Differential Cryptanalysis of Hash Functions: How to find Collisions?



Similar documents
Grøstl a SHA-3 candidate

How To Attack Preimage On Hash Function 2.2 With A Preimage Attack On A Pre Image

Tools in Cryptanalysis of Hash Functions

Hash Function JH and the NIST SHA3 Hash Competition

The Advanced Encryption Standard (AES)

Chapter 1 On the Secure Hash Algorithm family

The 128-bit Blockcipher CLEFIA Design Rationale

The Advanced Encryption Standard: Four Years On

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Permutation-based encryption, authentication and authenticated encryption

An Efficient Cryptographic Hash Algorithm (BSA)

Enhancing Advanced Encryption Standard S-Box Generation Based on Round Key

The First 30 Years of Cryptographic Hash Functions and the NIST SHA-3 Competition

Lecture 4 Data Encryption Standard (DES)

How to Break MD5 and Other Hash Functions

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay

Hash Function of Finalist SHA-3: Analysis Study

SHA3 WHERE WE VE BEEN WHERE WE RE GOING

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay

Length extension attack on narrow-pipe SHA-3 candidates

On the Influence of the Algebraic Degree of the Algebraic Degree of

The Advanced Encryption Standard (AES)

Split Based Encryption in Secure File Transfer

SeChat: An AES Encrypted Chat

CS 758: Cryptography / Network Security

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Chapter 11

Secret File Sharing Techniques using AES algorithm. C. Navya Latha Garima Agarwal Anila Kumar GVN

A New 128-bit Key Stream Cipher LEX

Ascon. Ch. Dobraunig 1, M. Eichlseder 1, F. Mendel 1, M. Schläffer 2. 22nd Crypto Day, Infineon, Munich. (A Submission to CAESAR)

1 Data Encryption Algorithm

On the Impact of Known-Key Attacks on Hash Functions

Unknown Plaintext Template Attacks

CIS433/533 - Computer and Network Security Cryptography

Computer Security: Principles and Practice

CSCE 465 Computer & Network Security

Application of cube attack to block and stream ciphers

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Message Authentication

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

A NEW HASH ALGORITHM: Khichidi-1

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

On Collisions for MD5

SD12 REPLACES: N19780

Authentication requirement Authentication function MAC Hash function Security of

Table of Contents. Bibliografische Informationen digitalisiert durch

Introduction to Computer Security

Cryptanalysis of Grain using Time / Memory / Data Tradeoffs

Comparison of seven SHA-3 candidates software implementations on smart cards.

Cryptography and Network Security Block Cipher

Introduction to SHA-3 and Keccak

SFLASH v3, a fast asymmetric signature scheme

BPS: a Format-Preserving Encryption Proposal

Network Security - ISA 656 Introduction to Cryptography

Cryptography and Network Security

Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT

The Stream Cipher HC-128

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper

Lightweight Block Ciphers Revisited: Cryptanalysis of Reduced Round PRESENT and HIGHT

Elliptic Curve Hash (and Sign)

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

Multi-Layered Cryptographic Processor for Network Security

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Network Security. Omer Rana

On the Key Schedule Strength of PRESENT

KALE: A High-Degree Algebraic-Resistant Variant of The Advanced Encryption Standard

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

A Comparative Study Of Two Symmetric Encryption Algorithms Across Different Platforms.

Cryptography and Network Security Chapter 12

Statistical weakness in Spritz against VMPC-R: in search for the RC4 replacement

Cryptography and Network Security Chapter 3

Enhancing the Integrity of Short Message Service (SMS) in New Generation Mobile Devices

Cryptographic Hash Functions Message Authentication Digital Signatures

FPGA IMPLEMENTATION OF AN AES PROCESSOR

Cryptography Lecture 8. Digital signatures, hash functions

A NEW DNA BASED APPROACH OF GENERATING KEY-DEPENDENT SHIFTROWS TRANSFORMATION

Serpent: A Proposal for the Advanced Encryption Standard

HASH CODE BASED SECURITY IN CLOUD COMPUTING

Transcription:

