Practical Collisions for Widea-8

PRACTICAL COLLISIONS FOR WIDEA-8

Kerem Varıcı KU Leuven / COSIC

Session ID: CRYP-R31 Session Classification: Advanced OUTLINE

► Introduction ► Collisions for the WIDEA-8 ► Results and Remarks

▶ Presenter Logo OUTLINE

► Introduction ► Collisions for the WIDEA-8 ► Results and Remarks

▶ Presenter Logo Introduction ( WIDEA )

► Widea - a family of block ciphers ► Inspired by IDEA block cipher ► Designed by Junod and Macchetti ► Presented in FSE’09 ► Suggested to use as compression function for hash function in Davies - Mayer mode ► Competitive efciency with most of the hash functions

▶ Presenter Logo IDEA X1 X2 X3 X4 (1) (1) (1) (1) Z1 Z2 Z3 Z4 ► Designed by Lai and Massey

in 1991 (1) Z5

► 64-bit block size (1) Z6 ► 128-bit key size ► 8.5 rounds ► Widely implemented

► 20+ security analysis ( 7 more rounds ) ► Secure except weak keys

(9) (9) (9) (9) Z1 Z2 Z3 Z4

Y1 Y2 Y3 Y4

▶ Presenter Logo (i) (i) (i) (i) x0,1 x1,1 x2,1 x3,1

WIDEA-n (i) (i) (i) (i) x0,n x1,n x2,n x3,n

Z0,1 Z1,1 Z2,1 Z3,1

► Composed of n parallel Z0,n Z1,n Z2,n Z3,n applications of IDEA connected with an MDS matrix. Z4,1 MA-Box Z4,n

► 64×n bits block size MDS Z5,1 ► 64×2n key size Z5,n ► 8.5 rounds

(i+1) (i+1) x2,1 x3,1

(i+1) (i+1) (i+1) (i+1) x0,n x1,n x2,n x3,n

▶ Presenter Logo Davies-Meyer Mode

► Proposed to construct hash functions from block ciphers ► Most widely used hash functions, including MD5, SHA-1 and mi SHA-2 use this construction

hi 1 hi

▶ Presenter Logo OUTLINE

► Introduction ► Collisions for the WIDEA-8 ► Attack strategy ► Application of theory to practice ► Extending the attack to full WIDEA-8 ► Results and Remarks

▶ Presenter Logo Attack strategy - I

I I 0 I

▶ Presenter Logo Attack strategy - II

Characteristic Z1 Z4 Z5 Z6 (0,0,0,△) ⇒ (△,△,△,0) - ±1 - ±1 X1 X2 X3 X4 (0,0,△,0) ⇒ (△,0,0,0) - - ±1 ±1 (1) (1) (1) (1) (0,0,△,△) ⇒ (0,△,△,0) - ±1 ±1 - Z1 Z2 Z3 Z4 (0,△,0,0) ⇒ (△,△,0,△) - - - ±1 (0,△,0,△) ⇒ (0,0,△,△) - ±1 - - (0,△,△,0) ⇒ (0,△,0,△) - - ±1 - (1) Z5 (0,△,△,△) ⇒ (△,0,△,△) - ±1 ±1 ±1 (△,0,0,0) ⇒) (0,△,0,0) ±1 - ±1 ±1 Z(1) 6 (△,0,0,△) ⇒ (△,0,△,0) ±1 ±1 ±1 - (△,0,△,0) ⇒ (△,△,0,0) ±1 - - - (△,0,△,△) ⇒ (0,0,△,0) ±1 ±1 - ±1 (△,△,0,0) ⇒ (△,0,0,△) ±1 - ±1 - (△,△,0,△) ⇒ (0,△,△,△) ±1 ±1 ±1 ±1

( 7 more rounds ) (△,△,△,0) ⇒ (0,0,0,△) ±1 - - ±1 (△,△,△,△) ⇒ (△,△,△,△) ±1 ±1 - -

▶ Presenter (9) (9) (9) (9) Z1 Z2 Z3 Z4 Logo

Y1 Y2 Y3 Y4 Attack strategy - III

Observation 1 The parallel instances of IDEA are only connected by the MDS matrix in the MA- box and hence if we can ﬁnd a characteristic for one lane where the MA-box is never active, the attack is reduced of attacking only

MDS one lane instead of all eight.

