Logical Reasoning to Detect Weaknesses About SHA-1 and MD4/5
In recent years, studies about the SATisfiability Problem (short for SAT) have become more and more numerous because of its conceptual simplicity and its ability to express a large set of various problems. Within a practical framework, works highlighting SAT implications in real-world problems have grown significantly. In this way, a new field called logical cryptanalysis appeared in the 2000s; it consists in an algebraic cryptanalysis in a binary context thanks to SAT solving. This paper deals with this concept applied to cryptographic hash functions. We first present the logical cryptanalysis principle and provide details about our encoding approach. In a second part, we put the stress on the contribution of SAT to analyzing the generated problem through the discovery of logical inferences, and thus simplifications, in order to reduce the computational complexity of the SAT solving. This is mainly realized by using learning and pruning techniques from the SAT community as a preprocessor. Third, thanks to a probabilistic reasoning applied on the formulas, we present a weakness based on the use of round constants to detect probabilistic relations, such as implications or equivalences, between certain variables. Finally, we present a practical framework to exploit these weaknesses through the inversions of reduced-step versions of MD4, MD5, SHA-0 and SHA-1, and open some prospects.
Practical free-start collision attacks on 76-step SHA-1
In this paper we analyze the security of the compression function of SHA-1 against collision attacks, or equivalently free-start collisions on the hash function. While a lot of work has been dedicated to the analysis of SHA-1 in the past decade, this is the first time that free-start collisions have been considered for this function. We exploit the additional freedom provided by this model by using a new start-from-the-middle approach in combination with improvements on the cryptanalysis tools that have been developed for SHA-1 in the recent years. This results in particular in better differential paths than the ones used for hash function collisions so far. Overall, our attack requires about evaluations of the compression function in order to compute a one-block free-start collision for a 76-step reduced version, which is so far the highest number of steps reached for a collision on the SHA-1 compression function. We have developed an efficient GPU framework for the highly branching code typical of a cryptanalytic collision attack and used it in an optimized implementation of our attack on recent GTX 970 GPUs. We report that a single cheap US$ 350 GTX 970 is sufficient to find the collision in less than 5 days. This showcases how recent mainstream GPUs seem to be a good platform for expensive and even highly-branching cryptanalysis computations. Finally, our work should be taken as a reminder that cryptanalysis on SHA-1 continues to improve. This is yet another proof that the industry should quickly move away from using this function - …