Closed dignifiedquire closed 5 days ago
The code was written quite generally as you might have noticed. There is a lot of code for recomputing from many other middle steps than actually used. That's also because the ubc_check was mostly generated automatically, the code for that is in a separate repository: https://github.com/cr-marcstevens/sha1collisiondetection-tools
The ubc_check code and the big list in there you're referencing is generated from the short list of DVs, which are purely defined by the specific combination of values for dvtype, dvK and dvB. From there also dm is generated, and ubc checks are first determined and then code generated. Although sha1collisiondetection directly uses dm for speed, instead of dvtype, dvK and dvB, I would say those values are still important information to keep: those three values are the identifier for which "disturbance vector" the attack is actually based on.
maski is always 0 and therefore unused, because we chose to generate the code for exactly 32 disturbance vectors. I think it's fine to remove maski, because if we ever want to increase the DVlist, we'll start using uint64 instead of uint32.
If you want to know more about disturbance vectors then I should refer you to the original paper:
https://marc-stevens.nl/research/papers/C13-S.pdf
The techniques and choice for sha1collisiondetection tool are described in this paper:
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-stevens.pdf
Thanks a lot for the quick answer!
When porting the code to Rust, I noticed that the struct fields of `dv_info_t` `dvk`, `dvb`, `maski` are never actually accessed in the code, so I was wondering what the reason is for still including them, thanks. Also `dv_type` seems to be one of `0` (terminal marker?), `1` or `2`, but the only usage I found is for checking if it is `!= 0`.
Definition: https://github.com/cr-marcstevens/sha1collisiondetection/blob/master/lib/ubc_check.h#L35