DOCSLIB.ORG

Improved Rebound Attack on the Finalist Grøstl

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Improved Rebound Attack on the Finalist Grøstl Improved Rebound Attack on the Finalist Grøstl Jérémy Jean1 María Naya-Plasencia2 Thomas Peyrin3 1École Normale Supérieure, France 2University of Versailles, France 3Nanyang Technological University, Singapore RAIM’2012 – June 21, 2012 (published in FSE’2012) Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Hash Functions H: hash function (e.g.: MD5, SHA-1,...) H 50697fb42e88f27b0d19b625b18ae016 Security Notions Preimage resistance Collision resistance Second-Preimage resistance Distinguisher from Random Oracle RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 2/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 64 submissions received; 51 entered first round (Dec. 9, 2008): Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 14 entered second round (July 24, 2009): Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 5 entered the final (Dec. 9, 2010): Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. In 2012: the winner will be chosen. Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl hash function H I H takes input m of any length Compression Function f I Difficult to handle mn h Use fixed-size input f function f n I hn−1 I Split m into chunks m = m1jjm2jj · · · Mode of Operation m = m1 m2 m3 m4 f f f f Ω h0 = IV H(m) h1 h2 h3 h4 RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 4/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Compression Function (CF): f Grøstl-v0 [Knudsen et al. 08] has been tweaked for the final: I Grøstl-256: jhj = jmj=512 bits. I Grøstl-512: jhj = jmj=1024 bits. h P h0 m Q RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 5/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Internal Permutations Permutations P and Q apply the wide-trail strategy from the AES. I Grøstl-256: 10 rounds on state a 8 × 8. I Grøstl-512: 14 rounds on state a 8 × 16. AddRoundConstant SubBytes ShiftBytes MixBytes Tweak: constants in ARC and ShB changed to introduce asymmetry between P and Q RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 6/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Finalization Round Ω Once all blocks of message have been treated: truncation. hi−1 P h h is the hash value the input message RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 7/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl: Best Analysis After the Tweak I Grøstl-256: • [Sasaki et al A10]: 8-round permutation distinguisher. • [Gilbert et al. FSE10]: 8-round CF distinguisher. • [Boura et al. FSE11]: 10-round zero-sum. I Grøstl-512 • [Schläffer 2011]: 6-round collision on the CF. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 8/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Our New Results 1/2 [Jean et al. FSE12] I Based on the rebound technique [Mendel et al. FSE09]. I Based on a way of finding solutions for three consecutive full active rounds: new. I They apply both to 256 and 512 versions. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 9/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Our New Results 2/2 [Jean et al. FSE12] I On Grøstl-256, we provide distinguishers for 9 rounds of the permutation (total: 10). I On Grøstl-512, we provide distinguishers for 8, 9 and 10 rounds of the permutation (total: 14). RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 10/30 Outbound Inbound Outbound Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Rebound Attack Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 11/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Rebound Attack Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB Outbound Inbound Outbound RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 11/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SuperSBox Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB SuperSBox = SB ◦ MC ◦ SB RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 12/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Limited Birthday Distinguisher [Gilbert et Peyrin FSE2010] Limited Birthday What is the generic complexity for mapping i fixed-difference bits to j fixed-difference bits with a random n-bit permutation π? WLOG, we assume: i ≤ j. n n − i π n − j j Time complexity if j ≤ 2(n − i), then time complexity is 2j=2. if j > 2(n − i), then time complexity is 2i+j−n. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 13/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl-256 Permutation RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 14/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Differential Characteristic for 9 rounds Mb Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB SB RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 15/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S3 S4 S5 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 16/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S3 S4 S5 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 16/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S3 S4 S5 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb RAIM’2012 – J.
