Breaking the ICE - Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions Ya’akov Hoch and Adi Shamir.

Slides:



Advertisements
Similar presentations
Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/ I was born at the Big Bang. Cool! We have the same birthday.
Advertisements

Lecture 5: Cryptographic Hashes
Incremental Linear Programming Linear programming involves finding a solution to the constraints, one that maximizes the given linear function of variables.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Recursively Defined Functions
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Deterministic Selection and Sorting Prepared by John Reif, Ph.D. Analysis of Algorithms.
Noga Alon Institute for Advanced Study and Tel Aviv University
Counting Techniques: Combinations
Generalized Derangements Anthony Fraticelli Missouri State University REUJuly 30, 2009 Advisor: Dr. Les Reid.
Lecture 3 Lower envelopes Computational Geometry, 2005/06 Prof.Dr.Th.Ottmann 1 The Lower Envelope The Pointwise Minimum of a Set of Functions.
Hashing Techniques.
 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Lower Envelopes (Cont.) Yuval Suede. Reminder Lower Envelope is the graph of the pointwise minimum of the (partially defined) functions. Letbe the maximum.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Counting II: Pascal, Binomials, and Other Tricks Great Theoretical Ideas In Computer Science A. Gupta D. Sleator CS Fall 2010 Lecture 8Sept. 16,
1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen.
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Variable-Length Codes: Huffman Codes
CS526Topic 5: Hash Functions and Message Authentication 1 Computer Security CS 526 Topic 5 Cryptography: Cryptographic Hash Functions And Message Authentication.
Recursive Definitions Rosen, 3.4 Recursive (or inductive) Definitions Sometimes easier to define an object in terms of itself. This process is called.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Cryptographic Hashing: Blockcipher-Based Constructions, Revisited Tom Shrimpton Portland State University.
Ch. 8 & 9 – Linear Sorting and Order Statistics What do you trade for speed?
Applied Discrete Mathematics Week 9: Relations
Exam 1 Review 5.1, , 8.1, 8.2.
Merkle-Hellman Knapsack Cryptosystem Merkle offered $100 award for breaking singly - iterated knapsack Singly-iterated Merkle - Hellman KC was broken by.
Domain Extension for Random Oracles: Beyond the Birthday Paradox Bound Arvind Narayanan (UT Austin) Ilya Mironov (Microsoft Research)
1 Hashes and Message Digests. 2 Hash Also known as –Message digest –One-way function Function: input message -> output One-way: d=h(m), but not h’(d)
Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption.
Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.
Theory of Computation II Topic presented by: Alberto Aguilar Gonzalez.
Two New Online Ciphers Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur.
1 Hash Functions. 2 A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length
Alternative Wide Block Encryption For Discussion Only.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Modern Cryptography.
Chapter 5: Hashing Part I - Hash Tables. Hashing  What is Hashing?  Direct Access Tables  Hash Tables 2.
COMPSCI 102 Discrete Mathematics for Computer Science.
Counting Discrete Mathematics. Basic Counting Principles Counting problems are of the following kind: “How many different 8-letter passwords are there?”
Lecture 4 Sorting Networks. Comparator comparator.
+ David Kauchak cs312 Review. + Midterm Will be posted online this afternoon You will have 2 hours to take it watch your time! if you get stuck on a problem,
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
1 Security through complexity Ana Nora Sovarel. 2 Projects Please fill one slot on the signup sheet. One meeting for each group. All members must agree.
1 The Data Encryption Standard. 2 Outline 4.1 Introduction 4.4 DES 4.5 Modes of Operation 4.6 Breaking DES 4.7 Meet-in-the-Middle Attacks.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.3 Hash Functions.
CS426Fall 2010/Lecture 51 Computer Security CS 426 Lecture 5 Cryptography: Cryptographic Hash Function.
Hashes Lesson Introduction ●The birthday paradox and length of hash ●Secure hash function ●HMAC.
1 4.1 Hash Functions and Data Integrity A cryptographic hash function can provide assurance of data integrity. ex: Bob can verify if y = h K (x) h is a.
Aids to Formulating and Answering Key Questions NameWhen to use u Construction Methodproving “there exists” u Choose Method proving “for every” u Math.
Theory of Computational Complexity Probability and Computing Ryosuke Sasanuma Iwama and Ito lab M1.
CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 13.Message Authentication.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
CS555Spring 2012/Topic 141 Cryptography CS 555 Topic 14: CBC-MAC & Hash Functions.
@Yuan Xue 285: Network Security CS 285 Network Security Hash Algorithm Yuan Xue Fall 2012.
Theory of Computational Complexity Probability and Computing Chapter Hikaru Inada Iwama and Ito lab M1.
Recursive Definitions
Lecture 4 Sorting Networks
Chapter 5 Induction and Recursion
Cryptographic Hash Functions Part I
Some Rules for Expectation
Cryptographic Hash Functions Part I
Cryptography Lecture 10.
Cryptography Lecture 15.
Hash Function Requirements
Presentation transcript:

