Rebound Attack
Florian Mendel
Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria
http://www.iaik.tugraz.at/ Outline
1 Motivation
2 Whirlpool Hash Function
3 Application of the Rebound Attack
4 Summary SHA-3 competition
Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition
Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09]
Tool in the differential cryptanalysis of hash functions
Invented during the design of Grøstl AES-based designs allow a simple application of the idea
Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack
Ebw Ein Efw
inbound outbound outbound
Applies to block cipher and permutation based designs:
E = Efw ◦ Ein ◦ Ebw P = Pfw ◦ Pin ◦ Pbw The Rebound Attack
Ebw Ein Efw
inbound outbound outbound
Inbound phase
efficient meet-in-the-middle phase in Ein using available degrees of freedom
Outbound phase
probabilistic part in Ebw and Efw repeat inbound phase if needed The Whirlpool Hash Function
M1 M2 M3 Mt
IV f f f f H(m)
designed by Barretto and Rijmen [BR00] evaluated by NESSIE
standardized by ISO/IEC 10118-3:2003
iterative, based on the Merkle-Damgard˚ design principle
message block, chaining values, hash size: 512 bit The Whirlpool Compression Function
key schedule Hj−1 SB SC MR AC
state update Mj SB SC MR AK Hj
512-bit hash value and using 512-bit message blocks
Block-cipher based design (similar to AES) Miyaguchi-Preneel mode with conservative key schedule The Whirlpool Round Transformations
SubBytes ShiftColumns MixRows AddRoundKey
Ki
S(x) +
The state update and the key schedule update an 8 × 8 state S and K of 64 bytes
10 rounds each
AES like round transformation
ri = AK ◦ MR ◦ SC ◦ SB Notations
Round i
Ci SB SC MR Ki−1 Ki Ki Ki Ki
SB SC MR AC
SB SC MR Si−1 Si Si Si Si
SB SC MR AK ∆Mj
Collision Attack on Whirlpool
key schedule Hj−1 SB SC MR AC
state update Mj SB SC MR AK Hj
1-block collision:
fixed Hj−1 (to IV )
∗ ∗ f (Mj , Hj−1) = f (Mj , Hj−1), Mj 6= Mj
generic complexity 2256 (n = 512) Mj
Collision Attack on Whirlpool
key schedule Hj−1 SB SC MR AC
state update ∆Mj SB SC MR AK Hj
1-block collision:
fixed Hj−1 (to IV )
∗ ∗ f (Mj , Hj−1) = f (Mj , Hj−1), Mj 6= Mj
generic complexity 2256 (n = 512) constant
How to find a message pair following the differential trail?
Collision Attack on 4 Rounds
K0 K1 K2 K3 K4
SB SB SB SB SC SC SC SC IV MR MR MR MR AC AC AC AC
S0 S1 S2 S3 S4
SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK
Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 → 8 → 64 → 8)
maximum differential probability: (2−5)81 = 2−405 How to find a message pair following the differential trail?
Collision Attack on 4 Rounds
K0 K1 K2 K3 K4 SB constantSB SB SB SC SC SC SC IV MR MR MR MR AC AC AC AC
S0 S1 S2 S3 S4
SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK
Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 → 8 → 64 → 8)
maximum differential probability: (2−5)81 = 2−405 Collision Attack on 4 Rounds
K0 K1 K2 K3 K4 SB constantSB SB SB SC SC SC SC IV MR MR MR MR AC AC AC AC
S0 S1 S2 S3 S4
SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK
Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 → 8 → 64 → 8)
maximum differential probability: (2−5)81 = 2−405
How to find a message pair following the differential trail? First: Use Truncated Differences
S0 S1 S2 S3 S4
SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK
byte-wise truncated differences: active / not active we do not mind about actual differences
single active byte at input and output is enough probabilistic in MixRows: 2−56 for 8 → 1
we can remove many restrictions (more freedom) hopefully less complexity of message search meet in the middle?
inside out?
rebound!
