Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Cryptanalysis of Hash Functions of the MD4-Family CITS – Cryptology.

Ruhr-Ruhr-UniversitätUniversitätBochumBochumFakultät für MathematikFakultät für Mathematik

Informationssicherheit und KryptologieInformationssicherheit und Kryptologie

CryptanalysisCryptanalysis

of Hash Functionsof Hash Functions

of the MD4-Familyof the MD4-Family

CITS – Cryptology and Information SecurityCITS – Cryptology and Information Security

Faculty of MathematicsFaculty of Mathematics

Ruhr University BochumRuhr University Bochum

Magnus Daum

16.11.2004 Daum - Cryptanalysis of Hash Functions of the MD4-Family 2



OverviewOverview

• Hash Functions: Properties and Applications• The MD4-Family

– Design Principles– „Historical“ Overview

• Attack Techniques– Dobbertin‘s Attacks on MD4, MD5 and RIPEMD

• Improvements of Dobbertin‘s Methods

– Chabaud/Joux and Biham/Chen Attacks on SHA-0/1– Wang et al. Attacks on MD4, MD5 HAVAL and RIPEMD

• Conclusions




Properties and ApplicationsProperties and Applications




What is a Hash Function?What is a Hash Function?

• A hash function – is efficiently computable– compresses information of arbitrary length to

some information of fixed length („digital fingerprint“)

messageHash function




ApplicationApplication in Digital Signature Schemesin Digital Signature Schemes

BobAlice

Alice

Alice

Alice

Alice

Signature okay?

?=

h h




Properties ofProperties of Cryptographic HashfunctionsCryptographic Hashfunctions

• preimage-resistance:„Given V, find M such that h(M)=V“ is infeasible

• 2nd-preimage-resistance:„Given M, find M‘M such that h(M‘)=h(M)“

is infeasible

• collision-resistance:„Find M‘M such that h(M‘)=h(M)“ is infeasible




ApplicationApplication in Digital Signature Schemesin Digital Signature Schemes

BobAlice

AliceAlice

?=

Eve

€ 10k € 50k

h h

Alice, please sign this contract!

€ 10k

Bob, Alice signed this contract!

€ 50k

Alice

h h

Okay, I will sign the contract about €10k.

Alice signed the contract about

€50k.

Signature is okay !

Collision!




Hash Functions of the MD4 FamilyHash Functions of the MD4 Family




MD4-Family

Hash FunctionsHash Functions

• Hash functions of practical interest:– Hash functions based on blockciphers:

• Matyas-Meyer-Oseas, Davies-Meyer, Miyaguchi-Preneel• MDC-2, MDC-4

– Dedicated hash functions:• MD4, MD5• RIPEMD-{0,128,160,256,320}• SHA-{0,1,224,256,384,512}• HAVAL• Tiger• Whirlpool




General StructureGeneral Structure

• Iterated Compression Functions

collision-resistance of the compression function

collision-resistance of the hash function




Common Structure of theCommon Structure of the Compression FunctionsCompression Functions

Message Expansion




Different Message ExpansionsDifferent Message Expansions

MD / RIPEMD• roundwise permu-

tations of the Mi

SHA• recursive definition

e.g. SHA-1:




Step OperationStep Operation

SHA-0/1:MD5:

• Only 1 register changed per step• Mixture of different kinds of operations




SHA-224SHA-256SHA-384SHA-512 (NIST, ’02/04)

SHA-0 (NIST, ’93)

Overview MD4-FamilyOverview MD4-Family

MD4 (Rivest ‚‘90)Ext. MD4

(Rivest ‚‘90)

RIPEMD-0 (RIPE, ‘92) MD5

(Rivest ‚‘92)

RIPEMD-128RIPEMD-160RIPEMD-256RIPEMD-320 (Dobbertin, Bosselaers, Preneel ‘96)

SHA-1 (NIST, ’95)HAVAL

(Zheng, Pieprzyk, Seberry ‚‘93)

Dobbertin ‚’95/96Kasselman/ Penzhorn‚ 2000

Chabaud/Joux‚ ‘98

van Rompay/ Preneel/???‚ 2003

Biham/Chen‚ 2004

Joux‚ 2004

Wang/Feng/ Lai/Yu‚ 2004




Attack MethodsAttack Methods




• „Find M‘M such that h(M‘)=h(M)“• Three different kinds of (successfull) attacks:

– Dobbertin (1995/96)– Chabaud/Joux (1998),

Biham/Chen(2004),Joux(2004)

– Wang/Feng/Lai/Yu (2004)• all attacks use some kind of differential pattern

– input differential output differential– modular differentials XOR differentials

Collision AttacksCollision Attacks




Dobbertin‘s AttackDobbertin‘s Attackon MD4, MD5, RIPEMDon MD4, MD5, RIPEMD




General PrincipleGeneral Principle

• Idea: Describe the whole Compression functions by the means of a huge system of equations

