The SHA Family of Hash Functions: Recent Results Christian Rechberger and Vincent Rijmen SPI 2007, Brno
Motivation
Motivation: How?
Agenda: The MD4 and SHA family; Basic attack on SHA; Advanced methods for fast collision search (example SHA-1); SHA-2?; Conclusions
Outline of MD4-style Hash Functions
Message Expansions in the MD4 family: MD4/5, RIPEMD; SHA / SHA-1; SHA-2 members
Outline of MD4-style Hash Functions
Evolution of the State Updates in the MD4 Family: SHA/SHA-1; SHA-2 members; Design Complexity
How to produce a collision? o1 = SHA(M1), o2 = SHA(M2). Goal: find any two distinct messages M1 and M2 such that o1 = o2
Propagation of a small difference: flip a bit in m0 (Message Expansion)
Propagation of a small difference: flipping a bit. [Figure: SHA state update at step N, registers A to E with f, << 5 and >> 2, and a message-word difference ΔW.] The notation 2^j is used here to describe a difference in bit position j. j can take values between 0 and 31.
Propagation of a small difference: This is the intermediate state after only a few steps. Now one can roughly imagine what happens when the whole game is played over 80 rounds. And this is exactly a property that is expected of a hash function. Even with the smallest change to the input (here we changed only a single bit), the output value changes completely.
Perturbation [Figure: SHA state update at step N; a message-word difference ΔW_N = 2^j gives ΔA_{N+1} = 2^j]
Correction 1
Correction 2
Correction 3
Correction 4
Correction 5
Outline of SHA – Message Expansion If too much time: illustrate the ME better
Building a collision for SHA. Perturbation pattern: low weight; last 5 words are zero
A collision-producing difference pattern: That was one correction. Apply 5 corrections with the same pattern, displaced over steps and rotated over bit positions. Note that all these corrections follow the Message Expansion Rule as well.
A collision-producing expanded-message difference pattern: completed difference pattern consisting of 1 perturbation pattern and 5 correction patterns
Conditions imposed by nonlinear elements: Boolean function f; Modular addition
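Added example (not from the original slides): a Python sketch of the local collision from the Perturbation and Correction 1-5 slides, run once in a linearized model and once with the real nonlinear elements. It assumes the standard SHA step A' = (A <<< 5) + f(B,C,D) + E + W + K; the correction bit positions are derived from that step rather than read off the slides, and K is dropped because it is identical in both computations.

```python
import random

MASK = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

# Round functions: IF (SHA steps 0-19) and XOR (steps 20-39 and 60-79).
def f_if(b, c, d):
    return (b & c) | (~b & d & MASK)

def f_xor(b, c, d):
    return b ^ c ^ d

def add_mod(x, y):   # real SHA: addition modulo 2^32
    return (x + y) & MASK

def add_xor(x, y):   # linearized model: carries ignored
    return x ^ y

def step(state, w, f, add):
    """One SHA state update (step constant K omitted, see lead-in)."""
    a, b, c, d, e = state
    new_a = add(add(add(rotl(a, 5), f(b, c, d)), e), w)
    return (new_a, a, rotl(b, 30), c, d)

def local_collision(j):
    """XOR differences for W_N..W_N+5: one perturbation, then five corrections."""
    r = (j + 30) % 32
    return [1 << j, 1 << ((j + 5) % 32), 1 << j, 1 << r, 1 << r, 1 << r]

def collides(state, words, j, f, add):
    s1 = s2 = state
    for w, dw in zip(words, local_collision(j)):
        s1, s2 = step(s1, w, f, add), step(s2, w ^ dw, f, add)
    return s1 == s2

def success_rate(j, f, add, trials=20000, seed=1):
    """Fraction of random (state, words) pairs for which the differences cancel."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        state = tuple(rng.getrandbits(32) for _ in range(5))
        words = [rng.getrandbits(32) for _ in range(6)]
        hits += collides(state, words, j, f, add)
    return hits / trials

if __name__ == "__main__":
    for name, f, add in [("linearized", f_xor, add_xor),
                         ("XOR + mod add", f_xor, add_mod),
                         ("IF + mod add", f_if, add_mod)]:
        print(name, success_rate(1, f, add))
```

In the linearized model the six differences always cancel; with the real Boolean function and modular addition they cancel only for the fraction of inputs that satisfy the carry and f conditions. The rate measured over uniformly random words also counts conditions on message bits.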
Results of CJ98: Low-weight patterns exist for SHA => break. For SHA-1: weight is too high
Improvements Better characteristics 1-block multi-block Better suited for hash functions Better ways to construct right pairs Message modification
2-block attack: Two related near-collisions give a 2-block collision. The work effort for the two blocks is only the sum of the efforts for each block.
Key properties of new approach [DR06]: Generalized conditions. Looks for (parts of) the colliding pair and characteristic at the same time. Type / Possibilities: XOR: 2; Signed-bit: 4-6; Generalized: 16
Result of Improvements
Problem of optimization Message difference Enough freedom left for search? Characteristic Speed-up method
Problem of optimization Message difference Enough freedom left for search? Real workfactor of attack Characteristic Speed-up method
Some results. SHA: 1998: 2^61 [CJ98]; 2004: 2^51 [BCJ+05]; 2005: 2^39 [WYY05a]; 2006: 2^36 [N+06]; 2007: 100-fold improvement? (ongoing work). SHA-1: 2005: 58 steps, 2^33 [WYY05b]; 2006: 64 steps, 2^35 [DR06]; 2007: 70 steps, 2^44 [DMR06]; full SHA-1 (80 steps): ongoing work
Example: Collision for 64-step SHA-1 I hereby solemnly promise to finish my PhD thesis by the end of 2005 [Garbage] Same Hash I hereby solemnly promise to finish my PhD thesis by the end of 2006’ [different Garbage]
What about SHA-2 members?
Probabilities of local collisions. SHA/SHA-1: 2^-2 to 2^-5. SHA-2: 2^-38 to 2^-41. Strategy: cancel differences as soon as possible with corrective differences
Comparing the message expansions of the SHA family (linearized)
Conclusions: How?
Conclusions: 1) Special characteristics 2) Clever ways of solving equations (fast)
Conclusions: Collision for full (80-step) SHA-1 is getting closer. Optimization is ongoing. 2006: 2^62 * x (unpublished work, estimates). Automated techniques can exploit degrees of freedom in a more efficient way. 2007: ? Improved attacks on NMAC/HMAC? Results on (2nd-)preimage resistance? Analysis and design of new hash function proposals important
Hash Function Workshop Barcelona, May 24-25, 2007 events.iaik.tugraz.at/hashworkshop07
Q&A