Presentation is loading. Please wait.

Presentation is loading. Please wait.

Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg.

Published byMervyn King Modified over 9 years ago

Similar presentations

Presentation on theme: "Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg."— Presentation transcript:

1 Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg

2 Outline  Short description of SHA-256  Difference between SHA-1 and SHA-2  Technique for finding collisions for SHA-256  20-step reduced SHA-256  21-step reduced SHA-256  23-step reduced SHA-256  25-step reduced SHA-256  Conclusions

3 Short description of SHA-256  Merkle-Damgard construction (compression function) Input: 512-bits message block + 256-bits chaining value Output: 256-bits chaining value  64 steps

4 Difference between SHA-1 and SHA-2  Number of internal variables  Additional functions - ∑ 0, ∑ 1  Message expansion W i = W i-3 + W i-8 + W i-14 + W i-16 W i = σ 1 (W i-2 )+ W i-7 + σ 0 (W i-15 )+ W i-16 One step of the compression function Message expansion

5 Difference between SHA-1 and SHA-2 Limit the influence of the new innovations  Additional functions (∑ 0, ∑ 1 ) Find fixed points, i.e. ∑(x)=x. If x,y are fixed points then ∑(x)- ∑(y)=x-y, i.e. ∑ preserves difference.  Message expansion Expanded words don’t use words with differences.

6 Technique for finding collisions for SHA-256 General technique  Introduce perturbation  Use as less differences as possible to correct the perturbation in the following 8 steps  After the perturbation is gone don’t allow any other new perturbations

7 Technique for finding collisions for SHA-256  Perturbation in step i  Correct in the following 8 steps  Require the differences for A and E as shown in the table  Get system of equations with the respect to δi and A i or E i  Solve the system ΔAΔAΔBΔBΔCΔCΔDΔDΔEΔEΔFΔFΔGΔGΔHΔHΔWΔW i000000001 i+110001000δ1δ1 i+20100100δ2δ2 i+30010010δ3δ3 i+400010010 i+500001000 i+6000001000 i+7000000100 i+800000001δ4δ4 i+900000000

8 Technique for finding collisions for SHA-256 From the definition of SHA-256, we have Δ A i+4 - Δ E i+4 = Δ∑ 0 (A i+3 ) + ΔMaj i+3 (ΔA i+3, ΔB i+3,ΔC i+3 )-ΔD i+3 Δ E i+4 = Δ∑ 1 (E i+3 ) +ΔChi i+3 (ΔE i+3,ΔF i+3,ΔG i+3 )+ΔH i+3 +ΔD i+3 +ΔW i+3 From the condition for step i+3, we have ΔD i+3 = 0, ΔH i+3 = 0, Δ∑ 0 (A i+3 ) = 0, Δ∑ 1 (E i+3 ) =0. We require ΔA i+4 = 0, Δ E i+4 = 0. So we deduce: ΔMaj i+3 (0,0,1)= 0 ΔW i+3 =- ΔCh i+3 (0,-1,1) Solution: A i+3 =A i+2 δ 3 =-ΔCh i+3 (0,-1,1) ΔAΔAΔBΔBΔCΔCΔDΔDΔEΔEΔFΔFΔGΔGΔHΔHΔWΔW i+30010010δ3δ3 i+400010010 Example – step i+4

9 Technique for finding collisions for SHA-256 Solution of the system of equations A i-1 = A i+1 = A i+2 = A i+3 A i+1 =-1 E i+3 = E i+4 E i+6 = 0 E i+7 =-1 δ 1 =-1-ΔCh i+1 (1,0,0)- Δ∑ 1 (E i+1 ) δ 2 = Δ∑ 1 (E i+2 ) -ΔCh i+2 (-1,1,0) δ 3 =-ΔCh i+3 (0,-1,1) δ 4 =-1 Unsolved equation (no degrees of freedom left) ΔCh i+3 (0,0,-1)=-1 It holds with probability 1/3.

10 20-step reduced SHA-256 W01234 567891011121314 15 0x 1x 2x 3x 4x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15x 16xx xx 17xx x x 18xxxx xxx 19xxxx xx x 20xxxxx xxxxx 21xxxx xxxxx x 22xxxxx xxxxxxx x Collision  Perturbation in W 5.  Corrections in W 6, W 7, W 8, W 13.  Message expansion after the step 13 doesn’t use any of these words  Complexity = 1/3

11 21-step reduced SHA-256 W678914 0 1 2 3 4 5 6x 7x 8x 9x 10 11 12 13 14x 15 16xx 17 18xx 19 20xx 21xx 22xxxx Collision  Perturbation in W 6.  Corrections in W 7, W 8, W 9, W 14.  Message expansion uses W 9, W 14.  Additional equation is introduced: Δ σ 1 (W 14 ) + Δ W 9 = 0, where Δ W 14 =-1.  Total complexity is 2 19.