Differential Cryptanalysis of Hash Functions: How to find Collisions? Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Austria martin.schlaeffer@iaik.tugraz.at Albena 2011 Albena Hash Function Cryptanalysis I 1

Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 2

Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 3

Motivation Cryptanalysis of block ciphers: well understood Cryptanalysis of hash functions: not so much hash functions were attacked like block ciphers Attacks on MD-family by Wang et al. broke A-1 NIST A-3 competition to find a successor of A-1 to focus research on hash function cryptanalysis Albena Hash Function Cryptanalysis I 4

Cryptographic Hash Function h m h(m) Hash function h maps arbitrary length input m to n-bit output h(m) Collision Resistance (2 n/2 ) find m, m with m m and h(m) = h(m ) Second-Preimage Resistance (2 n ) given m, h(m) find m with m m and h(m) = h(m ) Preimage Resistance (2 n ) given h(m) find m Albena Hash Function Cryptanalysis I 5

Iterated Hash Function Construction M 1 M 2 M 3 M t IV w f w f w f f w g n H(m) Most hash functions use some kind of iteration compression function f output transformation g chaining value size w n Strength depends on f, g, w smaller w needs stronger f Also building blocks are analyzed Albena Hash Function Cryptanalysis I 6

Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 7

Collision Attacks m m h h h(m) = h(m ) Find two different messages which result in the same hash value: m m with h(m) = h(m ) birthday effect applies: 2 n/2 Albena Hash Function Cryptanalysis I 8

Collision Attacks (Differential View) m = m 0 m h h h h(m) h(m ) = h(m) = 0 Find two different messages which result in the same hash m, m with m 0 and h(m) = 0 Usually XOR differences are used: m = m m and h(m) = h(m) h(m ) Albena Hash Function Cryptanalysis I 9

Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 10

Differential Characteristic m 0? h how to find m, m? find differential characteristic (trail, path) determines m holds with high probability P if P > 2 n/2 : find colliding m by trying 1/P random messages with complexity < 2 n/2 h(m) = 0 Albena Hash Function Cryptanalysis I 11

Differential Characteristic m 0? h how to find m, m? find differential characteristic (trail, path) determines m holds with high probability P if P > 2 n/2 : find colliding m by trying 1/P random messages with complexity < 2 n/2 how to improve complexity of attack? h(m) = 0 how to find good differential characteristics? Albena Hash Function Cryptanalysis I 11

How to Improve Complexity of Attack? m 0 h Good characteristic for block ciphers: optimizes probability Good characteristic for hash functions optimizes probability minimizes effort to find m How to find m? no secret key involved we can choose m according to characteristic resulting equations in first steps are easy (only a small part of the message involved) reduced costs at input of characteristic h(m) = 0 Albena Hash Function Cryptanalysis I 12

How to Improve Complexity of Attack? m 0 h Good characteristic for block ciphers: optimizes probability Good characteristic for hash functions optimizes probability minimizes effort to find m How to find m? no secret key involved we can choose m according to characteristic resulting equations in first steps are easy (only a small part of the message involved) reduced costs at input of characteristic h(m) = 0 characteristic with lower probability at input to get higher probability towards end Albena Hash Function Cryptanalysis I 12

How to Find Good Differential Characteristics? block cipher based design: use characteristic of block cipher attack (also related key characteristics) by hand: MD4, MD5, A-1 (Wang et al.) (semi-) automatic tools: linearize hash function (coding tools) non-linear differential search by design: well known best characteristics Albena Hash Function Cryptanalysis I 13

Example: A-1 high probability in second part (L) linearize hash function [RO05] search for linear differential characteristic using low weight code search connect with IV in first part (NL) low probability search for non-linear characteristic [WYY05, DR06] message modification easy for first 16 steps (just invert equation) also possible for more steps ( 25) (advanced message modification) Albena Hash Function Cryptanalysis I 14

Finding Linear Characteristics Message expansion is linear Linearize modular addition by XOR no carry with probability 1/2 Linearize Boolean function by XOR holds with probability 1/2 Probabilities are given for single bit differences Albena Hash Function Cryptanalysis I 15

