Charles University in Prague
Faculty of Mathematics and Physics

MASTER'S THESIS

Petr Sušil

New proposals for hash functions

Department of Algebra
Supervisor: Doc. RNDr. Jiří Tůma, DrSc.
Study programme: Mathematical Methods of Information Security
2008
I would like to thank my supervisor, Doc. RNDr. Jiří Tůma, DrSc., for his expert guidance during my work. My thanks also go to the Hlávka Foundation for its sponsorship of my study stay at the University of Queensland, where I wrote some parts of this thesis. Last but not least, my thanks go again to my parents, who have willingly and unceasingly supported me all my life.

I declare that I wrote this thesis on my own and exclusively with the use of the cited sources. I agree with the lending of the thesis and with its publication.

Petr Sušil
Prague, .......
Title: New proposals for hash functions
Author: Petr Sušil
Department: Department of Algebra
Supervisor: Doc. RNDr. Jiří Tůma, DrSc.
Supervisor's e-mail address: tuma@karlin.mff.cuni.cz
Abstract (translated from the Czech): Hash functions are an important cryptographic primitive. In cryptography they are used to prove the origin of a message, to detect changes in a message, and in some authentication protocols. This thesis gives an overview of some new generic attacks against hash functions. It describes in detail the attack on the authentication hash function COMP128, used in the GSM network until 2002. The thesis further points out possible flaws in the design of the new authentication function SQUASH, proposed for use on an RFID chip.
Keywords: hash function, challenge-response authentication

Title: New proposals for hash functions
Author: Petr Sušil
Department: Department of Algebra
Supervisor: Doc. RNDr. Jiří Tůma, DrSc.
Supervisor's e-mail address: tuma@karlin.mff.cuni.cz
Abstract: Hash functions are an important cryptographic primitive. They are used as message authentication codes, manipulation detection codes and in many cryptographic protocols. This thesis gives an explanation of the recent generic attacks against hash functions. It also explains the attack against the authentication hash function COMP128, which was used in the GSM network until 2002. The thesis also discusses possible flaws in a new authentication hash function SQUASH designed for an RFID chip.
Keywords: hash function, challenge-response authentication, public-key cryptography, encryption and signature scheme
Contents

1. Introduction to hash function theory .... 5
  1.1. Cryptographic secure one-way hash function .... 5
    1.1.1. Hash function .... 5
    1.1.2. Cryptographic properties .... 5
  1.2. Construction of a hash function .... 5
    1.2.1. Construction of a compression function .... 6
    1.2.2. Building of a hash function .... 6
2. Compression function .... 8
  2.1. Random Oracle Model .... 8
  2.2. Birthday paradox .... 8
    2.2.1. Generalized birthday paradox .... 9
  2.3. Introduction to compression functions .... 9
    2.3.1. Preimage resistance .... 9
    2.3.2. Second preimage resistance .... 10
    2.3.3. Collision resistance .... 10
  2.4. Pseudo-random number generator based functions .... 11
    2.4.1. Introduction .... 11
    2.4.2. RC4-Hash .... 11
  2.5. Difficult problem based compression functions .... 13
    2.5.1. VSH .... 13
    2.5.2. MQ-HASH .... 16
3. Authentication schemes .... 18
  3.1. COMP-128 hash function .... 18
    3.1.1. Narrow pipe attack .... 20
    3.1.2. Partitioning attack .... 24
  3.2. SQUASH .... 26
    3.2.1. Security of SQUASH .... 31
  3.3. SQUASH128 proposal .... 41
4. Generic attacks on iterative hash functions .... 43
  4.1. Joux multicollision attack .... 43
  4.2. Attack on iterative hash function .... 43
  4.3. Attacks on strengthened constructions .... 44
    4.3.1. Concatenation of different hash functions .... 45
    4.3.2. Concatenation and expansion of a message .... 45
  4.4. Attack on ICE hash function .... 46
  4.5. Expandable message attack .... 47
  4.6. Expandable message .... 47
  4.7. Usage of an expandable message .... 47
  4.8. Example of an expandable message .... 48
  4.9. Building of an expandable message .... 48
    4.9.1. Building of an expandable block .... 48
  4.10. Complexity of building an expandable message .... 49
  4.11. Prevention of long message 2nd preimage attack .... 49
  4.12. Nostradamus (herding) attack .... 50
  4.13. Motivation .... 50
  4.14. Attack .... 50
    4.14.1. Building of a diamond structure .... 51
  4.15. Usage of diamond structure in an attack .... 52
  4.16. Solution .... 54
    4.16.1. Wide-pipe hash .... 54
5. References .... 56
1. Introduction to hash function theory

1.1. Cryptographic secure one-way hash function

1.1.1. Hash function

A hash function h is a function that takes an input of arbitrary length and produces a fixed length output (digest). A hash function is a deterministic function which produces an output from a uniform distribution on any set of random inputs. Hash functions are used in data structures to ensure constant access time (a hash of an element is used as its address). In cryptography, they are used as message authentication codes (MAC) and manipulation detection codes (MDC), therefore they are required to have additional properties.

1.1.2. Cryptographic properties

- preimage resistance (one-wayness): given a digest D it is hard to find any M such that D = h(M). A function is one-way iff
  - it is easy to compute, which means there is a probabilistic polynomial time bounded Turing machine which computes h(M) from M;
  - it is hard to invert, which means that given a digest D there is no probabilistic polynomial time bounded Turing machine which computes M such that D = h(M) with satisfactory probability; alternatively, every probabilistic polynomial time bounded Turing machine computes M such that D = h(M) only with a negligible probability.
  The existence of a one-way function is not proved, and a proof of its existence would be a solution of the well-known P ≠ NP problem [24].
- second preimage resistance: given an input M_1, it is hard to find another input M_2 such that h(M_1) = h(M_2).
- collision resistance: it is hard to find two different messages M_1 and M_2 such that h(M_1) = h(M_2).

"It is hard" means there is no better way than a brute force attack; ideally a hash function is an instance of a random oracle. If length(oracle(M)) = n, then
- a brute force attack on preimage resistance takes 2^n queries,
- a brute force attack on second preimage resistance takes 2^n queries,
- a brute force attack on collision resistance takes 2^{n/2} queries.

However, we will show that most widely used hash functions do not behave like a random oracle, and a brute force attack requires less computational power. In this paper, whenever we refer to a hash function we mean a cryptographic secure one-way hash function.
1.2. Construction of a hash function

One-wayness requires the function to be easily computable. Therefore a hash function is often constructed from a compression function, which takes a fixed length input and produces a fixed length output, and the compression function is iterated. A compression function with cryptographic properties can be used to build a secure hash function. However, the fact that a hash function is based on a secure compression function is not sufficient for the hash function to be secure [1].

1.2.1. Construction of a compression function

A compression function can be constructed from a block cipher [2]:
- Davies-Meyer
- Miyaguchi-Preneel modification of the Davies-Meyer construction

These constructions are widely used; however, they are not secure enough, because they rely on properties which a block cipher does not guarantee. For further information on block cipher based hash/compression functions the reader is referred to [25].

1.2.2. Building of a hash function

Merkle-Damgård [3]
- iteration of a random oracle using a chaining value (intermediate vector); the message is padded with zeros
- the digest is the last chaining value

Merkle-Damgård strengthening [3]
- Merkle and Damgård independently found a construction of a hash function from a random oracle. The oracle takes an input of fixed length and produces an output of fixed length. The oracle is parametrized by a chaining value. The first chaining value is called the initialization vector (IV) and is publicly known. The digest is the last chaining value. The oracle takes a chaining value and a message block and produces a new chaining value. This way, the computation is iterated until the end of the message is reached. The message is padded with a block containing the message length.
- the padding block contains the message length to prevent the 2nd preimage long message attack
- the digest is the last chaining value

Merkle-Damgård with fixed offset [35]
- the last but one chaining value is XORed with a publicly known value c
- the digest is the last chaining value

Enveloped Merkle-Damgård [1]
- Merkle-Damgård for all blocks save the last one, which produces a chaining value C
- the digest is obtained from a query to a random oracle (a different random oracle from the one used in the Merkle-Damgård iteration). The oracle is initialized using a publicly known value IV_2 (this is sufficient for the oracle to be different), and the query block is obtained by concatenation of C, the last message block M_last, and the message length.
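The four constructions above, as an added Python model that is not part of the thesis: SHA-256 truncated to 16 bytes stands in for the random oracle, and the block size, chaining-value size, IV values and the constant c are constructed toy parameters. The model also shows why the plain (zero-padded) variant is unsafe: a message and the same message with a trailing zero byte pad to identical blocks and collide, while every variant that absorbs the length keeps them apart.

```python
import hashlib

BLOCK = 16          # message block size in bytes (constructed toy value)
CV = 16             # chaining value size in bytes (constructed toy value)
IV = b"\x00" * CV   # public initialization vector (assumed)
IV2 = b"\x01" * CV  # second public IV, selects a "different" oracle (assumed)
C_OFFSET = b"\x5c" * CV  # public constant c of the fixed-offset variant (assumed)


def oracle(cv: bytes, block: bytes) -> bytes:
    """Stand-in for the random oracle parametrized by a chaining value:
    takes a CV and one block, returns a new CV."""
    assert len(cv) == CV and len(block) == BLOCK
    return hashlib.sha256(b"MD" + cv + block).digest()[:CV]


def envelope_oracle(iv: bytes, query: bytes) -> bytes:
    """A second, independent oracle used only for the enveloping step."""
    return hashlib.sha256(b"ENV" + iv + query).digest()[:CV]


def blocks(msg: bytes) -> list:
    """Split the message into BLOCK-byte blocks, zero-padding the last one."""
    padded = msg + b"\x00" * (-len(msg) % BLOCK)
    if not padded:
        padded = b"\x00" * BLOCK  # empty message: one all-zero block
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def length_block(msg: bytes) -> bytes:
    """Padding block that holds the message length in bits."""
    return (8 * len(msg)).to_bytes(BLOCK, "big")


def md_plain(msg: bytes) -> bytes:
    """Merkle-Damgård with zero padding only; digest = last chaining value."""
    cv = IV
    for b in blocks(msg):
        cv = oracle(cv, b)
    return cv


def md_strengthened(msg: bytes) -> bytes:
    """Merkle-Damgård strengthening: an extra block carries the length."""
    cv = IV
    for b in blocks(msg) + [length_block(msg)]:
        cv = oracle(cv, b)
    return cv


def md_fixed_offset(msg: bytes) -> bytes:
    """Last-but-one chaining value is XORed with the public constant c."""
    bs = blocks(msg) + [length_block(msg)]
    cv = IV
    for b in bs[:-1]:
        cv = oracle(cv, b)
    cv = bytes(x ^ y for x, y in zip(cv, C_OFFSET))
    return oracle(cv, bs[-1])


def md_enveloped(msg: bytes) -> bytes:
    """All blocks but the last go through MD; the digest comes from a different
    oracle initialized with IV_2 and queried with C || M_last || length."""
    bs = blocks(msg)
    cv = IV
    for b in bs[:-1]:
        cv = oracle(cv, b)
    return envelope_oracle(IV2, cv + bs[-1] + length_block(msg))


def trailing_zero_collides(variant, msg: bytes) -> bool:
    """Does appending one zero byte leave the digest unchanged?"""
    return variant(msg) == variant(msg + b"\x00")
```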
2. Compression function

2.1. Random Oracle Model

A random oracle is a black box supporting a query operation. For a new query it outputs a random reply from a uniform distribution, and for a repeated query it outputs the previous reply. Some explain this as an elf with a notepad sitting inside the black box performing the following operation. Every time a new query comes, he looks it up in his notepad. If he finds the query, he replies with the value corresponding to the query. If he does not find the query, he flips a coin for every bit of the output, replies with such an output, and writes the pair (query, output) into his notepad.

2.2. Birthday paradox

The birthday paradox states that at least two numbers in a collection of n random integers drawn from a uniform distribution with range (1, N) are the same with probability p(n;N). The name is derived from the following special case: in a group of at least 23 randomly chosen people, the probability that some pair will have the same day of birthday is more than 50%.

In this thesis, the birthday paradox will also be referred to as the event that there is a non-empty intersection of two sets of integers of size n and m, with probability p(n;m;N). This would be the probability that in a group large enough there is a male and a female having birthday the same day. (Figure: the difference between one collection and two sets.)

In the one collection case, the probability is
  p(n;N) = 1 − ∏_{k=1}^{n−1} (1 − k/N) ≈ 1 − e^{−n(n−1)/(2N)}.
(1 − k/N) is the probability that a new integer differs from all (k) integers in the collection. For n = √(2N), p(n;N) ≈ 1 − e^{−1/2} ≈ 0.4.

In the two sets case, the probability is
  p(n;m;N) = 1 − ∏_{k=1}^{n} (1 − m/N) = 1 − (1 − m/N)^n ≈ 1 − e^{−nm/N},  p(n;n;N) ≈ 1 − e^{−n²/N}.
(1 − m/N) is the probability that a new integer in the first set differs from all integers in the other set. For n = m = √N, p(n;n;N) ≈ 1 − e^{−1} ≈ 0.63. Extended results on the birthday attack can be found in [9].

2.2.1. Generalized birthday paradox

This attack was introduced by Wagner in [30]. It is a generalization of the birthday paradox for two sets. Note that the case for two sets explained above can be interpreted as finding s_1 ∈ X_1 and s_2 ∈ X_2 such that s_1 ⊕ s_2 = 0. The solution (s_1, ..., s_k) can be found in Θ(2^{n/2}) steps, and it exists with a good probability iff |X_1|·|X_2| ≥ 2^n.

The generalized birthday paradox for k sets is finding s_1 ∈ X_1, ..., s_k ∈ X_k such that s_1 ⊕ ... ⊕ s_k = 0. The solution exists for |X_1|···|X_k| ≥ 2^n with a good probability; however, an algorithm that would make less than Θ(2^{n/2}) steps was an open problem. Wagner showed in [30] an algorithm which finds a solution s_1 ∈ X_1, s_2 ∈ X_2, s_3 ∈ X_3, s_4 ∈ X_4 for |X_i| = 2^{n/3} in O(2^{n/3}) steps.

The algorithm can be constructed for the + operation as well. Such an algorithm solves the so-called k-sum problem, which can be used to solve a discrete logarithm problem. The reader should refer to [30] for further details. An attack using the generalized birthday paradox can be found in [32].

2.3. Introduction to compression functions

An ideal compression function is a pseudo-random function 2^m → 2^h with random oracle properties. In practice only indistinguishability from a random oracle is required. The concept of indistinguishability and the author's contribution can be found in the following chapter. Let us concentrate on the requirements which any compression function should meet, and on how we can build such a function.

The compression function should meet the following:
- the function is surjective;
- ∀x ∈ Rng: |{y : C(y) = x}| = 2^{m−h}, where m is the message block length, h is the length of the hash value, and C is the compression function.

2.3.1. Preimage resistance

This property is called one-wayness in complexity theory. The existence of a one-way function is an open problem, which is equivalent to P ≠ NP. The proof can be found in [24].

f is one-way iff
- for every x ∈ Dom, f(x) can be computed in polynomial time;
- for any y ∈ Rng, any polynomial time bounded algorithm A will output x such that y = f(x) only with negligible probability.

For a random oracle, it holds that the preimage can be found only by making a correct query. This event occurs with probability 2^{−h}, and such a property is also required from any compression function.

2.3.2. Second preimage resistance

For any random oracle it holds that a second preimage can only be found by making a correct query. This event occurs with probability 2^{−h}, and such a property is also required from any compression function.

2.3.3. Collision resistance

For any random oracle it holds that a collision can be found using the birthday paradox in 2^{h/2} queries with approximately 50% probability.

Compression functions are usually based on a block cipher, a pseudo-random generator or some difficult problem in information theory. Block cipher based compression functions are the most usual, and they are described in many other papers. They are often divided as follows:

Explicit constructions of compression functions

The most common constructions are:
- Davies-Meyer construction (figure: inputs IV and M, block cipher E)
- Miyaguchi-Preneel construction (figure: inputs M and IV, block cipher E)

The list of all secure constructions based on a block cipher can be found in [2]. These constructions are secure in the random oracle model, which follows from [21]. It was pointed out by Klíma in [34] that using an ordinary block cipher in any of these constructions is not secure. Further explanation of these principles can be found in [25] and in [26].
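Wagner's 4-list algorithm from section 2.2.1 above, as an added Python example (not from the thesis or from [30]): the first two lists are merged on the low n/3 bits of s_1 ⊕ s_2, the last two likewise, and the two merged lists are then joined on the remaining bits. The list sizes and the random seed are constructed; the lists are slightly larger than 2^{n/3} so that a solution is found with overwhelming probability.

```python
import random
from collections import defaultdict


def four_list_xor(lists, n, low_bits):
    """Find s1^s2^s3^s4 == 0 with s_i drawn from lists[i] (n-bit integers).

    low_bits is the width (about n/3) of the low bits forced to cancel in the
    pairwise merges; the final join compares the remaining n - low_bits bits.
    Returns (s1, s2, s3, s4) or None if no solution exists for these lists.
    """
    mask = (1 << low_bits) - 1

    def merge(A, B):
        # pairs (a, b) whose XOR is zero on the low bits: expected |A||B|/2^low_bits
        by_low = defaultdict(list)
        for b in B:
            by_low[b & mask].append(b)
        out = []
        for a in A:
            for b in by_low.get(a & mask, ()):
                out.append((a ^ b, a, b))
        return out

    L12 = merge(lists[0], lists[1])
    L34 = merge(lists[2], lists[3])
    # low bits already cancel, so equality of a^b and c^d means a^b^c^d == 0
    seen = {}
    for v, a, b in L12:
        seen.setdefault(v, (a, b))
    for v, c, d in L34:
        if v in seen:
            a, b = seen[v]
            return (a, b, c, d)
    return None


def wagner_demo(n=24, size=512, seed=1):
    """Constructed instance: four lists of `size` random n-bit values."""
    rng = random.Random(seed)
    lists = [[rng.getrandbits(n) for _ in range(size)] for _ in range(4)]
    return lists, four_list_xor(lists, n, n // 3)


def check_solution(lists, sol):
    """True iff sol is a valid 4-sum: each s_i in its list and XOR == 0."""
    if sol is None:
        return False
    return all(s in L for s, L in zip(sol, lists)) and \
        (sol[0] ^ sol[1] ^ sol[2] ^ sol[3]) == 0
```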
Implicit constructions of compression functions

These constructions are usually based on the Davies-Meyer or Miyaguchi-Preneel construction. The underlying building block is either similar to a block cipher, or it is a block cipher built only for use in the compression function.
- MD5/SHA
- Whirlpool, Maelstrom-0
- RadioGatún
- HashDoubleNet (which is based on the principles of the Special Block Cipher from [34])

2.4. Pseudo-random number generator based functions

2.4.1. Introduction

Some proposals for a new hash function are based on a pseudo-random number generator. The general construction is to initialize a pseudo-random number generator with an IV and a message block, make a few steps, apply a one-way function and trim the output.

2.4.2. RC4-Hash

Basic properties

This hash function is based on the RC4 key schedule algorithm, and was proposed in [17]. The RC4 algorithm and its key scheduling have been studied for a long time. Since an attack against a hash function based on RC4 would lead to an attack against the RC4 algorithm, we have a good security analysis. RC4-Hash is a wide-pipe hash, a construction introduced by Lucks in [15]. Therefore it resists generic attacks such as [4][5][6][7].

The key schedule algorithm in RC4:

  K is a secret key of length κ bytes.
  S is the state vector of RC4 of length 2^8 bytes; it is a permutation, S ∈ S_N.
  procedure RC4-KSA(K):            RC4 key schedule algorithm
    for i = 0 to 2^8 − 1
      S[i] = i
    j = 0
    for i = 0 to 2^8 − 1
      j = j + S[i] + K[i mod κ]
      swap(S[i], S[j])
  κ is the size of the secret key in bits
  S ∈ S_N is the state vector of RC4 of length 2^8 bytes.
  i = 0, j = 0
  procedure RC4-PRBG():             RC4 pseudo-random bit generator
    i = i + 1 mod N
    j = j + S[i] mod N
    swap(S[i], S[j])
    return S[S[i] + S[j]]

Therefore the inner state of the RC4 random byte generator is log_2(|S|·|i|·|j|) = log_2(2^8! · (2^8)^2) ≈ 1700 bits. The key schedule algorithm seems to be a good pseudo-random generator.

RC4-Hash algorithm

The hash algorithm consists of 3 steps:
- padding
- iteration
- post-processing

Iteration

The compression function of RC4-Hash is based on RC4-KSA.

  X is a message block
  (S, j) is the initialization vector
  procedure C((S, j), X):          RC4-Hash compression function
    for i = 0 to 2^8 − 1
      j = j + S[i] + X[r(i)]
      swap(S[i], S[j])
    return (S, j)

  r : {0, ..., 255} → {0, ..., 63}; r restricted to [i, i+63] is a bijection {0, ..., 63} → {0, ..., 63} for i ∈ {0, 64, 128, 192}

Post-processing

Let (S_t, j_t) be the last chaining value. We produce a hash by applying two functions:
  RC4-Hash_l = HBG_l(OWT(S_0 S_j, j))
where OWT is believed to be a one-way transformation.

  procedure OWT((S, j)):           one-way transformation of RC4-Hash
    perm_1 = S
    for i = 0 to 2^9 − 1
      j = j + S[i]
      swap(S[i], S[j])
    perm_2 = S
    return (perm_1 ∘ perm_2 ∘ perm_1, j)

  procedure HBG_l((S, j)):         hash byte generation algorithm
    for i = 0 to l
      j = j + S[i]
      swap(S[i], S[j])
      out[i] = S[S[i] + S[j]]
    return out

  RCH_l(M_1, M_2, ..., M_n) = HBG_l(OWT(C(...(C(C(S_IV, M_1), M_2), ...), M_n)))

RC4-Hash: choice of the initialization vector

Since the RC4 cipher has some weak keys, which would reduce the size of the internal state, the chosen IV should not be one of them. For more information refer to the original article.

2.5. Difficult problem based compression functions

2.5.1. VSH

Very Smooth Hash was proposed by Contini, Lenstra, and Steinfeld at Eurocrypt 2006. This function is designed to be provably secure against finding collisions under the assumption that factoring of big integers is difficult. The VSH function cannot be used as an instance of a random oracle, and therefore strictly speaking it is not a hash function.

VSH algorithm

  procedure VSH(m):
    l = |m|                                length of the message in bits
    k = block length
    m_i is the i-th bit of the message
    L = ⌈l/k⌉                              number of blocks of the message
    l_i ∈ {0,1} such that l = Σ_{i=1}^{k} l_i 2^{i−1}
    m_i = 0 for l < i ≤ Lk                 padding of the last block
    define m_{Lk+i} = l_i for 1 ≤ i ≤ k    padding with the message length
    x_0 = 1
    for j = 0 to L
      x_{j+1} = x_j^2 · ∏_{i=1}^{k} p_i^{m_{jk+i}} mod N
    return x_{L+1}
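VSH as defined above, as an added Python example that is not the authors' reference code: the modulus is a constructed toy N = pq (far too small for real use, chosen so the arithmetic is visible), p_i are the first k primes, and the message is given as bytes. Because the digest is exactly ∏ p_i^{e_i} mod N with e_i built from the message and length bits, it satisfies the multiplicative relation H(x ∨ y)·H(x ∧ y) ≡ H(x)·H(y) (mod N) for equal-length x, y, which the preimage discussion later in this section relies on; the block checks that relation.

```python
def first_primes(k):
    """The first k primes p_1, ..., p_k (p_1 = 2)."""
    primes, c = [], 2
    while len(primes) < k:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes


class VSH:
    """Very Smooth Hash with block length k over modulus N (toy parameters)."""

    def __init__(self, N, k):
        self.N, self.k = N, k
        self.p = first_primes(k)

    @staticmethod
    def _bits(m_bytes):
        # message bits m_1..m_l, most significant bit of each byte first
        return [(byte >> (7 - i)) & 1 for byte in m_bytes for i in range(8)]

    def padded_blocks(self, bits):
        """Blocks m[0..L-1], last one zero-padded, followed by the length block."""
        l, k = len(bits), self.k
        assert l < 2 ** k, "message length must fit in one k-bit block"
        L = -(-l // k)                      # ceil(l / k)
        bits = bits + [0] * (L * k - l)     # m_i = 0 for l < i <= Lk
        length_block = [(l >> i) & 1 for i in range(k)]  # l_i, i = 1..k
        return [bits[j * k:(j + 1) * k] for j in range(L)] + [length_block]

    def digest(self, m_bytes):
        x = 1
        for block in self.padded_blocks(self._bits(m_bytes)):
            x = x * x % self.N              # x_{j+1} = x_j^2 * prod p_i^{m_{jk+i}}
            for p, bit in zip(self.p, block):
                if bit:
                    x = x * p % self.N
        return x                            # x_{L+1}


def multiplicative_relation(h, x, y):
    """(lhs, rhs) of H(x|y)*H(x&y) == H(x)*H(y) mod N for |x| == |y|."""
    assert len(x) == len(y)
    x_or = bytes(a | b for a, b in zip(x, y))
    x_and = bytes(a & b for a, b in zip(x, y))
    lhs = h.digest(x_or) * h.digest(x_and) % h.N
    rhs = h.digest(x) * h.digest(y) % h.N
    return lhs, rhs


# constructed toy instance: N = 1000003 * 1000033 (both prime), k = 16
TOY = VSH(1000003 * 1000033, 16)
```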
Collision resistance of VSH

VSH was built on a hard problem which arises in factoring of large numbers using the NFS (Number Field Sieve) algorithm.

  procedure QS_basic(N):
    find x^2 ≡ y^2 (mod N), where x^2 and y^2 are non-trivial
    gcd(x^2 − y^2, N) divides N

There is no efficient algorithm to find such x^2 and y^2, and it is supposed there is no probabilistic polynomial time algorithm which would find such a pair x^2, y^2 with a non-negligible probability.

Definition 2.1: VSSR (Very Smooth number nontrivial modular Square Root). Let N be the product of two unknown primes and let k < (log N)^c. VSSR problem: given N, find x ∈ Z_N such that x^2 ≡ ∏_{i=0}^{k} p_i^{e_i} (mod N).

Theorem 2.2: Collision resistance of VSH. Finding a collision in VSH is as hard as solving VSSR.

Proof: Let m, m' be a collision in VSH; let l, l' be the bit lengths and L, L' the numbers of blocks of m, m'. Since m and m' collide, m ≠ m' and x_{L+1} = x'_{L'+1} = digest. Let m[j] = (m_{jk+i})_{i=1}^{k}, and let t ≤ L be the largest index such that (x_t, m[t]) ≠ (x'_t, m'[t]), i.e. (x_j, m[j]) = (x'_j, m'[j]) for t < j < L+1.

1. l = l':
   (x_t)^2 ∏_{i=1}^{k} p_i^{m_{tk+i}} ≡ (x'_t)^2 ∏_{i=1}^{k} p_i^{m'_{tk+i}} (mod N)
   Denote Δ = {i : m_{tk+i} ≠ m'_{tk+i}, 1 ≤ i ≤ k} and Δ_10 = {i : m_{tk+i} = 1, m'_{tk+i} = 0, 1 ≤ i ≤ k}.
   Then (x_t · x'_t^{−1} · ∏_{i∈Δ_10} p_i)^2 ≡ ∏_{i∈Δ} p_i (mod N).
   Δ ≠ ∅ ⇒ the collision gives a solution to VSSR.
   Δ = ∅ ⇒ x_t^2 ≡ x'_t^2 (mod N). Since m ≠ m', we know t ≥ 1.
     If x_t ≢ ±x'_t (mod N), VSSR is solved by factoring N: gcd(x_t^2 − x'_t^2, N) is a factor of N.
     If x_t ≡ x'_t (mod N), then x_t = x'_t, which contradicts the definition of t.
     From x_t ≡ −x'_t (mod N) ⇒ x_t · x'_t^{−1} ≡ −1 (mod N) ⇒ (x_{t−1} · x'_{t−1}^{−1} · ∏_{i∈Δ_10} p_i)^2 ≡ −∏_{i∈Δ} p_i (mod N), with Δ, Δ_10 now taken for block t−1 ⇒ it solves VSSR.

2. l ≠ l': since x_{L+1} = x'_{L'+1}, (x_L · x'_{L'}^{−1})^2 ≡ ∏_{i=1}^{k} p_i^{l'_i − l_i} (mod N). Since |l_i − l'_i| = 1 for at least one i, it solves VSSR.

Creating collisions

Finding collisions is difficult if and only if the factorization of N is unknown. Denote e_i = Σ_{j=0}^{L} m_{jk+i} 2^{L−j} for 1 ≤ i ≤ k; then VSH(m) = ∏_{i=1}^{k} p_i^{e_i} (mod N). Let φ(N) be the Euler function. Then for any a, t it holds that a^{tφ(N)} ≡ 1 (mod N).
  VSH(m) = ∏_{i=1}^{k} p_i^{e_i} = ∏_{i=1}^{k} p_i^{e_i + t_i φ(N)} = VSH(m')
But such collisions reveal φ(N), and therefore they reveal the factorization of N.

Preimage resistance of VSH

Since the function is collision resistant, the attacker is required to make at least Ω(2^{n/2}) computations. The following algorithm for finding a preimage, which requires Θ(2^{n/2}), makes use of the multiplicative property in a time-memory trade-off attack.
  H(x ∨ y) · H(x ∧ y) ≡ H(x) · H(y) (mod N)
  H(y) = H(x)^{−1} · H(x ∧ y) · H(m) (mod N); we will choose x, y such that x ∧ y = 00...0. This holds for x = x'||00...0 and y = 00...0||y', where |00...0| = n/2.

  procedure Preimage(H(m)):
    for 0 ≤ x' < 2^{n/2}
      x = x'||00...0
      insert into table H(x)^{−1} · H(x ∧ y) · H(m)
    for 0 ≤ y' < 2^{n/2}
      y = 00...0||y'
      search in table for H(y)
      if match found return x ∨ y

The attack has both time and space complexity O(2^{n/2}), and since we know the attack has a complexity of at least Ω(2^{n/2}), the preimage attack has complexity Θ(2^{n/2}), under the assumption that the VSSR problem has a complexity of at least Ω(2^{n/2}).

VSH-DL: Discrete Logarithm variant of VSH

Definition 2.3: VSDL (Very Smooth number Discrete Log). Let p, q be primes with p = 2q + 1 and let k ≤ (log p)^c. VSDL problem: given p, find integers e_1, e_2, ..., e_k such that 2^{e_1} ≡ ∏_{i=2}^{k} p_i^{e_i} (mod p) with |e_i| < q for i = 1, 2, ..., k and at least one e_i ≠ 0.
  procedure VSH_DL(m):
    p is an S-bit prime, p = 2q + 1 for q prime
    k fixed integer, the number of small primes
    L ≤ S/2
    l = |m|                                length of the message in bits
    m is an Lk-bit message
    m_i is the i-th bit of the message, i ∈ {1, ..., Lk}
    x_0 = 1
    for j = 0 to L − 1
      x_{j+1} = x_j^2 · ∏_{i=1}^{k} p_i^{m_{jk+i}}
    return x_L mod p

This section contains a summary of [16] and [22]. The main purpose of this section was presenting a hash function with some provably secure properties.

2.5.2. MQ-HASH

The security of this hash function is based on the difficulty of solving a randomly chosen set of multivariate quadratic equations. Such a function is supposed to be preimage resistant, because solving multivariate quadratic equations is an NP-hard problem.

Theorem 2.4: collisions in MQ equations (from [10]). Let Q be a tuple of e quadratic equations f_1, ..., f_e in u variables over a finite field F. For every value δ = (δ_1, ..., δ_u), it is possible to give, with time complexity O(eu^2), a parametrized description of the set of inputs x = (x_1, ..., x_u) and y = (y_1, ..., y_u) colliding through Q and such that y − x = δ, if any.

Proof: Given δ, one computes a linear system L_δ(z) = 0 in the indeterminate z, where L_δ is the affine mapping defined by L_δ : z ↦ Q(z + δ) − Q(z). Thus, any colliding pair (x, y) = (x, x + δ) for Q with prescribed difference δ translates into a solution x of a linear system, and any standard algorithm for solving linear systems recovers the set of solutions of the collision equation Q(z) = Q(z + δ).

Algorithm for collisions in MQ equations

  Eq_1: f_1(z_1 + δ_1, z_2 + δ_2, ..., z_u + δ_u) − f_1(z_1, z_2, ..., z_u) = 0
        = Σ_{i=1}^{u} Σ_{j=1}^{u} a_{1,i,j} (z_i + δ_i)(z_j + δ_j) − Σ_{i=1}^{u} Σ_{j=1}^{u} a_{1,i,j} z_i z_j
        = Σ_{i=1}^{u} Σ_{j=1}^{u} a_{1,i,j} δ_j z_i + Σ_{i=1}^{u} a_{1,i,j} δ_i δ_j
  Eq_2: f_2(z_1 + δ_1, z_2 + δ_2, ..., z_u + δ_u) − f_2(z_1, z_2, ..., z_u) = 0
        = Σ_{i=1}^{u} Σ_{j=1}^{u} a_{2,i,j} δ_j z_i + Σ_{i=1}^{u} a_{2,i,j} δ_i δ_j
  ...
  Eq_e: f_e(z_1 + δ_1, z_2 + δ_2, ..., z_u + δ_u) − f_e(z_1, z_2, ..., z_u) = 0
        = Σ_{i=1}^{u} Σ_{j=1}^{u} a_{e,i,j} δ_j z_i + Σ_{i=1}^{u} a_{e,i,j} δ_i δ_j

It gives us e equations in u variables, which can be solved using Gaussian elimination in O(eu^2). Setting (x, y) = (z, z + δ) gives a collision (f_1(x), ..., f_e(x)) = (f_1(y), ..., f_e(y)).

In matrix form, with one row per equation and one column per variable z_1, ..., z_u:

  ( Σ_{j=0}^{u} a_{1,1,j} δ_j   Σ_{j=0}^{u} a_{1,2,j} δ_j   ...   Σ_{j=0}^{u} a_{1,u,j} δ_j ) ( z_1 )   ( Σ_{i=1}^{u} a_{1,i,j} δ_i δ_j )
  ( Σ_{j=0}^{u} a_{2,1,j} δ_j   Σ_{j=0}^{u} a_{2,2,j} δ_j   ...   Σ_{j=0}^{u} a_{2,u,j} δ_j ) ( z_2 ) = ( Σ_{i=1}^{u} a_{2,i,j} δ_i δ_j )
  (          ...                         ...             ...             ...            ) ( ... )   (             ...              )
  ( Σ_{j=0}^{u} a_{e,1,j} δ_j   Σ_{j=0}^{u} a_{e,2,j} δ_j   ...   Σ_{j=0}^{u} a_{e,u,j} δ_j ) ( z_u )   ( Σ_{i=1}^{u} a_{e,i,j} δ_i δ_j )

Using the Gaussian elimination algorithm, we can find z such that the equations hold. The Gaussian elimination algorithm runs in time O(eu^2) and returns the set of solutions for such δ. The set is empty if a collision for such δ does not exist.

Compression function of MQ-HASH

As we have seen in the previous theorem, MQ-Hash has to be built so that it is not a plain multivariate quadratic equation. If we have a hash function containing a plain multivariate quadratic equation for each bit of the output, the hash function itself does not contain any message expansion. The expansion function for MQ-Hash is another multivariate quadratic equation.

The MQ-HASH compression function can be defined as g ∘ f, where
  f : F^{m+n} → F^r;  x = (c_1, ..., c_n, b_1, ..., b_m) ↦ f(x) = (f_1(x), ..., f_r(x))
  g : F^r → F^n;      η = (η_1, ..., η_r) ↦ g(η) = (g_1(η), ..., g_n(η))
  MQ-HASH: v_i = g ∘ f(v_{i−1}, M_i)
  MQ-HASH(M_1 || M_2 || ... || M_n) = g ∘ f(...(g ∘ f(g ∘ f(v_0, M_1), M_2))..., M_n)

This section presented a hash function with some provably secure properties.
The only source for this section was [10]. The reader is encouraged to refer to [18] and [11] to understand preimage attacks against some constructions.
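The linearization of Theorem 2.4 carried out over GF(2), as an added Python example that is not the code of [10]: a constructed random system Q of e quadratic forms in u variables, a difference δ, the linear system L_δ(z) = Q(z + δ) − Q(z) = 0 built from the coefficient identities above (over GF(2), z_i^2 = z_i, so a diagonal term contributes only the constant δ_i), and Gaussian elimination returning one solution z, which gives the colliding pair (z, z + δ). This is exactly why MQ-HASH cannot be a single plain quadratic map.

```python
import random


def random_mq_system(e, u, rng):
    """e random quadratic forms over GF(2): f_k(z) = sum_{i<=j} a_{k,i,j} z_i z_j."""
    return [{(i, j): rng.getrandbits(1) for i in range(u) for j in range(i, u)}
            for _ in range(e)]


def evaluate(Q, z):
    """Q(z) as a list of e bits."""
    return [sum(a * z[i] * z[j] for (i, j), a in f.items()) & 1 for f in Q]


def linearized_system(Q, delta):
    """Rows of L_delta(z) = Q(z+delta) - Q(z) = 0 written as A z = b over GF(2).
    Per monomial: (z_i+d_i)(z_j+d_j) - z_i z_j = d_j z_i + d_i z_j + d_i d_j."""
    u = len(delta)
    A, b = [], []
    for f in Q:
        row, const = [0] * u, 0
        for (i, j), a in f.items():
            if a:
                row[i] ^= delta[j]          # for i == j both terms cancel:
                row[j] ^= delta[i]          # z_i^2 = z_i over GF(2)
                const ^= delta[i] & delta[j]
        A.append(row)
        b.append(const)                     # constant moved to the right side
    return A, b


def solve_gf2(A, b):
    """One solution of A z = b over GF(2) (free variables set to 0), or None."""
    m, u = len(A), len(A[0])
    rows = [A[r][:] + [b[r]] for r in range(m)]
    pivots, r = [], 0
    for c in range(u):
        piv = next((i for i in range(r, m) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(m):
            if i != r and rows[i][c]:
                rows[i] = [x ^ y for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    if any(rows[i][u] for i in range(r, m)):
        return None                         # 0 = 1 row: no collision with this delta
    z = [0] * u
    for i, c in enumerate(pivots):
        z[c] = rows[i][u]
    return z


def find_collision(Q, delta):
    """(x, y) with Q(x) == Q(y) and y - x == delta, or None if none exists."""
    z = solve_gf2(*linearized_system(Q, delta))
    if z is None:
        return None
    return z, [zi ^ di for zi, di in zip(z, delta)]


def mq_demo(e=8, u=16, seed=3, tries=20):
    """Constructed instance; retries a few random nonzero deltas if one fails."""
    rng = random.Random(seed)
    Q = random_mq_system(e, u, rng)
    for _ in range(tries):
        delta = [rng.getrandbits(1) for _ in range(u)]
        if not any(delta):
            continue
        pair = find_collision(Q, delta)
        if pair is not None:
            return Q, delta, pair
    return Q, None, None
```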
3. Authentication schemes

3.1. COMP-128 hash function

GSM authentication is a standard challenge-response protocol. The authentication server sends, via a base station (BS), a random challenge to a new mobile station (MS). Both the authentication server and the mobile station compute a response using the so-called A3 algorithm, the challenge, and the secret key. The mobile station sends the response to the authentication server. The server compares the received value with the computed value, and authenticates the mobile station if and only if the values are the same.

The A3 algorithm must not leak any information about the secret key. The A3 algorithm was not required to be collision resistant, because in general a collision is not an attack against an authentication protocol. The A3 algorithm is performed on the SIM card so that the secret key never leaves the chip.

The A3 and A8 algorithms in GSM were implemented using the COMP-128 hash function. The COMP-128 algorithm was not publicly known until 1997, when an incomplete specification appeared on Usenet. The remaining parts were reverse engineered soon after. After that, cryptologists pointed out there is a flaw (called narrow pipe) in the algorithm. The attacker can produce collisions by changing only a few bytes of an input, and such collisions leak information about the secret key. The attack relies on the occurrence of a specific collision at the beginning of the algorithm; such a collision propagates into the digest. Since a collision in the hash implies with high probability a collision in the narrow pipe for specific inputs, one can use a collision in the narrow pipe to reconstruct two bytes of the secret key.

  Secret Key = 128 bits
  Challenge = 128 bits
  procedure A3(Secret Key, Challenge):              algorithm on the SIM card
    Y = COMP128(Secret Key, Challenge)
    return [Y]_0^{31}

  Secret Key = 128 bits
  Challenge = 128 bits
  procedure A8(Secret Key, Challenge):              algorithm on the SIM card
    Y = COMP128(Secret Key, Challenge)
    return [Y]_{32}^{96}

  Challenge = 128 bits
  procedure Authenticate_Mobile(Challenge):         authentication algorithm interface
    Secret Key = read from SIM                      (does not leave the SIM card)
    return A3(Secret Key, Challenge)                ... computed by the SIM card

  procedure Authenticate_Provider():                authentication algorithm at a provider
    Secret Key = read from database
    Challenge = Random()
    if Authenticate_Mobile(Challenge) = A3(Secret Key, Challenge)
      return ok
    else
      return failure

COMP-128 algorithm

  Secret Key = 128 bits
  Challenge = 128 bits
  X is an input array of length 32 bytes
  procedure COMP128(Secret Key, Challenge):
    X[16...31] = Challenge
    for j = 0 to 7
      X[0...15] = Secret Key
      COMP128_Compress(X)
      Form bits from bytes = convert 32 4-bit numbers to 16 8-bit numbers
      if j ≠ 7: Permutation
    Y = the 16-byte output of COMP128(X) compressed into 12 bytes
    return Y

  table T_0 is a function T_0 : 2^9 → 2^8
  table T_1 is a function T_1 : 2^8 → 2^7
  table T_2 is a function T_2 : 2^7 → 2^6
  table T_3 is a function T_3 : 2^6 → 2^5
  table T_4 is a function T_4 : 2^5 → 2^4
  X is an input array of length 32 bytes
  procedure COMP128_Compress(X):                    cryptographic part of the algorithm
    for j = 0 to 4
      for k = 0 to 2^j − 1
        for l = 0 to 2^{4−j} − 1
          m = l + k·2^{5−j}
          n = m + 2^{4−j}
          y = (X[m] + 2·X[n]) mod 2^{9−j}
          z = (2·X[m] + X[n]) mod 2^{9−j}
          X[m] = T_j[y]
          X[n] = T_j[z]

3.1.1. Narrow pipe attack

The name of the attack suggests there is a trail in the algorithm such that only a few bits of the input may cause a collision on a few bits (somewhere) during the algorithm. If the attacker sets the bits outside the narrow pipe the same for both inputs, a collision in the narrow pipe propagates throughout the algorithm into the digest.

The narrow pipe in COMP128 is at the beginning of COMP128_Compress. The attacker forces a collision in the first run of COMP128_Compress (which is repeated 8 times). The collision propagates to the digest, and the attacker finds the secret key (using a brute force search on the bits of the narrow pipe) which leads to this collision.

Graphical representation of the COMP128_Compress algorithm:

  procedure COMP128_Compress(X):                    cryptographic part of the algorithm
    level_0:
      for l = 0 to 15
        m = l
        n = m + 2^4
        X[m] = T_0[(X[m] + 2·X[n]) mod 2^9]
        X[n] = T_0[(2·X[m] + X[n]) mod 2^9]
    level_1:
      for k = 0 to 1
        for l = 0 to 7
          m = l + k·2^4
          n = m + 2^3
          X[m] = T_1[(X[m] + 2·X[n]) mod 2^8]
          X[n] = T_1[(2·X[m] + X[n]) mod 2^8]
    level_2:
      for k = 0 to 3
        for l = 0 to 3
          m = l + k·2^3
          n = m + 2^2
          X[m] = T_2[(X[m] + 2·X[n]) mod 2^7]
          X[n] = T_2[(2·X[m] + X[n]) mod 2^7]
    level_3:
      for k = 0 to 7
        for l = 0 to 1
          m = l + k·2^2
          n = m + 2^1
          X[m] = T_3[(X[m] + 2·X[n]) mod 2^6]
          X[n] = T_3[(2·X[m] + X[n]) mod 2^6]
    level_4:
      for k = 0 to 15
        m = k·2
        n = m + 1
        X[m] = T_4[(X[m] + 2·X[n]) mod 2^5]
        X[n] = T_4[(2·X[m] + X[n]) mod 2^5]
(Figure: the COMP128_Compress algorithm; graphical representation of the narrow pipe.)

Bytes i, i+8, i+16, i+24 in the level_1 function depend only on bytes i, i+8, i+16, i+24 of the input array X. Bytes i, i+8 are bytes of the secret key; bytes i+16 and i+24 are bytes of the challenge. Bytes i+16 and i+24 are varied until a collision is found. The other bytes in the challenge are fixed (but random).

Since the T_1 function is T_1 : 2^8 → 2^7, there are collisions. The probability of a collision can be computed using the formula for the birthday paradox. If all but two bytes i+16, i+24 are fixed (a = 16 bits), then all but 4 outputs i, i+8, i+16, i+24 of the function level_1 are constant, and the output of the T_1 table is a 7-bit number. Therefore the length of the pipe (the number of bits that can be varied) is b = 4·7 = 28 bits. According to the birthday paradox, the probability of a collision is 1 − e^{−n^2/(2m)}, where n = 2^a and m = 2^b. After substitution, 1 − e^{−(2^16)^2/(2·2^28)} = 0.9997. The average number of tests required to obtain a collision is E = √(πm/2), E = √(π·2^28/2) = 2^{14.326} = 20538. Since we can only see the collision at the end of the computation, we need to know the probability that a collision from COMP128 is the collision in level_2. The probability of a collision in the A3 hash function after E queries is 1 − e^{−(2^{14.326})^2/(2·2^32)} = 0.0479. This gives us enough confidence that the collision is at level_2. For more confidence, we can use the output from the A8 algorithm. It gives us 1 − e^{−(2^{14.326})^2/(2·2^{32+64})} ≈ 3·10^{−21} ≈ 0 probability of a collision. Once a collision is found, it is easy to recover the secret key using a brute force search.

  procedure CollisionSearch(i):                     search for a collision for the i-th byte
    for t = 0 to 127
      challenge_new[t] = Random()                   held fixed for all bytes but the i-th and (i+8)-th
    for j = 0 to 255
      for k = 0 to 255
        challenge_new[i] = j
        challenge_new[i+8] = k
        response = COMP128(challenge_new, key)
        challenge_old = searchInDatabase(response)
        if challenge_old ≠ null
          return (challenge_new, challenge_old)
        else
          addToDatabase((response, challenge_new))

  procedure KeySearch(chall_1, chall_2, i):         recover the i-th byte of the secret key from a collision
    for t = 0 to 127
      key[t] = 0                                    only bytes i and i+8 are important for key recovery
    for j = 0 to 255
      for k = 0 to 255
        key[i] = j
        key[i+8] = k
        if COMP128(chall_1, key) = COMP128(chall_2, key)
          return (key[i], key[i+8])
    return failure                                  the collision was not in the second round

  procedure CloneSim():                             recover the secret key from the SIM
    for i = 0 to 7
      (challenge_new, challenge_old) = CollisionSearch(i)
      (key[i], key[i+8]) = KeySearch(challenge_new, challenge_old, i)
    return key

3.1.2. Partitioning attack

There is also a side channel attack (called the partitioning attack) which requires 2^10 queries in the non-adaptive version and 8 queries in the adaptive version.

The attack is quite simple. The table T_0 has size 2^9. Since addressing is often 8-bit, the table T_0 is implemented as T_00 and T_01. One can distinguish which table is accessed using a side channel such as differential power analysis or electrom-agnetic emission. Since the access to the table depends directly on bytes of the secret key and the challenge, one can distinguish whether x[i] ≤ 2^8 or x[i] > 2^8. Using binary search (adaptively chosen queries), one can distinguish the value of the byte x[i] in 8 = log_2 2^8 queries. The non-adaptive mode requires many more queries, so that the probability one can distinguish the bit is high enough. Moreover, we can perform such a search in parallel on all bytes of the secret key.

Table T_0 is a function T_0 : 2^9 → 2^8, which is often implemented using T_00 : 2^8 → 2^8 and T_01 : 2^8 → 2^8.

    level_0:
      for l = 0 to 15
        m = l
        n = m + 2^4
        M = (X[m] + 2·X[n]) mod 2^9
        N = (2·X[m] + X[n]) mod 2^9
        // X[m] = T_0[M]
        if (M < 2^8) X[m] = T_00[M mod 2^8]
        else         X[m] = T_01[M mod 2^8]
        // X[n] = T_0[N]
        if (N < 2^8) X[n] = T_00[N mod 2^8]
        else         X[n] = T_01[N mod 2^8]

Using the side channel, one can distinguish whether the if or the else branch was executed. Let l be fixed. X[m] is an unknown byte of the secret key, X[n] = B is a known byte of the challenge. The side channel gives the attacker the information whether X[m] + 2B mod 2^9 < 2^8 and whether 2X[m] + B mod 2^9 < 2^8. The attacker wants to distinguish the challenge byte B so that (2X[m] + B) mod 2^9 < 2^8 and (X[m] + 2B) mod 2^9 ≥ 2^8, or the other way round.

  f(S,R) = 0 : 0 ≤ S + 2R mod 2^9 < 2^8
           1 : 256 ≤ S + 2R mod 2^9 < 512
g(s,r):0 2 S+ Rmod2 9 <2 8 0 :256 2 S+ Rmod2 9 <512 1 Functions f(s,.), g(s,.)areconnectedfunctionsavefortwopoints. procedure distinguishpartition l (R):using f R=X[l+2 4 ]-byteofrandomchallenge S= X[l]-byteofsecretkey // X[m] = T 0 [M] if((s + 2 R mod 2 9 ) < 2 8 ) return 0 else return 1 proceduredistinguishkey l ():using f R orig = Random()-byteofrandomchallenge R = R orig -byteofrandomchallenge prev 8 = distinguishpartition l (R) if(prev 8 = 0) low=0, high=2 8 else low=2 8, high=2 9 for i=7 downto0 prev i 1 = distinguishpartition l (R+( 1) previ+1 previ 2 i ) R=R+( 1) previ+1 previ 2 i if(prev i = prev i 1 ) high=high 2 i else(prev i prev i 1 ) low=low+2 i low 2S + R orig < highholdsinbothcases,and high low = 2 i After the algorithm, we have either distinguishpartition l (R) = distinguishpartition l (R 1),or distinguishpartition l (R) = distinguishpartition l (R+1) Havingsuch R,wecandistinguish S.Letusconsideronlyonecase,therestissimilar. proceduredistinguishkey l (R):using f part = distinguishpartition l (R) if(part = 0) 0 2S+ R < 256 mod 2 9 256 2S+ R+1 < 512 mod 2 9 256 2S+ R+1 < 257 mod 2 9 255 R 2 S < 256 R 2 mod 2 8 26
$$S = \frac{255 - R}{2} \pmod{2^8}$$

if (part = 1):
$$0 \le 2S + R + 1 < 256 \pmod{2^9}, \qquad 256 \le 2S + R < 512 \pmod{2^9}$$
$$\Rightarrow\ 0 \le 2S + R + 1 < 1 \pmod{2^9}, \quad \text{i.e. } -1 \le 2S + R < 0 \pmod{2^9}$$
$$S = \frac{-1 - R}{2} \pmod{2^8}$$

(In both cases $2S + R + 1$ is a multiple of $2^8$, so $R$ is odd and the division by two is exact.) We used 8 adaptive queries in distinguishKey_l(). Since every query is a complete challenge whose 16 bytes can be chosen independently, the measurement is done in parallel on all bytes of the secret key, and 8 adaptive queries recover the whole key. For graphs and details on both the adaptive and the non-adaptive version of the attack, the reader should refer to [12].

3.2. SQUASH

This hash function was proposed by Adi Shamir at FSE 2008 [14]. The function is to be used on RFID chips and other constrained devices in a challenge-response authentication protocol. Since the response is computed on a constrained device, the function itself has to be fast and easy to implement, and it should have as low memory requirements as possible. SQUASH is to be used in a challenge-response protocol only; therefore the only hash function property important for this application is preimage resistance. The security of any challenge-response authentication scheme requires that it be impossible to deduce the key from a set of (challenge, response) pairs, where the challenges can be chosen adaptively.

SQUASH is based on squaring modulo a composite number $N$. The motivation comes from the Rabin encryption scheme.

$N$ is a public parameter, $N = pq$ with $p, q$ prime numbers; $m$ is the message to be encrypted.

    procedure Rabin_encrypt(m, N):
        c = m^2 mod N
        return c

$p, q$ are the private parameters, $N = pq$; $c$ is the ciphertext to be decrypted.

    procedure Rabin_decrypt(c, p, q):
        m = sqrt(c) mod pq       // one of the four square roots, found from the roots modulo p and modulo q
        return m

The Rabin encryption scheme is provably secure against a ciphertext-only attack under the assumption that factoring the composite $N$ is difficult.
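Before continuing with SQUASH, here is the adaptive partitioning attack of Section 3.1.2 as a simulation written for this edition; it is not code from the thesis or from [12]. The chip model is constructed: it runs level 0 of COMP128 on a 16-byte key and a 16-byte challenge and, in place of a power or EM trace, returns for every $l$ the bit saying whether the lookup $X[n] = T_0[N]$ read $T_{01}$ ($N \ge 2^8$) or $T_{00}$, i.e. the value $g(X[l], X[l+16])$. The attacker runs the binary search of distinguishKey_l for all 16 key bytes at once, so 8 challenges recover the whole key; the closing formulas are the two cases derived above.

```python
"""Adaptive partitioning attack on COMP128 level 0 (Section 3.1.2).
Constructed simulation for this edition; the chip model is an assumption,
not a real COMP128 implementation."""

KEY_BYTES = 16


class Comp128Level0Leak:
    """Models a chip whose T_0 lookups leak which half-table is read.

    Level 0 of COMP128 computes, for l = 0..15 with m = l and n = l + 16,
    N = (2 X[m] + X[n]) mod 2^9 and reads X[n] = T_0[N].  Because T_0 is stored as
    T_00 (indices < 2^8) and T_01 (indices >= 2^8), a power or EM trace shows
    which half was used; that single bit per l is what partition_bits() returns.
    """

    def __init__(self, key):
        assert len(key) == KEY_BYTES
        self.key = bytes(key)          # X[0..15], the secret bytes
        self.challenges = 0            # number of challenges sent to the chip

    def partition_bits(self, challenge):
        """Run level 0 on one challenge and return the 16 leaked bits g(X[l], X[l+16])."""
        assert len(challenge) == KEY_BYTES
        self.challenges += 1
        leaked = []
        for l in range(KEY_BYTES):
            n_index = (2 * self.key[l] + challenge[l]) % 2**9
            leaked.append(1 if n_index >= 2**8 else 0)   # 1 <=> T_01 was read
        return leaked


def recover_comp128_key(chip):
    """distinguishKey_l() for all 16 bytes at once: one initial challenge plus 7
    binary-search challenges, 8 in total.

    For a key byte S the leaked bit, as a function of the challenge byte R,
    changes at most once: at R = T with T = 2^8 - 2S if S < 2^7 and
    T = 2^9 - 2S otherwise (T = 2^8 means it never changes).  T is even, so the
    search only has to locate t = T/2 in [1, 2^7].
    """
    part0 = chip.partition_bits(bytes(KEY_BYTES))      # R = 0: bit is 1 iff S >= 2^7
    low = [1] * KEY_BYTES
    high = [2**7] * KEY_BYTES                          # t = 2^7 stands for "no change"
    for _ in range(7):                                 # 2^7 candidates -> 7 adaptive queries
        mid = [(lo + hi) // 2 for lo, hi in zip(low, high)]
        bits = chip.partition_bits(bytes(2 * t for t in mid))
        for l in range(KEY_BYTES):
            if bits[l] != part0[l]:
                high[l] = mid[l]                       # change happens at or before R = 2 mid
            else:
                low[l] = mid[l] + 1                    # change happens after R = 2 mid
    key = []
    for l in range(KEY_BYTES):
        t = low[l]                                     # low == high after the loop
        # R = 2t - 1 is the last challenge byte with the original partition:
        # part = 0 gives S = (255 - R)/2, part = 1 gives S = (-1 - R)/2 mod 2^8
        key.append(2**7 - t if part0[l] == 0 else 2**8 - t)
    return bytes(key)


if __name__ == "__main__":
    secret = bytes(range(0, 256, 16))                  # constructed test key, 16 bytes
    chip = Comp128Level0Leak(secret)
    print(recover_comp128_key(chip) == secret, chip.challenges)
```

The seven search challenges are chosen adaptively from the answers to the previous ones, which is exactly what the non-adaptive variant cannot do; it has to average many traces per fixed challenge instead.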
The algorithm for computing a square root modulo a composite number $N = \prod_i p_i^{e_i}$, where the $p_i$ are known distinct primes, consists of the Shanks–Tonelli algorithm for computing a square root modulo a prime (i.e. solving the congruence $x^2 \equiv a \pmod{p_i}$), Hensel lifting to lift a solution of $x^2 \equiv a \pmod{p_i}$ to a solution of $x^2 \equiv a \pmod{p_i^{e_i}}$, and the Chinese remainder theorem to combine the solutions for the different $p_i^{e_i}$ into a solution of $x^2 \equiv a \pmod{\prod_i p_i^{e_i}}$. The reader can refer to chapter 12.5 of [31] for further information.

The difficulty of computing square roots modulo $N$ is equivalent to factoring $N$. Given an algorithm for square roots, generate a random $x$ and compute $y = \sqrt{x^2 \bmod N} \bmod N$. If $y \not\equiv \pm x \pmod N$, then $x^2 \equiv y^2 \pmod N$, i.e. $x^2 - y^2 \equiv 0 \pmod N$ and $(x - y)(x + y) \equiv 0 \pmod N$, so $(x - y)(x + y) = aN$ for some integer $a$ while $N$ divides neither factor; hence $\gcd(x - y, N)$ is a nontrivial factor of $N$. For $N = pq$ the root returned is $\pm x$ for only half of the random choices of $x$, so a few attempts suffice.

Let $S$ be a secret key known only to the chip and to the authentication centre, and let $R$ be a random challenge sent by the authentication centre to the chip. The SQUASH algorithm consists of a mixing function $M = \mathrm{Mix}(S,R)$ and outputs a window of bits of the number $M^2 \bmod N$.

The $N$ in SQUASH is chosen as a composite number with an unknown factorization. Everyone can compute $M^2 \bmod N$ to produce a digest, but no one can compute square roots modulo $N$.

Notation: $n = \log_2 N$ is the bit length of $N$. For $X = (x_{n-1}, \dots, x_0)$ and $0 \le j \le k < n$ denote $[X]_j^k = (x_k, \dots, x_j)$, the $k - j + 1$ bits of $X$ from position $j$ up to position $k$, read as an integer.

Challenge-response protocols usually use a secret key of length 64 bits and a challenge of the same length. They are "securely mixed" so that it is difficult to compute the secret key from adaptively chosen challenges. The challenge and the secret key are mixed together using a function $\mathrm{Mix}(S,R)$. The authentication response is $\mathrm{SQUASH}_S(R) = [\mathrm{Mix}(S,R)^2 \bmod N]_j^k$, a window of $l = 64$ bits taken from the middle of the $n$-bit number: $j = \lfloor n/2 - l/2 \rfloor$ and $k = j + l - 1$.

The squaring operation modulo $N$ ensures non-invertibility, but its algebraic nature, $(a + b)^2 = a^2 + 2ab + b^2$ and $(ab)^2 = a^2 b^2$, creates weaknesses. These weaknesses should be overcome by a good choice of the Mix function. Various choices of Mix will be discussed later in this section.
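The square-root computation and the reduction from square roots to factoring described above, as a runnable example added for this edition (it is not code from the thesis or from [31]). It uses Shanks–Tonelli modulo each prime and the Chinese remainder theorem to combine the roots; the Hensel-lifting step is not needed for $N = pq$ with distinct primes. The primes, the message and the random seed are constructed toy values, far too small for any real use.

```python
"""Rabin decryption (square roots modulo N = p q) and the reduction of factoring
to square roots, as described in Section 3.2.  Added example for this edition.
The primes and the message below are constructed toy values, not parameters
from the thesis."""
import random
from math import gcd


def tonelli_shanks(a, p):
    """Return x with x^2 = a (mod p) for an odd prime p and a quadratic residue a mod p."""
    a %= p
    if a == 0:
        return 0
    assert pow(a, (p - 1) // 2, p) == 1, "a is not a quadratic residue modulo p"
    q, s = p - 1, 0                       # p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2                                 # any quadratic non-residue will do
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:                         # invariant: r^2 = a t (mod p)
        i, t2 = 0, t
        while t2 != 1:                    # least i with t^(2^i) = 1
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def crt(r1, m1, r2, m2):
    """x with x = r1 (mod m1) and x = r2 (mod m2), for coprime m1 and m2."""
    return (r1 + m1 * ((r2 - r1) * pow(m1, -1, m2) % m2)) % (m1 * m2)


def rabin_encrypt(m, n):
    return m * m % n


def rabin_decrypt(c, p, q):
    """All four square roots of c modulo p q: roots modulo p and q, combined by the CRT."""
    rp, rq = tonelli_shanks(c, p), tonelli_shanks(c, q)
    return sorted({crt(sp, p, sq, q) for sp in (rp, p - rp) for sq in (rq, q - rq)})


def factor_with_sqrt_oracle(n, sqrt_mod_n, rng=random.Random(2008)):
    """Given any procedure returning *some* square root modulo n, find a factor of n.
    Pick a random x; if the oracle returns y with y != +-x, then x^2 = y^2 (mod n) but
    n divides neither x - y nor x + y, so gcd(x - y, n) is a proper factor."""
    while True:
        x = rng.randrange(2, n)
        g = gcd(x, n)
        if g != 1:
            return g                      # lucky hit, x already shares a factor with n
        y = sqrt_mod_n(x * x % n)
        if y not in (x, n - x):
            return gcd(x - y, n)


if __name__ == "__main__":
    p, q = 10007, 10009                   # constructed toy primes (p = 3 mod 4, q = 1 mod 4)
    n = p * q
    c = rabin_encrypt(123456, n)
    print(rabin_decrypt(c, p, q))         # four roots, one of them 123456
    # a decryption oracle that returns the smallest root is enough to factor n
    print(factor_with_sqrt_oracle(n, lambda v: rabin_decrypt(v, p, q)[0]))
```

This is the reason SQUASH must use an $N$ of unknown factorization and must never reveal a full square root: anyone who can extract roots modulo $N$ from the chip's answers can factor $N$ with a handful of chosen values.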
Speedups

Using a good choice of the modulus $N$ one can lower the time and memory requirements placed on the computational power of the chip. This is very important, since a low-cost device such as an RFID chip usually lacks the memory, computational power, or energy to execute the algorithm.

α) choice of an easy-to-store modulus $N$

1. Consider a Mersenne number $N = 2^n - 1$. Its binary representation consists of $n$ ones and no zero; therefore we need to store only the number $n$, which requires $\log n = \log\log N$ bits instead of the usual $\log N$.

2. Consider a number $N = 2^n + 1$. Its binary representation contains two ones, one at the beginning and one at the end, and the remaining $n - 1$ digits are zeroes. Therefore we can store $n$ instead of $N$, which again requires only $\log\log N$ bits.

3. Consider a number $N = 2^n + c$ with $c$ fixed. The minimum number of bits required to store such a number is $\log n + \log c = \log\log N + \log c$, which is less than $\log N$ for a small $c$.

β) choice of a modulus $N$ such that reduction mod $N$ is easy to compute

1. For the modulus $N = 2^n - 1$, consider a number of the form $a 2^n + b \pmod{2^n - 1}$ with $b < 2^n$. Since $2^n \equiv 1 \pmod{2^n - 1}$, we have $a 2^n + b \equiv a + b \pmod{2^n - 1}$.

2. For the modulus $N = 2^n + 1$, consider a number of the form $a 2^n + b \pmod{2^n + 1}$ with $b < 2^n$. Since $2^n \equiv -1 \pmod{2^n + 1}$, we have $a 2^n + b \equiv b - a \pmod{2^n + 1}$.

In the SQUASH proposal, composite Mersenne numbers were suggested as a good choice of $N$: both α1) and β1) are used to speed up the computation. The number $n = 1277$ was selected because $N = 2^{1277} - 1$ is a composite number whose factorization is not known.

In this section $X$ is an $n$-bit number.

Squaring in the natural numbers. Square(X) is the schoolbook algorithm for multiplying integers, applied bit by bit: the $i$-th output bit collects the products $x_a x_b$ with $a + b = i$ together with the carry from the previous position.

    input X = (x_{n-1}, ..., x_0)
    procedure Square(X):                       // square in Z
        carry = 0
        for i = 0 to 2n - 2
            for a = max(0, i - n + 1) to min(i, n - 1)
                carry = carry + x_a x_{i-a}
            out_i = carry mod 2
            carry = floor(carry / 2)
        out_{2n-1} = carry
        return out
The result of this algorithm is a $2n$-bit number $a 2^n + b$ for some $a, b < 2^n$. Now we need to perform the squaring operation mod $N$.

Operation modulo $2^n - 1$

Let us take a closer look at the squaring operation modulo $N = 2^n - 1$ and build an algorithm that performs squaring modulo $N$ directly. Since $2^{v+w} \equiv 2^{(v+w) \bmod n} \pmod{2^n - 1}$, the product $x_v x_w$ can be collected at position $(v + w) \bmod n$ right away, i.e. the $j$-th column sum is the cyclic convolution $\sum_{v=0}^{n-1} x_v x_{(j-v) \bmod n}$.

Squaring modulo $2^n - 1$

    input X = (x_{n-1}, ..., x_0)
    procedure SquashSquare(X):                 // square in Z_{2^n - 1}
        carry = 0
        for j = 0 to n - 1
            for v = 0 to n - 1
                carry = carry + x_v x_{(j - v) mod n}
            out_j = carry mod 2
            carry = floor(carry / 2)
        return out

The carry left over after position $n - 1$ represents a multiple of $2^n \equiv 1$ and would have to be added back at position $0$ to finish the reduction; this is the same folding $a 2^n + b \equiv a + b$ as in β1).
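The two squaring routines above, together with the windowed variant with safeguard bits that follows (Algorithm 3.1), as a runnable example written for this edition; it is not the thesis's or Shamir's code. The exact reference uses the folding $a 2^n + b \equiv a + b$ of β1); the bit-serial versions use the cyclic column sums of SquashSquare, first for all $n$ positions and then only from position $j - s$ up to the end of the window, starting with carry $0$. The safeguard length $s$ and the test inputs are constructed, and a random number stands in for $\mathrm{Mix}(S,R)$, which SQUASH does not specify.

```python
"""Squaring modulo a Mersenne number 2^n - 1 as used in SQUASH, and the windowed
bit-serial computation with carry safeguard bits.  Written for this edition; it
is not the thesis's or Shamir's code.  n = 1277 and the 64-bit window are the
SQUASH sizes; the safeguard length s and the inputs are constructed."""
import random


def reduce_mersenne(y, n):
    """y mod (2^n - 1) by folding a*2^n + b = a + b until the value fits in n bits."""
    mask = (1 << n) - 1
    while y >> n:
        y = (y >> n) + (y & mask)
    return 0 if y == mask else y


def square_mod_mersenne(x, n):
    """Exact X^2 mod (2^n - 1): the reference the chip computation is compared against."""
    return reduce_mersenne(x * x, n)


def column_sum(bits, q, n):
    """Coefficient of 2^q in X^2 after folding 2^(v+w) to 2^((v+w) mod n): a cyclic convolution."""
    return sum(bits[v] & bits[(q - v) % n] for v in range(n))


def squash_square_bits(x, n):
    """SquashSquare(X): bit-serial X^2 mod (2^n - 1) with an n-bit output buffer.
    The carry left after position n-1 stands for a multiple of 2^n = 1; it is
    returned separately, and adding it back at position 0 completes the reduction."""
    bits = [(x >> v) & 1 for v in range(n)]
    out, carry = 0, 0
    for q in range(n):
        carry += column_sum(bits, q, n)
        out |= (carry & 1) << q
        carry >>= 1
    return out, carry


def squash_window(x, n, j, l, s):
    """Algorithm 3.1: produce only bits j..j+l-1, running the carry chain from
    position j-s with carry = 0 instead of the unknown true carry into j-s."""
    bits = [(x >> v) & 1 for v in range(n)]
    out, carry = 0, 0
    for q in range(j - s, j + l):
        carry += column_sum(bits, q, n)
        if q >= j:
            out |= (carry & 1) << (q - j)
        carry >>= 1
    return out


def window_error(x, n, j, l, s):
    """(windowed result - true window of X^2 mod N) mod 2^l.  Observation 3.1:
    this is 0 almost always, and otherwise the windowed result is one too small."""
    true = (square_mod_mersenne(x, n) >> j) & ((1 << l) - 1)
    return (squash_window(x, n, j, l, s) - true) % (1 << l)


def error_histogram(n, j, l, s, trials, seed=1):
    """How often the safeguard fails, over constructed random inputs."""
    rng = random.Random(seed)
    big_n = (1 << n) - 1
    counts = {}
    for _ in range(trials):
        e = window_error(rng.randrange(1, big_n), n, j, l, s)
        counts[e] = counts.get(e, 0) + 1
    return counts


if __name__ == "__main__":
    n, l, s = 1277, 64, 16                 # SQUASH sizes; s = 16 is our choice
    j = n // 2 - l // 2
    x = random.Random(1).randrange(1, (1 << n) - 1)   # stands in for Mix(S, R)
    print(window_error(x, n, j, l, s))
    print(error_histogram(127, 55, 16, 8, 400))       # small n makes the failures visible
```

The histogram for the small parameters shows the two outcomes of Observation 3.1 and nothing else: the only way the ignored carry can reach the window is as a single borrow, so the chip's answer is either the true window or the true window minus one.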
Note that we need only an $n$-bit output buffer, instead of the $2n$-bit buffer which would be required by the squaring operation in $\mathbb{Z}$.

The generic proposal for SQUASH is $[\mathrm{Mix}(S,R)^2]_j^k$ for a secure mixing function $\mathrm{Mix}(S,R)$. Since only some bits of the square are used as the response, we would like to compute only the necessary bits of the response, to save the computational power of the chip.

If we knew the correct carry at position $j$, the SquashSquare algorithm could be run for the bits used in the digest only. We do not know it, but we can start the computation with carry $0$ at $s$ so-called safeguard bits before the digest window: the true incoming carry is at most about $n$, and it is halved at every position it propagates through, so the chance that ignoring it changes the window decreases exponentially in $s$. See the diagram below.

This gives us the complete SQUASH algorithm.

    S is the secret key
    R is a random challenge
    j is the lower index of the output window
    k is the upper index of the output window
    l is the length of the output window
    s is the length of the carry safeguard
    n is such that 2^n - 1 is a hard-to-factor composite number

    procedure SQUASH_S(R):                     // square in Z_{2^n - 1}
        X = Mix(S, R)
        j = n/2 - l/2
        k = j + l - 1
        carry = 0
        for q = j - s to k
            for v = 0 to n - 1
                carry = carry + x_v x_{(q - v) mod n}
            x = carry mod 2
            carry = floor(carry / 2)
            if (q >= j) output x

Algorithm 3.1

Observation 3.1: $\mathrm{SQUASH}_S(R)$ outputs $[\mathrm{Mix}(S,R)^2 \bmod N]_j^k$ with probability close to $1$, and $[\mathrm{Mix}(S,R)^2 \bmod N]_j^k - 1 \pmod{2^{k-j+1}}$ otherwise. The second case occurs exactly when the ignored carry would have propagated into the window; its probability is roughly $c / 2^s$, where $c \le n$ is the ignored carry, and thus decreases exponentially in the number $s$ of safeguard bits.

3.2.1. Security of SQUASH

The attacker sees only $[\mathrm{Mix}(S,R)^2 \bmod N]_j^k$, while $\mathrm{Mix}(S,R)^2 \bmod N$ has $n$ bits, so $n - (k - j + 1)$ of them remain hidden. If the factorization of $N$ is known, it is easy to find a square root. However, since only a few bits of the number $\mathrm{Mix}(S,R)^2 \bmod N$ are known to the attacker, they cannot perform the square-root algorithm. For a number $a = [\mathrm{Mix}(S,R)^2 \bmod N]_j^k$ there are about $2^{n-k+j-1}$ numbers $b$ such that $[b^2 \bmod N]_j^k = a$, and $b = \mathrm{Mix}(S,R)$ for only one of them. Therefore even when the factorization of $N$ is found, the security of SQUASH relies on the difficulty of guessing the correct $b$.

Note: the attacker needs at least $|S| / (k - j + 1)$ different (challenge, response) pairs to have enough information to determine the correct $S$.

SQUASH, SQUASH-128

The paper [14] contained two proposals. SQUASH is a generic method to construct a secure hash function for authentication schemes. This function uses the modulus $2^{1277} - 1$, a composite number of unknown factorization. The $\mathrm{Mix}(S,R)$ function is not specified for SQUASH.

SQUASH-128 is constructed the same way; however, its modulus is only $2^{128} - 1$, the factorization of which is easy to find using factoring algorithms such as the number field sieve (it is in fact completely known: $2^{128} - 1$ is the product of the Fermat numbers $F_0, \dots, F_6$, all of which are factored). SQUASH-128 uses for $\mathrm{Mix}(S,R)$ the nonlinear feedback shift register of the GRAIN-128 cipher.

Motivation for attacks. The Rabin encryption scheme is provably secure against a ciphertext-only attack. But the attack model for SQUASH is different. The attacker can try to deduce the secret key from multiple (challenge, response) pairs. They can wiretap not only the response but also the challenge. Usually they can also communicate with the chip and send their own challenges.

Insecure mix functions

This section explains an attack based on the algebraic properties of the squaring operation in SQUASH. The attack is prevented by a good choice of the mix function.
Let us start the analysis with simple insecure mix functions.

1. $\mathrm{Mix}_+(S,R) = S + R$

$$\mathrm{SQUASH}_+(R) = [\mathrm{Mix}_+(S,R)^2 \bmod N]_j^k = [(S + R)^2 \bmod N]_j^k$$

The secret-key recovery algorithm is based on the fact that $(S + R)^2 - S^2 = 2SR + R^2$. Therefore the attacker does not have to compute square roots; they extract information about the secret key $S$ from the difference of two responses. The following paragraphs give guidelines for implementing an easy algorithm that determines the secret key $S$, and prove its correctness. The algorithm requires that the adversary is allowed to send challenges to the chip.

The challenges sent by the adversary are $0$ and $2^i$ for $i \in [0, \dots, n-1]$. We shall recover the bits of the secret key from the differences of responses $\mathrm{SQUASH}_+(2^i) - \mathrm{SQUASH}_+(0)$.

Auxiliary theorems

Theorem 3.2: $[A]_j^k = [A \bmod 2^{k+1}]_j^k$ for every $A \in \mathbb{Z}^+$.

Theorem 3.3: $[A]_j^k = [A]_j^k \bmod 2^{k-j+1}$ for every $A \in \mathbb{Z}^+$, i.e. the window is a number with $k - j + 1$ bits.

Definition 3.4: $[A]_j^k = [A \bmod 2^{k+1}]_j^k$ for every $A \in \mathbb{Z}$ (this extends the notation to negative numbers).

Theorem 3.5: $[A + B]_j^k = ([A]_j^k + [B]_j^k + a) \bmod 2^{k-j+1}$ for every $A, B \in \mathbb{Z}_0^+$ and some $a \in \{0, 1\}$.

Proof: Denote by $a_i$ the $i$-th bit of $A$, by $b_i$ the $i$-th bit of $B$ and by $d_i$ the $i$-th bit of $A + B$. Then $d_i = a_i + b_i + c_{i-1} - 2c_i$, where $c_i \in \{0,1\}$ is the carry chosen so that $d_i \in \{0,1\}$, and $c_{-1} = 0$.
The zero bit of $[A+B]_j^k$ equals $a_j + b_j + c_{j-1} - 2c_j$. The zero bit of $[A]_j^k + [B]_j^k + a$ equals $a_j + b_j + a - 2c'_j$, where $c'_j$ is the carry of this addition.
Let us choose $a = c_{j-1}$. Then the zero bit of $[A+B]_j^k$ equals $a_j + b_j + c_{j-1} - 2c_j$ and the zero bit of $[A]_j^k + [B]_j^k + a$ equals $a_j + b_j + c_{j-1} - 2c'_j$, which forces the same carry $c'_j = c_j$ in both cases; the same argument then applies to every higher position in turn.
The number $[A+B]_j^k$ has $k - j + 1$ bits (including leading zeros), while the number $[A]_j^k + [B]_j^k + a$ can have more than $k - j + 1$ bits. Therefore we take $([A]_j^k + [B]_j^k + a) \bmod 2^{k-j+1}$ to obtain a number with $k - j + 1$ bits.

Theorem 3.6: $[A - aN]_j^k = [A + a]_j^k$ for every $A \in \mathbb{Z}_0^+$ and every $a \in \{0, 1, 2\}$, where $N = 2^n - 1$ and $k < n$.

Proof:
$$[A - aN]_j^k = [(A - aN) \bmod 2^{k+1}]_j^k = [(A - a(2^n - 1)) \bmod 2^{k+1}]_j^k = [(A - a(2^n - 1) + a 2^{n-k-1} 2^{k+1}) \bmod 2^{k+1}]_j^k$$
$$= [(A - a(2^n - 1) + a 2^n) \bmod 2^{k+1}]_j^k = [(A + a) \bmod 2^{k+1}]_j^k = [A + a]_j^k$$

Proof of correctness and explanation of the attack

Notation 3.7: $\Delta_i = \mathrm{SQUASH}_+(2^i) - \mathrm{SQUASH}_+(0)$.

The following theorem allows the attacker to recover bits of the secret key from the difference of two queries to the chip.

Theorem 3.8: For all $i \in \mathbb{Z}$ we have
$$[2^{i+1} S \bmod N]_j^k = \big(\Delta_i - [2^{2i} \bmod N]_j^k - c_i\big) \bmod 2^{k-j+1} \quad \text{for some } c_i \in \{0, 1, 2, 3\}.$$

Proof: The following computation is performed in $\mathbb{Z}_{2^{k-j+1}}$.
$$\begin{aligned}
\Delta_i &= \mathrm{SQUASH}_+(2^i) - \mathrm{SQUASH}_+(0) = [(S + 2^i)^2 \bmod N]_j^k - [S^2 \bmod N]_j^k \\
&= \big[\big((S^2 \bmod N) + (2^{i+1} S \bmod N) + (2^{2i} \bmod N)\big) \bmod N\big]_j^k - [S^2 \bmod N]_j^k \\
&= \big[(S^2 \bmod N) + (2^{i+1} S \bmod N) + (2^{2i} \bmod N) - aN\big]_j^k - [S^2 \bmod N]_j^k, \quad a \in \{0,1,2\} \\
&= [S^2 \bmod N]_j^k + \big[(2^{i+1} S \bmod N) + (2^{2i} \bmod N) - aN\big]_j^k + b - [S^2 \bmod N]_j^k, \quad b \in \{0,1\}, \text{ using (3.5)} \\
&= \big[(2^{i+1} S \bmod N) + (2^{2i} \bmod N) - aN\big]_j^k + b \\
&= [2^{i+1} S \bmod N]_j^k + \big[(2^{2i} \bmod N) - aN\big]_j^k + b + c, \quad c \in \{0,1\}, \text{ using (3.5)} \\
&= [2^{i+1} S \bmod N]_j^k + \big[(2^{2i} \bmod N) + a\big]_j^k + b + c, \quad \text{using (3.6)} \\
&= [2^{i+1} S \bmod N]_j^k + [2^{2i} \bmod N]_j^k + [a]_j^k + b + c + d, \quad d \in \{0,1\}, \text{ using (3.5)} \\
&= [2^{i+1} S \bmod N]_j^k + [2^{2i} \bmod N]_j^k + b + c + d, \quad \text{since } [a]_j^k = 0 \text{ for } a \in \{0,1,2\} \text{ and } j \ge 2 \\
&= [2^{i+1} S \bmod N]_j^k + [2^{2i} \bmod N]_j^k + c_i, \quad c_i = b + c + d \in \{0,1,2,3\}.
\end{aligned}$$

Observation 3.9: If we use Algorithm 3.1 instead of exact squaring, we have
$$[2^{i+1} S \bmod N]_j^k = \big(\Delta_i - [2^{2i} \bmod N]_j^k - c_i\big) \bmod 2^{k-j+1} \quad \text{for some } c_i \in \{-1, 0, 1, 2, 3, 4\}.$$
Proof: From Observation 3.1 it holds that $\mathrm{SQUASH}_+(2^i) - \mathrm{SQUASH}_+(0) = [(S + 2^i)^2 \bmod N]_j^k - c_1 - [S^2 \bmod N]_j^k + c_2$ with $c_1, c_2 \in \{0, 1\}$, so the carry term of (3.8) is shifted by $c_2 - c_1 \in \{-1, 0, 1\}$.
Observation 3.10: $2^{i+1}(a + 2^{n-i-1} b) \bmod N = b + 2^{i+1} a \bmod N$ for $N = 2^n - 1$, $a < 2^{n-i-1}$ and $b < 2^{i+1}$: multiplying by $2^{i+1}$ moves the high part $b$ of the number to the bottom.

The following theorem shows that the attacker can recover the bit at any position $q$, because they can choose $i$ such that $q \in [j - i - 1 \bmod n, \dots, k - i - 1 \bmod n]$.

Theorem 3.11: $2^{i+1} S \bmod N = S \lll (i+1)$ for $0 \le S < N$, where $\lll$ denotes cyclic left rotation of the $n$-bit number $S$. In particular, the $m$-th bit of $[2^{i+1} S \bmod N]_j^k$ is the bit $s_{(j + m - i - 1) \bmod n}$ of $S$.

The following theorem shows that if we discard the last few bits in (3.8), we can reduce the unknown difference to $\{0, 1\}$. Moreover, if the difference is either zero or one and the attacker knows one bit of the result, they can determine the difference.

Theorem 3.12: For all $i \in \mathbb{Z}$ and $3 \le m < k - j$ we have
$$[2^{i+1} S \bmod N]_{j+m}^k = \Big(\Big[\big(\Delta_i - [2^{2i} \bmod N]_j^k + 1\big) \bmod 2^{k-j+1}\Big]_m^{k-j} - a\Big) \bmod 2^{k-j-m+1} \quad \text{for some } a \in \{0, 1\}.$$

Proof: From (3.8), resp. (3.9), we have
$$[2^{i+1} S \bmod N]_j^k = \big(\Delta_i - [2^{2i} \bmod N]_j^k - c_i\big) \bmod 2^{k-j+1} \quad \text{for some } c_i \in \{-1, 0, 1, 2, 3, 4\}.$$
Therefore, writing $c_i' = c_i + 1 \in \{0, 1, 2, 3, 4, 5\}$,
$$[2^{i+1} S \bmod N]_j^k = \big(\Delta_i - [2^{2i} \bmod N]_j^k + 1 - c_i'\big) \bmod 2^{k-j+1},$$
and since $[A]_{j+m}^k = \big[[A]_j^k\big]_m^{k-j}$,
$$[2^{i+1} S \bmod N]_{j+m}^k = \Big[\big(\Delta_i - [2^{2i} \bmod N]_j^k + 1 - c_i'\big) \bmod 2^{k-j+1}\Big]_m^{k-j}.$$
Let $Y = \big(\Delta_i - [2^{2i} \bmod N]_j^k + 1\big) \bmod 2^{k-j+1}$. Subtracting $c_i' \le 5 < 2^3$ from $Y$ changes $[Y]_m^{k-j}$, for $m \ge 3$, by at most a borrow of one, since $[c_i']_m^{k-j} = 0$ for every $c_i' \in \{0, \dots, 5\}$ and $m \ge 3$. Hence
$$[2^{i+1} S \bmod N]_{j+m}^k = \big([Y]_m^{k-j} - a\big) \bmod 2^{k-j-m+1}, \quad a \in \{0,1\}.$$

The following theorems will be used to recover a single bit or multiple bits of the secret key.

Theorem 3.13: Denote by $\delta_m^{i,c}$ the $m$-th bit of $\big(\Delta_i - [2^{2i} \bmod N]_j^k - c\big) \bmod 2^{k-j+1}$, and let $C = \{-1, 0, 1, 2, 3, 4\}$ be the set of all possible differences. If there is $b \in \{0,1\}$ such that $\delta_m^{i,c} = b$ for all $c \in C$, then $s_{(j + m - i - 1) \bmod n} = b$.

Proof: One of the differences $c_i \in C$ is the correct one. If all of them lead to the same value of the $m$-th bit, then the correct one leads to this value as well. From Theorem (3.8), the $m$-th bit of $\big(\Delta_i - [2^{2i} \bmod N]_j^k - c_i\big) \bmod 2^{k-j+1}$ is the $m$-th bit of $[2^{i+1} S \bmod N]_j^k$. The $m$-th bit of $[2^{i+1} S \bmod N]_j^k$ is the $(m+j)$-th bit of $2^{i+1} S \bmod N$, and from (3.11) this is the $((m + j - i - 1) \bmod n)$-th bit of $S$. If the $m$-th bit of $\big(\Delta_i - [2^{2i} \bmod N]_j^k - c\big) \bmod 2^{k-j+1}$ is constant for all $c \in C$, then it equals the $m$-th bit of $[2^{i+1} S \bmod N]_j^k$.

Theorem (3.13) is used to recover a bit of the secret key only once. The value of the recovered bit is then used in the following query to determine the difference. Therefore the attacker can also avoid (3.13) altogether and try both possible values of the bit $s_q$; only one of them leads to the correct $S$.

Once the attacker has recovered a single bit $s_q$, they can recover the bits $s_{q+1}, s_{q+2}, \dots$ using (3.12) and the following theorem.

Theorem 3.14: Denote by $\delta_m^{i,c}$ the $m$-th bit of $\Big[\big(\Delta_i - [2^{2i} \bmod N]_j^k + 1\big) \bmod 2^{k-j+1}\Big]_3^{k-j} - c$, and let $C = \{0, 1\}$ be the set of all possible differences. If there is $b \in \{0,1\}$ such that $\delta_m^{i,c} = b$ for all $c \in C$, then $s_{(j + m + 3 - i - 1) \bmod n} = b$.

Proof: The proof follows the proof of (3.13), with (3.12) in place of (3.8); the $m$-th bit of the truncated number is the $(m+3)$-th bit of the full window.

Once the attacker knows the bit $s_q$, they can use this bit to determine the difference $c_{j - q + 2}$ (of another query) using the following theorems.

Theorem 3.15: $\big[[S]_{j-i}^{k-i}\big]_0^{k-j-1} = [S]_{j-i}^{k-i-1} = \big[[S]_{j-i-1}^{k-i-1}\big]_1^{k-j}$, i.e. the windows of $S$ obtained for $i$ and for $i + 1$ overlap in $k - j$ bits.

Proof: Both sides consist of the bits $s_{k-i-1}, \dots, s_{j-i}$ of $S$: $\big[[S]_{j-i}^{k-i}\big]_0^{k-j-1}$ drops the top bit $s_{k-i}$ of $[S]_{j-i}^{k-i}$, and $\big[[S]_{j-i-1}^{k-i-1}\big]_1^{k-j}$ drops the bottom bit $s_{j-i-1}$ of $[S]_{j-i-1}^{k-i-1}$.
Theorem 3.16: $\big[[S]_{j-i}^{k-i}\big]_0^{k-j-m} = [S]_{j-i}^{k-i-m} = \big[[S]_{j-i-m}^{k-i-m}\big]_m^{k-j}$, i.e. the windows obtained for $i$ and for $i + m$ overlap in $k - j - m + 1$ bits.

Proof: As in (3.15): both sides are the bits $s_{k-i-m}, \dots, s_{j-i}$ of $S$.

Theorem 3.17: Let $s_q$, the $q$-th bit of the secret key $S$, be known. Then the bits $s_{(q+1) \bmod n}, \dots, s_{(q + k - j - 3) \bmod n}$ can be recovered from $\Delta_{j - q + 2}$.

Proof: First let us find $i$ such that $j - i - 1 \equiv q - 3 \pmod n$, which holds for $i \equiv j - q + 2 \pmod n$, i.e. the known bit of the secret key is at index three in $\big(\Delta_i - [2^{2i} \bmod N]_j^k - c_i\big) \bmod 2^{k-j+1}$ for some $c_i \in \{-1, 0, 1, 2, 3, 4\}$. It means it is at index zero in $\Big[\big(\Delta_i - [2^{2i} \bmod N]_j^k + 1\big) \bmod 2^{k-j+1}\Big]_3^{k-j} - c_i$ for some $c_i \in \{0, 1\}$ (Theorem 3.12). Since the attacker knows the bit at position zero, they also know the difference $c_i$ (the two candidates $c_i = 0$ and $c_i = 1$ differ in that bit), and the remaining bits of the window can therefore be recovered using (3.12).

Theorem (3.14) can be used to recover at least one bit of the secret key if
$$\Big[\big(\Delta_i - [2^{2i} \bmod N]_j^k + 1\big) \bmod 2^{k-j+1}\Big]_3^{k-j} \ne 0 \quad \text{and} \quad \Big[\big(\Delta_i - [2^{2i} \bmod N]_j^k + 1\big) \bmod 2^{k-j+1}\Big]_3^{k-j} \ne 2^{k-j-3},$$
since for these two values the candidates for $c = 0$ and $c = 1$ (the number itself and the number minus one, i.e. $000\ldots0$ and $111\ldots1$, or $100\ldots0$ and $011\ldots1$) disagree in every bit. In the following observations we discuss the remaining cases.

Observation 3.18: If it holds for every $i$ that $\Big[\big(\Delta_i - [2^{2i} \bmod N]_j^k + 1\big) \bmod 2^{k-j+1}\Big]_m^{k-j} = 0$ for $3 \le m < k - j$, the attacker knows that $S = 000\ldots00$.

Proof: Let the attacker try $s_q = 1$. This forces the difference $c_{j - q + 2} = 1$, which leads to $s_t = 1$ for all $t \in \{q, \dots, q + k - j - 3\}$, since the window minus one is $111\ldots1$. Using (3.15), the recovered bits determine the next difference, again $c = 1$, and at the end of the algorithm we obtain $S = 111\ldots11 \equiv 000\ldots00 \pmod N$. Let the attacker try $s_q = 0$ instead; this leads to $S = 000\ldots00$ by the same technique. Both guesses thus give the same key modulo $N$.

Observation 3.19: Let $X_i = \Big[\big(\Delta_i - [2^{2i} \bmod N]_j^k + 1\big) \bmod 2^{k-j+1}\Big]_3^{k-j}$. If there is an $l$ such that $X_l = 2^{k-j-3}$, then $X_{l-1} \ne 2^{k-j-3}$ and $X_{l-1} \ne 0$.

Proof: If $X_l = 2^{k-j-3}$, then the true window $X_l - a$ is either $100\ldots0$ or $011\ldots1$, so its two top bits differ: $s_{(k-l-1) \bmod n} \ne s_{(k-l-2) \bmod n}$. The window for $l - 1$ contains these two bits as its second and third bit from the top (the windows are shifted by one position, Theorem 3.15), so its top three bits are $?10$ or $?01$. None of the four patterns $000\ldots0$, $111\ldots1$, $100\ldots0$, $011\ldots1$ starts this way, hence $X_{l-1} \ne 0$ and $X_{l-1} \ne 2^{k-j-3}$.
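Theorems 3.8, 3.11, 3.12 and 3.17 put together as a key-recovery routine against $\mathrm{SQUASH}_+$, written for this edition (it is not the program on the thesis's CD). The chip model is an assumption: it answers a challenge $R$ with the exact window of $l$ bits $[(S + R)^2 \bmod N]_j^{j+l-1}$ (so $k = j + l - 1$), and the unknown carry of (3.8) therefore lies in $\{0,1,2,3\}$; with Algorithm 3.1 the set widens as in (3.9), which is why (3.12) adds one before truncating, a step the exact chip here does not need. The attacker guesses one bit $s_0$; each query $\Delta_i$ with $i = j - q + 2$ then places the known bit $s_q$ at index 3 of the window, fixes the difference $a \in \{0,1\}$ of (3.12), and yields the next $l - 4$ bits of $S$. Each of the two candidate keys (one per guess) is checked with one fresh challenge; in the special case of (3.18) both guesses give the same key modulo $N$, and the key $111\ldots1 \equiv 0$ is reported as $0$.

```python
"""Key recovery against SQUASH with Mix_+(S, R) = S + R (Theorems 3.8, 3.11,
3.12, 3.17).  Written for this edition; the chip model and parameters are
assumptions, not the thesis's code."""
import random


def window(y, j, l):
    """[y]_j^{j+l-1}: the l bits of y from position j upwards, as an integer."""
    return (y >> j) & ((1 << l) - 1)


def rotl(x, m, n):
    """Cyclic left rotation of an n-bit value; equals 2^m x mod (2^n - 1) for x < 2^n - 1 (3.11)."""
    m %= n
    return ((x << m) | (x >> (n - m))) & ((1 << n) - 1)


class SquashPlusChip:
    """Answers a challenge R with [(S + R)^2 mod N]_j^{j+l-1}, N = 2^n - 1, exact squaring."""

    def __init__(self, secret, n, j, l):
        self.N = (1 << n) - 1
        assert 0 <= secret < self.N and 2 <= j and j + l <= n
        self.secret, self.j, self.l = secret, j, l
        self.queries = 0

    def respond(self, r):
        self.queries += 1
        return window((self.secret + r) ** 2 % self.N, self.j, self.l)


def recover_squash_plus_key(chip, n, j, l, rng=random.Random(1)):
    """Active attack with challenges 0 and 2^i; returns S modulo N."""
    N = (1 << n) - 1
    base = chip.respond(0)
    cache = {}

    def delta(i):                                    # Delta_i = SQUASH_+(2^i) - SQUASH_+(0)
        if i not in cache:
            cache[i] = (chip.respond(1 << i) - base) % (1 << l)
        return cache[i]

    for guess in (0, 1):                             # both values of the first key bit
        bits, q = [None] * n, 0
        bits[0] = guess
        while None in bits:
            i = (j + 2 - q) % n                      # S bit q sits at index 3 of this window (3.17)
            # (3.8): window of 2^{i+1} S mod N = Delta_i - [2^{2i} mod N] - c, c in {0..3}
            x = (delta(i) - window(pow(2, 2 * i, N), j, l)) % (1 << l)
            y = x >> 3                               # drop 3 bits: the error a is now 0 or 1 (3.12)
            if (y & 1) != bits[q]:                   # the known bit decides a
                y = (y - 1) % (1 << (l - 3))
            for p in range(l - 3):                   # bits q .. q+l-4 of S (3.11: rotation by i+1)
                bits[(q + p) % n] = (y >> p) & 1
            q = (q + l - 4) % n                      # last recovered bit anchors the next query
        cand = sum(b << t for t, b in enumerate(bits))
        r = rng.randrange(N)                         # one fresh challenge verifies the candidate
        if window((cand + r) ** 2 % N, j, l) == chip.respond(r):
            return cand % N
    return None


if __name__ == "__main__":
    n, l = 1277, 64                                  # SQUASH sizes; j as in the thesis
    j = n // 2 - l // 2
    secret = random.Random(5).randrange(1, (1 << n) - 1)
    chip = SquashPlusChip(secret, n, j, l)
    print(recover_squash_plus_key(chip, n, j, l) == secret, chip.queries)
```

With $n = 1277$ and $l = 64$ each query contributes $l - 4 = 60$ new key bits, so the whole $n$-bit key falls to $\lceil n / 60 \rceil = 22$ difference queries plus the baseline and one verification; a 64-bit key as used in practice is covered by the first two.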
Secret key recovery

For every $i$, let us compute $X_i = \Big[\big(\Delta_i - [2^{2i} \bmod N]_j^k + 1\big) \bmod 2^{k-j+1}\Big]_3^{k-j}$ and store it in a database. Let us find an $X_l$ in the database with $X_l \ne 0$ and $X_l \ne 2^{k-j-3}$. Using (3.14), let us recover some bits of $S$ from it. Using (3.15) and (3.12) for $l + 1 \bmod n$, $l + 2 \bmod n, \dots$ the attacker recovers all bits of $S$.

The only special case, (3.18), which does not allow any bit of the secret key to be determined with certainty, can easily be tested.

The number $X_l$ with $X_l \ne 0$ and $X_l \ne 2^{k-j-3}$ is used to recover at least one bit of the secret key. Using (3.15) and (3.12) for $l - 1$ the attacker can recover another bit of the secret key.

The algorithm to recover the secret key can be found on the enclosed CD.

The algorithm assumes an active adversary. However, sometimes only a passive adversary is allowed. This attack can be extended even to a passive adversary; however, it is no longer such an easy task to obtain bits of the secret key $S$ from $\mathrm{SQUASH}_+(R_a) - \mathrm{SQUASH}_+(R_b)$.

2. $\mathrm{Mix}_\oplus(S,R) = S \oplus R$

$$\mathrm{SQUASH}_\oplus(R) = [\mathrm{Mix}_\oplus(S,R)^2 \bmod N]_j^k = [(S \oplus R)^2 \bmod N]_j^k$$

The technique of the secret-key recovery algorithm is the same as for $\mathrm{SQUASH}_+$. However, the attacker recovers either $S$ or $S \oplus 111\ldots11$.

The challenges are $0$ and $2^i$ for $i \in [0, \dots, n-1]$. We shall recover the bits of the secret key from the differences of responses $\mathrm{SQUASH}_\oplus(2^i) - \mathrm{SQUASH}_\oplus(0)$.

The algorithm is based on two facts:
(a) It holds either $S \oplus 2^i = S + 2^i$ (if $s_i = 0$) or $S \oplus 2^i = S - 2^i$ (if $s_i = 1$).
(b) It holds $(S + R)^2 - S^2 = 2SR + R^2$.

It means that $(S \oplus 2^i)^2 - S^2 = 2^{i+1} S + 2^{2i}$ or $(S \oplus 2^i)^2 - S^2 = -2^{i+1} S + 2^{2i}$. Therefore the adversary can deduce a sequence of bits of either $S$ or $-S \bmod N = \bar S$ (for $N = 2^n - 1$ the negation of $S$ modulo $N$ is its bitwise complement) from the difference $\mathrm{SQUASH}_\oplus(2^i) - \mathrm{SQUASH}_\oplus(0)$.

The following theorems form, together with the theorems from the previous section, the proof of correctness of the key-recovery algorithm for $\mathrm{SQUASH}_\oplus$.

Notation 3.20: $\Delta_i = \mathrm{SQUASH}_\oplus(2^i) - \mathrm{SQUASH}_\oplus(0)$.

Notation 3.21: $\bar X = X \oplus 111\ldots11$.

Observation 3.22: Let $m > k$. For the numbers $[A \bmod (2^m - 1)]_j^k$ and $[-A \bmod (2^m - 1)]_j^k$ it holds $[A \bmod (2^m - 1)]_j^k \oplus [-A \bmod (2^m - 1)]_j^k = 111\ldots11$,