Meet‐in‐the‐Middle Attack Using Output Truncation in 3‐Pass HAVAL
Yu Sasaki
NTT Corporation
07/Sep/2009 ISC2009@Pisa
Yu Sasaki, MitM using output truncation of 3‐Haval
Summary
• HAVAL is a hash function that can produce variable output lengths.
• We present the first analysis on short output sizes of 3‐pass HAVAL.
Output bit-sizes: 128, 160, 192, 224 (wide-pipe: our target); 256 (narrow-pipe: already attacked).
Motivation
• Recently designed hash functions use “wide-pipe” mode (see the SHA-3 round 2 candidates).
  – Internal state size is larger than the hash value.
• Previous work only analyzes without truncation (narrow-pipe). We should analyze wide-pipe.
• It is useful to evaluate SHA-224/SHA-384.
[Figure: H0 → CF(M0) → H1 → CF(M1) → H2 → … → CF(MN-1) → HN, each chaining value n bits; the hash is Trunc. of HN to L bits.]
Target of our attacks
• Our attacks generate the following:
  – Preimages: for given y, find M s.t. Hash_IV(M) = y.
  – Pseudo-preimages: for given y, find (X, M) s.t. Hash_X(M) = y.
• A generic attack will cost 2^n for both attacks.
[Figure: preimage: IV and M enter CF (n bits), then Trunc. to L bits gives y; pseudo-preimage: the same with a chosen X in place of IV.]
Impact of attack
Finding pseudo-preimages indicates:
1. CF is distinguished from a Random Oracle (reduction security).
2. The eTCR property for Key-via-IV is broken (keyed-hash function security).
eTCR: for given (K, M, y), find (K’, M’) s.t. Hash_K’(M’) = y.
[Figure: keyed hash Hash_K: K and M enter CF (n bits), then Trunc. to L bits gives y.]
Results
• We propose 2 approaches to find preimages or pseudo-preimages for short output sizes.

Output length                   256          224      192      160      128
Approach 1   Pseudo-preimage    Not target   2^192    2^160    2^144    -
             Preimage           Not target   -        -        -        -
Approach 2   Pseudo-preimage    Not target   2^160    2^128    2^106    2^84
             Preimage           Not target   2^209    -        -        -

First preimage attacks on HAVAL short output.
HAVAL
• Designed by Zheng, Pieprzyk, Seberry in 1992.
[Figure: H0 → CF(M0) → H1 → CF(M1) → H2 → … → CF(MN-1) → HN, with 256-bit chaining values and 1024-bit message blocks; Trunc. from 256 bits to L bits is executed only if L ≠ 256 and gives y. Attack focus: the last CF and the truncation.]
HAVAL compression function
• Split M_{i-1} into 32-bit message words (m0 || m1 || … || m31).
• Set a 256-bit variable p0 = H_{i-1}.
• Compute the step function: p_{j+1} = Step(p_j, m_{π(j)}), j = 0, 1, …, 95.
• Output H_i = Trunc(p0 + p96).
[Figure: p0 →step(m_{π(0)})→ p1 →step(m_{π(1)})→ p2 →step(m_{π(2)})→ p3 → … → p94 →step(m_{π(94)})→ p95 →step(m_{π(95)})→ p96; D = p0 + p96 is the input of Trunc. and H_i its output.]
Note that the step function is invertible.
HAVAL message schedule
• Message index π for 96 steps:
  – In every 32 steps, each of m0 – m31 appears once.
  – Each m_i appears 3 times during the 96 steps.
  – In each round, the message order changes.
Idea of MitM preimage attack
• Split the message schedule into 2 chunks of steps so that each chunk includes an independent word.
Ex. 2-round (64-step) HAVAL:
  p_{j+1} = Step(p_j, m_{π(j)}), for j = 8, 9, …, 54
  p_j = Step^{-1}(p_{j+1}, m_{π(j)}), for j = 7, 6, …, 0
  p64 = y − p0
  p_j = Step^{-1}(p_{j+1}, m_{π(j)}), for j = 63, 62, …, 55
One chunk is a function of m9 and independent of m2; the other is a function of m2 and independent of m9.
Idea of MitM preimage attack
• When we split the message schedule into 2 chunks, up to 9 consecutive steps can be skipped.
Ex. 3-round (96-step) HAVAL. [Figure: the 96 steps with the skipped steps and the MitM start point marked.]
This strategy doesn’t work for truncated output (in other words, wide-pipe mode).
Problem of previous work
[Figure: p0 →step(m_{π(0)})→ p1 →step(m_{π(1)})→ p2 → … →step(m_{π(95)})→ p96, all 256-bit; D = p0 + p96 (256 bits) → Trunc. → y (224 bits in this example).]
• The hash value is truncated, hence the cost of the brute-force attack is reduced (in this case: 2^224).
• MitM on a 256-bit variable with 32 free bits costs the same as the brute-force attack.
• If each chunk includes more than 1 independent word, the attack works. But this is unlikely to occur.
Attack outline
• Approach 1
  – Use unbalanced free bits in the two chunks.
  – Increase the free bits by finding all inverse images in the truncated function.
• Approach 2
  – Perform the match of the MitM on the input of the truncated function.
Approach 1: unbalanced free bits
• Consider the 224-bit output (1-word truncation).
• It is unlikely that both chunks have 2 free words.
• The following situation often occurs: a chunk includes 2 free words, but the other includes 1.
Previous MitM: unbalanced free bits
[Figure: y given; steps 0 to 95 are split into a chunk with free word m5 (32-bit) and a chunk with free words (m27, m28) (64-bit); p88 is fixed and the MitM match is performed between the chunks.]
Even if a chunk has 64 free bits, the attacker's advantage is limited to only 32 bits as long as the other chunk has only 32 free bits.
Attack on 224-bit output
[Figure: p0 given; the same two chunks (m5: 32-bit, (m27, m28): 64-bit) with p88 fixed; Trunc. (256 → 224 bits) is inverted: from y, find all 2^32 values D (256 bits) s.t. Trunc(D) = y.]
• Invert Trunc.: find all 2^32 D s.t. Trunc(D) = y.
• The red chunk (the one with m5) now includes 64 free bits: (m5, D). Pseudo-preimages are found with cost 2^256 · 2^-64 = 2^192.
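The following Python toy, added here and not code from the talk or the paper, models Approach 1 on a constructed 16-bit state whose output is truncated to 12 bits: inverting the truncation gives the chunk with one free word 2^4 extra values of D, balancing the two chunks at 8 free bits each, so the match on the full 16-bit state succeeds in roughly 2^9 step evaluations per trial instead of the brute-force 2^12 compressions. The step function, constants and 12-step schedule are invented for the toy (only their HAVAL-like properties matter: invertible steps, D = p0 + p12 before truncation, and a schedule in which chunk A avoids words 4 and 5 and chunk B avoids word 0).

```python
import random
N, MASK, TRUNC_BITS = 16, 0xFFFF, 4            # 16-bit state, output truncated to 12 bits
MUL, MUL_INV = 0x2F6B, pow(0x2F6B, -1, 1 << 16)
K = [(j * 0x9E37 + 0x7F4A) & MASK for j in range(12)]  # constructed per-step constants
# Constructed 12-step schedule: word 0 is used only in chunk A (steps 6..11, 0, 1),
# words 4 and 5 only in chunk B (steps 2..5); words 1..3 stay fixed during the MitM.
SCHEDULE = [1, 0, 4, 5, 4, 5, 2, 0, 3, 1, 2, 3]
COUNT = [0]                                    # step evaluations performed (attack cost)

def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK

def step(p, m, j):                             # invertible toy step: xor word, mul, add, rotate
    COUNT[0] += 1
    return rotl((((p ^ (m * 0x1111)) * MUL) + K[j]) & MASK, 5)

def inv_step(q, m, j):                         # exact inverse of step()
    COUNT[0] += 1
    return (((rotl(q, N - 5) - K[j]) * MUL_INV) & MASK) ^ (m * 0x1111)

def compress(p0, M):                           # H = Trunc(p0 + p12); Trunc drops the low 4 bits
    p = p0
    for j in range(12):
        p = step(p, M[SCHEDULE[j]], j)
    return ((p0 + p) & MASK) >> TRUNC_BITS

def pseudo_preimage(y, seed=1, max_trials=1000):
    """Find (p0, M, cost) with compress(p0, M) == y by matching on the full state p2."""
    rng, start = random.Random(seed), COUNT[0]
    for _ in range(max_trials):
        M = [rng.randrange(16) for _ in range(6)]   # words 1..3 fixed for this trial
        p6 = rng.randrange(1 << N)                   # MitM starts from a chosen middle state
        table = {}                                   # chunk B: p6 -> p2 with m4, m5 free (8 bits)
        for m4 in range(16):
            for m5 in range(16):
                p, M[4], M[5] = p6, m4, m5
                for j in (5, 4, 3, 2):
                    p = inv_step(p, M[SCHEDULE[j]], j)
                table[p] = (m4, m5)
        for m0 in range(16):                         # chunk A: m0 free (4 bits) ...
            M[0], p = m0, p6
            for j in range(6, 12):
                p = step(p, M[SCHEDULE[j]], j)       # p is now p12
            for t in range(1 << TRUNC_BITS):         # ... plus every D with Trunc(D) == y (4 bits)
                p0 = (((y << TRUNC_BITS) | t) - p) & MASK   # feed-forward: p0 = D - p12
                p2 = step(step(p0, M[SCHEDULE[0]], 0), M[SCHEDULE[1]], 1)
                if p2 in table:                      # 2^8 x 2^8 pairs matched on a 16-bit value
                    M[4], M[5] = table[p2]
                    return p0, M, COUNT[0] - start
    return None
```

pseudo_preimage(y) returns the chaining input p0, the 6-word message and the number of step evaluations spent; compress(p0, M) == y checks the result, and the cost stays far below the 12 · 2^12 step evaluations of an exhaustive search over the 12-bit output.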
Approach 2 (match at input of Trunc.)
[Figure: p0 →step(m_{π(0)})→ p1 →step(m_{π(1)})→ p2 → … →step(m_{π(95)})→ p96, all 256-bit; D = p0 + p96 (256 bits) → Trunc. → y (224 bits in this example).]
Split the steps into 2 chunks so that the match of the MitM is performed on D, the variable that is the input of the truncation.
Attack idea
[Figure: the 256-bit state D as eight 32-bit words Q_{j-7}, Q_{j-6}, …, Q_j. (1) Without truncation: some words are matched efficiently and the remaining words are satisfied randomly. (2) With truncation to y: the words discarded by the truncation are not matched at all; the remaining words are again split into an efficient match and a random search.]
The randomly searched space is reduced. The attack efficiency does not change.
Chunk separation for approach 2
[Figure: chunk separation over the 96 steps.]
The match is performed between Step 0 and 95.
Note: the truncation of HAVAL is more complicated. More detailed analysis is necessary.
Results (the results table is the same as above)
• Approach 2 is prevented by a small tweak of Trunc.
• Approach 1 works as long as Trunc^{-1} is easily computed.
Summary
• Two approaches for finding preimages and pseudo-preimages against wide-pipe hashes with the MitM attack.
• First results on short-output 3-pass HAVAL.
• This technique can also be applied to reduced SHA-224 and SHA-384:
  Kazumaro Aoki, Jian Guo, Kristian Matusiewicz, Yu Sasaki, Lei Wang. Preimages for Step-Reduced SHA-2, Asiacrypt’09.
Thank you for your attention!!