Huge Multicollisions and Multipreimages of Hash Functions BLENDER-n
Author
Abstract
In this paper we present a multicollision and multipreimage attack on the hash function Blender-n for all output sizes n = 224, 256, 384 and 512. The complexity and memory requirements for finding 2 multipreimages (multicollisions) of Blender-n [1] are roughly 10 times those of finding a collision for an n/2-bit random hash function. All previous attacks were based on the trick by Joux [2] using many messages. Our attacks are based on one message with several fixpoints. The state register has eight words. By properly choosing message words we force half of the register to go back to its original state. Then we find a collision in the rest with complexity 2. The collision creates a fix point in the sequence of states of the state register. We use 10 such fix points. Previously known attacks [4, 5] on Blender-n have complexity at least 2. Our 2-multicollision and multipreimage attacks have complexity 10*2.

1 An overview of Blender-n

For the sake of simplicity we will only consider Blender-256. The attacks on the other variants are similar. The hash function Blender is an iterated hash function. It uses w-bit words (w = 32 for Blender-256, w = 64 for Blender-512), a state register A of eight w-bit words, two carry bits c1, c2 and a hash register H of eight w-bit words. In the beginning the register H and the bits c1, c2 are zeroed. The initial value of the state register A is A = (a0, a1, a2, a3, a4, a5, a6, a7) = Hinit. The register H contains a chaining value, which is the sum (modulo 2, by words) of the states of the state register A, H = ∑t=1,...,K A. A new state is a function of the old state and a message word, so we have (A, c1, c2) = f(A, c1, c2, W), where f is the compression function and W is the current message word.
The sequence of words W is prepared by taking the message and the tail, consisting of fill bytes (the fill consists of the first 13 bytes repeated to the required length), the bit-length of the message, the length of the bit-length in bytes and finally two w-bit checksums. The checksums are computed from all message words (before the first checksum): checksum1 = non( ∑t=1,...,K W ), checksum2 = ∑t=1,...,K (nonW). The bit-length of the message is not limited.

1) Independent cryptologist, Prague, Czech Republic, http://cryptography.hyperlink.cz, [email protected]

To avoid technical details, we will assume only messages with an integer number of words, having the same first 13 bytes (for filling), the same length and even the same checksums. It is important to note that the checksums and the updates of the register H and the register A are computed from w-bit words; in particular the addition is made modulo 2. Here we remind the reader of a part of the original description of the hashing, paragraph 2.6.2 of [1]:

The 256-bit algorithm uses eight 32-bit working variables, a0 to a7, eight 32-bit result variables, H0 to H7, and two single-bit carry variables, c1 and c2; these constitute the “state” of the algorithm carried from round to round. This algorithm also uses three 32-bit intermediate values, T, T1 and T2, and one intermediate integer value r used to hold a rotation factor. Before hash computation begins, the working variables, a0 to a7, are initialized to the following eight 32-bit words (Hinit) in hex: a0 = 6a09e667, ...(cut)..., a7 = 5be0cd19. After the message has been prepared and the variables initialized, perform the following computations for each 32-bit word W in the prepared message:

1. Compute the preliminary intermediate values using add-with-carry:
   [c1,T1] = ( a5 ⊕ W ) + ( a1 ⊕ rotl(a3, 8) ) + c1
   [c2,T2] = ( a0 ⊕ rotr(W, 8) ) + ( a4 ⊕ rotr(a2, 8) ) + c2
2. Compute the rotation factor:
   r = 8 – (c1 + c2)
3. Rotate the intermediate values:
   T1 = rotl(T1, r)
   T2 = rotr(T2, r)
4. Compute the next state:
   T = rotr(a0, 7)
   a0 = a1 ⊕ T2
   a1 = a2 ⊕ T1
   a2 = a3 ⊕ T2
   a3 = a4 ⊕ T1
   a4 = a5 ⊕ T2
   a5 = a6 ⊕ T1
   a6 = a7 ⊕ T2
   a7 = T ⊕ T1
5. Update the hash result variables:
   H0 = H0 + a0
   H1 = H1 + a1
   H2 = H2 + a2
   H3 = H3 + a3
   H4 = H4 + a4
   H5 = H5 + a5
   H6 = H6 + a6
   H7 = H7 + a7

These five steps constitute one round of the algorithm. After repeating these steps for each word in the prepared message, the resulting 256-bit message digest of the message M is H0 || H1 || H2 || H3 || H4 || H5 || H6 || H7.

2 The state register

The hashing process has an internal state, defined by the values (A, c1, c2, H). We will create collisions in the state register A and then in the hash register H. For the sake of simplicity we will talk about the state register A, but all of the following computations are made for the state A including the carry bits c1, c2. The state register has eight words. By a careful choice of 256 message words W we will force the state register to have only 4 changing words after every 256th round. Let us denote by A = (a0, a1, a2, a3, a4, a5, a6, a7) = Hinit the initial value of the state register A.

The basic attack

Round 0: From the values of the state A we compute the first word W of the message so that T2 = 0. There is exactly one corresponding value W, as we can see from the equation T2 = (a0 ⊕ rotr(W, 8)) + (a4 ⊕ rotr(a2, 8)) + c2. Recall that the register A rotates its words one position to the left and at the last word it rotates the bits by 7 positions to the right: A = ( a1, a2 ⊕ T1, a3, a4 ⊕ T1, a5, a6 ⊕ T1, a7, rotr(a0,7) ⊕ T1 ).

Round 1: Similarly, in round 1 we choose the word W of the message such that T1 = 0. There is exactly one corresponding value, computed from the equation T1 = (a5 ⊕ W) + (a1 ⊕ rotl(a3, 8)) + c1. We get A = ( a2 ⊕ T1 ⊕ T2, a3, a4 ⊕ T1 ⊕ T2, a5, a6 ⊕ T1 ⊕ T2, a7, rotr(a0,7) ⊕ T1 ⊕ T2, rotr(a1,7) ).

Round 256: In the previous rounds the words T2 and T1 are chosen so that they have no influence on the values a1, a3, a5, a7.
Therefore the state register returns to its original value on the odd positions after 256 rounds: A = (a0, a1, a2, a3, a4, a5, a6, a7).

3 Collisions in the state register

For the sake of simplicity of the filling process (as a part of completing any message before hashing), we assume the first 13 words to be constant. They can be followed by an arbitrarily chosen sequence of bytes, so that we get an integer number of w-bit words at the beginning, for instance 256 words. Let us call this part of the message the first stationary part (S1). We start from the last state and then we use the method described above to create states A, A, A, ..., until we find a collision in this sequence. This collision creates a fix point (or a cycle), because we can return back (and make several cycles) or go on. After the first cycle we make 256 steps with randomly chosen message words W (to break the
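As an added example (not code from the paper or the Blender specification), the following Python model implements steps 1 to 4 of the Blender-256 round described above and alternates the Round 0 choice of W (T2 = 0) with the Round 1 choice (T1 = 0) for 256 rounds, so the claim that the odd-position words of A return to their original values can be checked directly. The starting state A0 is a constructed value, not Hinit, the helper names are my own, and step 5 (the H update) is left out because the argument concerns the state register A only.

```python
MASK = 0xFFFFFFFF
def rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    return rotl(x, 32 - (n % 32))

def intermediates(a, c1, c2, w):
    """Step 1, add-with-carry sums: returns (T1, T2, c1, c2) before the rotation step."""
    s1 = (a[5] ^ w) + (a[1] ^ rotl(a[3], 8)) + c1
    s2 = (a[0] ^ rotr(w, 8)) + (a[4] ^ rotr(a[2], 8)) + c2
    return s1 & MASK, s2 & MASK, s1 >> 32, s2 >> 32

def blender_round(a, c1, c2, w):
    """Steps 1 to 4 of one Blender-256 round; step 5 (the H update) is omitted."""
    t1, t2, c1, c2 = intermediates(a, c1, c2, w)
    r = 8 - (c1 + c2)
    t1, t2 = rotl(t1, r), rotr(t2, r)
    t = rotr(a[0], 7)
    new_a = [a[1] ^ t2, a[2] ^ t1, a[3] ^ t2, a[4] ^ t1,
             a[5] ^ t2, a[6] ^ t1, a[7] ^ t2, t ^ t1]
    return new_a, c1, c2

def word_forcing_t2_zero(a, c2):
    """Round 0 choice: the unique W with T2 = 0, i.e. a0 ^ rotr(W, 8) = -((a4 ^ rotr(a2, 8)) + c2) mod 2^32."""
    need = -((a[4] ^ rotr(a[2], 8)) + c2) & MASK
    return rotl(a[0] ^ need, 8)

def word_forcing_t1_zero(a, c1):
    """Round 1 choice: the unique W with T1 = 0, i.e. a5 ^ W = -((a1 ^ rotl(a3, 8)) + c1) mod 2^32."""
    need = -((a[1] ^ rotl(a[3], 8)) + c1) & MASK
    return a[5] ^ need

def run_stationary_block(a, c1, c2, rounds=256):
    """Alternate the T2 = 0 (even rounds) and T1 = 0 (odd rounds) choice of W; returns the words and the final state."""
    words = []
    for i in range(rounds):
        w = word_forcing_t2_zero(a, c2) if i % 2 == 0 else word_forcing_t1_zero(a, c1)
        words.append(w)
        a, c1, c2 = blender_round(a, c1, c2, w)
    return words, a, c1, c2

# Constructed starting state for the demonstration (not the Hinit of the specification).
A0 = [0x01234567, 0x89abcdef, 0xdeadbeef, 0x0badf00d,
      0x12345678, 0xcafebabe, 0xfeedface, 0x76543210]
if __name__ == "__main__":
    _, a, _, _ = run_stationary_block(A0, 0, 0)
    print(all(a[i] == A0[i] for i in (1, 3, 5, 7)))  # True: the odd positions are back
```

After 8 rounds each odd-position word is back in place rotated right by 7 bits, which is why 32 such passes (256 rounds, 224 bits of rotation) restore it exactly for 32-bit words.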
Similar sources
Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions
In this paper, we study the existence of multicollisions in iterated hash functions. We show that finding multicollisions, i.e. r-tuples of messages that all hash to the same value, is not much harder than finding ordinary collisions, i.e. pairs of messages, even for extremely large values of r. More precisely, the ratio of the complexities of the attacks is approximately equal to the logarithm...
Hash function security: cryptanalysis of the Very Smooth Hash and multicollisions in generalised iterated hash functions
In recent years, the amount of electronic communication has grown enormously. This has posed some new problems in information security. In particular, the methods in cryptography have been under much scrutiny. There are several basic primitives that modern cryptographic protocols utilise. One of these is hash functions, which are used to compute short hash values from messages of any length. In...
Breaking the ICE - Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions
The security of hash functions has recently become one of the hottest topics in the design and analysis of cryptographic primitives. Since almost all the hash functions used today (including the MD and SHA families) have an iterated design, it is important to study the general security properties of such functions. At Crypto 2004 Joux showed that in any iterated hash function it is relatively e...
Structural Attacks on Two SHA-3 Candidates: Blender-n and DCH-n
The recently started SHA-3 competition in order to find a new secure hash standard and thus a replacement for SHA-1/SHA-2 has attracted a lot of interest in the academic world as well as in industry. There are 51 round one candidates building on sometimes very different principles. In this paper, we show how to attack two of the 51 round one hash functions. The attacks have in common that they ...
Second Preimages on n-bit Hash Functions for Much Less than 2 Work
We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2-message-block message with about k × 2^(n/2+1) + 2^(n−k+1) work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2 byte message in about 2 work, rath...
Journal title:
- IACR Cryptology ePrint Archive
Volume 2009 Issue
Pages -
Publication date 2009