Preimages for Reduced SHA-0 and SHA-1

Christophe De Cannière and Christian Rechberger

ENS and Katholieke Universiteit Leuven; Graz University of Technology

Leiden, 2008

Some properties of hash functions

• Efficient to compute
• One-way
• Collision resistance

One-wayness

[Figure: a hash function drawn as a one-way box from input to output]

Applications:

• Storing a password
• Payment schemes
• derivation
• Commitment schemes
• …

Status of SHA-1 (as of this afternoon)

• Differential collision attacks
  – Wang et al., 2005: 2^69
  – Joux and Peyrin, 2007: claim 2^5 improvement over x
  – Wang et al.: 2^63/2^62, unpublished
  – Mendel, Rechberger, Rijmen: 2^60.x, unpublished (http://boinc.iaik.tugraz.at)

• Preimage Attacks
  – Reuse of collision attacks?
  – Dedicated attacks?

Preimage Attack Strategies

• Collision Differentials (+ Message Modification)
  – Yu/Wang et al., 2005: MD4

• Multi-Near-Collision Differentials
  – Biham/Shamir, 1991: Snefru
  – Dobbertin, 1998: reduced MD4
  – Lamberger et al., 2007: SMASH
  – Leurent, 2008: MD4
  – Mendel et al., 2008: GOST hash

• Correcting Impossible Messages
  – De Cannière/Rechberger, 2008: red. SHA-0 and SHA-1

Outline of MD4-style Hash Functions

[Figure: IV and message m (16 words) enter; Message Expansion produces the expanded message w (48/64/80 words); the state update yields output o (4/5/8 words)]

Message Expansions in the MD4 family

• MD4/5, RIPEMD: Permutation
• SHA-0 / SHA-1: Linear Recurrence
• SHA-2 members: Non-Linear Recurrence

Evolution of the State Updates in the MD4 Family

[Figure: one step of the state update for MD4, SHA-0/SHA-1 and SHA-2 members, showing the rotations (<< s, << 5, >> 2, Σ0, Σ1), the boolean function f, the round constant K, the message word W and the state words A_N, B_N, C_N, D_N, E_N, F_N, G_N, H_N]
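The following Python is an added illustration, not code from the slides: it implements the SHA-0/SHA-1 message expansion as the linear recurrence listed in the table above, computes the error mask E that measures how far an arbitrary word sequence W is from a valid expansion, and shows that the recurrence is invertible, so any 16 consecutive expanded words determine all 80 (the "regular structure" the summary refers to). The sample message is constructed; the function names are mine.

```python
from typing import List

MASK = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def step(w: List[int], t: int, sha1: bool) -> int:
    # One step of the linear recurrence: SHA-1 adds a 1-bit rotation, SHA-0 does not.
    x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
    return rotl(x, 1) if sha1 else x


def expand(m: List[int], rounds: int = 80, sha1: bool = True) -> List[int]:
    """Expand the 16 message words m into `rounds` words W."""
    assert len(m) == 16
    w = list(m)
    for t in range(16, rounds):
        w.append(step(w, t, sha1))
    return w


def error_mask(w: List[int], sha1: bool = True) -> List[int]:
    """E[t] = bits in which W violates the recurrence; a valid expansion gives all zeros."""
    return [0] * 16 + [w[t] ^ step(w, t, sha1) for t in range(16, len(w))]


def recover(window: List[int], start: int, rounds: int = 80, sha1: bool = True) -> List[int]:
    """Rebuild the whole expanded message from the 16 consecutive words W[start..start+15]."""
    assert len(window) == 16 and 0 <= start <= rounds - 16
    w: List[int] = [0] * rounds
    w[start:start + 16] = window
    for t in range(start + 16, rounds):          # forward, exactly as in expand()
        w[t] = step(w, t, sha1)
    for t in range(start + 15, 15, -1):          # backward: solve the recurrence for W[t-16]
        x = rotr(w[t], 1) if sha1 else w[t]
        w[t - 16] = x ^ w[t - 3] ^ w[t - 8] ^ w[t - 14]
    return w


# Constructed sample message words (not taken from the slides).
SAMPLE = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]
```

Because the recurrence is linear and invertible, an attacker-chosen window of expanded words at any position is always consistent with some 16-word message; the error mask shows which later words would have to be corrected when W is not such a window.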

Design Complexity

Inverting SHA-1 compress: Why is it hard?

Inversion problem, reconsidered

• before
• new, but equivalent: W will not be a valid expanded message, E is the error mask

Why could it be easier?

• before
• new: correcting the invalid message

Details of new techniques

Outline

1 Compression Function Attack: Correcting Impossible Messages
  – Basic Technique
  – Complexity
  – Getting Rid of Those Carries

2 From attacks on compress function to hash function
  – Using More Blocks: Birthday
  – Using Even More Blocks: P3Graphs

Basic Technique

[Figures: state words A_i and error words E_i across the rounds, from IV to (h − IV)∗, with the rounds split into an R − 16 part and an R − 5 part; each panel is labelled "expect 2^11 solutions"]

Complexity

[Figure: panels labelled "7" over the A_i/E_i words of the R − 16 and R − 5 parts; total 2^{7·(R−16)} trials]

Getting Rid of Those Carries

[Figures: panels labelled "expect 2^{27−R} solutions", then panels labelled "2" over the R − 16 and R − 5 parts; total 2^{2·(R−16)+5·(R−27)} trials]

Using More Blocks: Birthday

[Figures: partial preimage (R − 16 and R rounds, from IV): 2^{2·(R−16)+5·(R−32)} trials; pseudo preimage (chaining input C, target (h − C)∗): 2^{2·(R−16)+5·(R−32)} trials]

Using Even More Blocks: P3Graphs

[Figures: partial pseudo preimage (chaining input C, R − 16 and R + 5 rounds): 2^{2·(R−16)+5·(R−37)} trials; P3Graph with N nodes and N/4, N/2, N and 2 × N edges; P3Graph method]

Examples of results on reduced SHA-0 and SHA-1

Results on reduced SHA-0 and SHA-1

Preimage attacks on full SHA-1?

                                     Collisions     Collisions     Preimages
                                     before 2005    now            now
#rounds                              53/58          >80            44/45
#freedom                             >200           0              >200
Sensitive to different choices
for rotation constants               yes            no             yes

Discussion/Summary

Two new cryptanalytic techniques

• Correcting invalid messages
  – Inversion problem is larger, but less interconnected
  – Regular structure of SHA-0/SHA-1 helps to divide/conquer the problem

• P3Graphs
  – Random (directed) graphs (introduced in the 1950s) as a useful object
  – Transfer results for compression function to hash function at cost of:
    factor 4 (total), factor 1 (having factor 3 precomputation)
  – Cycles in random graph help with padding problem

Q&A