
Christophe Petit UCL Crypto Group 04/22/09 | CRYP-201 Collisions for hash functions

Hard and easy components of collision search in the Zémor-Tillich hash function: New attacks and reduced variants with equivalent security. C. Petit, J.J. Quisquater, J.P. Tillich, G. Zémor. Christophe Petit UCL Crypto Group 04/22/09 | CRYP-201 Collisions for hash functions.


Presentation Transcript


  1. Hard and easy components of collision search in the Zémor-Tillich hash function: New attacks and reduced variants with equivalent security • C. Petit, J.J. Quisquater, J.P. Tillich, G. Zémor • Christophe Petit, UCL Crypto Group, 04/22/09 | CRYP-201 Collisions for hash functions

  2. Cryptographic hash functions

  3. Graph-based hash functions • Most hash functions can be seen as • While Zémor-Tillich is more like

  4. The Zémor-Tillich hash function Introduction New attacks Reduced variants Conclusion Outline

  5. The Zémor-Tillich hash function

  6. The Zémor-Tillich hash function • Introduced at CRYPTO’94 [TZ94] • Let irreducible over with and let • Let • For a message • Output set has size

  7. The Zémor-Tillich hash function • Graph and group interpretations of main properties • Representation problem: given a group and a set , find a product • Balance problem: find

  8. The Zémor-Tillich hash function • Previous cryptanalysis: • Malleability • Invertibility for short messages [SGGB00] • Trapdoor attacks on [CP94,AK98,SGGB00] • Projection to finite fields [G96] • Subgroup attacks for composite [SGGB00] • This paper: • Generic collision and preimage subgroup attacks in time (instead of and for birthday and exhaustive)

  9. New attacks

  10. Generic collision attack • Sketch: • Find lower triangular matrices with meet-in-the-middle random search • Combine lower triangular matrices to have a lower diagonal matrix with ones in the diagonal by solving discrete logarithms • The resulting matrix has order 2 • In each step, we use

  11. Generic collision attack, 1st step • If for some Then for some • To solve the equation: • Compute and on various random messages • For each obtained, store the projective point ( ) • After messages, likely to be done

  12. Generic collision attack, 2nd step • Combine triangular matrices to get a matrix with ones in the diagonal • Use • Representation problem in finite fields: Given find • Equivalent to Discrete Logarithm [BM97]… that is easy here!

  13. Generic collision attack, 3rd step • For any ,

  14. Improvements • Preimage attack: • A bit more technical, but same ideas • Same complexity • Memory-free versions • Transform the birthday search in the first step into a cycle detection problem • Use standard techniques (distinguished points, …)

  15. Hard and easy components • Finding a message hashing to a triangular matrix is “nearly” as hard as finding a message hashing to the identity • Similarly: • Finding a message hashing to a diagonal matrix • Given some vector , finding a message hashing to a matrix with left / right eigenvector are nearly as hard as finding a message hashing to the identity

  16. Hard and easy components • The output of ZT is bits while its security is bits: how to extract the secure bits?

  17. Reduced variants

  18. Vectorial Zémor-Tillich • The output of ZT is bits while its security is bits: how to extract the secure bits? • Vectorial version • Outputs bits • For a given initial vector , returns • If the initial vector is chosen randomly, just as secure as the original matrix version

  19. Equivalence between vectorial and matrix versions • Suppose there is an algorithm finding collision for the vectorial version… • Run it on a random • We get where and are the ZT hash values of the colliding messages • Run it on • We get • Repeat times

  20. Equivalence between vectorial and matrix versions • Key observations: • « Homomorphism » • To find a collision: • Let • Find such that

  21. Equivalence between vectorial and matrix versions • Colliding messages: where if • The two messages collide to the value

  22. Projective version • The output of ZT is bits while its security is bits: how to extract the secure bits? • Projective version • Outputs bits • Returns if the vectorial version returns • If the initial vector is chosen randomly, « nearly » as secure as the initial matrix version

  23. « Quasi » equivalence between projective and vectorial versions • Suppose there is an algorithm finding collision for the projective version… • Run it on to get and • Run it on to get and • After steps, find such that • Complexity of last step • Hard asymptotically ( discrete logarithms problems + one subset sum problem) • Feasible for

  24. Conclusion

  25. Conclusion • New generic attacks • Collision attack in time (instead of ) • Preimage attack in time (instead of ) • New variants • Vectorial variant as secure • Projective variant « nearly » as secure • Best attack against projective variant is birthday search • Zémor-Tillich is not broken • is too small • Still a very interesting design

  26. Questions ?
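
Added example (not part of the original slides or the authors' code): a toy Python model of the matrix, vectorial and projective versions from slides 6, 18 and 22, which also makes the malleability noted on slide 8 checkable. The field degree n = 7, the modulus X^7 + X + 1, the generator matrices (taken from the standard Tillich-Zémor construction, since the slide formulas did not survive extraction), the row-vector convention and all function names are assumptions.

```python
# Added example, not from the slides: toy Zemor-Tillich hash over GF(2^7).
N = 7               # toy field degree (assumption; far too small for real use)
P = 0b10000011      # X^7 + X + 1, irreducible over GF(2) (assumed modulus)
A = {0: (2, 1, 1, 0),   # A0 = [[X, 1], [1, 0]], stored row-major as (a, b, c, d)
     1: (2, 3, 1, 1)}   # A1 = [[X, X+1], [1, 1]]
IDENTITY = (1, 0, 0, 1)

def gf_mul(a, b):
    """Multiply two elements of GF(2)[X]/(P), encoded as bit masks."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> N) & 1:    # degree reached N: reduce modulo P
            a ^= P
    return r

def mat_mul(m1, m2):
    a, b, c, d = m1
    e, f, g, h = m2
    return (gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h),
            gf_mul(c, e) ^ gf_mul(d, g), gf_mul(c, f) ^ gf_mul(d, h))

def vec_mat(v, m):
    """Row vector (a, b) times a 2x2 matrix."""
    return (gf_mul(v[0], m[0]) ^ gf_mul(v[1], m[2]),
            gf_mul(v[0], m[1]) ^ gf_mul(v[1], m[3]))

def det(m):
    return gf_mul(m[0], m[3]) ^ gf_mul(m[1], m[2])

def zt_hash(bits):
    """Matrix version: ordered product of the generators picked by each bit."""
    h = IDENTITY
    for bit in bits:
        h = mat_mul(h, A[bit])
    return h

def zt_vectorial(bits, v0):
    """Vectorial version: carry only a 2-element state through the message."""
    for bit in bits:
        v0 = vec_mat(v0, A[bit])
    return v0

def same_projective_point(u, v):
    """(a, b) and (a', b') are the same projective point iff a*b' == a'*b."""
    return gf_mul(u[0], v[1]) == gf_mul(u[1], v[0])
```

With these definitions, zt_hash(m1 + m2) equals mat_mul(zt_hash(m1), zt_hash(m2)) and zt_vectorial(m, v0) equals vec_mat(v0, zt_hash(m)). Scaling v0 by a nonzero field element leaves the projective output unchanged.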
