Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

14
Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg

Transcript of Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Page 1: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Collisions for Step-Reduced SHA 256

Ivica Nikolić, Alex BiryukovUniversity of Luxembourg

Page 2: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Outline

Short description of SHA-256

Difference between SHA-1 and SHA-2

Technique for finding collisions for SHA-256

20-step reduced SHA-256

21-step reduced SHA-256

23-step reduced SHA-256

25-step reduced SHA-256

Conclusions

Page 3: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Short description of SHA-256

Merkle-Damgard construction (compression function) Input: 512-bits message block + 256-bits chaining value

Output: 256-bits chaining value 64 steps

Page 4: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Difference between SHA-1 and SHA-2

Number of internal variables Additional functions - ∑0, ∑1

Message expansion

Wi = Wi-3 + Wi-8+ Wi-14+ Wi-16 Wi = σ1(Wi-2)+ Wi-7+ σ0(Wi-15)+ Wi-16

One step of the compression function

Message expansion

Page 5: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Difference between SHA-1 and SHA-2

Limit the influence of the new innovations

Additional functions (∑0, ∑1)

Find fixed points, i.e. ∑(x)=x. If x,y are fixed points then ∑(x)- ∑(y)=x-y, i.e. ∑ preserves

difference. Message expansion

Expanded words don’t use words with differences.

Page 6: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Technique for finding collisions for SHA-256

General technique

Introduce perturbation

Use as less differences as possible to correct the perturbation in the following 8 steps

After the perturbation is gone don’t allow any other new perturbations

Page 7: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Technique for finding collisions for SHA-256

Perturbation in step i Correct in the following 8 steps Require the differences for A and E as shown in the table Get system of equations with the respect to δi and Ai or Ei Solve the system

ΔA ΔB ΔC ΔD ΔE ΔF ΔG ΔH ΔW

i 0 0 0 0 0 0 0 0 1

i+1 1 0 0 0 1 0 0 0 δ1

i+2 0 1 0 0 -1 1 0 0 δ2

i+3 0 0 1 0 0 -1 1 0 δ3

i+4 0 0 0 1 0 0 -1 1 0

i+5 0 0 0 0 1 0 0 -1 0

i+6 0 0 0 0 0 1 0 0 0

i+7 0 0 0 0 0 0 1 0 0

i+8 0 0 0 0 0 0 0 1 δ4

i+9 0 0 0 0 0 0 0 0

Page 8: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Technique for finding collisions for SHA-256

From the definition of SHA-256, we haveΔ Ai+4 - Δ Ei+4 = Δ∑0(Ai+3) + ΔMaji+3 (ΔAi+3,ΔBi+3,ΔCi+3 )-ΔDi+3 Δ Ei+4 = Δ∑1(Ei+3) +ΔChii+3 (ΔEi+3,ΔFi+3,ΔGi+3)+ΔHi+3+ΔDi+3+ΔWi+3

From the condition for step i+3, we haveΔDi+3 = 0, ΔHi+3 = 0, Δ∑0(Ai+3) = 0, Δ∑1(Ei+3) =0.

We require ΔAi+4 = 0, Δ Ei+4 = 0.

So we deduce:ΔMaji+3 (0,0,1)= 0ΔWi+3 =- ΔChi+3 (0,-1,1)

Solution:Ai+3 =Ai+2

δ3 =-ΔChi+3 (0,-1,1)

ΔA ΔB ΔC ΔD ΔE ΔF ΔG ΔH ΔW

i+3 0 0 1 0 0 -1 1 0 δ3

i+4 0 0 0 1 0 0 -1 1 0

Example – step i+4

Page 9: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Technique for finding collisions for SHA-256

Solution of the system of equations

Ai-1 = Ai+1= Ai+2= Ai+3

Ai+1=-1

Ei+3 = Ei+4

Ei+6= 0

Ei+7=-1

δ1 =-1-ΔChi+1 (1,0,0)- Δ∑1(Ei+1)

δ2 = Δ∑1(Ei+2) -ΔChi+2 (-1,1,0)

δ3 =-ΔChi+3 (0,-1,1)

δ4 =-1

Unsolved equation (no degrees of freedom left)ΔChi+3(0,0,-1)=-1It holds with probability 1/3.

Page 10: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

20-step reduced SHA-256

W 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0 x

1 x

2 x

3 x

4 x

5 x

6 x

7 x

8 x

9 x

10 x

11 x

12 x

13 x

14 x

15 x

16 x x x x

17 x x x x

18 x x x x x x x

19 x x x x x x x

20 x x x x x x x x x x

21 x x x x x x x x x x

22 x x x x x x x x x x x x x

Collision

Perturbation in W5.

Corrections in W6, W7, W8, W13.

Message expansion after the step 13 doesn’t use any of these words

Complexity = 1/3

Page 11: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

21-step reduced SHA-256W 6 7 8 9 14

0

1

2

3

4

5

6 x

7 x

8 x

9 x

10

11

12

13

14 x

15

16 x x

17

18 x x

19

20 x x

21 x x

22 x x x x

Collision

Perturbation in W6.

Corrections in W7, W8, W9, W14.

Message expansion uses W9, W14.

Additional equation is introduced: Δ σ1(W14) + Δ W9 = 0, where Δ W14=-1.

Total complexity is 219.

Page 12: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

23-step reduced SHA-256

W 9 10 11 12

0

1

2

3

4

5

6

7

8

9 x

10 x

11 x

12 x

13

14

15

16 x

17 x

18 x x

19 x x

20 x x

21 x x

22 x x

Semi-free start collision

Perturbation in W9.

Corrections in W10, W11, W12. W17 is extended word, so it is not possible to control it directly.

Message expansion uses W9, W10, W11, W12 .

In the original differential path there is no difference in W16. We have to slightly change our differential path. New system of equations is introduced and solved.

In order to control W17

Additional equations are introduced in order to keep the differences zero after the last step of the path.

Total complexity is 221.

Page 13: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

25-step reduced SHA-256

W 9 10 11 12

0

1

2

3

4

5

6

7

8

9 x

10 x

11 x

12 x

13

14

15

16 x

17 x

18 x x

19 x x

20 x x

21 x x

22 x x

Semi-free start near collision with Hamming distance of 17 bits

Extend semi-free start collision for 23-step reduced SHA-256.

Minimize the Hamming distance of the introduced differences for A and E registers.

Total complexity is 234.

Page 14: Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Conclusions

Technique applicable to SHA-224, SHA-384, and SHA-512. No real treat for the security of SHA-2.