Finding Linear Characteristics Differences with low Hamming weight result in good probability Finding good linear characteristic corresponds to finding low-weight code word in linear code Good representation of hash function is important Open source tool to find low weight code words: http://www.iaik.tugraz.at/content/research/ krypto/codingtool/ Albena Hash Function Cryptanalysis I 16

Finding Non-Linear Characteristics [DR06] Using generalized conditions Albena Hash Function Cryptanalysis I 17

Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Albena Hash Function Cryptanalysis I 18

Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Albena Hash Function Cryptanalysis I 18

Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Add conditions to control diff. no probability needed here Albena Hash Function Cryptanalysis I 18

Finding Non-Linear Characteristics [DR06] Determine message difference and difference after step 16 using linear tool Find propagation of differences using non-linear tool Add conditions to control diff. no probability needed here Find conforming message pair message mod. until step 25 probabilistic for further steps Albena Hash Function Cryptanalysis I 18

Message Modification To improve complexity of attack in first few steps up to 25 in the case of A-1 Many dedicated techniques have been published: advanced message modifications [WYY05] equation solving [SKPI07] neutral bits [BC04] boomerang/tunnels [JP07, Kli06] greedy approach [D07] Resulting theoretical complexity for A-1: 2 63 [WYY05] implementation overhead! Albena Hash Function Cryptanalysis I 19

Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 20

The Rebound Attack [ST09] One more tool in the cryptanalysis of hash functions Invented during the cryptanalysis of Whirlpool and Grøstl AES-based designs allow a simple application of the idea Related work: truncated differentials inside-out techniques meet-in-the-middle techniques message modification... Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool,... Albena Hash Function Cryptanalysis I 21

The Rebound Attack E bw E in E fw outbound inbound outbound Applies to block-cipher and permutation based designs: E = E fw E in E bw Inbound phase efficient meet-in-the-middle phase in E in aided by available degrees of freedom Outbound phase probabilistic part in E bw and E fw repeat inbound phase if needed P = P fw P in P bw Albena Hash Function Cryptanalysis I 22

The Whirlpool Hash Function Designed by Barretto and Rijmen in 2000 [BR00] evaluated by NESSIE standardized by ISO/IEC 10118-3:2003 Iterative hash function based on the Merkle-Damgård design principle message block, chaining values, hash size: 512 bit M 1 M 2 M 3 M t IV f f f f H(m) Albena Hash Function Cryptanalysis I 23

The Whirlpool Compression Function H j 1 key schedule M j state update H j 512-bit hash value and using 512-bit message blocks Block-cipher based design (AES) Miyaguchi-Preneel mode with conservative key schedule Albena Hash Function Cryptanalysis I 24

The Whirlpool Round Transformations The state update and the key schedule update an 8 8 state S and K of 64 bytes 10 rounds each AES like round transformation r i = SubBytes ShiftColumns MixRows AddRoundKey K i S(x) + Albena Hash Function Cryptanalysis I 25

Collision Attack on Whirlpool H j 1 key schedule M j state update H j 1-block collision: fixed H j 1 (to IV ) f (M j, H j 1 ) = f (Mj, H j 1 ), M j Mj Albena Hash Function Cryptanalysis I 26

Collision Attack on Whirlpool H j 1 key schedule M j state update H j 1-block collision: fixed H j 1 (to IV ) f (M j, H j 1 ) = f (Mj, H j 1 ), M j Mj Albena Hash Function Cryptanalysis I 26

Collision Attack on 4 Rounds IV K 0 K 1 K 2 K 3 K 4 S 0 S 1 S 2 S 3 S 4 M 1 H 1 Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 8 64 8) maximum differential probability: (2 5 ) 81 = 2 405 Albena Hash Function Cryptanalysis I 27

Collision Attack on 4 Rounds IV K 0 K 1 K 2 K 3 K 4 constant S 0 S 1 S 2 S 3 S 4 M 1 H 1 Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 8 64 8) maximum differential probability: (2 5 ) 81 = 2 405 Albena Hash Function Cryptanalysis I 27

