SHA0 Collision

Author: scopeInfinity

DES/__init__.py

@@ -0,0 +1,13 @@
+from  des_variation import encrypt
+import random
+import sys
+
+key = int(sys.argv[1])
+rounds = 8
+samples = 100000
+with open(str(key)+'_'+str(rounds)+'.txt','w') as f:
+	for i in range(samples):
+		msg = random.randint(0,(1<<63)-1)
+		cipher = encrypt(msg, key, rounds = rounds)
+		f.write("%d %d\n" % (msg,cipher))
+

DES/data_generator.py

@@ -4,7 +4,22 @@
 import numpy as np
 
 DES_ROUNDS = 16
-
+permutation_bitlocation = [
+		14,17,11,24, 1, 5, 3,28,
+		15, 6,21,10,23,19,12, 4,
+		26, 8,16, 7,27,20,13, 2,
+		40,52,31,37,47,55,30,40,
+		51,45,33,48,44,49,39,56,
+		34,53,46,42,50,36,29,32
+	]
+d_pemutation = [
+	17,28,12,29,21,20, 7,16,
+	 1,15,23,26, 5,18,31,10,
+	25, 4,11,22, 6,30,13,19,
+	 2, 8,24,14,32,27, 3, 9
+]
+s_table = [0xE,0x4,0xD,0x1,0x2,0xF,0xB,0x8,0x3,0xA,0x6,0xC,0x5,0x9,0x0,0x7]
+	
 def rotatebitleft(b,cnt,bitlength):
 	r = ((b<<cnt) | (b>>(bitlength-cnt))) & ((1<<bitlength)-1)
 	return r
@@ -20,19 +35,11 @@ def pbox(permutation,_in):
 # Key scheduler compression pbox
 # 56bits to 48bits then truncate to 32 bits
 def ks_compression_pbox(_in):
-	permutation_bitlocation = [
-			14,17,11,24, 1, 5, 3,28,
-			15, 6,21,10,23,19,12, 4,
-			26, 8,16, 7,27,20,13, 2,
-			40,52,31,37,47,55,30,40,
-			51,45,33,48,44,49,39,56,
-			34,53,46,42,50,36,29,32
-		]
 	out_48 = pbox(permutation_bitlocation, _in)
 	out_32 = out_48&((1<<32)-1)
 	return out_32
 
-def key_scheduler(key):
+def key_scheduler(key, rounds):
 	# Assuming msb 8 bit to be parity bit
 	# Ignoring high 8 parity bits
 	cipherkey = key&((1<<56)-1)
@@ -42,7 +49,7 @@ def key_scheduler(key):
 	ck_l = cipherkey>>CK_HALFSIZE
 	ck_r = cipherkey&((1<<CK_HALFSIZE)-1)
 	keys = []
-	for r in range(DES_ROUNDS):
+	for r in range(rounds):
 		shamt = 2
 		if r in onebitshiftround:
 			shamt = 1
@@ -64,14 +71,6 @@ def sboxs(table, _in, splitinto):
 	return _out
 
 def des_round(data_l,data_r,rkey):
-	d_pemutation = [
-		17,28,12,29,21,20, 7,16,
-		 1,15,23,26, 5,18,31,10,
-		25, 4,11,22, 6,30,13,19,
-		 2, 8,24,14,32,27, 3, 9
-	]
-	s_table = [0xE,0x4,0xD,0x1,0x2,0xF,0xB,0x8,0x3,0xA,0x6,0xC,0x5,0x9,0x0,0x7]
-	
 	x_out = data_r^rkey
 	s_out = sboxs(s_table, x_out, 8)
 	out_p = pbox(d_pemutation, s_out)
@@ -88,8 +87,8 @@ def des(data,round_keys):
 	cipher = (data_l<<DA_HALFSIZE) | data_r
 	return cipher
 