12 23-step reduced SHA-256 W9101112 0 1 2 3 4 5 6 7 8 9 x 10 x 11 x 12 x 13 14 15 16 x 17 x 18 xx 19 xx 20 xx 21 xx 22 xx Semi-free start collision  Perturbation in W 9.  Corrections in W 10, W 11, W 12. W 17 is extended word, so it is not possible to control it directly.  Message expansion uses W 9, W 10, W 11, W 12.  In the original differential path there is no difference in W 16. We have to slightly change our differential path. New system of equations is introduced and solved.  In order to control W 17  Additional equations are introduced in order to keep the differences zero after the last step of the path.  Total complexity is 2 21.

13 25-step reduced SHA-256 W9101112 0 1 2 3 4 5 6 7 8 9 x 10 x 11 x 12 x 13 14 15 16 x 17 x 18 xx 19 xx 20 xx 21 xx 22 xx Semi-free start near collision with Hamming distance of 17 bits  Extend semi-free start collision for 23-step reduced SHA-256.  Minimize the Hamming distance of the introduced differences for A and E registers.  Total complexity is 2 34.

14 Conclusions  Technique applicable to SHA-224, SHA-384, and SHA-512.  No real treat for the security of SHA-2.

Download ppt "Collisions for Step-Reduced SHA 256 Ivica Nikolić, Alex Biryukov University of Luxembourg."

Similar presentations

Chapter 17 Multivariable Calculus.

Chapter 17 Multivariable Calculus.
More on Decoders and Muxes

More on Decoders and Muxes
1 The 2-to-4 decoder is a block which decodes the 2-bit binary inputs and produces four output All but one outputs are zero One output corresponding to.

1 The 2-to-4 decoder is a block which decodes the 2-bit binary inputs and produces four output All but one outputs are zero One output corresponding to.
CDA 3100 Recitation Week 10.

CDA 3100 Recitation Week 10.
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.

Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
Functions of Several Variables Copyright © Cengage Learning. All rights reserved.

Functions of Several Variables Copyright © Cengage Learning. All rights reserved.
Standardized Test Practice

Standardized Test Practice
EXAMPLE 3 Solve an equation by factoring Solve 2x 2 + 8x = 0. 2x 2 + 8x = 0 2x(x + 4) = 0 2x = 0 x = 0 or x + 4 = 0 or x = – 4 ANSWER The solutions of.

EXAMPLE 3 Solve an equation by factoring Solve 2x 2 + 8x = 0. 2x 2 + 8x = 0 2x(x + 4) = 0 2x = 0 x = 0 or x + 4 = 0 or x = – 4 ANSWER The solutions of.
6.4 Factoring and Solving Polynomial Equations. Review of Factoring 2 nd Degree Polynomials x 2 + 9x + 20 = (x+5)(x+4) x 2 - 11x + 30 = (x-6)(x-5) 3x.

6.4 Factoring and Solving Polynomial Equations. Review of Factoring 2 nd Degree Polynomials x 2 + 9x + 20 = (x+5)(x+4) x x + 30 = (x-6)(x-5) 3x.
4.2 Graphing linear equations Objective: Graph a linear equation using a table of values.

4.2 Graphing linear equations Objective: Graph a linear equation using a table of values.
4.6 Solve Exponential and Logarithmic Equations

4.6 Solve Exponential and Logarithmic Equations
Block ciphers 2 Session 4. Contents Linear cryptanalysis Differential cryptanalysis 2/48.

Block ciphers 2 Session 4. Contents Linear cryptanalysis Differential cryptanalysis 2/48.
Solving Quadratic Equations by Factoring

Solving Quadratic Equations by Factoring
Elimination Day 2. When the two equations don’t have an opposite, what do you have to do? 1.

Elimination Day 2. When the two equations don’t have an opposite, what do you have to do? 1.
Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption.

Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption.
1 2-Hardware Design Basics of Embedded Processors (cont.)

1 2-Hardware Design Basics of Embedded Processors (cont.)
Which is equivalent to x 15 ? a. (x 3 )(x 5 ) b. (x 3 ) 5 c. (3x)(5x) d. (x 2 )(x 4 )/x 21.

Which is equivalent to x 15 ? a. (x 3 )(x 5 ) b. (x 3 ) 5 c. (3x)(5x) d. (x 2 )(x 4 )/x 21.
Linear Equations in Two Variables A Linear Equation in Two Variables is any equation that can be written in the form where A and B are not both zero.

Linear Equations in Two Variables A Linear Equation in Two Variables is any equation that can be written in the form where A and B are not both zero.
3.1 You should be able to solve one-step equations using algebra. Solve for x.

3.1 You should be able to solve one-step equations using algebra. Solve for x.
§ 3.6 Solving Quadratic Equations by Factoring. Martin-Gay, Developmental Mathematics 2 Zero Factor Theorem Quadratic Equations Can be written in the.

§ 3.6 Solving Quadratic Equations by Factoring. Martin-Gay, Developmental Mathematics 2 Zero Factor Theorem Quadratic Equations Can be written in the.

Similar presentations

Ads by Google