Finding Collisions for Round-Reduced SM3
Florian Mendel, Tomislav Nad, and Martin Schläffer
Institute for Applied Information Processing and Communications (IAIK)
Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria.
tomislav.nad@iaik.tugraz.at
Abstract. In this work, we provide the first security analysis of reduced SM3 regarding its collision resistance. SM3 is a Chinese hash function standard published by the Chinese Commercial Cryptography Administration Office for use in electronic authentication service systems and hence might be used in several cryptographic applications in China. So far only a few results have been published for the SM3 hash function. Since the design of SM3 is very similar to the MD4 family of hash functions and in particular to SHA-2, a re-evaluation of the security of SM3 regarding collision resistance is important, taking into account recent advances in the cryptanalysis of SHA-2. In this paper, we extend the methods used in the recent collision attacks on SHA-2 and show how the techniques can be effectively applied to SM3. Our results are a collision attack on the hash function for 20 out of 64 steps and a free-start collision attack for 24 steps of SM3, both with practical complexity.
Keywords: hash functions, cryptanalysis, collisions, free-start collisions
1 Introduction
A cryptographic hash function $H$ maps a message $M$ of arbitrary length to a fixed-length hash value $h$. Informally, a cryptographic hash function has to fulfill the following security requirements:
Collision resistance: it is practically infeasible to find two messages $M$ and $M^*$, with $M \neq M^*$, such that $H(M) = H(M^*)$.
Second preimage resistance: for a given message $M$, it is practically infeasible to find a second message $M^* \neq M$ such that $H(M) = H(M^*)$.
Preimage resistance: for a given hash value $h$, it is practically infeasible to find a message $M$ such that $H(M) = h$.
The resistance of a hash function to collision and (second) preimage attacks depends in the first place on the length $n$ of the hash value. Regardless of how a hash function is designed, an adversary will always be able to find preimages or second preimages after trying out about $2^n$ different messages. Finding collisions requires a much smaller number of trials: about $2^{n/2}$ due to the birthday paradox. If the internal structure of a particular hash function allows collisions or (second) preimages to be found more efficiently than what could be expected based on its hash length, then the function is considered to be broken. For a formal treatment of the security properties of cryptographic hash functions we refer to [10,11].

E. Dawson (Ed.): RSA 2013, LNCS 7779, pp. 174–188, 2013. The original publication is available at http://dx.doi.org/10.1007/978-3-642-36095-4_12. © Springer-Verlag Berlin Heidelberg 2013.
Most cryptanalytic results on hash functions focus on collision attacks. In the
last years collisions have been shown for many commonly used hash functions. In
particular, the collision attacks of Wang et al. [13,14] on MD5 and SHA-1 have
convinced many cryptographers that these widely deployed hash functions can
no longer be considered secure. As a consequence, NIST proposed the transition
from SHA-1 to the SHA-2 family and many companies and organizations are
migrating to SHA-2. Furthermore, researchers are evaluating alternative hash
functions in the SHA-3 initiative organized by NIST [9] to find a new hash
function standard.
In this work, we analyze the Chinese hash function standard SM3. SM3 was
designed by Wang et al. [1] and is published by the Chinese Commercial Cryp-
tography Administration Office for the use of electronic authentication service
systems. The amount of cryptanalytic results on SM3 is low compared to other hash function standards. Kircanski et al. [4] presented a distinguisher for the compression function of SM3 up to 35 steps with complexity $2^{117.1}$. Moreover, Zou et al. [15] presented a preimage attack on 30 steps of SM3 with complexity $2^{249}$.
The design of SM3 is very similar to the MD4 family, in particular to SHA-2. New collision attacks on SHA-2 and similar hash functions have been shown recently [2, 5–8]. The attacks have in common that they are all of practical complexity and are based on automatic search algorithms to find complex differential characteristics.
In this paper, we develop the methods by Mendel et al. for SHA-256 [7]
further and apply them on SM3. We show how the technique can be effectively
applied to SM3. Furthermore, we present a collision for 20 steps and a free-
start collision for 24 steps of SM3. These are the first collision attacks on the
step-reduced SM3 hash and compression function.
The remainder of this paper is structured as follows. A description of the hash
function is given in Section 2. In Section 3 we describe the basic attack strategy.
In Section 4 we show how we can find differential characteristics and conforming
message pairs for SM3. Finally, we present a collision and free-start-collision for
step-reduced SM3 in Section 5 and conclude in Section 6.
2 Description of SM3
SM3 is an iterated hash function that processes 512-bit input message blocks
and produces a 256-bit hash value. In the following, we briefly describe the hash
function. It basically consists of two parts: the message expansion and the state
update transformation. A detailed description of the hash function is given in [1].
2.1 Message Expansion
The message expansion of SM3 is linear over GF(2). It splits the 512-bit message block into 16 words $M_i$, $i = 0, \ldots, 15$, and expands them into 68 expanded message words $W_i$ and 64 expanded message words $W'_i$ as follows:
$$W_i = \begin{cases} M_i & 0 \le i < 16 \\ \sigma_0\bigl(W_{i-16} \oplus W_{i-9} \oplus (W_{i-3} \lll 15)\bigr) \oplus (W_{i-13} \lll 7) \oplus W_{i-6} & 16 \le i < 68 \end{cases}$$
and
$$W'_i = W_i \oplus W_{i+4}, \qquad 0 \le i < 64.$$
The function $\sigma_0(X)$ is given by
$$\sigma_0(X) = X \oplus (X \lll 15) \oplus (X \lll 23).$$
2.2 State Update Transformation
The state update transformation starts from a (fixed) initial value IV of eight 32-bit words and updates them in 64 steps. In step $i$ the 32-bit words $W_i$ and $W'_i$ are used to update the eight state variables $A_{i-1}, B_{i-1}, \ldots, H_{i-1}$:
$$\begin{aligned}
T_1 &= \bigl((A_{i-1} \lll 12) + E_{i-1} + K_i\bigr) \lll 7 \\
T_2 &= H_{i-1} + f_0(E_{i-1}, F_{i-1}, G_{i-1}) + T_1 + W_i \\
A_i &= D_{i-1} + f_1(A_{i-1}, B_{i-1}, C_{i-1}) + \bigl(T_1 \oplus (A_{i-1} \lll 12)\bigr) + W'_i \\
E_i &= \Sigma_0(T_2) \\
B_i &= A_{i-1} \\
C_i &= B_{i-1} \lll 9 \\
D_i &= C_{i-1} \\
F_i &= E_{i-1} \\
G_i &= F_{i-1} \lll 19 \\
H_i &= G_{i-1}
\end{aligned} \tag{1}$$
Here $+$ denotes addition modulo $2^{32}$, $\oplus$ bitwise XOR and $\lll$ rotation to the left. For the definition of the step constants $K_i$ we refer to [1]. The bitwise Boolean functions $f_0$ and $f_1$ differ between the steps: in the first 16 steps ($i < 16$) $f_{XOR}$ is used for both $f_0$ and $f_1$; from step 16 onward ($i \ge 16$) $f_0$ is $f_{IF}$ and $f_1$ is $f_{MAJ}$.
$$\begin{aligned}
f_{XOR}(X, Y, Z) &= X \oplus Y \oplus Z \\
f_{IF}(X, Y, Z) &= (X \wedge Y) \oplus (X \wedge Z) \oplus Z \\
f_{MAJ}(X, Y, Z) &= (X \wedge Y) \oplus (Y \wedge Z) \oplus (X \wedge Z)
\end{aligned} \tag{2}$$
The linear function $\Sigma_0$ is defined as follows:
$$\Sigma_0(X) = X \oplus (X \lll 9) \oplus (X \lll 17) \tag{3}$$
After the last step of the state update transformation, the chaining input (the initial value) is XORed word-wise to the eight state words after the last step (Davies-Meyer feed-forward). The result is the final hash value or the initial value for the next message block.
3 Basic Attack Strategy
In the following, we first give a brief overview of the attack strategy used in
the recent collision attacks on the MD4-family of hash functions [12, 14]. The
high-level strategy can be summarized as follows:
1. Find a characteristic for the hash function that holds with high probability.
2. Use message modification techniques to fulfill conditions imposed by the
characteristic. This increases the probability of the characteristic.
3. Use random trials to find values for the remaining free message bits such
that the message follows the characteristic.
The most difficult and important part of the attack is to find a good differential
characteristic. The second important part of the attack is to find conforming
inputs for the differential characteristic. For both parts we used the technique
of the recent attack on SHA-2 [7].
4 Automatic Search Tool
The collision attack on SHA-2 [7] can be summarized as follows:
1. Determine a starting point for the search which results in an attack on a
large number of steps. The resulting start characteristic should span over
few steps and only some message words should contain differences.
2. Use an automated search tool to find a differential characteristic for the
unrestricted intermediate steps including the message expansion.
3. Continue the search to find a conforming message pair. If no message pair
can be found, adjust the differential characteristic accordingly.
Due to the linearity of the message expansion, finding a good starting point is
rather simple. The most difficult and important part of the attack is to find a
good differential characteristic. Due to the increased complexity of SM3 compared to hash functions like SHA-1 and MD5, finding good differential characteristics by hand is almost impossible. Therefore, we use an automatic tool to find complex nonlinear differential characteristics. The tool is also used for solving nonlinear equations involving conditions on state words and free message bits, i.e. to find conforming message pairs. The tool is based on the approach of Mendel et al. [7] to find nonlinear differential characteristics and conforming message pairs for SHA-2.
4.1 Generalized Conditions
The tool and search algorithm is based on the concept of generalized conditions
introduced in [2]. Generalized conditions are inspired by signed-bit differences
and take all 16 possible conditions on a pair of bits into account. Table 1 lists
all these possible conditions and introduces the notation for the various cases.
178 Florian Mendel, Tomislav Nad, and Martin Schl¨affer
Table 1. Notation for possible generalized conditions on a pair of bits [2].
(X_i, X_i*)   (0,0)  (1,0)  (0,1)  (1,1)
     ?          X      X      X      X
     -          X      -      -      X
     x          -      X      X      -
     0          X      -      -      -
     u          -      X      -      -
     n          -      -      X      -
     1          -      -      -      X
     #          -      -      -      -
     3          X      X      -      -
     5          X      -      X      -
     7          X      X      X      -
     A          -      X      -      X
     B          X      X      -      X
     C          -      -      X      X
     D          X      -      X      X
     E          -      X      X      X
Using these generalized conditions and propagating them in a bitsliced man-
ner, we can construct complex differential characteristics in an efficient way. The
basic idea of the search algorithm is to randomly pick a bit from a set of bit
positions with predefined conditions, impose a more restricted condition and
compute how this new condition propagates. This is repeated until an inconsis-
tency is found or all unrestricted bits from the set are eliminated. Note that this
general approach can be used for both, finding differential characteristics and
conforming message pairs. There are three important aspects of the automated
tool: using a good starting point, using an efficient condition propagation and
using a sophisticated search strategy. We discuss each aspect in the following
sections.
4.2 Defining a Starting Point
Similar to the attack on SHA-256 [7] we construct a local collision with differences in a few steps which results in an attack on a large number of steps. Since the message expansion of SM3 is linear, finding a starting point is easier than for SHA-256.
To find a good starting point for SM3, a system of linear equations representing the message expansion is constructed. Afterwards, linear constraints are added and the system is solved. In that way several good starting points for up to 24 steps have been found. The starting points for 20 and 24 steps are given in the Appendix in Table 5 and Table 7.
Note that unlike in most hash function attacks so far, the non-linear part for 24 steps is placed at the end instead of the beginning. This has several reasons. First of all, the differential characteristic for the message expansion is sparser. Furthermore, from step 16 onward the Boolean functions IF and MAJ are used instead of XOR. This again results in a sparser characteristic. In general, the sparser a characteristic, the easier it is to find conforming message pairs.
4.3 Efficient Condition Propagation
The efficient propagation of new conditions is crucial for the performance of the
algorithm, since it is the most often needed operation in the search algorithm.
Due to the nature of the search algorithm where changes to the characteristic
(using generalized conditions) are done on bit-level, we perform the propagation
of conditions also on bit-level. At the beginning of the search every bit has at
least one of the 16 generalized conditions (see Table 1). During the search we
impose conditions on specific bits. These bits are inputs or outputs of functions.
If a bit in the output is changed then all bits which are used to determine this
output bit are updated. We call such a set of bits a bit-slice. If the changed bit
is an input of a function then all other bits of the corresponding bit-slice are
updated. The following example illustrates this process.
Example 1 (Condition Propagation). Let $f\colon (\mathbb{F}_2^{32})^3 \to \mathbb{F}_2^{32}$ be the Boolean IF function operating on 32-bit words and defined as follows:
$$f(x, y, z) = (x \wedge y) \vee (\neg x \wedge z) = o.$$
Then the output bit $o_i$ depends on the bits $\{x_i, y_i, z_i\}$, and $\{x_i, y_i, z_i, o_i\}$ forms a bit-slice. If the generalized condition $\nabla x_i$ changes, then the conditions of the set $\{\nabla x_i, \nabla y_i, \nabla z_i, \nabla o_i\}$ are updated.
In our approach the update process is done exhaustively by computing all
possible conditions of a bit-slice. This seems at first to be inefficient but we are
using two techniques to significantly speed up the process. The first one splits the
state update in smaller functions and the second one utilizes a cache. However,
the update process for a modular addition is done in a slightly different way.
The bit-slices of a modular addition contain also input carry and output carry.
Hence, the bit-slices are connected through the carry bits. If the condition for a
carry bit changes, then the connected bit-slice is updated as well. Furthermore,
the whole update process is iterative and updates bits until conditions do not
change any more.
4.4 Increasing the Propagation Performance
In the state update transformation of SM3, only two state variables are updated in each step, namely $A_i$ and $E_i$. Therefore, we can redefine the state update such that only these two variables are involved. In this case, we get the following mapping between the original and new state variables (up to the fixed rotations by 9 and 19 bits that (1) applies to $C_i$, $D_i$, $G_i$ and $H_i$):
$A_i$   $B_i$       $C_i$       $D_i$       $E_i$   $F_i$       $G_i$       $H_i$
$A_i$   $A_{i-1}$   $A_{i-2}$   $A_{i-3}$   $E_i$   $E_{i-1}$   $E_{i-2}$   $E_{i-3}$
Hence, only two state variables need to be stored. Furthermore, the complexity of propagating generalized conditions increases exponentially with the number of input bits and additions. Similar as in SHA-2, the number of input bits in the update of $A_i$, $E_i$ and $W_i$ is high. To reduce the computational complexity of the propagation, we further split the update of $W_i$, $E_i$ and $A_i$ into sub-steps. The decision where to split needs to be done carefully. If too many sub-steps are introduced, we lose too much information, resulting in worse propagation and late detection of contradictions. If too few sub-steps are introduced, the propagation is too slow. Therefore, we use the following separation of the SM3 state update, which leads to a good performance/propagation ratio:
$$\begin{aligned}
S_i &= W_{i-16} \oplus W_{i-9} \oplus (W_{i-3} \lll 15), \\
P_i &= S_i \oplus (S_i \lll 15) \oplus (S_i \lll 23), \\
W_i &= P_i \oplus (W_{i-13} \lll 7) \oplus W_{i-6}, \\
W'_i &= W_i \oplus W_{i+4}, \\
L_i &= (A_{i-1} \lll 12) + E_{i-1} + K_i, \\
F_i &= f_1(A_{i-1}, A_{i-2}, A_{i-3} \lll 9), \\
A_i &= F_i + W'_i + (A_{i-4} \lll 9) + \bigl((L_i \lll 7) \oplus (A_{i-1} \lll 12)\bigr), \\
G_i &= f_0(E_{i-1}, E_{i-2}, E_{i-3} \lll 19), \\
R_i &= (E_{i-4} \lll 19) + (L_i \lll 7) + W_i + G_i, \\
E_i &= R_i \oplus (R_i \lll 9) \oplus (R_i \lll 17).
\end{aligned}$$
Note that $L_i \lll 7$ is $T_1$ of (1), and that the $F_i$ and $G_i$ of this split are intermediate values, not the state words of the same name. By carefully analyzing the state update and message expansion we have split up the computations such that one step does not have more than 5 inputs. Using this representation of SM3 we can use a cache during the propagation efficiently. Furthermore, for those steps with only three inputs we are able to compute all possibilities beforehand, changing the propagation of these steps to a simple table lookup.
4.5 Search Strategy
To reduce the complexity of the system and eventually find a solution, random additional conditions are introduced. In other words, some variables are guessed. Even the most efficient method to propagate information may not result in a solution if we make poor guesses. We need a guessing strategy which can efficiently use the new information generated by the propagation of information introduced by previous guesses. The goal of a good guessing strategy is to discard invalid solutions and to find a valid solution as soon as possible. The guessing strategy depends in the first place on the shape of the equations and the storable information propagated. Furthermore, external knowledge of the structure of the attacked cryptographic system can help to improve the guessing strategy.
Our guessing strategy is similar to the one used by Mendel et al. in the attack on SHA-256 reduced to 32 steps [7]. However, there are some small but important modifications. In our approach for SM3 we further refine the search strategy by considering specific output words for guessing. As in the attack of [7], our search strategy consists of several stages and each stage can basically be divided into three parts: decision, deduction and backtracking. Note that the same separation is done in many other fields, like SAT solvers [3]. In the decision part, we decide which bit is chosen and which constraints are imposed at its position. In the deduction part we compute the propagation of the new information and check for consistency. In the case of an inconsistency we need to backtrack and undo previous decisions, which is the third and last part.
Let $U$ be a set of generalized conditions. Repeat the following until $U$ is empty:
Decision
1. Pick according to some heuristic (or randomly) a bit in $U$.
2. Impose new constraints on this bit according to Table 2.
Deduction
3. Propagate the information to the other variables and equations as described in Section 4.3.
4. If an inconsistency is detected start backtracking, else continue with step 1.
Backtracking
5. Try the second choice for the decision bit.
6. If this still results in an inconsistency mark this bit as critical.
7. Jump back until the critical bit can be resolved.
8. Continue with step 1.
Note that in each stage different bits are chosen (guessed). In total we have
two stages which can be summarized as follows.
Stage 1: In the first stage we search for a consistent differential characteristic in the state words. Therefore, we add all unconstrained bits of $A_i$ and $E_i$ that are '?' or 'x' to the set $U$. Furthermore, we add the bits of $L_i$ to $U$ as well. Experience has shown that guessing the output of modular additions first provides a significant speed-up. Due to the additional freedom added by the carry bits, the propagation of conditions is slow towards the output of modular additions if these bits are not included in $U$.
Stage 2: In the second stage we search for conforming inputs. Therefore, we pick decision bits with many two-bit conditions, since this ensures that bits which influence a lot of other bits are guessed first. Furthermore, many other bits propagate by defining the value of a single bit. Hence, this way inconsistent characteristics are discarded earlier and valid solutions are found faster. The concept of two-bit conditions was introduced in [7].
Note that we dynamically switch between the two stages. Additionally, we restart the search from scratch after a certain amount of inconsistencies to terminate branches which appear to be stuck because they explore a search space far from a solution.
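The following Python program is an added example and not code from the paper or from the authors' tool. It encodes the 16 generalized conditions of Table 1 as sets of allowed $(x_i, x_i^*)$ pairs, performs the exhaustive bit-slice update of Section 4.3 (Example 1) for one output bit of $f_{IF}$, $f_{MAJ}$ or $f_{XOR}$, and runs the decision/deduction/backtracking loop of Section 4.5 with the decision rules of Table 2 on that single bit-slice. The function names, the bitmask encoding of Table 1 and the rule of splitting a hex-digit condition into its single pairs where Table 2 gives no rule are my own choices; modular additions and their carry bit-slices are not covered.

```python
# Added example (not from the paper): generalized conditions of Table 1, exhaustive
# bit-slice propagation of Section 4.3 and the decision/deduction/backtracking loop
# of Section 4.5, on a single bit-slice of a Boolean step function.
# Function names and the mask encoding are this example's own conventions.
from itertools import product

# Table 1 as bitmasks: bit k of the mask allows the pair PAIRS[k] for (x_i, x_i*).
# The hex-digit symbols of Table 1 are literally their own masks.
PAIRS = ((0, 0), (1, 0), (0, 1), (1, 1))
MASKS = {"#": 0, "0": 1, "u": 2, "3": 3, "n": 4, "5": 5, "x": 6, "7": 7,
         "1": 8, "-": 9, "A": 10, "B": 11, "C": 12, "D": 13, "E": 14, "?": 15}
COND = {sym: frozenset(p for k, p in enumerate(PAIRS) if m >> k & 1)
        for sym, m in MASKS.items()}
SYMBOL = {pairs: sym for sym, pairs in COND.items()}

def f_xor(x, y, z): return x ^ y ^ z
def f_if(x, y, z):  return (x & y) ^ (x & z) ^ z        # == (x & y) | (~x & z)
def f_maj(x, y, z): return (x & y) ^ (y & z) ^ (x & z)

def propagate_bitslice(f, conds):
    """Exhaustive update of one bit-slice {x_i, y_i, z_i, o_i} with o = f(x, y, z).

    `conds` is a 4-symbol string (conditions on x, y, z, o).  Every pair assignment
    allowed by the current conditions is enumerated, the assignments where
    o = f(x, y, z) holds in both messages are kept, and each bit's new condition is
    the projection of the survivors.  No survivor at all yields '#' everywhere."""
    allowed = [COND[c] for c in conds]
    survivors = [set() for _ in conds]
    for x, y, z in product(*allowed[:3]):
        o = (f(x[0], y[0], z[0]), f(x[1], y[1], z[1]))
        if o in allowed[3]:
            for s, v in zip(survivors, (x, y, z, o)):
                s.add(v)
    return "".join(SYMBOL[frozenset(s)] for s in survivors)

# Table 2: (choice 1, choice 2) for a decision bit, indexed by the value r.
DECIDE = {"?": (("-", "x"), ("-", "x")),
          "x": (("u", "n"), ("n", "u")),
          "-": (("0", "1"), ("1", "0"))}

def choices(sym, r):
    """Refinements to try for a condition that is not yet a single pair."""
    if sym in DECIDE:
        return DECIDE[sym][r]
    # Conditions outside Table 2 (e.g. '3', 'A') are split into their single pairs.
    return tuple(SYMBOL[frozenset({p})] for p in sorted(COND[sym]))

def solve_bitslice(f, conds, r=0):
    """Decision / deduction / backtracking (Section 4.5) on one bit-slice.
    Returns a fully determined slice (symbols from '0', 'u', 'n', '1') or None."""
    conds = propagate_bitslice(f, conds)               # deduction
    if "#" in conds:
        return None                                    # inconsistency: backtrack
    for pos, sym in enumerate(conds):
        if len(COND[sym]) > 1:                         # decision: first open bit
            for choice in choices(sym, r):
                found = solve_bitslice(f, conds[:pos] + choice + conds[pos + 1:], r)
                if found is not None:
                    return found
            return None                                # both choices failed
    return conds

if __name__ == "__main__":
    print(propagate_bitslice(f_if, "u01?"))    # IF inverts the sign: u01n
    print(propagate_bitslice(f_maj, "x10-"))   # MAJ passes the difference: ####
    print(propagate_bitslice(f_if, "x---"))    # consistent, but nothing learned per bit
    print(solve_bitslice(f_if, "x??-", 0))     # one conforming assignment: u000
```

propagate_bitslice(f_if, 'u01?') returns 'u01n' (IF inverts the sign of the difference when $y_i = 0$ and $z_i = 1$), propagate_bitslice(f_maj, 'x10-') returns '####' (MAJ passes a difference in $x$ through when $y \neq z$, contradicting the '-' on the output), and propagate_bitslice(f_if, 'x---') comes back unchanged although it actually forces $y_i = z_i$: that relation is a two-bit condition, which single-bit generalized conditions cannot express and which is why Stage 2 tracks two-bit conditions separately. solve_bitslice(f_if, 'x??-', 0) returns 'u000'.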
Table 2. Decision rules of our guessing strategy with $r \in \{0,1\}$ a random value.
Decision bit   r     Choice 1   Choice 2
?              1,0   -          x
x              0     u          n
x              1     n          u
-              0     0          1
-              1     1          0

5 Results for Reduced SM3
To find collisions for reduced SM3 we apply the techniques described in Section 4. We first construct a differential characteristic with low Hamming weight in the message expansion, which serves as the starting point for the automatic search algorithm. Next, the search algorithm is applied. Running on a cluster with 72 nodes, the algorithm finds a differential characteristic in less than 1 hour. Afterwards, we continue the search for a conforming message pair, which can be found in several seconds.
5.1 Collision Attack
Using the starting point given in Table 5 and our automatic search algorithm described in Section 4, we are able to construct collisions for up to 20 steps of SM3. The differential characteristic is given in Table 6. In Table 3 we present a colliding message pair. Note that we have used an additional first message block $m_0$ to generate several different initial values $h_1$ for the second message block. These degrees of freedom were needed for the attack to work; otherwise we could not find a conforming message pair.
Table 3. Collision for 20 steps of SM3.
h0   7380166f 4914b2b9 172442d7 da8a0600 a96f30bc 163138aa e38dee4d b0fb0e4e
m0   03c98f41 a8bda164 709a299c d76610eb 26b351ac 53547024 8efdff59 7e818400
     4188b7f1 954faf0e a32f9984 6e5d8975 dc3b528a 973480e4 f6be9d9b cf07f13e
h1   5e801aac 4b8c7a46 c8f34646 3b2420c1 97e775ae e3a6c399 83a05d40 6a257995
m1   559654cd 8d4f9e94 8ca64e4a b85d989c 8c185880 b51caad1 03eca739 be66a265
     ca21ab71 9c341028 2c043967 d4617038 bf6744ca d8772f12 a58e12c0 35f4f9f2
m1*  559654cd 8d1f9e84 8ca64e5a b85d989c 8c185880 950cbad1 03eca739 be66a265
     ca71ab61 9c341028 2c043967 d4617038 bf6744ca d8772f12 a58e12c0 35f4f9f2
Δm1  00000000 00500010 00000010 00000000 00000000 20101000 00000000 00000000
     00500010 00000000 00000000 00000000 00000000 00000000 00000000 00000000
h2   b2033829 677c16d2 a6de9db9 fd898668 a9119d20 476364d6 a0838adc 08d3833d
5.2 Free-Start Collision
Using the starting point given in Table 7 and our automatic search algorithm described in Section 4, we are able to construct free-start collisions for up to 24 steps of SM3. The differential characteristic is given in Table 8. In Table 4 we present a colliding message pair and IV pair resulting in a collision after 24 steps. Again this attack has practical complexity. The main difference to the previous attack is that we had to place the non-linear part at the end to obtain sparse characteristics.
Table 4. Free-start collision for 24 steps of SM3.
h0   898991b0 8de47668 6e54847c 9167ff5e 3c7d51fe e2101301 6c53d522 7b3809df
h0*  898991b0 8da47668 ee54847c 1127ff5e 3c7d51fe e2100301 ec53d522 fb3819df
Δh0  00000000 00400000 80000000 80400000 00000000 00001000 80000000 80001000
m    07595c54 e01e0245 facd449a 07ca096d 510445e8 4e1d0dff 97f2a3c0 79f02f14
     2ebfac50 48cdde2d e88f68e1 2b5032d1 3aa9a79f 656d1380 693417c1 ce82a62a
m*   07595c54 e01e0245 7acd449a 07ca096d 510445e8 4e1d0dff 97f2a3c0 79f02f14
     2ebfac50 48cdde2d e88f68e1 2b5032d1 3aa9a79f 656d1380 693417c1 ce82a62a
Δm   00000000 00000000 80000000 00000000 00000000 00000000 00000000 00000000
     00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
h1   a83d45dc 9eda869d 48baa718 78ccd026 25696682 d0be9f4a e70babf3 f4852e70
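As an added example that is not the paper's code, the following Python implements SM3 from the description in Section 2 with a `steps` parameter, checks the full hash against the "abc" test vector of the SM3 specification, and recomputes the results of this section: the 20-step collision of Table 3 (same chaining value $h_1$, blocks $m_1$ and $m_1^*$, output $h_2$) and the 24-step free-start collision of Table 4. Because the message expansion is linear over GF(2) (Section 4.2), comparing the expansions of $m_1$ and $m_1^*$ also shows where the Table 5 starting point places its differences. The constant and helper names and the reading of "20 steps" as steps $0, \ldots, 19$ (the rows of Table 5) are mine; the hex values are transcribed from Tables 3 and 4.

```python
# Added example (not the paper's code): SM3 as specified in Section 2, with a
# `steps` parameter for the step-reduced variants, checked against the "abc"
# test vector of the SM3 specification and against Tables 3 and 4 of the paper.
# Names of constants and helpers are this example's own; table values are transcribed.
import struct

MASK = 0xFFFFFFFF
IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
      0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)   # h0 of Table 3

def rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK

def sigma0(x):   # sigma_0 of Section 2.1 (P_1 in the specification)
    return x ^ rotl(x, 15) ^ rotl(x, 23)

def Sigma0(x):   # Sigma_0 of Section 2.2 (P_0 in the specification)
    return x ^ rotl(x, 9) ^ rotl(x, 17)

def expand(M):
    """Message expansion (Section 2.1): 16 words -> W_0..W_67 and W'_0..W'_63."""
    W = list(M)
    for i in range(16, 68):
        W.append(sigma0(W[i - 16] ^ W[i - 9] ^ rotl(W[i - 3], 15))
                 ^ rotl(W[i - 13], 7) ^ W[i - 6])
    return W, [W[i] ^ W[i + 4] for i in range(64)]

def f_xor(x, y, z): return x ^ y ^ z
def f_if(x, y, z):  return (x & y) ^ (x & z) ^ z        # == (x & y) | (~x & z)
def f_maj(x, y, z): return (x & y) ^ (y & z) ^ (x & z)

def compress(h, M, steps=64):
    """State update (Section 2.2) for `steps` steps, then the feed-forward XOR."""
    W, Wp = expand(M)
    A, B, C, D, E, F, G, H = h
    for i in range(steps):
        if i < 16:
            K, f0, f1 = 0x79CC4519, f_xor, f_xor
        else:
            K, f0, f1 = 0x7A879D8A, f_if, f_maj
        T1 = rotl((rotl(A, 12) + E + rotl(K, i)) & MASK, 7)   # K_i of the paper = K <<< i
        T2 = (H + f0(E, F, G) + T1 + W[i]) & MASK
        A, B, C, D, E, F, G, H = (
            (D + f1(A, B, C) + (T1 ^ rotl(A, 12)) + Wp[i]) & MASK,
            A, rotl(B, 9), C, Sigma0(T2), E, rotl(F, 19), G)
    return tuple(x ^ y for x, y in zip(h, (A, B, C, D, E, F, G, H)))

def sm3(msg, steps=64):
    """Full (or step-reduced) hash with the standard padding and big-endian words."""
    padded = (msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
              + struct.pack(">Q", 8 * len(msg)))
    h = IV
    for off in range(0, len(padded), 64):
        h = compress(h, struct.unpack(">16I", padded[off:off + 64]), steps)
    return struct.pack(">8I", *h)

def words(s):
    return tuple(int(w, 16) for w in s.split())

# Values transcribed from Table 3 (20 steps) and Table 4 (24 steps, free-start).
T3_H1 = words("5e801aac 4b8c7a46 c8f34646 3b2420c1 97e775ae e3a6c399 83a05d40 6a257995")
T3_M1 = words("559654cd 8d4f9e94 8ca64e4a b85d989c 8c185880 b51caad1 03eca739 be66a265 "
              "ca21ab71 9c341028 2c043967 d4617038 bf6744ca d8772f12 a58e12c0 35f4f9f2")
T3_M1S = words("559654cd 8d1f9e84 8ca64e5a b85d989c 8c185880 950cbad1 03eca739 be66a265 "
               "ca71ab61 9c341028 2c043967 d4617038 bf6744ca d8772f12 a58e12c0 35f4f9f2")
T3_H2 = words("b2033829 677c16d2 a6de9db9 fd898668 a9119d20 476364d6 a0838adc 08d3833d")
T4_H0 = words("898991b0 8de47668 6e54847c 9167ff5e 3c7d51fe e2101301 6c53d522 7b3809df")
T4_H0S = words("898991b0 8da47668 ee54847c 1127ff5e 3c7d51fe e2100301 ec53d522 fb3819df")
T4_M = words("07595c54 e01e0245 facd449a 07ca096d 510445e8 4e1d0dff 97f2a3c0 79f02f14 "
             "2ebfac50 48cdde2d e88f68e1 2b5032d1 3aa9a79f 656d1380 693417c1 ce82a62a")
T4_MS = words("07595c54 e01e0245 7acd449a 07ca096d 510445e8 4e1d0dff 97f2a3c0 79f02f14 "
              "2ebfac50 48cdde2d e88f68e1 2b5032d1 3aa9a79f 656d1380 693417c1 ce82a62a")
T4_H1 = words("a83d45dc 9eda869d 48baa718 78ccd026 25696682 d0be9f4a e70babf3 f4852e70")

def check_table3():
    """Collision: one chaining value h1, two blocks m1 != m1*, equal 20-step output h2."""
    return compress(T3_H1, T3_M1, 20) == compress(T3_H1, T3_M1S, 20) == T3_H2

def check_table4():
    """Free-start collision: chaining values differ as well; 24-step outputs coincide."""
    return compress(T4_H0, T4_M, 24) == compress(T4_H0S, T4_MS, 24) == T4_H1

def difference_steps(M, Ms, steps):
    """Steps i < steps with a difference in W_i or W'_i for the block pair (M, M*).
    The expansion is linear over GF(2), so this is the pattern Section 4.2 solves for."""
    (W, Wp), (Ws, Wps) = expand(M), expand(Ms)
    return [i for i in range(steps) if W[i] != Ws[i] or Wp[i] != Wps[i]]

if __name__ == "__main__":
    print(sm3(b"abc").hex())                                   # specification test vector
    print("Table 3 (20 steps):", check_table3())
    print("Table 4 (24 steps):", check_table4())
    print("difference steps, Table 3 pair:", difference_steps(T3_M1, T3_M1S, 64)[:6])
```

Running the block prints the specification digest for "abc", `True` for both tables, and the difference steps `[1, 2, 4, 5, 8, 20]` for the Table 3 pair: the local collision occupies steps 1 to 8 (differences in $W_1, W_2, W_5, W_8$ and, through $W'_i = W_i \oplus W_{i+4}$, in $W'_1, W'_2, W'_4, W'_5, W'_8$), the expanded words stay difference-free through step 19, and the first expanded difference reappears in $W'_{20} = W_{20} \oplus W_{24}$, which matches the 20 steps the attack covers.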
6 Conclusions
Since the collision attacks of Wang et al. [13, 14] on MD5 and SHA-1, many cryptographers are convinced that these widely deployed hash functions can no longer be considered secure. As a consequence, NIST proposed the transition from SHA-1 to the SHA-2 family and many companies and organizations are migrating to SHA-2. Furthermore, researchers are evaluating alternative hash functions in the SHA-3 initiative. In this work, we analyze the Chinese hash function standard SM3. SM3 was designed by Wang et al. [1] and is published by the Chinese Commercial Cryptography Administration Office for use in electronic authentication service systems. The amount of cryptanalytic results on SM3 is low compared to other hash function standards.
The design of SM3 is very similar to the MD4 family, in particular to SHA-256. Since new collision attacks on SHA-256 and similar hash functions have been shown recently, a re-evaluation of the security of similar hash functions such as SM3 seems to be necessary. The attacks are based on the concept of generalized conditions and an automatic search algorithm. Recently, Mendel et al. improved and extended the technique such that it can be applied to more complex ARX-based hash functions. In this paper we develop the methods by Mendel et al. for SHA-256 [7] further and apply them to SM3. We show how the technique can be effectively applied to SM3. Furthermore, we present a collision for 20 steps and a free-start collision for 24 steps of SM3. These are the first collision attacks on step-reduced SM3 and both attacks have practical complexity.
Acknowledgments. Part of this work was done while Florian Mendel was with KU Leuven. The work has been supported in part by the Austrian Science Fund (FWF), project P21936-N23 and by the European Commission under contract ICT-2007-216646 (ECRYPT II).
References
1. Specification of SM3 cryptographic hash function (In Chinese). http://www.
oscca.gov.cn/UpFile/20101222141857786.pdf.
2. C. De Cannière and C. Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In X. Lai and K. Chen, editors, ASIACRYPT, volume 4284 of LNCS, pages 1–20. Springer, 2006.
3. J. Gu, P. W. Purdom, J. Franco, and B. W. Wah. Algorithms for the Satisfi-
ability (SAT) Problem: A Survey. In DIMACS Series in Discrete Mathematics
and Theoretical Computer Science, pages 19–152. American Mathematical Society,
1996.
4. A. Kircanski, Y. Shen, G. Wang, and A. Youssef. Boomerang and Slide-Rotational
Analysis of the SM3 Hash Function. In L. R. Knudsen and H. Wu, editors, Selected
Areas in Cryptography, LNCS. Springer, 2012. to appear.
5. F. Mendel, T. Nad, S. Scherz, and M. Schläffer. Differential Attacks on Reduced RIPEMD-160. In D. Gollmann and F. C. Freiling, editors, ISC, volume 7483 of LNCS, pages 23–38. Springer, 2012.
6. F. Mendel, T. Nad, and M. Schläffer. Cryptanalysis of Round-Reduced HAS-160. In H. Kim, editor, ICISC, volume 7259 of LNCS, pages 33–47. Springer, 2011.
7. F. Mendel, T. Nad, and M. Schläffer. Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions. In D. H. Lee and X. Wang, editors, ASIACRYPT, volume 7073 of LNCS, pages 288–307. Springer, 2011.
8. F. Mendel, T. Nad, and M. Schläffer. Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128. In A. Canteaut, editor, FSE, volume 7549 of LNCS, pages 226–243. Springer, 2012.
9. National Institute of Standards and Technology. Announcing Request for Candi-
date Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3)
Family. Federal Register, 27(212):62212–62220, November 2007. Available online:
http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf.
10. P. Rogaway and T. Shrimpton. Cryptographic Hash-Function Basics: Definitions,
Implications, and Separations for Preimage Resistance, Second-Preimage Resis-
tance, and Collision Resistance. In B. K. Roy and W. Meier, editors, FSE, volume
3017 of LNCS, pages 371–388. Springer, 2004.
11. D. R. Stinson. Some Observations on the Theory of Cryptographic Hash Functions.
Des. Codes Cryptography, 38(2):259–277, 2006.
12. X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu. Cryptanalysis of the Hash Functions
MD4 and RIPEMD. In R. Cramer, editor, EUROCRYPT, volume 3494 of LNCS,
pages 1–18. Springer, 2005.
13. X. Wang, Y. L. Yin, and H. Yu. Finding Collisions in the Full SHA-1. In V. Shoup,
editor, CRYPTO, volume 3621 of LNCS, pages 17–36. Springer, 2005.
14. X. Wang and H. Yu. How to Break MD5 and Other Hash Functions. In R. Cramer,
editor, EUROCRYPT, volume 3494 of LNCS, pages 19–35. Springer, 2005.
15. J. Zou, W. Wu, S. Wu, B. Su, and L. Dong. Preimage Attacks on Step-Reduced
SM3 Hash Function. In H. Kim, editor, ICISC, volume 7259 of LNCS, pages
375–390. Springer, 2011.
Table 5. Starting point for a collision for 20 steps of SM3.
 i A_i                              E_i                              W_i                              W'_i
-4 -------------------------------- --------------------------------
-3 -------------------------------- --------------------------------
-2 -------------------------------- --------------------------------
-1 -------------------------------- --------------------------------
 0 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 1 ???????????????????????????????? ???????????????????????????????? ---------x-x---------------x---- --x------x---------x-------x----
 2 ???????????????????????????????? ???????????????????????????????? ---------------------------x---- ---------------------------x----
 3 ???????????????????????????????? ???????????????????????????????? -------------------------------- --------------------------------
 4 ???????????????????????????????? ???????????????????????????????? -------------------------------- ---------x-x---------------x----
 5 -------------------------------- -------------------------------- --x--------x-------x------------ --x--------x-------x------------
 6 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 7 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 8 -------------------------------- -------------------------------- ---------x-x---------------x---- ---------x-x---------------x----
 9 -------------------------------- -------------------------------- -------------------------------- --------------------------------
10 -------------------------------- -------------------------------- -------------------------------- --------------------------------
11 -------------------------------- -------------------------------- -------------------------------- --------------------------------
12 -------------------------------- -------------------------------- -------------------------------- --------------------------------
13 -------------------------------- -------------------------------- -------------------------------- --------------------------------
14 -------------------------------- -------------------------------- -------------------------------- --------------------------------
15 -------------------------------- -------------------------------- -------------------------------- --------------------------------
16 -------------------------------- -------------------------------- -------------------------------- --------------------------------
17 -------------------------------- -------------------------------- -------------------------------- --------------------------------
18 -------------------------------- -------------------------------- -------------------------------- --------------------------------
19 -------------------------------- -------------------------------- -------------------------------- --------------------------------
Table 6. Differential characteristic for a collision for 20 steps of SM3.
 i A_i                              E_i                              W_i                              W'_i
-4 -------------------------------- --------------------------------
-3 -------------------------------- --------------------------------
-2 -------------------------------- --------------------------------
-1 -------------------------------- --------------------------------
0-------1------------------------ -------------------------------- -------------------------------- --------------------------------
1xxx-----xx----------xxxxxxxx--1- x-x----xxxxx------x-10xxx-xx--xx --0------x-x-------1-------x---- --x------x-1-------x-------x----
2-xx-x---xx-xx--xxx--x--------xxx ---x0xxxx----xx-x-xxx-x--x----xx ---------------------------x---- ---------------------------x----
3x-x-x--------xxxxxxxx-------x-x- xx-x--x1x-xxx-x-----------xxx--- -------------------------------- --------------------------------
4xxxxx--------------xx--------xxx xxxxxxxxxxxxxxx-------------x-xx ---------0-1---------------0---- ---------x-x---------------x----
5-------------------------------- -------------------------------- --x------0-x-------x-------1---- --x--------x-------x------------
6-------------------------------- -------------------------------- ---------------------------0---- --------------------------------
7-------------------------------- -------------------------------- -------------------------------- --------------------------------
8-------------------------------- -------------------------------- ---------x-x---------------x---- ---------x-x---------------x----
9-------------------------------- -------------------------------- --0--------1-------1------------ --------------------------------
10 -------------------------------- -------------------------------- -------------------------------- --------------------------------
11 -------------------------------- -------------------------------- -------------------------------- --------------------------------
12 -------------------------------- -------------------------------- ---------1-0---------------0---- --------------------------------
13 -------------------------------- -------------------------------- -------------------------------- --------------------------------
14 -------------------------------- -------------------------------- -------------------------------- --------------------------------
15 -------------------------------- -------------------------------- -------------------------------- --------------------------------
16 -------------------------------- -------------------------------- -------------------------------- --------------------------------
17 -------------------------------- -------------------------------- -------------------------------- --------------------------------
18 -------------------------------- -------------------------------- -------------------------------- --------------------------------
19 -------------------------------- -------------------------------- -------------------------------- --------------------------------
Finding Collisions for Round-Reduced SM3 187
Table 7. Starting point for a free-start collision for 24 steps of SM3.
 i A_i                              E_i                              W_i                              W'_i
-4 ---------x--------x------------- ------x------------x------------
-3 ---------x---------------------- -------------------x------------
-2 ---------x---------------------- -------------------x------------
-1 -------------------------------- --------------------------------
 0 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 1 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 2 -------------------------------- -------------------------------- x------------------------------- x-------------------------------
 3 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 4 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 5 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 6 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 7 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 8 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 9 -------------------------------- -------------------------------- -------------------------------- --------------------------------
10 -------------------------------- -------------------------------- -------------------------------- --------------------------------
11 -------------------------------- -------------------------------- -------------------------------- --------------------------------
12 -------------------------------- -------------------------------- -------------------------------- --------------------------------
13 -------------------------------- -------------------------------- -------------------------------- --------------------------------
14 x--------x-------x-------------- -------------------------------- -------------------------------- x--------x-------x--------------
15 ???????????????????????????????? ???????????????????????????????? -------------------------------- --------------------------------
16 ???????????????????????????????? ???????????????????????????????? -------------------------------- --------------------------------
17 ???????????????????????????????? ???????????????????????????????? -------------------------------- ---x-------------x-x------------
18 ???????????????????????????????? ???????????????????????????????? x--------x-------x-------------- x--------x-------x--------------
19 ???????????????????????????????? ???????????????????????????????? -------------------------------- --------------------------------
20 ---------x--------x------------- ------x------------x------------ -------------------------------- x-x-xx---x-x-x---x-xxx-------x--
21 ---------x---------------------- -------------------x------------ ---x-------------x-x------------ ---x-------------x-x------------
22 ---------x---------------------- -------------------x------------ -------------------------------- --------------------------------
23 -------------------------------- -------------------------------- -------------------------------- x-x---------------xx------------
Table 8. Differential characteristic for a free-start collision for 24 steps of SM3.
 i A_i                              E_i                              W_i                              W'_i
-4 ---------x--------x------------- ------x------------x------------
-3 ---------x---------------------- -------------------x------------
-2 ---------x---------------------- -------------------x------------
-1 -------------------------------- --------------------------------
 0 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 1 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 2 -------------------------------- -------------------------------- x------------------------------- x-------------------------------
 3 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 4 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 5 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 6 -------------------------------- -------------------------------- 1------------------------------- --------------------------------
 7 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 8 -------------------------------- -------------------------------- -------------------------------- --------------------------------
 9 -------------------------------- -------------------------------- -------------------------------- --------------------------------
10 -------------------------------- -------------------------------- -------------------------------- --------------------------------
11 -------------------------------- -------------------------------- -------------------------------- --------------------------------
12 -------------------------------- -------------------------------- -------------------------------- --------------------------------
13 -------------------------------- -------------------------------- -------------------------------- --------------------------------
14 x--------x-------x-------------- -------------------------------- 0--------0-------0-------------- x--------x-------x--------------
15 x----x--xx-xx-xxx-xx--x-------x- ----xx-------x-------xx-----x-x- -------------------------------- --------------------------------
16 -xx-x--x-x---x---x---x-x--xx---- ----x--x--x-x------x--1x-------- -------------------------------- --------------------------------
17 x--x----------x----xx-----x----x ---------x-x------x-x-x0------x- ---0-------------0-1------------ ---x-------------x-x------------
18 xx----------------xx-x---------- ----x------x-------xxx----xx--xx x--------x-------x-------------- x--------x-------x--------------
19 xxxxxxx--xxx------x--x----x-x-x- -------xxx---------x-00-------xx -------------------------------- --------------------------------
20 ---------x--------x------------- ------x------------x----------11 -------------------------------- x-x-xx---x-x-x---x-xxx-------x--
21 ---------x---------------------- -------------------x--0--------- ---x-------------x-x------------ ---x-------------x-x------------
22 ---------x---------------------- -------------------x------------ 1--------1-------0-------------- --------------------------------
23 -------------------------------- -------------------------------- -------------------------------- x-x---------------xx------------
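The message-word columns of Tables 6 and 8 can be checked mechanically. The SM3 message expansion W_j = P1(W_{j-16} ⊕ W_{j-9} ⊕ (W_{j-3} ⋘ 15)) ⊕ (W_{j-13} ⋘ 7) ⊕ W_{j-6}, with P1(X) = X ⊕ (X ⋘ 15) ⊕ (X ⋘ 23), and the rule W'_j = W_j ⊕ W_{j+4} are XOR-linear, so the 'x' positions of every W_j with j ≥ 16 and of every W'_j are fixed by the 'x' positions of W_0, ..., W_15. The Python script below is an added example and not code from the paper or its authors: it copies the W_i and W'_i rows of Tables 6 and 8 that carry a difference (rows without an 'x' contribute nothing and are left out), derives the implied XOR differences, and verifies that they agree with the expansion. It also checks whether a concrete pair of 32-bit words conforms to one row of generalized conditions ('-' equal bits, 'x' differing bits, '0'/'1' equal bits fixed to that value, '?' unconstrained). The function names diff_mask, conforms, expand_diff and check_characteristic are the example's own.

```python
"""Linear consistency check for the W_i / W'_i columns of an SM3
differential characteristic in generalized conditions.
Leftmost character of a row = bit 31.

Added example, not code from the paper. The row strings are copied from
Table 6 (20-step collision) and Table 8 (24-step free-start collision);
rows without an 'x' carry no difference and are omitted.
"""

MASK = 0xFFFFFFFF


def rotl(x, n):
    """32-bit left rotation."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def p1(x):
    """SM3 permutation P1 used in the message expansion."""
    return x ^ rotl(x, 15) ^ rotl(x, 23)


def diff_mask(cond):
    """XOR difference implied by a 32-character condition string."""
    if len(cond) != 32:
        raise ValueError("a condition string has exactly 32 characters")
    mask = 0
    for pos, c in enumerate(cond):
        if c == "x":
            mask |= 1 << (31 - pos)
        elif c == "?":
            raise ValueError("'?' leaves the difference undetermined")
        elif c not in "-01":
            raise ValueError(f"unknown condition {c!r}")
    return mask


def conforms(cond, a, b):
    """True if the 32-bit word pair (a, b) satisfies every condition."""
    for pos, c in enumerate(cond):
        x, y = (a >> (31 - pos)) & 1, (b >> (31 - pos)) & 1
        if (c == "-" and x != y) or (c == "x" and x == y):
            return False
        if (c == "0" and (x | y)) or (c == "1" and not (x & y)):
            return False
    return True


def expand_diff(w_diff, n):
    """XOR differences of W_0..W_{n-1} from those of W_0..W_15 (keys >= 16
    are ignored). The expansion is XOR-linear, so differences propagate
    through it exactly as the words do."""
    d = [w_diff.get(j, 0) for j in range(16)]
    for j in range(16, n):
        d.append(p1(d[j - 16] ^ d[j - 9] ^ rotl(d[j - 3], 15))
                 ^ rotl(d[j - 13], 7) ^ d[j - 6])
    return d


def check_characteristic(w_rows, wp_rows, steps):
    """Rows whose differences contradict the expansion (W_j, j >= 16) or
    the rule W'_j = W_j ^ W_{j+4}; an empty list means consistent."""
    given = {j: diff_mask(s) for j, s in w_rows.items()}
    d = expand_diff(given, steps + 4)   # W_{j+4} is needed for W'_j
    errors = []
    for j in range(16, steps):
        if d[j] != given.get(j, 0):
            errors.append(f"W_{j}: expansion {d[j]:08x}, table {given.get(j, 0):08x}")
    for j, s in wp_rows.items():
        if d[j] ^ d[j + 4] != diff_mask(s):
            errors.append(f"W'_{j}: W_{j}^W_{j + 4} = {d[j] ^ d[j + 4]:08x}, table {diff_mask(s):08x}")
    return errors


# Rows copied from the tables above; only rows with an 'x' are listed.
TABLE6_W = {
    1: "--0------x-x-------1-------x----",
    2: "---------------------------x----",
    5: "--x------0-x-------x-------1----",
    8: "---------x-x---------------x----",
}
TABLE6_WP = {
    1: "--x------x-1-------x-------x----",
    2: "---------------------------x----",
    4: "---------x-x---------------x----",
    5: "--x--------x-------x------------",
    8: "---------x-x---------------x----",
}
TABLE8_W = {
    2: "x-------------------------------",
    18: "x--------x-------x--------------",
    21: "---x-------------x-x------------",
}
TABLE8_WP = {
    2: "x-------------------------------",
    14: "x--------x-------x--------------",
    17: "---x-------------x-x------------",
    18: "x--------x-------x--------------",
    20: "x-x-xx---x-x-x---x-xxx-------x--",
    21: "---x-------------x-x------------",
    23: "x-x---------------xx------------",
}

if __name__ == "__main__":
    for name, w, wp, steps in (("Table 6", TABLE6_W, TABLE6_WP, 20),
                               ("Table 8", TABLE8_W, TABLE8_WP, 24)):
        errors = check_characteristic(w, wp, steps)
        print(name, "consistent" if not errors else errors)
```

Run as a script, the check reports both characteristics as consistent; flipping any 'x' in a W or W' row yields a named mismatch. Note that the expansion for Table 6 cancels exactly at W_17 and W_18 (the differences in W_1 and W_8 cancel, and P1 of the W_2 difference cancels against the rotated W_5 difference), which is why the 20-step characteristic has no message difference after step 8. The A_i and E_i columns are coupled only through the nonlinear step function and are not modelled here.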
... Mendel et al. [15] concluded that the design of SM3 is very similar to SHA-256, extended the methods for collision attacks on SHA-256 and applied them to SM3. They produced two collision attacks on round-reduced SM3 with practical complexity. ...
Conference Paper
SM2, SM3, and SM4 are cryptographic standards authorized to be used in China. To comply with Chinese cryptography laws, standard cryptographic algorithms in products targeting the Chinese market may need to be replaced with the algorithms mentioned above. It is important to know beforehand if the replaced algorithms impact performance. Bad performance may degrade user experience and increase future system costs. We present a performance study of the standard cryptographic algorithms (RSA, ECDSA, SHA-256, and AES-128) and corresponding Chinese cryptographic algorithms. Our results indicate that the digital signature algorithms SM2 and ECDSA have similar design and also similar performance. SM2 and RSA have fundamentally different designs. SM2 performs better than RSA when generating keys and signatures. Hash algorithms SM3 and SHA-256 have many design similarities, but SHA-256 performs slightly better than SM3. AES-128 and SM4 share some similarities in the design. In the controlled experiment, AES-128 outperforms SM4 with a significant margin.
... These approaches have then been refined in a number of publications. Recently, more sophisticated approaches have been proposed that enable attacks on more complex hash functions such as SHA-256 [27, 29] among many others [20, 22, 26, 28]. All these approaches (including the search by hand) follow the guess-and-determine strategy. ...
Conference Paper
In this work, we present practical semi-free-start collisions for SHA-512 on up to 38 (out of 80) steps with complexity 2^{40.5}. The best previously published result was on 24 steps. The attack is based on extending local collisions as proposed by Mendel et al. in their Eurocrypt 2013 attack on SHA-256. However, for SHA-512, the search space is too large for direct application of these techniques. We achieve our result by improving the branching heuristic of the guess-and-determine approach to find differential characteristics and conforming message pairs. Experiments show that for smaller problems like 27 steps of SHA-512, the heuristic can also speed up the collision search by a factor of 2^{20}.
Chapter
In this paper, we study dedicated quantum collision attacks on SHA-256 and SHA-512 for the first time. The attacks reach 38 and 39 steps, respectively, which significantly improve the classical attacks for 31 and 27 steps. Both attacks adopt the framework of the previous work that converts many semi-free-start collisions into a 2-block collision, and are faster than the generic attack in the cost metric of time-space tradeoff. We observe that the number of required semi-free-start collisions can be reduced in the quantum setting, which allows us to convert the previous classical 38 and 39 step semi-free-start collisions into a collision. The idea behind our attacks is simple and will also be applicable to other cryptographic hash functions.
Conference Paper
Obtaining differential patterns over many rounds of a cryptographic primitive often requires working on local differential trail analysis. In the case of boomerang and rectangle attacks, merging two short differential trails into one long differential pattern is required. It was previously shown by Murphy that caution should be exercised as there is increased chance of running into contradictions in the middle rounds of the primitive. In this paper, we propose the use of a SAT-based constraint solver URSA as aid in analysis of differential trails and find that previous rectangle/boomerang attacks on XTEA, SHACAL-1 and SM3 primitives are based on incompatible trails. Given the C specification of the cryptographic primitive, verifying differential trail portions requires minimal work on the side of the cryptanalyst.
Article
In this study, the authors study the security of hash functions SM3 and BLAKE-256 against boomerang attack. SM3 is designed by Wang et al. and published by Chinese Commercial Cryptography Administration Office for the use of electronic certification service system in China. BLAKE is one of the five finalists of the NIST SHA-3 competition submitted by Aumasson et al. For SM3, they present boomerang distinguishers for the compression function reduced to 34/35/36/37 steps out of 64 steps, with time complexities 2^{31.4}, 2^{33.6}, 2^{73.4} and 2^{192}, respectively. Then, they show some incompatible problems existed in the previous boomerang attacks on SM3. Meanwhile, they launch boomerang attacks on up to 7- and 8-round keyed permutation of BLAKE-256, which are the first valid 7-round and 8-round boomerangs for BLAKE-256. Especially, since the authors' distinguishers on 34/35-step compression function of SM3 and 7-round keyed permutation of BLAKE-256 are practical, they are able to obtain boomerang quartets of these attacks. As far as they know, these are the best results against round-reduced SM3 and BLAKE-256.
Conference Paper
The question of compatibility of differential paths plays a central role in second order collision attacks on hash functions. In this context, attacks typically proceed by starting from the middle and constructing the middle-steps quartet in which the two paths are enforced on the respective faces of the quartet structure. Finding paths that can fit in such a quartet structure has been a major challenge and the currently known compatible paths extend over a suboptimal number of steps for hash functions such as SHA-2 and HAS-160. In this paper, we investigate a heuristic that searches for compatible differential paths. The application of the heuristic in case of HAS-160 yields a practical second order collision over all of the function steps, which is the first practical result that covers all of the HAS-160 steps. An example of a colliding quartet is provided.
Article
In this paper, we study differential attacks against ARX schemes. We build upon the generalized characteristics of De Cannière and Rechberger and the multi-bit constraints of Leurent. Our main result is an algorithm to build complex non-linear differential characteristics for ARX constructions, that we applied to reduced versions of the hash function Skein. We present several characteristics for use in various attack scenarios: on the one hand we show attacks with a relatively low complexity, in relatively strong settings; and on the other hand weaker distinguishers reaching more rounds. Our most notable results are practical free-start and semi-free-start collision attacks for 20 rounds and 12 rounds of Skein-256, respectively. Since the full version of Skein-256 has 72 rounds, this result confirms the large security margin of the design. These results are some of the first examples of complex differential trails built for pure ARX designs. We believe this is an important work to assess the security of those functions against differential cryptanalysis. Our tools are publicly available from the ARXtools webpage.
Conference Paper
The cryptographic hash function SM3 is designed by X. Wang et al. and published by Chinese Commercial Cryptography Administration Office for the use of electronic certification service system in China. It is based on the Merkle-Damgård design and is very similar to SHA-2 but includes some additional strengthening features. In this paper, we apply the boomerang attack to SM3 compression function, and present such distinguishers on up to 34/35/36/37 steps out of 64 steps, with time complexities 2^{31.4}, 2^{33.6}, 2^{73.4} and 2^{93} compression function calls respectively. Especially, we are able to obtain the examples of the distinguishers on 34-step and 35-step on a PC due to their practical complexities. In addition, incompatible problems in the recent boomerang attack are pointed out.
Article
SM3 [12] is the Chinese cryptographic hash standard which was announced in 2010 and designed by Wang et al. It is based on the Merkle–Damgård design and its compression function can be seen as a block cipher used in Davies–Meyer mode. It uses message block of length 512 bits and outputs hash value of length 256 bits. This letter studies the security of SM3 hash function against preimage attack and pseudo-collision attack by using the weakness of diffusion process and linear message expansion. We propose preimage attacks on 29-step and 30-step SM3, and pseudo-preimage attacks on 31-step and 32-step SM3 out of 64 steps. The complexities of these attacks are 2^{245} 29-step operations, 2^{251.1} 30-step operations, 2^{245} 31-step operations and 2^{251.1} 32-step operations, respectively. These (pseudo-)preimage attacks are all from the 1-st step of the reduced SM3. Furthermore, these (pseudo-)preimage attacks can be converted into pseudo-collision attacks on SM3 reduced to 29 steps, 30 steps, 31 steps and 32 steps with complexities of 2^{122}, 2^{125.1}, 2^{122} and 2^{125.1} respectively. As far as we know, the previously best known preimage attacks on SM3 cover 28 steps (from the 1-st step) and 30 steps (from the 7-th step).
Chapter
The satisfiability (SAT) problem is a core problem in mathematical logic and computing theory. In practice, SAT is fundamental in solving many problems in automated reasoning, computer-aided design, computer-aided manufacturing, machine vision, database, robotics, integrated circuit design, computer architecture design, and computer network design. Traditional methods treat SAT as a discrete, constrained decision problem. In recent years, many optimization methods, parallel algorithms, and practical techniques have been developed for solving SAT. In this survey, we present a general framework (an algorithm space) that integrates existing SAT algorithms into a unified perspective. We describe sequential and parallel SAT algorithms including variable splitting, resolution, local search, global optimization, mathematical programming, and practical SAT algorithms. We give performance evaluation of some existing SAT algorithms. Finally, we provide a set of practical applications of the satisfiability problems.
Conference Paper
HAS-160 is an iterated cryptographic hash function that is standardized by the Korean government and widely used in Korea. In this paper, we present a semi-free-start collision for 65 (out of 80) steps of HAS-160 with practical complexity. The basic attack strategy is to construct a long differential characteristic by connecting two short ones by a complex third characteristic. The short characteristics are constructed using techniques from coding theory. To connect them, we are using an automatic search algorithm for the connecting characteristic utilizing the nonlinearity of the step function.
Conference Paper
In this work, we provide the first security analysis of reduced RIPEMD-160 regarding its collision resistance with practical complexity. The ISO/IEC standard RIPEMD-160 was proposed 15 years ago and may be used as a drop-in replacement for SHA-1 due to their same hash output length. Only few results have been published for RIPEMD-160 so far and most attacks have a complexity very close to the generic bound. In this paper, we present the first application of the attacks of Wang et al. on MD5 and SHA-1 to RIPEMD-160. Due to the dual-stream structure of RIPEMD-160 the application of these attacks is nontrivial and almost impossible without the use of automated tools. We present practical examples of semi-free-start near-collisions for the middle 48 steps (out of 80) and semi-free-start collisions for 36 steps of RIPEMD-160. Furthermore, our results show that the differential characteristics get very dense in RIPEMD-160 such that a full-round attack seems unlikely in the near future.
Conference Paper
SM3 is a hash function designed by Xiaoyun Wang et al., and published by the Chinese Commercial Cryptography Administration Office for the use of electronic authentication service system. The design of SM3 builds upon the design of the SHA-2 hash function, but introduces additional strengthening features. In this paper, using a higher order differential cryptanalysis approach, we present a practical 4-sum distinguisher against the compression function of SM3 reduced to 32 rounds. In addition, we point out a slide-rotational property of SM3-XOR, which exists due to the fact that constants used in the rounds are not independent.
Conference Paper
This paper proposes a preimage attack on SM3 hash function reduced to 30 steps. SM3 is an iterated hash function based on the Merkle-Damgård design. It is a hash function used in applications such as the electronic certification service system in China. Our cryptanalysis is based on the Meet-in-the-Middle (MITM) attack. We utilize several techniques such as initial structure, partial matching and message compensation to improve the standard MITM preimage attack. Moreover, we use some observations on the SM3 hash function to optimize the computation complexity. Overall, a preimage of 30 steps SM3 hash function can be computed with a complexity of 2^{249} SM3 compression function computations, and requires a memory of 2^{16}. As far as we know, this is the first preimage result on the SM3 hash function.