Differential Cryptanalysis of Hash Functions: How to find Collisions?


 Eleanor Fisher
 1 years ago
 Views:
Transcription
1 Differential Cryptanalysis of Hash Functions: How to find Collisions? Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Austria Albena 2011 Albena Hash Function Cryptanalysis I 1
2 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 2
3 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 3
4 Motivation Cryptanalysis of block ciphers: well understood Cryptanalysis of hash functions: not so much hash functions were attacked like block ciphers Attacks on MDfamily by Wang et al. broke A1 NIST A3 competition to find a successor of A1 to focus research on hash function cryptanalysis Albena Hash Function Cryptanalysis I 4
5 Cryptographic Hash Function h m h(m) Hash function h maps arbitrary length input m to nbit output h(m) Collision Resistance (2 n/2 ) find m, m with m m and h(m) = h(m ) SecondPreimage Resistance (2 n ) given m, h(m) find m with m m and h(m) = h(m ) Preimage Resistance (2 n ) given h(m) find m Albena Hash Function Cryptanalysis I 5
6 Iterated Hash Function Construction M 1 M 2 M 3 M t IV w f w f w f f w g n H(m) Most hash functions use some kind of iteration compression function f output transformation g chaining value size w n Strength depends on f, g, w smaller w needs stronger f Also building blocks are analyzed Albena Hash Function Cryptanalysis I 6
7 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 7
8 Collision Attacks m m h h h(m) = h(m ) Find two different messages which result in the same hash value: m m with h(m) = h(m ) birthday effect applies: 2 n/2 Albena Hash Function Cryptanalysis I 8
9 Collision Attacks (Differential View) m = m 0 m h h h h(m) h(m ) = h(m) = 0 Find two different messages which result in the same hash m, m with m 0 and h(m) = 0 Usually XOR differences are used: m = m m and h(m) = h(m) h(m ) Albena Hash Function Cryptanalysis I 9
10 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 10
11 Differential Characteristic m 0? h how to find m, m? find differential characteristic (trail, path) determines m holds with high probability P if P > 2 n/2 : find colliding m by trying 1/P random messages with complexity < 2 n/2 h(m) = 0 Albena Hash Function Cryptanalysis I 11
12 Differential Characteristic m 0? h how to find m, m? find differential characteristic (trail, path) determines m holds with high probability P if P > 2 n/2 : find colliding m by trying 1/P random messages with complexity < 2 n/2 how to improve complexity of attack? h(m) = 0 how to find good differential characteristics? Albena Hash Function Cryptanalysis I 11
13 How to Improve Complexity of Attack? m 0 h Good characteristic for block ciphers: optimizes probability Good characteristic for hash functions optimizes probability minimizes effort to find m How to find m? no secret key involved we can choose m according to characteristic resulting equations in first steps are easy (only a small part of the message involved) reduced costs at input of characteristic h(m) = 0 Albena Hash Function Cryptanalysis I 12
14 How to Improve Complexity of Attack? m 0 h Good characteristic for block ciphers: optimizes probability Good characteristic for hash functions optimizes probability minimizes effort to find m How to find m? no secret key involved we can choose m according to characteristic resulting equations in first steps are easy (only a small part of the message involved) reduced costs at input of characteristic h(m) = 0 characteristic with lower probability at input to get higher probability towards end Albena Hash Function Cryptanalysis I 12
15 How to Find Good Differential Characteristics? block cipher based design: use characteristic of block cipher attack (also related key characteristics) by hand: MD4, MD5, A1 (Wang et al.) (semi) automatic tools: linearize hash function (coding tools) nonlinear differential search by design: well known best characteristics Albena Hash Function Cryptanalysis I 13
