Preimages for Step-Reduced SHA-2ccrg/documents/SHA2-Slides.pdf · SHA-2 in General IVn Mn IVn+1...
21
Description of SHA-2 Description of Preimage Attack Application to SHA-2 Conclusions Preimages for Step-Reduced SHA-2 Jian Guo 1 Krystian Matusiewicz 2 Nanyang Technological University, Singapore Technical University of Denmark NTU, 25 Nov 2009 A merged version with Aoki, Sasaki and Wang will appear in ASIACRYPT 2009 Jian Guo , Krystian Matusiewicz Preimages for Step-Reduced SHA-2
Transcript of Preimages for Step-Reduced SHA-2ccrg/documents/SHA2-Slides.pdf · SHA-2 in General IVn Mn IVn+1...
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
Preimages for Step-Reduced SHA-2
Jian Guo1 Krystian Matusiewicz2
Nanyang Technological University, Singapore
Technical University of Denmark
NTU, 25 Nov 2009
A merged version with Aoki, Sasaki and Wang will appear in ASIACRYPT 2009
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
Table of contents
1 Description of SHA-2General ViewStep FunctionMessage Expansion
2 Description of Preimage Attack
3 Application to SHA-2OverviewMessage StealingMessage CompensationExtended Partial Matching
4 Conclusions
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
General ViewStep FunctionMessage Expansion
SHA-2 in General
IVn Mn
IVn+1
message expansion algorithm
iteration of the step transformation
output state
input state
input message
state feed-forward operation
Step Function: update internal chaining
Message Expansion: expand 16 message words to 64/80
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
General ViewStep FunctionMessage Expansion
SHA-2 Step Function
Σ0
MAJ
Σ1
IF
Ki
Wi
Ai Bi Ci Di Ei Fi Gi Hi
Ai+1Bi+1Ci+1Di+1Ei+1Fi+1Gi+1Hi+1
MAJ(A,B ,C ) = (A ∧ B) ∨ (A ∧ C ) ∨ (B ∧ C ) ,
IF(E ,F ,G ) = (E ∧ F ) ∨ (¬E ∧ G ) ,
Σ0(x) = (x ≫ 2) ⊕ (x ≫ 13) ⊕ (x ≫ 22) ,
Σ1(x) = (x ≫ 6) ⊕ (x ≫ 11) ⊕ (x ≫ 25) .
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
General ViewStep FunctionMessage Expansion
SHA-2 Message Expansion
σ1σ0
W0 W15W16 W63
M0 M15
Wi =
{
Mi for 0 ≤ i < 16 ,
σ1(Wi−2) + Wi−7 + σ0(Wi−15) + Wi−16 for 16 ≤ i < 64 .
Note: any consecutive 16 determine all message words.
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
Preimage Attack - in general
matchsplit
Target
Find pseudo-preimage in 2l , then preimage in 2n+l2
+1
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Result on SHA-2
W11, . . . ,W26 as a basis to generate all message words.
Neutral words: W16 and W19
A
1 19
second chunkfirst chunk
16 340 41
W:
indirect partial matching
splitting point
S17
matching point
S35
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Message Stealing
Σ0
MAJ
Σ1
IF
Ki
Wi
Σ0
MAJ
Σ1
IF
Ki+1
Wi+1
Σ0
MAJ
Σ1
IF
Ki+2
Wi+2
Σ0
MAJ
Σ1
IF
Ki+3
Wi+3
splitting point
0
1
Σ0
MAJ
Σ1
IF
Ki
Σ0
MAJ
Σ1
IF
Ki+1
Wi+1
Σ0
MAJ
Σ1
IF
Ki+2
Wi+2
Σ0
MAJ
Σ1
IF
Ki+3
Wi Wi
Wi+3 Wi
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Result on SHA-2
W11, . . . ,W26 as a basis to generate all message words.
Neutral words: W16 and W19
A
1 19
second chunkfirst chunk
16 340 41
W:
indirect partial matching
splitting point
S17
matching point
S35
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Message Compensation - First Chunk
W10 = W26 − σ1(W24) − W19 − σ0(W11) ,
W9 = W25 − σ1(W23) − W18 − σ0(W10) ,
W8 = W24 − σ1(W22) − W17 − σ0(W9) ,
W7 = W23 − σ1(W21) − W16 − σ0(W8) ,
W6 = W22 − σ1(W20) − W15 − σ0(W7) ,
W5 = W21 − σ1(W19) − W14 − σ0(W6) ,
W4 = W20 − σ1(W18) − W13 − σ0(W5) ,
W3 = W19 − σ1(W17) − W12 − σ0(W4) ,
W2 = W18 − σ1(W16) − W11 − σ0(W3) ,
W1 = W17 − σ1(W15) − W10 − σ0(W2) ,
W0 = W16 − σ1(W14) − W9 − σ0(W1) .
