
In document Preimages for SHA-1 (Page 137-140)


9.3 Exceeding u multiplicative complexity necessitates a collision

definition, f⁻¹(f(x)) = x′, where x′ is either the preimage or a second preimage. If x ≠ x′, then there are at least two inputs that collide. Now consider the multiplicative complexity of f⁻¹. If it is n, then every bit in a vector in {0,1}ⁿ must be combined using ∧ to produce the output: the ANF must be equivalent to x₀ ∧ x₁ ∧ ··· ∧ xₙ, where each xᵢ may be negated. If it is greater than n, then a second product term must exist, since repeating a variable xᵢ with the same polarity would be redundant and repeating a variable xᵢ with inverted polarity would cause the term to be 0.

Assume that two product terms exist in the ANF of f⁻¹, such that f⁻¹ = a ⊕ b where a, b ∈ {0,1}ⁿ. It is evident that there must be at least two inputs which, when XORed together, produce this result. The maximum possible multiplicative complexity that can be achieved while remaining collision-free is therefore n.

As a more concrete example, let f⁻¹ = (x₀ ∧ x₁ ∧ x₂ ∧ x₃) ⊕ (¬x₀ ∧ x₁ ∧ ¬x₂ ∧ x₃).

The two colliding vectors can be determined, by inspection of the ANF, to be 1111 and 0101.
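The inspection above can be mechanised. The following Python is an added example (not code from the thesis) that evaluates an ANF given as an XOR of signed product terms over every input vector and lists the inputs on which it evaluates to 1; any two of those inputs collide. The term syntax (`~x0 x1 ~x2 x3`) and the helper names are this example's own conventions. It also counts the ∧ gates in the expression as written, which for the single four-literal term is 3 and for the two-term function is 6.

```python
from itertools import product


def parse_term(text):
    """Parse a product term such as '~x0 x1 ~x2 x3' into ((index, polarity), ...).

    polarity True means the variable appears uncomplemented, False means negated.
    The '~xN' syntax is this example's own convention.
    """
    lits = []
    for tok in text.split():
        negated = tok.startswith("~")
        lits.append((int(tok.lstrip("~x")), not negated))
    return tuple(lits)


def eval_term(term, x):
    """1 if every literal of the product term is satisfied by input vector x, else 0."""
    return int(all(x[i] == int(pol) for i, pol in term))


def eval_anf(terms, x):
    """XOR (sum mod 2) of the product terms evaluated on x."""
    return sum(eval_term(t, x) for t in terms) % 2


def ones_of(terms, n):
    """All n-bit inputs (as bit strings, x0 first) on which the ANF evaluates to 1."""
    return ["".join(map(str, x)) for x in product((0, 1), repeat=n) if eval_anf(terms, x)]


def colliding_pairs(terms, n):
    """Unordered pairs of distinct inputs that both map to 1, i.e. collisions on that output."""
    ones = ones_of(terms, n)
    return [(a, b) for i, a in enumerate(ones) for b in ones[i + 1:]]


def and_gates(terms):
    """Number of two-input AND gates needed to evaluate the expression as written."""
    return sum(len(t) - 1 for t in terms)


if __name__ == "__main__":
    single = [parse_term("x0 x1 x2 x3")]
    two_terms = [parse_term("x0 x1 x2 x3"), parse_term("~x0 x1 ~x2 x3")]
    print("single term maps to 1 on:", ones_of(single, 4), "AND gates:", and_gates(single))
    print("two terms map to 1 on:", ones_of(two_terms, 4), "AND gates:", and_gates(two_terms))
    print("colliding pairs:", colliding_pairs(two_terms, 4))
```

Because the two terms differ in the polarity of x₀, no input satisfies both, so the XOR behaves as an OR here and the set of ones is exactly the union of the two terms' satisfying assignments, 0101 and 1111.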

A consequence of the above discussion for a general preimage-finding algorithm is that it will not be sufficient to concentrate on a subset of the output bits numbering fewer than ^u to obtain a preimage: at least ~u output bits must be considered.

9.1 Scalability

To understand the scalability characteristics of various reordering heuristics, a simple experiment was performed. For a particular number of input bits n, starting from n = 1, a SHA-1 BDD representation was created using each of the nineteen heuristics. The amount of time that it took to apply each of the logical operations {∧, ∨, ⊕} was recorded. The ¬ operation for BDDs is implemented in CUDD as a simple complement of a pointer's least significant bit, and is therefore very fast, non-recursive, and guaranteed to create no new nodes; no statistics were gathered for this operation. A six-figure statistical summary (minimum, lower quartile, median, geometric mean, upper quartile, maximum) of the recorded times, per operation and across all operations, was generated. Furthermore, the number of nodes in the final SHA-1 representation was recorded to ensure that the heuristics resulted in reasonable representations. The number of input bits n was then increased and the same procedure repeated; however, if the total time taken to generate a SHA-1 representation using a heuristic exceeded two minutes, that heuristic was excluded from consideration for larger values of n. The experiment was considered complete when no usable reordering heuristic remained.

Figure 9.6 plots the sizes of the resulting BDDs for each number of inputs. It can readily be seen that the difference in size is entirely negligible, no matter what reordering method is used; the data points overlap in all cases. Note that the y-axis is logarithmic, and the line (from n = 3 onwards) is reasonably straight. This allows us to approximate the size of a BDD representation of SHA-1, based on the gathered data, as 16 · 2^(1.02n) nodes for an n-bit input.

[Figure 9.6 legend: None; Random swaps; Random pivot; Sift; Sift (iter.); Sift (symmetric); Sift (symmetric, iter.); Window (sz=2); Window (sz=3); Window (sz=4); Window (sz=2, iter.); Window (sz=3, iter.); Window (sz=4, iter.); Sift (group); Sift (group, iter.); Simulated annealing; Genetic; Sift (lazy); Exact; Predicted]

Figure 9.6: Size of SHA-1 BDD representation under different reordering heuristics

Table 9.1: BDD orderings and related size variance

Input bits   Heuristics   Unique orderings   Min. size   Max. size   Size variance
    2            19              1               14          14          0%
    3            19              1              133         133          0%
    4            18              5              330         334        1.2%
    5            18              8              695         696        0.1%
    6            16              6             1351        1361        0.7%
    7            15              8             2633        2641        0.3%
    8            10              4             5136        5136        0.0%
    9             5              2            10068       10071        0.0%
   10             2              1            19612       19612        0.0%
   11             2              1            37464       37464        0.0%

It was initially thought that the similar sizes were due to the quality of the reordering heuristics, but further investigation proved this hypothesis to be incorrect. Table 9.1 shows that while all heuristics converge on a single ordering when very few input bits (n ≤ 3) or very few heuristics (fewer than five) remain, there are multiple competing orderings for the majority of the runs seen. Nor were these permutations only slightly different: for example, two 7-bit orderings were 0-1-2-3-4-5-6 and 5-1-0-4-3-6-2, with the resulting sizes being 2633 and 2634 respectively. This is a very surprising result, given that the existing literature makes it clear that the ordering of variables typically results in very different sizes of BDD (Bryant, 1992; Bollig and Wegener, 1996; Krause, Savicky, and Wegener, 1999; Sieling, 2002). However, the result does make some sense in the light of Section 5.2, which implies that all variables are equally important.

The data collected on the time taken by various reordering heuristics is largely irrelevant if all heuristics result in equally bad outcomes. If all are equally bad, then the best solution is simply not to apply any reordering heuristic at all: every heuristic has a non-zero cost, and not applying any heuristic is the only option that adds no cost.

Bryant (1992, p. 6) separates functions into three typical classes: symmetric, integer addition, and integer multiplication. The last class is the worst, with the BDD representation invariably requiring an exponential number of nodes. Given the failure of all the attempted heuristics to find a non-exponential representation for any number of input bits, it is likely that SHA-1 falls into this class. Wegener (1994, p. 368) defines the concept of sensitivity as "the quotient of the size of a reduced OBDD for [a function] f with respect to a worst ordering of the variables and the size of a reduced OBDD for f with respect to an optimal ordering of variables", and states that symmetric functions have a sensitivity of 1. It appears that SHA-1 shares this sensitivity, but is not symmetric, since no heuristic was able to find a non-exponential representation.
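The two claims above, that variable ordering normally changes BDD size dramatically and that a symmetric function has sensitivity exactly 1, can be checked with a small reduced ordered BDD. The following Python is an added example (not code from the thesis and not CUDD): a minimal ROBDD with a unique table and memoised apply, built under a caller-supplied variable order, with size measured as the number of internal nodes. It uses Bryant's ordering-sensitive function (x₀∧x₁)∨(x₂∧x₃)∨(x₄∧x₅) and the symmetric parity function x₀⊕x₁⊕x₂⊕x₃ as assumed test functions, and computes Wegener's sensitivity by brute force over all orderings, which is feasible only for a handful of variables.

```python
from itertools import permutations

AND = lambda a, b: a & b
OR = lambda a, b: a | b
XOR = lambda a, b: a ^ b


class BDD:
    """Minimal reduced ordered BDD. Node ids 0 and 1 are the terminals."""

    def __init__(self, order):
        self.level = {v: i for i, v in enumerate(order)}  # variable -> position in order
        self.nodes = [None, None]                          # id -> (var, low, high)
        self.unique = {}                                   # (var, low, high) -> id
        self.memo = {}                                     # (op, u, v) -> id

    def mk(self, var, low, high):
        """Create or reuse a node; a node whose children agree is redundant and dropped."""
        if low == high:
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, v):
        return self.mk(v, 0, 1)

    def _top(self, u):
        return None if u <= 1 else self.nodes[u][0]

    def apply(self, op, u, v):
        """Shannon-expand on the earliest variable of the two roots; memoised per (op, u, v)."""
        key = (op, u, v)
        if key in self.memo:
            return self.memo[key]
        if u <= 1 and v <= 1:
            r = op(u, v)
        else:
            tu, tv = self._top(u), self._top(v)
            if tv is None or (tu is not None and self.level[tu] <= self.level[tv]):
                x = tu
            else:
                x = tv
            ul, uh = self.nodes[u][1:] if tu == x else (u, u)
            vl, vh = self.nodes[v][1:] if tv == x else (v, v)
            r = self.mk(x, self.apply(op, ul, vl), self.apply(op, uh, vh))
        self.memo[key] = r
        return r

    def size(self, root):
        """Number of internal (non-terminal) nodes reachable from root."""
        seen, stack = set(), [root]
        while stack:
            u = stack.pop()
            if u <= 1 or u in seen:
                continue
            seen.add(u)
            stack.extend(self.nodes[u][1:])
        return len(seen)


def build_pairs(bdd):
    """(x0 AND x1) OR (x2 AND x3) OR (x4 AND x5): Bryant's ordering-sensitive example."""
    root = 0
    for i in (0, 2, 4):
        root = bdd.apply(OR, root, bdd.apply(AND, bdd.var(i), bdd.var(i + 1)))
    return root


def build_parity(bdd):
    """x0 XOR x1 XOR x2 XOR x3: a symmetric function."""
    root = 0
    for i in range(4):
        root = bdd.apply(XOR, root, bdd.var(i))
    return root


def size_under(order, builder):
    bdd = BDD(order)
    return bdd.size(builder(bdd))


def sensitivity(n, builder):
    """Wegener's sensitivity: worst-ordering size / best-ordering size, by exhaustive search."""
    sizes = [size_under(p, builder) for p in permutations(range(n))]
    return max(sizes) / min(sizes), min(sizes), max(sizes)


if __name__ == "__main__":
    print("pairs, order 0-1-2-3-4-5:", size_under((0, 1, 2, 3, 4, 5), build_pairs))
    print("pairs, order 0-2-4-1-3-5:", size_under((0, 2, 4, 1, 3, 5), build_pairs))
    print("pairs sensitivity (ratio, min, max):", sensitivity(6, build_pairs))
    print("parity sensitivity (ratio, min, max):", sensitivity(4, build_parity))
```

For the pairs function the good ordering yields 6 internal nodes and the interleaved ordering 14, so its sensitivity is well above 1; every ordering of the parity function yields 7 internal nodes, giving the sensitivity of 1 that Wegener attributes to symmetric functions. Table 9.1 shows SHA-1 behaving like the second case in this respect, despite not being symmetric.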

An argument could be made that the heuristics are at fault, and that a non-exponential BDD representation is possible. To investigate this, three heuristics which utilise randomness were selected from the available set of CUDD heuristics, under the assumption that a random ordering is more likely to happen upon a "better" ordering (if one exists). These heuristics were examined in detail, informed by the official CUDD documentation (Somenzi, 2015) and by an examination of the CUDD 3.0.0 source code.

The RandomSwaps heuristic (called CUDD_REORDER_RANDOM in CUDD) randomly chooses n pairs of variables, where n is the number of inputs, and swaps the order of adjacent variables between the pairs. The most reduced order is the one which is used.

Example 9.4. RandomSwaps heuristic. Assume that a 5-variable BDD has the or-