16 Example: A1 high probability in second part (L) linearize hash function [RO05] search for linear differential characteristic using low weight code search connect with IV in first part (NL) low probability search for nonlinear characteristic [WYY05, DR06] message modification easy for first 16 steps (just invert equation) also possible for more steps ( 25) (advanced message modification) Albena Hash Function Cryptanalysis I 14
17 Finding Linear Characteristics Message expansion is linear Linearize modular addition by XOR no carry with probability 1/2 Linearize Boolean function by XOR holds with probability 1/2 Probabilities are given for single bit differences Albena Hash Function Cryptanalysis I 15
18 Finding Linear Characteristics Differences with low Hamming weight result in good probability Finding good linear characteristic corresponds to finding lowweight code word in linear code Good representation of hash function is important Open source tool to find low weight code words: krypto/codingtool/ Albena Hash Function Cryptanalysis I 16
19 Finding NonLinear Characteristics [DR06] Using generalized conditions Albena Hash Function Cryptanalysis I 17
20 Finding NonLinear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Albena Hash Function Cryptanalysis I 18
21 Finding NonLinear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using nonlinear tool Albena Hash Function Cryptanalysis I 18
22 Finding NonLinear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using nonlinear tool Add conditions to control diff. no probability needed here Albena Hash Function Cryptanalysis I 18
23 Finding NonLinear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using nonlinear tool Add conditions to control diff. no probability needed here Find conforming message pair message mod. until step 25 probabilistic for further steps Albena Hash Function Cryptanalysis I 18
24 Message Modification To improve complexity of attack in first few steps up to 25 in the case of A1 Many dedicated techniques have been published: advanced message modifications [WYY05] equation solving [SKPI07] neutral bits [BC04] boomerang/tunnels [JP07, Kli06] greedy approach [D07] Resulting theoretical complexity for A1: 2 63 [WYY05] implementation overhead! Albena Hash Function Cryptanalysis I 19
25 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 20
26 The Rebound Attack [ST09] One more tool in the cryptanalysis of hash functions Invented during the cryptanalysis of Whirlpool and Grøstl AESbased designs allow a simple application of the idea Related work: truncated differentials insideout techniques meetinthemiddle techniques message modification... Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool,... Albena Hash Function Cryptanalysis I 21
27 The Rebound Attack E bw E in E fw outbound inbound outbound Applies to blockcipher and permutation based designs: E = E fw E in E bw Inbound phase efficient meetinthemiddle phase in E in aided by available degrees of freedom Outbound phase probabilistic part in E bw and E fw repeat inbound phase if needed P = P fw P in P bw Albena Hash Function Cryptanalysis I 22
28 The Whirlpool Hash Function Designed by Barretto and Rijmen in 2000 [BR00] evaluated by NESSIE standardized by ISO/IEC :2003 Iterative hash function based on the MerkleDamgård design principle message block, chaining values, hash size: 512 bit M 1 M 2 M 3 M t IV f f f f H(m) Albena Hash Function Cryptanalysis I 23
29 The Whirlpool Compression Function H j 1 key schedule M j state update H j 512bit hash value and using 512bit message blocks Blockcipher based design (AES) MiyaguchiPreneel mode with conservative key schedule Albena Hash Function Cryptanalysis I 24
30 The Whirlpool Round Transformations The state update and the key schedule update an 8 8 state S and K of 64 bytes 10 rounds each AES like round transformation r i = SubBytes ShiftColumns MixRows AddRoundKey K i S(x) + Albena Hash Function Cryptanalysis I 25
31 Collision Attack on Whirlpool H j 1 key schedule M j state update H j 1block collision: fixed H j 1 (to IV ) f (M j, H j 1 ) = f (Mj, H j 1 ), M j Mj Albena Hash Function Cryptanalysis I 26
32 Collision Attack on Whirlpool H j 1 key schedule M j state update H j 1block collision: fixed H j 1 (to IV ) f (M j, H j 1 ) = f (Mj, H j 1 ), M j Mj Albena Hash Function Cryptanalysis I 26