-def encrypt(data,key):
-	round_keys = key_scheduler(key)
+def encrypt(data,key, rounds = DES_ROUNDS):
+	round_keys = key_scheduler(key, rounds)
 	cipher = des(data, round_keys)
 	return cipher
 

DES/des_variation.py

@@ -0,0 +1,108 @@
+from  des_variation import encrypt, pbox, permutation_bitlocation, d_pemutation, s_table
+import numpy as np
+import sys
+# bits = Bits to consider in 'number' for xor
+def getxor(number, bits):
+	number = number&bits
+	xor = bin(number).count('1')%2
+	return xor
+
+def get_linearapprox(sbox):
+	BITSIZE = 4
+	out = []
+	for i in range(1<<BITSIZE):
+		out.append(sbox[i])
+	lineartable = []
+	SIZE = 1<<BITSIZE
+	for i in range(SIZE):
+		row = []
+		for j in range(SIZE):
+			c = 0
+			for sample_in,sample_out in enumerate(out):
+				if (getxor(sample_in,i)^getxor(sample_out,j)) == 0:
+					c+=1
+			row.append(c)
+		lineartable.append(row)
+	lineartable = np.asarray(lineartable)
+	lineartable_wb = lineartable - SIZE/2
+	return lineartable_wb
+
+def getbest_s_table_single(s_lineartable,_in):
+	index = np.argmax(s_lineartable[_in])
+	return (index,s_lineartable[_in][index]/16.0)
+
+def getbest_s_table(s_lineartable,_in):
+	_out = 0
+	p1 = 1
+	for i in range(8):
+		_in_i = (_in>>(4*i))&0xF
+		res = getbest_s_table_single(s_lineartable, _in_i)
+		_out |= res[0]<<(4*i)
+		p1 *= res[1]
+	return _out,p1
+
+def attack(fname, rounds):
+	print "Trying to find key"
+	s_lineartable = get_linearapprox(s_table)
+	# init_mxbias = (2,14) # on pain_r
+
+	plaintextbits  = 2	# Bits of plaintext to consider
+	out_bits = 2
+	kbits = 0
+
+	DA_HALFSIZE = 32
+	cbits_l = out_bits>>DA_HALFSIZE
+	cbits_r = out_bits&((1<<DA_HALFSIZE)-1)
+	# Xor of plaintextbits in plaintext and out_bits in out of cround round and kbits of rkey is zero
+	prob_l = 2.0 # only bias
+	prob_r = 2.0 # only bias
+
+	for cround in range(rounds):
+		ncbits_l = cbits_r
+		afterstable,bias =  getbest_s_table(s_lineartable,cbits_l)
+		afterpermuation = pbox(d_pemutation, afterstable)
+		ncbits_r = afterpermuation | cbits_l
+		cbits_l,cbits_r = ncbits_l,ncbits_r
+		prob_r = prob_r/2 * bias
+		prob_r,prob_l = prob_l,prob_r
+		print "Probablity Bias : %0.15f %0.15f" % (prob_l,prob_r)
+	print "Probable bit flips %s %s" % (bin(cbits_l),bin(cbits_r)) 
+
+	
+	samples = []
+	with open(fname,'r') as f:
+		for line in f:
+			samples.append([int(x) for x in line.split()])
+
+	bkey = None
+	i = 0
+	while i<(1<<64):
+		good = False
+		for sample in samples:
+			cipher = encrypt(sample[0], i, rounds=8)
+			if cipher == sample[1]:
+				good = True
+			break	
+		if good:
+			bkey = i
+			break
+		i += 1
+	if bkey is None:
+		print "Unable to obtain key"
+		assert False
+	return bkey
+
+def main():
+	assert len(sys.argv)>1
+	if sys.argv[1] == '--show-s_table':
+		s_lineartable = get_linearapprox(s_table)
+		print s_lineartable
+		return
+	fname = sys.argv[1]
+	rounds = int(sys.argv[2])
+	key = attack(fname, rounds)	
+	print "Key found as %d" % key
+	
+if __name__ == '__main__':
+	main()
+