Presentation is loading. Please wait.

Presentation is loading. Please wait.

Breaking the ICE - Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions Ya’akov Hoch and Adi Shamir.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Breaking the ICE - Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions Ya’akov Hoch and Adi Shamir."— Presentation transcript:

1 Breaking the ICE - Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions Ya’akov Hoch and Adi Shamir

2 Slide - 2 Overview Definitions Previous results Our results Proof of the 3-permutations case

3 Slide - 3 Overview Definitions Previous results Our results Proof of the 3-permutations case

4 Slide - 4 Preimage resistance: given y it’s computationally infeasible to find a value x s.t. h(x)=y 2-nd preimage resistance: given x it’s computationally infeasible to find a value x’  x s.t. h(x’)=h(x) collision resistance: it’s computationally infeasible to find any two distinct values x’,x s.t. h(x’)=h(x) Classical Properties hh h n – the output size of h O(2 n ) O(2 n/2 )

5 Slide - 5 K(multi)-preimage resistance: given y it’s computationally infeasible to find k values x i s.t. h(x 1 )=…=h(x k )=y K(multi)-collision resistance: it is computationally infeasible to find a k values x i s.t. h(x 1 )=…=h(x k ) More properties… h n – the output size of h O(2 n(k-1)/k ) O(k2 n ) h

6 Slide - 6 Iterated Hash Functions A standard way to construct hash functions is as follows: Start from an initial hash value h 0 Calculate h i =f(h i-1,m i ) Output the last hash value h t h0h0 h1h1 m1m1 h2h2 m2m2 … htht mtmt f:{0,1} 2n  {0,1} n

7 Slide - 7 Concatenated Hash Functions Concatenate the outputs of a number of independent hash functions H(M)=F(M)||G(M) Want to enlarge the output size – to protect against birthday attacks Immunize the construction against discovery of an attack in one of the hash functions Secure against collisions if F and G are random oracles O(2 n ) F,G:{0,1} *  {0,1} n H:{0,1}*  {0,1) 2n

8 Slide - 8 Overview Definitions Previous results Our results Proof of the 3-permutations case

9 Slide - 9 Joux Multicollisions in Iterated Hash Functions Use iterated structure to create large multicollisions h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht mt0mt0 mt1mt1 Time = O(t2 n/2 ) 2 t multicollision

10 Slide - 10 Form a 2 n/2 multicollision in the first hash function We expect to find a collision in the second function among the 2 n/2 colliding messages The attack can be generalized to attack  multiple concatenations  produce multi-preimages (in time 2 n ) Attacking a concatenated construction M i F(M i ) G(M i ) M 1 X Y 1 M 2 X Y 2 … … … H(M)=F(M)||G(M) H:{0,1}*  {0,1} 2n

11 Slide - 11 Possible Countermeasures Larger internal state - Lucks’ proposition of a double width pipe Expansion - Using message blocks more than once M=m 1 m 2 …m t M=m 1 m 2 m 1 m 5 m 1 …m t m 2 m 5 m t-1 …

12 Slide - 12 Problem Statement Given a hash function H – find a 2 k multicollision in H Iterated and Concatenated – solved by Joux Iterated, Concatenated and Expanded – a special case solved by Nandi & Stinson Iterated, Concatenated and Expanded (by any constant factor)–solved in this presentation

13 Slide - 13 Example of an ICE Hash function

14 Slide - 14 Some warm up examples Can have a fixed value for some message blocks h0h0 h1h1 m10m10 m11m11 h2h2 m2m2 … htht mt0mt0 mt1mt1

15 Slide - 15 Some warm up examples Can have consecutive stretches of the same message block h0h0 h1h1 m10m10 m11m11 h2h2 m10m10 m11m11 … htht mt0mt0 mt1mt1 h1h1

16 Slide - 16 Some warm up examples Can have consecutive stretches of the same message block h0h0 h1h1 m10m10 m11m11 h3h3 m10m10 m11m11 … htht mt0mt0 mt1mt1 h1h1 h2h2 h2h2 m2m2 m2m2

17 Slide - 17 Some warm up examples Message expansion takes a message M and outputs M||M Find a 2 k multicollision in the iterated hash function based on the expanded message

18 Slide - 18 Example I H(M)=F(M||M)=F(m 1 m 2 m 3 …m t m 1 m 2 …m t ) h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht mt0mt0 mt1mt1 h m10m10 m11m11 h’