33 Collision Attack on 4 Rounds IV K 0 K 1 K 2 K 3 K 4 S 0 S 1 S 2 S 3 S 4 M 1 H 1 Differential trail with minimum number of active Sboxes 81 for any 4round trail ( ) maximum differential probability: (2 5 ) 81 = Albena Hash Function Cryptanalysis I 27
34 Collision Attack on 4 Rounds IV K 0 K 1 K 2 K 3 K 4 constant S 0 S 1 S 2 S 3 S 4 M 1 H 1 Differential trail with minimum number of active Sboxes 81 for any 4round trail ( ) maximum differential probability: (2 5 ) 81 = Albena Hash Function Cryptanalysis I 27
35 Collision Attack on 4 Rounds IV K 0 K 1 K 2 K 3 K 4 constant S 0 S 1 S 2 S 3 S 4 M 1 H 1 Differential trail with minimum number of active Sboxes 81 for any 4round trail ( ) maximum differential probability: (2 5 ) 81 = How to find a message pair following the differential trail? Albena Hash Function Cryptanalysis I 27
36 First: Use Truncated Differences S 0 S 1 S 2 S 3 S 4 M 1 H 1 bytewise truncated differences: active / not active we do not mind about actual differences single active byte at input and output is enough probabilistic in MixRows: 2 56 for 8 1 we can remove many restrictions (more freedom) hopefully less complexity of message search Albena Hash Function Cryptanalysis I 28
37 How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? Albena Hash Function Cryptanalysis I 29
38 How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? inside out? Albena Hash Function Cryptanalysis I 29
39 How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? inside out? meet in the middle? Albena Hash Function Cryptanalysis I 29
40 How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? inside out? meet in the middle? rebound! Albena Hash Function Cryptanalysis I 29
41 Rebound Attack on 4 Rounds [ST09] S 0 S 1 S 2 S 3 S 4 M 1 H 1 outbound phase inbound phase outbound phase Inbound phase (1) start with differences in round 2 and 3 (2) matchinthemiddle at Sbox using values of the state Outbound phase (3) probabilistic propagation in MixRows in round 1 and 4 (4) match onebyte difference of feedforward Albena Hash Function Cryptanalysis I 30
42 Inbound Phase S2 S 2 S3 S3 3a c0 e6 b9 5a 8c 08 c0 get values (1) Start with arbitrary differences in state S 3 we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31
43 Inbound Phase S2 S 2 S3 S3 e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31
44 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences get values differences (1) Start with arbitrary differences in state S3 linearly propagate all differences backward to S3 linearly propagate rowwise forward from S2 to S 2 we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31
45 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6? a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate rowwise forward from S 2 to S 2 (2) Matchinthemiddle at SubBytes layer check if differences can be connected (for each Sbox) with probability 2 xx we get 2 xx solutions for each row we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31
46 Difference Distribution Table (Whirlpool) in \ out a 1b 1c 1d 1e 1f a b c d e f Albena Hash Function Cryptanalysis I 32
47 MatchintheMiddle for Single Sbox a Sbox b Check for matching input/output differences Using Difference Distribution Table (DDT) Sbox(x) Sbox(x a) = b Solve equation for all x and count the number of solutions: 25880/65025 entries (with a, b 0) in DDT are nonzero match with probability we get either 2, 4, 6 or 8 values values for possible differentials values (right pairs) on average Albena Hash Function Cryptanalysis I 33
48 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6? a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate rowwise forward from S 2 to S 2 (2) Matchinthemiddle at SubBytes layer check if differences can be connected (for each Sbox) Albena Hash Function Cryptanalysis I 34
49 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate rowwise forward from S 2 to S 2 (2) Matchinthemiddle at SubBytes layer check if differences can be connected (for each Sbox) with probability we get solutions for each row Albena Hash Function Cryptanalysis I 34
50 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate rowwise forward from S 2 to S 2 (2) Matchinthemiddle at SubBytes layer check if differences can be connected (for each Sbox) with probability we get solutions for each row we get right pairs with complexity < 2 16 Albena Hash Function Cryptanalysis I 34
