Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions
Total Page:16
File Type:pdf, Size:1020Kb
Contributions to Cryptanalysis: Design and Analysis of Cryptographic Hash Functions By Przemys law Szczepan Soko lowski A thesis submitted to Macquarie University for the degree of Doctor of Philosophy Department of Computing, Faculty of Science August 2012 Abstract A cryptographic hash function is a mechanism producing a fixed-length output of a message of arbitrary length. It fullfils a collection of security requirements guaranteeing that a hash function does not introduce any weakness into the system to which it is applied. The example applications of cryptographic hash functions include digital signatures and message authentification codes. This thesis analyzes cryptographic hash functions and studies the design principles in the construction of secure cryptographic hash functions. We investigate the problem of building hash functions from block ciphers and the security properties of different structures used to design compression func- tions. We show that we can build open-key differential distinguishers for Crypton, Hierocrypt-3, SAFER++and Square. We know that our attack on SAFER++ is the first rebound attack with standard differentials. To demonstrate the effi- ciency of proposed distinguishers, we provide formal proof of a lower bound for finding a differential pair that follows a truncated differential in the case of a random permutation. Our analysis shows that block ciphers used as the underly- ing primitive should also be analyzed in the open-key model to prevent possible collision attacks. We analyze the IDEA-based hash functions in a variety of cipher modes. We present practical complexity collision search attacks and preimage attacks, where we exploit a null weak-key and a new non-trivial property of IDEA. We prove that even if a cipher is considered secure in the secret-key model, one has to be very careful when using it as a building block in the hashing modes. Finally, we investigate the recent rotational analysis. We show how to extend the rotational analysis to subtractions, shifts, bit-wise Boolean functions, multi i Abstract additions and multi subtractions. In particular, we develop formulae for calcu- lation of probabilities of preserving the rotation property for multiple modular additions and subtractions. We examine S-functions and its application to the ro- tational analysis. The findings are applied to BMW and SIMD. We also propose a new shift distinguisher and apply it to Shabal. ii Contents Abstract i Acknowledgements vii Declaration ix List of Publications xi 1. Introduction 1 1.1. Cryptographic Hash Function Properties . .1 1.2. Classification of Hash Functions . .3 1.3. Hash Functions Applications . .4 1.4. Cryptanalysis . .7 1.4.1. Generic Analysis . .7 1.4.2. Algorithm Specific Analysis . .8 1.5. Secure Hash Standards . 10 1.6. Thesis structure . 12 2. Cryptographic Hash Functions 15 2.1. Introduction to Cryptographic Hash Functions . 15 2.2. Designing Hash Functions . 17 2.3. Block Ciphers in Hash Function Modes of Operation . 22 2.4. Security Notation for Cryptographic Hash Functions . 24 2.5. Methods of Hash Functions Analysis . 25 2.5.1. Generic Attacks . 25 2.5.2. Differential Analysis . 27 iii Contents 2.5.3. Rotational Analysis . 33 2.5.4. Shift Analysis . 36 2.5.5. T-functions and S-functions . 37 3. Open Key Differential Analysis for Block Ciphers 39 3.1. Impact of Block Cipher Known Key Differential Trails on Hash Modes . 40 3.2. Lower Bound on Complexity of Differential Distinguisher for Ran- dom Permutations . 43 3.3. Differential Trails for Specific Block Ciphers . 46 3.3.1. Crypton, Hierocrypt-3 and Square . 47 3.3.2. SAFER++ . 51 3.3.3. Feistel Ciphers . 53 3.4. Summary . 55 4. IDEA in Various Hashing Modes 57 4.1. The IDEA block cipher . 58 4.2. Weak-keys for IDEA ........................... 60 4.2.1. Analysis of the Internal Functions . 60 4.2.2. Weak-keys Classes . 61 4.2.3. The null Weak-key . 62 4.3. Simple Collision Attacks . 64 4.4. Improved Collision Attacks . 66 4.4.1. Exploiting the Almost Half-Involution . 66 4.4.2. Improving Collision Attacks . 69 4.5. Preimage Attacks . 73 4.6. Summary . 75 5. Analysis of Addition-Rotation-XOR Designs 77 5.1. Rotational Properties of Multi Additions and Subtractions . 79 5.2. Rotational Pairs with Corrections . 84 5.2.1. Definition of Problem . 85 iv Contents 5.2.2. Calculation of Probabilities of Rotational Pairs with Cor- rections for Addition . 88 5.3. Rotational Analysis of BMW-512 . 91 5.3.1. Rotational Properties of Some BMW-512 Transforms . 91 5.3.2. Analysis of BMWv1-512 . 92 5.4. Lower Complexity Attack on the Full BMWv1 . 98 5.4.1. Analysis of Modified Version of BMWv2-512 . 99 5.5. Rotational Analysis of SIMD-512 . 101 5.5.1. Analysis of the Feistel of SIMD . 103 5.5.2. Analysis of Round-reduced Linearized SIMD . 104 5.5.3. Analysis of Round-reduced SIMD . 