How to Find a Message Pair?
S0 S1 S2 S3 S4
SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK
message modification? inside out?
rebound!
How to Find a Message Pair?
S0 S1 S2 S3 S4
SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK
message modification?
meet in the middle? rebound!
How to Find a Message Pair?
S0 S1 S2 S3 S4
SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK
message modification?
meet in the middle?
inside out? How to Find a Message Pair?
S0 S1 S2 S3 S4
SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK
message modification?
meet in the middle?
inside out?
rebound! Rebound Attack on 4 Rounds [MRST09]
S0 S1 S2 S3 S4
SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK
outbound phase inbound phase outbound phase
Inbound phase (1) start with differences in round 2 and 3
(2) match-in-the-middle at S-box using values of the state
Outbound phase (3) probabilistic propagation in MixRows in round 1 and 4
(4) match one-byte difference of feed-forward ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 85 50 cc 6d 9a 49 43 c5 0d cc 01 0a 70 43 e9 27 ? a2 b1 63 11 96 1e 4d 04 b1 60 20 f4 1e cd bf 10 f8 ed 85 b7 43 5a d5 fc 16 27 51 43 15 de 2b f8 4d 34 96 90 f1 f8 07 5e
SB linearly propagate all differences backward to S3
SC linearly propagate row-wise forward from S2 to S2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row
Inbound Phase
SC SB MR S2 S2 S3 S3 3a c0 e6 MR SC b9 SB AK MR 5a 8c 08 c0
get values
MR (1) Start with arbitrary differences in state S3 ee ee ee 9f ee 23 71 c1 cd
?
SC linearly propagate row-wise forward from S2 to S2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row
Inbound Phase
SC SB MR S2 S2 S3 S3 e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR a2 b1 63 11 96 1e 4d 04 SC b9 SB AK b1 60 20 f4 1e cd bf 10 MR 5a f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0
differences
get values
MR (1) Start with arbitrary differences in state S3
SB linearly propagate all differences backward to S3 ?
(2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row
Inbound Phase
SC SB MR S2 S2 S3 S3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR a2 b1 63 11 96 1e 4d 04 SC b9 SB AK b1 60 20 f4 1e cd bf 10 MR 5a f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0
differences differences
get values
MR (1) Start with arbitrary differences in state S3
SB linearly propagate all differences backward to S3
SC linearly propagate row-wise forward from S2 to S2 Inbound Phase
SC SB MR S2 S2 S3 S3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR ? a2 b1 63 11 96 1e 4d 04 SC b9 SB AK b1 60 20 f4 1e cd bf 10 MR 5a f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0
differences match differences differences
get values
MR (1) Start with arbitrary differences in state S3
SB linearly propagate all differences backward to S3
SC linearly propagate row-wise forward from S2 to S2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row Match-in-the-Middle for Single S-box
∆a Sbox ∆b
Check for matching input/output differences
Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b
Use Difference Distribution Table (DDT) Difference Distribution Table (Whirlpool)
in \ out 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 00 0000000000000000 01 0620062000400000 02 0000000200004000 03 0220220020000002 04 0022040002222020 05 0000020200000042 06 .4020020026240220. 07 .0220020040202020. 08 .0000222000022440. 09 8000242200000202 0a 0000202020200000 0b 8222200002222204 0c 0220000402200242 0d 0220024400220002 0e 4042000020204200 0f 0200020000002022 ...
