Microsoft Word - sifis-ed.doc ETASR - Engineering, Technology & Applied Science Research Vol. 2, �o. 3, 2012, 226-231 226 www.etasr.com Bagheri: Security Analysis of Zipper Hash Against Multicollisions Attacks Security Analysis of Zipper Hash Against Multicollisions Attacks Nasour Bagheri Electrical Engineering Department, Shahid Rajee Teacher Training University (SRTTU) Tehran, Iran nbagheri@srttu.edu Abstract— In this paper, the existence of multicollisions in Zipper Hash structure, a new Hash structure which was introduced to strengthen the iterated Hash structures, is presented. This study shows that finding multicollisions, i.e. 2k- way collision, in this Hash structure is not much harder than finding such multicollisions in ordinary Merkle - Damgard (MD) structure. In fact, the complexity of the attacks is approximately n/2 times harder than what has been found for MD structures. Then, these large multicollisions are used as a tool to find D-way preimage for this structure. The complexity of finding 2K-way multicollisions and 2k-way preimages are ( )( )/ 2/ 2 1 2nO k n× + × and ( )/ 2/ 2 2 2 2n nO k n× × + × respectively. Similar to what has been proved by Joux for MD, it is shown in this paper that this structure could not be used to create a Hash function with 2n-bit length by concatenating this structure with any other Hash structure by Hash’s output length of n-bite. It is also shown that time complexity of finding a collision for this concatenated structure is ( )( )2 / 2/ 2 2nO n × which is much smaller than what was expected from generic-birthday attack which would be ( )2nΩ . In addition, it is shown that increasing the number of rounds of this Hash function can not improve its security against this attack significantly and the attacker can find multicollisions on this Hash function which means that this Hash function has a structural flaw. Keywords- Zipper Hash Structure; Hash function; multicollision attack; Joux attack; preimage attack; r-way collision I. INTRODUCTION A. Background In a recent paper by Joux [1], it was shown that there is a k 2 -way collision attack for the classical iterated Hash function based on a compression function, { } { }nnmf 1,01,0: →+ , where the attack has a complexity of ( )2/2nkO × . This complexity is much smaller than the complexity for the generalized birthday attack which is ( )2 1 22 k k n O −         [2] This is the basic idea of Joux’s attack. The main strategy of Joux’s attack is to first find k successive collisions by performing k successive birthday attacks using a collision finder oracle machine C. The attack works as follows: – Let 0 h be equal to the initial value IV of H. – For i from 1 to k do: • Call C and find i M and i M ′ such that ( ) ( ) iiiiii MMandMhfMhf ′≠′= −− ,, 11 . • Let ( ) iii Mhfh , 1−= . – Pad and output the k 2 messages of the form ( )Paddingmmm k ,,...,, 21 (where i m is one of the two blocks of i M or i M ′. Clearly, the 2 k different messages built as above all reach the same final value. A schematic representation of these 2 k messages together with their common intermediate Hash values is drawn in figure 1. Since birthday attack is a probabilistic attack, there is some positive reason that Joux’s attack fails. In following proposition, it is shown that an attacker needs more effort to achieve k-way collision than what has been claimed by Joux. Proposition 1. The complexity of finding 2 k –way collision in Joux’s attack is ( )2/1 22 nkkO ×× − . Proof: Assume that probability of each chain in Joux’s attack, shown in figure 1, equals toε . Hence, the success probability of those messages to lead to collision would be kε . On the other hand, in ordinary 2 k -way collision birthday attack on an ideal Hash function, for the success probability of 2 1 , the complexity would be (2 1) 22 k k n O −        [2]. Hence, if one aims to compare the Joux’s attack to the ordinary birthday attack, he