DARXplorer: a Toolbox for Cryptanalysis and Cipher Designers
Dennis Hoppe, Bauhaus-University Weimar
22nd April 2009

Agenda
1. Introduction to Hash Functions
2. The ThreeFish Block Cipher
3. Differential Cryptanalysis
4. DARXplorer - DC of ThreeFish
5. Results on ThreeFish
6. Generalization of DARXplorer

Introduction to Hash Functions

Hash Functions
- A hash function $H : \{0,1\}^* \to \{0,1\}^n$ is used to compute an $n$-bit fingerprint from an arbitrarily-sized input $M \in \{0,1\}^*$
- Most of them are based on a compression function $C : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^n$ with fixed size input
- Computation: $H_i := C(H_{i-1}, M_i)$

[Figure: chain of compression functions C taking H[0], H[1], ..., H[L-1] to H[L] over the message blocks M[1], M[2], ..., M[L]]

Introduction to Hash Functions - cont'd

Compression Functions
- A crucial building block of iterated hash functions is the compression function $C$
- Designers often make use of block ciphers
- Which properties should be imposed on $C$ to guarantee that the hash function satisfies certain properties?

Theorem (Damgård-Merkle)
If the compression function $C$ is collision-resistant, then the hash function $H$ is collision-resistant as well. If the compression function $C$ is preimage-resistant, then the hash function $H$ is preimage-resistant as well.

Introduction to Hash Functions - cont'd

Vulnerability of Hash Functions
- Black-Box attacks on the compression function
  - Exploit the way in which multiple compression functions are combined
  - Joux (2004), Kelsey and Kohno (2006)
- Attacks dependent on the internal details of the compression function
  - Make use of cryptanalytical techniques
  - One of the most successful attacks against block ciphers is Differential Cryptanalysis
  - Used to cryptanalyze MD4, MD5 [Wang et al. (2004)]

Introduction to Block Ciphers

One-way compression functions built from block ciphers

[Figure: the Davies-Meyer and Matyas-Meyer-Oseas constructions, each built from a block cipher E with inputs $H_{i-1}$ and $m_i$ and output $H_i$]

The ThreeFish Block Cipher

Motivation
- Tweakable block cipher, designed with the purpose to be used as a building block for a hash function
- Provides speed, flexibility and ease of analysis to prove security
- Supports different block sizes (ThreeFish-n); n = 256, 512, 1024
- ThreeFish-n supports n-bit blocks and n-bit keys and a 128-bit tweak

Usage (Skein)
- Skein-n uses ThreeFish-n
- $H_i := C(H_{i-1}, T_i, M_i) := \mathrm{Threefish}_{H_{i-1}, T_i}(M_i) \oplus M_i$
- We have to show that the probability is below $2^{-2n-128}$ by providing an upper bound on the probability of the best exclusive-OR difference

The ThreeFish Block Cipher - cont'd

Structure of ThreeFish-256
- Non-linear MIX function on two 64-bit words
- Permutation
  - Input (A, B, C, D)
  - Output (A, D, C, B)
- Key Schedule
  - Generates subkeys
  - Injects subkeys each 8th round
  - Completely omitted in DARXplorer

[Figure: one round of ThreeFish-256: two MIX operations on the words (A, B, C, D), followed by PERMUTE giving (A, D, C, B)]

The ThreeFish Block Cipher - cont'd

MIX Operation
- Primitives: Addition mod $2^{64}$, Word-wise rotation, and Bit-wise exclusive-OR
- $\mathrm{MIX}(A, B, c) = (X, Y)$
  - $Y = A + B$
  - $X = (A \lll c) \oplus Y$

[Figure: the MIX operation with inputs A and B, a rotation by c, and outputs X and Y]

Differential Cryptanalysis

Differential Cryptanalysis [Biham and Shamir (1990)]
- Exploits the high probability of certain occurrences by tracing differences through the network
- In: $(X', X'')$, $\Delta X = X' \oplus X''$
- Out: $(Y', Y'')$, $\Delta Y = Y' \oplus Y''$
- Ideally randomizing cipher: the probability that a particular output difference $\Delta Y$ occurs given a particular input difference $\Delta X$ is $2^{-n}$

Differential Cryptanalysis - cont'd

Example (DC)
- Input Difference: $\Delta P_1$ = [0000 1011 0000 0000]
- Difference-Pair for S-Box: $S_{12} : \Delta X = \mathrm{B} \to \Delta Y = 2$ with probability $p_1 = 1/2$
- Output Difference: $\Delta V_1$ = [0000 0010 0000 0000]
- Try to find r-round characteristics!

Differential Cryptanalysis of ThreeFish

We need to make assumptions about the differential properties of the primitives.
- Differential exclusive-OR
  - $\delta w = \delta u \oplus \delta v$
  - $\Pr[\delta w] = 1.0$
- Differential rotations
  - $t = u \lll i$, $t' = (u \oplus \delta u) \lll i$
  - $\delta t = t \oplus t' = \delta u \lll i$
  - $\Pr[\delta t] = 1.0$
- Differential addition
  - Evaluating the differential properties of addition with respect to exclusive-OR is hard

Differential Cryptanalysis of ThreeFish - cont'd

Computing the Differential Properties of Addition [Lipmaa and Moriai (2001)]
- Due to the lack of theory it was hard to evaluate the security of ciphers that employ both exclusive-OR and addition
- Compute the probability that given input differences $\delta u$ and $\delta v$ result in the output difference $\delta s$
  - $DP^+(\delta u, \delta v \to \delta s)$
  - $\Theta(\log n)$ (worst-case), $\Theta(1) + t$ (average)
- Compute all "good" output differentials in a deterministic way
  - $DP^+_{\max}(\delta u, \delta v) = \max_{\delta s} \{ DP^+(\delta u, \delta v \to \delta s) \}$
  - $\Theta(\log n)$

Differential Cryptanalysis of ThreeFish - cont'd

Recap
- Regard input and output differences of the ThreeFish building blocks
  - MIX operation
  - Permutation
  - ⇒ A complete round
- Try to find r-round characteristics

DARXplorer - An Introduction

DARXplorer [Lucks (2008)]
Provides automatic
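
The differential rules from the slides (exclusive-OR and rotation with probability 1, addition via Lipmaa and Moriai), as an added Python example that is not code from the talk or from DARXplorer: it implements the Lipmaa-Moriai closed form for DP+, checks it against exhaustive counting on small words, and pushes one difference through MIX as the slide writes it. The function names, the small word sizes used for the check and the sample rotation constant are assumptions.

```python
from fractions import Fraction
from itertools import product

def eq(x, y, z, mask):
    """Bit i is set exactly where x, y and z agree at bit i."""
    return (~x ^ y) & (~x ^ z) & mask

def xdp_add(du, dv, ds, n):
    """DP+(du, dv -> ds) for addition mod 2^n, Lipmaa-Moriai closed form."""
    mask = (1 << n) - 1
    du1, dv1, ds1 = (du << 1) & mask, (dv << 1) & mask, (ds << 1) & mask
    # If all three differences agree at bit i-1, bit i of du^dv^ds must equal
    # that bit (and bit 0 must be 0); otherwise the differential is impossible.
    if eq(du1, dv1, ds1, mask) & (du ^ dv ^ ds ^ dv1):
        return Fraction(0)
    # Every non-MSB position where the differences disagree costs a factor 1/2.
    weight = bin(~eq(du, dv, ds, mask) & (mask >> 1)).count("1")
    return Fraction(1, 1 << weight)

def xdp_add_bruteforce(du, dv, ds, n):
    """Same probability by counting over all 2^(2n) input pairs (small n only)."""
    mask = (1 << n) - 1
    hits = sum(1 for u, v in product(range(1 << n), repeat=2)
               if (((u + v) ^ ((u ^ du) + (v ^ dv))) & mask) == ds)
    return Fraction(hits, 1 << (2 * n))

def rotl(x, c, n):
    """Rotate the n-bit word x left by c positions."""
    c %= n
    return ((x << c) | (x >> (n - c))) & ((1 << n) - 1)

def mix_differential(dA, dB, dY, c, n=64):
    """Differences through MIX as the slide writes it: Y = A + B,
    X = (A <<< c) xor Y. Rotation and XOR propagate with probability 1,
    so the probability of the step is DP+(dA, dB -> dY)."""
    return rotl(dA, c, n) ^ dY, dY, xdp_add(dA, dB, dY, n)

def closed_form_matches_bruteforce(n):
    """Compare both computations over every n-bit difference triple."""
    return all(xdp_add(a, b, s, n) == xdp_add_bruteforce(a, b, s, n)
               for a, b, s in product(range(1 << n), repeat=3))

if __name__ == "__main__":
    print(closed_form_matches_bruteforce(4))
    # Constructed input: MSB difference in A, rotation constant 5 chosen arbitrarily.
    print(mix_differential(1 << 63, 0, 1 << 63, 5))
```

A difference confined to the most significant bit passes the addition with probability 1, which is why such differences are the natural starting point when searching for r-round characteristics.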