Preimages of Reduced SHA-0 and SHA-1

Preimages for Reduced SHA-0 and SHA-1
Christophe De Cannière and Christian Rechberger
ENS, Katholieke Universiteit Leuven, Graz University of Technology
Leiden, 2008

Some properties of hash functions
• Efficient to compute
• One-way
• Collision resistance

One-wayness
[Figure: hash function]

One-wayness
Applications:
• Storing a password
• Payment schemes
• Key derivation
• Commitment schemes
• Random number generation
• …

Status of SHA-1 (as of this afternoon)
• Differential collision attacks
  – Wang et al., 2005: $2^{69}$
  – Joux and Peyrin, 2007: claim $2^{5}$ improvement over x
  – Wang et al.: $2^{63}$/$2^{62}$, unpublished
  – Mendel, Rechberger, Rijmen: $2^{60.x}$, unpublished
    http://boinc.iaik.tugraz.at
• Preimage Attacks
  – Reuse of collision attacks?
  – Dedicated attacks?

Preimage Attack Strategies
• Collision Differentials (+ Message Modification)
  – Yu/Wang et al., 2005: MD4
• Multi-Near-Collision Differentials
  – Biham/Shamir, 1991: Snefru
  – Dobbertin, 1998: reduced MD4
  – Lamberger et al., 2007: SMASH
  – Leurent, 2008: MD4
  – Mendel et al., 2008: GOST hash
  – SHA-0/SHA-1?
• Correcting Impossible Messages
  – De Cannière/Rechberger, 2008: red. SHA-0 and SHA-1

Outline of MD4-style Hash Functions
[Figure: IV; message m (16 words); message expansion; expanded message w (48/64/80 words); output o (4/5/8 words)]

Message Expansions in the MD4 family
• MD4/5, RIPEMD: Permutation
• SHA-0 / SHA-1: Linear Recurrence
• SHA-2 members: Non-Linear Recurrence

Evolution of the State Updates in the MD4 Family
[Figure: state update diagrams for MD4, SHA-0/SHA-1 and SHA-2 members]

Design Complexity

Inverting SHA-1 compress
Why is it hard?

Inversion problem, reconsidered
[Figure: "before" beside "new, but equivalent"]
W will not be valid expanded message, E is error mask

Why could it be easier?
[Figure: "before" beside "new, correcting invalid message"]

Details of new techniques

Outline
1 Compression Function Attack: Correcting Impossible Messages
  Basic Technique
  Complexity
  Getting Rid of Those Carries
2 From attacks on compress function to hash function
  Using More Blocks: Birthday
  Using Even More Blocks: P3Graphs

Basic Technique
[Figure sequence: $A_i$, $E_i$; IV∗; (h − IV)∗; positions R − 16 and R − 5]
expect $2^{11}$ solutions

Complexity
[Figure: $A_i$, $E_i$; positions R − 16 and R − 5; label 7]
$2^{7\cdot(R-16)}$ trials

Getting Rid of Those Carries
[Figure sequence: $A_i$, $E_i$; positions R − 16 and R − 5; label 2]
expect $2^{27-R}$ solutions
$2^{2\cdot(R-16)+5\cdot(R-27)}$ trials

Using More Blocks: Birthday
[Figure: $A_i$, $E_i$; IV∗; positions R − 16 and R]
partial preimage: $2^{2\cdot(R-16)+5\cdot(R-32)}$ trials
[Figure: $A_i$, $E_i$; C; (h − C)∗; positions R − 16 and R]
pseudo preimage: $2^{2\cdot(R-16)+5\cdot(R-32)}$ trials

Using Even More Blocks: P3Graphs
[Figure: $A_i$, $E_i$; C; positions R − 16 and R + 5]
partial pseudo preimage: $2^{2\cdot(R-16)+5\cdot(R-37)}$ trials
[Figure sequence: P3Graph with N nodes; N/4 edges; N/2 edges; N edges; 2 × N edges]

P3Graph method

Examples of results on reduced SHA-0 and SHA-1

Results on reduced SHA-0 and SHA-1

Preimage attacks on full SHA-1?

                                Collisions      Collisions    Preimages
                                before 2005     now           now
#rounds                         53/58           >80           44/45
#freedom                        >200            0             >200
Sensitive to different choices  yes             no            yes
for rotation constants

Discussion/Summary
Two new cryptanalytic techniques
• Correcting invalid messages
  – Inversion problem is larger, but less interconnected
  – Regular structure of SHA-0/SHA-1 helps to divide/conquer the problem
• P3Graphs
  – Random (directed) graphs as useful object (introduced in the 1950s) in cryptanalysis:
  – Transfer results for compression function to hash function at cost of:
    factor 4 (total)
    factor 1 (having factor 3 precomputation)
  – Cycles in random graph help with padding problem

Q&A.
