Applications of SAT Solvers to Cryptanalysis of Hash Functions - PowerPoint PPT Presentation

Slides: 27
Provided by: miro9
Transcript and Presenter's Notes



1
Applications of SAT Solvers to Cryptanalysis of Hash Functions
  • Ilya Mironov, Lintao Zhang
  • Microsoft Research, Silicon Valley Campus

2
Overview
  • Crash course on hash functions
  • Collision-finding attacks (Wang et al. 05)
  • Automation via SAT solvers

3
Hash functions
  • $H : \{0,1\}^* \to \{0,1\}^n$

4
Cryptographic hash functions
  • Several important properties
  • Collision-resistance
  • $x, y$: $H(x) = H(y)$

5
Birthday paradox
  • Finding collision: $|S| \approx 2^{n/2}$

[Figure: diagram with labels S, H, output]
6
Security level
  • Insecure: $2^{64}$ operations (hash output 128 bits)
  • Medium-term: $2^{80}$ (hash output 160 bits)
  • Long-term (20 years): $2^{128}$ (hash output 256 bits)
  • Paranoid: $2^{256}$ (hash output 512 bits)

7
Short history of hash functions
  • 1990 Ron Rivest MD4 (128-bit output)
  • 1992 Ron Rivest MD5 (128-bit output)
  • 1993 NIST SHA (Secure Hash Algorithm, 160 bits)
  • 1995 NIST Oops! SHA1
  • 2003 NIST SHA-256,384,512

8
[Figure: timeline with labels MD4, MD5, SHA0, SHA1]
  • MD4 is broken
  • theoretical attack on SHA0
  • MD5, SHA0 broken, theoretical attack on SHA1
9
MD4 and MD5's structure
  • Basic building block: compression function

[Figure: compression function, 48 rounds; labels 512 bits, 128 bits, 128 bits]
10
Compression function's building block
  • 512 bits = 16 × 32-bit words
  • 128 bits = 4 × 32-bit words

[Figure: labels M, w, a, b, c, d, 128 bits; rounds 0-15, rounds 16-31, rounds 31-48]
11
One round
12
Internal variables
  • $M = (M_0, M_1, \dots, M_{15}) \to (w_0, w_1, \dots, w_{47})$
  • $(a_0, b_0, c_0, d_0)$
  • $(a_1, b_1, c_1, d_1)$
  • $(a_2, b_2, c_2, d_2)$
  • $(a_{48}, b_{48}, c_{48}, d_{48})$

13
Finding a collision (Wang et al. 05)
  • Goal: find $M$, $M'$ such that $H(M) = H(M')$
  • 1. Select message difference
  • $M' = M + \Delta$
  • 2. Select differential path
  • $b_i' = b_i + \Delta b_i$
  • 3. Find sufficient conditions
  • 4. Make them happen!

14
Disturbance vector
[Figure: labels Δ, M, a, b, c, d; rounds 0-15, rounds 16-31, rounds 31-48]
15
Differential path
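  • $M$: $(a_0, b_0, c_0, d_0)$, $b_1$, $b_2$, $\dots$, $b_{48}$
  • $M'$: $(a_0, b_0, c_0, d_0)$, $b_1'$, $b_2'$, $\dots$, $b_{48}'$
  • differential path: $b_1' = b_1 + \Delta b_1$, $b_2' = b_2 + \Delta b_2$, $\dots$, $b_{48}' = b_{48} + \Delta b_{48}$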
16
Sufficient conditions
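  • $(a_i, b_i, c_i, d_i) \to (d_i, (a_i + f_i(b_i, c_i, d_i) + w_i + K_i) \lll s_i, b_i, c_i) = (a_{i+1}, b_{i+1}, c_{i+1}, d_{i+1})$

If $f_i = \mathrm{MAJ}$ and $s_i = 3$ and $\Delta b_{2,0} = 0$ and $\Delta c_{2,0} = 0$, then for $\Delta b_{2,3} = 0$ it is sufficient that $\mathrm{lsb}(b_1) = 0$ and $\mathrm{lsb}(c_1) = 0$.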
17
Sufficient conditions (Wang et al.)
  • MD4: 122
  • MD5: first block: 294, second block: 309
  • SHA0: 260

18
Message modification technique
[Figure: labels a, b, c, d; rounds 0-15, rounds 16-31, rounds 31-48]
19
Probabilistic method
Conditions satisfied with probability 50%:
  • MD4: < 8
  • MD5: first block: 37, second block: 30
  • SHA0: 42
  • SHA1: 70
In the original papers (better attacks are currently known)
20
SAT Solvers!
  • Goal: find $M$, $M'$ such that $H(M) = H(M')$
  • 1. Select message difference
  • $M' = M + \Delta$
  • 2. Select differential path
  • $b_i' = b_i + \Delta b_i$
  • 3. Find sufficient conditions
  • 4. Message modifications
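
The sufficient condition stated on the "Sufficient conditions" slide can itself be phrased as a SAT query. The following added example (not from the slides and not the authors' encoding) writes bit 0 of f_i = MAJ for M and M' as CNF and uses a minimal DPLL search to confirm that lsb(b) = 0 and lsb(c) = 0 stop a difference from reaching the output. The variable numbering, the assumption that the difference enters through d, and the tiny solver are illustrative choices.

```python
# Added illustration, not code from the slides. Variables are DIMACS-style ints.
B, C, D, D2, M, M2 = 1, 2, 3, 4, 5, 6   # D2/M2: the same bits for message M'

def maj_cnf(b, c, d, m):
    """Clauses forcing m <-> MAJ(b, c, d)."""
    return [[-b, -c, m], [-b, -d, m], [-c, -d, m],
            [b, c, -m], [b, d, -m], [c, d, -m]]

def differ(x, y):
    """Clauses forcing x != y."""
    return [[x, y], [-x, -y]]

def dpll(clauses, assignment=None):
    """Minimal DPLL search: a satisfying {var: bool} dict, or None if UNSAT."""
    assignment = assignment or {}
    remaining = []
    for clause in clauses:
        if any(assignment.get(abs(l)) == (l > 0) for l in clause):
            continue                      # clause already satisfied
        free = [l for l in clause if abs(l) not in assignment]
        if not free:
            return None                   # clause falsified: conflict
        remaining.append(free)
    if not remaining:
        return assignment
    lit = min(remaining, key=len)[0]      # unit clauses get picked first
    for value in (lit > 0, lit < 0):      # try the literal true, then false
        model = dpll(remaining, {**assignment, abs(lit): value})
        if model is not None:
            return model
    return None

def difference_path():
    """Bit 0 of f = MAJ for M and M': b, c shared (no difference),
    d flipped (assumed source of the difference), outputs required to differ."""
    return (maj_cnf(B, C, D, M) + maj_cnf(B, C, D2, M2)
            + differ(D, D2) + differ(M, M2))

def is_sufficient(conditions):
    """True if the conditions make an output difference impossible (UNSAT)."""
    return dpll(difference_path() + conditions) is None

if __name__ == "__main__":
    print("b=0, c=0 sufficient: ", is_sufficient([[-B], [-C]]))
    print("b=0 alone sufficient:", is_sufficient([[-B]]))
    print("counterexample with no conditions:", dpll(difference_path()))
```

Because the other inputs to the step (a_i, w_i, K_i) carry no difference in this setting, an unchanged MAJ bit means an unchanged sum bit, which the rotation by s_i = 3 moves to bit 3 of the new b.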

21
MD4
  • 53K variables, 221K clauses. Success!
  • SatELiteGTI: < 500 sec
  • 0xe1c08802 d0001321 f3fdc66f df600178 46b5c048
    06c516c5 b632403a 88e2fdd5 900f8005 3f936800
    4b187044 64fad83a 01d79002 68f200a8 94ab2328
    2449dd7d
  • collides with
  • 0xe1c08802 50001321 63fdc66f df600178 46b5c048
    06c516c5 b632403a 88e2fdd5 900f8005 3f936800
    4b187044 64fad83a 01d69002 68f200a8 94ab2328
    2449dd7d
22
MD5
  • Hmm… Truncated MD5?

[Figure: truncated MD5, CNF formula, SAT solver, filter, solution]
23
Probabilistic method
[Figure: all messages, reduced-round solutions, full solutions]
24
Where to truncate?
100 hours per full solution
25
Collision in MD5
  • 0x80000000 98163156 d685de69 e985b795 b4320c10
    cd350030 c014ca29 850b7d6d 0934ad59 4871afd0
    aa480edf e4fc0320 7bb68ed1 3b505ddf 5e5d5df6
    b539a48d
  • fcb488ff adf40003 88d9fda4 d72a8fdc a887f4ca
    eec4f800 b75f8b20 7f1e9b51 9ab427cc 45c236f1
    73f20086 e000005a 3b6550cc b6cc1c59 0fe9f71a
    a0403064
  • collides with
  • 0x80000000 98163156 d685de69 e985b795 34320c10
    cd350030 c014ca29 850b7d6d 0934ad59 4871afd0
    aa480edf e4fc0320 7bb68ed1 3b505ddf de5d5df6
    b539a48d
  • fcb488ff adf40003 88d9fda4 d72a8fdc a887f4ca
    eec4f800 b75f8b20 7f1e9b51 9ab427cc 45c236f1
    73f20086 dfff805a 3b6550cc b6cc1c59 0fe9f71a
    a0403064

26
Open problems
  • Cryptographic
      • Break SHA-1
      • Automate the entire attack
      • Other primitives
  • SAT-solving community
      • No truncation!
      • SAT solvers optimized for cryptographic applications: XOR, multiplication, table look-ups, intuition

27
Conclusion
  • First serious SAT-solver-aided cryptanalytic
    effort
  • Several entries into SAT Race 06
  • New applications and challenges