# Applications of SAT Solvers to Cryptanalysis of Hash Functions


Ilya Mironov and Lintao Zhang, Microsoft Research, Silicon Valley Campus

## Overview

- Crash course on hash functions
- Collision-finding attacks (Wang et al. '05)
- Automation via SAT solvers

## Hash functions

H: {0,1}* → {0,1}^n

## Cryptographic hash functions

Several important properties. Collision-resistance: it must be hard to find x ≠ y with H(x) = H(y).

## Birthday paradox

Finding a collision takes about √|S| = 2^(n/2) evaluations of H, where S is the set of n-bit outputs (|S| = 2^n).

## Security level

Hash output size versus the security level it buys (a collision costs 2^(n/2) operations):

- 128 bits: insecure (2^64 operations)
- 160 bits: medium-term (2^80)
- Long-term (~20 years): 2^128
- Paranoid:
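As an added example (not part of the talk), the following script runs a birthday search against SHA-256 truncated to n bits, which stands in for an n-bit hash, and compares the number of hashes needed with the √(π/2 · 2^n) ≈ 2^(n/2) figure from the two slides above. The message format, the truncation and the function names are this example's own choices.

```python
import hashlib
import math

# Added example (not from the talk): birthday search on an n-bit truncation of
# SHA-256, to show the 2^(n/2) collision cost from the birthday-paradox slide.

def truncated_digest(msg, n_bits):
    """Top n_bits of SHA-256(msg) as an integer: a stand-in for an n-bit hash."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - n_bits)

def birthday_collision(n_bits):
    """Hash distinct messages until two share a truncated digest.
    Returns the colliding pair, the shared digest and the number of hashes used."""
    seen = {}                                  # digest -> first message that produced it
    trials = 0
    while True:
        msg = b"msg-%d" % trials               # constructed, pairwise distinct messages
        digest = truncated_digest(msg, n_bits)
        trials += 1
        if digest in seen:
            return {"m1": seen[digest], "m2": msg, "digest": digest, "trials": trials}
        seen[digest] = msg

def expected_trials(n_bits):
    """Mean number of hashes before the first collision: sqrt(pi/2 * 2^n), i.e. ~2^(n/2)."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)

if __name__ == "__main__":
    for n in (16, 24, 32):
        r = birthday_collision(n)
        print(f"{n}-bit output: collision after {r['trials']} hashes "
              f"(expected about {expected_trials(n):.0f}); "
              f"{r['m1']!r} and {r['m2']!r} share 0x{r['digest']:x}")
```

Each doubling of the output size roughly doubles the cost only by a factor of √2 per bit, which is why the table rates a 128-bit output (2^64 work) as insecure while a 256-bit output (2^128 work) is long-term safe; the script's memory grows with the number of stored digests, which is why real birthday attacks use memoryless cycle-finding instead of a dictionary.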

## Short history of hash functions

- 1990 Ron Rivest: MD4 (128-bit output)
- 1992 Ron Rivest: MD5 (128-bit output)
- 1993 NIST: SHA (Secure Hash Algorithm, 160 bits)
- 1995 NIST: Oops! SHA1
- 2003 NIST: SHA-256, SHA-384, SHA-512

[Timeline figure, 1990 to 2006: MD4 (1990), MD5 (1992), SHA0 (1993), SHA1 (1995), SHA-256/384/512 (2003); annotations at the 2004 to 2006 end: "MD4 is broken", "theoretical attack on SHA0", "MD5, SHA0 broken, theoretical attack on SHA1".]

## MD4 and MD5's structure

Basic building block: the compression function. It takes a 512-bit message block and a 128-bit chaining value, runs 48 rounds, and outputs 128 bits.

## Compression function's building block

- Message block M: 512 bits = 16 × 32-bit words M_0, …, M_15.
- Message schedule w: rounds 0-15 use M_0, M_1, …, M_15 in order; rounds 16-31 use the order 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15; rounds 32-47 (labelled "31-48" on the slide) use the order 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15.
- State: 128 bits = 4 × 32-bit words (a, b, c, d).

## One round

## Internal variables

M = (M_0, M_1, …, M_15) → (w_0, w_1, …, w_47); initial state (a_0, b_0, c_0, d_0).

## Finding a collision [Wang et al. '05]

Goal: find M, M' such that H(M) = H(M').

1. Select the message difference: M' = M + ΔM
2. Select the differential path: b_i' = b_i + Δb_i
3. Find sufficient conditions
4. Make them happen!

## Disturbance vector ΔM

[Figure: the message-word schedule of the three rounds (word orders 0…15; 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15; 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15) feeding registers a, b, c, d, with the disturbance ΔM laid over it.]

## Differential path

M, (a_0, b_0, c_0, d_0) → b_1 → b_2 → … → b_48
M', (a_0, b_0, c_0, d_0) → b_1' → b_2' → …

## Sufficient conditions

One step: (a_i, b_i, c_i, d_i) → (d_i, (a_i + f_i(b_i, c_i, d_i) + w_i + K_i) <<< s_i, b_i, c_i) = (a_{i+1}, b_{i+1}, c_{i+1}, d_{i+1})

Example: if f_i = MAJ and s_i = 3 and b_{2,0} = 0 and c_{2,0} = 0, then for b_{2,3} = 0 it is sufficient that lsb(b_1) = 0 and lsb(c_1) = 0.
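The following block is an added example, not code from the talk: MD4's compression function written in exactly the rotating-register form of the step above, (a_i, b_i, c_i, d_i) → (d_i, (a_i + f_i + w_i + K_i) <<< s_i, b_i, c_i), with the three message-word orders from the building-block slide, following RFC 1320. `b_trace` returns the b_1 … b_48 sequence that a differential path is written over, and `first_differing_step` shows where a difference injected into one message word first surfaces. Function names are this example's own.

```python
import struct

# Added example (not the talk's code): MD4 in the slide's rotating-register form,
# per RFC 1320, plus the b_i trace that differential paths are built on.

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def F(x, y, z): return (x & y) | (~x & z)           # rounds 0-15: choose
def G(x, y, z): return (x & y) | (x & z) | (y & z)  # rounds 16-31: MAJ
def H(x, y, z): return x ^ y ^ z                    # rounds 32-47: XOR

# Message schedule w_i = M[SCHEDULE[i]]: the three 16-word orders of the slide.
SCHEDULE = (list(range(16))
            + [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
            + [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
SHIFTS = [3, 7, 11, 19] * 4 + [3, 5, 9, 13] * 4 + [3, 9, 11, 15] * 4   # s_i
ROUND_F = [F] * 16 + [G] * 16 + [H] * 16                               # f_i
ROUND_K = [0] * 16 + [0x5A827999] * 16 + [0x6ED9EBA1] * 16             # K_i

def step(state, i, M):
    """Step i: only the new b is freshly computed; a, c, d are shifted along."""
    a, b, c, d = state
    t = (a + ROUND_F[i](b, c, d) + M[SCHEDULE[i]] + ROUND_K[i]) & MASK
    return (d, rotl(t, SHIFTS[i]), b, c)

def b_trace(block):
    """b_1 .. b_48 for one 64-byte block started from the fixed IV."""
    M = struct.unpack('<16I', block)
    state, trace = IV, []
    for i in range(48):
        state = step(state, i, M)
        trace.append(state[1])
    return trace

def compress(state, block):
    M = struct.unpack('<16I', block)
    s = state
    for i in range(48):
        s = step(s, i, M)
    return tuple((x + y) & MASK for x, y in zip(state, s))   # feed-forward

def md4(msg):
    """Full MD4: pad with 0x80, zeros, and the 64-bit little-endian bit length."""
    bit_len = len(msg) * 8
    msg += b'\x80' + b'\x00' * ((55 - len(msg)) % 64) + struct.pack('<Q', bit_len)
    state = IV
    for off in range(0, len(msg), 64):
        state = compress(state, msg[off:off + 64])
    return struct.pack('<4I', *state).hex()

def first_differing_step(block, block2):
    """Index of the first step whose b value differs between two blocks, else None."""
    for i, (x, y) in enumerate(zip(b_trace(block), b_trace(block2))):
        if x != y:
            return i
    return None

if __name__ == "__main__":
    print(md4(b"abc"))                       # RFC 1320 test vector
    blk = bytes(range(64))                   # constructed sample block
    blk2 = blk[:60] + bytes([blk[60] ^ 1]) + blk[61:]   # flip lsb of word M_15
    print("difference in M_15 first reaches b at step", first_differing_step(blk, blk2))
```

A difference placed in word M_15 cannot show up before step 15, because the first round consumes the words in order; the later rounds reuse each word at the positions given by the schedule, which is what makes the choice of ΔM (the disturbance vector) and the path of Δb_i through the 48 steps the whole game.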

## Sufficient conditions [Wang et al.]

Number of conditions:

- MD4: 122
- MD5: first block 294, second block 309
- SHA0: 260

## Message modification technique

[Figure: the message-word schedule of the three rounds (same word orders as on the building-block slide) feeding registers a, b, c, d.]

## Probabilistic method

Conditions satisfied with probability 50%*:

- MD4: < 8
- MD5: first block 37, second block 30
- SHA0: 42
- SHA1: 70

[Figure: the message-word schedule of the three rounds, as above.]

\* In the original papers (better attacks are currently known).

## SAT solvers!

Goal: find M, M' such that H(M) = H(M').

1. Select the message difference: M' = M + ΔM
2. Select the differential path: b_i' = b_i + Δb_i
3. Find sufficient conditions
4. Message modifications

## MD4

53K variables, 221K clauses. Success! SatELiteGTI, < 500 sec.

M  = 0xe1c08802 d f3fdc66f df b5c048 06c516c5 b632403a 88e2fdd f8005 3f b fad83a 01d f200a8 94ab dd7d
collides with
M' = 0xe1c fdc66f df b5c048 06c516c5 b632403a 88e2fdd f8005 3f b fad83a 01d f200a8 94ab dd7d
(values as transcribed; some hex digits are missing from both)
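The "SAT solvers!" slide replaces step 4 with a solver: the hash is turned into a CNF formula over the bits of M and M' and the solver is asked for H(M) = H(M') with M ≠ M'. The block below is an added example, not the talk's code or its 53K-variable MD4 encoding: it Tseitin-encodes a constructed 4-bit toy hash built from the same primitives (MAJ, modular addition, rotation, XOR, two MD4-style steps) and finds a collision with a minimal DPLL solver. The toy hash, its constants and the solver are this example's assumptions; one `toy_hash` routine both builds the circuit (over `Cnf`) and evaluates it (over `Concrete`), so the answer can be checked independently of the encoding.

```python
# Added example (not the talk's code): encode H(M) = H(M'), M != M' as CNF for a
# constructed toy hash and solve it with a tiny DPLL, as the SAT-solvers slide does
# for MD4 at full scale.

class Cnf:
    """Tseitin encoder: each gate output is a fresh variable, each gate a few clauses."""
    def __init__(self):
        self.n, self.clauses = 0, []
        self.true = self.var()
        self.clauses.append([self.true])       # variable forced to 1, used for constants
    def var(self):
        self.n += 1
        return self.n
    def const(self, bit):
        return self.true if bit else -self.true
    def and_(self, x, y):
        z = self.var(); self.clauses += [[-x, -y, z], [x, -z], [y, -z]]; return z
    def or_(self, x, y):
        z = self.var(); self.clauses += [[x, y, -z], [-x, z], [-y, z]]; return z
    def xor(self, x, y):
        z = self.var(); self.clauses += [[-x, -y, -z], [x, y, -z], [x, -y, z], [-x, y, z]]; return z

class Concrete:
    """Same gate interface over plain booleans, used to check the solver's answer."""
    def const(self, bit): return bool(bit)
    def and_(self, x, y): return x and y
    def or_(self, x, y): return x or y
    def xor(self, x, y): return x != y

WORD = 4                              # toy word size in bits (constructed)
SHIFTS, CONSTS = (1, 3), (0x3, 0xC)   # per-step s_i and K_i (constructed)

def to_bits(be, value, n):            # LSB-first bit vector over backend `be`
    return [be.const((value >> i) & 1) for i in range(n)]

def maj(be, x, y, z):                 # bitwise MAJ, the f_i of MD4's middle round
    return [be.or_(be.and_(a, b), be.and_(c, be.or_(a, b))) for a, b, c in zip(x, y, z)]

def add(be, x, y):                    # ripple-carry addition mod 2^WORD
    out, carry = [], be.const(0)
    for a, b in zip(x, y):
        out.append(be.xor(be.xor(a, b), carry))
        carry = be.or_(be.and_(a, b), be.and_(carry, be.or_(a, b)))
    return out

def rotl(x, s):                       # rotate an LSB-first bit vector left by s
    return x[-s:] + x[:-s]

def toy_hash(be, m_bits):
    """Two steps b_{i+1} = (a_i + MAJ(b_i, w_i, K_i) + w_i) <<< s_i on registers (a, b),
    output a XOR b. Input is 2*WORD bits, output WORD bits, so collisions exist."""
    a, b = to_bits(be, 0x5, WORD), to_bits(be, 0xA, WORD)
    for i in range(2):
        w = m_bits[i * WORD:(i + 1) * WORD]
        k = to_bits(be, CONSTS[i], WORD)
        t = rotl(add(be, add(be, a, maj(be, b, w, k)), w), SHIFTS[i])
        a, b = b, t
    return [be.xor(p, q) for p, q in zip(a, b)]

def toy_hash_int(m):
    bits = toy_hash(Concrete(), to_bits(Concrete(), m, 2 * WORD))
    return sum(bit << i for i, bit in enumerate(bits))

def unit_propagate(clauses, assign):
    """Satisfy unit clauses until fixpoint; False when some clause is falsified."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            free, n_free, satisfied = None, 0, False
            for lit in clause:
                val = assign[abs(lit)]
                if val is None:
                    free, n_free = lit, n_free + 1
                elif val == (lit > 0):
                    satisfied = True
                    break
            if satisfied:
                continue
            if n_free == 0:
                return False
            if n_free == 1:
                assign[abs(free)] = free > 0
                changed = True
    return True

def dpll(clauses, assign):
    """Plain DPLL: propagate, then branch on the lowest-numbered free variable."""
    assign = list(assign)
    if not unit_propagate(clauses, assign):
        return None
    try:
        v = assign.index(None, 1)
    except ValueError:
        return assign                 # all variables set and every clause satisfied
    for val in (False, True):
        assign[v] = val
        model = dpll(clauses, assign)
        if model is not None:
            return model
    return None

def find_collision():
    """Encode H(M) = H(M') and M != M', solve, and decode the two messages."""
    cnf = Cnf()
    m = [cnf.var() for _ in range(2 * WORD)]
    m2 = [cnf.var() for _ in range(2 * WORD)]
    h, h2 = toy_hash(cnf, m), toy_hash(cnf, m2)
    for x, y in zip(h, h2):                                   # output bits pairwise equal
        cnf.clauses += [[-x, y], [x, -y]]
    cnf.clauses.append([cnf.xor(x, y) for x, y in zip(m, m2)])  # some input bit differs
    model = dpll(cnf.clauses, [False] + [None] * cnf.n)
    decode = lambda bits: sum(model[v] << i for i, v in enumerate(bits))
    return decode(m), decode(m2), cnf.n, len(cnf.clauses)

if __name__ == "__main__":
    m, m2, nvars, nclauses = find_collision()
    print(f"{nvars} variables, {nclauses} clauses: "
          f"H({m:#04x}) = H({m2:#04x}) = {toy_hash_int(m):#x}")
```

The encoding is the "no truncation" case the open-problems slide asks for: the whole hash is in the formula. Scaling the same construction to 48 steps of 32-bit words is what produces formulas of the 53K-variable, 221K-clause size reported for MD4, and the adder and MAJ gates are exactly the XOR-heavy structure that general-purpose CNF solvers handle poorly.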

## MD5

Hmm… Truncated MD5?

Pipeline: truncated MD5 → CNF formula → SAT solver → filter → solution

## Probabilistic method

[Figure: nested sets, from outer to inner: all messages, reduced-round solutions, full solutions.]

## Where to truncate?

~100 hours per full solution

## Collision in MD5

M  = 0x d685de69 e985b795 b4320c10 cd c014ca29 850b7d6d ad afd0 aa480edf e4fc0320 7bb68ed1 3b505ddf 5e5d5df6 b539a48d fcb488ff adf d9fda4 d72a8fdc a887f4ca eec4f800 b75f8b20 7f1e9b51 9ab427cc 45c236f1 73f20086 e000005a 3b6550cc b6cc1c59 0fe9f71a a
collides with
M' = 0x d685de69 e985b c10 cd c014ca29 850b7d6d ad afd0 aa480edf e4fc0320 7bb68ed1 3b505ddf de5d5df6 b539a48d fcb488ff adf d9fda4 d72a8fdc a887f4ca eec4f800 b75f8b20 7f1e9b51 9ab427cc 45c236f1 73f20086 dfff805a 3b6550cc b6cc1c59 0fe9f71a a
(values as transcribed; some hex digits are missing from both)

## Open problems

Cryptographic:

- Break SHA-1
- Automate the entire attack
- Other primitives

SAT-solving community:

- No truncation!
- SAT solvers optimized for cryptographic applications: XOR, multiplication, table look-ups, intuition

## Conclusion

- First serious SAT-solver-aided cryptanalytic effort
- Several entries into SAT Race '06
- New applications and challenges