• Variables:– Message words– Contents of the registers

• Equations:– Step operation– Message Expansion– Collision




General PrincipleGeneral Principle

• Properties of these systems of equations:– Strongly underdefined

Many degrees of freedom May consider highly specialised cases in order to

simplify the system and avoid the avalanche effect

– Equations include many very different kinds of operations, e.g. F2-linear, „modulo 232“ operations and bitwise defined Boolean functions

Hard to solve with algebraic means Special methods are needed




• Try to find with

• Message expansion by roundwise permutation in MD5:

– Each Mi is used in exactly four steps in the computation

– Choose especially 15=1 and i=0 for all other i

Computations for and differ only in 4 Steps

Example: Attack on MD5Example: Attack on MD5

fM M

fMM

M 6 fM hM h fM




Attack on MD5Attack on MD5

• Computations run in parallel to each other up to the first appearance of i 0

• Another special restriction:Require Inner Collisions(► further step operations which run in parallel)

i=0

i=0

i=0

150

150

150

150




Main steps in the attack:• Choose • Find 2 inner Collisions• Connect inner

Collisions • Connect IV and first

inner Collision

How to do this ?► By solving

systems of equations

i=0

i=0

i=0

150

150

150

150





Setting up theSetting up the Systems of EquationsSystems of Equations

• By the example of the step operation of SHA-1:

Rt: new content of register changed in step t

• Kt: constants

• Wt: message words

• f bitwise defined Boolean functionf2{MAJ,ITE,XOR}




Setting up theSetting up the Systems of EquationsSystems of Equations

• Two Equations for each Step:

• Inner Collision after Step t:

• Message expansion:




Specialized AlgorithmsSpecialized Algorithmsfor Solvingfor Solving

such Systems of Equationssuch Systems of Equations




Specialized AlgorithmsSpecialized Algorithms

• Equations include different kinds of operations:– addition/subtraction modulo 2n

– bitwise defined functions– bitrotations / -shifts

• Two kinds of auxiliary means:– for transforming the equations– for determining/representing the set of solutions of

such equations




Examples for TransformationExamples for Transformation




Algorithms for Determining/ Algorithms for Determining/ Representing the Set of SolutionsRepresenting the Set of Solutions

• Naive idea: exhaustive search• Dobbertin‘s method from the attack on

MD4/MD5:– Solving „from right to left“– Basic Idea: Solutions for the least significant k bit

of the equations are extensions of solutions of the least significant k-1 bits

– Consider equations bitwise from the right to the left and try to extend the found solutions( tree of solutions)





x

x

x

x

tree of solutions





x

x

x

x

tree of solutions

• Often possible to stop early• Faster than exhaustive

search• For each solution there

exists a leaf in the tree• Complexity directly related

to the number of solutions• Problem: We are mainly

interested in equations with many solutions.





x

x

x

x

• Idea:Combine redundant subtrees

• Problem: Detect redundancy during the construction of the graph

• Only the carrybit is relevant for the

solution for the third bit

tree of solutions





• Labeling the vertices with the carrybits makes it possible to detect redundancies

• Number of needed carrybits gives an upper bound on the width of the graph of solutions





x

x

x

x




x


xx

x

x

graph of solutions

1100 1001

1100 1001

1100 1001

00

x

x

x




graph of solutions


x

x

x

x

• Compact representation of the set of solutions

• Can be simplified even more





• Solution graphs are very similar to so called BDDs (Binary Decision Diagram)

• Further efficient algorithms from the theory of BDDs deriveable:– further reduction/minimalisation of the size– computing the number of solutions– combining solution graphs (e.g. intersecting two

sets of solutions)




Chabaud/Joux Chabaud/Joux Attack on SHA-0Attack on SHA-0




Attack on SHA-0Attack on SHA-0

• Chabaud/Joux (Crypto ’98):Collisions for SHA-0 can be found with complexity 261

• Idea:– Differential Attack with XOR-differences– Linearisation of the compression function




Basic IdeasBasic Ideas• Linear parts:

– Differences are propagated deterministically– Behaviour of differences is

• predictable• not modifiable

– Usually chosen to cause a strong avalanche effect

• Non-linear parts:– Propagation of differences not unique but depends

on actual contents of the registers– Behaviour is more difficult to predict– Gives freedom to an attacker, e.g. to counteract

the avalanche effect




Structure of the AttackStructure of the Attack

(1) Linearisation of the compression function

(2) Find a differential pattern that leads to a collision for the linearised function

(3) Find actual contents for the registers (from processing one actual message) which fit to the differential pattern found before(-> same differential propagation in the real compression function)




Linearisation of theLinearisation of the compression functioncompression function

• 3 non-linear parts in SHA-0:– addition modulo 232

– –

• Can all be approximated by bitwise © (linear)

X ;Y;Z X Y ©X Z ©Y Z X ;Y;Z X Y ©X Z




Elementary CollisionsElementary Collisions

A B C D E

• each collision of the complete (linearised) compression function is a linear combination of such elementary collisions

