
Cryptanalysis of Hash Functions of the MD4-Family (CITS – Cryptology and Information Security; Ruhr-Universität Bochum, Fakultät für Mathematik, Informationssicherheit und Kryptologie)




1 Cryptanalysis of Hash Functions of the MD4-Family
Magnus Daum, CITS – Cryptology and Information Security, Faculty of Mathematics, Ruhr University Bochum

2 Overview
Hash Functions: Properties and Applications
The MD4-Family
–Design Principles
–Historical Overview
Attack Techniques
–Dobbertin's Attacks on MD4, MD5 and RIPEMD
Improvements of Dobbertin's Methods
–Chabaud/Joux and Biham/Chen Attacks on SHA-0/1
–Wang et al. Attacks on MD4, MD5, HAVAL and RIPEMD
Conclusions

3 Properties and Applications

4 What is a Hash Function?
A hash function
–is efficiently computable
–compresses information of arbitrary length to some information of fixed length (digital fingerprint)
(Figure: message → hash function → fingerprint)

5 Application in Digital Signature Schemes
(Figure: Alice signs the hash value h of the message; Bob recomputes h, compares the two values and asks "Signature okay?")

6 Properties of Cryptographic Hash Functions
preimage-resistance: given V, finding M such that h(M) = V is infeasible
2nd-preimage-resistance: given M, finding M' ≠ M such that h(M') = h(M) is infeasible
collision-resistance: finding M ≠ M' such that h(M) = h(M') is infeasible

7 Application in Digital Signature Schemes
(Figure: Eve holds two contracts, one about 10k and one about 50k, with the same hash value h.)
Eve to Alice: Alice, please sign this contract! (10k)
Alice: Okay, I will sign the contract about 10k.
Eve to Bob: Bob, Alice signed this contract! (50k)
Bob: Signature is okay! Alice signed the contract about 50k.
Collision!

8 Hash Functions of the MD4 Family

9 MD4-Family Hash Functions
Hash functions of practical interest:
–Hash functions based on block ciphers: Matyas-Meyer-Oseas, Davies-Meyer, Miyaguchi-Preneel, MDC-2, MDC-4
–Dedicated hash functions: MD4, MD5, RIPEMD-{0,128,160,256,320}, SHA-{0,1,224,256,384,512}, HAVAL, Tiger, Whirlpool

10 General Structure: Iterated Compression Functions
Collision-resistance of the compression function implies collision-resistance of the hash function.

11 Common Structure of the Compression Functions
(Figure: message expansion feeding the sequence of step operations)

12 Different Message Expansions
MD / RIPEMD: roundwise permutations of the M_i
SHA: recursive definition, e.g. SHA-1 (formula on the slide is not in the transcript)

13 Step Operation
(Figures: the step operations of SHA-0/1 and of MD5)
Only one register is changed per step; a mixture of different kinds of operations

14 Overview of the MD4-Family
Functions: MD4 (Rivest 90), Ext. MD4 (Rivest 90), RIPEMD-0 (RIPE 92), MD5 (Rivest 92), HAVAL (Zheng, Pieprzyk, Seberry 93), SHA-0 (NIST 93), SHA-1 (NIST 95), RIPEMD-128 / RIPEMD-160 / RIPEMD-256 / RIPEMD-320 (Dobbertin, Bosselaers, Preneel 96), SHA-224 / SHA-256 / SHA-384 / SHA-512 (NIST 02/04)
Attacks: Dobbertin 95/96; Chabaud/Joux 98; Kasselman/Penzhorn 2000; van Rompay/Preneel/??? 2003; Biham/Chen 2004; Joux 2004; Wang/Feng/Lai/Yu 2004

15 Attack Methods

16 Collision Attacks
Find M ≠ M' such that h(M) = h(M')
Three different kinds of (successful) attacks:
–Dobbertin (1995/96)
–Chabaud/Joux (1998), Biham/Chen (2004), Joux (2004)
–Wang/Feng/Lai/Yu (2004)
All attacks use some kind of differential pattern:
–input differential → output differential
–modular differentials or XOR differentials

17 Dobbertin's Attack on MD4, MD5, RIPEMD

18 General Principle
Idea: describe the whole compression function by means of a huge system of equations
Variables:
–message words
–contents of the registers
Equations:
–step operation
–message expansion
–collision

19 General Principle
Properties of these systems of equations:
–Strongly underdefined: many degrees of freedom, so one may consider highly specialised cases in order to simplify the system and avoid the avalanche effect
–The equations include many very different kinds of operations, e.g. F_2-linear operations, operations modulo 2^32 and bitwise defined Boolean functions: hard to solve with algebraic means, special methods are needed

20 Example: Attack on MD5
Try to find a colliding pair of messages (formula on the slide is not in the transcript). Message expansion by roundwise permutation in MD5:
–Each M_i is used in exactly four steps of the computation
–Choose in particular the difference in word 15 to be 1 and the difference in all other words i to be 0
Then the computations for the two messages differ only in 4 steps.

21 Attack on MD5
The two computations run in parallel to each other up to the first appearance of the nonzero difference.
Another special restriction: require inner collisions (further step operations which run in parallel)

22 Attack on MD5
Main steps in the attack:
–Choose the message difference
–Find 2 inner collisions
–Connect the inner collisions
–Connect the IV and the first inner collision
How to do this? By solving systems of equations.

23 Setting up the Systems of Equations
By the example of the step operation of SHA-1:
R_t: new content of the register changed in step t
K_t: constants
W_t: message words
f: bitwise defined Boolean function, f ∈ {MAJ, ITE, XOR}

24 Setting up the Systems of Equations
Two equations for each step: the step operation and the message expansion; in addition, the inner-collision condition after step t (the formulas on the slide are not in the transcript)

25 Overview: Situation in SHA-1
For the steps with zero difference: both equations are identical
Equations in the last part can be ignored completely

26 Setting up the Systems of Equations
Simplify the equations for the steps with nonzero difference by considering differences: elimination of the W_t

27 Overview: Systems of Equations for SHA-1 (figure)

28 Specialized Algorithms for Solving such Systems of Equations

29 Specialized Algorithms
The equations include different kinds of operations:
–addition/subtraction modulo 2^n
–bitwise defined functions
–bit rotations / shifts
Two kinds of auxiliary means:
–for transforming the equations
–for determining/representing the set of solutions of such equations

30 Examples for Transformation (formulas on the slide are not in the transcript)

31 Algorithms for Determining/Representing the Set of Solutions
Naive idea: exhaustive search
Dobbertin's method from the attack on MD4/MD5:
–Solving from right to left
–Basic idea: solutions for the least significant k bits of the equations are extensions of solutions for the least significant k−1 bits
–Consider the equations bitwise from right to left and try to extend the solutions found so far (tree of solutions)

32 Algorithms for Determining/Representing the Set of Solutions (figure: tree of solutions)

33 Algorithms for Determining/Representing the Set of Solutions (tree of solutions)
Often possible to stop early: faster than exhaustive search
For each solution there exists a leaf in the tree: complexity directly related to the number of solutions
Problem: we are mainly interested in equations with many solutions.

34 Algorithms for Determining/Representing the Set of Solutions (tree of solutions)
Idea: combine redundant subtrees
Problem: detect redundancy during the construction of the graph
Only the carry bit is relevant for the solution for the third bit

35 Algorithms for Determining/Representing the Set of Solutions
Labeling the vertices with the carry bits makes it possible to detect redundancies
The number of needed carry bits gives an upper bound on the width of the graph of solutions

36 Algorithms for Determining/Representing the Set of Solutions (figure)

37 Algorithms for Determining/Representing the Set of Solutions (figure: graph of solutions)

38 Algorithms for Determining/Representing the Set of Solutions (graph of solutions)
Compact representation of the set of solutions
Can be simplified even more

39 Algorithms for Determining/Representing the Set of Solutions
Solution graphs are very similar to so-called BDDs (Binary Decision Diagrams)
Further efficient algorithms from the theory of BDDs are derivable:
–further reduction/minimisation of the size
–computing the number of solutions
–combining solution graphs (e.g. intersecting two sets of solutions)

40 Reduction of the Size
The algorithm gives a graph of minimal size for the represented set
The size is in general not really predictable:
–Worst case: exponential
–But much smaller in many cases relevant in this context

41 Computing the Number of Solutions
Counting the ways to reach each of the vertices
Complexity: linear in the size of the graph
(Figure: the counts at the vertices of the example graph add up to 9 solutions)
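The right-to-left solving, carry-bit labelling and path counting of slides 31-41, worked as an added example that is not the slides' own code: it builds a solution graph for one constructed equation mixing modular addition with a bitwise function, bounds the width by the carry state, and checks the count against exhaustive search.

```python
# Added example (not from the slides): a Dobbertin-style solution graph for
# one constructed equation mixing modular addition and a bitwise function:
#     (x + y) XOR (x AND z) == c   (mod 2^n)
# Bits are processed from the least significant upwards; the only state that
# has to be carried between bit positions is the carry of the addition, so
# vertices are (bit position, carry) and redundant subtrees merge by themselves.
from itertools import product


def bit_slice(x, y, z, c, carry):
    """One bit position of the example equation.
    Returns (bit equation satisfied, carry out of the addition x + y)."""
    s = x ^ y ^ carry                       # sum bit of x + y at this position
    carry_out = (x & y) | (carry & (x ^ y))
    return (s ^ (x & z)) == c, carry_out


def build_solution_graph(n, const, n_vars=3, slice_fn=bit_slice):
    """layers[i][carry] = {carry_out: number of bit assignments at position i
    that satisfy the bit equation and produce carry_out}."""
    layers = []
    live = {0}                              # no carry into bit 0
    for i in range(n):
        c_i = (const >> i) & 1
        layer = {}
        for carry in sorted(live):
            edges = {}
            for bits in product((0, 1), repeat=n_vars):
                ok, carry_out = slice_fn(*bits, c_i, carry)
                if ok:
                    edges[carry_out] = edges.get(carry_out, 0) + 1
            layer[carry] = edges
        layers.append(layer)
        live = {co for edges in layer.values() for co in edges}
    return layers


def graph_width(layers):
    """Slide 35: at most one vertex per carry value in every layer."""
    return max(len(layer) for layer in layers)


def count_solutions(layers):
    """Slide 41: count root-to-leaf paths, weighting each edge by its
    multiplicity; linear in the size of the graph."""
    ways = {0: 1}
    for layer in layers:
        nxt = {}
        for carry, k in ways.items():
            for carry_out, mult in layer.get(carry, {}).items():
                nxt[carry_out] = nxt.get(carry_out, 0) + k * mult
        ways = nxt
    return sum(ways.values())               # carry out of the top bit is discarded


def brute_force_count(n, const):
    """Exhaustive search over all 2^(3n) inputs, used to check the graph."""
    mask = (1 << n) - 1
    return sum(1 for x, y, z in product(range(1 << n), repeat=3)
               if (((x + y) & mask) ^ (x & z)) == const)


if __name__ == "__main__":
    g = build_solution_graph(6, 0b101101)
    print(graph_width(g), count_solutions(g), brute_force_count(6, 0b101101))
```

The graph never has more than two vertices per layer even though the number of solutions grows exponentially in n, which is the point of labelling vertices with carry bits instead of keeping the full tree.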

42 Intersection
Complexity: mainly Size(L_1) · Size(L_2)

43 Other Extensions
Consider more than one variable at once
Use variables which are not represented explicitly in the graph (allows representing ∃y ...-like statements)

44 Other Extensions
Consider more than one variable at once
Use variables which are not represented explicitly in the graph (allows representing ∃x ...-like statements)
Consideration of bit rotations by using additional state bits (similar to the carry bits)
–Significantly increases the complexity
–Can be decreased by fixing some bits (especially those which are rotated over the edge)

45 Chabaud/Joux Attack on SHA-0

46 Attack on SHA-0
Chabaud/Joux (Crypto 98): collisions for SHA-0 can be found with complexity 2^61
Idea:
–Differential attack with XOR-differences
–Linearisation of the compression function

47 Basic Ideas
Linear parts:
–Differences are propagated deterministically
–The behaviour of differences is predictable, but not modifiable
–Usually chosen to cause a strong avalanche effect
Non-linear parts:
–The propagation of differences is not unique but depends on the actual contents of the registers
–The behaviour is more difficult to predict
–Gives freedom to an attacker, e.g. to counteract the avalanche effect

48 Structure of the Attack
(1) Linearisation of the compression function
(2) Find a differential pattern that leads to a collision for the linearised function
(3) Find actual contents for the registers (from processing one actual message) which fit the differential pattern found before (→ same differential propagation in the real compression function)

49 Linearisation of the compression function
3 non-linear parts in SHA-0:
–addition modulo 2^32
–(symbol not in transcript)
–(symbol not in transcript)
All of them can be approximated by bitwise ⊕ (linear)

50 Elementary Collisions
(Figure: an elementary collision of the linearised function)
Each collision of the complete (linearised) compression function is a linear combination of such elementary collisions

51 Finding a Collision for the Linearised Function
M (512 bits) → linear message expansion → W (32R bits) → linearised step operations → contents of the registers (160R bits) → collision: last 160 bits = 0
Looking for codewords of small Hamming weight (to simplify the last step)
Consider only differences, not messages

52 Conditions
Returning to the original (non-linearised) compression function leads to conditions on the register values (example on the slide is not in the transcript):
–a list of conditions for each step in the computation
–zero differences cause no conditions
–the number of conditions corresponds to the number of nonzero bits in the found difference vector (→ look for small Hamming weights)

53 Finding the actual collision
Step by step (for steps k ∈ {1,...,15}): choose random values for M_k until a value for M_k is found such that all conditions for step k are fulfilled
Test random values for M_16 until
–all conditions for steps 16,...,80 are fulfilled → collision found!
–some limit on the number of tries is reached → start again with different values for M_1,...,M_15
The complexity depends mainly on the number of conditions for steps 16,...,80

54 Biham/Chen: Neutral Bits
Improvement of the Chabaud/Joux attack:
–Find a message that fulfills the conditions up to some step r > 15
–Look for bits of the message that can be changed without changing the differential behaviour up to step r (neutral bits)
–These bits allow producing a large number of messages which fulfill the conditions up to step r automatically

55 Biham/Chen: Neutral Bits
Improvement of the Chabaud/Joux attack:
–Reduces the number of conditions that have to be fulfilled (only those for steps r+1,...,80) → increases the probability of success
–Choose r such that the ratio of the number of producible messages to the increased probability is optimal

56 Attacks on MD4, MD5, RIPEMD and HAVAL by Wang et al.

57 Wang et al. Attack
Differential attack with modular differences
Starts from a given message and modifies some/many of its bits to produce a collision
Two main parts:
–Choose a differential pattern (done by hand)
–Basic and advanced modifications

58 Example: Attack on MD4
Input differences chosen to produce an elementary collision in round 3:
Choose M_12 = W_35 = 2^16, M_2 = W_36 = (value not in transcript), M_1 = W_40 = 2^31, M_i = 0 for i ∉ {1, 2, 12}

59 Example: Attack on MD4
Similar situation as in Dobbertin's attack: look for appropriate output differences in rounds 1 and 2
Now the W_i are also fixed, but there is some freedom in choosing the XOR-differences (formula on the slide is not in the transcript); these depend on the actual values of the registers and lead to conditions similar to those in the Chabaud/Joux attack

60 Basic Modifications
Start with an arbitrary message M and compute the register values R_i up to some step k for which one of the conditions for R_k is not fulfilled
If 0 ≤ k ≤ 15, correct the bit by a basic modification:
–Correct all wrong bits in R_k
–Change message word M_k accordingly (formula on the slide is not in the transcript)
Step by step, that way all conditions for round 1 (steps 0-15) can be fulfilled
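The basic modification of slide 60, worked for round 1 of MD4 as an added example that is not the slides' own code: because M_k first enters the computation in step k, the step operation can be inverted for M_k, so any set of bit conditions on R_k is met by rewriting one message word while R_0,...,R_{k-1} stay as they were. The message and the conditions in the test are constructed.

```python
# Added example (not from the slides): the "basic modification" of slide 60
# for round 1 of MD4.  In round 1, step k computes
#     R_k = (R_{k-4} + F(R_{k-1}, R_{k-2}, R_{k-3}) + M_k) <<< s_k
# and M_k occurs nowhere earlier, so the step is inverted: force the required
# bits in R_k and recompute M_k; the registers R_0..R_{k-1} are untouched.
MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # MD4 a, b, c, d
S = (3, 7, 11, 19)                                       # round-1 rotation amounts


def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def ror(x, n):
    return rol(x, 32 - n)


def F(x, y, z):
    """MD4 round-1 Boolean function (ITE)."""
    return (x & y) | (~x & z & MASK)


def initial_registers():
    # R_{-4}=a, R_{-3}=d, R_{-2}=c, R_{-1}=b: the order in which round 1 consumes them
    return [IV[0], IV[3], IV[2], IV[1]]


def step(R, m_k, k):
    return rol((R[-4] + F(R[-1], R[-2], R[-3]) + m_k) & MASK, S[k % 4])


def round1_registers(m):
    """R_0..R_15 of MD4 round 1 for the 16 message words m[0..15]."""
    R = initial_registers()
    for k in range(16):
        R.append(step(R, m[k], k))
    return R[4:]


def basic_modification(m, k, conditions):
    """Return a copy of m with M_k changed so that R_k satisfies every
    (bit, value) pair in `conditions`; requires 0 <= k <= 15."""
    R = initial_registers()
    for j in range(k):
        R.append(step(R, m[j], j))
    target = step(R, m[k], k)
    for bit_pos, val in conditions:                  # correct the wrong bits in R_k
        target = target | (1 << bit_pos) if val else target & ~(1 << bit_pos) & MASK
    # invert the step operation for M_k
    new_mk = (ror(target, S[k % 4]) - R[-4] - F(R[-1], R[-2], R[-3])) & MASK
    m2 = list(m)
    m2[k] = new_mk
    return m2


def bit(x, i):
    return (x >> i) & 1
```

Beyond step 15 this inversion is no longer available, because M_k has already influenced R_0,...,R_15; that is what makes the advanced modifications necessary.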

61 Advanced Modifications
If k > 15, correct the bit by an advanced modification:
–Find a message bit which can be used to correct the wrong bit in R_k
–Change some (usually five) message words M_i such that as few bits as possible in R_0,...,R_15 are changed
–E.g. to change R_{16,i} we may change M_{0,i-3}
–This can be done by changing R_{0,i}
–This also influences M_1, M_2, M_3, M_4
–Check whether the other conditions are still fulfilled

62 Attack on MD5
The design of MD5 allows a differential pattern for rounds 3+4 which leads to a near-collision
The attack uses two applications of the compression function with two different but related differential patterns:
(0,0,0,0) → (2^31, , , ) and (2^31, , , ) → (2^31, , , ) (remaining entries not in transcript)
The addition of the IV at the end of the compression function causes the differences to cancel

63 Wang et al. Attacks
Similar attacks on RIPEMD-0, HAVAL
The method allows attacking about 3 rounds in general; more than this depends on special weaknesses:
–MD5: propagation of the 2^31 difference because of the step operation
–RIPEMD: 2 × 3 rounds possible because of the parallelism
Claim to have an attack on SHA-0 in 2^40, but not yet implemented

64 Conclusions
Presented methods of attacks on the collision resistance of different hash functions:
–not collision-resistant: MD4, MD5, HAVAL, RIPEMD-0, SHA-0
–seem to be still secure (at least for some time): RIPEMD-{160,256,320}, SHA-{1,224,256,384,512}
Possible to improve or combine techniques?
Attacks on (second) preimage resistance?

65 Thank you! Questions???