Load more

Recommended publications
  • Indifferentiable Authenticated Encryption
    Indifferentiable Authenticated Encryption Manuel Barbosa1 and Pooya Farshim2;3 1 INESC TEC and FC University of Porto, Porto, Portugal [email protected] 2 DI/ENS, CNRS, PSL University, Paris, France 3 Inria, Paris, France [email protected] Abstract. We study Authenticated Encryption with Associated Data (AEAD) from the viewpoint of composition in arbitrary (single-stage) environments. We use the indifferentiability framework to formalize the intuition that a \good" AEAD scheme should have random ciphertexts subject to decryptability. Within this framework, we can then apply the indifferentiability composition theorem to show that such schemes offer extra safeguards wherever the relevant security properties are not known, or cannot be predicted in advance, as in general-purpose crypto libraries and standards. We show, on the negative side, that generic composition (in many of its configurations) and well-known classical and recent schemes fail to achieve indifferentiability. On the positive side, we give a provably indifferentiable Feistel-based construction, which reduces the round complexity from at least 6, needed for blockciphers, to only 3 for encryption. This result is not too far off the theoretical optimum as we give a lower bound that rules out the indifferentiability of any construction with less than 2 rounds. Keywords. Authenticated encryption, indifferentiability, composition, Feistel, lower bound, CAESAR. 1 Introduction Authenticated Encryption with Associated Data (AEAD) [54,10] is a funda- mental building block in cryptographic protocols, notably those enabling secure communication over untrusted networks. The syntax, security, and constructions of AEAD have been studied in numerous works. Recent, ongoing standardization processes, such as the CAESAR competition [14] and TLS 1.3, have revived interest in this direction.
    [Show full text]
  • Nasha, Cubehash, SWIFFTX, Skein
    6.857 Homework Problem Set 1 # 1-3 - Open Source Security Model Aleksandar Zlateski Ranko Sredojevic Sarah Cheng March 12, 2009 NaSHA NaSHA was a fairly well-documented submission. Too bad that a collision has already been found. Here are the security properties that they have addressed in their submission: • Pseudorandomness. The paper does not address pseudorandomness directly, though they did show proof of a fairly fast avalanching effect (page 19). Not quite sure if that is related to pseudorandomness, however. • First and second preimage resistance. On page 17, it references a separate document provided in the submission. The proofs are given in the file Part2B4.pdf. The proof that its main transfunction is one-way can be found on pages 5-6. • Collision resistance. Same as previous; noted on page 17 of the main document, proof given in Part2B4.pdf. • Resistance to linear and differential attacks. Not referenced in the main paper, but Part2B5.pdf attempts to provide some justification for this. • Resistance to length extension attacks. Proof of this is given on pages 4-5 of Part2B4.pdf. We should also note that a collision in the n = 384 and n = 512 versions of the hash function. It was claimed that the best attack would be a birthday attack, whereas a collision was able to be produced within 2128 steps. CubeHash According to the author, CubeHash is a very simple cryptographic hash function. The submission does not include almost any of the security details, and for the ones that are included the analysis is very poor. But, for the sake of making this PSet more interesting we will cite some of the authors comments on different security issues.
    [Show full text]
  • Rebound Attack
    Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline 1 Motivation 2 Whirlpool Hash Function 3 Application of the Rebound Attack 4 Summary SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack Ebw Ein Efw inbound outbound outbound Applies to block cipher and permutation based
    [Show full text]
  • The Hitchhiker's Guide to the SHA-3 Competition
    History First Second Third The Hitchhiker’s Guide to the SHA-3 Competition Orr Dunkelman Computer Science Department 20 June, 2012 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 1/ 33 History First Second Third Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 2/ 33 History First Second Third History Sad Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 3/ 33 History First Second Third History Sad A(n Extremely) Short History of Hash Functions 1976 Diffie and Hellman suggest to use hash functions to make digital signatures shorter. 1979 Salted passwords for UNIX (Morris and Thompson). 1983/4 Davies/Meyer introduce Davies-Meyer. 1986 Fiat and Shamir use random oracles. 1989 Merkle and Damg˚ard present the Merkle-Damg˚ard hash function.