Observation 2

Given any eight consecutive subkeys {Zi+1,

Zi+2, ..., Zi+8} it is possible to construct the whole set of subkeys.

▶ Presenter Logo Theory to practice

Z0,1 Z1,1 Z2,1 Z3,1

Z0,n Z1,n Z2,n Z3,n

Z4,1

Z4,n

MDS Z5,1

Z5,n

▶ Presenter Logo Extending the attack to full WIDEA-8

Z0,1 Z1,1 Z2,1 Z3,1

Z0,n Z1,n Z2,n Z3,n

Z4,1

Z4,n

MDS Z5,1

Z5,n

▶ Presenter Logo Extending the attack to full WIDEA-8

▶ Presenter Logo Collision Example

▶ Presenter Logo Results

target rounds time attack type

comp. function 7 1 free-start collision

comp. function 8.5 (full) 1 free-start near-collision

comp. function 8.5 (full) 213.53 free-start collision

▶ Presenter Logo ANY QUESTIONS ? Finding Collisions for Round-Reduced SM3

Florian Mendel, Tomislav Nad, Martin Schlaffer¨

Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria

[email protected]

CT-RSA 2013

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 1 / 30 Outline

1 Motivation

2 Cryptographic Hash Functions

3 Differential Cryptanalysis

4 Description of SM3

5 Differential Collision Attacks on SM3

6 Summary

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 2 / 30 Outline

1 Motivation

2 Cryptographic Hash Functions

3 Differential Cryptanalysis

4 Description of SM3

5 Differential Collision Attacks on SM3

6 Summary

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 3 / 30 The MD4 Family of Hash Functions

MD4

MD5 SHA-0 HAVAL RIPEMD

SHA-1 RIPEMD-128 RIPEMD-160

SHA-224 SHA-256 SHA-384 SHA-512

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions

MD4

MD5 SHA-0 HAVAL RIPEMD

SHA-1 RIPEMD-128 RIPEMD-160

SHA-224 SHA-256 SHA-384 SHA-512

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions

MD4

MD5 SHA-0 HAVAL RIPEMD

SHA-1 RIPEMD-128 RIPEMD-160

SHA-224 SHA-256 SHA-384 SHA-512 SM3

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions

MD4

MD5 SHA-0 HAVAL RIPEMD

SHA-1 RIPEMD-128 RIPEMD-160 SHA-224 SHA-256 SHA-384 SHA-512 SM3

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 The MD4 Family of Hash Functions

MD4

MD5 SHA-0 HAVAL RIPEMD

SHA-1 RIPEMD-128 RIPEMD-160 SHA-224 SHA-256 SHA-384 SHA-512 ?SM3

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 4 / 30 Outline

1 Motivation

2 Cryptographic Hash Functions

3 Differential Cryptanalysis

4 Description of SM3

5 Differential Collision Attacks on SM3

6 Summary

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 5 / 30 Hash Functions

Some arbitrary length input message.

H(M)

19BDAF403B3

Protect short hash value instead of long text.

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 6 / 30 Main Security Requirements

Preimage Resistance given h(m) ﬁnd m generic complexity:2 n

Second-Preimage Resistance

given m, h(m) ﬁnd m0 with m = m0 and h(m) = h(m0) generic complexity:2 n 6

Collision Resistance

ﬁnd m, m0 with m = m0 and h(m) = h(m0) generic complexity:6 2 n/2

No non-random properties

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 7 / 30 Iterated Hash Function Construction

M1 M2 M3 Mt

IV f f f f g H(m) w w w w n

Most hash functions use some kind of iteration compression function f output transformation g chaining value size w n ≥ Strength depends on f , g, w smaller w needs stronger f Analyze building blocks collision resistance of f non-random properties of f

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 8 / 30 free-start collision:

attacker can choose difference and value of chaining input Hi 1 − f (Mi , Hi 1) = f (Mi0, Hi0 1), Mi = Mi0, Hi 1 = Hi0 1 − − 6 − 6 −

