Analysis of the Kupyna-256 Hash Function
Christoph Dobraunig, Maria Eichlseder, Florian Mendel
FSE 2016
www.iaik.tugraz.at

The Kupyna Hash Function

Ukrainian standard DSTU 7564:2014 [Oli+15; Олi+15a]

[Figure: iterated construction. Message blocks $M_1, M_2, \dots, M_t$ and the IV are processed by the compression function $F$ on a $2n$-bit chaining value, followed by the output transformation $\Omega$, which yields the $n$-bit hash; $n \in \{256, 512\}$.]

[Figure: compression function mapping $H_{i-1}$ and $M_i$ to $H_i$ through the $2n$-bit permutations $T^+$ and $T^\oplus$.]

- Permutation-based design
- AES-like round transformations
- Similar to Grøstl
- Modular additions inside

The Kupyna-256 Round Transformations

- Kupyna-512: 8 × 16 state, 14 rounds
- Kupyna-256: 8 × 8 state, 10 rounds: AddConstant, SubBytes, ShiftBytes, MixBytes

[Figure: one round applied to the 8 × 8 state, with the round-constant matrices of $T^+$ (modular addition) and $T^\oplus$ (XOR) and the S-box layer $S$.]

$R_i = MB \circ RB \circ SB \circ AC$

Modular Constant Addition

- Prevent same trails for $T^+$, $T^\oplus$
- Grøstl instead has different rotation constants
- Destroys byte-alignment & MDS property
- Branch number of $T^+$ reduced from 9 to ≤ 6:

$X_1: (\mathtt{00\ 00\ 00\ 00\ 00\ 00\ 00\ 00})^\top \xmapsto{MB} (\mathtt{00\ 00\ 00\ 00\ 00\ 00\ 00\ 00})^\top \xmapsto{AC} (\mathtt{F3\ F0\ F0\ F0\ F0\ F0\ F0\ 70})^\top$
$X_2: (\mathtt{00\ 00\ 00\ 00\ 00\ 00\ 00\ FF})^\top \xmapsto{MB} (\mathtt{DB\ C7\ 38\ AB\ FF\ 24\ FF\ FF})^\top \xmapsto{AC} (\mathtt{CE\ B8\ 29\ 9C\ F0\ 15\ F0\ 70})^\top$
$\Delta: (\mathtt{00\ 00\ 00\ 00\ 00\ 00\ 00\ FF})^\top \xmapsto{MB} (\mathtt{DB\ C7\ 38\ AB\ FF\ 24\ FF\ FF})^\top \xmapsto{AC} (\mathtt{3D\ 48\ D9\ 6C\ 00\ E5\ 00\ 00})^\top$

The Rebound Attack [Men+09]

[Figure: the cipher split into $E_{bw}$, $E_{in}$, $E_{fw}$, labelled outbound, inbound, outbound.]

- Inbound phase
  - Efficient match-in-the-middle phase in $E_{in}$
  - Using available degrees of freedom
- Outbound phase
  - Probabilistic part in $E_{bw}$ and $E_{fw}$
  - Repeat inbound phase if needed

Attack on the Compression Function

Basic Attack Strategy

[Figure: compression function with a difference $\Delta$ in $M_i$ passing through $T^+$ and $T^\oplus$.]

- Semi-free-start collision: $F(H_{i-1}, M_i) = F(H_{i-1}, M_i^*)$, $M_i \neq M_i^*$
- Arbitrary $H_{i-1}$

Rebound Attack on 6 Rounds

- Similar to [Men+10]
- Same truncated differential trail in both permutations $T^\oplus$ and $T^+$:

$8 \xrightarrow{R_1} 8 \xrightarrow{R_2} 64 \xrightarrow{R_3} 64 \xrightarrow{R_4} 8 \xrightarrow{R_5} 8 \xrightarrow{R_6} 64$

[Figure: six rounds of AC, SB, RB, MB in both permutations, from $M_1$ and $H_0$ to $H_1$, divided into outbound, inbound and outbound parts.]

Inbound Phase for $T^\oplus$

Similar to [Men+10]

[Figure: state differences propagating from rounds 2 and 4 through SB, RB, MB and AC to a match in the middle.]

1. Start with arbitrary differences in round 2 and 4
2. Match-in-the-middle at SuperBox (SB − MB − AC − SB)
   - ≈ 1 right pair with complexity $2^{64}$
   - Time-memory trade-off with $T \cdot M = 2^{128}$ with $T \geq 2^{64}$
   - $\Rightarrow 2^{64}$ solutions with complexity of $2^{64}$ (amortized cost 1)

Inbound Phase for $T^+$

AddConstant complicates analysis

[Figure: the same propagation of differences towards a match in the middle, for $T^+$.]

1'. Start with arbitrary differences in round 2 and 4
2'. Match-in-the-middle (AC − RB − SB − MB − AC − SB)
   - AC creates dependences between SuperBoxes → fix carry!
   - Byte 0: $X + \mathtt{F3} > \mathtt{FF}$ → 243 solutions → 230.6 valid pairs avg.
   - $\Rightarrow 2^{54.4}$ solutions with complexity of $2^{63.4}$
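
The branch-number example on the Modular Constant Addition slide can be recomputed directly; the following is an added example, not code from the slides or from the Kupyna authors. It assumes MixBytes is the circulant matrix with first row (01 01 05 01 08 06 07 04) over GF(2^8) with reduction polynomial 0x11D, and that AddConstant in T+ adds the column constant as a little-endian 64-bit integer; neither detail is stated on the slides, and all function names are illustrative.

```python
# Added example: recompute the X1 / X2 / delta columns shown on the slide.
POLY = 0x11D                                             # assumed reduction polynomial
ROW = (0x01, 0x01, 0x05, 0x01, 0x08, 0x06, 0x07, 0x04)   # assumed circulant MixBytes row
CONST = bytes.fromhex("F3F0F0F0F0F0F070")                # column constant as on the slide

def gmul(a, b):
    """Multiply a and b in GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def mix_bytes(col):
    """MB on one 8-byte column: out[i] = XOR over j of ROW[(j - i) mod 8] * col[j]."""
    out = []
    for i in range(8):
        acc = 0
        for j in range(8):
            acc ^= gmul(ROW[(j - i) % 8], col[j])
        out.append(acc)
    return bytes(out)

def add_constant_plus(col):
    """AC of T+: add CONST to the column as a little-endian 64-bit integer."""
    s = (int.from_bytes(col, "little") + int.from_bytes(CONST, "little")) % 2**64
    return s.to_bytes(8, "little")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def active(col):
    """Number of non-zero (active) bytes in a difference column."""
    return sum(1 for b in col if b)

def branch_witness(x1, x2):
    """Return (input diff, diff after MB, diff after MB then AC) for a pair."""
    m1, m2 = mix_bytes(x1), mix_bytes(x2)
    return xor(x1, x2), xor(m1, m2), xor(add_constant_plus(m1), add_constant_plus(m2))

if __name__ == "__main__":
    d_in, d_mb, d_ac = branch_witness(bytes(8), bytes.fromhex("00000000000000FF"))
    for name, d in (("in", d_in), ("MB", d_mb), ("MB+AC", d_ac)):
        print(f"{name:6s} {d.hex(' ').upper()}  active={active(d)}")
    print("active in + out, MB only:", active(d_in) + active(d_mb))
    print("active in + out, MB + AC:", active(d_in) + active(d_ac))
```

The carry chain of the modular addition cancels the difference in three output bytes, so this pair has 1 + 5 = 6 active bytes across MB followed by AC, against 1 + 8 = 9 across MB alone.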