Differences can be connected if there is a non-zero entry in the table Match-in-the-Middle for Single S-box
∆a Sbox ∆b
Check for matching input/output differences
Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b
Using Difference Distribution Table (DDT)
Solve equation for all x and count the number of solutions Difference Distribution Table (Whirlpool)
The number of differentials and possible pairs for the Sbox
solutions frequency 0 39655 2 20018 4 5043 6 740 8 79 256 1
25880/65025 entries (with ∆a, ∆b 6= 0) in DDT are nonzero
we get either 2, 4, 6 or 8 values for each match
25880 65280 65025 · 25880 = 1.004 values (right pairs) on average Match-in-the-Middle for Single S-box
∆a Sbox ∆b
Check for matching input/output differences
Using Difference Distribution Table (DDT)
Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b
Solve equation for all x and count the number of solutions. ∼ 1 value (right pair) on average we need to solve each row at once: complexity ∼ 210.6 (average 1)
Inbound Phase
SC SB MR S2 S2 S3 S3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR ? a2 b1 63 11 96 1e 4d 04 SC b9 SB AK b1 60 20 f4 1e cd bf 10 MR 5a f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0
differences differences
get values
MR (1) Start with arbitrary differences in state S3
SB linearly propagate all differences backward to S3
SC linearly propagate row-wise forward from S2 to S2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) ?
Inbound Phase
SC SB MR S2 S2 S3 S3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR a2 b1 63 11 96 1e 4d 04 SC b9 SB AK b1 60 20 f4 1e cd bf 10 MR 5a f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0
differences match differences differences
get values
MR (1) Start with arbitrary differences in state S3
SB linearly propagate all differences backward to S3
SC linearly propagate row-wise forward from S2 to S2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) we need to solve each row at once: complexity ∼ 210.6 (average 1) Outbound Phase
S0 S1 S2 S3 S4
SB SB SB SB SC SC SC SC MR MR MR MR AK AK AK AK
outbound inbound outbound
2−56 average 1 2−56
(3) Propagate through MixRows of round 1 and round 4
using truncated differences (active bytes: 8 → 1)
probability: 2−56 in each direction
(4) Match difference in one active byte of feed-forward (2−8)
⇒ collision for 4 rounds of Whirlpool with complexity 2120 Extending the Attack to 5 Rounds [LMR+09]
S0 S1 S2 S3 S4 S5
SB SB SB SB SB SC SC SC SC SC MR MR MR MR MR AK AK AK AK AK
outbound inbound outbound
2−56 average 1 2−56
By adding one round in the inbound phase of the attack we can extend the attack to 5 rounds
The outbound phase is identical to the attack on 4 rounds probability: 2−120 similar to 64-bit S-box (DDT has size 2128)
match
ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 0d cc 01 0a 70 43 e9 27 e6 72 cd 3d 83 11 76 ab b4 c8 a2 b1 63 11 96 1e 4d 04 b9 73 45 f2 54 2f 21 a6 1c d2 b1 60 20 f4 1e cd bf 10 5a ff b5 26 9f 3a 94 67 ef 3f f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff 4d 34 96 90 f1 f8 07 5e c0
differences match differences differences
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB)
Inbound Phase
SC ∗ SB MR S2 S2 S4 S4
SB MR MR SC AK AK MR SC SB
SC MR (1) Start with arbitrary differences in state S2 and S4 similar to 64-bit S-box (DDT has size 2128)
match
ee ee ee 9f ee 23 71 c1 cd 45 13 56 94 ca 2a f1 91 26 a2 47 d3 7b 3f 79 5c 62 a5 72 cd 3d 83 11 76 ab b4 c8 73 45 f2 54 2f 21 a6 1c d2 ff b5 26 9f 3a 94 67 ef 3f f6 27 d8 2a af 73 9c b2 15 32 9a 67 7b 8d 52 ab 92 ff
differences match differences
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB)
Inbound Phase
SC ∗ SB MR S2 S2 S4 S4 e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 SB 0d cc 01 0a 70 43 e9 27 e6 MR MR a2 b1 63 11 96 1e 4d 04 SC b9 AK AK b1 60 20 f4 1e cd bf 10 MR 5a SC SB f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0
differences