Collisions on the Compression Function

M = M0 i 6 i

f Hi 1 Hi −

semi-free-start collision:

attacker can choose value of chaining input Hi 1 − f (Mi , Hi 1) = f (Mi0, Hi 1), Mi = Mi0 − − 6

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 9 / 30 Collisions on the Compression Function

M = M0 i 6 i

f Hi 1 = Hi0 1 Hi − 6 −

semi-free-start collision:

attacker can choose value of chaining input Hi 1 − f (Mi , Hi 1) = f (Mi0, Hi 1), Mi = Mi0 − − 6 free-start collision:

attacker can choose difference and value of chaining input Hi 1 − f (Mi , Hi 1) = f (Mi0, Hi0 1), Mi = Mi0, Hi 1 = Hi0 1 − − 6 − 6 −

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 9 / 30 Outline

1 Motivation

2 Cryptographic Hash Functions

3 Differential Cryptanalysis

4 Description of SM3

5 Differential Collision Attacks on SM3

6 Summary

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 10 / 30 Collision Attacks

m = m 6 ∗

H H

H(m) = H(m∗)

Find two different messages which result in the same hash value:

m = m∗ with H(m) = H(m∗) 6 Birthday effect applies: 2n/2

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 11 / 30 Collision Attacks (Differential View)

m = m ∆m = 0 6 ∗ 6

H H ⇐⇒ H

H(m) = H(m∗) H(∆m) = 0

Find two different messages which result in the same hash

m, ∆m with ∆m = 0 and H(∆m) = 0 6 Usually XOR differences are used: ∆m = m m∗ and H(∆m) = H(m) H(m∗) ⊕ ⊕

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 12 / 30 Differential Characteristic

How to ﬁnd m, ∆m? Find differential characteristic (trail, path) using (semi-) automatic tools determines ∆m holds with high probability P try 1/P random messages

How to find m more efficiently? we can choose m according to characteristic invert equations in first steps of hash function called message modification

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 13 / 30 Outline

1 Motivation

2 Cryptographic Hash Functions

3 Differential Cryptanalysis

4 Description of SM3

5 Differential Collision Attacks on SM3

6 Summary

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 14 / 30 SM3: too complex to draw :-(

Design Complexity of the MD4 Family

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 15 / 30 Design Complexity of the MD4 Family

SM3: too complex to draw :-(

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 15 / 30 The Hash Function SM3

Chinese hash function standard [Chi] (Chinese Commercial Cryptography Administration Ofﬁce)

Designed by Wang et al. after her attacks on SHA-1 Based on SHA-2 more complicated mixing functions additional expanded message words

Only few cryptanalysis results published:

component attack steps complexity reference hash function preimage 35 2249 [ZWW+11] compression function free-start collision 30 2117.1 [KSWY12]

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 16 / 30 Description of SM3 message expansion: Mi 0 ≤ i < 16 Wi = σ0(Wi−16 ⊕ Wi−9 ⊕ Wi−3 ≪ 15) ⊕ Wi−13 ≪ 7 ⊕ Wi−6 16 ≤ i < 68

state update transformation:

T1 = (Ai−1 ≪ 12 + Ei−1 + Ki ) ≪ 7 T2 = Hi−1 + f0(Ei−1, Fi−1, Gi−1) + T1 + Wi Ai = Di−1 + f1(Ai−1, Bi−1, Ci−1) + (T1 ⊕ Ai−1 ≪ 12) + (Wi ⊕ Wi+4) Ei = Σ0(T2) Bi = Ai−1 Ci = Bi−1 ≪ 9 Di = Ci−1 Fi = Ei−1 Gi = Fi−1 ≪ 19 Hi = Gi−1 (linear) Boolean functions:

fXOR(X, Y , Z ) = X ⊕ Y ⊕ Z σ0(X) = X ⊕ (X ≪ 15) ⊕ (X ≪ 23) fIF(X, Y , Z ) = XY ⊕ XZ ⊕ Z Σ0(X) = X ⊕ (X ≪ 9) ⊕ (X ≪ 17) fMAJ(X, Y , Z ) = XY ⊕ YZ ⊕ XZ

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 17 / 30 equations of small complexity: easier to update using automatic tool

Description of SM3

simpliﬁed equations and stored variables:

