Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Finding...

Ruhr-Ruhr-UniversitätUniversitätBochumBochumFakultät für MathematikFakultät für Mathematik

Informationssicherheit und KryptologieInformationssicherheit und Kryptologie

Finding Differential Patterns Finding Differential Patterns

for the Wang Attackfor the Wang Attack

CITS – Cryptology and IT-SecurityCITS – Cryptology and IT-Security

Faculty of MathematicsFaculty of Mathematics

Ruhr University BochumRuhr University Bochum

Magnus Daum

23.06.2005 Daum - Finding Differential Patterns for the Wang Attack 2



M1: 02dd31d1 c4eee6c5 069a3d69 5cf9af98 87b5ca2f ab7e4612 3e580440 897ffbb80634ad55 02b3f409 8388e483 5a417125 e8255108 9fc9cdf7 f2bd1dd9 5b3c3780

d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335 0cfdebf0 66f12930 8fb109d1797f2775 eb5cd530 baade822 5c15cc79 ddcb74ed 6dd3c55f d80a9bb1 e3a7cc35

M1‘: 02dd31d1 c4eee6c5 069a3d69 5cf9af98 07b5ca2f ab7e4612 3e580440 897ffbb80634ad55 02b3f409 8388e483 5a41f125 e8255108 9fc9cdf7 72bd1dd9 5b3c3780

d11d0b96 9c7b41dc f497d8e4 d555655a 479a7335 0cfdebf0 66f12930 8fb109d1797f2775 eb5cd530 baade822 5c154c79 ddcb74ed 6dd3c55f 580a9bb1 e3a7cc35

MotivationMotivation

• Crypto ’04 (Wang et al.):actual collisions for various hash functions

• E.g. for MD5:

M2: 02dd31d1 c4eee6c5 069a3d69 5cf9af98 87b5ca2f ab7e4612 3e580440 897ffbb80634ad55 02b3f409 8388e483 5a417125 e8255108 9fc9cdf7 f2bd1dd9 5b3c3780

313e82d8 5b8f3456 d4ac6dae c619c936 b4e253dd fd03da87 06633902 a0cd48d242339fe9 e87e570f 70b654ce 1e0da880 bc2198c6 9383a8b6 2b65f996 702af76f

M2‘: 02dd31d1 c4eee6c5 069a3d69 5cf9af98 07b5ca2f ab7e4612 3e580440 897ffbb80634ad55 02b3f409 8388e483 5a41f125 e8255108 9fc9cdf7 72bd1dd9 5b3c3780

313e82d8 5b8f3456 d4ac6dae c619c936 34e253dd fd03da87 06633902 a0cd48d242339fe9 e87e570f 70b654ce 1e0d2880 bc2198c6 9383a8b6 ab65f996 702af76f




42e7b9ca 8726b6c4 24a51ab9 c1056b84 13fb9588 9fa6e965 ff920348 793f3b2c0634ad41 03b4adff 7a844bdf 4f01b74d cb8332db a86fd419 33c665a7 30bf16f0

2e7cff6a 9b687357 15b83319 f5e7ab64 4566cfb9 0c79fee4 367d04ee aeb077cc307f085d 88eb60b5 404d72b3 2d65f867 676484d8 809bbd7d cff29e98 a30e2eb8

42e7b9ca 8726b6c4 24a51ab9 c1056b84 93fb9588 9fa6e965 ff920348 793f3b2c0634ad41 03b4adff 7a844bdf 4f01374d cb8332db a86fd419 b3c665a7 30bf16f0

2e7cff6a 9b687357 15b83319 f5e7ab64 c566cfb9 0c79fee4 367d04ee aeb077cc307f085d 88eb60b5 404d72b3 2d667867 676484d8 809bbd7d 4ff29e98 a30e2eb8


• Lenstra/Wang/de Weger:colliding (w.r.t. MD5) X.509 certificates

• Differing part:





• Other actual collisions published (Klima, Lucks/D.) show the same characteristics

• Reason: Attack applies a special differential pattern with fixed input differences (0,…,15) = (0,0,0,0,231,…,§ 215,…,231,0)

• Considered bytewise these are only differences in the most significant bit

• May be a problem in certain applications,e.g. when trying to find colliding ASCII texts

► Possible to use other input difference patterns?