SC MR (1) Start with arbitrary differences in state S2 and S4 similar to 64-bit S-box (DDT has size 2128)
match
match differences
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB)
Inbound Phase
SC ∗ SB MR S2 S2 S4 S4 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 SB 0d cc 01 0a 70 43 e9 27 e6 MR 72 cd 3d 83 11 76 ab b4 c8 MR a2 b1 63 11 96 1e 4d 04 SC b9 AK 73 45 f2 54 2f 21 a6 1c d2 AK b1 60 20 f4 1e cd bf 10 MR 5a SC ff b5 26 9f 3a 94 67 ef 3f SB f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff 4d 34 96 90 f1 f8 07 5e c0
differences differences
SC MR (1) Start with arbitrary differences in state S2 and S4 match differences
similar to 64-bit S-box (DDT has size 2128)
Inbound Phase
match SC ∗ SB MR S2 S2 S4 S4 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 SB 0d cc 01 0a 70 43 e9 27 e6 MR 72 cd 3d 83 11 76 ab b4 c8 MR a2 b1 63 11 96 1e 4d 04 SC b9 AK 73 45 f2 54 2f 21 a6 1c d2 AK b1 60 20 f4 1e cd bf 10 MR 5a SC ff b5 26 9f 3a 94 67 ef 3f SB f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff 4d 34 96 90 f1 f8 07 5e c0
differences differences
SC MR (1) Start with arbitrary differences in state S2 and S4
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB) Inbound Phase
match SC ∗ SB MR S2 S2 S4 S4 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 SB 0d cc 01 0a 70 43 e9 27 e6 MR 72 cd 3d 83 11 76 ab b4 c8 MR a2 b1 63 11 96 1e 4d 04 SC b9 AK 73 45 f2 54 2f 21 a6 1c d2 AK b1 60 20 f4 1e cd bf 10 MR 5a SC ff b5 26 9f 3a 94 67 ef 3f SB f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff 4d 34 96 90 f1 f8 07 5e c0
differences match differences differences
SC MR (1) Start with arbitrary differences in state S2 and S4
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB) similar to 64-bit S-box (DDT has size 2128) with complexity 264 we get ∼ 264 right pairs
time-memory trade-off with T · M = 2128 with T ≥ 264
match
ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 0d cc 01 0a 70 43 e9 27 e6 72 cd 3d 83 11 76 ab b4 c8 a2 b1 63 11 96 1e 4d 04 b9 73 45 f2 54 2f 21 a6 1c d2 b1 60 20 f4 1e cd bf 10 5a ff b5 26 9f 3a 94 67 ef 3f f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff 4d 34 96 90 f1 f8 07 5e c0
differences match differences differences
264 values/differences 264 differences
we propagate all 264 differences backward at once
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB)
Inbound Phase
SC ∗ SB MR S2 S2 S4 S4
SB MR MR SC AK AK MR SC SB
SC MR (1) Start with arbitrary differences in state S2 and S4 with complexity 264 we get ∼ 264 right pairs
time-memory trade-off with T · M = 2128 with T ≥ 264
match
ee ee ee 9f ee 23 71 c1 cd 45 13 56 94 ca 2a f1 91 26 a2 47 d3 7b 3f 79 5c 62 a5 72 cd 3d 83 11 76 ab b4 c8 73 45 f2 54 2f 21 a6 1c d2 ff b5 26 9f 3a 94 67 ef 3f f6 27 d8 2a af 73 9c b2 15 32 9a 67 7b 8d 52 ab 92 ff
differences match differences
264 values/differences
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB)
Inbound Phase
SC ∗ SB MR S2 S2 S4 S4 e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 SB 0d cc 01 0a 70 43 e9 27 e6 MR MR a2 b1 63 11 96 1e 4d 04 SC b9 AK AK b1 60 20 f4 1e cd bf 10 MR 5a SC SB f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0
differences
264 differences
SC MR (1) Start with arbitrary differences in state S2 and S4 we propagate all 264 differences backward at once with complexity 264 we get ∼ 264 right pairs
time-memory trade-off with T · M = 2128 with T ≥ 264
match
match differences
264 values/differences
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB)
Inbound Phase
SC ∗ SB MR S2 S2 S4 S4 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 SB 0d cc 01 0a 70 43 e9 27 e6 MR 72 cd 3d 83 11 76 ab b4 c8 MR a2 b1 63 11 96 1e 4d 04 SC b9 AK 73 45 f2 54 2f 21 a6 1c d2 AK b1 60 20 f4 1e cd bf 10 MR 5a SC ff b5 26 9f 3a 94 67 ef 3f SB f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff 4d 34 96 90 f1 f8 07 5e c0
differences differences
264 differences
