Finding Differential Patterns for the Wang Attack


Magnus Daum
CITS – Cryptology and IT-Security, Faculty of Mathematics, Ruhr University Bochum

Motivation
- Crypto ’04 (Wang et al.): actual collisions for various hash functions
- E.g. for MD5: (hex listing of the messages M1, M2 and M1', M2')
23.06.2005 Daum - Finding Differential Patterns for the Wang Attack

Motivation
- Lenstra/Wang/de Weger: colliding (w.r.t. MD5) X.509 certificates
- Differing part: (hex listing of the two differing blocks)

Motivation
- Other actual collisions published (Klima, Lucks/D.) show the same characteristics
- Reason: the attack applies a special differential pattern with fixed input differences (M0,…,M15) = (0,0,0,0,2^31,…,±2^15,…,2^31,0)
- Considered bytewise, these are only differences in the most significant bit
- May be a problem in certain applications, e.g. when trying to find colliding ASCII texts
- Possible to use other input difference patterns?

Wang’s Attack

Wang’s Attack
- Differential attack with modular differences (i.e. differences with respect to addition modulo 2^32)
- Starts from a given/chosen message and modifies its bits to produce a collision
- Two main parts:
  - Choosing the differential pattern (done by hand)
  - Single-step and multi-step modifications

Choosing the Differential Pattern
- Not much is known about how Wang actually found this pattern used in all the implementations
- Wang: "intuitively" and "by hand"
- Some ideas can be reconstructed by looking at what is happening during the attack

Attack on MD5
- The attack uses two applications of the compression function with two different but related differential patterns:
  (0,0,0,0)  (2^31, 2^31-2^25, 2^31-2^25, 2^31-2^25)
  (2^31, 2^31-2^25, 2^31-2^25, 2^31-2^25)  (2^31, 2^31+2^25, 2^31+2^25, 2^31+2^25)
- Addition of the IV at the end of the compression function causes the differences to cancel
- Here: only look at one application of the compression function

Attack on MD5
- Construction of the pattern starts in the last rounds
- The design of MD5 allows a differential pattern for rounds 3+4 which leads to a useful near-collision
- Input differences are chosen such that this difference propagation happens with high probability
- Look for conditions on register values which make the difference propagation in the first two rounds possible
[Figure labels: W15=-2^15, W4=2^31, W14=2^31, W18=-2^15, W23=2^31, W25=2^31, W34=-2^15, W35=2^31, W36=0, W37=2^31, W61=-2^15, W50=2^31, W60=2^31]

Step Operation in MD5

Structure of the Compression Function
- Message Expansion

MD5
- Message expansion by roundwise permutations of the Mi (four rounds)
- Step operation:

MD5
- Step operation:
  - Kt, st: constants
  - Wt: message words
  - f: bitwise defined Boolean function
  - Rt: new content of register changed in step t
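The roundwise permutation of the message words described above can be tied to the per-step differences listed on the "Attack on MD5" slide. The following is an added example, not part of the original slides; it assumes the standard MD5 word order from RFC 1321 with steps numbered 0..63, and the function names are hypothetical.

```python
# Added example: MD5 message expansion (word order per RFC 1321), steps 0..63.

def word_index(t):
    """Index i of the message word M_i that step t reads as W_t."""
    rnd, j = divmod(t, 16)
    return (j, (5 * j + 1) % 16, (3 * j + 5) % 16, (7 * j) % 16)[rnd]

def steps_reading(i):
    """The four steps (one per round) in which message word M_i is used."""
    return [t for t in range(64) if word_index(t) == i]

def is_roundwise_permutation():
    """Each round must use every one of the 16 message words exactly once."""
    return all(sorted(word_index(t) for t in range(r * 16, r * 16 + 16))
               == list(range(16)) for r in range(4))

# Step differences as they appear in the transcript's figure labels
# (constructed here as a dict: step -> difference).
TRANSCRIPT_STEP_DIFFS = {
    15: -2**15, 4: 2**31, 14: 2**31, 18: -2**15, 23: 2**31, 25: 2**31,
    34: -2**15, 35: 2**31, 36: 0, 37: 2**31, 61: -2**15, 50: 2**31, 60: 2**31,
}

def group_by_word(step_diffs):
    """Map each message word index to the sorted listed steps that read it."""
    groups = {}
    for t in sorted(step_diffs):
        groups.setdefault(word_index(t), []).append(t)
    return groups

if __name__ == "__main__":
    for i, steps in sorted(group_by_word(TRANSCRIPT_STEP_DIFFS).items()):
        print(f"M{i}: steps {steps}, differences",
              [TRANSCRIPT_STEP_DIFFS[t] for t in steps])
```

Under this schedule the listed steps 18, 34 and 61 all read M11 and step 36 reads M1, whereas the label W15 maps to M15.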

Step Operation
- Advantage of considering modular differences: most operations used in the step operation have a deterministic propagation of modular differences
- Analyse the other parts:
  - Bit rotations
  - Bitwise defined functions

Difference Propagation

Various Differences
- bitwise (XOR) differences:
- modular differences: uniquely determined
- signed bitwise differences:
- differences usually low weight:

Various Differences
- signed bitwise differences
- modular differences
- Special case:
- Depends on actual value of x:
- For fixed +x=[k]:
- Can be generalized to other differences
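How one fixed modular difference corresponds to several signed bitwise differences, depending on the actual value of x, can be seen by exhaustive enumeration on a short word. This is an added example, not from the slides; it assumes the usual definitions (modular difference x' - x mod 2^n, signed bitwise difference x'_i - x_i in {-1, 0, +1} per bit) and uses n = 8 instead of 32 so that every x can be visited.

```python
from collections import Counter

def signed_bit_difference(x, x2, n):
    """Signed bitwise difference as a tuple of (bit, sign) pairs,
    sign = x2_i - x_i, listing only the bits that differ (assumed definition)."""
    out = []
    for i in range(n):
        d = ((x2 >> i) & 1) - ((x >> i) & 1)
        if d:
            out.append((i, d))
    return tuple(out)

def signed_patterns(n, k):
    """Count the signed bitwise differences that occur over all n-bit x
    when x2 = x + 2^k mod 2^n (fixed modular difference 2^k)."""
    mask = (1 << n) - 1
    counts = Counter()
    for x in range(1 << n):
        counts[signed_bit_difference(x, (x + (1 << k)) & mask, n)] += 1
    return dict(counts)

def xor_patterns(n, k):
    """Same enumeration, recording only the XOR difference x ^ x2."""
    mask = (1 << n) - 1
    counts = Counter()
    for x in range(1 << n):
        counts[x ^ ((x + (1 << k)) & mask)] += 1
    return dict(counts)

if __name__ == "__main__":
    for k in (5, 7):
        print(f"modular difference 2^{k} on 8-bit words:")
        for pattern, count in sorted(signed_patterns(8, k).items(),
                                     key=lambda kv: -kv[1]):
            print(f"  {pattern}: {count}/256")
```

For the top bit (k = n-1) the carry leaves the word, so the XOR difference is always the single most significant bit, which matches the bytewise observation on the Motivation slide.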

Difference Propagation: Bitwise Functions
- f is applied bitwise -> modular differences are not very useful
- Transform to signed bitwise differences
- Propagation of signed bitwise differences can be analysed easily -> possible values for together with corresponding conditions for each of the cases
- Corresponding modular differences are uniquely determined

Bit Rotation and Modular Addition

Bit Rotation and Modular Addition
- A random, B fixed:

Difference Propagation: Bit Rotations
- Register R with a fixed difference +R =[t]
- A=R, B=+R:
- Applying the Theorem described earlier yields
  - for t<n-s:
  - for t≥n-s:
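The formulas for the two cases did not survive in this transcript, but the behaviour they describe can be measured directly. The following added example (not from the slides) takes the fixed difference to be the modular difference 2^t, which is an assumption, and enumerates every n-bit register value for a small n; it also recomputes the same distribution from the two carries of the addition, which is where the up to four cases come from.

```python
from collections import Counter

def rotl(x, s, n):
    """Rotate the n-bit word x left by s bits (0 < s < n)."""
    return ((x << s) | (x >> (n - s))) & ((1 << n) - 1)

def rotation_diff_distribution(n, s, t):
    """Count (R' <<< s) - (R <<< s) mod 2^n over all n-bit R,
    where R' = R + 2^t mod 2^n."""
    mask = (1 << n) - 1
    counts = Counter()
    for r in range(1 << n):
        r2 = (r + (1 << t)) & mask
        counts[(rotl(r2, s, n) - rotl(r, s, n)) & mask] += 1
    return dict(counts)

def carry_cases(n, s, t):
    """Same distribution derived from the carries of R + 2^t:
    c1 = carry from the low n-s bits into the high s bits,
    c2 = carry out of the word. The rotated difference is
    rotl(2^t) + c1 - c2 * 2^s (mod 2^n)."""
    mask, low = (1 << n) - 1, (1 << (n - s)) - 1
    b = 1 << t
    counts = Counter()
    for r in range(1 << n):
        c1 = ((r & low) + (b & low)) >> (n - s)
        c2 = ((r >> (n - s)) + (b >> (n - s)) + c1) >> s
        counts[(rotl(b, s, n) + c1 - (c2 << s)) & mask] += 1
    return dict(counts)

def dominant(n, s, t):
    """Most frequent rotated difference and its probability."""
    dist = rotation_diff_distribution(n, s, t)
    d = max(dist, key=dist.get)
    return d, dist[d] / (1 << n)

if __name__ == "__main__":
    for t in (2, 6):  # t < n-s and t >= n-s for n = 8, s = 3
        print(f"n=8 s=3 t={t}:", rotation_diff_distribution(8, 3, t),
              "dominant:", dominant(8, 3, t))
```

With a single-bit difference at most three of the four carry combinations occur, and in both ranges of t one value dominates.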

Example: Analysis of Difference Propagation
- taken from first round of MD4

Automated Searching of such Differential Patterns

Degrees of Freedom
- Choices when constructing such patterns:
  - (Input differences Wi)
  - Bitwise function: 1-3 choices per nonzero bit
[Figure labels: Bit 29, Bits 22,25, Bit 31]

Degrees of Freedom
- Choices when constructing such patterns:
  - (Input differences Wi)
  - Bitwise function: 1-3 choices per nonzero bit
  - Bit rotation: 4 choices in general (but usually one dominant case)
  - Assumptions on bitwise differences ("expand" differences)

Searching for Differential Patterns
- Idea: build trees of difference patterns
- Each vertex represents a possible state of differences, e.g.
- Possible differences resulting after the following step are computable
- Leads to several new vertices -> pruning necessary
- For the pruning use a cost function depending on the following properties:
  - Probability that this difference state is actually achieved
  - Weights of the differences
  - Distance from the root of the tree

Finding Useful Patterns
- Additional constraints for useful patterns, e.g. start and end with zero differences
- Trivial solution: take root with zero differences and add new vertices till a vertex with zero differences is found
- Build two trees, one going forward, one going backward
  - Fix a layer corresponding to some step and look for common vertices
- Two trees as above, but stop some steps before the fixed layer, find connection by solving additional equations
- Has not been fully tested up to now

Conclusion
- Some analysis of background of Wang’s attack
- Theoretical basis for analysing the propagation of modular differences
- Ideas for automatically finding useful difference patterns

Thank you! Questions???