    [Show full text]
  • NISTIR 7620 Status Report on the First Round of the SHA-3
    NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NISTIR 7620: Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
    [Show full text]
  • Master Thesis Proposal Continuation of the Security Proofs of the MD6 Hash Function Mode of Operation
    Master Thesis Proposal Continuation of the Security Proofs of the MD6 Hash Function Mode of Operation By Ahmed Mohamed Ezzat American University in Cairo Contents CHAPTER 1 ...........................................................................................................................................3 INTRODUCTION .....................................................................................................................................3 Background.....................................................................................................................................3 Hash function properties.................................................................................................................4 Mode of Operation..........................................................................................................................5 Iterative Modes of Operation..........................................................................................................5 NIST SHA-3 Competition................................................................................................................7 CHAPTER 2 ...........................................................................................................................................9 PRELIMINARIES ....................................................................................................................................9 The MD6 Cryptographic Hash Function ........................................................................................9
    [Show full text]
  • Finding Bugs in Cryptographic Hash Function Implementations Nicky Mouha, Mohammad S Raunak, D
    1 Finding Bugs in Cryptographic Hash Function Implementations Nicky Mouha, Mohammad S Raunak, D. Richard Kuhn, and Raghu Kacker Abstract—Cryptographic hash functions are security-critical on the SHA-2 family, these hash functions are in the same algorithms with many practical applications, notably in digital general family, and could potentially be attacked with similar signatures. Developing an approach to test them can be par- techniques. ticularly diffcult, and bugs can remain unnoticed for many years. We revisit the NIST hash function competition, which was In 2007, the National Institute of Standards and Technology used to develop the SHA-3 standard, and apply a new testing (NIST) released a Call for Submissions [4] to develop the new strategy to all available reference implementations. Motivated SHA-3 standard through a public competition. The intention by the cryptographic properties that a hash function should was to specify an unclassifed, publicly disclosed algorithm, to satisfy, we develop four tests. The Bit-Contribution Test checks be available worldwide without royalties or other intellectual if changes in the message affect the hash value, and the Bit- Exclusion Test checks that changes beyond the last message bit property restrictions. To allow the direct substitution of the leave the hash value unchanged. We develop the Update Test SHA-2 family of algorithms, the SHA-3 submissions were to verify that messages are processed correctly in chunks, and required to provide the same four message digest lengths. then use combinatorial testing methods to reduce the test set size Chosen through a rigorous open process that spanned eight by several orders of magnitude while retaining the same fault- years, SHA-3 became the frst hash function standard that detection capability.
    [Show full text]
  • Grøstl – a SHA-3 Candidate
    Cryptographic hash functions NIST SHA-3 Competition Grøstl Grøstl – a SHA-3 candidate Krystian Matusiewicz Wroclaw University of Technology CECC 2010, June 12, 2010 Krystian Matusiewicz Grøstl – a SHA-3 candidate 1 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Talk outline ◮ Cryptographic hash functions ◮ NIST SHA-3 Competition ◮ Grøstl Krystian Matusiewicz Grøstl – a SHA-3 candidate 2 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Cryptographic hash functions Krystian Matusiewicz Grøstl – a SHA-3 candidate 3 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Cryptographic hash functions: why? ◮ We want to have a short, fixed length “fingerprint” of any piece of data ◮ Different fingerprints – certainly different data ◮ Identical fingerprints – most likely the same data ◮ No one can get any information about the data from the fingerprint Krystian Matusiewicz Grøstl – a SHA-3 candidate 4 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Krystian Matusiewicz Grøstl – a SHA-3 candidate 5 / 26 Cryptographic hash functions NIST SHA-3 Competition Grøstl Random Oracle Construction: ◮ Box with memory ◮ On a new query: pick randomly and uniformly the answer, remember it and return the result ◮ On a repeating query, repeat the answer (function) Properties: ◮ No information about the data ◮ To find a preimage:
    [Show full text]
  • Attacks on and Advances in Secure Hash Algorithms
    IAENG International Journal of Computer Science, 43:3, IJCS_43_3_08 ______________________________________________________________________________________ Attacks on and Advances in Secure Hash Algorithms Neha Kishore, Member IAENG, and Bhanu Kapoor service but is a collection of various services. These services Abstract— In today’s information-based society, encryption include: authentication, access control, data confidentiality, along with the techniques for authentication and integrity are non-repudiation, and data integrity[1]. A system has to key to the security of information. Cryptographic hashing ensure one or more of these depending upon the security algorithms, such as the Secure Hashing Algorithms (SHA), are an integral part of the solution to the information security requirements for a particular system. For example, in problem. This paper presents the state of art hashing addition to the encryption of the data, we may also need algorithms including the security challenges for these hashing authentication and data integrity checks for most of the algorithms. It also covers the latest research on parallel situations in the dynamic context [2]. The development of implementations of these cryptographic algorithms. We present cryptographic hashing algorithms, to ensure authentication an analysis of serial and parallel implementations of these and data integrity services as part of ensuring information algorithms, both in hardware and in software, including an analysis of the performance and the level of protection offered security, has been an active area of research. against attacks on the algorithms. For ensuring data integrity, SHA-1[1] and MD5[1] are the most common hashing algorithms being used in various Index Terms—Cryptographic Hash Function, Parallel types of applications.
