1 / 14

Collisions for Step-Reduced SHA 256

Outline. Short description of SHA-256Difference between SHA-1 and SHA-2Technique for finding collisions for SHA-25620-step reduced SHA-25621-step reduced SHA-25623-step reduced SHA-25625-step reduced SHA-256Conclusions. Short description of SHA-256. Merkle-Damgard construction (compres

ursala
Download Presentation

Collisions for Step-Reduced SHA 256

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Collisions for Step-Reduced SHA 256 Ivica Nikolic, Alex Biryukov University of Luxembourg

    2. Outline Short description of SHA-256 Difference between SHA-1 and SHA-2 Technique for finding collisions for SHA-256 20-step reduced SHA-256 21-step reduced SHA-256 23-step reduced SHA-256 25-step reduced SHA-256 Conclusions

    3. Short description of SHA-256 Merkle-Damgard construction (compression function) Input: 512-bits message block + 256-bits chaining value Output: 256-bits chaining value 64 steps

    4. Difference between SHA-1 and SHA-2 Number of internal variables Additional functions - ?0, ?1 Message expansion

    5. Difference between SHA-1 and SHA-2 Limit the influence of the new innovations Additional functions (?0, ?1) Find fixed points, i.e. ?(x)=x. If x,y are fixed points then ?(x)- ?(y)=x-y, i.e. ? preserves difference. Message expansion Expanded words dont use words with differences.

    6. Technique for finding collisions for SHA-256 General technique Introduce perturbation Use as less differences as possible to correct the perturbation in the following 8 steps After the perturbation is gone dont allow any other new perturbations

    7. Technique for finding collisions for SHA-256 Perturbation in step i Correct in the following 8 steps Require the differences for A and E as shown in the table Get system of equations with the respect to di and Ai or Ei Solve the system

    8. Technique for finding collisions for SHA-256 From the definition of SHA-256, we have ? Ai+4 - ? Ei+4 = ??0(Ai+3) + ?Maji+3 (?Ai+3,?Bi+3,?Ci+3 )-?Di+3 ? Ei+4 = ??1(Ei+3) +?Chii+3 (?Ei+3,?Fi+3,?Gi+3)+?Hi+3+?Di+3+?Wi+3 From the condition for step i+3, we have ?Di+3 = 0, ?Hi+3 = 0, ??0(Ai+3) = 0, ??1(Ei+3) =0. We require ?Ai+4 = 0, ? Ei+4 = 0. So we deduce: ?Maji+3 (0,0,1)= 0 ?Wi+3 =- ?Chi+3 (0,-1,1) Solution: Ai+3 =Ai+2 d3 =-?Chi+3 (0,-1,1)

    9. Technique for finding collisions for SHA-256 Solution of the system of equations Ai-1 = Ai+1= Ai+2= Ai+3 Ai+1=-1 Ei+3 = Ei+4 Ei+6= 0 Ei+7=-1 d1 =-1-?Chi+1 (1,0,0)- ??1(Ei+1) d2 = ??1(Ei+2) -?Chi+2 (-1,1,0) d3 =-?Chi+3 (0,-1,1) d4 =-1 Unsolved equation (no degrees of freedom left) ?Chi+3(0,0,-1)=-1 It holds with probability 1/3.

    10. 20-step reduced SHA-256

    11. 21-step reduced SHA-256

    12. 23-step reduced SHA-256

    13. 25-step reduced SHA-256

    14. Conclusions

More Related