Controlling Half the Output of SHA-256 Mellila Bouam, Charles Bouillaguet, Claire Delaplace, Camille Noûs

Controlling Half the Output of SHA-256 Mellila Bouam, Charles Bouillaguet, Claire Delaplace, Camille Noûs

Computational Records with Aging Hardware: Controlling Half the Output of SHA-256 Mellila Bouam, Charles Bouillaguet, Claire Delaplace, Camille Noûs To cite this version: Mellila Bouam, Charles Bouillaguet, Claire Delaplace, Camille Noûs. Computational Records with Aging Hardware: Controlling Half the Output of SHA-256. Parallel Computing, Elsevier, In press, pp.102804. 10.1016/j.parco.2021.102804. hal-02306904v3 HAL Id: hal-02306904 https://hal.archives-ouvertes.fr/hal-02306904v3 Submitted on 26 Jun 2021 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Computational Records with Aging Hardware: Controlling Half the Output of SHA-256 Mellila Bouama, Charles Bouillaguetb,∗, Claire Delaplacec, Camille Noûsd aEcole Superieure d’Informatique, Alger, Algeria bSorbonne Université, CNRS, LIP6, F-75005 Paris, France cMIS Laboratory, Université de Picardie Jules Verne, 14 quai de la Somme, 80080 Amiens, France dLaboratoire Cogitamus; https://www.cogitamus.fr/ Abstract SHA-256 is a secure cryptographic hash function. As such, its output should not have any detectable property. This paper describes three bit strings whose hashes by SHA-256 are nevertheless correlated in a non-trivial way: the first half of their hashes XORs to zero. They were found by “brute-force”, without exploiting any cryptographic weakness in the hash function itself. This does not threaten the security of the hash function and does not have any cryptographic implication. This is an example of a large “combinatorial” computation in which at least 8:7 × 1022 integer operations have been performed. This was made possible by the combination of: 1) recent progress on algorithms for the underlying problem, 2) creative use of “dedicated” hardware accelerators, 3) adapted implementations of the relevant algorithms that could run on massively parallel machines. The actual computation was done on aging hardware. It required seven calendar months using two obsolete second-hand bitcoin mining devices converted into “useful” computational devices. A second step required 570 CPU-years on an 8-year old IBM BlueGene/Q computer, a few weeks before it was scrapped. To the best of our knowledge, this is the first practical 128-bit collision-like result obtained by brute-force, and it is the first bitcoin miner-accelerated computation. Keywords: 3XOR, Generalized Birthday Paradox, Brute-force, Implementation, Hardware, ASIC, bitcoin hardware 1. Introduction of computing discrete logarithms in some groups (usually the multiplicative group of integers modulo a large prime number Cryptography is an ubiquitous component of information or the group of points on an elliptic curve). security. Cryptographic algorithms are used to enforce secu- Cryptanalysis is the art of breaking the security properties rity properties such as secrecy, integrity and authenticity. A that are supposed to be guaranteed by cryptographic schemes. few cryptographic algorithms are widely deployed, and ensure Research in cryptanalysis is both of a theoretical and practical the secure operations of several key economic sectors. The nature; on the theoretical side, weaknesses in some cryptogra- RSA signature algorithm guarantees the authenticity of all Eu- phic schemes can be found “on paper”: given enough resources, ropean credit cards and enables end-user to digitally sign elec- an algorithm could potentially break the security properties of- tronic mail. Both RSA and variants of the Diffie-Hellman key- fered by a cryptographic scheme faster than expected. On the exchange protocol (DH) are present in the majority of “secure” other hand, when the break is practical, consequences are usu- network connection in the world, because they are the main ally more dramatic, especially if it is widely deployed; this puts components of the TLS secure network layer. They secure more pressure on industrial actors to update their products. connections to emails accounts, allow web-browsers to authen- Cryptographic hash function play an important yet special ticate banking, e-commerce or governmental websites, enable role in cryptology: as opposed to encryption or data authentica- remote connections to “Virtual Private Networks”, etc. tion schemes, their security does not depend on the confidential- Public-key cryptographic algorithms rely on the hardness of ity of any secret data (such as an encryption key). While formal- well-defined computational problems. Concretely, the security izing the expected security properties of hash function families of RSA relies on the hardness of factoring large integers, while is fairly straightforward, precisely defining the security of fixed that of the Diffie-Hellman key-exchange relies