SC MR (1) Start with arbitrary differences in state S2 and S4 we propagate all 264 differences backward at once match differences
264 values/differences
with complexity 264 we get ∼ 264 right pairs
time-memory trade-off with T · M = 2128 with T ≥ 264
Inbound Phase
match SC ∗ SB MR S2 S2 S4 S4 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 SB 0d cc 01 0a 70 43 e9 27 e6 MR 72 cd 3d 83 11 76 ab b4 c8 MR a2 b1 63 11 96 1e 4d 04 SC b9 AK 73 45 f2 54 2f 21 a6 1c d2 AK b1 60 20 f4 1e cd bf 10 MR 5a SC ff b5 26 9f 3a 94 67 ef 3f SB f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff 4d 34 96 90 f1 f8 07 5e c0
differences differences
264 differences
SC MR (1) Start with arbitrary differences in state S2 and S4 we propagate all 264 differences backward at once
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB) with complexity 264 we get ∼ 264 right pairs
time-memory trade-off with T · M = 2128 with T ≥ 264
Inbound Phase
match SC ∗ SB MR S2 S2 S4 S4 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 SB 0d cc 01 0a 70 43 e9 27 e6 MR 72 cd 3d 83 11 76 ab b4 c8 MR a2 b1 63 11 96 1e 4d 04 SC b9 AK 73 45 f2 54 2f 21 a6 1c d2 AK b1 60 20 f4 1e cd bf 10 MR 5a SC ff b5 26 9f 3a 94 67 ef 3f SB f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff 4d 34 96 90 f1 f8 07 5e c0
differences match differences differences
264 values/differences 264 differences
SC MR (1) Start with arbitrary differences in state S2 and S4 we propagate all 264 differences backward at once
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB) time-memory trade-off with T · M = 2128 with T ≥ 264
Inbound Phase
match SC ∗ SB MR S2 S2 S4 S4 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 SB 0d cc 01 0a 70 43 e9 27 e6 MR 72 cd 3d 83 11 76 ab b4 c8 MR a2 b1 63 11 96 1e 4d 04 SC b9 AK 73 45 f2 54 2f 21 a6 1c d2 AK b1 60 20 f4 1e cd bf 10 MR 5a SC ff b5 26 9f 3a 94 67 ef 3f SB f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff 4d 34 96 90 f1 f8 07 5e c0
differences match differences differences
264 values/differences 264 differences
SC MR (1) Start with arbitrary differences in state S2 and S4 we propagate all 264 differences backward at once
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB) with complexity 264 we get ∼ 264 right pairs Inbound Phase
match SC ∗ SB MR S2 S2 S4 S4 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 SB 0d cc 01 0a 70 43 e9 27 e6 MR 72 cd 3d 83 11 76 ab b4 c8 MR a2 b1 63 11 96 1e 4d 04 SC b9 AK 73 45 f2 54 2f 21 a6 1c d2 AK b1 60 20 f4 1e cd bf 10 MR 5a SC ff b5 26 9f 3a 94 67 ef 3f SB f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff 4d 34 96 90 f1 f8 07 5e c0
differences match differences differences
264 values/differences 264 differences
SC MR (1) Start with arbitrary differences in state S2 and S4 we propagate all 264 differences backward at once
(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB) with complexity 264 we get ∼ 264 right pairs
time-memory trade-off with T · M = 2128 with T ≥ 264 ⇒ Construct 2120 starting points in the inbound phase with average complexity 1 (but increased memory of 264)
Extending the Attack to 5 Rounds [LMR+09]
S0 S1 S2 S3 S4 S5
SB SB SB SB SB SC SC SC SC SC MR MR MR MR MR AK AK AK AK AK
outbound inbound outbound
2−56 average 1 2−56
By adding one round in the inbound phase of the attack we can extend the attack to 5 rounds
The outbound phase is identical to the attack on 4 rounds probability: 2−120 Extending the Attack to 5 Rounds [LMR+09]
S0 S1 S2 S3 S4 S5
SB SB SB SB SB SC SC SC SC SC MR MR MR MR MR AK AK AK AK AK
outbound inbound outbound
2−56 average 1 2−56
By adding one round in the inbound phase of the attack we can extend the attack to 5 rounds
The outbound phase is identical to the attack on 4 rounds probability: 2−120
⇒ Construct 2120 starting points in the inbound phase with average complexity 1 (but increased memory of 264) Complexity ⇒ 2256 for 1 solution
⇒ Complexity is too high for a collision attack
Extending the Attack to 6 Rounds?
