Applications of SAT Solvers to Cryptanalysis of Hash Functions


Ilya Mironov, Lintao Zhang

Microsoft Research, Silicon Valley Campus

Overview
  • Crash course on hash functions
  • Collision-finding attacks (Wang et al. ’05)
  • Automation via SAT solvers
Hash functions
  • H: {0,1}* → {0,1}^n
Cryptographic hash functions
  • Several important properties
  • Collision-resistance
  • x, y: H(x) = H(y)
Birthday paradox
  • Finding collision: ~|S| = 2^(n/2)
  • [Diagram labels: S, H, output]

Security level
  • 128-bit hash output: insecure, 2^64 operations
  • 160-bit hash output: medium-term, 2^80
  • 256-bit hash output: long-term (~20 years), 2^128
  • 512-bit hash output: paranoid, 2^256
Short history of hash functions
  • 1990 Ron Rivest: MD4 (128-bit output)
  • 1992 Ron Rivest: MD5 (128-bit output)
  • 1993 NIST: SHA (Secure Hash Algorithm, 160 bits)
  • 1995 NIST: Oops! SHA1
  • 2003 NIST: SHA-256,384,512

  • [Timeline figure; labels: SHA1, MD5, MD4; annotations: "MD4 is broken", "theoretical attack on SHA0", "MD5, SHA0 broken, theoretical attack on SHA1"]

MD4 and MD5’s structure
  • Basic building block: compression function
  • [Diagram: compression function, 48 rounds; labels: 512 bits, 128 bits, 128 bits]

Compression function’s building block
  • M: 512 bits = 16 × 32-bit words
  • State (a, b, c, d): 128 bits = 4 × 32-bit words
  • [Diagram labels: M, w, a, b, c, d; rounds 0-15, rounds 16-31, rounds 31-48; 128 bits]

Finding a collision [Wang et al. ’05]
  • Goal: Find M, M' such that H(M) = H(M')
  • 1. Select message difference
  • M' = M + 
  • 2. Select differential path
  • bi' = bi + bi
  • 3. Find sufficient conditions
  • 4. Make them happen!
Disturbance vector
  • [Diagram labels: M, a, b, c, d; rounds 0-15, rounds 16-31, rounds 31-48]

Differential path
  • M: (a0,b0,c0,d0), b1, b2, b48
  • M': (a0,b0,c0,d0), b1', b2', b48'
  • differential path:
  • b1' = b1 + b1
  • b2' = b2 + b2
  • b48' = b48 + b48
Sufficient conditions
  • (a_i, b_i, c_i, d_i) → (d_i, (a_i + f_i(b_i, c_i, d_i) + w_i + K_i) <<< s_i, b_i, c_i) = (a_{i+1}, b_{i+1}, c_{i+1}, d_{i+1})

fi = MAJ and si = 3 and b2,0 = 0 and c2,0 = 0,

then for b2,3 = 0 it is sufficient that lsb(b1)=0 and lsb(c1)=0

Sufficient conditions [Wang et al.]
  • MD4: 122
  • MD5: first block ― 294; second block ― 309
  • SHA0: 260
Message modification technique
  • [Diagram labels: a, b, c, d; rounds 0-15, rounds 16-31, rounds 31-48]

Probabilistic method

Conditions satisfied with probability 50%*:

MD4: < 8

MD5: first block ― 37; second block ― 30

SHA0: 42

SHA1: 70

* In the original papers (better attacks are currently known)

SAT Solvers!
  • Goal: Find M, M' such that H(M) = H(M')
  • 1. Select message difference
  • M' = M + 
  • 2. Select differential path
  • bi' = bi + bi
  • 3. Find sufficient conditions
  • 4. Message modifications
MD4
  • 53K variables, 221K clauses. Success!
  • SatELiteGTI < 500 sec

0xe1c08802 d0001321 f3fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 900f8005 3f936800 4b187044 64fad83a 01d79002 68f200a8 94ab2328 2449dd7d

collides with

0xe1c08802 50001321 63fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 900f8005 3f936800 4b187044 64fad83a 01d69002 68f200a8 94ab2328 2449dd7d
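
A check of the MD4 collision above, as an added example that is not from the original slides: a minimal MD4 in Python recomputes the compression function over both 16-word messages from the standard initial state, using the step rule given on the "Sufficient conditions" slide, and reports which words differ. The helper names are this example's own, and the fused token 88e2fdd5900f8005 is read as two 32-bit words (an assumption).

```python
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # standard MD4 initial state
def rol(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK
# Round functions: F (select), G (the MAJ function from the slides), H (parity).
F = lambda x, y, z: (x & y) | (~x & z)
G = lambda x, y, z: (x & y) | (x & z) | (y & z)
H = lambda x, y, z: x ^ y ^ z
# (function, additive constant, message-word order, rotation amounts) per round.
ROUNDS = (
    (F, 0x00000000, range(16), (3, 7, 11, 19)),
    (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)

def md4_compress(state, words):
    """48 steps of (a,b,c,d) -> (d, (a + f(b,c,d) + w + K) <<< s, b, c), then feed-forward."""
    a, b, c, d = state
    for f, k, order, shifts in ROUNDS:
        for i, w in enumerate(order):
            new_b = rol((a + f(b, c, d) + words[w] + k) & MASK, shifts[i % 4])
            a, b, c, d = d, new_b, b, c
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))

def md4(data):
    """Full MD4 with padding, so the compression function can be checked against RFC 1320."""
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    state = IV
    for off in range(0, len(data), 64):
        state = md4_compress(state, struct.unpack("<16I", data[off:off + 64]))
    return struct.pack("<4I", *state).hex()

# The two 16-word messages from the slide (fused token split into two words: assumption).
M1 = [int(w, 16) for w in (
    "e1c08802 d0001321 f3fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 "
    "900f8005 3f936800 4b187044 64fad83a 01d79002 68f200a8 94ab2328 2449dd7d").split()]
M2 = [int(w, 16) for w in (
    "e1c08802 50001321 63fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 "
    "900f8005 3f936800 4b187044 64fad83a 01d69002 68f200a8 94ab2328 2449dd7d").split()]

def word_differences(m, m_prime):
    """Index -> (M' - M) mod 2^32 for every message word that differs."""
    return {i: (y - x) & MASK for i, (x, y) in enumerate(zip(m, m_prime)) if x != y}

def collides(m, m_prime):
    """True if two distinct one-block messages reach the same state from the standard IV."""
    return m != m_prime and md4_compress(IV, m) == md4_compress(IV, m_prime)
```

Because both messages are exactly one block long, equal compression outputs also mean equal full MD4 digests once the identical padding block is appended.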

MD5
  • Hmm… Truncated MD5?
  • [Diagram: truncated MD5, CNF formula, SAT solver, filter, solution]

Probabilistic method
  • [Diagram labels: all messages, reduced-round solutions, full solutions]

Where to truncate?

~100 hours per full solution

Collision in MD5
  • 0x80000000 98163156 d685de69 e985b795 b4320c10 cd350030 c014ca29 850b7d6d 0934ad59 4871afd0 aa480edf e4fc0320 7bb68ed1 3b505ddf 5e5d5df6 b539a48d
  • fcb488ff adf40003 88d9fda4 d72a8fdc a887f4ca eec4f800 b75f8b20 7f1e9b51 9ab427cc 45c236f1 73f20086 e000005a 3b6550cc b6cc1c59 0fe9f71a a0403064
  • collides with
  • 0x80000000 98163156 d685de69 e985b795 34320c10 cd350030 c014ca29 850b7d6d 0934ad59 4871afd0 aa480edf e4fc0320 7bb68ed1 3b505ddf de5d5df6 b539a48d
  • fcb488ff adf40003 88d9fda4 d72a8fdc a887f4ca eec4f800 b75f8b20 7f1e9b51 9ab427cc 45c236f1 73f20086 dfff805a 3b6550cc b6cc1c59 0fe9f71a a0403064
Open problems
  • Cryptographic:
    • Break SHA-1
    • Automate the entire attack
    • Other primitives
  • SAT-solving community:
    • No truncation!
    • SAT solvers optimized for cryptographic applications: XOR, multiplication, table look-ups, intuition
Conclusion
  • First serious SAT-solver-aided cryptanalytic effort
  • Several entries into SAT Race ’06
  • New applications and challenges