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Message Compensation - First Chunk
W10 = W26 − σ1(W24) − W19 − σ0(W11) ,
W9 = W25 − σ1(W23) − W18 − σ0(W10) ,
W8 = W24 − σ1(W22) − W17 − σ0(W9) ,
W7 = W23 − σ1(W21) − W16 − σ0(W8) ,
W6 = W22 − σ1(W20) − W15 − σ0(W7) ,
W5 = W21 − σ1(W19) − W14 − σ0(W6) ,
W4 = W20 − σ1(W18) − W13 − σ0(W5) ,
W3 = W19 − σ1(W17) − W12 − σ0(W4) ,
W2 = W18 − σ1(W16) − W11 − σ0(W3) ,
W1 = W17 − σ1(W15) − W10 − σ0(W2) ,
W0 = W16 − σ1(W14) − W9 − σ0(W1) .
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Message Compensation - First Chunk
W10 = W26 − σ1(W24) − W19 − σ0(W11) ,
W9 = W25 − σ1(W23) − W18 − σ0(W10) ,
W8 = W24 − σ1(W22) − W17 − σ0(W9) ,
W7 = W23 − σ1(W21) − W16 − σ0(W8) ,
W6 = W22 − σ1(W20) − W15 − σ0(W7) ,
W5 = W21 − σ1(W19) − W14 − σ0(W6) ,
W4 = W20 − σ1(W18) − W13 − σ0(W5) ,
W3 = W19 − σ1(W17) − W12 − σ0(W4) ,
W2 = W18 − σ1(W16) − W11 − σ0(W3) ,
W1 = W17 − σ1(W15) − W10 − σ0(W2) ,
W0 = W16 − σ1(W14) − W9 − σ0(W1) .
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Message Compensation - First Chunk
W10 = W26 − σ1(W24) − W19 − σ0(W11) ,
W9 = W25 − σ1(W23) − W18 − σ0(W10) ,
W8 = W24 − σ1(W22) − W17 − σ0(W9) ,
W7 = W23 − σ1(W21) − W16 − σ0(W8) ,
W6 = W22 − σ1(W20) − W15 − σ0(W7) ,
W5 = W21 − σ1(W19) − W14 − σ0(W6) ,
W4 = W20 − σ1(W18) − W13 − σ0(W5) ,
W3 = W19 − σ1(W17) − W12 − σ0(W4) ,
W2 = W18 − σ1(W16) − W11 − σ0(W3) ,
W1 = W17 − σ1(W15) − W10 − σ0(W2) ,
W0 = W16 − σ1(W14) − W9 − σ0(W1) .
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Result on SHA-2
W11, . . . ,W26 as a basis to generate all message words.
Neutral words: W16 and W19
A
1 19
second chunkfirst chunk
16 340 41
W:
indirect partial matching
splitting point
S17
matching point
S35
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Message Compensation - Second Chunk
W27 = σ1(W25) + W20 + σ0(W12) + W11 ,
W28 = σ1(W26) + W21 + σ0(W13) + W12 ,
W29 = σ1(W27) + W22 + σ0(W14) + W13 ,
W30 = σ1(W28) + W23 + σ0(W15) + W14 ,
W31 = σ1(W29) + W24 + σ0(W16) + W15 ,
W32 = σ1(W30) + W25 + σ0(W17) + W16 ,
W33 = σ1(W31) + W26 + σ0(W18) + W17 ,
W34 = σ1(W32) + W27 + σ0(W19) + W18 .
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Result on SHA-2
A
1 19
second chunkfirst chunk
16 340 41
W:
indirect partial matching
splitting point
S17
matching point
S35
W0 =W16 − σ1(W14) − W9 − σ0(W1)
W34 =σ1(W32) + W27 + σ0(W19) + W18
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Extended Partial Matching
Bac
kwar
d
For
war
dB
ackw
ard
Σ0
MAJ
Σ1
IFK40
W40
Σ0
MAJ
Σ1
IFK39
W39
Σ0
MAJ
Σ1
IFK38
W38
TargetΣ0
MAJ
Σ1
IFK0
W0
Σ0
MAJ
Σ1
IFK41
W41
A35 Match?
Σ0
MAJ
Σ1
IFK37
W37
Σ0
MAJ
Σ1
IFK36
W36
Σ0
MAJ
Σ1
IFK35
W35
Σ0
MAJ
Σ1
IFK34
W34
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
OverviewMessage StealingMessage CompensationExtended Partial Matching
Extended Partial Matching
ψ(W16) + σ0(W19) = µ(W19) − W16
⇐⇒ ψ(W16) + W16 = µ(W19) − σ0(W19)
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
Result on SHA-2
A
1 19
second chunkfirst chunk
16 340 41
W:
indirect partial matching
splitting point
S17
matching point
S35
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
Conclusions
We find preimages for 42 out of 64 (66%) step-reducedSHA-256 with complexity 2251.7 and memory requirement oforder 212 bits
The same attack applies to SHA-512 with complexity 2502.3
and memory requirement of order 222
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
-
Description of SHA-2Description of Preimage Attack
Application to SHA-2Conclusions
END
THANK YOU!
QUESTIONS?
Jian Guo, Krystian Matusiewicz Preimages for Step-Reduced SHA-2
Description of SHA-2General ViewStep FunctionMessage Expansion
Description of Preimage AttackApplication to SHA-2OverviewMessage StealingMessage CompensationExtended Partial Matching
Conclusions