SC MR S2 S2 S3 S4 S5
SB SB SB MR SC SC SC AK MR MR MR AK AK
Add one more round in the inbound phase [JNPP12] ⇒ Complexity is too high for a collision attack
Extending the Attack to 6 Rounds?
SC MR S2 S2 S3 S4 S5
SB SB SB MR SC SC SC AK MR MR MR AK AK
Add one more round in the inbound phase [JNPP12] Complexity ⇒ 2256 for 1 solution Extending the Attack to 6 Rounds?
SC MR S2 S2 S3 S4 S5
SB SB SB MR SC SC SC AK MR MR MR AK AK
Add one more round in the inbound phase [JNPP12] Complexity ⇒ 2256 for 1 solution
⇒ Complexity is too high for a collision attack From Collisions to Near-Collisions
S0 S1 S2 S3 S4 S5 S6 S7 SB SB SB SB SB SB SB SC SC SC SC SC SC SC MB MB MB MB MB MB MB AK AK AK AK AK AK AK
1 2−56 average 1 2−56 1
Add one round at input and output no additional complexity
MixRows: 1 → 8 with probability 1
⇒ Near-collision attack for 7 rounds time complexity 2112 and 264 memory using multiple inbound phases
Extend previous attacks by 2 rounds
Outbound phases of attacks stay the same
Compression Function Attacks
key schedule Hj−1 SB SC MR AC
state update ∆Mj SB SC MR AK Hj
We can freely choose the chaining input Hj−1
no differences in Hj−1 semi-free-start (near-) collisions Outbound phases of attacks stay the same
Compression Function Attacks
key schedule Hj−1 SB SC MR AC
state update ∆Mj SB SC MR AK Hj
We can freely choose the chaining input Hj−1
no differences in Hj−1 semi-free-start (near-) collisions
Extend previous attacks by 2 rounds using multiple inbound phases Compression Function Attacks
key schedule Hj−1 SB SC MR AC
state update ∆Mj SB SC MR AK Hj
We can freely choose the chaining input Hj−1
no differences in Hj−1 semi-free-start (near-) collisions
Extend previous attacks by 2 rounds using multiple inbound phases
Outbound phases of attacks stay the same 1st inbound phase connect 2nd inbound phase
connect them using 512-bit freedom of key input MR -(S3 = S2 ⊕ K3)
Inbound Phase
S0 S1 S2 S3 S4 S5
SB SB SB SB SB SC SC SC SC SC MR MR MR MR MR AK AK AK AK AK
Basic Idea:
use two independent inbound phases connect 2nd inbound phase
connect them using 512-bit freedom of key input MR -(S3 = S2 ⊕ K3)
Inbound Phase
S0 S1 S2 S3 S4 S5
SB SB SB SB SB SC SC SC SC SC MR MR MR MR MR AK AK AK AK AK
1st inbound phase
Basic Idea:
use two independent inbound phases connect
connect them using 512-bit freedom of key input MR -(S3 = S2 ⊕ K3)
Inbound Phase
S0 S1 S2 S3 S4 S5
SB SB SB SB SB SC SC SC SC SC MR MR MR MR MR AK AK AK AK AK
1st inbound phase 2nd inbound phase
Basic Idea:
use two independent inbound phases Inbound Phase
S0 S1 S2 S3 S4 S5
SB SB SB SB SB SC SC SC SC SC MR MR MR MR MR AK AK AK AK AK
