Introduction Solving AX systems BMW analysis Conclusion

pages

English

Documents

Écrit par
Gaëtan Leurent

Publié par
pefav

Lire un extrait

Obtenez un accès à la bibliothèque pour le consulter en ligne En savoir plus

Découvre YouScribe et accède à tout notre catalogue !

Je m'inscris

Découvre YouScribe et accède à tout notre catalogue !

Je m'inscris

pages

English

Documents

Lire un extrait

Obtenez un accès à la bibliothèque pour le consulter en ligne En savoir plus

Publié par

pefav

Nombre de lectures

Langue

English

Introduction Solving AX systems BMW analysis Conclusion Practical Near-Collisions on the Compression Function of BMW Gaëtan Leurent and Søren S. Thomsen University of Luxembourg Technical University of Denmark FSE 2011 G. Leurent, S. Thomsen (Uni.lu & DTU) Practical Near-Collisions on the Compression Function of BMW FSE 2011 1 / 24

fist results

compression function

start collision

rogue certificate

practical near-collisions

Voir

Publié par

pefav

Langue

English

nIt.GorLdeuucrteoinn,t.ShTmoesnoSvlnigXAystsmesMBWnalasysiPracticalNear-Collisions
ontheCompressionFunctionofBMW

U(inl.uGaëtanLeurentandSørenS.Thomsen

&TD)UPUniversityofLuxembourg
TechnicalUniversityofDenmark

artccilaeNra-FSE2011

oCllsioisnnohteoCpmerssoinuFcnitnofoMBWSFE021C1nolcsu1oi/n42
42/21102ESFWMBfonoitcnuFnoisserpmoCehtnosnoisilloC-raeNlacitcarP)UTD&ul.inU(nesmohT.S,tnerueL.GTheSHA-3competition

I
Notselectedforthethirdround

I
BMWwasthe
fastest
second-roundcandidateinsoftware

I
Winnerin2012?

I
5ﬁnalistsinDecember2010

I
51validsubmissions

I
14inthesecondround(July2009)

TheSHA-3competition

noisulcnoCsisylanaWMBsmetsysXAgnivloSnoitcudortnI
nIt.GorLudtcoinoSvlnigXAystsmesMBWnaaHashFunctionDesign

ylsI
Buildasmall
compressionfunction
,and
iterate
.

ueertn,.SI
Cutthemessageinchunks
M
0
,...
M
k
I
H
i
=
f
(
M
i
,
H
i
−
1
)
I
F
(
M
)=
Ω
(
H
k
)

hTmoMM01

sVI

neU(inl.u&f

TD)UH0

rPcaitclaeNf

raC-loilisM2

nosnohteoCf

pmerssoinM3

uFcnitnosifof

MBWH3

SFE021C1nolcsu3oi/n42
42/41102ESFWMBfonoitcnuFnoisserpmoCehtnosnoisilloC-raeNlacitcarP)UTD&ul.inU(nesmohT.S,tnerueL.GCompressionFunctionAttacks

I
Becausegoodcompressionimplygoodhashfunction

I
Becauseit’seasier:moredegreesoffreedom

Fistresultsusuallytargetthe
compressionfunction

Wang’sandStevens’sattacksare
basedonthedBBpath

treceugoR:9002etacﬁi

noisilloC:5002s

I
1996:Semi-free-startcollisions

I
1993:Free-startcollisions

MD5cryptanalysis

[denBoerandBosselaers]

[Dobbertin]

[Wang
et.al
]

[Stevens
et.al
]

IInoisulcnoCsisylanaWMBsmetsysXAgnivloSnoitcudortnI
noisulcnoCsisylanaWMBsmetsysXAgnivloSnoitcudortnICompressionFunctionAttacks