S = W − W − W − 15 i i 16 ⊕ i 9 ⊕ i 3 ≪ P = S S 15 S 23 i i ⊕ i ≪ ⊕ i ≪ Wi = Pi Wi−13 ≪ 7 Wi−6 0 ⊕ ⊕ W = W W + i i ⊕ i 4 Li = Ai−1 ≪ 12 + Ei−1 + Ki ≪ 7 Fi = f0(Ai−1, Ai−2, Ai−3 ≪ 9) 0 A = F + W + A − 9 + (L 7 A − 12) i i i i 4 ≪ i ≪ ⊕ i 1 ≪ Gi = f1(Ei−1, Ei−2, Ei−3 ≪ 19) Ri = Ei−4 ≪ 19 + Li ≪ 7 + Wi + Gi E = R R 9 R 17 i i ⊕ i ≪ ⊕ i ≪

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 18 / 30 Description of SM3

simpliﬁed equations and stored variables:

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 18 / 30 Outline

1 Motivation

2 Cryptographic Hash Functions

3 Differential Cryptanalysis

4 Description of SM3

5 Differential Collision Attacks on SM3

6 Summary

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 19 / 30 1 message word difference? linear low-weight code search 7-step local collision 20-step hash collision

2 search for differential path using semi-automatic tool optimize search by hand

3 determine message pair using semi-automatic tool combine with path search

iterations between phases ⇒

Constructing Hash Collisions for 20 Steps

-4 -3 (A) (E) -2 hi 1 hi 1 -1 − − 0 1 2 3 4 5 6 7 8 9 10 11 12 13 Ai Ei Wi 14 15 16 17 18 19 0 1 (A) (E) 2 h h 3 i i

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 20 / 30 2 search for differential path using semi-automatic tool optimize search by hand

3 determine message pair using semi-automatic tool combine with path search

iterations between phases ⇒

Constructing Hash Collisions for 20 Steps

-4 (A) (E) -3 1 message word difference? -2 hi 1 hi 1 -1 − − 0 linear low-weight code search 1 2 7-step local collision 3 4 20-step hash collision t = 7 5 6 7 8 9 10 11 12 13 Ai Ei Wi 14 15 16 17 18 19 0 1 (A) (E) 2 h h 3 i i

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 20 / 30 3 determine message pair using semi-automatic tool combine with path search

iterations between phases ⇒

Constructing Hash Collisions for 20 Steps

-4 (A) (E) -3 1 message word difference? -2 hi 1 hi 1 -1 − − 0 linear low-weight code search 1 2 7-step local collision 3 4 20-step hash collision t = 7 5 6 7 2 search for differential path 8 9 using semi-automatic tool 10 11 optimize search by hand 12 13 Ai Ei Wi 14 15 16 17 18 19 0 1 (A) (E) 2 h h 3 i i

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 20 / 30 iterations between phases ⇒

Constructing Hash Collisions for 20 Steps

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 20 / 30 Constructing Hash Collisions for 20 Steps

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 20 / 30 Differences and Conditions

Generalized Conditions [DR06] take all 16 possible conditions on a pair of bits into account

∗ ∗ (Xi , Xi ) (0, 0)(1, 0)(0, 1)(1, 1) (Xi , Xi ) (0, 0)(1, 0)(0, 1)(1, 1) ? XXXX 3 XX -- - X -- X 5 X - X - x - XX - 7 XXX - 0 X --- A - X - X u - X -- B XX - X n -- X - C -- XX 1 --- X D X - XX # ---- E - XXX

2-bit Conditions [MNS11] linear relation between closely related bits: X X = 0/1 i ⊕ j 2-bit conditions on any generalized condition (-,x,?,...) used to determine critical bits (those with many relations)

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 21 / 30 Starting Point for 20 Steps

i A E W ∇ i ∇ i ∇ i -4 ------3 ------2 ------1 ------0 ------1 ???????????????????????????????? ???????????????????????????????? ------x-x------x---- 2 ???????????????????????????????? ???????????????????????????????? ------x---- 3 ???????????????????????????????? ???????????????????????????????? ------4 ???????????????????????????????? ???????????????????????????????? ------5 ------x------x------x------6 ------7 ------8 ------x-x------x---- 9 ------10 ------11 ------12 ------13 ------14 ------15 ------16 ------17 ------18 ------19 ------

