Ruhr University Bochum, Faculty of Mathematics, Information Security and Cryptology: Cryptanalysis of Hash Functions of the MD4-Family. CITS – Cryptology.


Slide 1: Cryptanalysis of Hash Functions of the MD4-Family
Magnus Daum, CITS – Cryptology and Information Security, Faculty of Mathematics, Ruhr University Bochum

Slide 2: Overview
Hash Functions: Properties and Applications
The MD4-Family
–Design Principles
–Historical Overview
Attack Techniques
–Dobbertin's Attacks on MD4, MD5 and RIPEMD
–Improvements of Dobbertin's Methods
–Chabaud/Joux and Biham/Chen Attacks on SHA-0/1
–Wang et al. Attacks on MD4, MD5, HAVAL and RIPEMD
Conclusions

Slide 3: Properties and Applications

Slide 4: What is a Hash Function?
A hash function
–is efficiently computable
–compresses information of arbitrary length to some information of fixed length (a digital fingerprint)
(Figure: a message is fed into the hash function, which outputs the fingerprint.)

Slide 5: Application in Digital Signature Schemes
(Figure: Alice and Bob each compute h of the message; Bob compares the two hash values to decide "Signature okay?".)

Slide 6: Properties of Cryptographic Hash Functions
–preimage resistance: given V, it is infeasible to find M such that h(M) = V
–2nd-preimage resistance: given M, it is infeasible to find M' ≠ M such that h(M') = h(M)
–collision resistance: it is infeasible to find M ≠ M' such that h(M) = h(M')

Slide 7: Application in Digital Signature Schemes
(Figure: Eve holds two contracts, one about 10k and one about 50k, whose hash values under h coincide.)
Eve to Alice: "Alice, please sign this contract!" (the contract about 10k)
Alice: "Okay, I will sign the contract about 10k."
Eve to Bob: "Bob, Alice signed this contract!" (the contract about 50k)
Bob checks h of the 50k contract against the signature: "Signature is okay!" Alice signed the contract about 50k. Collision!

Slide 8: Hash Functions of the MD4 Family

Slide 9: MD4-Family Hash Functions
Hash functions of practical interest:
–Hash functions based on block ciphers: Matyas-Meyer-Oseas, Davies-Meyer, Miyaguchi-Preneel, MDC-2, MDC-4
–Dedicated hash functions: MD4, MD5, RIPEMD-{0,128,160,256,320}, SHA-{0,1,224,256,384,512}, HAVAL, Tiger, Whirlpool

Slide 10: General Structure
Iterated compression functions: collision resistance of the compression function implies collision resistance of the hash function.
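The converse of the statement on this slide is what makes compression-function collisions dangerous: one colliding pair of blocks gives colliding messages for the whole iterated hash, whatever follows the blocks. The Python below is an added illustration, not part of the slides, with a deliberately tiny, constructed 16-bit compression function (toy_compress, toy_hash, pad and find_compression_collision are this example's own names) so that a birthday search finds the compression-function collision in a few hundred tries.

```python
import hashlib
import itertools
import struct

BLOCK = 8    # bytes per message block (toy size)
STATE = 2    # bytes of chaining value: 16 bits, so compression-function collisions are cheap
IV = b"\x00\x00"

def toy_compress(h: bytes, block: bytes) -> bytes:
    """Constructed toy compression function: the first 16 bits of SHA-256(h || block).
    Only here to make the iterated structure visible; a 16-bit state is not secure."""
    return hashlib.sha256(h + block).digest()[:STATE]

def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: append 0x80, zero bytes and the 32-bit message length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((BLOCK - 4 - len(padded)) % BLOCK)
    return padded + struct.pack(">I", len(msg))

def toy_hash(msg: bytes) -> bytes:
    """Iterated hash: the chaining value h is fed through toy_compress block by block."""
    h = IV
    padded = pad(msg)
    for off in range(0, len(padded), BLOCK):
        h = toy_compress(h, padded[off:off + BLOCK])
    return h

def find_compression_collision(h: bytes):
    """Birthday search over counter-derived blocks until two distinct blocks give the same
    chaining value under toy_compress(h, .). About 2^8 tries are expected for a 16-bit state."""
    seen = {}
    for counter in itertools.count():
        block = struct.pack(">Q", counter)        # distinct counters give distinct blocks
        out = toy_compress(h, block)
        if out in seen:
            return seen[out], block
        seen[out] = block

def collision_extends_to_hash(suffix: bytes) -> bool:
    """Two blocks colliding under the compression function (from the IV) give two distinct
    messages colliding under the full hash, whatever common suffix follows them: the chaining
    values agree after the first block and every later block is identical."""
    b1, b2 = find_compression_collision(IV)
    return b1 != b2 and toy_hash(b1 + suffix) == toy_hash(b2 + suffix)

if __name__ == "__main__":
    b1, b2 = find_compression_collision(IV)
    print("colliding blocks:", b1.hex(), b2.hex())
    print("hash(b1 || suffix) == hash(b2 || suffix):", collision_extends_to_hash(b"common suffix"))
```

The suffix can be longer than one block; the padding depends only on the total length, which is the same for both messages.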

Slide 11: Common Structure of the Compression Functions
(Figure: the message expansion feeding the step operations on the registers.)

Slide 12: Different Message Expansions
–MD / RIPEMD: roundwise permutations of the M_i
–SHA: recursive definition, e.g. SHA-1

Slide 13: Step Operation
(Figure: the step operations of SHA-0/1 and of MD5.)
–Only one register is changed per step
–Mixture of different kinds of operations

Slide 14: Overview of the MD4-Family
(Figure: family tree of the functions with the attacks that apply to them.)
–MD4 (Rivest, 90), Ext. MD4 (Rivest, 90)
–MD5 (Rivest, 92)
–RIPEMD-0 (RIPE, 92)
–HAVAL (Zheng, Pieprzyk, Seberry, 93)
–SHA-0 (NIST, 93), SHA-1 (NIST, 95)
–RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320 (Dobbertin, Bosselaers, Preneel, 96)
–SHA-224, SHA-256, SHA-384, SHA-512 (NIST, 02/04)
Attacks: Dobbertin 95/96, Chabaud/Joux 98, Kasselman/Penzhorn 2000, van Rompay/Preneel/??? 2003, Biham/Chen 2004, Joux 2004, Wang/Feng/Lai/Yu 2004

Slide 15: Attack Methods

Slide 16: Collision Attacks
Find M ≠ M' such that h(M) = h(M').
Three different kinds of (successful) attacks:
–Dobbertin (1995/96)
–Chabaud/Joux (1998), Biham/Chen (2004), Joux (2004)
–Wang/Feng/Lai/Yu (2004)
All attacks use some kind of differential pattern:
–input differential → output differential
–modular differentials vs. XOR differentials

Slide 17: Dobbertin's Attack on MD4, MD5, RIPEMD

Slide 18: General Principle
Idea: describe the whole compression function by means of a huge system of equations.
Variables:
–message words
–contents of the registers
Equations:
–step operation
–message expansion
–collision

Slide 19: General Principle
Properties of these systems of equations:
–Strongly underdefined: many degrees of freedom, so one may consider highly specialised cases in order to simplify the system and avoid the avalanche effect
–Equations include many very different kinds of operations, e.g. F_2-linear operations, operations modulo 2^32 and bitwise defined Boolean functions: hard to solve with algebraic means, special methods are needed

Slide 20: Example: Attack on MD5
Try to find a colliding pair of messages.
Message expansion by roundwise permutation in MD5:
–Each M_i is used in exactly four steps of the computation
–Choose in particular a difference of 1 in M_15 and a difference of 0 in all other M_i
The computations for the two messages then differ only in 4 steps.

Slide 21: Attack on MD5
The computations for the two messages run in parallel to each other up to the first appearance of the message word with nonzero difference.
Another special restriction: require inner collisions (further step operations which run in parallel).
(Figure: the steps between the uses of M_15, where all other message words have difference 0.)

Slide 22: Attack on MD5
Main steps in the attack:
–Choose the message difference
–Find 2 inner collisions
–Connect the inner collisions
–Connect the IV and the first inner collision
How to do this? By solving systems of equations.

Slide 23: Setting up the Systems of Equations
By the example of the step operation of SHA-1:
–R_t: new content of the register changed in step t
–K_t: constants
–W_t: message words
–f: bitwise defined Boolean function, f ∈ {MAJ, ITE, XOR}

Slide 24: Setting up the Systems of Equations
Two equations for each step (one for each of the two messages)
Inner collision after step t
Message expansion

Slide 25: Overview: Situation in SHA-1
For the steps with zero difference in W_t: both equations are identical.
The equations in the last part can be ignored completely.

Slide 26: Setting up the Systems of Equations
Simplify the equations for the steps with nonzero difference in W_t by considering differences: elimination of the W_t.

Slide 27: Overview: Systems of Equations for SHA-1

Slide 28: Specialized Algorithms for Solving such Systems of Equations

Slide 29: Specialized Algorithms
Equations include different kinds of operations:
–addition/subtraction modulo 2^n
–bitwise defined functions
–bit rotations / shifts
Two kinds of auxiliary means:
–for transforming the equations
–for determining/representing the set of solutions of such equations

Slide 30: Examples for Transformation

Slide 31: Algorithms for Determining/Representing the Set of Solutions
Naive idea: exhaustive search.
Dobbertin's method from the attack on MD4/MD5:
–Solving from right to left
–Basic idea: solutions for the least significant k bits of the equations are extensions of solutions for the least significant k-1 bits
–Consider the equations bitwise from right to left and try to extend the solutions found so far (tree of solutions)

Slide 32: Algorithms for Determining/Representing the Set of Solutions
(Figure: tree of solutions.)

Slide 33: Algorithms for Determining/Representing the Set of Solutions
Tree of solutions:
–Often possible to stop early: faster than exhaustive search
–For each solution there exists a leaf in the tree: the complexity is directly related to the number of solutions
–Problem: we are mainly interested in equations with many solutions.

Slide 34: Algorithms for Determining/Representing the Set of Solutions
Idea: combine redundant subtrees.
Problem: detect redundancy during the construction of the graph.
Only the carry bit is relevant for the solution of the third bit.
(Figure: tree of solutions with the redundant subtrees marked.)

Slide 35: Algorithms for Determining/Representing the Set of Solutions
Labeling the vertices with the carry bits makes it possible to detect redundancies.
The number of carry bits needed gives an upper bound on the width of the graph of solutions.

Slide 36: Algorithms for Determining/Representing the Set of Solutions

Slide 37: Algorithms for Determining/Representing the Set of Solutions
(Figure: graph of solutions.)

Slide 38: Algorithms for Determining/Representing the Set of Solutions
Graph of solutions:
–Compact representation of the set of solutions
–Can be simplified even more

Slide 39: Algorithms for Determining/Representing the Set of Solutions
Solution graphs are very similar to so-called BDDs (Binary Decision Diagrams).
Further efficient algorithms from the theory of BDDs are derivable:
–further reduction/minimisation of the size
–computing the number of solutions
–combining solution graphs (e.g. intersecting two sets of solutions)

Slide 40: Reduction of the Size
The algorithm gives a graph of minimal size for the represented set.
The size is in general not really predictable:
–Worst case: exponential
–But much smaller in many cases relevant in this context

Slide 41: Computing the Number of Solutions
Counting the ways to reach each of the vertices.
Complexity: linear in the size of the graph.
(Figure: counts at the vertices, e.g. 3 and 3+3; 9 solutions in total.)
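Slides 31 to 41 describe the method in the abstract; the Python below is an added worked example (not code from the slides) for one concrete equation that mixes modular addition and XOR, (x + a) xor x = d over n-bit x. It solves from the least significant bit upwards, labels the vertices of each layer with the carry bit so that partial solutions with the same carry are merged (the tree of solutions becomes the graph of solutions, of width at most 2 here), counts solutions by counting paths, and checks everything against exhaustive search. The general algorithm takes a per-bit step function, so other equations of this kind can be plugged in; all names (make_step, build_solution_graph, count_solutions, solve) are this example's own.

```python
from itertools import product

def maj(a, b, c):
    return (a & b) | (a & c) | (b & c)

def make_step(a, d):
    """Bit i of the equation (x + a) xor x = d (mod 2^n). bits holds the variable bits at
    position i and carry the carry into bit i of the addition. Returns the carry out, or None
    if bit i of the equation cannot hold for this choice of bits."""
    def step(i, bits, carry):
        (x_i,) = bits
        a_i, d_i = (a >> i) & 1, (d >> i) & 1
        s_i = x_i ^ a_i ^ carry              # bit i of x + a
        if s_i ^ x_i != d_i:                 # bit i of (x + a) xor x must equal d_i
            return None
        return maj(x_i, a_i, carry)          # carry out of bit i
    return step

def build_solution_graph(n, step, n_vars=1):
    """Solve from the least significant bit upwards. Layer i has one vertex per carry value;
    an edge labelled with the variable bits at position i leads to the vertex of the carry it
    produces. Merging all partial solutions with the same carry collapses the tree of solutions
    into the graph of solutions, so the width is bounded by the number of carry values."""
    layers = [{0: []}]                       # root: no carry into bit 0
    for i in range(n):
        nxt = {}
        for carry, edges in layers[i].items():
            for bits in product((0, 1), repeat=n_vars):
                new_carry = step(i, bits, carry)
                if new_carry is not None:
                    edges.append((bits, new_carry))
                    nxt.setdefault(new_carry, [])
        layers.append(nxt)
    return layers

def count_solutions(layers):
    """Number of root-to-leaf paths, summed backwards layer by layer: linear in the graph size.
    Vertices without outgoing edges (dead ends of the tree) contribute 0."""
    n = len(layers) - 1
    ways = {carry: 1 for carry in layers[n]}
    for i in range(n - 1, -1, -1):
        ways = {carry: sum(ways[nc] for _, nc in edges) for carry, edges in layers[i].items()}
    return ways[0]

def enumerate_solutions(layers, n_vars=1):
    """Walk every path and rebuild the variable values from the edge labels."""
    n = len(layers) - 1
    sols = []
    def walk(i, carry, vals):
        if i == n:
            sols.append(tuple(vals))
            return
        for bits, new_carry in layers[i][carry]:
            walk(i + 1, new_carry, [v | (b << i) for v, b in zip(vals, bits)])
    walk(0, 0, [0] * n_vars)
    return sorted(sols)

def solve(n, a, d):
    """(number of solutions, width of the solution graph) for (x + a) xor x = d over n-bit x."""
    layers = build_solution_graph(n, make_step(a, d))
    return count_solutions(layers), max(len(layer) for layer in layers)

def brute_force(n, a, d):
    """Exhaustive search, the naive method the graph is compared against."""
    mask = (1 << n) - 1
    return sorted((x,) for x in range(1 << n) if ((x + a) & mask) ^ x == d)

if __name__ == "__main__":
    n, a, d = 8, 0x37, 0x51
    layers = build_solution_graph(n, make_step(a, d))
    print("solutions:", count_solutions(layers), "width:", max(len(l) for l in layers))
    print("matches exhaustive search:", enumerate_solutions(layers) == brute_force(n, a, d))
```

For a = 1 and d = 1 the equation says that adding 1 flips only bit 0, i.e. x is even, and the graph reports 128 solutions for n = 8 with only two vertices per layer, while the tree of solutions would have one leaf per solution.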

Slide 42: Intersection
Complexity: mainly Size(L_1) · Size(L_2)

Slides 43-44: Other Extensions
–Consider more than one variable at once
–Use variables which are not represented explicitly in the graph (allows representing ∃x ...-like statements)
–Consideration of bit rotations by using additional state bits (similar to the carry bits): significantly increases the complexity; can be decreased by fixing some bits (especially those which are rotated over the edge)

Slide 45: Chabaud/Joux Attack on SHA-0

Slide 46: Attack on SHA-0
Chabaud/Joux (Crypto 98): collisions for SHA-0 can be found with complexity 2^61.
Idea:
–Differential attack with XOR-differences
–Linearisation of the compression function

Slide 47: Basic Ideas
Linear parts:
–Differences are propagated deterministically
–Behaviour of differences is predictable, not modifiable
–Usually chosen to cause a strong avalanche effect
Non-linear parts:
–Propagation of differences is not unique but depends on the actual contents of the registers
–Behaviour is more difficult to predict
–Gives freedom to an attacker, e.g. to counteract the avalanche effect

Slide 48: Structure of the Attack
(1) Linearisation of the compression function
(2) Find a differential pattern that leads to a collision for the linearised function
(3) Find actual contents for the registers (from processing one actual message) which fit the differential pattern found before (same differential propagation in the real compression function)

Slide 49: Linearisation of the Compression Function
3 non-linear parts in SHA-0:
–addition modulo 2^32
–the two non-linear bitwise Boolean functions of the step operation (ITE and MAJ; XOR is already linear)
Can all be approximated by bitwise ⊕ (linear).

Slide 50: Elementary Collisions
(Figure: an elementary collision of the linearised step operations.)
Each collision of the complete (linearised) compression function is a linear combination of such elementary collisions.
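The following Python is an added example, not code from the slides, serving slides 12, 13 and 23 (message expansion, step operation, the registers R_t, K_t, W_t and f ∈ {ITE, XOR, MAJ}) as well as slides 49 and 50. It implements the SHA-0/SHA-1 message expansion, the step operation and the feed-forward, checked against hashlib, and a linear=True switch that replaces modular addition and the Boolean functions by XOR (the Chabaud/Joux linearisation). linear_propagation_is_deterministic checks that in the linearised function the output XOR-difference depends only on the input difference, and local_collision_in_linear_model checks the six-word elementary collision (one perturbed bit, corrections in the next five words) in the linear model. The constants are the standard SHA-1 ones; the function names are this example's own.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
K = [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6]                  # standard round constants
IV0 = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]    # standard initial value

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def expand(M, sha0=False):
    """Message expansion: 16 words M_0..M_15 -> 80 words W_0..W_79.
    W_t = W_{t-3} xor W_{t-8} xor W_{t-14} xor W_{t-16}; SHA-1 additionally rotates by one bit."""
    W = list(M)
    for t in range(16, 80):
        w = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]
        W.append(w if sha0 else rotl(w, 1))
    return W

def f(t, b, c, d, linear=False):
    """Bitwise Boolean function of step t: ITE (t<20), XOR (20<=t<40), MAJ (40<=t<60), XOR (t>=60).
    linear=True replaces ITE and MAJ by XOR, as in the Chabaud/Joux linearisation."""
    if linear or 20 <= t < 40 or t >= 60:
        return b ^ c ^ d
    if t < 20:
        return (b & c) | (~b & d)
    return (b & c) | (b & d) | (c & d)

def add(x, y, linear=False):
    """Addition modulo 2^32, or XOR in the linearised model."""
    return x ^ y if linear else (x + y) & MASK

def steps(iv, M, sha0=False, linear=False, nsteps=80):
    """Run nsteps step operations and return the registers (a, b, c, d, e). Only one register
    gets a new value per step, R_t = ROTL5(a) + f(b, c, d) + e + K_t + W_t; the others shift
    along (b gets a, c gets ROTL30(b), d gets c, e gets d)."""
    W = expand(M, sha0)
    a, b, c, d, e = iv
    for t in range(nsteps):
        r = rotl(a, 5)
        for term in (f(t, b, c, d, linear), e, K[t // 20], W[t]):
            r = add(r, term, linear)
        a, b, c, d, e = r, a, rotl(b, 30), c, d
    return [a, b, c, d, e]

def compress(iv, M, sha0=False, linear=False):
    """Compression function: step operations followed by the feed-forward addition of the IV."""
    return [add(x, y, linear) for x, y in zip(iv, steps(iv, M, sha0, linear))]

def sha1(msg: bytes) -> bytes:
    """Full SHA-1 (padding plus iterated compression), used to check the step operation above."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    h = IV0
    for off in range(0, len(padded), 64):
        h = compress(h, struct.unpack(">16L", padded[off:off + 64]))
    return b"".join(struct.pack(">L", x) for x in h)

def matches_hashlib(msg: bytes) -> bool:
    return sha1(msg) == hashlib.sha1(msg).digest()

def linear_propagation_is_deterministic(M1, M2, M3):
    """In the linearised function the output XOR-difference depends only on the input
    XOR-difference: (M1, M2) and (M3, M3 xor M1 xor M2) have the same input difference,
    so they must produce the same register difference."""
    run = lambda M: steps(IV0, M, sha0=True, linear=True)
    M4 = [x ^ y ^ z for x, y, z in zip(M1, M2, M3)]
    diff = lambda u, v: [x ^ y for x, y in zip(u, v)]
    return diff(run(M1), run(M2)) == diff(run(M3), run(M4))

def local_collision_in_linear_model(M, t0=3, j=1, with_corrections=True):
    """Elementary collision of the linearised SHA-0: flipping bit j of W_t0 is cancelled by
    corrections in W_{t0+1..t0+5} at bits j+5, j, j+30, j+30, j+30 (mod 32), one for each
    register the perturbation passes through. t0+5 < 16 keeps all six words message words,
    and the registers are compared after 16 steps, before the expansion reuses them."""
    assert 0 <= t0 and t0 + 5 < 16
    positions = [j, j + 5, j, j + 30, j + 30, j + 30]
    M2 = list(M)
    for k, pos in enumerate(positions[: 6 if with_corrections else 1]):
        M2[t0 + k] ^= 1 << (pos % 32)
    run = lambda msg: steps(IV0, msg, sha0=True, linear=True, nsteps=16)
    return run(M) == run(M2)

if __name__ == "__main__":
    M = [0x0F0F0F0F + i for i in range(16)]        # constructed sample message block
    print("sha1('abc') matches hashlib:", matches_hashlib(b"abc"))
    print("linear model: deterministic propagation:",
          linear_propagation_is_deterministic(M, [1] * 16, [2] * 16))
    print("linear model: six-word local collision:", local_collision_in_linear_model(M))
```

Without the five corrections the perturbation never disappears in the linear model, since each step of the linearised function is an invertible linear map of the registers; with them the difference is gone after six steps for any bit position j, which is exactly the kind of elementary collision the slide refers to.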

Slide 51: Finding a Collision for the Linearised Function
(Figure: M (512 bits) → linear message expansion → W (32R bits) → linearised step operations → contents of the registers (160R bits); collision: last 160 bits = 0.)
–Consider only differences, not messages
–Look for codewords of small Hamming weight (to simplify the last step)

Slide 52: Conditions
Returning to the original (non-linearised) compression function leads to conditions on register values.
–List of conditions for each step in the computation
–Zero differences cause no conditions
–The number of conditions corresponds to the number of nonzero bits in the difference vector found (look for small Hamming weights)

Slide 53: Finding the Actual Collision
Step by step (for k ∈ {1, ..., 15}), choose random values for M_k until a value for M_k is found such that all conditions for step k are fulfilled.
Test random values for M_16 until
–all conditions for steps 16, ..., 80 are fulfilled: collision found!
–some limit on the number of tries is reached: start again with different values for M_1, ..., M_15
Complexity depends mainly on the number of conditions for steps 16, ..., 80.

Slide 54: Biham/Chen: Neutral Bits
Improvement of the Chabaud/Joux attack:
–Find a message that fulfills the conditions up to some step r > 15
–Look for bits of the message that can be changed without changing the differential behaviour up to step r (neutral bits)
–These bits allow producing a large number of messages which fulfill the conditions up to step r automatically

Slide 55: Biham/Chen: Neutral Bits
Improvement of the Chabaud/Joux attack:
–Reduces the number of conditions that have to be fulfilled (only those for steps r+1, ..., 80), which increases the probability of success
–Choose r such that the ratio of the number of producible messages to the increased probability is optimal

Slide 56: Attacks on MD4, MD5, RIPEMD and HAVAL by Wang et al.

Slide 57: Wang et al. Attack
Differential attack with modular differences.
Starts from a given message and modifies some/many of its bits to produce a collision.
Two main parts:
–Choose the differential pattern (done by hand)
–Basic and advanced modifications

Slide 58: Example: Attack on MD4
Input differences chosen to produce an elementary collision in round 3:
Choose ΔM_12 = ΔW_35 = 2^16, ΔM_2 = ΔW_36 = (value missing in the transcript), ΔM_1 = ΔW_40 = 2^31, ΔM_i = 0 for i ∉ {1, 2, 12}

Slide 59: Example: Attack on MD4
–Similar situation as in Dobbertin's attack
–Look for appropriate output differences in rounds 1 and 2
–Now the ΔW_i are also fixed, but there is some freedom in choosing the XOR-differences: which XOR-difference results depends on the actual values of the registers, and this leads to conditions similar to those in the Chabaud/Joux attack

Slide 60: Basic Modifications
Start with an arbitrary message M and compute the register values R_i up to some step k for which one of the conditions for R_k is not fulfilled.
If 0 ≤ k ≤ 15, correct the bit by a basic modification:
–Correct all wrong bits in R_k
–Change the message word M_k accordingly
Step by step, that way all conditions for round 1 (steps 0-15) can be fulfilled.

Slide 61: Advanced Modifications
If k > 15, correct the bit by an advanced modification:
–Find a message bit which can be used to correct the wrong bit in R_k
–Change some (usually five) message words M_i such that as few bits as possible in R_0, ..., R_15 are changed
–E.g. to change R_{16,i} we may change M_{0,i-3}; this can be done by changing R_{0,i}, which also influences M_1, M_2, M_3, M_4
–Check whether the other conditions are still fulfilled

Slide 62: Attack on MD5
The design of MD5 allows a differential pattern for rounds 3+4 which leads to a near-collision.
The attack uses two applications of the compression function with two different but related differential patterns:
(0, 0, 0, 0) → (2^31, , , ) and (2^31, , , ) → (2^31, , , )
The addition of the IV at the end of the compression function causes the differences to cancel.

Slide 63: Wang et al. Attacks
–Similar attacks on RIPEMD-0, HAVAL
–The method allows attacking about 3 rounds in general; more than this depends on special weaknesses:
–MD5: propagation of the 2^31 difference because of the step operation
–RIPEMD: 2 × 3 rounds possible because of the parallelism
–Claim to have an attack on SHA-0 in 2^40, but not yet implemented

Slide 64: Conclusions
Presented methods of attacks on the collision resistance of different hash functions:
–not collision-resistant: MD4, MD5, HAVAL, RIPEMD-0, SHA-0
–seem to be still secure (at least for some time): RIPEMD-{160,256,320}, SHA-{1,224,256,384,512}
Possible to improve or combine techniques?
Attacks on (second) preimage resistance?

Slide 65: Thank you! Questions?