Collision Attack on 4 Rounds IV K 0 K 1 K 2 K 3 K 4 constant S 0 S 1 S 2 S 3 S 4 M 1 H 1 Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 8 64 8) maximum differential probability: (2 5 ) 81 = 2 405 How to find a message pair following the differential trail? Albena Hash Function Cryptanalysis I 27

First: Use Truncated Differences S 0 S 1 S 2 S 3 S 4 M 1 H 1 byte-wise truncated differences: active / not active we do not mind about actual differences single active byte at input and output is enough probabilistic in MixRows: 2 56 for 8 1 we can remove many restrictions (more freedom) hopefully less complexity of message search Albena Hash Function Cryptanalysis I 28

How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? Albena Hash Function Cryptanalysis I 29

How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? inside out? Albena Hash Function Cryptanalysis I 29

How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? inside out? meet in the middle? Albena Hash Function Cryptanalysis I 29

How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 M 1 H 1 message modification? inside out? meet in the middle? rebound! Albena Hash Function Cryptanalysis I 29

Rebound Attack on 4 Rounds [ST09] S 0 S 1 S 2 S 3 S 4 M 1 H 1 outbound phase inbound phase outbound phase Inbound phase (1) start with differences in round 2 and 3 (2) match-in-the-middle at S-box using values of the state Outbound phase (3) probabilistic propagation in MixRows in round 1 and 4 (4) match one-byte difference of feed-forward Albena Hash Function Cryptanalysis I 30

Inbound Phase S2 S 2 S3 S3 3a c0 e6 b9 5a 8c 08 c0 get values (1) Start with arbitrary differences in state S 3 we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31

Inbound Phase S2 S 2 S3 S3 e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b16311961e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c 1627514315de2bf8 08 4d349690f1f8075e c0 get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31

Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b16311961e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c 1627514315de2bf8 08 4d349690f1f8075e c0 differences get values differences (1) Start with arbitrary differences in state S3 linearly propagate all differences backward to S3 linearly propagate row-wise forward from S2 to S 2 we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31

Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6? a2b16311961e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c 1627514315de2bf8 08 4d349690f1f8075e c0 differences match differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate row-wise forward from S 2 to S 2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2 xx we get 2 xx solutions for each row we get 2 64 right pairs with complexity 2 8 Albena Hash Function Cryptanalysis I 31

Difference Distribution Table (Whirlpool) in \ out 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 01 0 6 2 0 0 6 2 0 0 0 4 0 0 0 0 0 02 0 0 0 0 0 0 0 2 0 0 0 0 4 0 0 0 03 0 2 2 0 2 2 0 0 2 0 0 0 0 0 0 2 04 0 0 2 2 0 4 0 0 0 2 2 2 2 0 2 0 05 0 0 0 0 0 2 0 2 0 0 0 0 0 0 4 2 06. 4 0 2 0 0 2 0 0 2 6 2 4 0 2 2 0. 07. 0 2 2 0 0 2 0 0 4 0 2 0 2 0 2 0. 08. 0 0 0 0 2 2 2 0 0 0 0 2 2 4 4 0. 09 8 0 0 0 2 4 2 2 0 0 0 0 0 2 0 2 0a 0 0 0 0 2 0 2 0 2 0 2 0 0 0 0 0 0b 8 2 2 2 2 0 0 0 0 2 2 2 2 2 0 4 0c 0 2 2 0 0 0 0 4 0 2 2 0 0 2 4 2 0d 0 2 2 0 0 2 4 4 0 0 2 2 0 0 0 2 0e 4 0 4 2 0 0 0 0 2 0 2 0 4 2 0 0 0f 0 2 0 0 0 2 0 0 0 0 0 0 2 0 2 2... Albena Hash Function Cryptanalysis I 32

Match-in-the-Middle for Single S-box a Sbox b Check for matching input/output differences Using Difference Distribution Table (DDT) Sbox(x) Sbox(x a) = b Solve equation for all x and count the number of solutions: 25880/65025 entries (with a, b 0) in DDT are nonzero match with probability 0.398 we get either 2, 4, 6 or 8 values 65280 values for 25880 possible differentials 2.522 values (right pairs) on average Albena Hash Function Cryptanalysis I 33

Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6? a2b16311961e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c 1627514315de2bf8 08 4d349690f1f8075e c0 differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate row-wise forward from S 2 to S 2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) Albena Hash Function Cryptanalysis I 34

Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b16311961e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c 1627514315de2bf8 08 4d349690f1f8075e c0 differences match differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate row-wise forward from S 2 to S 2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2 10.6 we get 2 10.7 solutions for each row Albena Hash Function Cryptanalysis I 34

Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b16311961e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c 1627514315de2bf8 08 4d349690f1f8075e c0 differences match differences get values differences (1) Start with arbitrary differences in state S 3 linearly propagate all differences backward to S 3 linearly propagate row-wise forward from S 2 to S 2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2 10.6 we get 2 10.7 solutions for each row we get 2 8 10.7 right pairs with complexity < 2 16 Albena Hash Function Cryptanalysis I 34

Outbound Phase S 0 S 1 S 2 S 3 S 4 outbound inbound 2 56 average 1 outbound 2 56 (3) Propagate through MixRows of round 1 and round 4 using truncated differences (active bytes: 8 1) probability: 2 56 in each direction (4) Match difference in one active byte of feed-forward (2 8 ) collision for 4 rounds of Whirlpool with complexity 2 120 Albena Hash Function Cryptanalysis I 35

Extending the Attack to 5 Rounds [L + 09] S 0 S 1 S 2 S 3 S 4 S 5 outbound 2 56 inbound average 1 outbound 2 56 By adding one round in the inbound phase of the attack we can extend the attack to 5 rounds The outbound phase is identical to the attack on 4 rounds probability: 2 120 Construct 2 120 starting points in the inbound phase with average complexity 1 Albena Hash Function Cryptanalysis I 36

Inbound Phase ee match S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b16311961e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c 1627514315de2bf8 08 4d349690f1f8075e c0 differences match differences differences 2 64 differences (1) Start with arbitrary differences in state S 3 and S 3 (2) Match-in-the-middle at SuperBox ( ) similar to 64-bit S-box (DDT has size 2 128 ) Albena Hash Function Cryptanalysis I 37

Inbound Phase ee match S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b16311961e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c 1627514315de2bf8 08 4d349690f1f8075e c0 differences match differences differences 2 64 values/differences 2 64 differences (1) Start with arbitrary differences in state S3 and S3 we need to propagate all 2 64 differences backward at once (2) Match-in-the-middle at SuperBox ( ) similar to 64-bit S-box (DDT has size 2 128 ) time-memory trade-off with time/memory 2 64 Albena Hash Function Cryptanalysis I 37

Inbound Phase ee S2 S 2 S3 S3 eeee9fee2371c1cd e8f490d4751b5ecd 3a 8550cc6d9a4943c5 c0 0dcc010a7043e927 e6 a2b16311961e4d04 b9 b16020f41ecdbf10 5a f8ed85b7435ad5fc 8c 1627514315de2bf8 08 4d349690f1f8075e c0 differences match differences differences 2 64 values/differences 2 64 differences (1) Start with arbitrary differences in state S3 and S3 we need to propagate all 2 64 differences backward at once (2) Match-in-the-middle at SuperBox ( ) similar to 64-bit S-box (DDT has size 2 128 ) time-memory trade-off with time/memory 2 64 with complexity 2 64 we get at least 2 64 pairs Albena Hash Function Cryptanalysis I 37

From Collisions to Near-Collisions S 0 S 1 S 2 S 3 S 4 S 5 S 6 S 7 1 2 56 average 1 2 56 1 Add one round at input and output no additional complexity MixRows: 1 8 with probability 1 Near-collision attack for 7 rounds time complexity 2 112 and 2 64 memory Albena Hash Function Cryptanalysis I 38

Compression Function Attacks H j 1 key schedule M j state update H j We can freely choose the chaining input H j 1 no differences in H j 1 semi-free-start (near-) collisions Extend previous attacks by 2 rounds using multiple inbound phases Outbound phases of attacks stay the same Albena Hash Function Cryptanalysis I 39

Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 Idea: use two independent inbound phases Albena Hash Function Cryptanalysis I 40

Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase Idea: use two independent inbound phases Albena Hash Function Cryptanalysis I 40

Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase 2nd inbound phase Idea: use two independent inbound phases Albena Hash Function Cryptanalysis I 40

Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase connect 2nd inbound phase Idea: use two independent inbound phases connect them using 512-bit freedom of key input (S 3 = S 2 K 3 ) Albena Hash Function Cryptanalysis I 40

Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase connect 2nd inbound phase Idea: use two independent inbound phases connect them using 512-bit freedom of key input (S 3 = S 2 K 3 ) A bit more tricky than that (3 key inputs involved) connect rows independently find 2 64 solutions with complexity 2 128 Albena Hash Function Cryptanalysis I 40

Inbound Phase S 0 S 1 S 2 S 3 S 4 S 5 1st inbound phase connect 2nd inbound phase Idea: use two independent inbound phases connect them using 512-bit freedom of key input (S 3 = S 2 K 3 ) A bit more tricky than that (3 key inputs involved) connect rows independently find 2 64 solutions with complexity 2 128 Collision on 7 and near-collision on 9 rounds Albena Hash Function Cryptanalysis I 40

Summary of Results on Whirlpool target rounds computational memory complexity requirements type hash 5 2 184 s 2 s collision function 7 2 176 s 2 s near-collision 7 2 compression 2 64 collision 9 2 function 2 64 near-collision Albena Hash Function Cryptanalysis I 41

Summary of Results on Whirlpool target rounds computational memory complexity requirements type hash 5.5 2 184 s 2 s collision function 7.5 2 176 s 2 s near-collision 7.5 2 compression 2 64 collision 9.5 2 function 2 64 near-collision Albena Hash Function Cryptanalysis I 41

Summary of Results on Whirlpool target rounds computational memory complexity requirements type hash 5.5 2 184 s 2 s collision function 7.5 2 176 s 2 s near-collision 7.5 2 compression 2 64 collision 9.5 2 function 2 64 near-collision 10 2 188 2 64 distinguisher Albena Hash Function Cryptanalysis I 41

Open Problems H j 1 key schedule M j state update H j Using differences also in the chaining input Combination of: related-key attacks on block ciphers local collisions rebound attack Albena Hash Function Cryptanalysis I 42

The A-3 Candidate Grøstl [GKM + 11] M i Q H i 1 P H i A-3 finalist AES-based hash function Permutation based design Designed by DTU (Denmark) and TU Graz (Austria) Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, Søren S. Thomsen Albena Hash Function Cryptanalysis I 43

Permutations P and Q of Grøstl Q: AddRoundConstant ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fieidicibiai9i8i SubBytes S ShiftRows MixColumns P: 0i1i2i3i4i5i6i7i S AES like round transformations 8 8 state and 10 rounds for Grøstl-256 8 16 state and 14 rounds for Grøstl-512 Based on design principles of AES not using AES as a direct building block better diffusion, wider trails Albena Hash Function Cryptanalysis I 44

The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8 1 2 56 average 1 2 56 1 1 1) Construct optimal truncated differential path by hand, well-known how to find right pairs? Albena Hash Function Cryptanalysis I 45

The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8 1 2 56 average 1 2 56 1 1 1) Construct optimal truncated differential path by hand, well-known how to find right pairs? 2) Inbound phase three rounds with average complexity 1 using SuperBox time-memory trade-offs Albena Hash Function Cryptanalysis I 45

The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8 1 2 56 average 1 2 56 1 1 1) Construct optimal truncated differential path by hand, well-known how to find right pairs? 2) Inbound phase three rounds with average complexity 1 using SuperBox time-memory trade-offs 3) Outbound phase high probability for sparse paths Albena Hash Function Cryptanalysis I 45

The Rebound Attack on Grøstl P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8 1 2 56 average 1 2 56 1 1 1) Construct optimal truncated differential path by hand, well-known how to find right pairs? 2) Inbound phase three rounds with average complexity 1 using SuperBox time-memory trade-offs 3) Outbound phase high probability for sparse paths find solutions with complexity 2 112 and 2 64 memory Albena Hash Function Cryptanalysis I 45

