Faster multicollisions
Jean-Philippe Aumasson
1 / 24
Agenda
Problem addressed in this talk: computing multicollisions of iterated hash functions.
We'll start with definitions: hash function, multicollision, iterated hash, fixed point.
Then we'll describe multicollision attacks: Joux's, fixed-point based, Kelsey/Schneier's, binary.
Hash function
(diagram: M fed to h, output h(M) = D)
Mapping $h : \{0,1\}^* \mapsto \{0,1\}^n$
Message $M \in \{0,1\}^*$ (arbitrary-length string)
Digest $D \in \{0,1\}^n$ (fixed-length string)
Collision
(diagram: M and $\bar{M}$ both fed to h, same output $h(M) = h(\bar{M}) = D$)
Pair of distinct messages $(M, \bar{M})$ such that $h(M) = h(\bar{M})$
Multicollision
(diagram: $M_1, M_2, \ldots, M_k$ all fed to h, same output D)
$h(M_1) = \cdots = h(M_k) = D$ with $M_1, \ldots, M_k$ distinct
Call $(M_1, \ldots, M_k)$ a k-collision
Iterated hash
Parse $M = M_1 \| M_2 \| \ldots \| M_L$ into m-bit blocks
Use a compression function $f : \{0,1\}^n \times \{0,1\}^m \mapsto \{0,1\}^n$
Compute $h_{IV}(M) = D$ as the chain
(diagram: IV → f(·, $M_1$) → f(·, $M_2$) → ... → f(·, $M_L$) → D)
i.e. $h_{IV}(M) = f(\ldots f(f(IV, M_1), M_2) \ldots, M_L)$, where the initial value (IV) is the chaining input of the first call to f
Collision oracle $O_{col}$
(diagram: IV → $O_{col}$ → random $(M, \bar{M})$ such that $f(IV, M) = f(IV, \bar{M})$)
Given an IV, returns a random pair of colliding messages
Collision oracle $O_{col}$
In practice, $O_{col}$ models collision attacks
Cost of a "query to $O_{col}$":
- $\approx 2^{n/2}$ if f is "ideal"
- $2^{63}$ for SHA-1
- $2^{128}$ for SHA-256
- $2^{256}$ for SHA-512
- a minute for MD5
- etc.
Joux's attack (example)
Query $O_{col}$ with IV, receive $f(IV, M_1) = f(IV, \bar{M}_1) = D_1$
Query $O_{col}$ with $D_1$, receive $f(D_1, M_2) = f(D_1, \bar{M}_2) = D$
4-collision: $(M_1 \| M_2,\ M_1 \| \bar{M}_2,\ \bar{M}_1 \| M_2,\ \bar{M}_1 \| \bar{M}_2)$
(diagram: IV → f → $D_1$ → f → D, first f fed with $M_1$ or $\bar{M}_1$, second f fed with $M_2$ or $\bar{M}_2$)
Joux's attack
(diagram: tree of L compression calls from IV to D; at block position i either $M_i$ or $\bar{M}_i$ can be chosen, and all $2^L$ paths end at the same digest D)
L queries to $O_{col}$ ⇒ $2^L$-collision
Fixed point
(diagram: D → f(·, M) → D)
D is a fixed point for M iff $f(D, M) = D$
Fixed-point oracle $O_{fp}$
(diagram: M → $O_{fp}$ → D such that $f(D, M) = D$)
Given M, returns a fixed point (deterministic!)
Such an oracle "exists" for MD5, SHA-1, SHA-256
Multicollision attack
Query $O_{fp}$ to get a fixed point $f(D, M) = D$
Multicollision for $h_D$ (the iterated hash with IV = D):
$M,\ M \| M,\ M \| M \| M,\ M \| M \| M \| M,\ M \| M \| \ldots \| M \| M$
Intermediate values and digests all equal D
Strengthening the iterated hash (a.k.a. MD-strengthening)
Given message M, apply the iterated hash to $M \| \langle \text{bit length of } M \rangle$
- defeats the previous attack (the repeated-block messages have different lengths, so their final length blocks differ)
- Joux's attack still possible
- collision resistance preservation: f collision resistant ⇒ h collision resistant
Kelsey/Schneier attack
(diagram: two chains of the same length, both from $D_0$ to $D_2$.
Top: $D_0$ → f($M_1$) → $D_2$ → f($M_2$) → $D_2$ → f($M_2$) → $D_2$ → f($M_2$) → $D_2$ → f($M_2$) → $D_2$
Bottom: $D_0$ → f($M_0$) → $D_0$ → f($M_1$) → $D_2$ → f($M_2$) → $D_2$ → f($M_2$) → $D_2$ → f($M_2$) → $D_2$)
2 fixed points: $f(D_0, M_0) = D_0$ and $f(D_2, M_2) = D_2$
Kelsey/Schneier attack
(diagram: two more chains of the same length, both from $D_0$ to $D_2$.
Top: $D_0$ → f($M_0$) → $D_0$ → f($M_0$) → $D_0$ → f($M_1$) → $D_2$ → f($M_2$) → $D_2$ → f($M_2$) → $D_2$
Bottom: $D_0$ → f($M_0$) → $D_0$ → f($M_0$) → $D_0$ → f($M_0$) → $D_0$ → f($M_1$) → $D_2$ → f($M_2$) → $D_2$)
2 fixed points: $f(D_0, M_0) = D_0$ and $f(D_2, M_2) = D_2$
Kelsey/Schneier attack
Details:
- ask $O_{fp}$ for a fixed point $f(D_0, M_0) = D_0$
- meet-in-the-middle to find $M_1, M_2, D_2$ such that $f(D_0, M_1) = f(D_2, M_2) = D_2$
- return messages of the form $M_0 \| M_0 \| \ldots \| M_0 \| M_1 \| M_2 \| M_2 \| \ldots \| M_2$ with $\#\text{blocks} - 1 = \#M_0 + \#M_2$ constant
Fixed-point collision
(diagram: D → f(·, M) → D and D → f(·, $\bar{M}$) → D)
Triplet $(D, M, \bar{M})$ such that $f(D, M) = f(D, \bar{M}) = D$
By the birthday paradox, can be found with $2^{n/2}$ queries to $O_{fp}$
Binary multicollisions
Find a fixed-point collision $f(D, M) = f(D, \bar{M}) = D$
(diagram: D → f → D → f → D → ... → f → D, each f fed with M or $\bar{M}$)
L blocks ⇒ $2^L$-collision
Costs $2^{n/2}$ queries to $O_{fp}$ (independent of k!)
Binary multicollisions
(diagram: tree of L compression calls from D back to D; at each block position either M or $\bar{M}$ can be chosen, and all $2^L$ paths end at D)
For SHA-256, $2^{2^{10000}}$-collisions cost $2^{128}$ compressions ($2^{10128}$ with Joux's)
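Added example, not code from the talk or the paper: a toy iterated hash with a Davies-Meyer compression function $f(D, M) = E_M(D) \oplus D$ (the scheme named on the cost slide), on which the fixed-point oracle is simply $D = E_M^{-1}(0)$. It runs the birthday search over $O_{fp}$ for the fixed-point collision, then builds the $2^L$ block choices of the binary multicollision and checks that they all hash to one digest under $h_D$, even with MD-strengthening. The 4-round Feistel cipher, its constants, and the 16-bit state / 32-bit block sizes are constructed for the toy and have no relation to a real hash.

```python
from itertools import product
M_BITS = 32                      # block size m; state size n is 16 bits (toy sizes, real hashes: n >= 160)
ROUND_CONSTS = (0x5A, 0xB4, 0x0E, 0x68)

def _round(x, k):                # byte-wise Feistel round function (any function keeps E invertible)
    return ((x ^ k) * 0x9D + (x >> 3) + 0x3B) & 0xFF

def _subkeys(key):               # one byte of the 32-bit block key per round
    return [((key >> (8 * i)) & 0xFF) ^ c for i, c in enumerate(ROUND_CONSTS)]

def E(key, x):                   # toy block cipher E_key(x): 4-round Feistel on a 16-bit block
    l, r = x >> 8, x & 0xFF
    for k in _subkeys(key):
        l, r = r, l ^ _round(r, k)
    return (l << 8) | r

def E_inv(key, y):               # inverse of E: same rounds in reverse order, swap undone
    l, r = y >> 8, y & 0xFF
    for k in reversed(_subkeys(key)):
        l, r = r ^ _round(l, k), l
    return (l << 8) | r

def f(D, M):                     # Davies-Meyer compression function: f(D, M) = E_M(D) xor D
    return E(M, D) ^ D

def iterated_hash(iv, blocks):   # h_IV(M) with MD-strengthening: the block count is hashed last
    D = iv
    for M in blocks:
        D = f(D, M)
    return f(D, len(blocks))

def fixed_point(M):              # O_fp for Davies-Meyer: D = E_M^{-1}(0) satisfies f(D, M) = D
    return E_inv(M, 0)

def fixed_point_collision():     # birthday search on O_fp for (D, M, M') with f(D, M) = f(D, M') = D
    seen = {}                    # fixed point D -> first block M that produced it
    for M in range(1 << M_BITS): # m > n, so pigeonhole guarantees a collision within 2^n + 1 queries
        D = fixed_point(M)
        if D in seen:
            return D, seen[D], M
        seen[D] = M

def binary_multicollision(L):    # 2^L distinct L-block messages that all hash to one digest under h_D
    D, M, M_bar = fixed_point_collision()
    return D, [list(choice) for choice in product((M, M_bar), repeat=L)]

def demo(L=4):                   # returns (#messages, #distinct digests); expected (2**L, 1)
    D, messages = binary_multicollision(L)
    return len(messages), len({iterated_hash(D, m) for m in messages})
```

Because every message has exactly L blocks and the chaining value never leaves D, the appended length block is processed identically for all of them, which is why the strengthening that kills the repeated-block attack does not affect this one.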
Cost of a k-collision
Joux
- $\log k$ queries to $O_{col}$ ≡ $\log k \cdot 2^{n/2}$ queries to f ideally
Kelsey/Schneier
- $2^{n/2}$ queries to f + $2^{n/2}$ queries to $O_{fp}$
- memory $2^{n/2}$
Binary
- $2^{n/2}$ queries to $O_{fp}$ ≡ $2^{n/2}$ queries to f for Davies-Meyer schemes ⇒ optimal
Message length
Joux: $\log k$
Kelsey/Schneier: $\approx k$
Binary: $\log k$
Summary
Binary multicollisions have
- optimal cost (same as a single collision)
- short messages
but...
- need easily found fixed points (as in SHA-256)
- only work for a chosen IV
More in the paper
- variants on Kelsey/Schneier and "convergence" to Joux's
- application to concatenated hash functions
- distinct-length multicollisions
- countermeasures
Dhanyabad / Thank you!