Breaking the ICE - Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions Ya’akov Hoch and Adi Shamir

Slide - 2 Overview Definitions Previous results Our results Proof of the 3-permutations case

Slide - 3 Overview Definitions Previous results Our results Proof of the 3-permutations case

Slide - 4 Preimage resistance: given y it’s computationally infeasible to find a value x s.t. h(x)=y 2-nd preimage resistance: given x it’s computationally infeasible to find a value x’  x s.t. h(x’)=h(x) collision resistance: it’s computationally infeasible to find any two distinct values x’,x s.t. h(x’)=h(x) Classical Properties hh h n – the output size of h O(2 n ) O(2 n/2 )

Slide - 5 K(multi)-preimage resistance: given y it’s computationally infeasible to find k values x i s.t. h(x 1 )=…=h(x k )=y K(multi)-collision resistance: it is computationally infeasible to find a k values x i s.t. h(x 1 )=…=h(x k ) More properties… h n – the output size of h O(2 n(k-1)/k ) O(k2 n ) h

Slide - 6 Iterated Hash Functions A standard way to construct hash functions is as follows: Start from an initial hash value h 0 Calculate h i =f(h i-1,m i ) Output the last hash value h t h0h0 h1h1 m1m1 h2h2 m2m2 … htht mtmt f:{0,1} 2n  {0,1} n

Slide - 7 Concatenated Hash Functions Concatenate the outputs of a number of independent hash functions H(M)=F(M)||G(M) Want to enlarge the output size – to protect against birthday attacks Immunize the construction against discovery of an attack in one of the hash functions Secure against collisions if F and G are random oracles O(2 n ) F,G:{0,1} *  {0,1} n H:{0,1}*  {0,1) 2n

Slide - 8 Overview Definitions Previous results Our results Proof of the 3-permutations case

Slide - 9 Joux Multicollisions in Iterated Hash Functions Use iterated structure to create large multicollisions h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht mt0mt0 mt1mt1 Time = O(t2 n/2 ) 2 t multicollision

Slide - 10 Form a 2 n/2 multicollision in the first hash function We expect to find a collision in the second function among the 2 n/2 colliding messages The attack can be generalized to attack  multiple concatenations  produce multi-preimages (in time 2 n ) Attacking a concatenated construction M i F(M i ) G(M i ) M 1 X Y 1 M 2 X Y 2 … … … H(M)=F(M)||G(M) H:{0,1}*  {0,1} 2n

Slide - 11 Possible Countermeasures Larger internal state - Lucks’ proposition of a double width pipe Expansion - Using message blocks more than once M=m 1 m 2 …m t M=m 1 m 2 m 1 m 5 m 1 …m t m 2 m 5 m t-1 …

Slide - 12 Problem Statement Given a hash function H – find a 2 k multicollision in H Iterated and Concatenated – solved by Joux Iterated, Concatenated and Expanded – a special case solved by Nandi & Stinson Iterated, Concatenated and Expanded (by any constant factor)–solved in this presentation

Slide - 13 Example of an ICE Hash function

Slide - 14 Some warm up examples Can have a fixed value for some message blocks h0h0 h1h1 m10m10 m11m11 h2h2 m2m2 … htht mt0mt0 mt1mt1

Slide - 15 Some warm up examples Can have consecutive stretches of the same message block h0h0 h1h1 m10m10 m11m11 h2h2 m10m10 m11m11 … htht mt0mt0 mt1mt1 h1h1

Slide - 16 Some warm up examples Can have consecutive stretches of the same message block h0h0 h1h1 m10m10 m11m11 h3h3 m10m10 m11m11 … htht mt0mt0 mt1mt1 h1h1 h2h2 h2h2 m2m2 m2m2

Slide - 17 Some warm up examples Message expansion takes a message M and outputs M||M Find a 2 k multicollision in the iterated hash function based on the expanded message

Slide - 18 Example I H(M)=F(M||M)=F(m 1 m 2 m 3 …m t m 1 m 2 …m t ) h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht mt0mt0 mt1mt1 h m10m10 m11m11 h’

Slide - 19 Example I H(M)=F(M||M)=F(m 1 m 2 m 3 …m t m 1 m 2 …m t ) m 1 ? m 2 ?...m n/2 ? h t+n/2 m 1 ? m 2 ?...m n/2 ? h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 … h n/2 h n/2+1 m 0 n/2+1 m 1 n/2+1 m 0 n/2+2 m 1 n/2+2

Slide - 20 Example I H(M)=F(M||M)=F(m 1 m 2 m 3 …m t m 1 m 2 …m t ) m 1 ? m 2 ?...m n/2 ? h t+n/2 m 1 ? m 2 ?...m n/2 ? h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 … h n/2 h n/2+1 m 0 n/2+1 m 1 n/2+1 m 0 n/2+2 m 1 n/2+2

Slide - 21 Works for any fixed number of repetitions Example I H(M)=F(M||M)=F(m 1 m 2 m 3 …m t m 1 m 2 …m t ) h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 m 1 ? m 2 ?...m n/2 ? … h t+n/2 m 1 ? m 2 ?...m n/2 ? … h 2t 2 2t/n multicollision

Slide - 22 Example II - 2 successive permutations Message expansion adds a permutation of the original message blocks E(M) = m 1 m 2 …m t m  (1) m  (2) …m  (t) Use the same procedure as before h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 m  (1) ? m  (1) ?... m  (n/2) ? … h t+n/2 … h 2t m  (1) ? m  (1) ?... m  (n/2) ?