Relatively Simple Analysis of Grøstl M 1 Q 0 Q 1 Q 2 Q 3 average 1 2 56 2 8 IV P 0 P 1 P 2 P 3 H 1 Easy to construct truncated differential paths optimal use of available freedom (message) Results for Grøstl-256, Grøstl-512 hash function collisions for 3 rounds (of 10,14) compression function collisions for 6 rounds (of 10,14) Albena Hash Function Cryptanalysis I 46

Summary for Rebound Attack on Grøstl Lots of cryptanalysis (mostly on Grøstl-0) [MPRS09, Pey10, SLW + 10, ST09, ST10, ITP10] No multiple inbound phases possible No key-schedule input (no related-key attacks) Provable resistance against standard differential attacks Using (powerful) truncated differentials still only 3 out of 10 rounds can be attacked Albena Hash Function Cryptanalysis I 47

Summary of Rebound Attacks Basic principle not that difficult efficient inbound phase probabilistic outbound phase Difficulty in constructing and merging inbound phases finding good and sparse truncated differential paths efficient way to use available freedom for merge Albena Hash Function Cryptanalysis I 48

Other Rebound Attacks ECHO: big state but rather sparse truncated differential paths JH: 4-bit S-boxes, multiple inbound phases Lane: 2x inbound for Lane-256, 3x inbound for LANE-512 Luffa: 4-bit S-boxes, find differential path first, then values Skein: rotational rebound attack http://ehash.iaik.tugraz.at/wiki/the_a-3_zoo Albena Hash Function Cryptanalysis I 49

Outline 1 Motivation 2 Collision Attacks 3 Differential Cryptanalysis of Hash Functions Application to A-1 4 The Rebound Attack Application to Whirlpool Application to Grøstl 5 Conclusion Albena Hash Function Cryptanalysis I 50

More Freedom in Attacking Hash Functions... than in attacks on block ciphers AES-based designs (Whirlpool Grøstl): 3 rounds in the middle with (average) complexity 1 1.5 rounds at the beginning ARX-based designs (A-1): up to 25 steps at the beginning with message modification Albena Hash Function Cryptanalysis I 51

Conclusion Differential cryptanalysis powerful tool in analyzing hash functions many hash functions broken using DC sparse (truncated) differential characteristics needed AES based designs: best truncated differential path can be used (with small modifications) rebound attack to find differences and values simultaneously ARX based designs: unknown if good characteristics exist (semi-)automatic tools needed (linear,nonlinear) still some work to do for ARX based A-3 finalists Albena Hash Function Cryptanalysis I 52

Thank you for your Attention! Questions? Albena Hash Function Cryptanalysis I 53

References I [BC04] [BR00] [D07] Eli Biham and Rafi Chen. Near-Collisions of A-0. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of LNCS, pages 290 305. Springer, 2004. Paulo S. L. M. Barreto and Vincent Rijmen. The WHIRLPOOL Hashing Function. Submitted to NESSIE, September 2000, revised May 2003, 2000. Available online: http://www.larc.usp.br/~pbarreto/whirlpoolpage.html. Christophe De Cannière, Florian Mendel, and Christian Rechberger. Collisions for 70-Step A-1: On the Full Cost of Collision Search. In Carlisle M. Adams, Ali Miri, and Michael J. Wiener, editors, Selected Areas in Cryptography, volume 4876 of LNCS, pages 56 73. Springer, 2007. Albena Hash Function Cryptanalysis I 54

References II [DR06] [GKM + 11] [ITP10] Christophe De Cannière and Christian Rechberger. Finding A-1 Characteristics: General Results and Applications. In Xuejia Lai and Kefei Chen, editors, ASIRYPT, volume 4284 of LNCS, pages 1 20. Springer, 2006. Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl a A-3 candidate. Submission to NIST (Round 3), January 2011. Available online: http://csrc.nist.gov/groups/st/hash/sha-3/ Round3/submissions_rnd3.html. Kota Ideguchi, Elmar Tischhauser, and Bart Preneel. Improved Collision Attacks on the Reduced-Round Grøstl Hash Function. In Mike Burmester, Gene Tsudik, Spyros S. Magliveras, and Ivana Ilic, editors, I, volume 6531 of LNCS, pages 1 16. Springer, 2010. Albena Hash Function Cryptanalysis I 55