51 Outbound Phase S 0 S 1 S 2 S 3 S 4 outbound inbound 2 56 average 1 outbound 2 56 (3) Propagate through MixRows of round 1 and round 4 using truncated differences (active bytes: 8 1) probability: 2 56 in each direction (4) Match difference in one active byte of feedforward (2 8 ) collision for 4 rounds of Whirlpool with complexity Albena Hash Function Cryptanalysis I 35
52 Extending the Attack to 5 Rounds [L + 09] S 0 S 1 S 2 S 3 S 4 S 5 outbound 2 56 inbound average 1 outbound 2 56 By adding one round in the inbound phase of the attack we can extend the attack to 5 rounds The outbound phase is identical to the attack on 4 rounds probability: Construct starting points in the inbound phase with average complexity 1 Albena Hash Function Cryptanalysis I 36
53 Inbound Phase ee match S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences differences 2 64 differences (1) Start with arbitrary differences in state S 3 and S 3 (2) Matchinthemiddle at SuperBox ( ) similar to 64bit Sbox (DDT has size ) Albena Hash Function Cryptanalysis I 37
54 Inbound Phase ee match S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences differences 2 64 values/differences 2 64 differences (1) Start with arbitrary differences in state S3 and S3 we need to propagate all 2 64 differences backward at once (2) Matchinthemiddle at SuperBox ( ) similar to 64bit Sbox (DDT has size ) timememory tradeoff with time/memory 2 64 Albena Hash Function Cryptanalysis I 37
55 Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c de2bf8 08 4d349690f1f8075e c0 differences match differences differences 2 64 values/differences 2 64 differences (1) Start with arbitrary differences in state S3 and S3 we need to propagate all 2 64 differences backward at once (2) Matchinthemiddle at SuperBox ( ) similar to 64bit Sbox (DDT has size ) timememory tradeoff with time/memory 2 64 with complexity 2 64 we get at least 2 64 pairs Albena Hash Function Cryptanalysis I 37
56 From Collisions to NearCollisions S 0 S 1 S 2 S 3 S 4 S 5 S 6 S average Add one round at input and output no additional complexity MixRows: 1 8 with probability 1 Nearcollision attack for 7 rounds time complexity and 2 64 memory Albena Hash Function Cryptanalysis I 38
57 Compression Function Attacks H j 1 key schedule M j state update H j We can freely choose the chaining input H j 1 no differences in H j 1 semifreestart (near) collisions Extend previous attacks by 2 rounds using multiple inbound phases Outbound phases of attacks stay the same Albena Hash Function Cryptanalysis I 39
58 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 Idea: use two independent inbound phases Albena Hash Function Cryptanalysis I 40
59 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase Idea: use two independent inbound phases Albena Hash Function Cryptanalysis I 40
60 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase 2nd inbound phase Idea: use two independent inbound phases Albena Hash Function Cryptanalysis I 40
61 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase connect 2nd inbound phase Idea: use two independent inbound phases connect them using 512bit freedom of key input (S 3 = S 2 K 3 ) Albena Hash Function Cryptanalysis I 40
62 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase connect 2nd inbound phase Idea: use two independent inbound phases connect them using 512bit freedom of key input (S 3 = S 2 K 3 ) A bit more tricky than that (3 key inputs involved) connect rows independently find 2 64 solutions with complexity Albena Hash Function Cryptanalysis I 40
63 Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase connect 2nd inbound phase Idea: use two independent inbound phases connect them using 512bit freedom of key input (S 3 = S 2 K 3 ) A bit more tricky than that (3 key inputs involved) connect rows independently find 2 64 solutions with complexity Collision on 7 and nearcollision on 9 rounds Albena Hash Function Cryptanalysis I 40
64 Summary of Results on Whirlpool target rounds computational memory complexity requirements type hash s 2 s collision function s 2 s nearcollision 7 2 compression 2 64 collision 9 2 function 2 64 nearcollision Albena Hash Function Cryptanalysis I 41