on the hardness and public cryptographic hash function such as SHA-256 is a long-standing problem (see e.g. [Rog06]). Informally speaking, ∗Corresponding author a cryptographic hash function is a fixed, public function with- Email addresses: [email protected] (Mellila Bouam), out structure: given an arbitrary input, its output should appear [email protected] (Charles Bouillaguet ), indistinguishable from a random bit string, i.e. it should appear [email protected] (Claire Delaplace), completely decorrelated from the input. It follows that it should [email protected] (Camille Noûs) Preprint submitted to Elsevier June 26, 2021 not be possible to construct inputs such that their hashes exhibit Recent Improvements. Advances on the 3XOR problem in the a detectable correlation. At the very minimum, a cryptographic cryptographic community aimed at reducing the total computa- hash function should be one-way and collision-resistant — a tional load while ignoring potential memory and hardware con- collision for a function f is a pair x , y such that f (x) = f (y), straints. Joux proposed an incremental improvementp in [Jou09], and f is collision-resistant if finding such a pair is intractable. which reduces the computational load by n at the expense SHA-256 is presently considered to be a secure cryptogra- of using an exponential amount of memory and increasing the phic hash function, and it is widely used. It was designed by number of queries to the random functions. Motivated by the the NSA in 2001, and it is one of the few cryptographic hash potential cryptanalytic applications, several new algorithms were functions standardized by the government of the United States discovered by Nikolic´ and Sasaki [NS14] and then later by Bouil- of America for its own use [oST15]. laguet, Delaplace and Fouque [BDF18]. 1.1. Context of this Work 1.2. Objectives and Results In the cryptographic community, the “3XOR problem” con- The attacks that use 3XOR computations as a sub-component sists in finding three n-bit strings x, y and z such that f (x) ⊕ have not been implemented. Previous work on the 3XOR prob- g(y) ⊕ h(z) = 0, where ⊕ denotes the XOR operation and f; g; h lem is also of a mostly theoretical nature. What is the practical are random functions from f0; 1gn to f0; 1gn. This problem has efficiency of the five algorithms listed in Table 1? If someone recently seen a renewed interest because of its potential use actually wanted to solve an instance of the 3XOR problem in in cryptanalysis: it is used as a building block in a generic practice, what would they do? Seeking to answer these ques- attack [Nan15] against the COPA [ABL+13] mode of opera- tions, we set up a large instance of the 3XOR problem and tried tion for authenticated encryption. Another recent attack [LS19] to solve it. against the two-round single-key Even-Mansour cipher [EM91] We settled for n = 128, a significant milestone: it it the also works by reducing it to a 3XOR computation. An instance smallest power of two for which the computation is not obvi- of the 3XOR problem can be solved by several algorithms sum- ously easy at the present time. In addition, this size is crypto- marized in Table 1. The first two, which are described be- graphically meaningful: the MD5 cryptographic hash function low, are folklore and serve as a meaningful baseline to compare produces 128-bit digests and was once vastly deployed1 ; 128- against. bit is currently a standard key size for symmetric encryption. We used a contemporary cryptographic hash function (SHA- The Quadratic Algorithm. It is possible to build three arrays 256), truncated to 128 bits, as f; g and h (using different input A; B and C such that A[i] = f (i), B[i] = g(i) and C[i] = h(i); prefixes to distinguish the three functions): because it is con- the task then consists in finding (x; y; z) 2 A × B × C such that sidered secure, it should mimic reasonably well the behavior of x ⊕ y ⊕ z = 0. This can be done by trying all pairs (x; y) 2 A × B random functions. and checking if x ⊕ y belongs to C. Because there are 2n triplets Solving this instance of 3XOR would mean being able to in total, we expect to find one such that the n-bit equality holds. “control” the first half of the output of SHA-256. This would This is the quadratic algorithm. In this form, it requires have no immediate cryptographic consequences and would not n · 2n=3 bits of memory, and performs O 22n=3 operations. Note threaten the security of any known cryptographic protocol. But that the random functions f; g; h only have to be evaluated 2n=3 this has not been done before and it is assumed to be difficult. times. The inputs to the random functions can be arbitrary, as We were able to solve this large instance of the 3XOR prob- long as they are all distinct.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    15 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us