Efficient Hash Collision Search Strategies on Special-Purpose Hardware

Sven Schäge
20.12.2006
Diploma thesis (Diplomarbeit)
Ruhr-Universität Bochum
Lehrstuhl für Kommunikationssicherheit (Chair for Communication Security)
Prof. Dr.-Ing. Christof Paar

Statutory Declaration

I hereby declare in lieu of an oath that I carried out this diploma thesis independently. The sources and aids used are listed at the end of the thesis.

Sven Schäge

Contents

1 Introduction
2 Hash Functions
    2.1 Introduction
    2.2 Definitions
3 Hash Function Design
    3.1 Introduction
    3.2 MD Strengthening
    3.3 MD Construction
    3.4 Design of Compression Functions
        3.4.1 The MD4 Family
        3.4.2 Hash Functions of the MD4-Family
4 Application of Cryptographic Hash Functions: Digital Signatures
    4.1 Introduction
    4.2 Overview
    4.3 Digital Signature Schemes
    4.4 Digital Signature Schemes with Appendix
    4.5 Weak Hash Functions and Digital Signature Schemes
        4.5.1 Preimage Resistance
        4.5.2 Collision Resistance
    4.6 Poisoned Message Attack
        4.6.1 Basic Attack
        4.6.2 Extensions
5 Attacks on Cryptographic Hash Functions
    5.1 Generic Attacks
        5.1.1 Introduction
        5.1.2 Birthday Collision
    5.2 Specific Attacks
    5.3 Differential Attacks
        5.3.1 Introduction
        5.3.2 Differences and Difference Pattern
        5.3.3 Differential Attacks on MD4-family Hash Functions
        5.3.4 Finding Difference Patterns
        5.3.5 Concrete Message Search and Acceleration Techniques
6 Collision Search Algorithm
    6.1 Introduction
    6.2 Algorithm Structure
        6.2.1 Introduction
        6.2.2 Logical Structure
    6.3 Performance
7 Requirements for Collision Generators
    7.1 Hash Function vs. Collision Search Algorithm
        7.1.1 Introduction
        7.1.2 Reverse Step Operation
        7.1.3 For-Loops, Tunnels and the Need for Resource Re-Use
        7.1.4 Bit Conditions and Tunnel Variations
        7.1.5 Pseudo-Random Number Generator
        7.1.6 Summary
    7.2 Requirements for Target Hardware
        7.2.1 32-bit Data Units
        7.2.2 Regularity of Collision Search Algorithm
    7.3 Hardware Acceleration Techniques
        7.3.1 Pipelining
        7.3.2 Parallel Execution
    7.4 Choice for Microprocessor Design
    7.5 Final Design Requirements
        7.5.1 Metric for Performance and Price Model
        7.5.2 Standard PCs
        7.5.3 Minimal Microprocessor
        7.5.4 Definition of Time T
8 Circuit Design
    8.1 Introduction
    8.2 Development Process
    8.3 Microprocessor Design
        8.3.1 Design Principle: RISC or CISC
        8.3.2 Acceleration Techniques
        8.3.3 Size and Frequency
        8.3.4 Addressing Modes
        8.3.5 Input and Output Pins
        8.3.6 Hardware Stack and Function Calls
        8.3.7 Function Parameterization
        8.3.8 Instruction Format and Interpretation of Address Field
        8.3.9 Execution State
        8.3.10 Instruction Set
        8.3.11 Processor Structure
    8.4 Collision Search Unit
        8.4.1 Introduction
        8.4.2 Input and Output Pins
        8.4.3 Communication Protocol
        8.4.4 I/O Control
        8.4.5 Structure
        8.4.6 Address Space
    8.5 Parallelization
        8.5.1 Introduction
        8.5.2 Count Unit (CNT)
        8.5.3 Protocol
9 Analysis Results
    9.1 Introduction
    9.2 Area Analysis
    9.3 Timing Analysis
        9.3.1 Introduction
        9.3.2 Frequency
        9.3.3 Cycles per Collision
    9.4 Performance Results
    9.5 Parallelization
    9.6 Estimations for SHA-1
10 Discussion
    10.1 Summary
    10.2 Outlook
A Bibliography

List of Figures

3.1 The inner structure of a MD4-family hash function
3.2 The inner structure of a MD4-family compression function
3.3 The step function of MD5
3.4 The step function of SHA-1
7.1 Linear feedback shift register
7.2 Implementation in a single hardware unit
7.3 Pipelined implementation with four stages
8.1 Microprocessor: overview
8.2 Instruction format
8.3 Default implementation of RL1
8.4 Default implementation of NOT
8.5 Default implementation of RET
8.6 Inner structure of processor
8.7 Collision generator: overview
8.8 LFSR with full period
8.9 Structure of collision generator
8.10 A single CNT unit
8.11 Parallelized application of collision search unit
9.1 Costs for equipment to find a MD5 collision in a predefined time

List of Tables

3.1 MD5's addition constants
3.2 MD5's rotation constants
3.3 MD5's non-linear round functions
3.4 SHA-1's non-linear round functions
4.1 Message 1 in Poisoned Message Attack
4.2 Message 2 in Poisoned Message Attack
6.1 Tunnels
8.1 Instruction set
8.2 Commands for controlling pseudo-number generation and I/O communication
8.3 Virtual and physical address space
9.1 Time analysis - average time to find a collision
9.2 Processor performance
9.3 Performance of collision search units
9.4 Performance (P) compared to Pentium 4
9.5 Cost overview
9.6 Performance (R) compared to Pentium 4

1 Introduction

Today, cryptography is an essential part of Information Technology (IT). In most IT applications one or more security objectives have to be fulfilled to ensure expected behavior and to avoid illegal or malicious exploitation. Modern cryptography offers a wide variety of mechanisms to guarantee such security requirements. Most of these mechanisms can be reduced to elementary building blocks called cryptographic primitives. This work will focus on a cryptographic primitive called the cryptographic hash function.

Many basic and complex cryptographic applications make extensive use of cryptographic hash functions. They offer valuable security properties and good efficiency. In combination, these features are particularly interesting for accelerating asymmetric cryptographic protocols. Usually, the security of a cryptographic protocol depends on all its elements. If just one primitive is found to have security flaws, the whole protocol might become insecure. Finding successful attacks against widespread cryptographic hash functions would affect a variety of popular security protocols and have unforeseeable impact on their overall security.

In February 2005 Wang et al. presented a new attack method against the popular Secure Hash Algorithm (SHA-1). It reduces the computational attack complexity to find a collision from O(2^80) to approximately O(2^69), leading to the announcement that SHA-1 has been broken in theory. Soon it was