1st inbound phase connect 2nd inbound phase
Basic Idea:
use two independent inbound phases
connect them using 512-bit freedom of key input MR -(S3 = S2 ⊕ K3) connect rows independently
find 264 solutions with complexity 2128
⇒ Collision on 7 and near-collision on 9 rounds
Inbound Phase
S0 S1 S2 S3 S4 S5
SB SB SB SB SB SC SC SC SC SC MR MR MR MR MR AK AK AK AK AK
1st inbound phase connect 2nd inbound phase
In practice: Slightly more tricky than that (3 key inputs involved) find 264 solutions with complexity 2128
⇒ Collision on 7 and near-collision on 9 rounds
Inbound Phase
S0 S1 S2 S3 S4 S5
SB SB SB SB SB SC SC SC SC SC MR MR MR MR MR AK AK AK AK AK
1st inbound phase connect 2nd inbound phase
In practice: Slightly more tricky than that (3 key inputs involved)
connect rows independently ⇒ Collision on 7 and near-collision on 9 rounds
Inbound Phase
S0 S1 S2 S3 S4 S5
SB SB SB SB SB SC SC SC SC SC MR MR MR MR MR AK AK AK AK AK
1st inbound phase connect 2nd inbound phase
In practice: Slightly more tricky than that (3 key inputs involved)
connect rows independently
find 264 solutions with complexity 2128 Inbound Phase
S0 S1 S2 S3 S4 S5
SB SB SB SB SB SC SC SC SC SC MR MR MR MR MR AK AK AK AK AK
1st inbound phase connect 2nd inbound phase
In practice: Slightly more tricky than that (3 key inputs involved)
connect rows independently
find 264 solutions with complexity 2128
⇒ Collision on 7 and near-collision on 9 rounds .5 .5 .5 .5 10 2188 264 distinguisher
Summary of Results on Whirlpool
computational memory target rounds type complexity requirements hash 5 2184−s 2s collision function 7 2176−s 2s near-collision 7 2184 264 collision compression 9 2176 264 near-collision function 10 2188 264 distinguisher
Summary of Results on Whirlpool
computational memory target rounds type complexity requirements hash 5.5 2184−s 2s collision function 7.5 2176−s 2s near-collision 7.5 2184 264 collision compression 9.5 2176 264 near-collision function Summary of Results on Whirlpool
computational memory target rounds type complexity requirements hash 5.5 2184−s 2s collision function 7.5 2176−s 2s near-collision 7.5 2184 264 collision compression 9.5 2176 264 near-collision function 10 2188 264 distinguisher Summary
Basic principle not that difficult efficient inbound phase (average 1)
probabilistic outbound phase (determined by linear layer)
Difficulty in constructing and merging inbound phases finding good and sparse truncated differential paths efficient way to use available freedom for merge
⇒ powerful tool in the cryptanalysis of hash functions Thank you for your attention!
