PRACTICAL COLLISIONS FOR WIDEA-8 Kerem Varıcı KU Leuven / COSIC Session ID: CRYP-R31 Session Classification: Advanced OUTLINE ► Introduction ► Collisions for the WIDEA-8 ► Results and Remarks ▶ Presenter Logo OUTLINE ► Introduction ► Collisions for the WIDEA-8 ► Results and Remarks ▶ Presenter Logo Introduction ( WIDEA ) ► Widea - a family of block ciphers ► Inspired by IDEA block cipher ► Designed by Junod and Macchetti ► Presented in FSE’09 ► Suggested to use as compression function for hash function in Davies - Mayer mode ► Competitive efciency with most of the hash functions ▶ Presenter Logo IDEA X1 X2 X3 X4 (1) (1) (1) (1) Z1 Z2 Z3 Z4 ► Designed by Lai and Massey in 1991 (1) Z5 ► 64-bit block size (1) Z6 ► 128-bit key size ► 8.5 rounds ► Widely implemented ► 20+ security analysis ( 7 more rounds ) ► Secure except weak keys (9) (9) (9) (9) Z1 Z2 Z3 Z4 Y1 Y2 Y3 Y4 ▶ Presenter Logo (i) (i) (i) (i) x0,1 x1,1 x2,1 x3,1 WIDEA-n (i) (i) (i) (i) x0,n x1,n x2,n x3,n Z0,1 Z1,1 Z2,1 Z3,1 ► Composed of n parallel Z0,n Z1,n Z2,n Z3,n applications of IDEA connected with an MDS matrix. Z4,1 MA-Box Z4,n ► 64×n bits block size MDS Z5,1 ► 64×2n key size Z5,n ► 8.5 rounds (i+1) (i+1) x2,1 x3,1 (i+1) (i+1) (i+1) (i+1) x0,n x1,n x2,n x3,n ▶ Presenter Logo Davies-Meyer Mode ► Proposed to construct hash functions from block ciphers ► Most widely used hash functions, including MD5, SHA-1 and mi SHA-2 use this construction hi 1 hi − ▶ Presenter Logo OUTLINE ► Introduction ► Collisions for the WIDEA-8 ► Attack strategy ► Application of theory to practice ► Extending the attack to full WIDEA-8 ► Results and Remarks ▶ Presenter Logo Attack strategy - I I I 0 I ▶ Presenter Logo Attack strategy - II Characteristic Z1 Z4 Z5 Z6 (0,0,0,△) ⇒ (△,△,△,0) - ±1 - ±1 X1 X2 X3 X4 (0,0,△,0) ⇒ (△,0,0,0) - - ±1 ±1 (1) (1) (1) (1) (0,0,△,△) ⇒ (0,△,△,0) - ±1 ±1 - Z1 Z2 Z3 Z4 (0,△,0,0) ⇒ (△,△,0,△) - - - ±1 (0,△,0,△) ⇒ (0,0,△,△) - ±1 - - (0,△,△,0) ⇒ (0,△,0,△) - - ±1 - (1) Z5 (0,△,△,△) ⇒ (△,0,△,△) - ±1 ±1 ±1 (△,0,0,0) ⇒) (0,△,0,0) ±1 - ±1 ±1 Z(1) 6 (△,0,0,△) ⇒ (△,0,△,0) ±1 ±1 ±1 - (△,0,△,0) ⇒ (△,△,0,0) ±1 - - - (△,0,△,△) ⇒ (0,0,△,0) ±1 ±1 - ±1 (△,△,0,0) ⇒ (△,0,0,△) ±1 - ±1 - (△,△,0,△) ⇒ (0,△,△,△) ±1 ±1 ±1 ±1 ( 7 more rounds ) (△,△,△,0) ⇒ (0,0,0,△) ±1 - - ±1 (△,△,△,△) ⇒ (△,△,△,△) ±1 ±1 - - ▶ Presenter (9) (9) (9) (9) Z1 Z2 Z3 Z4 Logo Y1 Y2 Y3 Y4 Attack strategy - III Observation 1 The parallel instances of IDEA are only connected by the MDS matrix in the MA- box and hence if we can find a characteristic for one lane where the MA-box is never active, the attack is reduced of attacking only MDS one lane instead of all eight. Observation 2 Given any eight consecutive subkeys {Zi+1, Zi+2, ..., Zi+8} it is possible to construct the whole set of subkeys. ▶ Presenter Logo Theory to practice ∆ ∆ ∆ ∆ Z0,1 Z1,1 Z2,1 Z3,1 Z0,n Z1,n Z2,n Z3,n Z4,1 Z4,n MDS Z5,1 Z5,n ∆ ∆ ∆ ∆ ▶ Presenter Logo Extending the attack to full WIDEA-8 ∆ ∆ ∆ ∆ Z0,1 Z1,1 Z2,1 Z3,1 Z0,n Z1,n Z2,n Z3,n Z4,1 Z4,n MDS Z5,1 Z5,n ∆ ∆ ∆ ∆ ▶ Presenter Logo Extending the attack to full WIDEA-8 ▶ Presenter Logo Collision Example ▶ Presenter Logo Results target rounds time attack type comp. function 7 1 free-start collision comp. function 8.5 (full) 1 free-start near-collision comp. function 8.5 (full) 213.53 free-start collision ▶ Presenter Logo ANY QUESTIONS ? Finding Collisions for Round-Reduced SM3 Florian Mendel, Tomislav Nad, Martin Schlaffer¨ Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria [email protected] CT-RSA 2013 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 1 / 30 Outline 1 Motivation 2 Cryptographic Hash Functions 3 Differential Cryptanalysis 4 Description of SM3 5 Differential Collision Attacks on SM3 6 Summary Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 2 / 30 Outline 1 Motivation 2 Cryptographic Hash Functions 3 Differential Cryptanalysis 4 Description of SM3 5 Differential Collision Attacks on SM3 6 Summary Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 3 / 30 The MD4 Family of Hash Functions MD4 MD5 SHA-0 HAVAL RIPEMD SHA-1 RIPEMD-128 RIPEMD-160 SHA-224 SHA-256 SHA-384 SHA-512 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions 7MD4 7MD5 SHA-07 HAVAL7 RIPEMD7 SHA-17 RIPEMD-128 RIPEMD-160 SHA-224 SHA-256 SHA-384 SHA-512 