References III [JF11] [JP07] [Kli06] Jérémy Jean and Pierre-Alain Fouque. Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function. In Fast Software Encryption, 2011. To appear. Antoine Joux and Thomas Peyrin. Hash Functions and the (Amplified) Boomerang Attack. In Alfred Menezes, editor, CRYPTO, volume 4622 of LNCS, pages 244 263. Springer, 2007. Vlastimil Klima. Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology eprint Archive, Report 2006/105, 2006. http://eprint.iacr.org/. Albena Hash Function Cryptanalysis I 56

References IV [KNPRS10] [L + 09] Dmitry Khovratovich, María Naya-Plasencia, Andrea Röck, and Martin Schläffer. Cryptanalysis of Luffa v2 Components. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages 388 409. Springer, 2010. Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, and Martin Schläffer. Rebound Distinguishers: Results on the Full Whirlpool Compression Function. In Mitsuru Matsui, editor, ASIRYPT, volume 5912 of LNCS, pages 126 143. Springer, 2009. [MNPN + 09] Krystian Matusiewicz, María Naya-Plasencia, Ivica Nikolić, Yu Sasaki, and Martin Schläffer. Rebound Attack on the Full Lane Compression Function. In Mitsuru Matsui, editor, ASIRYPT, volume 5912 of LNCS, pages 106 125. Springer, 2009. Albena Hash Function Cryptanalysis I 57

References V [MPRS09] [S09] Florian Mendel, Thomas Peyrin, Christian Rechberger, and Martin Schläffer. Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages 16 35. Springer, 2009. Florian Mendel, Christian Rechberger, and Martin Schläffer. Cryptanalysis of Twister. In Michel Abdalla, David Pointcheval, Pierre-Alain Fouque, and Damien Vergnaud, editors, NS, volume 5536 of LNCS, pages 342 353, 2009. [ST09] Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, FSE, volume 5665 of LNCS, pages 260 276. Springer, 2009. Albena Hash Function Cryptanalysis I 58

References VI [ST10] Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Rebound Attacks on the Reduced Grøstl Hash Function. In Josef Pieprzyk, editor, CT-RSA, volume 5985 of LNCS, pages 350 365. Springer, 2010. [Pey10] [RO05] Thomas Peyrin. Improved Differential Attacks for ECHO and Grøstl. In Tal Rabin, editor, CRYPTO, volume 6223 of LNCS, pages 370 392. Springer, 2010. Vincent Rijmen and Elisabeth Oswald. Update on A-1. In Alfred Menezes, editor, CT-RSA, volume 3376 of LNCS, pages 58 71. Springer, 2005. Albena Hash Function Cryptanalysis I 59

References VII [Sch10] [SKPI07] [SLW + 10] Martin Schläffer. Subspace Distinguisher for 5/8 Rounds of the ECHO-256 Hash Function. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages 369 387. Springer, 2010. Makoto Sugita, Mitsuru Kawazoe, Ludovic Perret, and Hideki Imai. Algebraic Cryptanalysis of 58-Round A-1. In Alex Biryukov, editor, FSE, volume 4593 of LNCS, pages 349 365. Springer, 2007. Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, and Kazuo Ohta. Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl. In Masayuki Abe, editor, ASIRYPT, volume 6477 of LNCS, pages 38 55. Springer, 2010. Albena Hash Function Cryptanalysis I 60

References VIII [WFW09] [WYY05] Shuang Wu, Dengguo Feng, and Wenling Wu. Cryptanalysis of the LANE Hash Function. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages 126 140. Springer, 2009. Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full A-1. In Victor Shoup, editor, CRYPTO, volume 3621 of LNCS, pages 17 36. Springer, 2005. Albena Hash Function Cryptanalysis I 61

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information