65 Summary of Results on Whirlpool target rounds computational memory complexity requirements type hash s 2 s collision function s 2 s nearcollision compression 2 64 collision function 2 64 nearcollision Albena Hash Function Cryptanalysis I 41
66 Summary of Results on Whirlpool target rounds computational memory complexity requirements type hash s 2 s collision function s 2 s nearcollision compression 2 64 collision function 2 64 nearcollision distinguisher Albena Hash Function Cryptanalysis I 41
67 Open Problems H j 1 key schedule M j state update H j Using differences also in the chaining input Combination of: relatedkey attacks on block ciphers local collisions rebound attack Albena Hash Function Cryptanalysis I 42
68 The A3 Candidate Grøstl [GKM + 11] M i Q H i 1 P H i A3 finalist AESbased hash function Permutation based design Designed by DTU (Denmark) and TU Graz (Austria) Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen Albena Hash Function Cryptanalysis I 43
69 Permutations P and Q of Grøstl Q: AddRoundConstant ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fieidicibiai9i8i SubBytes S ShiftRows MixColumns P: 0i1i2i3i4i5i6i7i S AES like round transformations 8 8 state and 10 rounds for Grøstl state and 14 rounds for Grøstl512 Based on design principles of AES not using AES as a direct building block better diffusion, wider trails Albena Hash Function Cryptanalysis I 44
70 The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P average ) Construct optimal truncated differential path by hand, wellknown how to find right pairs? Albena Hash Function Cryptanalysis I 45
71 The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P average ) Construct optimal truncated differential path by hand, wellknown how to find right pairs? 2) Inbound phase three rounds with average complexity 1 using SuperBox timememory tradeoffs Albena Hash Function Cryptanalysis I 45
72 The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P average ) Construct optimal truncated differential path by hand, wellknown how to find right pairs? 2) Inbound phase three rounds with average complexity 1 using SuperBox timememory tradeoffs 3) Outbound phase high probability for sparse paths Albena Hash Function Cryptanalysis I 45
73 The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P average ) Construct optimal truncated differential path by hand, wellknown how to find right pairs? 2) Inbound phase three rounds with average complexity 1 using SuperBox timememory tradeoffs 3) Outbound phase high probability for sparse paths find solutions with complexity and 2 64 memory Albena Hash Function Cryptanalysis I 45
74 Relatively Simple Analysis of Grøstl M 1 Q 0 Q 1 Q 2 Q 3 average IV P 0 P 1 P 2 P 3 H 1 Easy to construct truncated differential paths optimal use of available freedom (message) Results for Grøstl256, Grøstl512 hash function collisions for 3 rounds (of 10,14) compression function collisions for 6 rounds (of 10,14) Albena Hash Function Cryptanalysis I 46
75 Summary for Rebound Attack on Grøstl Lots of cryptanalysis (mostly on Grøstl0) [MPRS09, Pey10, SLW + 10, ST09, ST10, ITP10] No multiple inbound phases possible No keyschedule input (no relatedkey attacks) Provable resistance against standard differential attacks Using (powerful) truncated differentials still only 3 out of 10 rounds can be attacked Albena Hash Function Cryptanalysis I 47
76 Summary of Rebound Attacks Basic principle not that difficult efficient inbound phase probabilistic outbound phase Difficulty in constructing and merging inbound phases finding good and sparse truncated differential paths efficient way to use available freedom for merge Albena Hash Function Cryptanalysis I 48
77 Other Rebound Attacks ECHO: big state but rather sparse truncated differential paths JH: 4bit Sboxes, multiple inbound phases Lane: 2x inbound for Lane256, 3x inbound for LANE512 Luffa: 4bit Sboxes, find differential path first, then values Skein: rotational rebound attack Albena Hash Function Cryptanalysis I 49
78 Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 50