should improve the Joux’s attack in order for the success probability to reach 2 1 . To improve the success probability of ETASR - Engineering, Technology & Applied Science Research Vol. 2, �o. 3, 2012, 226-231 227 www.etasr.com Bagheri: Security Analysis of Zipper Hash Against Multicollisions Attacks Joux’s attack the attack may be repeated several times. The success probability for “�” repetition of attack, Pr � , could be determined as follows: ( )Pr 1 1 2 � k � −= − − where for 1 Pr 2 � = the value of N should be 2k-1. Recall that the complexity of original Joux’s attack is ( )2/2nkO × , the total complexity of finding k-way collision following the Joux’s attack would be ( )2/1 22 nkkO ×× − . Proof has been completed. Fig. 1. Schematic representation of Joux multicollision construction. After introducing this attack, many structure have been proposed to strength iterated structure against this type of attach such Zipper Hash [3], 3C and 3C+ [4,5], SFRH and MFRH[6], WPH and DPH [7], L-pipe[8], etc. Most of these structure have tried to strengthen against multicollision attack. Among this new Hash structure, in this paper the strength of Zipper Hash [3] against multicollision attack is investigated. B. Related Work and Contribution In [9] Lin et. al have presented a multicollision attack for Zipper Hash. However, their attack work when the underling compression functions are weak while there is such assumption on compression function and the adversary has oracle access to compression functions. Hence, this Hash function is analyzed on random oracle model for compression functions and the results are more general in comparison with the results of [9]. In addition, it is shown that even if this structure is repaired, the attacker can find multicollision for this Hash function. It means that this Hash function is not suitable for general deployment and it has structural flaw. C. Paper organization In this paper an attack for this previously believed secure Hash structure is presented. For this purpose a brief description of Zipper Hash function is given in section 2. Section 3 contains an explanation of the attack for finding multicollision on this structure, whereas section 4 presents a preimage attack for it. In section 5 it is clarified why Zipper Hash could not be used as a primitive for 2n-bit concatenated Hash function. In section 6 it is shown that even if structure is repaired by employing more functions, the attacker can find multicollision on it, which means that it is not suitable for general deployment. Conclusion will be presented in section 7. II. ZIPPER HASH STRUCTURE The Zipper Hash structure can be considered as a general Hash function construction. To build an n-bit Hash function, two independent ( ) bitkm −, compression functions 0 f and 1 f are needed. These functions can be seen as a{ } { }kmk 1,01,0 →+ mapping. Same as all Hash structures, this one needs a padding function P and an initialization vector IV. For function P(x) for input x, it is guaranteed to return a padded value such that P(x) is a string that can be broken down into m-bit length blocks, and for all ( ) ( )MPMMPMMM ≠≠ '',' . Moreover it uses a finalization function { } { }nkg 1,01,0: → . Given all these pieces, the Zipper Hash function works as follows[3]: 1. Let l MM ,..., 1 be m-bit strings such that ( )MPMMM l =,..., 1 . 2. 1 h is computed as ( )IVMf , 10 , and l hh ,..., 2 are computed iteratively as ( ) 10 , −= iii hMfh . 3. 1 h′is computed as ( ) ll hxf , 1 , and l hh ′′,..., 2 are computed iteratively as ( ) 111 , −+− ′′=′ iili hMfh . 