SHA1 collision found - PowerPoint PPT Presentation

1
SHA-1 collision found
  • Luká Mino, Richard Bartu

2
Contents
  • Hash function
  • Secure Hash Algorithm
  • Cryptanalysis of SHA-0
  • Cryptanalysis of SHA-1
  • SHA-1 algorithm
  • SHA-2 algorithm
  • Example hashes

3
Hash function
  • A hash function is a reproducible method of
    turning some kind of data into a (relatively)
    small number that may serve as a digital
    "fingerprint" of the data.
  • The algorithm "chops and mixes" (for instance,
    substitutes or transposes) the data to create
    such fingerprints.

4
Secure Hash Algorithm
  • The SHA hash functions are the cryptographic hash
    functions standardized by NIST: SHA-1 and the
    SHA-2 variants SHA-224, SHA-256, SHA-384 and
    SHA-512 (the withdrawn original, SHA-0, is
    discussed below).
  • Hash algorithms compute a fixed-length digital
    representation (known as a message digest) of an
    input data sequence (the message) of any length.
  • Any change to a message will, with a very high
    probability, result in a different message digest.

5
SHA
6
Cryptanalysis of SHA-0
  • At CRYPTO '98, two French researchers, Florent
    Chabaud and Antoine Joux, presented an attack on
    SHA-0 (Chabaud and Joux, 1998): collisions can be
    found with complexity 2^61, fewer than the 2^80
    for an ideal hash function of the same size.
  • In 2004, Biham and Chen found near-collisions for
    SHA-0: two messages that hash to nearly the same
    value; in this case, 142 out of the 160 bits are
    equal. They also found full collisions of SHA-0
    reduced to 62 out of its 80 rounds.
  • Subsequently, on 12 August 2004, a collision for
    the full SHA-0 algorithm was announced by Joux,
    Carribault, Lemuet, and Jalby. This was done by
    using a generalization of the Chabaud and Joux
    attack. Finding the collision had complexity 2^51
    and took about 80,000 CPU hours on a
    supercomputer with 256 Itanium 2 processors.
  • On 17 August 2004, at the Rump Session of CRYPTO
    2004, preliminary results were announced by Wang,
    Feng, Lai, and Yu, about an attack on MD5, SHA-0
    and other hash functions. The complexity of their
    attack on SHA-0 is 2^40, significantly better
    than the attack by Joux et al.
  • In February 2005, an attack by Xiaoyun Wang,
    Yiqun Lisa Yin, and Hongbo Yu was announced which
    could find collisions in SHA-0 in 2^39 operations.

7
Cryptanalysis of SHA-1
  • In light of the results on SHA-0, some experts
    suggested that plans for the use of SHA-1 in new
    cryptosystems should be reconsidered. After the
    CRYPTO 2004 results were published, NIST
    announced that it planned to phase out the use
    of SHA-1 by 2010 in favor of the SHA-2 variants.
  • In early 2005, Rijmen and Oswald published an
    attack on a reduced version of SHA-1 (53 out of
    80 rounds) which finds collisions with a
    complexity of fewer than 2^80 operations.
  • In February 2005, an attack by Xiaoyun Wang,
    Yiqun Lisa Yin, and Hongbo Yu was announced. The
    attack can find collisions in the full version
    of SHA-1, requiring fewer than 2^69 operations
    (a brute-force birthday search would require
    about 2^80 operations).
  • The authors write: "In particular, our analysis
    is built upon the original differential attack on
    SHA0, the near collision attack on SHA0, the
    multiblock collision techniques, as well as the
    message modification techniques used in the
    collision search attack on MD5. Breaking SHA1
    would not be possible without these powerful
    analytical techniques." The authors presented a
    collision for 58-round SHA-1, found with 2^33
    hash operations. The paper with the full attack
    description was published in August 2005 at the
    CRYPTO conference.
  • In an interview, Yin states that, "Roughly, we
    exploit the following two weaknesses: one is that
    the file preprocessing step is not complicated
    enough; another is that certain math operations
    in the first 20 rounds have unexpected security
    problems."
  • On 17 August 2005, an improvement on the SHA-1
    attack was announced on behalf of Xiaoyun Wang,
    Andrew Yao and Frances Yao at the CRYPTO 2005
    rump session, lowering the complexity required
    for finding a collision in SHA-1 to 2^63. On 18
    December 2007 the details of this result were
    explained and verified by Martin Cochran.
  • Christophe De Cannière and Christian Rechberger
    further improved the attack on SHA-1 in "Finding
    SHA-1 Characteristics: General Results and
    Applications," receiving the Best Paper Award at
    ASIACRYPT 2006. A two-block collision for
    64-round SHA-1 was presented, found using
    unoptimized methods with 2^35 compression
    function evaluations.
  • The 64-round collision was actually computed (2^35
    evaluations is within reach of a single machine);
    the attack on the full 80-round SHA-1, at about
    2^63 evaluations, was at this point a theoretical
    break. To find an actual collision of full SHA-1,
    a massive distributed computing effort or a very
    large parallel supercomputer such as those
    possessed by the NSA would be required. To that
    end, a collision search for SHA-1 using the
    distributed computing platform BOINC was under
    way at the time of this presentation (see
    boinc.iaik.tugraz.at in the references).
  • At the Rump Session of CRYPTO 2006, Christian
    Rechberger and Christophe De Cannière claimed to
    have discovered a collision attack on SHA-1 that
    would allow an attacker to select at least parts
    of the message.
  • Later outcome, added for context: the full-SHA-1
    attack stayed theoretical for a decade. The first
    published SHA-1 collision, two different PDF files
    with the same SHA-1 digest, appeared in February
    2017 (Stevens, Bursztein, Karpman, Albertini and
    Markov, "SHAttered") at a cost of roughly 2^63.1
    SHA-1 compression-function calls, in line with the
    2^63 estimate above. SHA-1 is therefore unfit for
    digital signatures, certificates or any other use
    that depends on collision resistance; use SHA-256
    or stronger.

8
SHA-1 algorithm
  • Note: all variables are unsigned 32-bit words and
    wrap modulo 2^32 when calculating
  • Initialize variables:
  •   h0 = 0x67452301
  •   h1 = 0xEFCDAB89
  •   h2 = 0x98BADCFE
  •   h3 = 0x10325476
  •   h4 = 0xC3D2E1F0
  • Pre-processing:
  •   append the bit '1' to the message
  •   append k bits '0', where k is the minimum number
      >= 0 such that the resulting message length (in
      bits) is congruent to 448 (mod 512)
  •   append length of message (before pre-processing),
      in bits, as a 64-bit big-endian integer
  • Process the message in successive 512-bit chunks:
  •   break message into 512-bit chunks
  •   for each chunk
  •     break chunk into sixteen 32-bit big-endian
        words w[i], 0 <= i <= 15
  •     extend the sixteen 32-bit words into eighty
        32-bit words:
  •     for i from 16 to 79
  •       w[i] = (w[i-3] xor w[i-8] xor w[i-14] xor
          w[i-16]) leftrotate 1
  •     initialize hash value for this chunk:
  •       a = h0, b = h1, c = h2, d = h3, e = h4

9
SHA-1 algorithm
  • Main loop:
  •   for i from 0 to 79
  •     if 0 <= i <= 19 then
  •       f = (b and c) or ((not b) and d)
  •       k = 0x5A827999
  •     else if 20 <= i <= 39
  •       f = b xor c xor d
  •       k = 0x6ED9EBA1
  •     else if 40 <= i <= 59
  •       f = (b and c) or (b and d) or (c and d)
  •       k = 0x8F1BBCDC
  •     else if 60 <= i <= 79
  •       f = b xor c xor d
  •       k = 0xCA62C1D6
  •     temp = (a leftrotate 5) + f + e + k + w[i]
  •     e = d
  •     d = c
  •     c = b leftrotate 30
  •     b = a
  •     a = temp
  •   Add this chunk's hash to result so far:
  •     h0 = h0 + a, h1 = h1 + b, h2 = h2 + c,
        h3 = h3 + d, h4 = h4 + e
  • Produce the final hash value (big-endian):
  •   digest = h0 append h1 append h2 append h3 append h4
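The pseudocode on slides 8 and 9, carried through as a complete, runnable implementation. This is an added example written for this transcript, not code from the original presentation: `sha1`, `pad`, `rotl`, `differing_bits` and `matches_hashlib` are names chosen here, the message-schedule step (w[16..79]) that the slide's pseudocode leaves out is included, and Python's hashlib is called only as an independent cross-check of the hand-written version. The test vectors are the example hashes from slide 15.

```python
# Added example: SHA-1 implemented from the pseudocode on the slide.
# Not code from the original presentation; hashlib is used only to
# cross-check the hand-written version.
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rotl(x, n):
    """Rotate a 32-bit word left by n bits (the slide's 'leftrotate')."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def pad(message):
    """Pre-processing: append the bit '1' (0x80), then zero bits until the
    length is 448 mod 512, then the original length in bits as a 64-bit
    big-endian integer. The result is a whole number of 512-bit chunks."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def sha1(message):
    """Return the SHA-1 digest of `message` (bytes) as a 40-char hex string."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = pad(message)
    for off in range(0, len(data), 64):
        # sixteen 32-bit big-endian words w[0..15] ...
        w = list(struct.unpack(">16I", data[off:off + 64]))
        # ... extended to eighty words (the message-schedule step that the
        # slide's pseudocode leaves out)
        for i in range(16, 80):
            w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl(a, 5) + f + e + k + w[i]) & MASK32
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        # add this chunk's result to the running state (mod 2^32)
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return "".join("%08x" % x for x in h)


def differing_bits(hex_a, hex_b):
    """Number of bit positions in which two hex digests differ. A
    near-collision in the Biham-Chen sense is a pair with few differing bits
    (18 of 160 in their SHA-0 result); unrelated inputs differ in about 80."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def matches_hashlib(message):
    """Cross-check against the standard library on the same input."""
    return sha1(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    fox = b"The quick brown fox jumps over the lazy dog"
    cog = b"The quick brown fox jumps over the lazy cog"
    print(sha1(fox))   # 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
    print(sha1(cog))   # de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3
    print(sha1(b""))   # da39a3ee5e6b4b0d3255bfef95601890afd80709
    print(differing_bits(sha1(fox), sha1(cog)), "of 160 bits differ")
    print(all(matches_hashlib(b"a" * n) for n in (0, 55, 56, 63, 64, 200)))
```

The padding lengths 55, 56, 63 and 64 in the cross-check are the boundaries where the length field spills into a second chunk; an implementation that gets `pad` wrong usually passes the single-block fox vector and fails exactly there.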

10
SHA-2 algorithm
  • This is the SHA-256 member of the family (SHA-384
    and SHA-512 use the same structure with 64-bit
    words and 80 rounds). All variables are unsigned
    32-bit words and wrap modulo 2^32.
  • Initialize variables
    (first 32 bits of the fractional parts of the
    square roots of the first 8 primes 2..19):
  •   h0 = 0x6a09e667
  •   h1 = 0xbb67ae85
  •   h2 = 0x3c6ef372
  •   h3 = 0xa54ff53a
  •   h4 = 0x510e527f
  •   h5 = 0x9b05688c
  •   h6 = 0x1f83d9ab
  •   h7 = 0x5be0cd19
  • Initialize table of round constants
    (first 32 bits of the fractional parts of the
    cube roots of the first 64 primes 2..311; only
    k[0..39] fit on the slide):
  •   k[0..63] =
  •   0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
      0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
  •   0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
      0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
  •   0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
      0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
  •   0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
      0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
  •   0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
      0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,

11
SHA-2 algorithm
  • Process the message in successive 512-bit chunks
    (same pre-processing as for SHA-1):
  •   break message into 512-bit chunks
  •   for each chunk
  •     break chunk into sixteen 32-bit big-endian
        words w[0..15]
  •     extend the sixteen 32-bit words into
        sixty-four 32-bit words:
  •     for i from 16 to 63
  •       s0 = (w[i-15] rightrotate 7) xor
          (w[i-15] rightrotate 18) xor (w[i-15]
          rightshift 3)
  •       s1 = (w[i-2] rightrotate 17) xor (w[i-2]
          rightrotate 19) xor (w[i-2] rightshift 10)
  •       w[i] = w[i-16] + s0 + w[i-7] + s1
  •     initialize hash value for this chunk:
  •       a = h0
  •       b = h1
  •       c = h2
  •       d = h3
  •       e = h4
  •       f = h5
  •       g = h6
  •       h = h7

12
SHA-2 algorithm
  • Main loop:
  •   for i from 0 to 63
  •     s0 = (a rightrotate 2) xor (a rightrotate 13)
          xor (a rightrotate 22)
  •     maj = (a and b) xor (a and c) xor (b and c)
  •     t2 = s0 + maj
  •     s1 = (e rightrotate 6) xor (e rightrotate 11)
          xor (e rightrotate 25)
  •     ch = (e and f) xor ((not e) and g)
  •     t1 = h + s1 + ch + k[i] + w[i]
  •     h = g
  •     g = f
  •     f = e
  •     e = d + t1
  •     d = c
  •     c = b
  •     b = a
  •     a = t1 + t2
  •   Add this chunk's hash to result so far:
  •     h0 = h0 + a, h1 = h1 + b, h2 = h2 + c,
        h3 = h3 + d, h4 = h4 + e, h5 = h5 + f,
        h6 = h6 + g, h7 = h7 + h
  • Produce the final hash value (big-endian):
  •   digest = h0 append h1 append h2 append h3
      append h4 append h5 append h6 append h7
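SHA-256 from the pseudocode on slides 10 to 12, as an added example that is not code from the original presentation. Instead of copying the round-constant table, which the slide truncates after k[39], the block generates h0..h7 and k[0..63] exactly as slide 10 describes, from the fractional parts of the square and cube roots of the first primes, using exact integer roots so that floating-point rounding cannot corrupt a constant. `first_primes`, `icbrt`, `frac_root_bits`, `sha256` and `matches_hashlib` are names chosen here; hashlib is used only as an independent cross-check, and the fox vector is the SHA-256 example from slide 16.

```python
# Added example: SHA-256 implemented from the slides' pseudocode, with the
# initial values and round constants derived the way slide 10 describes.
# Not code from the original presentation; hashlib is only a cross-check.
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF


def first_primes(n):
    """The first n primes by trial division (2, 3, 5, ..., 311 for n = 64)."""
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes if p * p <= cand):
            primes.append(cand)
        cand += 1
    return primes


def icbrt(n):
    """floor(cbrt(n)) for a non-negative int, by integer Newton iteration
    from an upper bound, so no floating-point rounding is involved."""
    x = 1 << -(-n.bit_length() // 3)          # 2^ceil(bits/3) > cbrt(n)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def frac_root_bits(p, root):
    """First 32 bits of the fractional part of p**(1/root), root in {2, 3}:
    scale p by 2^(32*root), take the exact integer root, keep the low 32 bits."""
    scaled = p << (32 * root)
    r = math.isqrt(scaled) if root == 2 else icbrt(scaled)
    return r & MASK32


PRIMES = first_primes(64)
H0 = [frac_root_bits(p, 2) for p in PRIMES[:8]]   # square roots of 2..19
K = [frac_root_bits(p, 3) for p in PRIMES]        # cube roots of 2..311


def rotr(x, n):
    """Rotate a 32-bit word right by n bits (the slide's 'rightrotate')."""
    return ((x >> n) | (x << (32 - n))) & MASK32


def pad(message):
    """Same pre-processing as SHA-1: 0x80, zeros to 448 mod 512, 64-bit length."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", len(message) * 8)


def sha256(message):
    """Return the SHA-256 digest of `message` (bytes) as a 64-char hex string."""
    h = list(H0)
    data = pad(message)
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for i in range(16, 64):                  # message schedule w[16..63]
            s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK32)
        a, b, c, d, e, f, g, hh = h              # 'hh' is the slide's 'h'
        for i in range(64):
            S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
            maj = (a & b) ^ (a & c) ^ (b & c)
            t2 = (S0 + maj) & MASK32
            S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
            ch = (e & f) ^ (~e & g)
            t1 = (hh + S1 + ch + K[i] + w[i]) & MASK32
            hh, g, f, e = g, f, e, (d + t1) & MASK32
            d, c, b, a = c, b, a, (t1 + t2) & MASK32
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return "".join("%08x" % x for x in h)


def matches_hashlib(message):
    """Cross-check against the standard library on the same input."""
    return sha256(message) == hashlib.sha256(message).hexdigest()


if __name__ == "__main__":
    print(["%08x" % k for k in K[:4]])   # ['428a2f98', '71374491', 'b5c0fbcf', 'e9b5dba5']
    print(sha256(b"The quick brown fox jumps over the lazy dog"))
    # d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592
    print(all(matches_hashlib(b"a" * n) for n in (0, 55, 56, 64, 200)))
```

Deriving the constants is not just a convenience: the "nothing up my sleeve" construction on slide 10 is what lets anyone confirm that no hidden structure was planted in the round constants, and regenerating them is the check that confirms it. The derived list agrees with the 40 values the slide does show and supplies the 24 it omits.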

13
SHA-1
  • Figure: one iteration within the SHA-1 compression
    function. A, B, C, D and E are 32-bit words of
    the state; F is a nonlinear function that varies
    with the round; <<<n denotes a left bit rotation
    by n places, where n varies for each operation;
    ⊞ denotes addition modulo 2^32; Kt is a constant.

14
SHA-2
15
Example hashes
  • SHA1("The quick brown fox jumps over the lazy dog")
    = 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12
  • Changing a single letter ("dog" to "cog") gives an
    unrelated digest; for a good hash function about
    half of the output bits flip on average (the
    avalanche effect):
  • SHA1("The quick brown fox jumps over the lazy cog")
    = de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3
  • The hash of the zero-length message is
  • SHA1("")
    = da39a3ee 5e6b4b0d 3255bfef 95601890 afd80709

16
Example hashes
  • SHA-1
  • SHA1("The quick brown fox jumps over the lazy dog")
    = 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12
  • SHA-256
  • SHA256("The quick brown fox jumps over the lazy dog")
    = d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592
  • SHA-512
  • SHA512("The quick brown fox jumps over the lazy dog")
    = 07e547d9586f6a73f73fbac0435ed76951218fb7d0c8d788a309d785436bbb64
      2e93a252a954f23912547d1e8a3b5ed6e1bfd7097821233fa0538f3db854fee6

17
Applications
  • SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are
    the secure hash algorithms required by U.S. federal
    standards (FIPS PUB 180-2) for use in certain
    U.S. Government applications, including use within
    other cryptographic algorithms and protocols, for
    the protection of sensitive unclassified
    information. FIPS PUB 180-1 also encouraged
    adoption and use of SHA-1 by private and
    commercial organizations.
  • A prime motivation for the publication of the
    Secure Hash Algorithm was the Digital Signature
    Standard (DSS), in which it is incorporated.
  • The SHA hash functions have been used as the
    basis for the SHACAL block ciphers.

18
References
  • http://www.rsa.com/rsalabs/node.asp?id=2927
  • http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
  • http://boinc.iaik.tugraz.at/
  • http://en.wikipedia.org/wiki/Sha1
  • http://www.faqs.org/rfcs/rfc3174.html
  • http://www.w3.org/PICS/DSig/SHA1_1_0.html
  • http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
  • http://www.itnews.sk/buxus_dev/generate_page.php?page_id=3922
  • http://www.east.isi.edu/bschott/pubs/grembowski02comparative.pdf
  • http://www.packetizer.com/security/sha1/
  • http://www.hashemall.com/
  • http://en.wikipedia.org/wiki/MD5

19
Thank you for your attention