Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Collisions for Step-Reduced SHA 256

Ivica Nikolić, Alex BiryukovUniversity of Luxembourg

Outline

Short description of SHA-256

Difference between SHA-1 and SHA-2

Technique for finding collisions for SHA-256

20-step reduced SHA-256




Conclusions

Short description of SHA-256

Merkle-Damgard construction (compression function) Input: 512-bits message block + 256-bits chaining value

Output: 256-bits chaining value 64 steps


Number of internal variables Additional functions - ∑0, ∑1

Message expansion

Wi = Wi-3 + Wi-8+ Wi-14+ Wi-16 Wi = σ1(Wi-2)+ Wi-7+ σ0(Wi-15)+ Wi-16

One step of the compression function

Message expansion


Limit the influence of the new innovations

Additional functions (∑0, ∑1)

Find fixed points, i.e. ∑(x)=x. If x,y are fixed points then ∑(x)- ∑(y)=x-y, i.e. ∑ preserves

difference. Message expansion

Expanded words don’t use words with differences.


General technique

Introduce perturbation

Use as less differences as possible to correct the perturbation in the following 8 steps

After the perturbation is gone don’t allow any other new perturbations


Perturbation in step i Correct in the following 8 steps Require the differences for A and E as shown in the table Get system of equations with the respect to δi and Ai or Ei Solve the system

ΔA ΔB ΔC ΔD ΔE ΔF ΔG ΔH ΔW

i 0 0 0 0 0 0 0 0 1

i+1 1 0 0 0 1 0 0 0 δ1

i+2 0 1 0 0 -1 1 0 0 δ2

i+3 0 0 1 0 0 -1 1 0 δ3

i+4 0 0 0 1 0 0 -1 1 0

i+5 0 0 0 0 1 0 0 -1 0

i+6 0 0 0 0 0 1 0 0 0

i+7 0 0 0 0 0 0 1 0 0

i+8 0 0 0 0 0 0 0 1 δ4

i+9 0 0 0 0 0 0 0 0


From the definition of SHA-256, we haveΔ Ai+4 - Δ Ei+4 = Δ∑0(Ai+3) + ΔMaji+3 (ΔAi+3,ΔBi+3,ΔCi+3 )-ΔDi+3 Δ Ei+4 = Δ∑1(Ei+3) +ΔChii+3 (ΔEi+3,ΔFi+3,ΔGi+3)+ΔHi+3+ΔDi+3+ΔWi+3

From the condition for step i+3, we haveΔDi+3 = 0, ΔHi+3 = 0, Δ∑0(Ai+3) = 0, Δ∑1(Ei+3) =0.

We require ΔAi+4 = 0, Δ Ei+4 = 0.

So we deduce:ΔMaji+3 (0,0,1)= 0ΔWi+3 =- ΔChi+3 (0,-1,1)

Solution:Ai+3 =Ai+2

δ3 =-ΔChi+3 (0,-1,1)

ΔA ΔB ΔC ΔD ΔE ΔF ΔG ΔH ΔW

i+3 0 0 1 0 0 -1 1 0 δ3

i+4 0 0 0 1 0 0 -1 1 0

Example – step i+4


Solution of the system of equations

Ai-1 = Ai+1= Ai+2= Ai+3

Ai+1=-1

Ei+3 = Ei+4

Ei+6= 0

Ei+7=-1

δ1 =-1-ΔChi+1 (1,0,0)- Δ∑1(Ei+1)

δ2 = Δ∑1(Ei+2) -ΔChi+2 (-1,1,0)

δ3 =-ΔChi+3 (0,-1,1)

δ4 =-1

Unsolved equation (no degrees of freedom left)ΔChi+3(0,0,-1)=-1It holds with probability 1/3.


W 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0 x

1 x

2 x

3 x

4 x

5 x

6 x

7 x

8 x

9 x

10 x

11 x

12 x

13 x

14 x

15 x

16 x x x x

17 x x x x

18 x x x x x x x

19 x x x x x x x

20 x x x x x x x x x x

21 x x x x x x x x x x

22 x x x x x x x x x x x x x

Collision

Perturbation in W5.

Corrections in W6, W7, W8, W13.

Message expansion after the step 13 doesn’t use any of these words

Complexity = 1/3

21-step reduced SHA-256W 6 7 8 9 14

0

1

2

3

4

5

6 x

7 x

8 x

9 x

10

11

12

13

14 x

15

16 x x

17

18 x x

19

20 x x

21 x x

22 x x x x

Collision

Perturbation in W6.

Corrections in W7, W8, W9, W14.

Message expansion uses W9, W14.

Additional equation is introduced: Δ σ1(W14) + Δ W9 = 0, where Δ W14=-1.

Total complexity is 219.


W 9 10 11 12

0

1

2

3

4

5

6

7

8

9 x

10 x

11 x

12 x

13

14

15

16 x

17 x

18 x x

19 x x

20 x x

21 x x

22 x x

Semi-free start collision

Perturbation in W9.

Corrections in W10, W11, W12. W17 is extended word, so it is not possible to control it directly.

Message expansion uses W9, W10, W11, W12 .

In the original differential path there is no difference in W16. We have to slightly change our differential path. New system of equations is introduced and solved.

In order to control W17

Additional equations are introduced in order to keep the differences zero after the last step of the path.



W 9 10 11 12

0

1

2

3

4

5

6

7

8

9 x

10 x

11 x

12 x

13

14

15

16 x

17 x

18 x x

19 x x

20 x x

21 x x

22 x x

Semi-free start near collision with Hamming distance of 17 bits

Extend semi-free start collision for 23-step reduced SHA-256.

Minimize the Hamming distance of the introduced differences for A and E registers.


Conclusions

Technique applicable to SHA-224, SHA-384, and SHA-512. No real treat for the security of SHA-2.

Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Documents

Transcript of Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.