Finding Collisions in SHA0,1 - PowerPoint PPT Presentation

1
Finding Collisions in SHA-0,1
  • Presented by Bryan Parno
  • Carnegie Mellon University

Based on "Efficient Collision Search Attacks on SHA-0" (Wang, Yu, Yin) and "Finding Collisions in the Full SHA-1" (Wang, Yin, Yu)
2
Hash Function Refresher
  • Provides a fingerprint of an arbitrary block of
    data
  • $H : \{0,1\}^* \to \{0,1\}^L$
  • Desirable properties
  • Preimage Resistance ($\approx 2^L$)
  • Given $y \in \{0,1\}^L$, find $x$ such that $H(x) = y$
  • 2nd Preimage Resistance ($\approx 2^L$)
  • Given $x$, find $x'$ such that $H(x') = H(x)$
  • Collision Resistance ($\approx 2^{L/2}$)
  • Find $x$ and $x'$ such that $H(x) = H(x')$

3
Hash Function Caveats
  • Collision Resistance $\Rightarrow$ 2nd Preimage Resistance $\Rightarrow$ Preimage Resistance
  • Converse is not true!
  • A break in collision resistance does not
    necessarily imply a break in (2nd) preimage
    resistance
  • A hash function is not necessarily a good PRF

4
Outline
  • Hash Function Refresher
  • Brief Hash Function History
  • SHA-0 Refresher
  • Previous Attacks on SHA-0
  • New Search Techniques for SHA-0
  • SHA-1 Refresher
  • Previous Attacks on SHA-1
  • New Search Techniques for SHA-1

5
Hash Function Genealogy
MD2, 1989
MD4, 1990
MD5, 1991
SHA-0, 1993
SHA-1, 1995
All (except MD2) have same basic structure
SHA-2 (224, 256, 384, 512), 2001
6
Damgård-Merkle Hash Functions
  • Divide message M into chunks
  • $M = M_1 \| M_2 \| \dots \| M_k$
  • Define compression function g
  • If g is collision resistant, so is the hash

[Figure: diagram with labels IV and h]
7
SHA-0 Definition
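  • Maps $\{0,1\}^* \to \{0,1\}^{160}$
  • Divide message M into 512-bit chunks
  • $M = M_1 \| M_2 \| \dots \| M_k$
  • IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0), $2^{30}(\sqrt{2}, \sqrt{3}, \sqrt{5}, \sqrt{10})$
  • $g : \{0,1\}^{512} \times \{0,1\}^{160} \to \{0,1\}^{160}$

[Figure: diagram with labels IV and h]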
8
SHA-0 Compression Function g
  • Maps $M_j \in \{0,1\}^{512} \times v \in \{0,1\}^{160} \to v' \in \{0,1\}^{160}$
  • Outline
  • Message Expansion
  • Break message into 32-bit chunks $M_j = m_0 m_1 \dots m_{15}$
  • Expand those 16 chunks into 80
  • Mix the message m with the chaining variable v
  • Expand v into five 32-bit chunks $v = a_0 b_0 c_0 d_0 e_0$
  • Iterate 80 times: $v = F(m_i, v)$

9
SHA-0 Message Expansion
  • Break message into 32-bit chunks $M_j = m_0 m_1 \dots m_{15}$
  • Create an additional 64 chunks (for a total of 80) using
  • $m_i = m_{i-3} \oplus m_{i-8} \oplus m_{i-14} \oplus m_{i-16}$

10
SHA-0 Message Mixing
  • Mix the message m with the chaining variable v
  • Message has been expanded into $m = m_0 m_1 \dots m_{79}$
  • Expand v into five 32-bit chunks $v = a_0 b_0 c_0 d_0 e_0$
  • For $i = 1, 2, \dots, 80$
  • $a_i = (a_{i-1} \ll 5) + F_i(b_{i-1}, c_{i-1}, d_{i-1}) + e_{i-1} + m_{i-1} + k_{i-1}$
  • $b_i = a_{i-1}$
  • $c_i = b_{i-1} \ll 30$
  • $d_i = c_{i-1}$
  • $e_i = d_{i-1}$
  • Return
  • $v = a_{80} b_{80} c_{80} d_{80} e_{80}$

11
SHA-0 Message Mixing
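[Figure: one step of SHA-0 message mixing, taking $a_{i-1}, b_{i-1}, c_{i-1}, d_{i-1}, e_{i-1}$ to $a_i, b_i, c_i, d_i, e_i$ via $\ll 5$, $\ll 30$, $F$, $m_{i-1}$ and $k_i$]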
12
Previous Attacks on SHA-0
  • Local collision attacks
  • A collision within a few steps of the hash
    function
  • SHA-0 has a 6-step local collision that can start
    at any step
  • Differential paths
  • A series of (possibly overlapping) local
    collisions
  • Message modification
  • Derive conditions on message words based on a
    differential path, then modify messages
    accordingly

13
SHA-0 Local Collision
Collision!
14
SHA-0 Differential Paths
  • A series of (possibly overlapping) local
    collisions
  • A disturbance vector specifies starting points
    for local collision
  • $x = (x_0, x_1, \dots, x_{79})$, $x_i \in \{0,1\}$
  • If $x_i = 1$, start a local collision at step i
  • Vector must satisfy $x_i = x_{i-3} \oplus x_{i-8} \oplus x_{i-14} \oplus x_{i-16}$
  • Previous work establishes additional constraints
  • Complexity of the attack proportional to Hamming weight (# of 1s) of x
  • Previous work used a vector with weight 27 for an attack of complexity $2^{58}$

15
SHA-0 Disturbance Vector Conditions
  • These conditions also constrain the other $x_i$
  • Since any 16 consecutive $x_i$ define x, these constraints reduce $2^{16}$ space to 3 choices for 6 free variables

16
Message Modification
  • The core of the MD4-family of hash functions is
  • $a_i = F(\text{input chaining vars}, m_{i-1})$
  • An update of chaining variable $a_i$ based on previous chaining variables and the current message block
  • Given a differential path, we can generate sufficient conditions on the $a_i$ (e.g., $a_2 = 1$ or $a_5 \ne a_3$)
  • Basic technique: if $a_{i,j} \ne v$, flip the $j$th bit of $m_{i-1}$
  • If the differential path constrains $m_{i-1}$, may have to flip additional message bits
  • Works for $i \le 16$, since we can modify the $m_i$ directly
  • Advanced technique
  • Needed for $i > 16$: a change in $m_i$ changes some earlier $m_t$ for $t \le 16$
  • Corrects this change by constructing a local
    collision

17
Message Modification vs. SHA-0
  • Given a differential path, basic technique
    applies
  • Only helps with the first 16 steps
  • Effectiveness of advanced technique depends on
    distribution of constraints
  • For MD5, concentrated on steps 17 and 18
  • Due to local collisions and message expansion,
    SHA-0 constraints are spread out
  • Message modification still helps, but other known
    attacks are more effective

18
New Search Techniques
  • Remove Conditions 2 & 3 on disturbance vector
  • Creates larger search space, so we can find vectors with lower Hamming weights (HWs)
  • Makes constructing a differential path from the
    disturbance vector harder
  • Use new techniques to construct differential path
  • Apply some implementation optimizations

19
Finding Disturbance Vectors with Low HW
  • Current approach eliminates low-weight vectors
  • Partly a result of the difference between IF (used for $F_i$ in round 1) and XOR (rounds 2 and 4)
  • If c and d both change, IF always changes, XOR never changes (MAJ changes with probability ½)
  • Treating round 1 separately allows us to relax Condition 3
  • Focus search on vectors with small HW in rounds 2-4
  • Basic message modification can deal with round 1
  • Selected vector has much smaller Hamming weight (19 vs 27)
  • Hamming weight of only 3 in round 3

20
Path Construction Techniques
  • Necessary to convert disturbance vector into a
    differential path
  • Use subtraction (not xor) to measure difference
  • Take advantage of IF
  • Can preserve or absorb input difference
  • Take advantage of carry effect
  • Convert $2^j = -2^j - 2^{j+1} - \dots - 2^{j+k-1} + 2^{j+k}$
  • Expand one bit difference into multiple

21
Specific Path Construction
  • Use IF to absorb differences in b,c,d
  • Carefully control a,e with focus on a
  • Introduce differences in a
  • To deal with the truncated local collisions
  • As dictated by disturbance vector
  • To cancel e differences
  • Plus a few more tweaks

22
Derive Conditions on $m_i$ and $a_i$
  • Conditions on $m_i$ arise from
  • Constraints for the local collisions dictated by disturbance vector
  • Conditions on $a_i$ arise from
  • Differential path constructed
  • Total of 45 conditions
  • Tweak messages to eliminate 3 conditions from
    steps 17-20

23
Final Complexity
  • Given 42 conditions, appears to need $2^{42}$ hashes
  • Each constraint fixes a bit, implying 42 bits must be correct to generate a collision
  • Implementation optimizations
  • Precompute some of the initial message chunks
  • Stop early if conditions are not satisfied
  • Reduces complexity to less than $2^{39}$ hashes
  • Speculate that multi-block collisions can be found in under $2^{33}$ hashes

24
SHA-1 Refresher
  • Exactly the same as SHA-0 except for message
    expansion tweak
  • Tweak introduced by the NSA to correct a
    technical flaw that made the standard less secure
    than had been thought.
  • Message Expansion
  • Break message into 32-bit chunks $M_j = m_0 m_1 \dots m_{15}$
  • Create an additional 64 chunks (for a total of 80) using
  • $m_i = (m_{i-3} \oplus m_{i-8} \oplus m_{i-14} \oplus m_{i-16}) \ll 1$

Tweak!
25
Previous Attacks on SHA-1
  • Local collision attacks
  • SHA-0 local collision does not depend on the
    message expansion, so it applies to SHA-1 as well
  • Differential paths
  • Due to tweak, disturbance vector entries $x_i$ are 32-bit (not one bit)
  • Same conditions apply, but much larger search
    space (makes it harder to find a vector with low
    HW)
  • Previous work focused on reduced round versions
    of SHA-1
  • Message modification
  • Similar to SHA-0, but must adjust for tweak
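
An added example (not from the original slides): a Python sketch of the message expansion and step function described above, with a `tweak` flag that selects SHA-1's one-bit rotation. `diff_bits` shows that a one-bit message difference stays in a single bit position under SHA-0's expansion but spreads under SHA-1's, which is why the disturbance vector entries become 32-bit. The function names, the standard padding and the feed-forward addition (from the SHA standard, not shown on the slides) are assumptions of this example.

```python
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # one constant per 20-step round

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK  # 32-bit rotate left

def expand(words, tweak):
    """Expand 16 message words to 80; tweak=True applies SHA-1's rotate by 1."""
    m = list(words)
    for i in range(16, 80):
        w = m[i - 3] ^ m[i - 8] ^ m[i - 14] ^ m[i - 16]
        m.append(rotl(w, 1) if tweak else w)
    return m

def f(i, b, c, d):
    if i < 20:
        return (b & c) | (~b & d)           # IF, round 1
    if 40 <= i < 60:
        return (b & c) | (b & d) | (c & d)  # MAJ, round 3
    return b ^ c ^ d                        # XOR, rounds 2 and 4

def compress(block, v, tweak):
    m = expand(struct.unpack(">16I", block), tweak)
    a, b, c, d, e = v
    for i in range(80):
        t = (rotl(a, 5) + f(i, b, c, d) + e + m[i] + K[i // 20]) & MASK
        a, b, c, d, e = t, a, rotl(b, 30), c, d
    # Feed-forward addition of the input chaining value (SHA standard).
    return tuple((x + y) & MASK for x, y in zip(v, (a, b, c, d, e)))

def sha(msg, tweak):
    """Hex digest of msg: SHA-1 if tweak is True, SHA-0 otherwise."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    v = IV
    for off in range(0, len(padded), 64):
        v = compress(padded[off:off + 64], v, tweak)
    return struct.pack(">5I", *v).hex()

def diff_bits(tweak, bit=0):
    """Bit positions reached in the 80 expanded words when one bit of m_0 flips.
    Expansion is linear over XOR, so expanding the difference alone suffices."""
    delta = expand([1 << bit] + [0] * 15, tweak)
    return {j for w in delta for j in range(32) if w >> j & 1}

if __name__ == "__main__":
    print("SHA-0:", sha(b"abc", False), sorted(diff_bits(False)))
    print("SHA-1:", sha(b"abc", True), sorted(diff_bits(True)))
```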

26
New Search Techniques
  • Remove all Conditions (1, 2 & 3) on disturbance vector
  • Creates larger search space, so we can find vectors with lower Hamming weights (HWs)
  • Makes constructing a differential path from the
    disturbance vector harder
  • Use new techniques to construct differential path
  • Apply some implementation optimizations

27
Finding Disturbance Vectors with Low HW
  • Eliminate all three Conditions
  • Unlike SHA-0, we have 16 32-bit free variables
  • Creates $2^{512}$ search space
  • Use heuristics to narrow search space to $2^{38}$
  • Matrices with low HW will concentrate non-zero entries in consecutive columns
  • Hence, consider two 16-bit columns at a time

[Figure: matrix with rows $x_0, x_1, \dots, x_{79}$ and bit columns 0, 1, 2, ..., 31; two adjacent 16-bit columns $x_{i,j-1}$, $x_{i,j}$ are marked]
Vary through all $2^{32}$ values and all 64 choices of i
28
Finding Disturbance Vectors with Low HW
  • Keep computing more vectors past step 80
  • Search for any consecutive 80 steps with small HW
  • Wang et al. found 12 candidate vectors
  • Select disturbance vector that minimizes number
    of conditions

29
Path Construction Techniques
  • Necessary to convert disturbance vector into a
    differential path
  • Similar to SHA-0 techniques
  • Derive conditions on $m_i$ and $a_i$
  • Due to tweak, number of conditions can explode
  • Use two consecutive disturbances in the same step
    i to produce one 6-step local collision (reduces
    conditions from 6 to 4)
  • Resulting path has 71 conditions and produces
    near collisions

30
Near Collisions → Full Collisions
  • Combine near collisions on two message blocks into a multi-block collision
  • Let $\Delta h_1 = H(M_0, IV) - H(M_0', IV)$
  • $\Delta h_2 = H(M_1, h_1) - H(M_1', h_1')$
  • Use construction techniques to absorb $\Delta h_1$ during first 16 steps of second hash
  • Set conditions on $M_1$ so that $\Delta h_2 = -\Delta h_1$
  • Thus, complexity of second near collision is same as complexity of the first near collision
  • Can apply to MD5 to reduce search from $2^{37}$ to $2^{32}$

31
Final Complexity
  • There are 70 conditions on steps 23-77
  • Similar implementation optimizations
  • Precompute some of the initial message chunks
  • Stop early if conditions are not satisfied
  • Reduces complexity to less than $2^{68}$ hashes
  • Adding time for 2nd near collision gives $2^{69}$ hashes

32
Conclusions
  • An improvement on SHA-1 attack to $2^{63}$ hashes announced at Crypto 2005
  • SHA's step function includes Boolean functions (IF and carry) that facilitate differential attacks
  • Only affects certain operations (be wary of
    signing a preselected document)
  • Moving to other members of the SHA family may not
    be a good long term solution

33
Thank you!
parno_at_cmu.edu