Presentation is loading. Please wait.

Presentation is loading. Please wait.

Message Modification for Step on SHA-0

Published byJuho-Matti Turunen Modified over 5 years ago

Similar presentations

Presentation on theme: "Message Modification for Step on SHA-0"— Presentation transcript:

1 Message Modification for Step 21-23 on SHA-0
Yusuke Naito1, Yu Sasaki1, Takeshi Shimoyama2, Jun Yajima2, NoboruKunihiro1 and Kazuo Ohta1 1The University of Electro-Communications Chofugaoka 1-5-1, Chofu-shi, Tokyo, , Japan 2FUJITSU LABORATORIES LTD , Kamikodanaka, Nakahara-ku, Kawasaki, , Japan Abstract. In CRYPTO 2005, Xiaoyun Wang, Hongbo Yu and Yiqun Lisa Yin proposed an efficient collision attack on SHA-0. Collision messages are found with complexity 239 SHA-0 operations by using their method. Collision messages can be obtained when a message satisfying all sufficient conditions is found. In their paper, they proposed message modifications that can satisfy all sufficient conditions of step However, they didn’t propose message modifications for sufficient conditions after step 21. In this paper, we propose message modifications for sufficient conditions of step By using our message modifications, collision messages are found with complexity 236 SHA-0 operations. 1 Introduction In CRYPTO 2005, Wang et al. proposed an efficient collision attack on SHA-0 [1]. This attack is a differential attack using modular subtraction. The complexity of their attack is 239 SHA-0 operations. One important parts of their attack is “sufficient condition”. Sufficient conditions are conditions for finding collision messages. A procedure of the collision search is as follows. Procedure 1. Find messages (m0, ..., m15) satisfying all sufficient conditions of step 1-16 by using message modifications. Procedure 2. Modify a message m15 by using message modifications in order to satisfy all sufficient con-ditions of step Procedure 3. If message produced in procedure 1, 2 satisfies all sufficient conditions, go to procedure 4. Otherwise, go to procedure 1. However, messages m0, ..., m13 is not changed and messages m14, m15 is changed. Procedure 4. Calculate M' as M' = M + ΔM where M is the message produced in procedure 1, 2, 3, and ΔM is a message differential. Then M and M' are collision messages. Message modifications in these procedures can find messages satisfying sufficient conditions of step 1-20 with probability 1. In the method of Wang et al., they proposed message modifications for sufficient conditions of step However, message modifications for sufficient conditions after step 21 were not proposed. In this paper, we propose message modifications for sufficient conditions from step By using our message modifications, we can find collision messages with complexity 236 SHA-0 operations. 2 Message Modifications for Sufficient Conditions of Step 21-23 In the method of Wang et al., all sufficient conditions of step 1-20 can be satisfied with probability 1. However, they didn’t propose message modifications for sufficient conditions after step 21. In this section, we propose message modifications for sufficient conditions of step

2 Differential of Chaining Values Extra Conditions 6 m5 ← m5 ⊕ 25
Step Message Modification Differential of Chaining Values Extra Conditions 6 m5 ← m5 ⊕ 25 Δa6 = ±25 a6,6 = m5,6 7 m6 ← m6 ⊕ 210 Δb7 = ±25 m6,11 =6 m5,6 8 m7 ← m7 ⊕ 25 Δc8 = ±23 m7,6 = m5,6 9 Δd9 = ±23 a7,4 = 0 10 Δe10 = ±23 a8,4 = 1 11 m10 ← m10 ⊕ 23 m10,4 =6 m5,6 Table 1. Modification for “a21,4 = a20,4 (or a21,4 =6 a20,4)” 2.1 Message Modification for Sufficient Condition “a21,4 = a20,4 (or a21,4 =6 a20,4)” of Step 21 A sufficient condition “a21,4 = a20,4 (or a21,4 =6 a20,4)” exists in step 21. We correct this condition by using a modification in Table 1. By this modification, differentials Δm18 = ±23, Δm19 = ±25, and Δm20 = ±210 are appeared from the message expansion. If we consider a situation where carry is not caused, following differentials are caused by these differentials . a19 = (a18 ≪ 5) + f(b18, c18, d18) + e18+ m18 +k18 23 23 a20 = ( a19 ≪ 5) + f(b19, c19, d19) + e19+ m19 +k19 25 a21 = ( a20 ≪ 5) + f( b20,c20, d20) + e20+ m20 +k20 210 25 23 A meaning of 23, 28, ... in an above figure is a differential caused by this message modification. For simplicity, we ignore signs for these differentials. This sufficient condition can be corrected from a differential Δa21 = ±23. Moreover, we confirmed that this sufficient condition can be corrected with probability almost 100% by a computer experiment if we consider a situation where carry is caused. 2.2 Message Modification for Sufficient Condition “a22,2 = m21,2” of Step 22 A sufficient condition “a22,2 = m21,2” exists in step 22. We correct this condition by using a modification described in Table 2. Step Message Modification Differential of Chaining Values Extra Conditions 11 m10 ← m10 ⊕ 220 Δa11 = ±220 a11,21 = m10,21 12 m11 ← m11 ⊕ 225 Δb12 = ±220 m11,26 =6 m10,21 13 Δc13 = ±218 a10,23 = a9,23 14 Δd14 = ±218 a12,19 = 0 15 Δe15 = ±218 a13,19 = 1 16 m15 ← m15 ⊕ 218 m15,19 =6 m10,21 Table 2. Modification for “a22,2 = m21,2”