105 5.6. Shift Distinguishers on Shabal . 107 5.7. Summary . 110 6. Conclusions 113 6.1. Contributions . 114 6.2. Design Guidelines . 116 6.3. Open Problems and Future Research Directions . 116 A. Proofs of Rotational Analysis Lemmas 119 B. mCrypton 121 B.1. Nonlinear Substitution γ ........................ 122 B.2. Column-Wise Bit Permutation π ................... 122 B.3. Column-To-Row Transposition τ ................... 123 B.4. Key Addition σ ............................. 123 B.5. Altered Key Schedule . 123 B.6. Encryption . 124 Bibliography 137 v Acknowledgements I would like to express my gratitude to my supervisors, Prof. Josef Pieprzyk for his knowledge and wisdom which he is always keen to share. His guidance and care have been priceless to me and I am forever indebted to him. I would like to thank Prof. Jerzy Jaworski, who inspired me to start research in the field of cryptology and has been my guide ever since. I am also grateful to Dr Ron Steinfeld for his encouragement and suggestions for improvements during my studies. The completion of this thesis could not have been achieved without collabora- tion with Ivica Nikoli´c,Lei Wei and Thomas Peyrin. Their fresh look on analyzed problems and many discussions were an inspiration for my research. I would like to thank my parents Maria and Stanislaw for their unconditional support and understanding throughout my PhD candidature. Finally, I would like to express my gratitude to my wife Urszula, for her love and faith in me. My research was supported by Macquarie University via a Cotutelle Macquarie University Research Scholarship. vii Declaration This thesis is submitted in fulfilment of the requirements of the degree of Doctor of Philosophy at Macquarie University and has not been submitted for a higher degree to any other university or institution. This thesis represents my original work and contributions. I certify that to the best of my knowledge, all sources and assistance received in the preparation of this thesis have been acknowledged. Przemyslaw Szczepan Sokolowski ix List of Publications 1. Ivica Nikoli´c,Josef Pieprzyk, Przemys law Soko lowski and Ron Steinfeld, Known and Chosen Key Differential Distinguishers for Block Ciphers, in Information Security and Cryptology - ICISC 2010, Lecture Notes in Com- puter Science 6829, Springer 2011, pp. 29 { 48 2. Lei Wei, Thomas Peyrin, Przemys law Soko lowski, San Ling, Josef Pieprzyk and Huaxiong Wang On the (In)Security of IDEA in Various Hashing Modes, in Fast Software Encryption 2012 - FSE 2012, Lecture Notes in Computer Science, to be published. Extended version available as: - Lei Wei, Thomas Peyrin, Przemys law Soko lowski, San Ling, Josef Pieprzyk and Huaxiong Wang On the (In)Security of IDEA in Various Hashing Modes, in IACR Cryptology ePrint Archive, Report 2011/420, 2011 3. Ivica Nikoli´c,Josef Pieprzyk, Przemys law Sokolowski and Ron Steinfeld Ro- tational Cryptanalysis of (Modified) Versions of BMW and SIMD, Available online at https://cryptolux.org/mediawiki/uploads/0/07/Rotational_ distinguishers_%28Nikolic%2C_Pieprzyk%2C_Sokolowski%2C_Steinfeld% 29.pdf xi 1. Introduction A cryptographic hash function is a transformation that maps an arbitrary length input, called the \message", into a fixed-length output, the \message digest". It is designed to be easily computable and has to achieve certain security properties, e.g.: preimage resistance, second preimage resistance, and collision resistance. Cryptographic hash functions are crucial parts of many cryptographic algo- rithms like digital signatures, message authentication algorithms and commit- ment protocols to name a few. For example, digital signatures can be of a fixed length no matter how long the signed messages are. This is normally done by signing the message digest (of a fixed length) instead of signing the whole mes- sage. Note that finding two messages that have the same digest immediately allows an adversary to replace the message with its colliding sibling as the re- ceiver making it impossible to determine which of the two colliding messages is genuine. 1.1. Cryptographic Hash Function Properties As previously mentioned, the fundamental properties of the cryptographic hash functions are: 1. preimage resistance { given digest d = H(M) for a message M, it is com- putationally difficult to find any message that gives the digest, 2. second preimage resistance { given message M, it is computationally diffi- cult to find a different message M 0 that gives the same digest, i.e. a message M 0 such that H(M) = H(M 0), 1 1. Introduction 3. collision resistance { it is computationally difficult to find two different messages M; M 0 that give the same digest, i.e. for two messages M and M 0, H(M) = H(M 0), where H is the hash function that takes a message M of arbitrary length and produces a fixed length digest (formal definition of the three properties is pro- vided in Section 2.1).