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 22 / 30 Search Strategy

Search Algorithm [DR06, MNS11, MNS13] (1) Start with an unrestricted characteristic (’?’ and ’-’)

(2) Successively impose new conditions on the characteristic path search: replace ’?’ by ’-’ and ’x’ by ’n’ or ’u’ message search: replace ’-’ by ’1’ or ’0’

(3) Propagate the conditions and check for consistency if a contradiction occurs: backtrack else proceed with step 2

(4) Repeat steps 2 and 3 until all bits are determined

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 23 / 30 Dedicated for every hash function (unfortunately) ⇒

Search Strategy

The difﬁculties are in the details... Which information to propagate (and when)? path search: generalized conditions message search: generalized conditions and 2-bit conditions Which bits (which area) to guess? dedicated to hash function bits with many 2-bit conditions (in message search) lots of trial and error needed to ﬁnd best strategy How to backtrack? if a contradiction occurs on a bit, backtrack until bit can be set keep and check a list of previous critical bits

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 24 / 30 Search Strategy

Dedicated for every hash function (unfortunately) ⇒

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 24 / 30 Characteristic for 20-step Hash Collision

search: ﬁrst guess outputs of modular additions (Li , Ai , Ri )

i A E W ∇ i ∇ i ∇ i -4 ------3 ------2 ------1 ------0 ------1------1 unn-----un------uuuuuuuu--1- u-u----unuuu------n-10nnu-nu--uu --0------u-n------1------u---- 2 -uu-n---un-uu--uun--n------uun ---u0nunu----uu-u-unu-u--n----uu ------n---- 3 n-n-u------unnnnnnn------n-u- nu-u--n1n-nuu-u------nuu------4 uuuuu------nn------nuu uuuuuuuuuuuuuuu------u-un ------5 ------u------0-u------n------1---- 6 ------7 ------8 ------n-n------u---- 9 ------10 ------11 ------12 ------1-0------0---- 13 ------14 ------15 ------16 ------17 ------18 ------19 ------

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 25 / 30 Characteristic for 24-step Free-Start Collision

i A E W ∇ i ∇ i ∇ i -4 ------u------u------n------n------3 ------n------n------2 ------u------u------1 ------0 ------1 ------2 ------x------3 ------4 ------5 ------6 ------7 ------8 ------9 ------10 ------11 ------12 ------13 ------14 u------n------u------0------0------15 u----u--un-un-nnn0nn--n------u- ---0nn0------n------un-----n-u------16 -uu-n--u-n---n---n---u-u--uu------u--n--n-n------u--1u------17 u--n------n----un-----n----n ------n-n------u-n-u0------u------18 nn------nn-n------n------n------unn----uu--uu x------n------u------19 nnnnnnn--nuu------u--n----u-n-u------unn------n-00------0un ------20 ------u------n------n------u------11 ------21 ------n------u--0------u------x-x------22 ------n------n------23 ------

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 26 / 30 Outline

1 Motivation

2 Cryptographic Hash Functions

3 Differential Cryptanalysis

4 Description of SM3

5 Differential Collision Attacks on SM3

6 Summary

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 27 / 30 Summary

Results:

component attack steps complexity hash function collision 20 example compression function free-start collision 24 example

First collision attacks on reduced SM3 automatic path search and automatic message modiﬁcation time consuming to ﬁnd the right settings once settings are found, collisions can be found in minutes

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 28 / 30 ReferencesI

Chinese Commercial Cryptography Administration Office. Specification of SM3 cryptographic hash function (In Chinese). http://www.oscca.gov.cn/UpFile/20101222141857786.pdf. Ronald Cramer, editor. Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume 3494 of LNCS. Springer, 2005. Christophe De Canniere` and Christian Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284 of LNCS, pages 1–20. Springer, 2006. Aleksandar Kircanski, Yanzhao Shen, Gaoli Wang, and Amr Youssef. Boomerang and Slide-Rotational Analysis of the SM3 Hash Function. In Lars R. Knudsen and Huapeng Wu, editors, Selected Areas in Cryptography, LNCS. Springer, 2012. to appear. Florian Mendel, Tomislav Nad, and Martin Schlaffer.¨ Finding SHA-2 Characteristics: Searching through a Minefield of Contradictions. In Dong Hoon Lee and Xiaoyun Wang, editors, ASIACRYPT, volume 7073 of LNCS, pages 288–307. Springer, 2011.

