Hard and easy components of collision search in the Zémor-Tillich hash function: New attacks and reduced variants with equivalent security

Christophe Petit, UCL Crypto Group

04/22/09 | CRYP-201

Collisions for hash functions

C. Petit, J.J. Quisquater, J.P. Tillich, G. Zémor



Cryptographic hash functions


Graph-based hash functions

• Most hash functions can be seen as

• While Zémor-Tillich is more like


Outline

The Zémor-Tillich hash function

Introduction

New attacks

Reduced variants

Conclusion

The Zémor-Tillich hash function


The Zémor-Tillich hash function

• Introduced at CRYPTO’94 [TZ94]

• Let irreducible over with and let

• Let

• For a message

• Output set has size


The Zémor-Tillich hash function

• Graph and group interpretations of main properties

• Representation problem : given a group and a set , find a product

• Balance problem : find


The Zémor-Tillich hash function

• Previous cryptanalysis:

– Malleability

– Invertibility for short messages [SGGB00]

– Trapdoor attacks on [CP94,AK98,SGGB00]

– Projection to finite fields [G96]

– Subgroup attacks for composite [SGGB00]

• This paper:

– Generic collision and preimage subgroup attacks in time

(instead of and for birthday and exhaustive)

New attacks


Generic collision attack

• Sketch:

1. Find lower triangular matrices

with meet-in-the-middle random search

2. Combine lower triangular matrices to have a lower diagonal matrix with ones in the diagonal by solving discrete logarithms

3. The resulting matrix has order 2

• In each step, we use


Generic collision attack, 1st step

• If for some

Then for some

• To solve the equation:

– Compute and

on various random messages

– For each obtained, store the projective point( )

– After messages, likely to be done


Generic collision attack, 2nd step

• Combine triangular matrices to get a matrix with ones in the diagonal

Use

• Representation problem in finite fields:

Given find

• Equivalent to discrete logarithm [BM97]… that is easy here!

Generic collision attack, 3rd step

• For any ,


Improvements

• Preimage attack:

– A bit more technical, but same ideas

– Same complexity

• Memory-free versions

– Transform the birthday search in the first step into a cycle detection problem

– Use standard techniques (distinguished points, …)


Hard and easy components

• Finding a message hashing to a triangular matrix is “nearly” as hard as finding a message hashing to the identity

• Similarly:

– Finding a message hashing to a diagonal matrix

– Given some vector , finding a message hashing to a matrix with left / right eigenvector

are nearly as hard as finding a message hashing to the identity


Hard and easy components

• The output of ZT is bits while its security is bits: how to extract the secure bits ?

Reduced variants


Vectorial Zémor-Tillich

• The output of ZT is bits while its security is bits: how to extract the secure bits ?

• Vectorial version – Outputs bits

– For a given initial vector , returns

• If the initial vector is chosen randomly, just as secure as the original matrix version
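The matrix and vectorial versions side by side, as an added example that is not part of the original slides. It uses the standard generator matrices of [TZ94]; the toy field GF(2^8), the function names and the row-vector convention (initial vector times the matrix hash) are assumptions made for illustration. It also checks the fact behind the third step of the collision attack: a lower triangular matrix with ones on the diagonal squares to the identity in characteristic 2.

```python
# Toy parameters (constructed for illustration; real instances use a much larger field).
N = 8
P = 0x11B  # X^8 + X^4 + X^3 + X + 1, irreducible over GF(2)
X = 0b10   # the field element X

def gf_mul(a, b):
    """Multiply two elements of GF(2^N) = F_2[X]/(P)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # degree reached N: reduce modulo P
            a ^= P
    return r

def vec_mul(v, m):
    """Row vector (a b) times a 2x2 matrix."""
    a, b = v
    (e, f), (g, h) = m
    return (gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h))

def mat_mul(m1, m2):
    """2x2 matrix product, one row at a time."""
    return (vec_mul(m1[0], m2), vec_mul(m1[1], m2))

IDENTITY = ((1, 0), (0, 1))
# Generators from [TZ94]: A0 = (X 1; 1 0), A1 = (X X+1; 1 1), both of determinant 1.
A = {0: ((X, 1), (1, 0)), 1: ((X, X ^ 1), (1, 1))}

def zt_hash(bits):
    """Matrix version: product of the generators selected by the message bits."""
    h = IDENTITY
    for bit in bits:
        h = mat_mul(h, A[bit])
    return h

def zt_vectorial(bits, v0):
    """Vectorial version: only a 2-element state is kept and updated per bit."""
    v = v0
    for bit in bits:
        v = vec_mul(v, A[bit])
    return v

def det(m):
    (a, b), (c, d) = m
    return gf_mul(a, d) ^ gf_mul(b, c)

def unipotent_squared(c):
    """Square of (1 0; c 1): the off-diagonal entry is c + c = 0 in char. 2."""
    u = ((1, 0), (c, 1))
    return mat_mul(u, u)
```
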


Equivalence between vectorial and matrix versions

• Suppose there is an algorithm finding collisions for the vectorial version…

– Run it on a random

We get where and are the ZT hash values of the colliding messages

– Run it on

We get

– Repeat times


Equivalence between vectorial and matrix versions

• Key observations:

–

– « Homomorphism »

• To find a collision:

– Let

– Find such that


Equivalence between vectorial and matrix versions

• Colliding messages:

–

– where if

• The two messages collide to the value


Projective version

• The output of ZT is bits while its security is bits: how to extract the secure bits ?

• Projective version – Outputs bits

– Returns if the vectorial version returns

• If the initial vector is chosen randomly, « nearly » as secure as the initial matrix version


« Quasi » equivalence between projective and vectorial versions

• Suppose there is an algorithm finding collisions for the projective version…

– Run it on to get and

– Run it on to get and

– After steps, find such that

• Complexity of last step

– Hard asymptotically

( discrete logarithm problems + one subset sum problem)

– Feasible for

Conclusion


Conclusion

• New generic attacks

– Collision attack in time (instead of )

– Preimage attack in time (instead of )

• New variants

– Vectorial variant as secure

– Projective variant « nearly » as secure

– Best attack against projective variant is birthday search

• Zémor-Tillich is not broken

– is too small

– Still a very interesting design

Questions ?