I
Becausegoodcompressionimplygoodhashfunction

I
Becauseit’seasier:moredegreesoffreedom

Fistresultsusuallytargetthe
compressionfunction

Wang’sandStevens’sattacksare
basedonthedBBpath

cﬁitreceugoR:9002eta

C:5002snoisillo

I
1996:Semi-free-startcollisions

I
1993:Free-startcollisions

MD5cryptanalysis

[denBoerandBosselaers]

[Dobbertin]

[Wang
et.al
]

[Stevens
et.al
]

42/41102ESFWMBfonoitcnuFnoisserpmoCehtnosnoisilloC-raeNlacitcarP)UTD&ul.inU(nesmohT.S,tnerueL.GII
nIt.GorLudtcoinM

oSvlnigXAystsmesMBWaBlueMidnightWish

xPyf
0
Q
a

AddElement
f
1

anlf2

syiI
Widepipe:eachlineis16words(32or64bits)

I
Mostofthediffusionhappensin
f
1
I
ARX
:Addition,Rotations,Xors

ueertn,.ShTmoesnU(inl.u&TD)UrPcaitclaeNraC-loilisnosnohteoCpmerssoinuFcnitnosfoMBWH

SFE2oCcnulisseedetails

1015o/n42
noisulcnoCsisylanaWMBsmetsysXAgnivloSnoitcudortnISolvingAXSystems

x
⊕
Δ
=
x

δ

I
Onaverageonesolution
I
Easy
tosolvebecauseit’saT-function.
I
GuessLSB,check,andmovetonextbit

I
Forrandom
δ
,
Δ
,mostofthetimethesystemis
inconsistent

I
Howeasyexactly?

I
Backtrackingis
exponential
intheworstcase:
x
⊕
0x80000000
=
x

ImportantExample

42/61102ESFWMBfonoitcnuFnoisserpmoCehtnosnoisilloC-raeNlacitcarP)UTD&ul.inU(nesmohT.S,tnerueL.G
42/61102ESFWMBfonoitcnuFnoisserpmoCehtnosnoisilloC-raeNlacitcarP)UTD&ul.inU(nesmohT.S,tnerueL.GSolvingAXSystems

x
⊕
Δ
=
x
δ

I
Onaverageonesolution
I
Easy
tosolvebecauseit’saT-function.
I
GuessLSB,check,andmovetonextbit

I
Forrandom
δ
,
Δ
,mostofthetimethesystemis
inconsistent

I
Howeasyexactly?

I
Backtrackingis
exponential
intheworstcase:
x
⊕
0x80000000
=
x

ImportantExample

noisulcnoCsisylanaWMBsmetsysXAgnivloSnoitcudortnI
CsisylanaWMBsmetsysXAgnivloSnoitcudortnISolvingAXSystems

x
⊕
Δ
=
x
δ

I
Onaverageonesolution
I
Easy
tosolvebecauseit’saT-function.
I
GuessLSB,check,andmovetonextbit

I
Forrandom
δ
,
Δ
,mostofthetimethesystemis
inconsistent

I
Howeasyexactly?

I
Backtrackingis
exponential
intheworstcase:
x
⊕
0x80000000
=
x

ImportantExample

42/61102ESFWMBfonoitcnuFnoisserpmoCehtnosnoisilloC-raeNlacitcarP)UTD&ul.inU(nesmohT.S,tnerueL.Gnoisulcno
42/61102ESFWMBfonoitcnuFnoisserpmoCehtnosnoisilloC-raeNlacitcarP)UTD&ul.inU(nesmohT.S,tnerueL.GSolvingAXSystems

x
⊕
Δ
=
x
δ

I
Onaverageonesolution
I
Easy
tosolvebecauseit’saT-function.
I
GuessLSB,check,andmovetonextbit

I
Forrandom
δ
,
Δ
,mostofthetimethesystemis
inconsistent

I
Howeasyexactly?

I
Backtrackingis
exponential
intheworstcase:
x
⊕
0x80000000
=
x

ImportantExample

noisulcnoCsisylanaWMBsmetsysXAgnivloSnoitcudortnI

Voir