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 29 / 30 ReferencesII

Florian Mendel, Tomislav Nad, and Martin Schlaffer.¨ Improving Local Collisions: New Attacks on Reduced SHA-256. In EUROCRYPT, 2013. to appear. Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, and Xiuyuan Yu. Cryptanalysis of the Hash Functions MD4 and RIPEMD. In Cramer [Cra05], pages 1–18. Xiaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functions. In Cramer [Cra05], pages 19–35. Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full SHA-1. In Victor Shoup, editor, CRYPTO, volume 3621 of LNCS, pages 17–36. Springer, 2005. Jian Zou, Wenling Wu, Shuang Wu, Bozhan Su, and Le Dong. Preimage Attacks on Step-Reduced SM3 Hash Function. In Howon Kim, editor, ICISC, volume 7259 of LNCS, pages 375–390. Springer, 2011.

Martin Schlaffer¨ (CT-RSA 2013) Finding Collisions for Round-Reduced SM3 30 / 30 Many Weak Keys for PRINTcipher: Fast Key Recovery and Countermeasures

Michael Walter UC San Diego

Session ID: CRYP-R31 Session Classification: Advanced PRINTcipher

► Iterative block cipher, substitution-permutation network ► 48-bit blocks and 80-bit key, 48 rounds ► 96-bit blocks and 160-bit key, 96 rounds Round function

► Plaintext ► o KeyAddition

o BitPermutation

o S-Box

► Ciphertext Invariant coset attack

► First studied by Leander et al. CRYPTO 2011 ► ► Attack: ► Distinguish by checking if ► Knowing recover faster than brute force ► ► Therefore: invariant (linear) coset attack Masks for S-Boxes

► Values of some input bits values of some output bits Example:

► 3 – 3 and 0 – 0 masks ► Any of 3*3=9 possible arrangements yields a 2 – 2 mask for some ► No 1 – 1 masks ► a – a masks for a=0,2,3 yield an invariant property Example of invariant coset via masks Getting invariant cosets systematically

1 1 1 0 1 1

1 1 1 1 0 1

S-Box conditions + bit permutation Using the technique

► Key recovery: ► For observe whether thus we have many bits of are known ► Recover the remaining bits of ► Two-step process, faster than vanilla brute force ► How to find all elements of ? ► Since and is defined by linear (in)equalities, we can apply Integer Linear Programming techniques ► Constraints: S-Box conditions + bit permutation as above ► Objective function: constant on ► Practically: ► all 64 elements of (for 48-bit version), and ► 115,669 elements (96-bit) in a fraction of a second using the IBM ILOG CPLEX solver Results for PRINTcipher - 48

Our analysis Leander et al. # weak key 64 / Yes 2 / No families / all found? Log (upper bound 52.5 52 on # weak keys) Log (fastest time 24 38 for key recovery in CP/KP scenario) Results for PRINTcipher - 96

Our analysis Leander et al. # weak key 115,669 / Yes 2 / No families / all found? Log (upper bound 117.7 102 on # weak keys) Log (fastest time 30 76 for key recovery in CP/KP scenario) ► Countermeasures exist, but not obvious! http://eprint.iacr.org/2012/085

Motivation: Lightweight

► Vast growth in using resource constraint devices ► Ergent need for crypto for these devices  In particular block ciphers ► Standard primitives (e.g. AES) are too expensive to implement Masks in detail

Input mask Output mask k0,k1 x0,x1,x2 y0,y1,y2 + + - + + - 0* 00* 00* + + - + - + 10 10* 1*1 + + - - + + 11 11* *10 + - + + + - 10 0*0 00* + - + + - + 00/11 0*1/1*0 1*1 + - + - + + 01 1*1 *10 - + + + + - 11 *00 00* - + + + - + 01 *10 1*1 - + + - + + *0 *11 *10 Characterization Example invariant propagation