I

I

I

I

I

I

¡

I

I ¡

I

I ¡ I ¡

I ¡

I ¡

I ¡

I ¡

I ¡




Finding a Collision forFinding a Collision for the Linearised Functionthe Linearised Function

M512 bits

W32R bits

contents of the registers

160R bits

linearmessage expansion

linearised step operations

collision:last 160 bits =0

looking for codewords of small

Hammingweight(to simplify last step)

• consider only differences not messages




ConditionsConditions

• Returning to original (non-linearized) compression function leads to conditions on register values, e.g.:

► list of conditions for each step in the computation

• zero differences cause no conditions

► number of conditions corresponds to number of nonzero bits in found difference vector

( look for small hamming weights)

X ;Y;Z X Y ©X Z

X ©Y ©Z © X ©Y © ©Z X ;Y;Z X ;Y ©; Z © , X




Finding the actual collisionFinding the actual collision

• Step by step (from step k2{1,..15}) choose random values for Mk until a value for Mk is found such that all conditions for step k are fulfilled

• Test random values for M16 until– all conditions for steps 16,…,80 are fulfilled

► Collision found !!!– some limit on the number of tries is reached

► start again with different values for M1,…M15

► Complexity depends mainly on the number of conditions for steps 16,…,80




Biham/Chen: Neutral BitsBiham/Chen: Neutral Bits

• Improvement of Chabaud/Joux attack:– Find a message that fulfills the conditions up to

some step r>15– Look for bits of the message that can be changed

without changing the „differential behaviour“ up to step r („neutral bits“)

– These bits allow to produce a large number of messages which fulfill the conditions up to step r automatically




Biham/Chen: Neutral BitsBiham/Chen: Neutral Bits

• Improvement of Chabaud/Joux attack:

►reduces number of conditions that have to be fulfilled (only for steps r+1,…,80)

►increases probability of success

– choose r such that ratio of number of producable messages to increased probability is optimal




Attacks on MD4, MD5, Attacks on MD4, MD5, RIPEMD and HAVALRIPEMD and HAVAL

by Wang et al.by Wang et al.




Wang et al. AttackWang et al. Attack

• Differential attack with modular differences• Starts from a given message and modifies

some/many of its bits to produce a collision

• Two main parts:– Choose differential pattern (done by hand)– Basic and Advanced Modifications





• Input differences chosen to produce an elementary collision in Round 3:

► Choose M12= W35=216, M2= W36=231+228,M1= W40=231, Mi= 0 for i{1,2,12}





• similar situation as in Dobbertin‘s attack

• look for appropriate output differences in round 1 and 2

• Now Wi also fixed, but some freedom in choosing XOR-differences:

but depends on the actual values of and

• leads to conditions similar as in Chabaud/Joux attack




Basic ModificationsBasic Modifications

• Start with an arbitrary message M and compute the register values Ri up to some step k, for which one of the conditions for Rk is not fulfilled

• if 0·k·15, correct bit by a „basic modification“:– Correct all „wrong“ bits in Rk

– Change message word Mk by

• step by step that way all conditions for round 1 (steps 0-15) can be fulfilled




Advanced ModificationsAdvanced Modifications

• if k>15, correct bit by an „advanced modification“:– find a message bit which can be used to correct the

wrong bit in Rk

– change some (usually five) message words Mi such that as few bits as possible in R0,…, R15 are changed

– e.g. to change R16,i we may change M0,i-3:

– this can be done by changing R0,i:

– also influences M1, M2, M3, M4:

– check whether other conditions are still fulfilled





• design of MD5 allows differential pattern for round 3+4 which leads to near-collision

• attack uses two applications of the compression function with two different but related differential patterns:

(0,0,0,0) (231, 231 -225, 231 -225, 231 -225)

(231,231-225,231-225,231-225) (231, 231+225, 231+225, 231+225)

• addition of IV at the end of compression function causes differences to cancel




Wang et al. AttacksWang et al. Attacks

• similar attacks on RIPEMD-0, HAVAL• method allows to attack about 3 rounds in

general• more than this depends on special

weaknesses:– MD5: propagation of 231 difference because of step

operation– RIPEMD: 2£3 rounds possible because of

parallelism

• claim to have an attack on SHA-0 in 240, but not yet implemented




ConclusionsConclusions

• Presented methods of attacks on collision resistance of different hash functions:– not collision-resistant:

MD4, MD5, HAVAL, RIPEMD-0, SHA-0– seem to be still secure (at least for some time):

RIPEMD-{160,256,320}, SHA-{1,224,256,384,512}

• Possible to improve or combine techniques?• Attacks on (second) preimage resistance?




Thank you!Thank you!

Questions???Questions???

Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Cryptanalysis of Hash Functions of the MD4-Family CITS – Cryptology.

Documents

md4family8 hash functions

dedicated hash functions

daum cryptanalysis

md4 family slide

md4family14 sha

overview md4family md4

md4family3 properties

infeasible slide