hash attacks and hashcash (SHA1 partial preimage of 0^160)

Adam Back adam at cypherspace.org
Wed Aug 18 13:33:12 PDT 2004 

(This discussion from hashcash list is Cc'd to cryptography and
cypherpunks.)

Hashcash uses SHA1 and computes a partial pre-image of the all 0bit
string (0^160).

Following is a discussion of what the recent results from Joux, Wang
et al, and Biham et al on SHA0, MD5, SHA1 etc might imply for hashcash
SHA1 (and for hypothetical hashcash SHA0, MD5 etc by way of seeing
what it will mean if SHA1 eventually suffers similar fate to SHA0).

(All as far as I understand so far).

Hashcash stresses the SHA1 function in a different direction than
sigantures and MACs -- in assuming partial pre-images are hard (ie an
k-bit partial pre-image should take about 2^k operations).  (Partial
2nd pre-images are also "interesting" against hashcash -- see below).

(As a security argument if partial pre-images say up to m<n bits were
to turn out to be easy (take much less than 2^m work effort) then this
could be used to find full pre-images with < 2^n effort, and full
birthday collisions with < 2^(n/2) effort -- where n is the hash
output size).


Hashcash is computing partial preimages (of the all 0 bit string).

The original hashcash (alpha format) computed partial 2nd-preimages as
follows:

H( time || resource ) =partial H( time || resource || random )

so the image is H( time || resource ), the pre-image is time ||
resource, and the (partial) 2nd pre-image is time || resource ||
random, and the images 

H( time || resource ) and H( time || resource || random )

partially match.

Then several people independently (Hal Finney, Thomas Boschloo)
suggested using a fixed image (0^160, ie all 0 bits) instead of the
image H( time || resource ).  (Hashcash version 0 and version 1
formats use the all 0 bits approach.)  ie so one is looking for:

H( time || resource || random ) =partial 0^160

As long as SHA1 is a good hash function this should be just as "fair"
a string to find partial pre-images of.


So with the last days news: as I read it the MD5 attack can find
relatively arbitrary pairs of pre-images (which differ in a few
well-chosen bits).  As a birthday attack, or perhaps with some more
work as a 2nd pre-image attack (2nd pre-image unclear).

Birthday style attacks don't help against hashcash as the atacker has
limited control over the H( time || resource ) in the alpha format and
no control over the 0^160 in v0 and v1 format hashcash.


So the way to apply a 2nd pre-image attack (if general 2nd pre-image
is possible with the approach) is to find one partial hash collision
the usual way (brute force), then re-use the work a bit and use it to
get subsequent collisions.  As far as hashcash is concerned these will
be of approximately the same value as the original (and not full
collisions) because they are against 0^n and the partial hash
collision (which a full collision was found against) only has 0^k bits
of leading 0s.


So I think if hashcash were using SHA-0, the following attack should
work: spend lots of work create eg a 50-bit hashcash token, use the
SHA-0 attack (Wang et al attack has work order 2^40 hash operations)
to find another (and maybe a small family of) hashcash stamps which
are full collisions with the 40-bit partial collision we just created.

I have not seen any indication if there is a family of collisions that
come more cheaply after the initial 2^40 operations of the Wang et al
approach.

As long as the work to create each 2nd pre-image in the family that
can be derived from one starting stamp is less than the value of the
stamp, the spammer wins in some way.  He can get some economies of
scale (up to the family size) in creating multiple stamps for the same
recipient.  However this is not so interesting to the spammer he would
sooner have economies of scale in sending to _everyone_ not DoSing one
user.  Also until we know the family size we do not know how bad even
a DoS advantage there would be.


For SHA-1 so far none of the above holds.  If someone manages to
extend the Biham attack to the full 80 rounds then the similar
argument to the SHA-0 based hashcash would presumably hold.

But this is based on what has been said so far about how the attacks
work.  Perhpas the same or related techniques now people have seen how
they work could be adapted to provide partial pre-images more
efficiently than brute force directly.

Adam

On Wed, Aug 18, 2004 at 02:03:09PM -0400, Jean-Luc Cooke wrote:
> To be clear:
>   MD5 is borken.  The whole thing:
>     http://www.md5crk.com/md5col.zip
>   SHA-0 is broken.  The whole thing:
>     http://www.md5crk.com/sha0col
>   HAVAL-128 and RIPEMD-128 and MD4 are also broken using the same techniques.
> 
> 56 round SHA-1 (out of a possible 80) is broken.
> 
> The event of the pasat week cast heavy doubt on the current common techniques
> used in hash algorithms.  MD4 was the first to use this unblanced Fiezel
> network.
> 
> Wirlpool and Tiger are sometimes called "wide-trail" hashs.  Different beasts
> entirly.
> 
> I suspect even SHA-256 and SHA-384/512 may be vulnerable to these attacks to
> some extent.
> 
> I expect there to be a flurry of new hashs proposed and adopted as
> industry/government/international standards.

More information about the cypherpunks-legacy mailing list