Hard and easy components of collision search in the Zémor-Tillich hash function: New attacks and reduced variants with equivalent security
Christophe Petit, UCL Crypto Group, 04/22/09 | CRYP-201
Collisions for hash functions
C. Petit, J.J. Quisquater, J.P. Tillich, G. Zémor
3
Graph-based hash functions
• Most hash functions can be seen as
• While Zémor-Tillich is more like
6
The Zémor-Tillich hash function
• Introduced at CRYPTO’94 [TZ94]
• Let irreducible over with and let
• Let
• For a message
• Output set has size
7
The Zémor-Tillich hash function
• Graph and group interpretations of main properties
• Representation problem: given a group and a set , find a product
• Balance problem: find
8
The Zémor-Tillich hash function
• Previous cryptanalysis:
– Malleability
– Invertibility for short messages [SGGB00]
– Trapdoor attacks on [CP94,AK98,SGGB00]
– Projection to finite fields [G96]
– Subgroup attacks for composite [SGGB00]
• This paper:
– Generic collision and preimage subgroup attacks in time (instead of and for birthday and exhaustive search)
10
Generic collision attack
• Sketch:
1. Find lower triangular matrices with a meet-in-the-middle random search
2. Combine the lower triangular matrices to obtain a lower triangular matrix with ones on the diagonal, by solving discrete logarithms
3. The resulting matrix has order 2
• In each step, we use
11
Generic collision attack, 1st step
• If for some
Then for some
• To solve the equation:
– Compute and on various random messages
– For each obtained, store the projective point ( )
– After messages, likely to be done
12
Generic collision attack, 2nd step
• Combine triangular matrices to get a matrix with ones in the diagonal
Use
• Representation problem in finite fields:
Given find
• Equivalent to Discrete Logarithm [BM97] … that is easy here!
14
Improvements
• Preimage attack:
– A bit more technical, but same ideas
– Same complexity
• Memory-free versions:
– Transform the birthday search in the first step into a cycle detection problem
– Use standard techniques (distinguished points, …)
15
Hard and easy components
• Finding a message hashing to a triangular matrix is "nearly" as hard as finding a message hashing to the identity
• Similarly:
– Finding a message hashing to a diagonal matrix
– Given some vector , finding a message hashing to a matrix with left / right eigenvector
are nearly as hard as finding a message hashing to the identity
16
Hard and easy components
• The output of ZT is bits while its security is bits: how to extract the secure bits?
18
Vectorial Zémor-Tillich
• The output of ZT is bits while its security is bits: how to extract the secure bits?
• Vectorial version
– Outputs bits
– For a given initial vector , returns
• If the initial vector is chosen randomly, just as secure as the original matrix version
19
Equivalence between vectorial and matrix versions
• Suppose there is an algorithm finding collisions for the vectorial version…
– Run it on a random ; we get , where and are the ZT hash values of the colliding messages
– Run it on ; we get
– Repeat times
20
Equivalence between vectorial and matrix versions
• Key observations:
–
– « Homomorphism »
• To find a collision:
– Let
– Find such that
21
Equivalence between vectorial and matrix versions
• Colliding messages:
–
– where if
• The two messages collide to the value
22
Projective version
• The output of ZT is bits while its security is bits: how to extract the secure bits?
• Projective version
– Outputs bits
– Returns if the vectorial version returns
• If the initial vector is chosen randomly, « nearly » as secure as the initial matrix version
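The following is an added, runnable toy implementation of the three variants discussed on these slides (the matrix version of slide 6, the vectorial version of slide 18 and the projective version of slide 22); it is not code from the paper or the talk. It assumes the original Tillich-Zémor generators A0 = [[X, 1], [1, 0]] and A1 = [[X, X+1], [1, 1]] over GF(2^n) = GF(2)[X]/(P_n(X)), a deliberately tiny constructed field (n = 8, P(X) = X^8 + X^4 + X^3 + X + 1, useless for security but convenient to run), a row vector convention v · H(m) for the vectorial version, and one particular normalisation of the projective point (1, y/x); the last two are assumptions, since the slides leave those formulas out. The `homomorphism_holds` check makes the concatenation property H(m1 || m2) = H(m1) · H(m2) explicit, which is the malleability listed under previous cryptanalysis and the reason a single collision extends to every message sharing a suffix.

```python
"""Toy Zémor-Tillich (ZT) hash with vectorial and projective variants.

Constructed example parameters: GF(2^8) with P(X) = X^8 + X^4 + X^3 + X + 1.
This field is far too small for any security use; it only illustrates the
algebra (SL(2, GF(2^n)) matrix products, row-vector and projective outputs).
"""

N = 8          # field degree (assumption: toy size, real ZT uses much larger n)
POLY = 0x11B   # X^8 + X^4 + X^3 + X + 1, irreducible over GF(2)


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^N) = GF(2)[X]/(POLY); bit i <-> X^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):      # reduce modulo POLY when degree reaches N
            a ^= POLY
    return r


def gf_inv(a: int) -> int:
    """Inverse via a^(2^N - 2), square-and-multiply."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^N)")
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


# 2x2 matrices are tuples (a, b, c, d) standing for [[a, b], [c, d]].
IDENT = (1, 0, 0, 1)
X = 0b10                  # the field element X
A0 = (X, 1, 1, 0)         # A0 = [[X, 1], [1, 0]]   (TZ94 generators, assumed)
A1 = (X, X ^ 1, 1, 1)     # A1 = [[X, X+1], [1, 1]]


def mat_mul(M, K):
    a, b, c, d = M
    e, f, g, h = K
    return (gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h),
            gf_mul(c, e) ^ gf_mul(d, g), gf_mul(c, f) ^ gf_mul(d, h))


def det(M) -> int:
    a, b, c, d = M
    return gf_mul(a, d) ^ gf_mul(b, c)


def bits_of(msg: bytes):
    """Message bits, most significant bit of each byte first."""
    return [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]


def zt_hash(bits):
    """Matrix version: H(m) = A_{m1} A_{m2} ... A_{mk}, an element of SL(2, GF(2^N))."""
    H = IDENT
    for bit in bits:
        H = mat_mul(H, A1 if bit else A0)
    return H


def vec_mul(v, M):
    """Row vector times matrix (assumed convention for the vectorial version)."""
    x, y = v
    a, b, c, d = M
    return (gf_mul(x, a) ^ gf_mul(y, c), gf_mul(x, b) ^ gf_mul(y, d))


def vectorial_hash(v, bits):
    """Vectorial version: for an initial (ideally random) row vector v, return v * H(m)."""
    return vec_mul(v, zt_hash(bits))


def projective_hash(v, bits):
    """Projective version (assumed normalisation): the point (x:y) of P^1 is
    returned as (1, y/x), or as (0, 1) when x = 0, so scalar multiples of v agree."""
    x, y = vectorial_hash(v, bits)
    if x == 0:
        return (0, 1)
    return (1, gf_mul(y, gf_inv(x)))


def homomorphism_holds(m1: bytes, m2: bytes) -> bool:
    """H(m1 || m2) == H(m1) * H(m2): the malleability of the matrix version."""
    left = zt_hash(bits_of(m1 + m2))
    right = mat_mul(zt_hash(bits_of(m1)), zt_hash(bits_of(m2)))
    return left == right


if __name__ == "__main__":
    m = bits_of(b"constructed sample message")
    print("H(m) =", [hex(t) for t in zt_hash(m)], "det =", det(zt_hash(m)))
    print("vectorial (v = (1, X)):", vectorial_hash((1, X), m))
    print("projective (v = (1, X)):", projective_hash((1, X), m))
```

Every output matrix has determinant 1, so only three of the four entries are free (the 3n-bit output the slides refer to), while the vectorial variant keeps 2n bits and the projective variant roughly n bits; the `projective_hash` check that v and any nonzero scalar multiple of v give the same point is what justifies discarding the scalar.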
23
« Quasi » equivalence between projective and vectorial versions
• Suppose there is an algorithm finding collisions for the projective version…
– Run it on to get and
– Run it on to get and
– After steps, find such that
• Complexity of last step
– Hard asymptotically ( discrete logarithm problems + one subset sum problem)
– Feasible for
25
Conclusion
• New generic attacks
– Collision attack in time (instead of )
– Preimage attack in time (instead of )
• New variants
– Vectorial variant as secure
– Projective variant « nearly » as secure
– Best attack against projective variant is birthday search
• Zémor-Tillich is not broken
– is too small
– Still a very interesting design