Applications of SAT Solvers to Cryptanalysis of Hash Functions


Applications of SAT Solvers to Cryptanalysis of Hash Functions
Ilya Mironov, Lintao Zhang
Microsoft Research, Silicon Valley Campus

Overview
Crash course on hash functions
Collision-finding attacks (Wang et al. ’05)
Automation via SAT solvers

Hash functions
$H: \{0,1\}^* \to \{0,1\}^n$

Cryptographic hash functions
Several important properties
Collision-resistance x, y: H(x) = H(y)

Birthday paradox
Finding collision: $\sim\sqrt{|S|} = 2^{n/2}$
[Figure: H mapping into the output set S]

Security level
Hash output 128 bits: Insecure, $2^{64}$ operations
Hash output 160 bits: Medium-term, $2^{80}$
Long-term (~20 years): $2^{128}$
Paranoid: $2^{256}$

Short history of hash functions
1990 Ron Rivest: MD4 (128-bit output)
1992 Ron Rivest: MD5 (128-bit output)
1993 NIST: SHA (Secure Hash Algorithm, 160 bits)
1995 NIST: Oops! SHA1
2003 NIST: SHA-256,384,512

[Timeline figure, 1990 to 2006: MD4 (1990), MD5 (1992), SHA0 (1993), SHA1 (1995), SHA-256,384,512 (2003). Annotations: MD4 is broken; theoretical attack on SHA0; MD5, SHA0 broken, theoretical attack on SHA1]

MD4 and MD5’s structure
Basic building block: compression function
[Figure labels: 512 bits, 128 bits, 48 rounds, 128 bits]

Compression function’s building block
512 bits = 16 × 32-bit words
128 bits = 4 × 32-bit words
[Figure: message words M reordered into w for rounds 0-15, rounds 16-31 and rounds 31-48, feeding the state words a, b, c, d]

One round

Internal variables
$M = (M_0, M_1, \ldots, M_{15})$
$(w_0, w_1, \ldots, w_{47})$
$(a_0, b_0, c_0, d_0)$

Finding a collision [Wang et al. ’05]
Goal: Find M, M' such that H(M) = H(M')
1. Select message difference $M' = M + \Delta$
2. Select differential path $b_i' = b_i + \Delta b_i$
3. Find sufficient conditions
4. Make them happen!

Disturbance vector
[Figure: disturbance vector over the message words M and the state words a, b, c, d; rounds 0-15, rounds 16-31, rounds 31-48]

Differential path
M: $(a_0, b_0, c_0, d_0)$, $b_1$, $b_2$, …, $b_{48}$
M': $(a_0, b_0, c_0, d_0)$, $b_1'$, $b_2'$

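Sufficient conditions
$(a_i, b_i, c_i, d_i) \to (d_i, (a_i + f_i(b_i, c_i, d_i) + w_i + K_i) \lll s_i, b_i, c_i) = (a_{i+1}, b_{i+1}, c_{i+1}, d_{i+1})$
If $f_i = \mathrm{MAJ}$ and $s_i = 3$ and $b_{2,0} = 0$ and $c_{2,0} = 0$, then for $b_{2,3} = 0$ it is sufficient that $\mathrm{lsb}(b_1) = 0$ and $\mathrm{lsb}(c_1) = 0$.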

Sufficient conditions [Wang et al.]
MD4: 122
MD5: 294 (first block), 309 (second block)
SHA0: 260

Message modification technique
[Figure: message word orderings for rounds 0-15, rounds 16-31 and rounds 31-48, with the state words a, b, c, d]

Probabilistic method
Conditions satisfied with probability 50%*:
MD4: < 8
MD5: 37 (first block), 30 (second block)
SHA0: 42
SHA1: 70
* In the original papers (better attacks are currently known)

SAT Solvers!
Goal: Find M, M' such that H(M) = H(M')
1. Select message difference $M' = M + \Delta$
2. Select differential path $b_i' = b_i + \Delta b_i$
3. Find sufficient conditions
4. Message modifications

MD4
53K variables, 221K clauses. Success! SatELiteGTI < 500 sec
0xe1c08802 d0001321 f3fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 900f8005 3f936800 4b187044 64fad83a 01d79002 68f200a8 94ab2328 2449dd7d
collides with
0xe1c08802 50001321 63fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 900f8005 3f936800 4b187044 64fad83a 01d69002 68f200a8 94ab2328 2449dd7d
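
An added check, not code from the slides or from the authors: a pure-Python MD4 compression function built on the step rule from the "Sufficient conditions" slide, run on the two message blocks above. It assumes the 16 hex words are the 32-bit message words M_0..M_15 and that the standard MD4 initial value is used; the round functions, constants and rotation amounts are taken from the MD4 specification (RFC 1320), not from the slides.

```python
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # standard MD4 initial value
# One entry per 16-step round: (f_i, K_i, rotation amounts s_i, message-word order)
ROUNDS = [
    (lambda b, c, d: (b & c) | (~b & d), 0x00000000, (3, 7, 11, 19), list(range(16))),
    (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999, (3, 5, 9, 13),   # MAJ
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
    (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1, (3, 9, 11, 15),
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
]

# The two 16-word blocks from the slide, read as 32-bit words M_0..M_15 (assumption)
M = [int(w, 16) for w in (
    "e1c08802 d0001321 f3fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 "
    "900f8005 3f936800 4b187044 64fad83a 01d79002 68f200a8 94ab2328 2449dd7d").split()]
M_PRIME = [int(w, 16) for w in (
    "e1c08802 50001321 63fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 "
    "900f8005 3f936800 4b187044 64fad83a 01d69002 68f200a8 94ab2328 2449dd7d").split()]

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def md4_compress(state, block):
    """48 steps of (a,b,c,d) -> (d, (a + f(b,c,d) + w + K) <<< s, b, c), then feed-forward."""
    a, b, c, d = state
    for f, k, shifts, order in ROUNDS:
        for step, idx in enumerate(order):
            t = rotl((a + f(b, c, d) + block[idx] + k) & MASK, shifts[step % 4])
            a, b, c, d = d, t, b, c
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))

def digest_hex(state):
    return struct.pack("<4I", *state).hex()   # MD4 serialises the state little-endian

def word_differences(m, m_prime):
    """Non-zero differences M'_i - M_i mod 2^32, keyed by word index."""
    return {i: (y - x) & MASK for i, (x, y) in enumerate(zip(m, m_prime)) if x != y}

def slide_pair_collides():
    return M != M_PRIME and md4_compress(IV, M) == md4_compress(IV, M_PRIME)

if __name__ == "__main__":
    for i, delta in word_differences(M, M_PRIME).items():
        print(f"word {i:2d}: M' - M = {delta:#010x}")
    print("compression outputs:", digest_hex(md4_compress(IV, M)),
          digest_hex(md4_compress(IV, M_PRIME)))
    print("collision:", slide_pair_collides())
```

The two blocks differ only in words 1, 2 and 12, which is the "message difference" chosen in step 1 of the attack; everything else in the pair was found by the solver.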

MD5
Hmm… Truncated MD5?
[Figure: truncated MD5, CNF formula, SAT solver, filter, solution]

Probabilistic method
[Figure labels: all messages, reduced-round solutions, full solutions]

Where to truncate?
~100 hours per full solution

Collision in MD5
0x80000000 98163156 d685de69 e985b795 b4320c10 cd350030 c014ca29 850b7d6d 0934ad59 4871afd0 aa480edf e4fc0320 7bb68ed1 3b505ddf 5e5d5df6 b539a48d fcb488ff adf40003 88d9fda4 d72a8fdc a887f4ca eec4f800 b75f8b20 7f1e9b51 9ab427cc 45c236f1 73f20086 e000005a 3b6550cc b6cc1c59 0fe9f71a a0403064
collides with
0x80000000 98163156 d685de69 e985b795 34320c10 cd350030 c014ca29 850b7d6d 0934ad59 4871afd0 aa480edf e4fc0320 7bb68ed1 3b505ddf de5d5df6 b539a48d fcb488ff adf40003 88d9fda4 d72a8fdc a887f4ca eec4f800 b75f8b20 7f1e9b51 9ab427cc 45c236f1 73f20086 dfff805a 3b6550cc b6cc1c59 0fe9f71a a0403064

Open problems
Cryptographic:
Break SHA-1
Automate the entire attack
Other primitives
SAT-solving community:
No truncation!
SAT solvers optimized for cryptographic applications: XOR, multiplication, table look-ups, intuition

Conclusion
First serious SAT-solver-aided cryptanalytic effort
Several entries into SAT Race ’06
New applications and challenges