Hard and easy components of collision search in the Zémor-Tillich hash function: New attacks and reduced variants with equivalent security
C. Petit, J.J. Quisquater, J.P. Tillich, G. Zémor
Christophe Petit, UCL Crypto Group, 04/22/09 | CRYP-201 Collisions for hash functions
Graph-based hash functions
• Most hash functions can be seen as [figure], while Zémor-Tillich is more like [figure]
Outline
• Introduction
• The Zémor-Tillich hash function
• New attacks
• Reduced variants
• Conclusion
The Zémor-Tillich hash function
• Introduced at CRYPTO'94 [TZ94]
• Let irreducible over with and let
• Let
• For a message
• Output set has size
The Zémor-Tillich hash function: graph and group interpretations of the main properties
• Representation problem: given a group and a set , find a product
• Balance problem: find
The Zémor-Tillich hash function: previous cryptanalysis
• Malleability
• Invertibility for short messages [SGGB00]
• Trapdoor attacks on [CP94, AK98, SGGB00]
• Projection to finite fields [G96]
• Subgroup attacks for composite [SGGB00]
This paper: generic collision and preimage subgroup attacks in time (instead of and for birthday and exhaustive search)
Generic collision attack
Sketch:
• Find lower triangular matrices with a meet-in-the-middle random search
• Combine the lower triangular matrices into a lower triangular matrix with ones on the diagonal, by solving discrete logarithms
• The resulting matrix has order 2
In each step, we use
Generic collision attack, 1st step
• If for some , then for some
• To solve the equation: compute and on various random messages
• For each obtained, store the projective point ( )
• After messages, the search is likely to be done
Generic collision attack, 2nd step
• Combine triangular matrices to get a matrix with ones on the diagonal
• Use the representation problem in finite fields: given , find
• Equivalent to the discrete logarithm problem [BM97] … which is easy here!
Generic collision attack, 3rd step
• For any ,
Improvements
• Preimage attack: a bit more technical, but the same ideas and the same complexity
• Memory-free versions: transform the birthday search of the first step into a cycle detection problem and use standard techniques (distinguished points, …)
Hard and easy components
• Finding a message hashing to a triangular matrix is "nearly" as hard as finding a message hashing to the identity
• Similarly, finding a message hashing to a diagonal matrix, or, given some vector , finding a message hashing to a matrix with left / right eigenvector , are nearly as hard as finding a message hashing to the identity
Hard and easy components
• The output of ZT is bits while its security is bits: how to extract the secure bits?
Vectorial Zémor-Tillich
• The output of ZT is bits while its security is bits: how to extract the secure bits?
• Vectorial version: outputs bits; for a given initial vector , returns
• If the initial vector is chosen randomly, just as secure as the original matrix version
Equivalence between vectorial and matrix versions
• Suppose there is an algorithm finding collisions for the vectorial version…
• Run it on a random ; we get , where and are the ZT hash values of the colliding messages
• Run it on ; we get
• Repeat times
Equivalence between vectorial and matrix versions
• Key observation: « homomorphism »
• To find a collision: let ; find such that
Equivalence between vectorial and matrix versions
• Colliding messages: , where if
• The two messages collide to the value
Projective version
• The output of ZT is bits while its security is bits: how to extract the secure bits?
• Projective version: outputs bits; returns if the vectorial version returns
• If the initial vector is chosen randomly, « nearly » as secure as the initial matrix version
« Quasi » equivalence between projective and vectorial versions
• Suppose there is an algorithm finding collisions for the projective version…
• Run it on to get and
• Run it on to get and
• After steps, find such that
• Complexity of the last step: hard asymptotically ( discrete logarithm problems + one subset sum problem), feasible for
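As an added worked example (not code from the slides or from the authors), the following Python script builds a toy Zémor-Tillich hash over a constructed tiny field, the vectorial and projective variants sketched above, the homomorphism property that the equivalence argument relies on, and the first step of the generic collision attack (a meet-in-the-middle search for a message whose hash is lower triangular). The generator matrices, the row-vector convention v * H(m) for the vectorial version, and the split of the message into a left and a right half for the meet-in-the-middle are assumptions taken from the standard definition of Zémor-Tillich, not from the slides; steps 2 and 3 are replaced by a brute-force exponent that is only viable because the toy field has 128 elements.

```python
import random

# Constructed toy parameters, not the paper's: n = 7 and P(x) = x^7 + x + 1,
# which is irreducible over GF(2).  Real instances use n of a few hundred bits.
N = 7
POLY = (1 << N) | (1 << 1) | 1
X = 2  # the field element x, as a bit pattern

def gf_mul(a, b):
    """Multiply two GF(2^N) elements given as integers below 2^N."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY
    return r

def gf_inv(a):
    """Inverse of a nonzero element, computed as a^(2^N - 2)."""
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

# 2x2 matrices are tuples (a, b, c, d) standing for [[a, b], [c, d]].
# A0/A1 are the usual Zémor-Tillich generators (assumption: not on the slides).
A0 = (X, 1, 1, 0)
A1 = (X, X ^ 1, 1, 1)
IDENTITY = (1, 0, 0, 1)

def mat_mul(M, K):
    a, b, c, d = M
    e, f, g, h = K
    return (gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h),
            gf_mul(c, e) ^ gf_mul(d, g), gf_mul(c, f) ^ gf_mul(d, h))

def vec_mul(v, M):
    """Row vector times matrix (the vectorial version is taken as v * H(m))."""
    p, q = v
    a, b, c, d = M
    return (gf_mul(p, a) ^ gf_mul(q, c), gf_mul(p, b) ^ gf_mul(q, d))

def zt_hash(bits):
    """Matrix version: the product of A0/A1 selected by the message bits."""
    M = IDENTITY
    for bit in bits:
        M = mat_mul(M, A1 if bit else A0)
    return M

def zt_vec(v, bits):
    """Vectorial version: v * H(m), computed without ever building H(m)."""
    for bit in bits:
        v = vec_mul(v, A1 if bit else A0)
    return v

def projective(v):
    """Projective version output: (p : q) normalised to (p/q, 1) or (1, 0)."""
    p, q = v
    return (gf_mul(p, gf_inv(q)), 1) if q else (1, 0)

def homomorphism_holds(v, m1, m2):
    """v H(m1 || m2) == (v H(m1)) H(m2): the property the equivalence uses."""
    return zt_vec(v, m1 + m2) == vec_mul(zt_vec(v, m1), zt_hash(m2))

def lower_triangular_message(seed=1, msg_len=16, limit=512):
    """Attack step 1 as a meet-in-the-middle.  H(mL) H(mR) has top-right entry
    a*f + b*h with (a, b) row 0 of H(mL) and (f, h) column 1 of H(mR); in
    characteristic 2 it vanishes exactly when the projective points (a : b)
    and (h : f) coincide, so a birthday search over the 2^N + 1 points of the
    projective line yields a message whose hash is lower triangular."""
    rng = random.Random(seed)
    left, right = {}, {}
    for _ in range(limit):
        mL = tuple(rng.getrandbits(1) for _ in range(msg_len))
        a, b, _, _ = zt_hash(mL)
        key = projective((a, b))
        if key in right:
            return mL + right[key]
        left[key] = mL
        mR = tuple(rng.getrandbits(1) for _ in range(msg_len))
        _, f, _, h = zt_hash(mR)
        key = projective((h, f))
        if key in left:
            return left[key] + mR
        right[key] = mR
    raise RuntimeError("no match found; raise limit")

def identity_preimage(m):
    """Brute-force stand-in for steps 2 and 3, viable only because N is tiny:
    for lower triangular T = H(m), T^(2^N - 1) has ones on the diagonal (every
    field element has order dividing 2^N - 1) and that matrix squares to the
    identity in characteristic 2.  The paper instead solves discrete logarithms
    to combine several triangular matrices into a short message."""
    return m * (2 * ((1 << N) - 1))
```

Running `lower_triangular_message()` returns a 32-bit message whose hash has a zero top-right entry; `identity_preimage` of it is a (long) message hashing to the identity matrix, so appending it to any message gives a collision in the toy instance. The meet-in-the-middle tables hold at most 2^N + 1 distinct keys, which is why the search cannot run past roughly 2^(N/2) entries per side in expectation.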
Conclusion
• New generic attacks: collision attack in time (instead of ); preimage attack in time (instead of )
• New variants: the vectorial variant is as secure; the projective variant is « nearly » as secure; the best attack against the projective variant is birthday search
• Zémor-Tillich is not broken; is too small
• Still a very interesting design