19 Slide - 19 Example I H(M)=F(M||M)=F(m 1 m 2 m 3 …m t m 1 m 2 …m t ) m 1 ? m 2 ?...m n/2 ? h t+n/2 m 1 ? m 2 ?...m n/2 ? h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 … h n/2 h n/2+1 m 0 n/2+1 m 1 n/2+1 m 0 n/2+2 m 1 n/2+2

20 Slide - 20 Example I H(M)=F(M||M)=F(m 1 m 2 m 3 …m t m 1 m 2 …m t ) m 1 ? m 2 ?...m n/2 ? h t+n/2 m 1 ? m 2 ?...m n/2 ? h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 … h n/2 h n/2+1 m 0 n/2+1 m 1 n/2+1 m 0 n/2+2 m 1 n/2+2

21 Slide - 21 Works for any fixed number of repetitions Example I H(M)=F(M||M)=F(m 1 m 2 m 3 …m t m 1 m 2 …m t ) h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 m 1 ? m 2 ?...m n/2 ? … h t+n/2 m 1 ? m 2 ?...m n/2 ? … h 2t 2 2t/n multicollision

22 Slide - 22 Example II - 2 successive permutations Message expansion adds a permutation of the original message blocks E(M) = m 1 m 2 …m t m  (1) m  (2) …m  (t) Use the same procedure as before h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 m  (1) ? m  (1) ?... m  (n/2) ? … h t+n/2 … h 2t m  (1) ? m  (1) ?... m  (n/2) ?

23 Slide - 23 Previous results (Nandi & Stinson) If the message expansion contains each message block at most twice, can find a 2 k multicollision in time 2 n/2 C(n,k) where C(n,k) is polynomial in n, k

24 Slide - 24 Overview Definitions Previous results Our results Proof of the 3-permutations case

25 Slide - 25 Our results If the message expansion expands by a constant factor e (by duplicating message blocks) can find a 2 k multicollision in time time 2 n/2 C(n,k,e) where C(n,k,e) is polynomial in n, k (but exponential in e)

26 Slide - 26 Example III - 3 successive copies h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 … h 3t m 1 ? m 2 ?... m n^2/4 ? h 2t h 2t+n^2/ 4 … … … h t+n/2 h 2t htht …

27 Slide - 27 Example IV - 3 successive permutations E(M) =  1 (M)  2 (M)  3 (M) h0h0 h1h1 m10m10 m11m11 h2h2 m20m20 m21m21 … htht m n/2 0 m n/2 1 m  (1) ? m  (1) ?... m  (n/2) ? … h t+n/2 … h 2t m  (1) ? m  (1) ?... m  (n/2) ?

28 Slide - 28 Example IV - 3 successive permutations E(M) =  1 (M)  2 (M)  3 (M)  1 (M)  2 (M)  3 (M) 1 2 3 4 5 6 7 8 ….. 1 n/2 n 3n/2.. 2 n/2+1 n+1…..

29 Slide - 29 Overview Definitions Previous results Our results Proof of the 3-permutations case

30 Slide - 30 Getting started Lemma 1: Let B and C be two permuted sequences of [L]. Divide B into k consecutive groups B 1,...,B k and C into C 1,...,C k of size n/k. Then for x>0 and L ¸ k 3 x there exists a perfect matching of B i 's and C j 's such that |B i  C j | ¸ x

31 Slide - 31 Lemma 1 B1B1 B2B2 B3B3 C1C1 C3C3 2 9 8 7 6 16 15 11 1 3 14 17 5 12 13 10 4 18 12 9 1 11 6 17 13 2 10 14 5 18 8 3 15 7 4 16 BC C2C2 Given large sets - we expect the intersection between them to be large

32 Slide - 32 Lemma 1 BC B1B1 B2B2 BkBk C1C1 CkCk

33 Slide - 33 (t-1) k 2 x tk 2 x Lemma 1 BC B1B1 B2B2 BkBk C1C1 CkCk tL/k (t-1)L/k (k-t+1)tx L=k 3 x

34 Slide - 34 Lemma 1 B1B1 B2B2 B3B3 C1C1 C3C3 2 9 8 7 6 16 15 11 3 1 14 17 5 12 13 10 4 18 12 1 9 11 6 17 15 2 10 14 5 18 8 3 13 7 4 16  2 (M) - B  3 (M) - C C2C2

35 Slide - 35 3 consecutive permutations Find a matching for x=n 2 /4 in the last two permutations Set all non active message blocks to 0 Build the multi-collision in 3 stages using larger blocks in each stage Requires a message of length O(k 3 n 2 )

