Inverting Thanks to SAT Solving - An Application on Reduced-step MD*

Florian Legendre, Gilles Dequen, Michaël Krajecki

Abstract

The SATisfiability Problem is a core problem in mathematical logic and computing theory. The last decade progresses have led it to be a great and competitive approach to practically solve a wide range of industrial and academic problems. Thus, the current SAT solving capacity allows the propositional formalism to be an interesting alternative to tackle cryptanalysis problems. This paper deals with an original application of the SAT problem to cryptanalysis. We thus present a principle, based on a propositional modeling and solving, and provide details on logical inferences, simplifications, learning and pruning techniques used as a preprocessor with the aim of reducing the computational complexity of the SAT solving and hence weakening the associated cryptanalysis. As cryptographic hash functions are central elements in modern cryptography we choose to illustrate our approach with a dedicated attack on the second preimage of the well-known MD⋆ hash functions. We finally validate this reverse-engineering process, thanks to a generic SAT solver achieving a weakening of the inversion of MD⋆. As a result, we present an improvement of the current limit of best practical attacks on step-reduced MD4 and MD5 second preimage, respectively up to 39 and 28 inverted rounds.

References

  1. Aumasson, J., Meier, W., and Mendel, F. (2008). Preimage attacks on 3-pass haval and step-reduced md5. In Selected Areas in Cryptography, pages 120-135.
  2. Bacchus, F. and Winter, J. (2003). Effective preprocessing with hyper-resolution and equality reduction.
  3. Biere, A. (2010). Lingeling, plingeling, picosat and precosat at sat race 2010. In Tech. Rep. 10/1, FMV Reports Series, Johannes Kepler University, Altenbergerstr. Linz, Austria, pages 244-257.
  4. Biere, A., Heljanko, K., Junttila, T., Latvala, T., and Schuppan, V. (2006). Linear encodings of bounded LTL model checking. Logical Methods in Computer Science.
  5. Biere, A., Heule, M. J. H., Maaren, H. V., and Walsh, T., editors (2009). Handbook of Satisfiability, volume 185 of Frontiers in Artificial Intelligence and Applications. IOS Press.
  6. Biham, E. and Shamir, A. (1990). Differential cryptanalysis of des-like cryptosystems. In CRYPTO, pages 2-21.
  7. Cook, S. A. (1971). The Complexity of Theorem Proving Procedures. In 3rd ACM Symp. on Theory of Computing, Ohio, pages 151-158.
  8. Damga°rd, I. (1989). A design principle for hash functions. In CRYPTO, pages 416-427.
  9. Davis, M., Logemann, G., and Loveland, D. (1962). A Machine Program for Theorem-Proving. Journal Association for Computing Machine, (5):394-397.
  10. De, D., Kumarasubramanian, A., and Venkatesan, R. (2007). Inversion attacks on secure hash functions using satsolvers. In SAT, pages 377-382.
  11. Dobbertin, H. (1996). Cryptanalysis of md4. In FSE, pages 53-69.
  12. Kautz, H. and Selman, B. (1996). Pushing the envelope: Planning, propositional logic and stochastic search. In Proc. of 30th national AI and 8th IAAI.
  13. Klíma, V. (2005). Finding md5 collisions on a notebook pc using multi-message modifications. In IACR Cryptology ePrint Archive, page 102.
  14. Leurent, G. (2008). Md4 is not one-way. In FSE, pages 412-428.
  15. Massacci, F. and Marraro, L. (2000). Logical cryptanalysis as a sat problem. J.Autom.Reasoning, pages 165-203.
  16. Matsui, M. and Yamagishi, A. (1992). A new method for known plaintext attack of feal cipher. In EUROCRYPT, pages 81-91.
  17. Merkle, R. (1989). One way hash functions and des. In CRYPTO, pages 428-446.
  18. Mironov, I. and Zhang, L. (2006). Applications of sat solvers to cryptanalysis of hash functions. In SAT, pages 102-115.
  19. Potlapally, N. R., Raghunathan, A., Ravi, S., Jha, N. K., and Lee, R. B. (2007). Aiding side-channel attacks on cryptographic software with satisfiability-based analysis. IEEE Trans. VLSI Syst., 15(4):465-470.
  20. Sasaki, Y. and Aoki, K. (2008). Preimage attacks on stepreduced md5. In ACISP, pages 282-296.
  21. Wang, X. and Yu, H. (2005). How to break md5 and other hash functions. In EUROCRYPT, pages 19-35.
  22. Wang, X., Yu, H., Wang, W., Zhang, H., and Zhan, T. (2009). Cryptanalysis on hmac/nmac-md5 and md5- mac. In EUROCRYPT, pages 121-133.
  23. Yu, H. and Wang, X. (2007). Multi-collision attack on the compression functions of md4 and 3-pass haval. In ICISC, pages 206-226.
  24. Zhang, L., Madigan, C., Moskewicz, M., and Malik, S. (2001). Efficient conflict driven learning in a boolean satisfiability solver. In ICCAD, pages 11-16.
Download


Paper Citation


in Harvard Style

Legendre F., Dequen G. and Krajecki M. (2012). Inverting Thanks to SAT Solving - An Application on Reduced-step MD* . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012) ISBN 978-989-8565-24-2, pages 339-344. DOI: 10.5220/0004077603390344


in Bibtex Style

@conference{secrypt12,
author={Florian Legendre and Gilles Dequen and Michaël Krajecki},
title={Inverting Thanks to SAT Solving - An Application on Reduced-step MD*},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)},
year={2012},
pages={339-344},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004077603390344},
isbn={978-989-8565-24-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)
TI - Inverting Thanks to SAT Solving - An Application on Reduced-step MD*
SN - 978-989-8565-24-2
AU - Legendre F.
AU - Dequen G.
AU - Krajecki M.
PY - 2012
SP - 339
EP - 344
DO - 10.5220/0004077603390344