3 a19 = (a18 <<< 5) + f(b18, c18, d18) + e18+ m18 +k18
By this modification, differentials Δm18 = ±218±220, Δm19 = ±225, andΔm21= ±218±220 are appeared from the message expansion. If we consider a situation where carry is not caused, following differentials are caused by these differentials. a19 = (a18 <<< 5) + f(b18, c18, d18) + e18+ m18 +k18 a20 = ( a19 <<< 5) + f(b19, c19, d19) + e19+ m19 +k19 218 a21 = ( a20 <<< 5) + f( b20 , c20, d20) + e20+ m20 +k20 a22 = ( a21 <<< 5) + f( b21 , c21 , d21) + e21+ m21 +k21 2 228 223 218 220 225 216 ... Then, we add an extra condition “m19,26 =6 m18,21” in order to cancel a differential “Δa19 = ±220” by a differential “Δm19 = ±225”. This sufficient condition can be corrected by a differential Δa22 = ±2. Moreover, we confirmed that this sufficient condition can be corrected with probability 97.5 % by a computer experiment if we consider a situation where carry is caused. 2.3 Message Modification for Sufficient Condition “a22,4 = a21,4 (or a22,4 =6 a21,4)” of Step 22 A sufficient condition “a22,4 = a21,4 (or a22,4 =6 a21,4)” exists in step 22. We correct this condition by using a modification described in Table 3. Step Message Modification Differential of Chaining Values Extra Conditions 11 m10 ← m10 ⊕ 27 Δa11 = ±27 a11,8 = m10,8 12 m11 ← m11 ⊕ 212 Δb12 = ±27 m11,13 =6 m10,8 13 Δc13 = ±25 a10,10 = a9,10 14 Δd14 = ±25 a12,6 = 0 15 Δe15 = ±25 a13,6 = 1 16 m15 ← m15 ⊕ 25 m15,6 =6 m10,8 Table 3. Modification for “a22,4 = a21,4 (or a22,4 =6 a21,4)” By this modification, differentials Δm18 = ±25 ± 27, Δm19 = ±212, and Δm21 = ±25 ± 27 are appeared from the message expansion. If we consider a situation where carry is not caused, following differentials are caused by these differentials. a19 = (a18 <<< 5) + f(b18, c18, d18) + e18+ m18 +k18 27 25 a20 = ( a19 <<< 5) + f(b19, c19, d19) + e19+ m19 +k19 210 212

4 a21 = ( a20 <<< 5) + f( b20 , c20, d20) + e20+ m20 +k20
27 25 25 a22 = ( a21 <<< 5) + f( b21 , c21 , d21) + e21+ m21 +k21 23 215 210 25 27 220 ... Then, we add an extra condition “m19,13 =6 m18,8” in order to cancel a differential “Aa19 = ±27” by a differential “Am19 = ±212”. This sufficient condition can be corrected by a differential Aa22 = ±23. Moreover, we confirmed that this sufficient condition can be corrected with probability almost 100% by a computer experiment if we consider a situation where carry is caused. 2.4 Message Modification for Sufficient Condition “a23,2 = m22,2” of Step 23 A sufficient condition “a23,2 = m22,2” exists in step 23. We correct this condition by using a modification described in Table 4. Step Message Modification Differential of Chaining Values Extra Conditions 11 m10 ← m10 ED 215 Δa11 = ±215 a11,16 = m10,16 12 m11 ← m11 ED 220 Δb12 = ±215 m11,21 =6 m10,16 13 m12 ← m12 ED 215 Δc13 = ±213 m12,16 =6 m10,16 14 Δd14 = ±213 a12,14 = 0 15 Δe15 = ±213 a13,14 = 1 16 m15 ← m15 ED 213 m15,14 =6 m10,16 Table 4. Modification for “a23,2 = m22,2” By this modification, differentials Am18 = ±213 ±215, Am19 = ±220, Am20 = ±215, Am21 = ±213±215, and Am22 = ±220 are appeared from the message expansion. If we consider a situation where carry is not caused, following differentials are caused by these differentials. a19 = (a18 <<< 5) + f(b18, c18, d18) + e18+ m18 +k18 215 213 a20 = ( a19 <<< 5) + f(b19, c19, d19) + e19+ m19 +k19 218 220 a21 = ( a20 <<< 5) + f( b20 , c20, d20) + e20+ m20 +k20 a22 = ( a21 <<< 5) + f( b21 , c21 ,d21) + e21+ m21 +k21 228 223 218 213 215 220 211 ...