4. Final output ( ) ( ) l hgMH ′= . Since existence of g function is not affecting the attack, in the rest of the paper, without losing generality, it is assumed that output length of functions 0 f and 1 f are equal to n therefore these functions can be seen as { } { }nmn 1,01,0 →+ mapping. Figure 2 depicts the Zipper Hash construction. Fig. 2. The Zipper Hash structure. III. MULTICOLLISION ATTACK ON ZIPPER HASH Zipper Hash structure was developed as a strengthen structure against multicolission attack. In this section, we show that constructing multicollisions in Zipper Hash function can be done in a efficient way. In particular, constructing k 2 - collisions costs 2/nk × times as much as building ordinary 2-collisions and 2/n times as much as building multicollisions in ordinary MD structure. If collisions between messages of the same length are considered, the ETASR - Engineering, Technology & Applied Science Research Vol. 2, �o. 3, 2012, 226-231 228 www.etasr.com Bagheri: Security Analysis of Zipper Hash Against Multicollisions Attacks blocks of padding are identical, the padding process can be ignored and this is the case study in this paper. Moreover, if the intermediate Hash chaining values collide at some point in the Hash computation of two messages, the following values remain equal as soon as the ends of the messages are identical. Thus, on messages of the same length, collisions without the padding clearly lead to collisions with the padding. Although this attack could be applied for any length of message block and chaining value, for simplicity of proof, it is assumed that the size of the message blocks is bigger than the size of the chaining values. However, the attack can be easily generalized. It is also assumed that one can access two collision finding machines C and 'C . C is a machine that, given as input a chaining value h , outputs two different blocks M and 'M such that ( ) ( )',, 00 MhfMhf = and 'C is such a one that given 2/ 2 n different messages of length 2n blocks and h as chining value, finds the multiblocks Ψ and 'Ψ among them such that ( ) ( )',, 11 Ψ′=Ψ′ hFhF where ( )Ψ′, 1 hF is ordinary compressed value of Ψ by applying 1 f as compress function and h’ as initial value where illustrated in figure 3. These collision finding machines may use the generic birthday attack or any specific attack based on a weakness of 0 f and 1 f multicollision attack on ordinary MD. The most relevant property is that C and 'C should work properly for all chaining values. It’s clear that most of these assumed conditions for the scenario investigated in this paper is similar to what considered in [1]. ( ) 2/122/12/ ... njjnjnj mmm +++=Ψ ( ) ( )jjnnj hFh Ψ′=′ + ,2/2/1 Fig. 3. The ( ) jj hF Ψ′, 1 function structure. We now claim that we can generate k 2 equal collisions by only ( )/ 2O k n× calls to the C oracle machine and ( )kO calls to C′ oracle machine which is much less than what we expected from birthday paradox ( ) ( )( )( )kknO 2122/2 −× . Assuming that, l is the number of message blocks and is equal to 12 +× nk , the attack works as follows: 1 Let 0 h be equal to the initial value IV of Zipper Hash. 2 For i from 1 to 2nk × do: a. Call C and find i M and i M ′ in such a way that ( ) ( ) iiii MhfMhf ′= −− ,, 1010 . b. Set ( ) iii Mhfh , 10 −= . 3 since 12/ +×nkM is the padded message block determine ( ) 12/2/012/ , +××+× = nknknk Mhfh and ( ) 12/12/11 , +×+×=′ nknk Mhfh 4 For j from 1 to k do: a. Call 'C to find jΨ and 'jΨ among 2/ 2 n different messages of 2n blocks length and ( ) ( ) 112/ +−×′ jnh in such a way that ( ) ( )( ) ( ) ( )( )jjnjjn hFhF Ψ′′=Ψ′ +−×+−× ,, 112/1112/1 . 5 Output the k 2 messages of form ( )1 / 2 1,..., ,k knMψ ψ + where j ψ will be one of the two multi blocks j Ψ or ' j Ψ . Obviously, all k 2 different messages generated in this way result to the same value of Hash. The third step of this algorithm finds ( )2/ 2 nk× different multicollisions for the forward part of the Zipper Hash which uses 0 f as the compress function and the fourth step finds k 2 different multicollisions for the reverse part of the Zipper Hash which uses 1 f as the compress function. The time complexity of the attack is equal to all attempts done by the adversary. It is equal to ( ) 2/22 nnk ×× for finding a 2-way collision in the forward path of the attack and 2/ 2 n k × for finding a 2-way collision in the reverse path. Figure 4 is a schematic illustration of these k 2 multiblocks messages together with their common intermediate Hash values. 