79 More Freedom in Attacking Hash Functions... than in attacks on block ciphers AESbased designs (Whirlpool Grøstl): 3 rounds in the middle with (average) complexity rounds at the beginning ARXbased designs (A1): up to 25 steps at the beginning with message modification Albena Hash Function Cryptanalysis I 51
80 Conclusion Differential cryptanalysis powerful tool in analyzing hash functions many hash functions broken using DC sparse (truncated) differential characteristics needed AES based designs: best truncated differential path can be used (with small modifications) rebound attack to find differences and values simultaneously ARX based designs: unknown if good characteristics exist (semi)automatic tools needed (linear,nonlinear) still some work to do for ARX based A3 finalists Albena Hash Function Cryptanalysis I 52
81 Thank you for your Attention! Questions? Albena Hash Function Cryptanalysis I 53
82 References I [BC04] [BR00] [D07] Eli Biham and Rafi Chen. NearCollisions of A0. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of LNCS, pages Springer, Paulo S. L. M. Barreto and Vincent Rijmen. The WHIRLPOOL Hashing Function. Submitted to NESSIE, September 2000, revised May 2003, Available online: Christophe De Cannière, Florian Mendel, and Christian Rechberger. Collisions for 70Step A1: On the Full Cost of Collision Search. In Carlisle M. Adams, Ali Miri, and Michael J. Wiener, editors, Selected Areas in Cryptography, volume 4876 of LNCS, pages Springer, Albena Hash Function Cryptanalysis I 54
83 References II [DR06] [GKM + 11] [ITP10] Christophe De Cannière and Christian Rechberger. Finding A1 Characteristics: General Results and Applications. In Xuejia Lai and Kefei Chen, editors, ASIRYPT, volume 4284 of LNCS, pages Springer, Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl a A3 candidate. Submission to NIST (Round 3), January Available online: Round3/submissions_rnd3.html. Kota Ideguchi, Elmar Tischhauser, and Bart Preneel. Improved Collision Attacks on the ReducedRound Grøstl Hash Function. In Mike Burmester, Gene Tsudik, Spyros S. Magliveras, and Ivana Ilic, editors, I, volume 6531 of LNCS, pages Springer, Albena Hash Function Cryptanalysis I 55
84 References III [JF11] [JP07] [Kli06] Jérémy Jean and PierreAlain Fouque. Practical NearCollisions and Collisions on RoundReduced ECHO256 Compression Function. In Fast Software Encryption, To appear. Antoine Joux and Thomas Peyrin. Hash Functions and the (Amplified) Boomerang Attack. In Alfred Menezes, editor, CRYPTO, volume 4622 of LNCS, pages Springer, Vlastimil Klima. Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology eprint Archive, Report 2006/105, Albena Hash Function Cryptanalysis I 56
85 References IV [KNPRS10] [L + 09] Dmitry Khovratovich, María NayaPlasencia, Andrea Röck, and Martin Schläffer. Cryptanalysis of Luffa v2 Components. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages Springer, Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, and Martin Schläffer. Rebound Distinguishers: Results on the Full Whirlpool Compression Function. In Mitsuru Matsui, editor, ASIRYPT, volume 5912 of LNCS, pages Springer, [MNPN + 09] Krystian Matusiewicz, María NayaPlasencia, Ivica Nikolić, Yu Sasaki, and Martin Schläffer. Rebound Attack on the Full Lane Compression Function. In Mitsuru Matsui, editor, ASIRYPT, volume 5912 of LNCS, pages Springer, Albena Hash Function Cryptanalysis I 57
86 References V [MPRS09] [S09] Florian Mendel, Thomas Peyrin, Christian Rechberger, and Martin Schläffer. Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh SafaviNaini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages Springer, Florian Mendel, Christian Rechberger, and Martin Schläffer. Cryptanalysis of Twister. In Michel Abdalla, David Pointcheval, PierreAlain Fouque, and Damien Vergnaud, editors, NS, volume 5536 of LNCS, pages , [ST09] Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, FSE, volume 5665 of LNCS, pages Springer, Albena Hash Function Cryptanalysis I 58
On Collisions for MD5
Eindhoven University of Technology Department of Mathematics and Computing Science MASTER S THESIS On Collisions for MD5 By M.M.J. Stevens Supervisor: Prof. dr. ir. H.C.A. van Tilborg Advisors: Dr. B.M.M.