Wang‘s AttackWang‘s Attack




Wang‘s AttackWang‘s Attack

• Differential attack with modular differences(i.e. differences with respect to addition modulo 232)

• Starts from a given/chosen message and modifies its bits to produce a collision

• Two main parts:– Choosing the differential pattern (done by hand)– Single-Step and Multi-Step Modifications

?




Choosing Choosing the Differential Patternthe Differential Pattern

• Not much is known about how Wang actually found this pattern used in all the implementations

• Wang: „intuitively“ and „by hand“• Some ideas can be reconstructed by looking

at what is happening during the attack




Attack on MD5Attack on MD5

• Construction of the pattern starts in last rounds

• design of MD5 allows differential pattern for round 3+4 which leads to a useful near-collision

• Input differences are chosen such that this difference propagation happens with high probability

• Look for conditions on register values which make the difference propagation in first two rounds possible

W34-215

W35231

W36W37231

W61-215

W50231

W60231

W15-215

W4231

W14231

W18-215

W23231

W25231




Step Operation in MD5Step Operation in MD5




MD5MD5

• Message expansion by roundwise permutations of the Mi (four rounds)

• Step operation:




MD5MD5

Kt,st: constants

Wt: message words

f: bitwise definedBoolean function

Rt: new content of registerchanged in step t

• Step operation:




Step OperationStep Operation

• Advantage of considering modular differences:

• Most operations used in the step operation have a deterministic propagation of modular differences

• Analyse the other parts:– Bit rotations– Bitwise defined functions




Difference PropagationDifference Propagation




Various DifferencesVarious Differences

bitwise (XOR) differences: modular differences:?

signed bitwise differences:

• differences usually low weight:

uniquely

determined




Various DifferencesVarious Differences

modular differencessigned bitwise differences

• Special case:

• Depends on actual value of x:

• Can be generalized to other differences

• For fixed +x=[k]:




Difference Propagation:Difference Propagation: Bitwise FunctionsBitwise Functions

• f is applied bitwise

-> modular differences are not very useful• transform to signed bitwise diff.• propagation of signed bitwise differences can be

analysed easily

?





• f is applied bitwise

-> modular differences are not very useful• transform to signed bitwise diff.• propagation of signed bitwise differences can be

analysed easily

-> possible values for together with corresponding conditions for each of the cases

• corresponding modular differencesare uniquely determined

?




Bit RotationBit Rotation and Modular Additionand Modular Addition




Bit RotationBit Rotation and Modular Additionand Modular Addition

A random, B fixed:




Difference Propagation:Difference Propagation: Bit RotationsBit Rotations

• Register R with a fixed difference +R =[t]

• A=R, B=+R:

• Applying the Theorem described earlier yields

for t<n-s:

for t¸n-s:




Example: Analysis ofExample: Analysis of Difference PropagationDifference Propagation

• taken from first round of MD4




Automated SearchingAutomated Searchingof such Differential Patternsof such Differential Patterns




• Bit 31:

Degrees of FreedomDegrees of Freedom

• Choices when constructing such patterns:– (Input differences Wi)

– Bitwise function: 1-3 choices per nonzero bit

• Bits 22,25:• Bit 29:







– Bit rotation: 4 choices in general (but usually one dominant case)

– Assumptions on bitwise differences (“expand“ differences)




Example: Analysis ofExample: Analysis of Difference PropagationDifference Propagation

• taken from first round of MD4







– Bit rotation: 4 choices in general (but usually one dominant case)

– Assumptions on bitwise differences (“expand“ differences)




SearchingSearching for Differential Patternsfor Differential Patterns

• Idea: build trees of difference patterns• Each vertex represents a possible state of

differences, e.g. • Possible differences resulting after following step are

computable– Leads to several new vertices -> pruning necessary

• For the pruning use a cost function depending on the following properties:– Probability that this difference state is actually achieved– Weights of the differences– Distance from the root of the tree




Finding Useful PatternsFinding Useful Patterns

• Additional constraints for useful patterns,e.g. start and end with zero differences

a)Trivial solution: take root with zero differences and add new vertices till a vertex with zero differences is found

b)Build two trees, one goind foreward, one going backwardFix a layer corresponding to some step and look for common vertices

c) Two trees as above, but stop some steps before fixed layer, find connection by solving additional equations

• Has not been fully tested up to now




ConclusionConclusion

• Some analysis of background of Wang‘s attack

• Theoretical basis for analysing the propagation of modular differences

• Ideas for automatically finding useful difference patterns




Thank you!Thank you!

Questions???Questions???

Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Finding...

Documents

Transcript of Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Finding...