
Page 1: Meet-in-the-Middle Attack Using Output Truncation in 3 ...isc09.di.unimi.it/slides/isc09_Session2_2.pdf · Meet‐in‐the‐Middle Attack Using Output Truncation in 3‐Pass HAVAL

Meet‐in‐the‐Middle Attack Using Output Truncation in 3‐Pass HAVAL

Yu Sasaki

NTT Corporation

07/Sep/2009 ISC2009@Pisa

1/22

Page 2: Summary

Yu Sasaki, MitM using output truncation of 3‐Haval

• HAVAL is a hash function that can produce variable output lengths.

• We present the first analysis on short output sizes of 3‐pass HAVAL.

Output bit‐sizes: 128, 160, 192, 224 (wide‐pipe: our target); 256 (narrow‐pipe: already attacked)

Page 3: Motivation

• Recently designed hash functions use the "wide‐pipe" mode. (See the SHA‐3 round 2 candidates.)
  – The internal state size is larger than the hash value.

• Previous work only analyzes without truncation (narrow‐pipe). We should analyze wide‐pipe.

• It is useful to evaluate SHA‐224/SHA‐384.

[Figure: iterated hash. H0 →(M0) CF → H1 →(M1) CF → H2 → … → HN‐1 →(MN‐1) CF → HN → Trunc. → Hash. Each Hi and each CF output is n bits; the final hash after truncation is L bits.]

Page 4: Target of our attacks

• Our attacks generate the following:

  Preimages: for given y, find M s.t. Hash_IV(M) = y.

  Pseudo‐preimages: for given y, find (X, M) s.t. Hash_X(M) = y.

• A generic attack will cost 2^n for both attacks.

[Figure: preimage: IV, M → CF (n bits) → Trunc. → y (L bits). Pseudo‐preimage: X, M → CF (n bits) → Trunc. → y (L bits).]

Page 5: Impact of attack

Finding pseudo‐preimages indicates:

1. CF is distinguished from a Random Oracle. (reduction security)

2. The eTCR property for Key‐via‐IV is broken. (keyed‐hash function security)

eTCR: for given (K, M, y), find (K', M') s.t. Hash_K'(M') = y.

[Figure: Hash_K(M): K, M → CF (n bits) → Trunc. → y (L bits).]

Page 6: Results

• We propose 2 approaches to find preimages or pseudo‐preimages for short output sizes.

Output length                256         224     192     160     128
Approach 1, pseudo‐preimage  Not target  2^192   2^160   2^144   ‐
Approach 1, preimage         Not target  ‐       ‐       ‐       ‐
Approach 2, pseudo‐preimage  Not target  2^160   2^128   2^106   2^84
Approach 2, preimage         Not target  2^209   ‐       ‐       ‐

First preimage attacks on HAVAL short output.

Page 7: HAVAL

• Designed by Zheng, Pieprzyk, Seberry in 1992.

[Figure: H0 (256 bits) →(M0, 1024 bits) CF → H1 (256) →(M1) CF → H2 → … → HN‐1 →(MN‐1) CF → HN (256) → Trunc. → y. The truncation is executed only if L ≠ 256. Attack focus: the final CF call followed by the truncation.]

Page 8: HAVAL compression function

• Split M_{i‐1} into 32‐bit message words (m_0 || m_1 || … || m_31).

• Set a 256‐bit variable p_0 = H_{i‐1}.

• Compute the step function: p_{j+1} = Step(p_j, m_π(j)), j = 0, 1, …, 95.

• Output H_i = Trunc(p_0 + p_96).

[Figure: p_0 →(m_π(0)) step → p_1 →(m_π(1)) step → p_2 →(m_π(2)) step → p_3 → … → p_94 →(m_π(94)) step → p_95 →(m_π(95)) step → p_96; D = p_0 + p_96 → Trunc. → H_i.]

Note that the step function is invertible.

Page 9: HAVAL message schedule

• Message index π for 96 steps: [Table: the message index π for the 96 steps.]

• In every 32 steps, each of m_0 – m_31 appears once.

• Each m_i appears 3 times during the 96 steps.

• In each round, the message order changes.

Page 10: Idea of MitM preimage attack

• Split the message schedule into 2 chunks of steps so that each chunk includes an independent word.

Ex. 2‐round (64‐step HAVAL)

  p_{j+1} = Step(p_j, m_π(j)), for j = 8, 9, …, 54
    → function of m_9, independent of m_2

  p_j = Step^{‐1}(p_{j+1}, m_π(j)), for j = 7, 6, …, 0
  p_64 = y ‐ p_0
  p_j = Step^{‐1}(p_{j+1}, m_π(j)), for j = 63, 62, …, 55
    → function of m_2, independent of m_9

Page 11: Idea of MitM preimage attack (same slide as page 10, animated: the start point and the MitM match are marked)

Page 12: Idea of MitM preimage attack

• When we split the message schedule into 2 chunks, up to 9 consecutive steps can be skipped.

Ex. 3‐round (96‐step HAVAL)

[Figure: the 96‐step schedule with the start point and the skipped steps marked.]

This strategy doesn't work for truncated output (in other words, wide‐pipe mode).

Page 13: Problem of previous work

[Figure (Ex.): p_0 →(m_π(0)) step → p_1 →(m_π(1)) step → p_2 →(m_π(2)) step → p_3 → … → p_94 →(m_π(94)) step → p_95 →(m_π(95)) step → p_96; D → Trunc. → y. All p_j and D are 256 bits; y is 224 bits.]

• The hash value is truncated, hence the cost of a brute‐force attack is reduced (this case: 2^224).

• A MitM on a 256‐bit variable with 32 free bits costs the same as the brute‐force attack.

• If each chunk includes more than 1 independent word, the attack works. But this is unlikely to occur.

Page 14: Attack outline

• Approach 1
  – Use unbalanced free bits in the two chunks.
  – Increase the free bits by finding all inverse images in the truncated function.

• Approach 2
  – Perform the match of the MitM on the input of the truncated function.

Page 15: Approach 1: unbalanced free bits

• Consider the 224‐bit output (1‐word truncation).

• It is unlikely that both chunks have 2 free words.

• The following situation often occurs: a chunk includes 2 free words, but the other includes 1.

Page 16: Previous MitM: unbalanced free bits

y given.

Even if a chunk has 64 free bits, the attacker's advantage is limited to only 32 bits as long as the other chunk has only 32 free bits.

[Figure: steps 0 to 95; the chunk containing m_5 has 32 free bits, the chunk containing (m_27, m_28) has 64 free bits; p_0 and p_88 (fixed) are marked; MitM between the two chunks.]

Page 17: Attack on 224‐bit output

[Figure: same chunk layout as page 16 (p_0, m_5, p_88 fixed, 32‐bit chunk vs 64‐bit chunk (m_27, m_28), steps 0 to 95), plus the inverted truncation: D (256 bits) → Trunc. → 224 bits → y.]

Invert Trunc.: find all 2^32 D s.t. Trunc(D) = y (32 free bits).

The red chunk now includes 64 free bits: (m_5, D). Pseudo‐preimages are found with 2^256 × 2^‐64 = 2^192.

Page 18: Approach 2 (match at input of Trunc.)

Split the steps into 2 chunks so that the match is performed on the variable D, the input of the truncation.

[Figure (Ex.): p_0 →(m_π(0)) step → p_1 →(m_π(1)) step → p_2 →(m_π(2)) step → p_3 → … → p_94 →(m_π(94)) step → p_95 →(m_π(95)) step → p_96; D (256 bits) → Trunc. → y (224 bits). All p_j are 256 bits.]

Perform the match of the MitM on the variable which is the input of the truncation.

Page 19: Attack idea

[Figure: two rows of register words Q_{j‐7} Q_{j‐6} Q_{j‐5} Q_{j‐4} Q_{j‐3} Q_{j‐2} Q_{j‐1} Q_j, one from each chunk, meeting at D; after truncation only Q_{j‐5} … Q_j remain and are compared with y.
(1) Without truncation: some words give an efficient match, the remaining words are randomly satisfied.
(2) With truncation: the same words give an efficient match, fewer words are randomly satisfied, and the truncated words are discarded.]

The randomly searched space is reduced. The attack efficiency does not change.

Page 20: Chunk separation for approach 2

[Figure: chunk separation over steps 0 to 95.]

The match is performed between Step 0 and Step 95.

Note: Truncation of HAVAL is more complicated. More detailed analysis is necessary.
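The chunk‐splitting idea of pages 10 to 13, the truncation inversion of Approach 1 (pages 15 to 17) and the match at the input of the truncation of Approach 2 (pages 18 to 20), carried out on a toy in Python. This is an added example, not code from the slides or the paper, and it is not HAVAL: the compression function is shrunk to 4‐bit words, a 4‐word state, an 8‐word block and 2 passes, with a constructed message order PI, step function, Boolean function ch and constants K; the truncation is modelled as dropping the last state word (page 20 notes that HAVAL's truncation is more complicated); both chunks are built splice‐and‐cut style from a chosen start state, the backward chunk passing through the feed‐forward as p16 = D ‐ p0; the chunk positions and neutral words (m3, m4 forward; m1 or m2 backward) were chosen for this toy schedule and are not the paper's; and in approach2 the skipped last step (the step skipping of page 12) is exactly the step that produces the discarded word, so the match is on the 12 kept bits of D. verify() recomputes the full compression, and each attack returns a count of chain evaluations so the variants can be compared with the 2^12 brute force on the 12‐bit toy output.

```python
"""Toy splice-and-cut MitM (pseudo-)preimage search on a shrunken HAVAL-like
compression function.  Constructed illustration: 4-bit words, 4-word state,
8-word block, 2 passes.  Nothing here is real HAVAL."""
import itertools
import random

W, NWORDS, NMSG = 4, 4, 8           # HAVAL: 32-bit words, 8-word state, 32-word block
MASK = (1 << W) - 1
PI = list(range(NMSG)) + [5, 3, 4, 0, 7, 6, 1, 2]   # toy schedule: pass 1 in order, pass 2 permuted
NSTEPS = len(PI)                    # 16 (3-pass HAVAL: 96)
K = [(7 * j + 3) & MASK for j in range(NSTEPS)]     # toy step constants

def rotl(x, r): return ((x << r) | (x >> (W - r))) & MASK
def rotr(x, r): return ((x >> r) | (x << (W - r))) & MASK
def ch(b, c, d): return (b & c) ^ (~b & d & MASK)   # toy Boolean function

def step(p, m, j):                  # state rotates, one new word is computed
    a, b, c, d = p
    return (b, c, d, (rotr(ch(b, c, d), 1) + rotl(a, 2) + m + K[j]) & MASK)

def step_inv(p, m, j):              # invertible: recover the word that was rotated out
    b, c, d, t = p
    return (rotr((t - rotr(ch(b, c, d), 1) - m - K[j]) & MASK, 2), b, c, d)

def chain(p, M, steps, inverse=False):
    for j in steps:
        p = (step_inv if inverse else step)(p, M[PI[j]], j)
    return p

def compress(p0, M):                # returns D = p0 + p16 (feed-forward, word-wise mod 2^W)
    p16 = chain(p0, M, range(NSTEPS))
    return tuple((x + y) & MASK for x, y in zip(p0, p16))

def trunc(D, l_words):              # toy truncation: keep the first l words (HAVAL's is more involved)
    return tuple(D[:l_words])

def verify(p0, M, y, l_words):
    return trunc(compress(p0, M), l_words) == tuple(y)

def _enum(M, words):                # all values of the free words, written into M in place
    for vals in itertools.product(range(1 << W), repeat=len(words)):
        for w, v in zip(words, vals):
            M[w] = v
        yield vals

def _fresh(rng):                    # new fixed message words and start state for one iteration
    return [rng.randrange(1 << W) for _ in range(NMSG)], tuple(rng.randrange(1 << W) for _ in range(NWORDS))

def approach1(y, l_words, invert_trunc, seed):
    """Forward chunk: steps 2..13, free words m3, m4.  Backward chunk: steps 1, 0,
    then p16 = D - p0 through the feed-forward, then steps 15, 14; free word m1 and,
    with invert_trunc, the choice of D among all values with trunc(D) == y.
    Match on the full state p14.  Returns (p0, M, chain evaluations)."""
    START, MATCH, FWD, BWD, rng, y = 2, 14, [3, 4], [1], random.Random(seed), tuple(y)
    tails = itertools.product(range(1 << W), repeat=NWORDS - l_words)
    cands = [y + t for t in tails] if invert_trunc else [y + next(tails)]
    work = 0
    while True:
        M, p_start = _fresh(rng)
        fwd = {}
        for vals in _enum(M, FWD):
            fwd[chain(p_start, M, range(START, MATCH))] = vals
            work += 1
        for _ in _enum(M, BWD):
            p0 = chain(p_start, M, range(START - 1, -1, -1), inverse=True)
            for D in cands:
                p16 = tuple((d - x) & MASK for d, x in zip(D, p0))
                p14 = chain(p16, M, range(NSTEPS - 1, MATCH - 1, -1), inverse=True)
                work += 1
                if p14 in fwd:
                    for w, v in zip(FWD, fwd[p14]):
                        M[w] = v
                    return p0, M, work

def approach2(y, l_words, seed):
    """Match at the input of the truncation.  Forward chunk: steps 3..14 (free m3, m4)
    gives p15; step 15 is skipped because it only produces the word the truncation
    discards, so p16[:l] = p15[1:l+1] is known without m2.  Backward chunk: steps
    2, 1, 0 (free m2) gives p0.  Match the kept words of D = p0 + p16 against y."""
    START, FWD, BWD, rng, y = 3, [3, 4], [2], random.Random(seed), tuple(y)
    assert 1 <= l_words < NWORDS
    work = 0
    while True:
        M, p_start = _fresh(rng)
        fwd = {}
        for vals in _enum(M, FWD):
            p15 = chain(p_start, M, range(START, NSTEPS - 1))
            fwd[p15[1:l_words + 1]] = vals
            work += 1
        for _ in _enum(M, BWD):
            p0 = chain(p_start, M, range(START - 1, -1, -1), inverse=True)
            want = tuple((t - x) & MASK for t, x in zip(y, p0))   # need p16[i] == y[i] - p0[i]
            work += 1
            if want in fwd:
                for w, v in zip(FWD, fwd[want]):
                    M[w] = v
                return p0, M, work

if __name__ == "__main__":
    y = (3, 9, 12)                  # constructed 12-bit target: 3 kept words of 4 bits
    runs = [("one D guessed (narrow-pipe style)", approach1(y, 3, False, 1)),
            ("approach 1, all D inverted", approach1(y, 3, True, 1)),
            ("approach 2, match before trunc", approach2(y, 3, 1))]
    for name, (p0, M, work) in runs:
        print(f"{name}: valid={verify(p0, M, y, 3)}, chain evaluations={work}, "
              f"brute force ~{1 << (W * 3)}")
```

Running it and comparing the chain‐evaluation counts reproduces the qualitative claims of the slides on the toy: guessing a single D and matching on the full 16‐bit state needs about 2^4 iterations of 272 chains, roughly the 2^12 brute force (page 13); enumerating all 16 values of D with Trunc(D) = y gives the backward chunk 8 free bits like the forward chunk and a match is expected in about one iteration of 512 chains (page 17); matching on the 12 kept bits of D needs about one iteration of 272 chains (page 18). The counts fluctuate from run to run because the fixed words and start state are re‐randomised every iteration.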

Page 21: Results

(Same table as page 6.)

Approach 2 is prevented with a small tweak of Trunc.

Approach 1 works as long as Trunc^{‐1} is easily computed.

Page 22: Summary

• Two approaches for finding preimages and pseudo‐preimages against wide‐pipe hashes with the MitM attack.

• First results on short‐output 3‐pass HAVAL.

• This technique can also be applied to reduced SHA‐224 and SHA‐384:
  Kazumaro Aoki, Jian Guo, Kristian Matusiewicz, Yu Sasaki, Lei Wang. Preimages for Step‐Reduced SHA‐2, Asiacrypt '09.

Page 23

Thank you for your attention!!