More informationHow to Break MD5 and Other Hash Functions
How to Break MD5 and Other Hash Functions Xiaoyun Wang and Hongbo Yu Shandong University, Jinan 250100, China xywang@sdu.edu.cn yhb@mail.sdu.edu.cn Abstract. MD5 is one of the most widely used cryptographic
More informationHow to Break MD5 and Other Hash Functions
How to Break MD5 and Other Hash Functions Xiaoyun Wang and Hongbo Yu Shandong University, Jinan 250100, China, xywang@sdu.edu.cn, yhb@mail.sdu.edu.cn Abstract. MD5 is one of the most widely used cryptographic
More informationLightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT
Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT Onur Özen1, Kerem Varıcı 2, Cihangir Tezcan 3, and Çelebi Kocair 4 1 EPFL IC LACAL Station 14. CH1015 Lausanne, Switzerland
More informationOn the Key Schedule Strength of PRESENT
On the Key Schedule Strength of PRESENT Julio Cesar HernandezCastro 1, Pedro PerisLopez 2 JeanPhilippe Aumasson 3 1 School of Computing, Portsmouth University, UK 2 Information Security & Privacy Lab,
More informationLinear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT
Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT Jorge Nakahara Jr 1, Pouyan Sepehrdad 1, Bingsheng Zhang 2, Meiqin Wang 3 1 EPFL, Lausanne, Switzerland 2 Cybernetica AS, Estonia and
More informationPRESENT: An UltraLightweight Block Cipher
PRESENT: An UltraLightweight Block Cipher A. Bogdanov 1, L.R. Knudsen 2, G. Leander 1, C. Paar 1, A. Poschmann 1, M.J.B. Robshaw 3, Y. Seurin 3, and C. Vikkelsoe 2 1 HorstGörtzInstitute for ITSecurity,
More informationDuplexing the sponge: singlepass authenticated encryption and other applications
Duplexing the sponge: singlepass authenticated encryption and other applications Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract.
More informationELECTROMAGNETIC SIDECHANNEL ANALYSIS ON INTEL ATOM PROCESSOR
ELECTROMAGNETIC SIDECHANNEL ANALYSIS ON INTEL ATOM PROCESSOR A Major Qualifying Project Report: submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE by Anh Do Soe Thet Ko Aung Thu Htet Date:
More informationLogical Cryptanalysis as a SAT Problem
Journal of Automated Reasoning 24: 165 203, 2000. 2000 Kluwer Academic Publishers. Printed in the Netherlands. 165 Logical Cryptanalysis as a SAT Problem Encoding and Analysis of the U.S. Data Encryption
More informationFormat Oracles on OpenPGP
This is a preliminary version. The final version of this paper appears in the proceedings of CTRSA 2015. The final publication is available at Springer via http://dx.doi.org/10.1007/9783319167152_12.
More informationAnalysis of Nonfortuitous Predictive States of the RC4 Keystream Generator
Analysis of Nonfortuitous Predictive States of the RC4 Keystream Generator Souradyuti Paul and Bart Preneel Katholieke Universiteit Leuven, Dept. ESAT/COSIC, Kasteelpark Arenberg 10, B 3001 LeuvenHeverlee,
More informationK 2r+8 PHT <<<1 MDS MDS
)*.1,(/+032 THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS 034 TECHNICAL REPORT OF IEICE. 7865'9 Twosh ;? @A 3 B&C y 3 NTT FRUX_a[\]Ye`khE f 2390847 Gnql #Hw~ ˆ g 11
More informationA new probabilistic public key algorithm based on elliptic logarithms
A new probabilistic public key algorithm based on elliptic logarithms Afonso Comba de Araujo Neto, Raul Fernando Weber 1 Instituto de Informática Universidade Federal do Rio Grande do Sul (UFRGS) Caixa
More informationWhere s the FEEB? The Effectiveness of Instruction Set Randomization
Where s the FEEB? The Effectiveness of Instruction Set Randomization Ana Nora Sovarel David Evans Nathanael Paul University of Virginia, Department of Computer Science http://www.cs.virginia.edu/feeb Abstract
More informationCryptanalytic Attacks on Pseudorandom Number Generators
Cryptanalytic Attacks on Pseudorandom Number Generators John Kelsey Bruce Schneier David Wagner Chris Hall Abstract. In this paper we discuss PRNGs: the mechanisms used by realworld secure systems to