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions 7MD4 7MD5 SHA-07 HAVAL7 RIPEMD7 SHA-17 RIPEMD-128 RIPEMD-160 SHA-224 SHA-256 SHA-384 SHA-512 SM3 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions 7MD4 7MD5 SHA-07 HAVAL7 RIPEMD7 SHA-17 RIPEMD-1287 RIPEMD-1603 SHA-2243 SHA-2563 SHA-3843 SHA-5123 SM3 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions 7MD4 7MD5 SHA-07 HAVAL7 RIPEMD7 SHA-17 RIPEMD-1287 RIPEMD-1603 SHA-2243 SHA-2563 SHA-3843 SHA-5123 ?SM3 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 Outline 1 Motivation 2 Cryptographic Hash Functions 3 Differential Cryptanalysis 4 Description of SM3 5 Differential Collision Attacks on SM3 6 Summary Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 5 / 30 Hash Functions Some arbitrary length input message. H(M) 19BDAF403B3 Protect short hash value instead of long text. Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 6 / 30 Main Security Requirements Preimage Resistance given h(m) find m generic complexity:2 n Second-Preimage Resistance given m; h(m) find m0 with m = m0 and h(m) = h(m0) generic complexity:2 n 6 Collision Resistance find m; m0 with m = m0 and h(m) = h(m0) generic complexity:6 2 n=2 No non-random properties Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 7 / 30 Iterated Hash Function Construction M1 M2 M3 Mt IV f f f f g H(m) w w w w n Most hash functions use some kind of iteration compression function f output transformation g chaining value size w n ≥ Strength depends on f , g, w smaller w needs stronger f Analyze building blocks collision resistance of f non-random properties of f Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 8 / 30 free-start collision: attacker can choose difference and value of chaining input Hi 1 − f (Mi ; Hi 1) = f (Mi0; Hi0 1); Mi = Mi0; Hi 1 = Hi0 1 − − 6 − 6 − Collisions on the Compression Function M = M0 i 6 i f Hi 1 Hi − semi-free-start collision: attacker can choose value of chaining input Hi 1 − f (Mi ; Hi 1) = f (Mi0; Hi 1); Mi = Mi0 − − 6 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 9 / 30 Collisions on the Compression Function M = M0 i 6 i f Hi 1 = Hi0 1 Hi − 6 − semi-free-start collision: attacker can choose value of chaining input Hi 1 − f (Mi ; Hi 1) = f (Mi0; Hi 1); Mi = Mi0 − − 6 free-start collision: attacker can choose difference and value of chaining input Hi 1 − f (Mi ; Hi 1) = f (Mi0; Hi0 1); Mi = Mi0; Hi 1 = Hi0 1 − − 6 − 6 − Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 9 / 30 Outline 1 Motivation 2 Cryptographic Hash Functions 3 Differential Cryptanalysis 4 Description of SM3 5 Differential Collision Attacks on SM3 6 Summary Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 10 / 30 Collision Attacks m = m 6 ∗ H H H(m) = H(m∗) Find two different messages which result in the same hash value: m = m∗ with H(m) = H(m∗) 6 Birthday effect applies: 2n=2 Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 11 / 30 Collision Attacks (Differential View) m = m ∆m = 0 6 ∗ 6 H H ⇐⇒ H H(m) = H(m∗) H(∆m) = 0 Find two different messages which result in the same hash m; ∆m with ∆m = 0 and H(∆m) = 0 6 Usually XOR differences are used: ∆m = m m∗ and H(∆m) = H(m) H(m∗) ⊕ ⊕ Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 12 / 30 Differential Characteristic How to find m, ∆m? Find differential characteristic (trail, path) using (semi-) automatic tools determines ∆m holds with high probability P try 1=P random messages How to find m more efficiently? we can choose m according to characteristic invert equations in first steps of hash function called message modification Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 13 / 30 Outline 1 Motivation 2 Cryptographic Hash Functions 3 Differential Cryptanalysis 4 Description of SM3 5 Differential Collision Attacks on SM3 6 Summary Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 14 / 30 SM3: too complex to draw :-( Design Complexity of the MD4 Family Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 15 / 30 Design Complexity of the MD4 Family SM3: too complex to draw :-( Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 15 / 30 The Hash Function SM3 Chinese hash function standard [Chi] (Chinese Commercial Cryptography Administration Office) Designed by Wang et al.