    [Show full text]
  • Security Analysis of BLAKE2's Modes of Operation
    Security Analysis of BLAKE2’s Modes of Operation Atul Luykx1, Bart Mennink1 and Samuel Neves2 1 Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iMinds, Belgium [email protected], [email protected] 2 CISUC, Dept. of Informatics Engineering, University of Coimbra, Portugal [email protected] Abstract. BLAKE2 is a hash function introduced at ACNS 2013, which has been adopted in many constructions and applications. It is a successor to the SHA-3 finalist BLAKE, which received a significant amount of security analysis. Nevertheless, BLAKE2 introduces sufficient changes so that not all results from BLAKE carry over, meaning new analysis is necessary. To date, all known cryptanalysis done on BLAKE2 has focused on its underlying building blocks, with little focus placed on understanding BLAKE2’s generic security. We prove that BLAKE2’s compression function is indifferentiable from a random function in a weakly ideal cipher model, which was not the case for BLAKE. This implies that there are no generic attacks against any of the modes that BLAKE2 uses. Keywords: BLAKE · BLAKE2 · hash function · indifferentiability · PRF 1 Introduction Widespread adoption of cryptographic algorithms in practice often occurs regardless of their scrutiny by the cryptographic community. Although competitions such as AES and SHA-3 popularize thoroughly analyzed algorithms, they are not the only means with which practitioners find new algorithms. Standards, textbooks, and social media are sometimes more effective than publications and competitions. Nevertheless, analysis of algorithms is important regardless of how they were pop- ularized, and can result in finding insecurities, but also new techniques. For example, the PLAID protocol avoided cryptographic scrutiny by being standardized via the Cards and personal identification subcommittee of ISO, instead of via the Cryptography and security mechanisms working group, and when properly analyzed, PLAID turned out to be significantly weaker than claimed [DFF+14].
    [Show full text]
  • Hash Function Design Overview of the Basic Components in SHA-3 Competition
    Hash Function Design Overview of the basic components in SHA-3 competition Daniel Joščák [email protected] S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract In this article we bring an overview of basic building blocks used in the design of new hash functions submitted to the SHA-3 competition. We briefly present the current widely used hash functions MD5, SHA-1, SHA-2 and RIPEMD-160. At the end we consider several properties of the candidates and give an example of candidates that are in SHA-3 competition. Keywords: SHA-3 competition, hash functions. 1 Introduction In 2004 a group of researchers led by Xiaoyun Wang (Shandong University, China) presented real collisions in MD5 and other hash functions at the rump session of Crypto conference and they explained the method in [10]. In 2006 the same group presented a collision attack on SHA–1 in [8] and since then a lot of progress in collision finding algorithms has been made. Although there is no specific reason to believe that a practical attack on any of the SHA–2 family of hash functions is imminent, a successful collision attack on an algorithm in the SHA–2 family could have catastrophic effects for digital signatures. In reaction to this situation the National Institute of Standards and Technology (NIST) created a public competition for a new hash algorithm standard SHA–3 [1]. Except for the obvious requirements of the hash function (i.e. collision resistance, first and second preimage resistance, …) NIST expects SHA–3 to have a security strength that is at least as good as the hash algorithms in the SHA–2 family, and that this security strength will be achieved with significantly improved efficiency.
    [Show full text]
  • Correlation Cube Attacks: from Weak-Key Distinguisher to Key Recovery
    Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery B Meicheng Liu( ), Jingchun Yang, Wenhao Wang, and Dongdai Lin State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, People’s Republic of China [email protected] Abstract. In this paper, we describe a new variant of cube attacks called correlation cube attack. The new attack recovers the secret key of a cryp- tosystem by exploiting conditional correlation properties between the superpoly of a cube and a specific set of low-degree polynomials that we call a basis, which satisfies that the superpoly is a zero constant when all the polynomials in the basis are zeros. We present a detailed procedure of correlation cube attack for the general case, including how to find a basis of the superpoly of a given cube. One of the most significant advantages of this new analysis technique over other variants of cube attacks is that it converts from a weak-key distinguisher to a key recovery attack. As an illustration, we apply the attack to round-reduced variants of the stream cipher Trivium. Based on the tool of numeric mapping intro- duced by Liu at CRYPTO 2017, we develop a specific technique to effi- ciently find a basis of the superpoly of a given cube as well as a large set of potentially good cubes used in the attack on Trivium variants, and further set up deterministic or probabilistic equations on the key bits according to the conditional correlation properties between the super- polys of the cubes and their bases.
    [Show full text]