Security Analysis of SIMD

Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Charles Bouillaguet, Pierre-Alain Fouque, Gaëtan Leurent

École Normale Supérieure Paris, France

SAC 2010 – University of Waterloo

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 1 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Hash functions

I A public function with no structural properties. I Cryptographic strength without keys!

∗ n I F : {0, 1} → {0, 1}

F 0x1d66ca77ab361c6f

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 2 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Hash functions

I A public function with no structural properties. I Cryptographic strength without keys!

∗ n I F : {0, 1} → {0, 1}

F 0x1d66ca77ab361c6f

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 2 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

The SHA-3 competition

I Similar to the AES competition I Organized by NIST

I Submission dead-line was October 2008: 64 candidiates I 51 valid submissions

I 14 in the second round (July 2009) I 5 ﬁnalists in September 2010? I Winner in 2012?

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 3 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

SIMD

I Merkle-Damgård with a Davies-Meyer compression function

I Strong message expansion

I Several Parallel MD-like Feistel

Gaëtan Leurent, Charles Bouillaguet, Pierre-Alain Fouque SIMD Is a Message Digest Submission to the NIST SHA-3 competition

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 4 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

SIMD Iteration Mode

M0 M1 M2 |M|

2n 2n 2n 2n 2n f 2n f 2n f 2n g 2n n T IV H0 H1 H2 H3 H

I Wide-pipe

I Finalisation function

I Use only the message length as input in the last block I Acts as a kind of blank round I Can break unexpected properties

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 5 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

SIMD Compression Function

I Block cipher based hi−1 I Well understood

2n I Davies-Meyer I Allows a strong 2n 16n message expansion M E 32 steps

I Add the message at the start I Prevents some message modifications 4 steps I Modified feed-forward: Feistel rounds instead of XOR hi I Avoids some fixed point and multi-block attacks

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 6 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

SIMD Feistel Rounds

D0 C0 B0 A0 D1 C1 B1 A1 φ φ w0 w1 r r s s

D0 C0 B0 A0 D1 C1 B1 A1

I Follows the SHA/MD legacy I Additions, rotations, boolean functions

I 4 Parallel lanes for SIMD-256, 8 for SIMD-512 I Parallel Feistel rounds allow vectorized implementation

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 7 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Outline

New distinguisher for SIMD

Security proof with distinguishers

Analysis of differential paths

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 8 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Outline

New distinguisher for SIMD

Security proof with distinguishers

Analysis of differential paths

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 9 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Symmetry based distinguisher

D0 C0 B0 A0 D1 C1 B1 A1 φ φ w0 w1 r r s s

D0 C0 B0 A0 D1 C1 B1 A1

I Put the same values in two lanes I Put the same message I Need a special message...

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 10 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Message pairs

←→ I Let • be a symmetry relation swapping pairs of lanes 0 0 ←−→ I Let M, M be such that E(M ) = E(M) ←→ ( ) 0( ) 0( ) ( ) I Let S 0 , S 0 be such that S 0 = S 0 ←−→ 0( ) ( ) I Then S 31 = S 31

I We can use a single message I We can use a single state

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 11 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Message pairs

I We can use a single message I We can use a single state

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 11 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Message pairs

I We can use a single message I We can use a single state

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 11 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Message expansion

1 FFT transform over F257 doubles the size of the message. 2 Make two copies of the FFT output.

3 Multiply by 185/233 (from F257 to 16-bit words). 4 Permute and pack into 32-bit words.

I Constant are only in the ﬁrst layer.

I FFT is linear: easy to enforce linear conditions. I Enough degrees of freedom for equality constraints. I Equality is preserved by the remaining steps. I Permutations are nice wrt. to this. I We can easily generate those messages.

I Obvious ﬁx: add constants at the end of the expansion.

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 12 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Message expansion

1 FFT transform over F257 doubles the size of the message. 2 Make two copies of the FFT output.

3 Multiply by 185/233 (from F257 to 16-bit words). 4 Permute and pack into 32-bit words.

I Constant are only in the ﬁrst layer.

I Obvious ﬁx: add constants at the end of the expansion.

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 12 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Message expansion

1 FFT transform over F257 doubles the size of the message. 2 Make two copies of the FFT output.

3 Multiply by 185/233 (from F257 to 16-bit words). 4 Permute and pack into 32-bit words.

I Constant are only in the ﬁrst layer.

I Obvious ﬁx: add constants at the end of the expansion.