More informationRobust Set Reconciliation
Robust Set Reconciliation Di Chen 1 Christian Konrad 2 Ke Yi 1 Wei Yu 3 Qin Zhang 4 1 Hong Kong University of Science and Technology, Hong Kong, China 2 Reykjavik University, Reykjavik, Iceland 3 Aarhus
More informationThe Disadvantages of Free MIX Routes and How to Overcome Them
The Disadvantages of Free MIX Routes and How to Overcome Them Oliver Berthold 1, Andreas Pfitzmann 1, and Ronny Standtke 2 1 Dresden University of Technology, Germany {ob2,pfitza}@inf.tudresden.de 2 Secunet,
More informationThe Steganographic File System
The Steganographic File System Ross Anderson 1, Roger Needham 2, Adi Shamir 3 1 Cambridge University; rja14@cl.cam.ac.uk 2 Microsoft Research Ltd; needham@microsoft.com 3 Weizmann Institute; shamir@wisdom.weizmann.ac.il
More informationGeneralized Compact Knapsacks are Collision Resistant
Generalized Compact Knapsacks are Collision Resistant Vadim Lyubashevsky Daniele Micciancio University of California, San Diego 9500 Gilman Drive, La Jolla, CA 920930404, USA {vlyubash,daniele}@cs.ucsd.edu
More informationIEEE TRANSACTIONS ON AUDIO, SPEECH, AND LANGUAGE PROCESSING, 2013. ACCEPTED FOR PUBLICATION 1
IEEE TRANSACTIONS ON AUDIO, SPEECH, AND LANGUAGE PROCESSING, 2013. ACCEPTED FOR PUBLICATION 1 ActiveSet Newton Algorithm for Overcomplete NonNegative Representations of Audio Tuomas Virtanen, Member,
More informationHow to Encipher Messages on a Small Domain
Appears in Advances in Cryptology CRYPTO 2009 How to Encipher Messages on a Small Domain Deterministic Encryption and the Thorp Shuffle Ben Morris 1, Phillip Rogaway 2, and Till Stegers 2 1 Dept. of Mathematics,
More informationHighRate Codes That Are Linear in Space and Time
1804 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 48, NO 7, JULY 2002 HighRate Codes That Are Linear in Space and Time Babak Hassibi and Bertrand M Hochwald Abstract Multipleantenna systems that operate
More informationSubspace Pursuit for Compressive Sensing: Closing the Gap Between Performance and Complexity
Subspace Pursuit for Compressive Sensing: Closing the Gap Between Performance and Complexity Wei Dai and Olgica Milenkovic Department of Electrical and Computer Engineering University of Illinois at UrbanaChampaign
More informationPrivate Set Intersection: Are Garbled Circuits Better than Custom Protocols?
Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang David Evans University of Virginia Jonathan Katz University of Maryland http://mightbeevil.org Abstract Cryptographic
More informationCOSAMP: ITERATIVE SIGNAL RECOVERY FROM INCOMPLETE AND INACCURATE SAMPLES
COSAMP: ITERATIVE SIGNAL RECOVERY FROM INCOMPLETE AND INACCURATE SAMPLES D NEEDELL AND J A TROPP Abstract Compressive sampling offers a new paradigm for acquiring signals that are compressible with respect
More informationCLoud Computing is the long dreamed vision of
1 Enabling Secure and Efficient Ranked Keyword Search over Outsourced Cloud Data Cong Wang, Student Member, IEEE, Ning Cao, Student Member, IEEE, Kui Ren, Senior Member, IEEE, Wenjing Lou, Senior Member,
More informationA survey of pointbased POMDP solvers
DOI 10.1007/s1045801292002 A survey of pointbased POMDP solvers Guy Shani Joelle Pineau Robert Kaplow The Author(s) 2012 Abstract The past decade has seen a significant breakthrough in research on
More informationPerformance Analysis of BSTs in System Software
Performance Analysis of BSTs in System Software Ben Pfaff Stanford University Department of Computer Science blp@cs.stanford.edu Abstract Binary search tree (BST) based data structures, such as AVL trees,
More informationFairplay A Secure TwoParty Computation System
Fairplay A Secure TwoParty Computation System Dahlia Malkhi 1, Noam Nisan 1, Benny Pinkas 2, and Yaron Sella 1 1 The School of Computer Science and Engineering The Hebrew University of Jerusalem Email:
More information