5 3 Conclusion References
a23 = ( a22 ≪ 5) + f( b22 , c22 , d22 ) + e22+ m22 +k22 2 228 223 216 213 220 225 215 211 ... Then, we add an extra condition “m19,21 =6 m18,16” in order to cancel a differential “Δa19 = ±215” by a differential “Δm19 = ±220”. This sufficient condition can be corrected by a differential Δa23 = ±2. Moreover, we confirmed that this sufficient condition can be corrected with probability 97% by a computer experiment if we consider a situation where carry is caused. 3 Conclusion We propose message modifications for sufficient conditions of step By combining our message modifi- cations and the method of Wang et al., we can find collisions with complexity 236 SHA-0 operations. References X. Wang, H. Yu and Y. Lisa Yin. Efficient Collision Search Attack on SHA-0. CRYPTO’05,LNCS 3621, pp1–16, Springer-Verlag, 2005. NIST. Secure hash standard. Federal Information Processing Standard, FIPS-180, May 1993.

Download ppt "Message Modification for Step on SHA-0"

Similar presentations

Which Hash Functions will survive?

Which Hash Functions will survive?
Announcements: Choosing presentation dates (at end) Choosing presentation dates (at end)Questions? This week: Hash functions, SHA Hash functions, SHA Birthday.

Announcements: Choosing presentation dates (at end) Choosing presentation dates (at end)Questions? This week: Hash functions, SHA Hash functions, SHA Birthday.
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
SHA-1 collision found Lukáš Miňo, Richard Bartuš.

SHA-1 collision found Lukáš Miňo, Richard Bartuš.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
H OW TO S ELECT THE A PPROPRIATE T YPE OF C ONTROL C HART IN M ETROLOGY 2014 NCSL International Workshop and Symposium Author: Chen-Yun Hung, Gwo-Sheng.

H OW TO S ELECT THE A PPROPRIATE T YPE OF C ONTROL C HART IN M ETROLOGY 2014 NCSL International Workshop and Symposium Author: Chen-Yun Hung, Gwo-Sheng.
MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice.

MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
“Chinese” Attacks on Hashes March 11, 2006, Bing Wu Topic 1.Background 2.“Chinese” collision attacks 3.Results for MD4 and MD5.

“Chinese” Attacks on Hashes March 11, 2006, Bing Wu Topic 1.Background 2.“Chinese” collision attacks 3.Results for MD4 and MD5.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.

Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
By: Matthew Ng. SHA stands for Secure Hash Algorithm It is based off the Merkle-Dangard hash function There are 3 versions of it with one coming in 2012.

By: Matthew Ng. SHA stands for Secure Hash Algorithm It is based off the Merkle-Dangard hash function There are 3 versions of it with one coming in 2012.
Chapter 6 The Normal Distribution

Chapter 6 The Normal Distribution
Efficient fault-tolerant scheme based on the RSA system Author: N.-Y. Lee and W.-L. Tsai IEE Proceedings Presented by 詹益誌 2004/03/02.

Efficient fault-tolerant scheme based on the RSA system Author: N.-Y. Lee and W.-L. Tsai IEE Proceedings Presented by 詹益誌 2004/03/02.
Module 4 Hash Functions Highline Community College Seattle University University of Washington in conjunction with the National Science Foundation.

Module 4 Hash Functions Highline Community College Seattle University University of Washington in conjunction with the National Science Foundation.
RESEARCH WRITING. OVERVIEW Before Writing Start Now Outline Execute.

RESEARCH WRITING. OVERVIEW Before Writing Start Now Outline Execute.
A more efficient and secure dynamic ID- based remote user authentication scheme Yan-yan Wang, Jia-yong Liu, Feng-xia Xiao, Jing Dan in Computer Communications.

A more efficient and secure dynamic ID- based remote user authentication scheme Yan-yan Wang, Jia-yong Liu, Feng-xia Xiao, Jing Dan in Computer Communications.
MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.

MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.
Attacking MD5: Tunneling & Multi- Message Modification Team Short Bus: Daniel Liu John Floren Tim Sperr.

Attacking MD5: Tunneling & Multi- Message Modification Team Short Bus: Daniel Liu John Floren Tim Sperr.

Similar presentations

Ads by Google