Why does continuous approx work? o Small change to arguments of F (or G ) yield small change in function value  What is the work factor? o Not easy to determine analytically o Easy to determine empirically (homework) o Efficient, and only once per collision

30 MD4 30 Steps 0 to 11  At this point, we have (Q 8,Q 9,Q 10,Q 11 ) and MD4 12…47 (Q 8,Q 9,Q 10,Q 11,X) = MD4 12…47 (Q 8,Q 9,Q 10,Q 11,X)  To finish, we must have MD4 0…11 (IV,X) = MD4 0…11 (IV,X) = (Q 8,Q 9,Q 10,Q 11 )  Recall, X 12 is only difference between M, M  Also, X 12 first appears in step 12  Have already found X j for j = 0,4,8,12,13,14,15  Free to choose X j for j = 1,2,3,5,6,7,9,10,11 so that MD4 0…11 equation holds — very easy!

31 MD4 31 All Together Now  Attack proceeds as follows… 1.Steps 12 to 19: Find (Q 8,Q 9,Q 10,Q 11 ) and X j for j = 0,4,8,12,13,14,15 2.Steps 0 to 11: Find X j for remaining j 3.Steps 19 to 35: Check  35 = (0,0,0,0) o If so, have found a collision! o If not, goto 2.

32 MD4 32 Meaningful Collision  MD4 collisions exist where M and M have meaning o Attack is so efficient, possible to find meaningful collisions  Let “  ” represent a “random” byte o Inserted for “security” purposes  Can find collisions on next slide…

33 MD4 33 Meaningful Collision  Different contracts, same hash value

34 MD4 34 MD4 Conclusions  MD4 weaknesses exposed early o Never widely used  But took long time to find a collision  Dobbertin’s attack o Clever equation solving phase o Only need to solve equations once/collision o Also includes differential phase  Next, MD5…

Download ppt "MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin."

Similar presentations

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.
Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
The Hash Function “Fugue” Shai Halevi William E. Hall Charanjit S. Jutla IBM T. J. Watson Research Center.

The Hash Function “Fugue” Shai Halevi William E. Hall Charanjit S. Jutla IBM T. J. Watson Research Center.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice.

MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.

MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.
MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.

MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.
MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.

MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.
MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.

MD5 Generation Auto-Generated Slides To Visualize MD5 Hash Generation by Chris Fremgen.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.

PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,

Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.

Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
FEAL FEAL 1.

FEAL FEAL 1.
Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.

Hashes and Message Digest Hash is also called message digest One-way function: d=h(m) but no h’(d)=m –Cannot find the message given a digest Cannot find.

Similar presentations

Ads by Google