Collisions for Step-Reduced SHA 256

1
Collisions for Step-Reduced SHA 256
  • Ivica Nikolic, Alex Biryukov
  • University of Luxembourg

2
Outline
  • Short description of SHA-256
  • Difference between SHA-1 and SHA-2
  • Technique for finding collisions for SHA-256
  • 20-step reduced SHA-256
  • 21-step reduced SHA-256
  • 23-step reduced SHA-256
  • 25-step reduced SHA-256
  • Conclusions

3
Short description of SHA-256
  • Merkle-Damgard construction (compression
    function)
  • Input: 512-bit message block and 256-bit
    chaining value
  • Output: 256-bit chaining value
  • 64 steps

4
Difference between SHA-1 and SHA-2
One step of the compression function
Message expansion
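SHA-1: $W_i = (W_{i-3} \oplus W_{i-8} \oplus W_{i-14} \oplus W_{i-16}) \lll 1$
SHA-2: $W_i = \sigma_1(W_{i-2}) + W_{i-7} + \sigma_0(W_{i-15}) + W_{i-16}$
  • Number of internal variables
  • Additional functions - $\Sigma_0$, $\Sigma_1$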
  • Message expansion

5
Difference between SHA-1 and SHA-2
  • Limit the influence of the new innovations
  • Additional functions ($\Sigma_0$, $\Sigma_1$)
  • Find fixed points, i.e. $\Sigma(x) = x$.
  • If x, y are fixed points then $\Sigma(x) - \Sigma(y) = x - y$,
    i.e. $\Sigma$ preserves difference.
  • Message expansion
  • Expanded words don't use words with differences.

6
Technique for finding collisions for SHA-256
  • General technique
  • Introduce perturbation
  • Use as few differences as possible to correct
    the perturbation in the following 8 steps
  • After the perturbation is gone don't allow any
    other new perturbations

7
Technique for finding collisions for SHA-256
step    ΔA  ΔB  ΔC  ΔD  ΔE  ΔF  ΔG  ΔH  ΔW
i        0   0   0   0   0   0   0   0   1
i+1      1   0   0   0   1   0   0   0  δ1
i+2      0   1   0   0  -1   1   0   0  δ2
i+3      0   0   1   0   0  -1   1   0  δ3
i+4      0   0   0   1   0   0  -1   1   0
i+5      0   0   0   0   1   0   0  -1   0
i+6      0   0   0   0   0   1   0   0   0
i+7      0   0   0   0   0   0   1   0   0
i+8      0   0   0   0   0   0   0   1  δ4
i+9      0   0   0   0   0   0   0   0
  • Perturbation in step i
  • Correct in the following 8 steps
  • Require the differences for A and E as shown in
    the table
  • Get a system of equations with respect to $\delta_i$
    and $A_i$ or $E_i$
  • Solve the system

8
Technique for finding collisions for SHA-256
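Example: step i+4
step    ΔA  ΔB  ΔC  ΔD  ΔE  ΔF  ΔG  ΔH  ΔW
i+3      0   0   1   0   0  -1   1   0  δ3
i+4      0   0   0   1   0   0  -1   1   0
  • From the definition of SHA-256, we have
  • $\Delta A_{i+4} - \Delta E_{i+4} = \Delta\Sigma_0(A_{i+3}) + \Delta\mathrm{Maj}_{i+3}(\Delta A_{i+3}, \Delta B_{i+3}, \Delta C_{i+3}) - \Delta D_{i+3}$
  • $\Delta E_{i+4} = \Delta\Sigma_1(E_{i+3}) + \Delta\mathrm{Ch}_{i+3}(\Delta E_{i+3}, \Delta F_{i+3}, \Delta G_{i+3}) + \Delta H_{i+3} + \Delta D_{i+3} + \Delta W_{i+3}$
  • From the condition for step i+3, we have
  • $\Delta D_{i+3} = 0$, $\Delta H_{i+3} = 0$, $\Delta\Sigma_0(A_{i+3}) = 0$, $\Delta\Sigma_1(E_{i+3}) = 0$.
  • We require $\Delta A_{i+4} = 0$, $\Delta E_{i+4} = 0$.
  • So we deduce
  • $\Delta\mathrm{Maj}_{i+3}(0,0,1) = 0$
  • $\Delta W_{i+3} = -\Delta\mathrm{Ch}_{i+3}(0,-1,1)$
  • Solution
  • $A_{i+3} = A_{i+2}$
  • $\delta_3 = -\Delta\mathrm{Ch}_{i+3}(0,-1,1)$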

9
Technique for finding collisions for SHA-256
  • Solution of the system of equations
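  • $A_{i-1} = A_{i+1} = A_{i+2} = A_{i+3}$
  • $A_{i+1} = -1$
  • $E_{i+3} = E_{i+4}$
  • $E_{i+6} = 0$
  • $E_{i+7} = -1$
  • $\delta_1 = -1 - \Delta\mathrm{Ch}_{i+1}(1,0,0) - \Delta\Sigma_1(E_{i+1})$
  • $\delta_2 = \Delta\Sigma_1(E_{i+2}) - \Delta\mathrm{Ch}_{i+2}(-1,1,0)$
  • $\delta_3 = -\Delta\mathrm{Ch}_{i+3}(0,-1,1)$
  • $\delta_4 = -1$
  • Unsolved equation (no degrees of freedom left)
  • $\Delta\mathrm{Ch}_{i+3}(0,0,-1) = -1$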
  • It holds with probability 1/3.

10
20-step reduced SHA-256
  • Collision
  • Perturbation in W5.
  • Corrections in W6, W7, W8, W13.
  • Message expansion after step 13
    doesn't use any of these words
  • Complexity 1/3

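W    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0    x  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
1    .  x  .  .  .  .  .  .  .  .  .  .  .  .  .  .
2    .  .  x  .  .  .  .  .  .  .  .  .  .  .  .  .
3    .  .  .  x  .  .  .  .  .  .  .  .  .  .  .  .
4    .  .  .  .  x  .  .  .  .  .  .  .  .  .  .  .
5    .  .  .  .  .  x  .  .  .  .  .  .  .  .  .  .
6    .  .  .  .  .  .  x  .  .  .  .  .  .  .  .  .
7    .  .  .  .  .  .  .  x  .  .  .  .  .  .  .  .
8    .  .  .  .  .  .  .  .  x  .  .  .  .  .  .  .
9    .  .  .  .  .  .  .  .  .  x  .  .  .  .  .  .
10   .  .  .  .  .  .  .  .  .  .  x  .  .  .  .  .
11   .  .  .  .  .  .  .  .  .  .  .  x  .  .  .  .
12   .  .  .  .  .  .  .  .  .  .  .  .  x  .  .  .
13   .  .  .  .  .  .  .  .  .  .  .  .  .  x  .  .
14   .  .  .  .  .  .  .  .  .  .  .  .  .  .  x  .
15   .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  x
16   x  x  .  .  .  .  .  .  .  x  .  .  .  .  x  .
17   .  x  x  .  .  .  .  .  .  .  x  .  .  .  .  x
18   x  x  x  x  .  .  .  .  .  x  .  x  .  .  x  .
19   .  x  x  x  x  .  .  .  .  .  x  .  x  .  .  x
20   x  x  x  x  x  x  .  .  .  x  .  x  .  x  x  .
21   .  x  x  x  x  x  x  .  .  .  x  .  x  .  x  x
22   x  x  x  x  x  x  x  x  .  x  .  x  .  x  x  x

11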
21-step reduced SHA-256
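W    6  7  8  9 14
0    .  .  .  .  .
1    .  .  .  .  .
2    .  .  .  .  .
3    .  .  .  .  .
4    .  .  .  .  .
5    .  .  .  .  .
6    x  .  .  .  .
7    .  x  .  .  .
8    .  .  x  .  .
9    .  .  .  x  .
10   .  .  .  .  .
11   .  .  .  .  .
12   .  .  .  .  .
13   .  .  .  .  .
14   .  .  .  .  x
15   .  .  .  .  .
16   .  .  .  x  x
17   .  .  .  .  .
18   .  .  .  x  x
19   .  .  .  .  .
20   .  .  .  x  x
21   x  .  .  .  x
22   x  x  .  x  x
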
  • Collision
  • Perturbation in W6.
  • Corrections in W7, W8, W9, W14.
  • Message expansion uses W9, W14.
  • Additional equation is introduced
  • $\Delta\sigma_1(W_{14}) + \Delta W_9 = 0$, where $\Delta W_{14} = -1$.
  • Total complexity is $2^{19}$.
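
The word-level reasoning behind the 20-step and 21-step slides can be checked mechanically. The following is an added example, not code from the presentation or its authors: it tracks which expanded words pick up a difference from the perturbed and corrected message words, and the `cancelled` parameter (an assumption of this sketch, like all function names) models the additional equation that forces the difference in W16 to zero.

```python
# Added example (not from the slides): word-level difference propagation
# through the SHA-256 message expansion. All function names are illustrative.

def direct_inputs(t):
    """The four earlier words used to compute W_t for t >= 16."""
    # W_t = sigma1(W_{t-2}) + W_{t-7} + sigma0(W_{t-15}) + W_{t-16}
    return (t - 2, t - 7, t - 15, t - 16)

def message_deps(n_words=23):
    """deps[t] = indices of message words W0..W15 that W_t depends on."""
    deps = [{t} for t in range(16)]
    for t in range(16, n_words):
        deps.append(set().union(*(deps[j] for j in direct_inputs(t))))
    return deps

def first_active_word(diff_words, cancelled=(), n_words=64):
    """Index of the first expanded word that picks up a difference, or None.

    diff_words: message words carrying the perturbation and its corrections.
    cancelled:  expanded words whose difference is assumed forced to zero by
                an additional equation on the message words.
    """
    active = set(diff_words)
    for t in range(16, n_words):
        if t in cancelled:
            continue  # difference cancels, so W_t stays inactive
        if any(j in active for j in direct_inputs(t)):
            return t  # steps 0..t-1 see only the intended differences
    return None

def render(columns, n_words=23):
    """Plain-text dependency table restricted to the given message words."""
    deps = message_deps(n_words)
    lines = ["W  " + "".join(f"{c:>3}" for c in columns)]
    for t in range(n_words):
        cells = "".join(f"{'x' if c in deps[t] else '.':>3}" for c in columns)
        lines.append(f"{t:<3}" + cells)
    return "\n".join(lines)

if __name__ == "__main__":
    # 20-step path: perturbation in W5, corrections in W6, W7, W8, W13.
    print(first_active_word({5, 6, 7, 8, 13}))
    # 21-step path: W6 plus W7, W8, W9, W14; W16 uses W9 and W14 directly.
    print(first_active_word({6, 7, 8, 9, 14}))
    print(first_active_word({6, 7, 8, 9, 14}, cancelled={16}))
    print(render([6, 7, 8, 9, 14]))
```

A return value of t means the words W0 to W(t-1) carry only the intended differences, so the path covers t steps; the model works at word granularity only and says nothing about the cost of satisfying the extra equation.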

12
23-step reduced SHA-256
  • Semi-free start collision
  • Perturbation in W9.
  • Corrections in W10, W11, W12. W17 is an extended
    word, so it is not possible to control it
    directly.
  • Message expansion uses W9, W10, W11, W12.
  • In the original differential path there is no
    difference in W16. We have to slightly change our
    differential path. A new system of equations is
    introduced and solved.
  • In order to control W17
  • Additional equations are introduced in order to
    keep the differences zero after the last step of
    the path.
  • Total complexity is $2^{21}$.

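W    9 10 11 12
0    .  .  .  .
1    .  .  .  .
2    .  .  .  .
3    .  .  .  .
4    .  .  .  .
5    .  .  .  .
6    .  .  .  .
7    .  .  .  .
8    .  .  .  .
9    x  .  .  .
10   .  x  .  .
11   .  .  x  .
12   .  .  .  x
13   .  .  .  .
14   .  .  .  .
15   .  .  .  .
16   x  .  .  .
17   .  x  .  .
18   x  .  x  .
19   .  x  .  x
20   x  .  x  .
21   .  x  .  x
22   x  .  x  .

13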
25-step reduced SHA-256
  • Semi-free start near collision with Hamming
    distance of 17 bits
  • Extend semi-free start collision for 23-step
    reduced SHA-256.
  • Minimize the Hamming distance of the introduced
    differences for A and E registers.
  • Total complexity is $2^{34}$.

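W    9 10 11 12
0    .  .  .  .
1    .  .  .  .
2    .  .  .  .
3    .  .  .  .
4    .  .  .  .
5    .  .  .  .
6    .  .  .  .
7    .  .  .  .
8    .  .  .  .
9    x  .  .  .
10   .  x  .  .
11   .  .  x  .
12   .  .  .  x
13   .  .  .  .
14   .  .  .  .
15   .  .  .  .
16   x  .  .  .
17   .  x  .  .
18   x  .  x  .
19   .  x  .  x
20   x  .  x  .
21   .  x  .  x
22   x  .  x  .

14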
Conclusions
  • Technique applicable to SHA-224, SHA-384, and
    SHA-512.
  • No real threat for the security of SHA-2.