Slides at CT-RSA. - UCL Computer Science

Hard and easy components of collision search in the Zémor-Tillich hash function: New attacks and reduced variants with equivalent security
C. Petit, J.J. Quisquater, J.P. Tillich, G. Zémor
Christophe Petit
UCL Crypto Group
04/22/09 | CRYP-201
Collisions for hash functions
Cryptographic hash functions
2
Graph-based hash functions
• Most hash functions can be seen as
• While Zémor-Tillich is more like
3
Outline
Introduction
The Zémor-Tillich hash function
New attacks
Reduced variants
Conclusion
4
The Zémor-Tillich hash function
The Zémor-Tillich hash function
• Introduced at CRYPTO’94 [TZ94]
• Let
and let
irreducible over
• Let
• For a message
• Output set has size
6
with
The Zémor-Tillich hash function
• Graph and group interpretations of main properties
• Representation problem: given a group
and a set
, find a product
• Balance problem: find
7
The Zémor-Tillich hash function
• Previous cryptanalysis:
– Malleability
– Invertibility for short messages
[SGGB00]
– Trapdoor attacks on
[CP94,AK98,SGGB00]
– Projection to finite fields
[G96]
– Subgroup attacks for composite
[SGGB00]
• This paper:
– Generic collision and preimage subgroup attacks in time
(instead of
and
for birthday and exhaustive)
8
New attacks
Generic collision attack
• Sketch:
1. Find lower triangular matrices
with meet-in-the-middle random search
2. Combine lower triangular matrices
to have a lower diagonal matrix with ones in the diagonal
by solving discrete logarithms
3. The resulting matrix has order 2
• In each step, we use
10
Generic collision attack, 1st step
• If
for some
Then
• for some
To solve the equation:
– Compute
and
on various random messages
– For each
(
)
obtained, store the projective point
– After
messages, likely to be done
11
Generic collision attack, 2nd step
• Combine triangular matrices to get a matrix with ones in the diagonal
Use
• Representation problem in finite fields:
Given
find
• Equivalent to Discrete Logarithm [BM97]… that is easy here!
12
Generic collision attack, 3rd step
• For any
,
13
Improvements
• Preimage attack:
– A bit more technical, but same ideas
– Same complexity
• Memory-free versions
– Transform the birthday search in the first step into a
cycle detection problem
– Use standard techniques (distinguished points,…)
14
Hard and easy components
• Finding a message hashing to a triangular matrix is “nearly” as hard as finding a message hashing to the identity
• Similarly:
– Finding a message hashing to a diagonal matrix
– Given some vector , finding a message hashing to a matrix
with left / right eigenvector
are nearly as hard as
finding a message hashing to the identity
15
Hard and easy components
• The output of ZT is
bits while its security is
bits: how to extract the secure bits?
16
Reduced variants
Vectorial Zémor-Tillich
• The output of ZT is
bits while its security is
bits: how to extract the secure bits?
• Vectorial version
– Outputs
bits
– For a given initial vector
, returns
• If the initial vector is chosen randomly,
just as secure as the original matrix version
18
Equivalence between vectorial and matrix versions
• Suppose there is an algorithm finding collisions for the vectorial version…
– Run it on a random
We get
where
and
are the ZT hash values of the colliding messages
– Run it on
We get
– Repeat
times
19
Equivalence between vectorial and matrix versions
• Key observations:
–
– « Homomorphism »
• To find a collision:
– Let
– Find
such that
20
Equivalence between vectorial and matrix versions
• Colliding messages:
–
–
where
• The two messages collide to the value
if
21
Projective version
• The output of ZT is
bits while its security is
bits: how to extract the secure bits?
• Projective version
– Outputs
bits
– Returns
if the vectorial version returns
• If the initial vector is chosen randomly,
« nearly » as secure as the initial matrix version
22
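To make the three variants concrete, here is a toy implementation added for this page (not the authors' code). It assumes constructed parameters n = 8 with the irreducible polynomial X^8 + X^4 + X^3 + X + 1 (real instances use n around 130-170 bits), the standard ZT generators A0 = [[X,1],[1,0]] and A1 = [[X,X+1],[1,1]], an initial row vector multiplied on the left for the vectorial version, and the ratio x/y as the projective value; the paper's exact conventions may differ.

```python
N = 8
POLY = 0x11B  # X^8 + X^4 + X^3 + X + 1, irreducible over F_2 (constructed toy parameter)

def gf_mul(a, b):
    """Multiply two elements of F_{2^N}, each encoded as an N-bit integer."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:  # reduce modulo POLY once the degree reaches N
            a ^= POLY
    return r

def gf_inv(a):
    """Inverse in F_{2^N}: a^(2^N - 2) = a^2 * a^4 * ... * a^(2^(N-1)), a nonzero."""
    r = 1
    for _ in range(N - 1):
        a = gf_mul(a, a)
        r = gf_mul(r, a)
    return r

def mat_mul(m1, m2):
    """Product of two 2x2 matrices ((a, b), (c, d)) over F_{2^N}."""
    (a, b), (c, d) = m1
    (e, f), (g, h) = m2
    return ((gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h)),
            (gf_mul(c, e) ^ gf_mul(d, g), gf_mul(c, f) ^ gf_mul(d, h)))

X = 0b10  # the element X of F_2[X]/(POLY)
A0 = ((X, 1), (1, 0))
A1 = ((X, X ^ 1), (1, 1))
IDENTITY = ((1, 0), (0, 1))

def zt_hash(bits):
    """Matrix ZT hash: left-to-right product of A0 / A1 chosen by each message bit."""
    h = IDENTITY
    for bit in bits:
        h = mat_mul(h, A1 if bit else A0)
    return h

def vectorial_hash(v0, bits):
    """Vectorial variant (2n output bits): row vector v0 times the matrix hash (assumed convention)."""
    (a, b), (c, d) = zt_hash(bits)
    return (gf_mul(v0[0], a) ^ gf_mul(v0[1], c), gf_mul(v0[0], b) ^ gf_mul(v0[1], d))

def projective_hash(v0, bits):
    """Projective variant (n output bits): x/y of the vectorial output, None when y = 0."""
    x, y = vectorial_hash(v0, bits)
    return gf_mul(x, gf_inv(y)) if y else None
```

Because the matrix hash is a product, the vectorial hash of a concatenation m1||m2 equals the vectorial hash of m1 multiplied by the matrix hash of m2, which is the homomorphism the equivalence proof relies on; likewise a unit lower triangular matrix squares to the identity in characteristic 2, the fact used in the attack's third step.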
« Quasi » equivalence between projective and vectorial versions
• Suppose there is an algorithm finding collisions for the projective version…
– Run it on
to get
and
– Run it on
to get
and
– After
steps, find
such that
• Complexity of last step
– Hard asymptotically
(
discrete logarithm problems + one subset sum problem)
– Feasible for
23
Conclusion
Conclusion
• New generic attacks
– Collision attack in time
(instead of
)
– Preimage attack in time
(instead of
)
• New variants
– Vectorial variant as secure
– Projective variant « nearly » as secure
– Best attack against projective variant is birthday search
• Zémor-Tillich is not broken
–
is too small
– Still a very interesting design
25
Questions?