Slide - 23 Previous results (Nandi & Stinson) If the message expansion contains each message block at most twice, can find a 2 k multicollision in time 2 n/2 C(n,k) where C(n,k) is polynomial in n, k

Slide - 24 Overview Definitions Previous results Our results Proof of the 3-permutations case

Slide - 25 Our results If the message expansion expands by a constant factor e (by duplicating message blocks) can find a 2 k multicollision in time time 2 n/2 C(n,k,e) where C(n,k,e) is polynomial in n, k (but exponential in e)

Slide - 26 Example III - 3 successive copies h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 … h 3t m 1 ? m 2 ?... m n^2/4 ? h 2t h 2t+n^2/ 4 … … … h t+n/2 h 2t htht …

Slide - 27 Example IV - 3 successive permutations E(M) =  1 (M)  2 (M)  3 (M) h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 m  (1) ? m  (1) ?... m  (n/2) ? … h t+n/2 … h 2t m  (1) ? m  (1) ?... m  (n/2) ?

Slide - 28 Example IV - 3 successive permutations E(M) =  1 (M)  2 (M)  3 (M)  1 (M)  2 (M)  3 (M) ….. 1 n/2 n 3n/2.. 2 n/2+1 n+1…..

Slide - 29 Overview Definitions Previous results Our results Proof of the 3-permutations case

Slide - 30 Getting started Lemma 1: Let B and C be two permuted sequences of [L]. Divide B into k consecutive groups B 1,...,B k and C into C 1,...,C k of size n/k. Then for x>0 and L ¸ k 3 x there exists a perfect matching of B i 's and C j 's such that |B i  C j | ¸ x

Slide - 31 Lemma 1 B1B1 B2B2 B3B3 C1C1 C3C BC C2C2 Given large sets - we expect the intersection between them to be large

Slide - 32 Lemma 1 BC B1B1 B2B2 BkBk C1C1 CkCk

Slide - 33 (t-1) k 2 x tk 2 x Lemma 1 BC B1B1 B2B2 BkBk C1C1 CkCk tL/k (t-1)L/k (k-t+1)tx L=k 3 x

Slide - 34 Lemma 1 B1B1 B2B2 B3B3 C1C1 C3C  2 (M) - B  3 (M) - C C2C2

Slide consecutive permutations Find a matching for x=n 2 /4 in the last two permutations Set all non active message blocks to 0 Build the multi-collision in 3 stages using larger blocks in each stage Requires a message of length O(k 3 n 2 )

Slide successive permutations

Slide - 37 Many successive permutations E(M) =  1 (M)  2 (M)…  q (M)  q-1 (M)  q (M)

Slide - 38 q consecutive permutations Find a matching for x=O(n 3(q-3)+2 ) in the last two permutations Set all non active message blocks to 0 Find a matching for x=O(n 3(q-6)+2 ) in the two second to last permutations … Build the multi-collision in q stages using larger blocks in each stage Requires a message of length O(k 3 n 3(q-3)+2 )

Slide - 39 Reduction from the general case So far proved for any constant number of permutations Reduction from general case to succesive permutations:  Choose a set of active message indices such that the resulting sequence is in successive permutations form

Slide - 40 Case of expansion factor 2 At least half the indices appear at most twice Given a sequence in which each index appears at most twice either  There exists a subset of variables which ‘appears’ once  There exists a subset of variables which are in successive permutation form

Slide - 41 Case of expansion factor 2 Lemma: for any 2-sequence over 1..l where l=MN either  There exists a subset of M variables which ‘appears’ once  There exists a subset of N variables which are in successive permutation form

Slide - 42 Case of expansion factor 2 Proof: by induction on l=MN … N … (M-1)N If each element appears at most once we are done!! 7 does not appear now! Case 1 : M-1 elements appear only once Case 2 : N elements appear in concatenated permutation form

Slide - 43 General Case At least half the indices appear at most twice the expansion rate e Given a sequence in which each index appears at most 2e either  There exists a subset of variables which ‘appears’ once  There exists a subset of variables which are in successive permutation form We already solved the successive permutation case

Slide - 44 General Case If the message expansion expands by a constant factor e (by duplicating message blocks) can find a 2 k multicollision in time 2 n/2 C(n,k,e) where C(n,k,e) is polynomial in n, k but exponential in e)

Slide - 45 Example of an Tree Based Hash function

Slide - 46 Further research Other message expansion procedures  Linear combinations  LFSRs  … Keyed hash functions Tree based hash functions Other uses of multicollisions