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 12 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Message expansion

1 FFT transform over F257 doubles the size of the message. 2 Make two copies of the FFT output.

3 Multiply by 185/233 (from F257 to 16-bit words). 4 Permute and pack into 32-bit words.

I Constant are only in the ﬁrst layer.

I Obvious ﬁx: add constants at the end of the expansion.

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 12 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Application to the Compression Function hi−1

2n I There are a few messages giving a symmetric expanded message 2n 16n M E 32 steps I Symmetric expanded message I Symmetric state in the Feistel

I Message not symmetric I Almost symmetric input 4 steps I Somewhat symmetric output

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 13 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Important properties

I 216 weak messages (232 for SIMD-512) 256+16 512+32 I 2 weak chaining values (2 for SIMD-512) I 232 weak pairs of messages (264 for SIMD-512) 512+32 1024+64 I 2 pairs of weak chaining values (2 for SIMD-512)

I Wide-pipe: It is hard to get into a symmetric state / pair of states 256−16 512−32 I Takes time 2 (2 for SIMD-512)

I There is no intersection between the symmetry classes I Each pair only works with a single message pair I An output pair can not be used as input pair I It cannot be used in the ﬁnal transform I Getting into a symmetric state is not really useful...

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 14 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Outline

New distinguisher for SIMD

Security proof with distinguishers

Analysis of differential paths

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 15 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Preﬁx-free Merkle-Damgård

M0 M1 M2 M3

p f p f p f p g p

IV H0 H1 H2 H3

I Used by several SHA-3 candidates

I Indistinguishable up to 2p/2 queries [Coron, Dodis, Malinaud, and Puniya] I Assuming that the compression function is perfect

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 16 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Preﬁx-free Merkle-Damgård

M0 M1 M2 M3

p f p f p f p g p

IV H0 H1 H2 H3

I Used by several SHA-3 candidates

I Indistinguishable up to 2p/2 queries [Coron, Dodis, Malinaud, and Puniya] I Assuming that the compression function is perfect

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 16 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Weak random oracle

I Random oracle with some efﬁcient distinguishers

I We model the compression function as a random oracle, constrained to satisfy some relations:

∀(h, m) : R1(h, m, F(h, m)) = 1

∀(h1, h2, m1, m2) : R2(h1, m1, h2, m2, F(h1, m1), F(h2, m2)) = 1

I Examples: I Symmetric states: ←→ ←→ 0 ←→0 R1 := m = m ∧ h = h ⇒ h = h I Deterministic differential path 0 0 R2 := (m1 ⊕ m2 = ∆m ∧ h1 ⊕ h2 = ∆in) ⇒ h1 ⊕ h2 = ∆out

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 17 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Proof of Security

Deﬁnition (Weak states) 0 0 W = {h | ∃m, h s.t. R1(h, m, h ) = 0}

Deﬁnition (Weak pairs of states) 0 0 0 0 WP = {h1 ↔ h2 | ∃m1, m2, h1, h2 s.t. R2(h1, m1, h2, m2, h1, h2) = 0}

I In order to distinguish the weak RO from a real RO, the adversary needs to reach W or WP.

I If they are small enough, we can simulate the weakness.

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 18 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Proof of Security

Deﬁnition (Weak states) 0 0 W = {h | ∃m, h s.t. R1(h, m, h ) = 0}

Deﬁnition (Weak pairs of states) 0 0 0 0 WP = {h1 ↔ h2 | ∃m1, m2, h1, h2 s.t. R2(h1, m1, h2, m2, h1, h2) = 0}

Deﬁnition (Weak pairs of state+message) 0 0 0 WP = {(h1, m1) ↔ (h2, m2) | ∃m1, m2, h1, h2 s.t. R2(...) = 0}

0 I Connected components in WP must be of size 2 at most I Evaluation on one input gives information about a single extra input

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 18 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Proof of Security

Deﬁnition (Weak states) 0 0 W = {h | ∃m, h s.t. R1(h, m, h ) = 0}

Deﬁnition (Weak pairs of states) 0 0 0 0 WP = {h1 ↔ h2 | ∃m1, m2, h1, h2 s.t. R2(h1, m1, h2, m2, h1, h2) = 0}

Deﬁnition (Weak pairs of state+message) 0 0 0 WP = {(h1, m1) ↔ (h2, m2) | ∃m1, m2, h1, h2 s.t. R2(...) = 0}

0 I Connected components in WP must be of size 2 at most I Evaluation on one input gives information about a single extra input q2 q q2 I Adv ≤ 16 · p + 4 · |W| · p + 4 · |WP| · 2 2 (2p−q)2

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 18 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Results Iterating a random oracle [Coron, Dodis, Malinaud, and Puniya] q2 Adv = O 2p

I Secure up to q = O(2p/2)

Iterating a weak random oracle q2 q q2 Adv = O p + |W| · p + |WP| · 2 2 (2p−q)2 p I Secure up to q = O(2 /2) if |W| = O(2p/2) and |WP| = O(2p)

I Indifferentiability proofs are quite resilient: many defects in the compression function have a small impact I Can we extent this result by allowing other kinds of weaknesses?