1Ψ 1Ψ′ 2Ψ 2Ψ′ k Ψ k Ψ′ Fig. 4. Schematic representation of multicollision attack on Zipper Hash structure. IV. FINDING K-WAY SECOND-PREIMAGE ATTACK ON ZIPPER HASH In reference [1] Joux puts forward the attack method called k-way which is applicable for finding the second preimage of an output of a Hash function based on the MD structure. For a given Hash target value ( ) { }0,1 k Y H M= ∈ , at first the attackers find 2 r collisions on r-block messages 1 2 2 , ,..., rM M M making ( ) ( ) ( )1 2 2... rrH H M H M H M= = = = . Then, to find the block 1r M + such that ( )1,r rf H M Y+ = . In this way, the attackers succeed in finding 2 r second preimages with the message M. Obviously, the time complexity of this attack is ( )/ 22 2n nO r + . ETASR - Engineering, Technology & Applied Science Research Vol. 2, �o. 3, 2012, 226-231 229 www.etasr.com Bagheri: Security Analysis of Zipper Hash Against Multicollisions Attacks For the Hash function based on the Zipper Hash structure, we show that theadversary can find 2 r -way preimage and second preimage with cost of ( ) ( )( )/ 21 / 2 2 2 2n nO r n+ × + × . For this purpose, as mentioned in [3], it is assumed that g function is a identical function. The attack works as follows: 1. Fixed 1 h with some random value. 2. For i from 2 to 12 +×= nrl do: a. Call C and find i M and i M ′ in such a way that ( ) ( ) iiii MhfMhf ′= −− ,, 1010 . b. Set ( ) iii Mhfh , 10 −= 3. since 12/ +×nkM is the padded message block determine ( ) 22/12/022/ , +×+×+× = nrnrnr Mhfh and ( ) 22/22/11 , +×+×=′ nknk Mhfh 4. For j from 1 to k do: a. Call 'C to find jΨ and 'jΨ among 2/ 2 n different messages of length 2n blocks and ( ) ( ) 112/ +−×′ jnh in such a way that ( ) ( )( ) ( ) ( )( )jjnjjn hFhF Ψ′′=Ψ′ +−×+−× ,, 112/1112/1 . 5. Find 1 M in such a way that ( )( ) 112/1 , MhfgY nr +× ′= . 6. Find IV in such a way that ( ) 101 , MIVfh = . Obviously, all k 2 different messages generated in this way lead to value Y as a Hash result. This procedure can be divided in two parts. Fist part of the attack is finding the r 2 -way collision whose cost is ( ) 2/22 nnr ×× and the second part, described in steps 5 and 6, is related to finding two preimages to guarantee the successes of the attack with cost n 22× . Hence, the total complexity of the attack equals to the claimed value. By applying a similar procedure, the adversary can find a r 2 -way second preimage with identical cost of time complexity which is far from ideal value nr 22 × . Clearly this kind of attack can not be used for the original version of Zipper Hash structure which use prefixed IV value, but it shows that this structure is far from ideal structure. V. ZIPPER HASH IN 2N-BIT CONCATENATED STRUCTURE A natural construction to build large Hash values is to concatenate several smaller Hashes. For example, given two Hash functions F and G, it seems reasonable given a message M to form the large Hash value ( ) ( )( )F M G M . In this construction, F and G can either be two completely different Hash functions or two slightly different instances of the same Hash function. In [1] Joux has shown that if at least one of these Hash function is a MD iterated Hash function, the complexity of finding a collision for this structure is slightly more than finding collision for one branch and it is equal to ( )/ 2/ 2 2nO n × . The basic idea in this attack is to find a / 22 n -way collision for MD structure and find a collision among this / 22 n different messages for the second Hash function. Clearly this collision is applicable to booth branches. A similar attack can be applied to find a collision on the “2n-bit” Hash construction ( ) ( )( )F M G M when one