36 Slide - 36 3 successive permutations

37 Slide - 37 Many successive permutations E(M) =  1 (M)  2 (M)…  q (M)  q-1 (M)  q (M)

38 Slide - 38 q consecutive permutations Find a matching for x=O(n 3(q-3)+2 ) in the last two permutations Set all non active message blocks to 0 Find a matching for x=O(n 3(q-6)+2 ) in the two second to last permutations … Build the multi-collision in q stages using larger blocks in each stage Requires a message of length O(k 3 n 3(q-3)+2 )

39 Slide - 39 Reduction from the general case So far proved for any constant number of permutations Reduction from general case to succesive permutations:  Choose a set of active message indices such that the resulting sequence is in successive permutations form

40 Slide - 40 Case of expansion factor 2 At least half the indices appear at most twice Given a sequence in which each index appears at most twice either  There exists a subset of variables which ‘appears’ once  There exists a subset of variables which are in successive permutation form

41 Slide - 41 Case of expansion factor 2 Lemma: for any 2-sequence over 1..l where l=MN either  There exists a subset of M variables which ‘appears’ once  There exists a subset of N variables which are in successive permutation form

42 Slide - 42 Case of expansion factor 2 Proof: by induction on l=MN 1 7 4 9 8 3 6 5 4 2 9 13… N 1 7 4 9 8 3 7 5 4 2 9 13… (M-1)N If each element appears at most once we are done!! 7 does not appear now! Case 1 : M-1 elements appear only once Case 2 : N elements appear in concatenated permutation form

43 Slide - 43 General Case At least half the indices appear at most twice the expansion rate e Given a sequence in which each index appears at most 2e either  There exists a subset of variables which ‘appears’ once  There exists a subset of variables which are in successive permutation form We already solved the successive permutation case

44 Slide - 44 General Case If the message expansion expands by a constant factor e (by duplicating message blocks) can find a 2 k multicollision in time 2 n/2 C(n,k,e) where C(n,k,e) is polynomial in n, k but exponential in e)

45 Slide - 45 Example of an Tree Based Hash function

46 Slide - 46 Further research Other message expansion procedures  Linear combinations  LFSRs  … Keyed hash functions Tree based hash functions Other uses of multicollisions

Download ppt "Breaking the ICE - Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions Ya’akov Hoch and Adi Shamir."

Similar presentations

Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/0111102 I was born at the Big Bang. Cool! We have the same birthday.

Quantum Lower Bound for the Collision Problem Scott Aaronson 1/10/2002 quant-ph/ I was born at the Big Bang. Cool! We have the same birthday.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Incremental Linear Programming Linear programming involves finding a solution to the constraints, one that maximizes the given linear function of variables.

Incremental Linear Programming Linear programming involves finding a solution to the constraints, one that maximizes the given linear function of variables.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Recursively Defined Functions

Recursively Defined Functions
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Deterministic Selection and Sorting Prepared by John Reif, Ph.D. Analysis of Algorithms.

Deterministic Selection and Sorting Prepared by John Reif, Ph.D. Analysis of Algorithms.
Noga Alon Institute for Advanced Study and Tel Aviv University

Noga Alon Institute for Advanced Study and Tel Aviv University
Counting Techniques: Combinations

Counting Techniques: Combinations
Generalized Derangements Anthony Fraticelli Missouri State University REUJuly 30, 2009 Advisor: Dr. Les Reid.

Generalized Derangements Anthony Fraticelli Missouri State University REUJuly 30, 2009 Advisor: Dr. Les Reid.
Lecture 3 Lower envelopes Computational Geometry, 2005/06 Prof.Dr.Th.Ottmann 1 The Lower Envelope The Pointwise Minimum of a Set of Functions.

Lecture 3 Lower envelopes Computational Geometry, 2005/06 Prof.Dr.Th.Ottmann 1 The Lower Envelope The Pointwise Minimum of a Set of Functions.
Hashing Techniques.

Hashing Techniques.
 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.

 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Lower Envelopes (Cont.) Yuval Suede. Reminder Lower Envelope is the graph of the pointwise minimum of the (partially defined) functions. Letbe the maximum.

Lower Envelopes (Cont.) Yuval Suede. Reminder Lower Envelope is the graph of the pointwise minimum of the (partially defined) functions. Letbe the maximum.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :

Similar presentations

Ads by Google