Hard and easy components of collision search in the Zémor-Tillich hash function: New attacks and reduced variants with equivalent security
C. Petit, J.J. Quisquater, J.P. Tillich, G. Zémor
Presented by Christophe Petit, UCL Crypto Group, 04/22/09 | CRYP-201

Collisions for hash functions

Cryptographic hash functions

Graph-based hash functions
• Most hash functions can be seen as
• While Zémor-Tillich is more like

Outline
Introduction
The Zémor-Tillich hash function
New attacks
Reduced variants
Conclusion

The Zémor-Tillich hash function
• Introduced at CRYPTO'94 [TZ94]
• Let and let irreducible over
• Let
• For a message
• Output set has size with

The Zémor-Tillich hash function
• Graph and group interpretations of main properties
• Representation problem: given a group and a set , find a product
• Balance problem: find

The Zémor-Tillich hash function
• Previous cryptanalysis:
– Malleability
– Invertibility for short messages [SGGB00]
– Trapdoor attacks on [CP94, AK98, SGGB00]
– Projection to finite fields [G96]
– Subgroup attacks for composite [SGGB00]
• This paper:
– Generic collision and preimage subgroup attacks in time (instead of and for birthday and exhaustive search)

New attacks

Generic collision attack
• Sketch:
1. Find lower triangular matrices with a meet-in-the-middle random search
2. Combine the lower triangular matrices into a lower triangular matrix with ones on the diagonal by solving discrete logarithms
3. The resulting matrix has order 2
• In each step, we use

Generic collision attack, 1st step
• If for some , then for some
• To solve the equation:
– Compute and on various random messages
– For each obtained, store the projective point
– After ( ) messages, likely to be done

Generic collision attack, 2nd step
• Combine triangular matrices to get a matrix with ones on the diagonal
• Use
• Representation problem in finite fields: given , find
• Equivalent to Discrete Logarithm [BM97]… which is easy here!

Generic collision attack, 3rd step
• For any ,

Improvements
• Preimage attack:
– A bit more technical, but same ideas
– Same complexity
• Memory-free versions
– Transform the birthday search in the first step into a cycle detection problem
– Use standard techniques (distinguished points, …)

Hard and easy components
• Finding a message hashing to a triangular matrix is "nearly" as hard as finding a message hashing to the identity
• Similarly:
– Finding a message hashing to a diagonal matrix
– Given some vector , finding a message hashing to a matrix with left / right eigenvector
are nearly as hard as finding a message hashing to the identity

Hard and easy components
• The output of ZT is bits while its security is bits: how to extract the secure bits?

Reduced variants

Vectorial Zémor-Tillich
• The output of ZT is bits while its security is bits: how to extract the secure bits?
• Vectorial version
– Outputs bits
– For a given initial vector , returns
• If the initial vector is chosen randomly, just as secure as the original matrix version

Equivalence between vectorial and matrix versions
• Suppose there is an algorithm finding collisions for the vectorial version…
– Run it on a random . We get , where and are the ZT hash values of the colliding messages
– Run it on . We get
– Repeat times

Equivalence between vectorial and matrix versions
• Key observations:
–
– "Homomorphism"
• To find a collision:
– Let
– Find such that

Equivalence between vectorial and matrix versions
• Colliding messages:
–
– where
• The two messages collide to the value if

Projective version
• The output of ZT is bits while its security is bits: how to extract the secure bits?
• Projective version
– Outputs bits
– Returns if the vectorial version returns
• If the initial vector is chosen randomly, "nearly" as secure as the initial matrix version

"Quasi" equivalence between projective and vectorial versions
• Suppose there is an algorithm finding collisions for the projective version…
– Run it on to get and
– Run it on to get and
– After steps, find such that
• Complexity of the last step
– Hard asymptotically ( discrete logarithm problems + one subset sum problem)
– Feasible for

Conclusion
• New generic attacks
– Collision attack in time (instead of )
– Preimage attack in time (instead of )
• New variants
– Vectorial variant as secure
– Projective variant "nearly" as secure
– Best attack against the projective variant is birthday search
• Zémor-Tillich is not broken
– is too small
– Still a very interesting design

Questions?
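The slides' formulas did not survive extraction, so the following added example (written for this page, not code from the authors) makes the three variants concrete: the matrix version of Zémor-Tillich, the vectorial version that returns the initial vector multiplied by the hash matrix, and the projective version that keeps only the projective point. It assumes the standard CRYPTO'94 generators A0 = [[X, 1], [1, 0]] and A1 = [[X, X+1], [1, 1]] in SL(2, F_{2^n}), a constructed toy field with n = 8 (far too small for any security), and a row-vector convention v -> v·H(m) for the vectorial version. The `check_structure` function evaluates the facts the reduction between the variants relies on: the hash lands in SL(2), concatenation corresponds to matrix multiplication, the vectorial hash of m1||m2 under v equals the vectorial hash of m2 under the intermediate vector v·H(m1) (the slides' "homomorphism" observation), and the projective output is independent of scaling the initial vector, which is exactly the n bits the projective version discards.

```python
"""Toy Zémor-Tillich hash: matrix, vectorial and projective versions.

Assumptions of this example (not from the slides):
  * generators A0 = [[X,1],[1,0]], A1 = [[X,X+1],[1,1]] (Tillich-Zémor, CRYPTO'94);
  * n = 8 over the constructed field F_2[X]/(X^8 + X^4 + X^3 + X + 1);
  * the vectorial version uses a row vector multiplied on the left: v -> v * H(m).
"""

N = 8
POLY = 0x11B  # X^8 + X^4 + X^3 + X + 1, irreducible over F_2 (constructed toy field)
X = 0b10      # the field element X


def gf_mul(a, b):
    """Multiply two elements of F_{2^N} held as bit-polynomials in ints."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # degree reached N: reduce modulo POLY
            a ^= POLY
    return r


def gf_inv(a):
    """Inverse of a nonzero element via a^(2^N - 2) (square-and-multiply)."""
    result, base, e = 1, a, (1 << N) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


A0 = ((X, 1), (1, 0))
A1 = ((X, X ^ 1), (1, 1))   # X ^ 1 is X + 1 in characteristic 2
IDENTITY = ((1, 0), (0, 1))


def mat_mul(p, q):
    """2x2 matrix product over F_{2^N}; addition is XOR."""
    return tuple(
        tuple(gf_mul(p[i][0], q[0][j]) ^ gf_mul(p[i][1], q[1][j]) for j in range(2))
        for i in range(2)
    )


def det(m):
    """Determinant ad - bc; subtraction is XOR in characteristic 2."""
    return gf_mul(m[0][0], m[1][1]) ^ gf_mul(m[0][1], m[1][0])


def bits_of(data: bytes):
    """Message bits, most significant bit of each byte first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def zt_matrix(data: bytes):
    """Matrix version: H(m) = A_{m_1} A_{m_2} ... A_{m_k}."""
    h = IDENTITY
    for b in bits_of(data):
        h = mat_mul(h, A1 if b else A0)
    return h


def vec_mat(v, m):
    """Row vector times 2x2 matrix."""
    return (gf_mul(v[0], m[0][0]) ^ gf_mul(v[1], m[1][0]),
            gf_mul(v[0], m[0][1]) ^ gf_mul(v[1], m[1][1]))


def zt_vectorial(v, data: bytes):
    """Vectorial version: v * H(m), updated bit by bit so no matrix is stored (2n bits)."""
    for b in bits_of(data):
        v = vec_mat(v, A1 if b else A0)
    return v


def to_projective(v):
    """Projective version: the point of P^1(F_{2^N}) spanned by a nonzero v (n bits)."""
    if v[0]:
        return (1, gf_mul(v[1], gf_inv(v[0])))
    if v[1]:
        return (0, 1)
    raise ValueError("zero vector has no projective image")


def zt_projective(v, data: bytes):
    return to_projective(zt_vectorial(v, data))


def check_structure(m1: bytes, m2: bytes, v, c):
    """Facts the slides' reductions rely on, evaluated on constructed inputs.
    v must be a nonzero initial vector and c a nonzero field element."""
    h1, h2, h12 = zt_matrix(m1), zt_matrix(m2), zt_matrix(m1 + m2)
    scaled_v = tuple(gf_mul(c, x) for x in v)
    return {
        # H(m) has determinant 1, i.e. lies in SL(2, F_{2^N})
        "in_sl2": det(h12) == 1,
        # H(m1 || m2) = H(m1) H(m2)
        "matrix_homomorphism": h12 == mat_mul(h1, h2),
        # v H(m1 || m2) = (v H(m1)) H(m2): a vectorial hash of m1||m2 under v is a
        # vectorial hash of m2 under the intermediate vector v H(m1)
        "vectorial_homomorphism":
            zt_vectorial(v, m1 + m2) == zt_vectorial(zt_vectorial(v, m1), m2),
        # (c v) H(m) = c (v H(m)), so the projective point ignores the scaling of v
        "projective_ignores_scaling":
            zt_projective(scaled_v, m1 + m2) == zt_projective(v, m1 + m2),
    }


if __name__ == "__main__":
    V = (0x53, 0xCA)  # constructed initial vector
    print(check_structure(b"hello", b"world", V, 0x1D))
```

The field arithmetic is the AES field, so `gf_inv(0x53) == 0xCA` is a handy sanity check for the helpers. Scaling up to the parameter sizes discussed on the slides only changes `N` and `POLY`; the structural properties checked here hold for any irreducible polynomial.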