replaces either F or G, namely F, by the Zipper Hash structure. The attack complexity includes the complexity of finding / 22 n -way collision on Zipper Hash which is ( ) ( )( )/ 2/ 2 / 2 2nO n n× × plus the complexity of finding a collision on G which is ( )/ 22nO . Hence, the total complexity would be ( ) ( )( )/ 2/ 2 1 / 2 2nO n n+ × × .” VI. INCREASING THE ROUNDS OF THE ZIPPER HASH Assume that someone tries to protect the Zipper Hash by adding another layer to this structure. Figure 5 has illustrated this modified version of Zipper Hash. In general it is assumed that 2 0 f f≠ and 2 1 f f≠ . The following theorem shows that this structure is vulnerable to multicollision attack. To finding multicollision in this new structure we introduce an new oracle machine C′′ which is such a one that given 2/ 2 n different messages of length ( ) 2 2 n blocks, i.e. / 2 2 n messages of form ( )1 2 ,..., n ψ ψ where j ψ will be one of the two multi blocks j Ψ or j ′Ψ , and h′ as the chining value, to find the multiblock ϒ and ′ϒ among them such that ( ) ( )2 2, ,F h F h′ ′ ′ϒ = ϒ where ( )2 ,F h′ ϒ is ordinary compressed value of ϒ by applying 2 f as compress function and h′ as initial value. These collision finding machines may use the generic birthday attack or any specific attack based on a weakness of 2 f . The most relevant property is that C′′ should work properly for nay chaining values. Fig. 5. Schematic representation of multicollision attack on Zipper Hash structure. ETASR - Engineering, Technology & Applied Science Research Vol. 2, �o. 3, 2012, 226-231 230 www.etasr.com Bagheri: Security Analysis of Zipper Hash Against Multicollisions Attacks We now claim that we can generate 2 k equal collision by only ( )( )2/ 2O k n× calls to the C oracle machine, and ( )2nO k × calls to C′ oracle machine and ( )O k calls to C′ oracle machine which is much less than what we expected from birthday paradox ( ) ( )( )( )kknO 2122/2 −× . Assuming that, l is the number of message blocks and is equal to 12 +× nk , the attack works as follows: 1 Let 0 h be equal to the initial value IV of Zipper Hash. 2 For i from 1 to ( ) 2 2k n× do: a. Call C and find i M and i M ′ in such a way ( ) ( )0 1 0 1, ,i i i if h M f h M− − ′= . b. Set ( )0 1,i i ih f h M−= . 3 Since 12/ +×nkM is padded block fined ( )/ 2 1 0 / 2 / 2 1,k n k n k nh f h M× + × × += and ( )1 1 / 2 1 / 2 1,k n k nh f h M× + × +′ = 4 For j from 1 to 2 nk × do: a. Call 'C to find jΨ and 'jΨ among 2/ 2 n different messages of 2n blocks length and ( ) ( ) 112/ +−×′ jnh in such a way ( ) ( )( ) ( ) ( )( )1 1/ 2 1 1 / 2 1 1, ,j jn j n jF h F h× − + × − +′ ′ ′Ψ = Ψ . 5 For l from 1 to 2 nk × do: a. Call C′′ to find j ϒ and j ′ϒ among 2/ 2 n different messages of ( ) 2 2n blocks length and ( ) ( ) 112/ +−×′ jnh in such a way ( ) ( )( ) ( ) ( )( )1 1/ 2 1 1 / 2 1 1, ,j jn j n jF h F h× − + × − +′ ′ ′ϒ = ϒ 6 Output the k 2 messages of form ( )1,..., kγ γ where jγ will be one of the two multiblocks j γ or j γ ′ . Obviously, all k 2 different messages generated in this way result to the same value of Hash. The third step of this algorithm finds ( ) ( ) / 2 / 2 2 2 k n n× × different multicollisions for the first round of the Zipper Hash which uses 0 f as a compress function, the fourth step finds ( ) / 2 2 k n× different multicollisions for the second round of the Zipper Hash which uses 1 f as a compress function and the fifth step finds 2 k different multicollisions for the third round of the Zipper Hash which uses 2 f as a compress function. The time complexity of the attack is equal to all attempts done by the adversary. It is equal to ( ) 2 / 2 2 2 n k n× × for finding 2-way collision in the first round of attack, ( ) / 22 2nk n× × for finding 2-way collision in the second round and / 22nk × for finding 2-way collision in the third round. This approach can be easily extended to Zipper Hash with extra rounds. In similar way, it can be