Applications of SAT Solvers to Cryptanalysis of Hash Functions
Ilya Mironov, Lintao Zhang
Microsoft Research, Silicon Valley Campus
Overview
1. Crash course on hash functions
2. Collision-finding attacks (Wang et al. '05)
3. Automation via SAT solvers
Hash functions
H: {0,1}* → {0,1}^n
Cryptographic hash functions
- Several important properties
- Collision-resistance: it must be infeasible to find x ≠ y with H(x) = H(y)
Birthday paradox: a set S of about 2^(n/2) outputs of H is expected to contain a collision, so finding a collision generically costs ~|S| = 2^(n/2) evaluations of H, not 2^n.
Security level (generic collision attack costs 2^(n/2) operations for an n-bit output)
                       operations   hash output
Insecure               2^64         128 bits
Medium-term            2^80         160 bits
Long-term (~20 years)  2^128        256 bits
Paranoid               2^256        512 bits
Short history of hash functions
1990 Ron Rivest: MD4 (128-bit output)
1992 Ron Rivest: MD5 (128-bit output)
1993 NIST: SHA (Secure Hash Algorithm, 160 bits)
1995 NIST: Oops! SHA1
2003 NIST: SHA-256, 384, 512
[Figure: timeline 1990-2006 marking MD4 (1990), MD5 (1992), SHA0 (1993), SHA1 (1995) and SHA-256/384/512 (2003), annotated with the attacks: "MD4 is broken"; "theoretical attack on SHA0"; "MD5, SHA0 broken, theoretical attack on SHA1".]
MD4 and MD5's structure
- Basic building block: the compression function, which maps a 512-bit message block and a 128-bit chaining value to a 128-bit output; 48 rounds (steps) in MD4, 64 in MD5
Compression function's building block
[Figure: 512 bits = 16 32-bit words w_0..w_15 of the message block M; 128 bits = 4 32-bit words (a, b, c, d). The MD4 message schedule, i.e. which word w feeds each round:
  rounds 0-15:  0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
  rounds 16-31: 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15
  rounds 32-47: 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15]
One round
(a_i, b_i, c_i, d_i) → (a_{i+1}, b_{i+1}, c_{i+1}, d_{i+1}), where
  b_{i+1} = (a_i + f_i(b_i, c_i, d_i) + w_i + K_i) <<< s_i
  a_{i+1} = d_i, c_{i+1} = b_i, d_{i+1} = c_i
(f_i is the round's bitwise Boolean function, w_i the scheduled message word, K_i a round constant, <<< s_i a left rotation by s_i bits; all additions are mod 2^32.)
Finding a collision [Wang et al. '05]
Goal: find M, M' such that H(M) = H(M')
1. Select message difference ΔM: M' = M + ΔM
2. Select differential path: b_i' = b_i + Δb_i
3. Find sufficient conditions
4. Make them happen!
Disturbance vector
[Figure: the message difference ΔM laid over the MD4 message schedule (rounds 0-15: 0 1 2 … 15; rounds 16-31: 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15; rounds 32-47: 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15), showing at which rounds each disturbed word enters the computation.]
Differential path
M:  (a_0, b_0, c_0, d_0) → b_1 → b_2 → … → b_48
M': (a_0, b_0, c_0, d_0) → b_1' → b_2' → … → b_48'
The differential path fixes the difference at every step (differences mod 2^32):
  b_1' = b_1 + Δb_1
  b_2' = b_2 + Δb_2
  …
  b_48' = b_48 + Δb_48
Sufficient conditions
One step: (a_i, b_i, c_i, d_i) → (d_i, (a_i + f_i(b_i, c_i, d_i) + w_i + K_i) <<< s_i, b_i, c_i) = (a_{i+1}, b_{i+1}, c_{i+1}, d_{i+1})
Example (x_{i,j} denotes bit j of x_i): if f_i = MAJ and s_i = 3 and b_{2,0} = 0 and c_{2,0} = 0, then for b_{2,3} = 0 it is sufficient that lsb(b_1) = 0 and lsb(c_1) = 0.
Why conditions like this work: bit 0 of MAJ(b, c, d) is 0 whenever bit 0 of b and bit 0 of c are both 0, whatever bit 0 of d is, so a difference in that bit of d is absorbed by f_i instead of entering the sum; with s_i = 3, bit 0 of the sum lands in bit 3 of the next b. Sufficient conditions are bit-level constraints of this kind on the intermediate values; if all of them hold, the differential path is followed.
Sufficient conditions [Wang et al.]
MD4: 122
MD5: first block 294; second block 309
SHA0: 260
Message modification technique
[Figure: the MD4 message schedule with rounds 0-15 highlighted. Each message word w_0..w_15 is used exactly once in rounds 0-15, so the conditions on b_1..b_16 can be enforced directly by choosing the words; the same words reappear in rounds 16-31 (0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15) and 32-47 (0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15), where they are no longer free.]
Probabilistic method
[Figure: the same schedule; the conditions in the later rounds are left to chance.]
Conditions satisfied with probability 50%*, i.e. conditions left to chance after message modification; each holds with probability 1/2, so k such conditions cost about 2^k trials per collision:
MD4: < 8
MD5: first block 37; second block 30
SHA0: 42
SHA1: 70
* In the original papers (better attacks are currently known)
SAT Solvers!
Goal: find M, M' such that H(M) = H(M')
1. Select message difference ΔM: M' = M + ΔM
2. Select differential path: b_i' = b_i + Δb_i
3. Find sufficient conditions
4. Message modifications: instead of hand-crafted modifications, encode the compression function, the differential path and the sufficient conditions as a CNF formula and let a SAT solver find M
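What "encode as CNF" means in practice, as an added example that is not the deck's own encoder: a Tseitin encoding of one MD4 round-2 step, b_{i+1} = (a_i + MAJ(b_i, c_i, d_i) + w_i + K) <<< s, into clauses. The gate clauses, the ripple-carry adder, the helper names (`Cnf`, `add_words`, `encode_and_check`) and the sample input values are all this example's own choices; the step equation and the round constant 0x5A827999 are MD4's. The encoder records each gate's definition so the formula can be replayed on concrete inputs and every clause checked, which is the test a practitioner wants before trusting an encoding with 48 steps and two message copies.

```python
"""Tseitin encoding of one MD4 round-2 step (f = MAJ) into CNF, plus a
replay check of the encoding on concrete inputs. Example code, not the
deck's encoder; gate clauses and sample values are constructed here."""

MASK = 0xFFFFFFFF
K_ROUND2 = 0x5A827999  # MD4 round-2 constant


def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def maj(x, y, z):
    return (x & y) | (x & z) | (y & z)


class Cnf:
    """Grows a CNF formula gate by gate. Every gate variable also remembers
    its defining function, so a concrete computation can be replayed and the
    clauses checked against it."""

    def __init__(self):
        self.nvars, self.clauses, self.defs = 0, [], {}

    def var(self):
        self.nvars += 1
        return self.nvars

    def word(self):  # 32 fresh variables, bit 0 first
        return [self.var() for _ in range(32)]

    def const(self, value):  # fixed word: one unit clause per bit
        w = self.word()
        for i, v in enumerate(w):
            bit = (value >> i) & 1
            self.clauses.append([v if bit else -v])
            self.defs[v] = (lambda b=bit: b, ())
        return w

    def gate(self, func, inputs, clauses_for):
        z = self.var()
        self.defs[z] = (func, inputs)
        self.clauses += clauses_for(z)
        return z

    def and_(self, x, y):  # z <-> x & y (3 clauses)
        return self.gate(lambda p, q: p & q, (x, y),
                         lambda z: [[-x, -y, z], [x, -z], [y, -z]])

    def xor(self, x, y):  # z <-> x ^ y (4 clauses)
        return self.gate(lambda p, q: p ^ q, (x, y),
                         lambda z: [[-x, -y, -z], [x, y, -z], [x, -y, z], [-x, y, z]])

    def maj(self, x, y, z):  # m <-> MAJ(x, y, z) (6 clauses)
        return self.gate(lambda p, q, r: (p & q) | (p & r) | (q & r), (x, y, z),
                         lambda m: [[-x, -y, m], [-x, -z, m], [-y, -z, m],
                                    [x, y, -m], [x, z, -m], [y, z, -m]])

    def evaluate(self, inputs):
        """inputs: {var: bool} for every free variable. Returns the forced value
        of every variable (gates are evaluated in creation order)."""
        val = dict(inputs)
        for v in range(1, self.nvars + 1):
            if v not in val:
                func, args = self.defs[v]
                val[v] = bool(func(*(val[a] for a in args)))
        return val

    def satisfied(self, val):
        return all(any(val[abs(lit)] == (lit > 0) for lit in cl) for cl in self.clauses)

    def dimacs(self):  # what gets handed to MiniSat / SatELiteGTI
        head = [f"p cnf {self.nvars} {len(self.clauses)}"]
        return "\n".join(head + [" ".join(map(str, cl)) + " 0" for cl in self.clauses])


def add_words(cnf, a, b):
    """Ripple-carry adder mod 2^32: sum bit = two XORs, carry = MAJ."""
    out, carry = [], None
    for i in range(32):
        s = cnf.xor(a[i], b[i])
        if carry is None:
            out.append(s)
            carry = cnf.and_(a[i], b[i])
        else:
            out.append(cnf.xor(s, carry))
            if i < 31:  # carry out of bit 31 is discarded
                carry = cnf.maj(a[i], b[i], carry)
    return out


def rotl_word(w, s):  # rotation is pure wiring: no variables, no clauses
    return [w[(j - s) % 32] for j in range(32)]


def md4_step_round2(cnf, a, b, c, d, w, s):
    f = [cnf.maj(b[i], c[i], d[i]) for i in range(32)]
    t = add_words(cnf, add_words(cnf, add_words(cnf, a, f), w), cnf.const(K_ROUND2))
    return rotl_word(t, s)


def encode_and_check(a_val, b_val, c_val, d_val, w_val, s=5):
    """Encode one step, replay it on concrete inputs and return
    (variables, clauses, all clauses satisfied, decoded output == direct computation)."""
    cnf = Cnf()
    a, b, c, d, w = (cnf.word() for _ in range(5))
    out = md4_step_round2(cnf, a, b, c, d, w, s)
    inputs = {}
    for word, value in zip((a, b, c, d, w), (a_val, b_val, c_val, d_val, w_val)):
        for i, v in enumerate(word):
            inputs[v] = bool((value >> i) & 1)
    val = cnf.evaluate(inputs)
    decoded = sum(val[v] << i for i, v in enumerate(out))
    direct = rotl((a_val + maj(b_val, c_val, d_val) + w_val + K_ROUND2) & MASK, s)
    return cnf.nvars, len(cnf.clauses), cnf.satisfied(val), decoded == direct


if __name__ == "__main__":
    # Constructed sample: the MD4 IV as the state, an arbitrary message word.
    print(encode_and_check(0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xDEADBEEF))
```

One step costs roughly 500 variables and 1500 clauses here, almost all of it in the three adders; 48 steps for each of M and M', plus the unit clauses that pin the sufficient conditions on the b_i bits and the clauses tying M' = M + ΔM, is how the tens of thousands of variables and clauses quoted for MD4 arise. The XOR chains inside the adders are exactly the structure the open problems at the end single out as awkward for clause-learning solvers.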
MD4
53K variables, 221K clauses. Success! SatELiteGTI finds a collision in < 500 sec.
Message (16 32-bit words):
0x e1c08802 d0001321 f3fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 900f8005 3f936800 4b187044 64fad83a 01d79002 68f200a8 94ab2328 2449dd7d
collides with
0x e1c08802 50001321 63fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 900f8005 3f936800 4b187044 64fad83a 01d69002 68f200a8 94ab2328 2449dd7d
(the two messages differ only in words 1, 2 and 12)
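To check a pair like the one above rather than take it on trust, here is a pure-Python MD4 (RFC 1320) as an added example, not code from the deck. It is assumed that the 16 hex words of each message are the words w_0..w_15 exactly as fed to the compression function, starting from the standard IV, rather than a byte string still to be decoded. `compression_collides` performs that check, and `word_differences` reads off the modular message difference ΔM that step 1 of the attack fixes and the solver was given; the RFC test vectors are used to validate the implementation itself.

```python
"""MD4 (RFC 1320) in pure Python: verify the colliding pair from the slide
and recover the message-word difference. Example code, not the deck's."""
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def F(x, y, z):  # rounds 0-15: bitwise "if x then y else z"
    return ((x & y) | (~x & z)) & MASK


def MAJ(x, y, z):  # rounds 16-31: majority
    return (x & y) | (x & z) | (y & z)


def XOR(x, y, z):  # rounds 32-47
    return x ^ y ^ z


# (Boolean function, message-word schedule, rotation amounts, round constant);
# the schedules are the ones drawn in the compression-function figure.
ROUNDS = (
    (F, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
    (MAJ, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (XOR, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)


def compress(state, w):
    """One MD4 compression: 48 steps of
    b_{i+1} = (a_i + f_i(b_i, c_i, d_i) + w_i + K_i) <<< s_i, then feed-forward."""
    a, b, c, d = state
    for f, schedule, shifts, k in ROUNDS:
        for j, idx in enumerate(schedule):
            t = (a + f(b, c, d) + w[idx] + k) & MASK
            a, b, c, d = d, rotl(t, shifts[j % 4]), b, c
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def md4(msg: bytes) -> bytes:
    """Full MD4: Merkle-Damgard padding, then compress each 64-byte block."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    state = IV
    for off in range(0, len(padded), 64):
        state = compress(state, struct.unpack("<16I", padded[off:off + 64]))
    return struct.pack("<4I", *state)


def parse_words(text: str):
    return tuple(int(tok, 16) for tok in text.replace("0x", "").split())


# The colliding pair printed on the slide, assumed to be w_0..w_15 as fed to compress().
M1 = parse_words("0xe1c08802 d0001321 f3fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 "
                 "900f8005 3f936800 4b187044 64fad83a 01d79002 68f200a8 94ab2328 2449dd7d")
M2 = parse_words("0xe1c08802 50001321 63fdc66f df600178 46b5c048 06c516c5 b632403a 88e2fdd5 "
                 "900f8005 3f936800 4b187044 64fad83a 01d69002 68f200a8 94ab2328 2449dd7d")


def word_differences(m1, m2):
    """Modular differences m2[i] - m1[i] mod 2^32 for the words that differ:
    this is the message difference ΔM chosen in step 1 of the attack."""
    return {i: (y - x) & MASK for i, (x, y) in enumerate(zip(m1, m2)) if x != y}


def compression_collides(m1, m2):
    """True iff the two single blocks give the same output from the standard IV."""
    return compress(IV, m1) == compress(IV, m2)


if __name__ == "__main__":
    print("MD4('abc') =", md4(b"abc").hex())
    print("message difference:", {i: hex(v) for i, v in word_differences(M1, M2).items()})
    print("compression outputs equal:", compression_collides(M1, M2))
```

The difference that falls out is Δw_1 = 2^31, Δw_2 = 2^31 - 2^28 and Δw_12 = -2^16 (mod 2^32), concentrated in the top bits where carries are cheapest to control; that is the "select message difference" step, and the solver's job was only to find an M on which the path and its sufficient conditions hold.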
MD5
Hmm… Truncated MD5?
Pipeline: truncated (reduced-round) MD5 → CNF formula → SAT solver → filter → solution
The filter is the probabilistic method: each reduced-round solution from the solver is run through the remaining rounds, and only those on which the remaining conditions happen to hold are full solutions.
[Plot: yield (y axis, 0 to 160000) against the number of rounds kept in the truncated MD5 (x axis, 16 to 42), for all messages, reduced-round solutions and full solutions.]
Where to truncate? ~100 hours per full solution
Collision in MD5 (two 512-bit blocks per message, 16 32-bit words per block)
M:
0x 80000000 98163156 d685de69 e985b795 b4320c10 cd350030 c014ca29 850b7d6d 0934ad59 4871afd0 aa480edf e4fc0320 7bb68ed1 3b505ddf 5e5d5df6 b539a48d
   fcb488ff adf40003 88d9fda4 d72a8fdc a887f4ca eec4f800 b75f8b20 7f1e9b51 9ab427cc 45c236f1 73f20086 e000005a 3b6550cc b6cc1c59 0fe9f71a a0403064
collides with
M':
0x 80000000 98163156 d685de69 e985b795 34320c10 cd350030 c014ca29 850b7d6d 0934ad59 4871afd0 aa480edf e4fc0320 7bb68ed1 3b505ddf de5d5df6 b539a48d
   fcb488ff adf40003 88d9fda4 d72a8fdc a887f4ca eec4f800 b75f8b20 7f1e9b51 9ab427cc 45c236f1 73f20086 dfff805a 3b6550cc b6cc1c59 0fe9f71a a0403064
Open problems
- Cryptographic:
  - Break SHA-1
  - Automate the entire attack
  - Other primitives
- SAT-solving community:
  - No truncation!
  - SAT solvers optimized for cryptographic applications: XOR, multiplication, table look-ups, intuition
Conclusion
- First serious SAT-solver-aided cryptanalytic effort
- Several entries into SAT Race '06
- New applications and challenges