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 19 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Application

I Symmetry based distinguishers 127 I Lesamnta-256 is secure up to 2 queries 255 I Lesamnta-512 is secure up to 2 queries 256−16 I SIMD-256 is secure up to 2 queries 512−32 I SIMD-512 is secure up to 2 queries

I Free-start differential paths I A differential path with a non-zero difference in h costs one bit of security

I Rotational distinguisher, . . .

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 20 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Wide-pipe vs Narrow-pipe

I In a wide-pipe design, the indifferentiability proof implies: I Collision resistance I Preimage resistance (up to a small loss) I No other attack (up to a small loss)

I In a narrow-pipe design, the indifferentiability proof implies: I Collision resistance (up to a small loss)

I Some distinguishers can be used for non-standard attack: I Herding attack on Lesamnta with a symmetry based distinguisher I Distinguishing-H attack on HMAC-MD5 with a free-start differential path

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 21 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Outline

New distinguisher for SIMD

Security proof with distinguishers

Analysis of differential paths

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 22 / 29 m 5 φ

m 6 φ

m 7 φ

Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Local Collisions m 4 φ m m 5 φ 5 φ m6 φ A single active state bit m 7 φ I Introduced by a difference in m4 I Cancelled by a difference in m8 m 8 φ I Cancelled on the neighbour lane I At least 3 active messages m9 I At most 6 active messages φ I 3 φ-conditions + 1 carry condition

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 23 / 29 m 5 φ

m 6 φ

m 7 φ

Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 23 / 29 m 5 φ

m 6 φ

m 7 φ

Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 23 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Differential Attacks

I We assume that the adversary builds a differential path with a signed difference. I We consider paths with a non-zero message difference I paths with no message difference only give free-start attacks

I Each active state bit lowers the probability I Minimize active state bits

I The message expansion gives many message differences I 520 for SIMD-256 I 1032 for SIMD-512

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 24 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Heuristic Heuristic The adversary can build an expanded message of minimal weight I such that the differences create local collisions I but without extra properties

I Optimal path: all Boolean function transmit differences I Minimizes the number of active state bits

I 6 active message bits per active state bit I 87 active state bits for SIMD-256 / 172 for SIMD-512

I 4 conditions per active state bit I 348 conditions for SIMD-256 / 688 for SIMD-512

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 25 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Comparison with SHA-1

I Differential attacks on SHA-1 use local collisions.

I Use the fact that the code is linear and circulant I Start with an expanded message of minimal weight I Make 6 shifted copy to create local collisions I The ﬁnal expanded message has weight 6 times the minimal distance

I Our heuristic is quite weak.

I The message expansion of SIMD is neither circulant nor linear

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 26 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Comparison with SHA-1

I Differential attacks on SHA-1 use local collisions.

I Our heuristic is quite weak.

I The message expansion of SIMD is neither circulant nor linear

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 26 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Weaker assumptions

Strong adversary The adversary can build an expanded message with any difference pattern

I If active state words are adjacent, some φ conditions disappear I If two inputs of the MAJ function are active we know the output

I 1 active state bit gives I 4.5 active message bits I 1 conditions

I SIMD-256: 116 conditions I SIMD-512: 230 conditions

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 27 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Modeling Differential Paths

I Impossible to have two active inputs for all active function I Hard to proof any usefull bound...

I We model the this problem as an Integer Linear Program I about 30,000 variables, 80,000 equations

I Solver computes a lower bound, and tries to improve the lower bound SIMD-256 p ≤ 2−132 SIMD-512 p ≤ 2−253 (several weeks of computation)

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 28 / 29 Introduction New distinguisher for SIMD Security proof with distinguishers Analysis of differential paths

Conclusion

I SIMD security I Differential paths with a difference in the message are unlikely I Differential paths with a difference in the chaining value do not affect the iterated hash function.

I Security with distinguishers I Not speciﬁc to SIMD I A class of distinguishers does not affect the indifferentiability proof I Interesting for wide-pipe design

I Full version: ePrint report 2010/323.

G. Leurent (ENS) Security Analysis of SIMD SAC 2010 29 / 29