shown that the complexity of finding 2 k -way collision in Zipper Hash with I round is ( )( )/ 2/ 2 2i nO k n . This approach can be easily extended to Zipper Hash with extra rounds. Following the given algorithms to find 2 k -way collision on the Zipper Hash with two and three rounds that have the complexities of ( )( )/ 2/ 2 2nO k n and ( )( )/ 2/ 2 2i nO k n respectively, it can be shown that the complexity of finding 2 k -way collision in Zipper Hash extended to “i” rounds would be ( )( )1 / 2/ 2 2i nO k n − . Whenever this complexity reaches the birthday bound to find a 2 k -way collision on an ideal Hash function, ( ) ( )( )2 1 2 2 k k n O × −      , the extended Zipper Hash would be strengthen to the multicollision attack. To determine a bound for “i” we do as follows: ( ) ( )( ) ( ) ( ) 2 1 21 1/ 2 / 2 1 / 2 2 / 2 / 2 2 2 / 2 2 2 / 2 2 / 2 log 1 k k ni in n n i n n k n k n n i n × −− − − ≥ ⇒ ≥ ⇒ ≥ ⇒ ≥ × + This means that, in oracle model of compression function, the extended Zipper Hash to “i” rounds, for 2 / 2 / 2 log 1 n i n≥ × + , is not vulnerable to the multicollision attack. VII. CONCLUSION In this paper, it is shown that multicollisions in Zipper Hash structure are not much harder to find than finding multicollisions in the MD one. It is also shown that finding 2 r - way preimages and second preimages on this structure are not really harder to find than ordinary preimages and second preimages. Another important result is the fact that Zipper Hash structure can not be used as a building block for creating 2n-bit concatenated Hash structure because of its strength against collision which is much less than the ideal one. The study shows that although this structure is slightly more secure than iterated Hash function, it is really far from an ideal Hash function. It is shown that modifying the Zipper Hash by an extra round can not make it resistant to this attack. Finally, it is shown that in oracle model of compression function, the extended Zipper Hash to “i” rounds, for 2 / 2 / 2 log 1 n i n≥ × + , is not vulnerable to the multicollision attack REFERENCE [1] A. Joux, “Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions”, Advances in Cryptology-CRYPTO ’04, Springer-Verlag, pp. 306–316, 2004 [2] M. Nandi, D. R. Stinson, “Multicollision Attacks on Some Generalized Sequential Hash Functions”, IEEE Transactions on Information Theory, Vol. 53, No. 2, pp. 759-767, 2007 [3] M. Liskov, “Constructing an Ideal Hash Function from Weak Ideal Compression Functions”, 13th International Conference on Selected Areas in Cryptography, pp. 358-375, 2007 [4] P. Gauravaram, W. Millan, E. Dawson, K. Viswanathan, ”Constructing Secure Hash Functions by Enhancing Merkle-Damgard Construction”, Lecture Notes in Computer Science, Vol. 4058, pp. 407–420, 2006. [5] P. Gauravaram, W. Millan, E. Dawson, K. Viswanathan, ”Constructing Secure Hash Functions by Enhancing Merkle-Damga°rd Construction ETASR - Engineering, Technology & Applied Science Research Vol. 2, �o. 3, 2012, 226-231 231 www.etasr.com Bagheri: Security Analysis of Zipper Hash Against Multicollisions Attacks (Extended Version). ” Information Security Institute (ISI), Queensland University of Technology (QUT), number QUT-ISI-TR-2006-013, http://www.isi.qut.edu.au/ research/ publications/technical/qut-isi-tr- 2006-013.pdf, July 2006. [6] S. Su, Y. Yang, B. Yang, S. Zhang ,”The Design and Analysis of a Hash Ring-iterative Structure”, available: http://eprint.iacr.org/2006/384.pdf [7] S. Lucks, “A failure-friendly design principle for Hash functions”, Advances in Cryptology - ASIACRYPT 2005, 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, 2005 [8] W. R. Speirs, J. Molly, ”Making large Hash Functions from small compression function”, available:http://eprint.iacr.org/2007/239.ps. [9] P. Lin, W. Wu, C. Wu1, T. Qiu, "Analysis of Zipper as a Hash Function”, Lecture Notes in Computer Science, Vol. 4991, pp. 392-403, 2008