http://eprint.iacr.org/2010/198 ReferencesI
Paulo S. L. M. Barreto and Vincent Rijmen. The WHIRLPOOL Hashing Function. Submitted to NESSIE, September 2000, revised May 2003, 2000. Available online: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html. Henri Gilbert and Thomas Peyrin. Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations. In Seokhie Hong and Tetsu Iwata, editors, FSE, volume 6147 of LNCS, pages 365–383. Springer, 2010. Jer´ emy´ Jean, Mar´ıa Naya-Plasencia, and Thomas Peyrin. Improved Rebound Attack on the Finalist Grøstl. In Anne Canteaut, editor, FSE, volume 7549 of LNCS, pages 110–126. Springer, 2012. Jer´ emy´ Jean, Mar´ıa Naya-Plasencia, and Martin Schlaffer.¨ Improved Analysis of ECHO-256. In Ali Miri and Serge Vaudenay, editors, Selected Areas in Cryptography, volume 7118 of LNCS, pages 19–36. Springer, 2011. Stefan Kolbl¨ and Florian Mendel. Practical Attacks on the Maelstrom-0 Compression Function. In Javier Lopez and Gene Tsudik, editors, ACNS, volume 6715 of LNCS, pages 449–461, 2011. Dmitry Khovratovich, Mar´ıa Naya-Plasencia, Andrea Rock,¨ and Martin Schlaffer.¨ Cryptanalysis of Luffa v2 Components. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages 388–409. Springer, 2010. ReferencesII
Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, and Martin Schlaffer.¨ Rebound Distinguishers: Results on the Full Whirlpool Compression Function. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 126–143. Springer, 2009. Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, and Martin Schlaffer.¨ The Rebound Attack and Subspace Distinguishers: Application to Whirlpool. Cryptology ePrint Archive, Report 2010/198, 2010. Krystian Matusiewicz, Mar´ıa Naya-Plasencia, Ivica Nikolic,´ Yu Sasaki, and Martin Schlaffer.¨ Rebound Attack on the Full Lane Compression Function. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 106–125. Springer, 2009. Marine Minier, Mar´ıa Naya-Plasencia, and Thomas Peyrin. Analysis of Reduced-SHAvite-3-256 v2. In Antoine Joux, editor, FSE, volume 6733 of LNCS, pages 68–87. Springer, 2011. Florian Mendel, Thomas Peyrin, Christian Rechberger, and Martin Schlaffer.¨ Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages 16–35. Springer, 2009. Florian Mendel, Christian Rechberger, and Martin Schlaffer.¨ Cryptanalysis of Twister. In Michel Abdalla, David Pointcheval, Pierre-Alain Fouque, and Damien Vergnaud, editors, ACNS, volume 5536 of LNCS, pages 342–353, 2009. References III
Florian Mendel, Christian Rechberger, Martin Schlaffer,¨ and Søren S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, FSE, volume 5665 of LNCS, pages 260–276. Springer, 2009. Florian Mendel, Christian Rechberger, Martin Schlaffer,¨ and Søren S. Thomsen. Rebound Attacks on the Reduced Grøstl Hash Function. In Josef Pieprzyk, editor, CT-RSA, volume 5985 of LNCS, pages 350–365. Springer, 2010. Mar´ıa Naya-Plasencia. How to Improve Rebound Attacks. In Phillip Rogaway, editor, CRYPTO, volume 6841 of LNCS, pages 188–205. Springer, 2011. Mar´ıa Naya-Plasencia, Deniz Toz, and Kerem Varici. Rebound Attack on JH42. In Dong Hoon Lee and Xiaoyun Wang, editors, ASIACRYPT, volume 7073 of LNCS, pages 252–269. Springer, 2011. Thomas Peyrin. Improved Differential Attacks for ECHO and Grøstl. In Tal Rabin, editor, CRYPTO, volume 6223 of LNCS, pages 370–392. Springer, 2010. Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, and Kazuo Ohta. Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl. In Masayuki Abe, editor, ASIACRYPT, volume 6477 of LNCS, pages 38–55. Springer, 2010. Yu Sasaki, Lei Wang, Shuang Wu, and Wenling Wu. Investigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision Attacks. In Xiaoyun Wang and Kazue Sako, editors, ASIACRYPT, volume 7658 of LNCS, pages 562–579. Springer, 2012.