DOCSLIB.ORG

Rebound Attack

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Rebound Attack Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline 1 Motivation 2 Whirlpool Hash Function 3 Application of the Rebound Attack 4 Summary SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack Ebw Ein Efw inbound outbound outbound Applies to block cipher and permutation based designs: E = Efw ◦ Ein ◦ Ebw P = Pfw ◦ Pin ◦ Pbw The Rebound Attack Ebw Ein Efw inbound outbound outbound Inbound phase efficient meet-in-the-middle phase in Ein using available degrees of freedom Outbound phase probabilistic part in Ebw and Efw repeat inbound phase if needed The Whirlpool Hash Function M1 M2 M3 Mt IV f f f f H(m) designed by Barretto and Rijmen [BR00] evaluated by NESSIE standardized by ISO/IEC 10118-3:2003 iterative, based on the Merkle-Damgard˚ design principle message block, chaining values, hash size: 512 bit The Whirlpool Compression Function key schedule Hj−1 SB SC MR AC state update Mj SB SC MR AK Hj 512-bit hash value and using 512-bit message blocks Block-cipher based design (similar to AES) Miyaguchi-Preneel mode with conservative key schedule The Whirlpool Round Transformations SubBytes ShiftColumns MixRows AddRoundKey Ki S(x) + The state update and the key schedule update an 8 × 8 state S and K of 64 bytes 10 rounds each AES like round transformation ri = AK ◦ MR ◦ SC ◦ SB Notations Round i Ci SB SC MR Ki−1 Ki Ki Ki Ki SB SC MR AC SB SC MR Si−1 Si Si Si Si SB SC MR AK ∆Mj Collision Attack on Whirlpool key schedule Hj−1 SB SC MR AC state update Mj SB SC MR AK Hj 1-block collision: fixed Hj−1 (to IV ) ∗ ∗ f (Mj ; Hj−1) = f (Mj ; Hj−1); Mj 6= Mj generic complexity 2256 (n = 512) Mj Collision Attack on Whirlpool key schedule Hj−1 SB SC MR AC state update ∆Mj SB SC MR AK Hj 1-block collision: fixed Hj−1 (to IV ) ∗ ∗ f (Mj ; Hj−1) = f (Mj ; Hj−1); Mj 6= Mj generic complexity 2256 (n = 512) constant How to find a message pair following the differential trail? Collision Attack on 4 Rounds K0 K1 K2 K3 K4 SB SB SB SB SC SC SC SC IV MR MR MR MR AC AC AC AC S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 ! 8 ! 64 ! 8) maximum differential probability: (2−5)81 = 2−405 How to find a message pair following the differential trail? Collision Attack on 4 Rounds K0 K1 K2 K3 K4 SB constantSB SB SB SC SC SC SC IV MR MR MR MR AC AC AC AC S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 ! 8 ! 64 ! 8) maximum differential probability: (2−5)81 = 2−405 Collision Attack on 4 Rounds K0 K1 K2 K3 K4 SB constantSB SB SB SC SC SC SC IV MR MR MR MR AC AC AC AC S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 ! 8 ! 64 ! 8) maximum differential probability: (2−5)81 = 2−405 How to find a message pair following the differential trail? First: Use Truncated Differences S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK byte-wise truncated differences: active / not active we do not mind about actual differences single active byte at input and output is enough probabilistic in MixRows: 2−56 for 8 ! 1 we can remove many restrictions (more freedom) hopefully less complexity of message search meet in the middle? inside out? rebound! How to Find a Message Pair? S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK message modification? inside out? rebound! How to Find a Message Pair? S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK message modification? meet in the middle? rebound! How to Find a Message Pair? S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK message modification? meet in the middle? inside out? How to Find a Message Pair? S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK message modification? meet in the middle? inside out? rebound! Rebound Attack on 4 Rounds [MRST09] S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK outbound phase inbound phase outbound phase Inbound phase (1) start with differences in round 2 and 3 (2) match-in-the-middle at S-box using values of the state Outbound phase (3) probabilistic propagation in MixRows in round 1 and 4 (4) match one-byte difference of feed-forward ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 85 50 cc 6d 9a 49 43 c5 0d cc 01 0a 70 43 e9 27 ? a2 b1 63 11 96 1e 4d 04 b1 60 20 f4 1e cd bf 10 f8 ed 85 b7 43 5a d5 fc 16 27 51 43 15 de 2b f8 4d 34 96 90 f1 f8 07 5e SB linearly propagate all differences backward to S3 SC linearly propagate row-wise forward from S2 to S2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row Inbound Phase SC SB MR S2 S2 S3 S3 3a c0 e6 MR SC b9 SB AK MR 5a 8c 08 c0 get values MR (1) Start with arbitrary differences in state S3 ee ee ee 9f ee 23 71 c1 cd ? SC linearly propagate row-wise forward from S2 to S2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row Inbound Phase SC SB MR S2 S2 S3 S3 e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR a2 b1 63 11 96 1e 4d 04 SC b9 SB AK b1 60 20 f4 1e cd bf 10 MR 5a f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences get values MR (1) Start with arbitrary differences in state S3 SB linearly propagate all differences backward to S3 ? (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row Inbound Phase SC SB MR S2 S2 S3 S3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR a2 b1 63 11 96 1e 4d 04 SC b9 SB AK b1 60 20 f4 1e cd bf 10 MR 5a f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences differences get values MR (1) Start with arbitrary differences in state S3 SB linearly propagate all differences backward to S3 SC linearly propagate row-wise forward from S2 to S2 Inbound Phase SC SB MR S2 S2 S3 S3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR ? a2 b1 63 11 96 1e 4d 04 SC b9 SB AK b1 60 20 f4 1e cd bf 10 MR 5a f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences match differences differences get values MR (1) Start with arbitrary differences in state S3 SB linearly propagate all differences backward to S3 SC linearly propagate row-wise forward from S2 to S2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row Match-in-the-Middle for Single S-box ∆a Sbox ∆b Check for matching input/output differences Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b Use Difference Distribution Table (DDT) Difference Distribution Table (Whirlpool) in n out 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 00 0000000000000000 01 0620062000400000 02 0000000200004000 03 0220220020000002 04 0022040002222020 05 0000020200000042 06 .4020020026240220.
Load more

Recommended publications
  • RESOURCE-EFFICIENT CRYPTOGRAPHY for UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective
    RESOURCE-EFFICIENT CRYPTOGRAPHY FOR UBIQUITOUS COMPUTING Lightweight Cryptographic Primitives from a Hardware & Software Perspective DISSERTATION for the degree of Doktor-Ingenieur of the Faculty of Electrical Engineering and Information Technology at the Ruhr University Bochum, Germany by Elif Bilge Kavun Bochum, December 2014 Copyright © 2014 by Elif Bilge Kavun. All rights reserved. Printed in Germany. Anneme ve babama... Elif Bilge Kavun Place of birth: Izmir,˙ Turkey Author’s contact information: [email protected] www.emsec.rub.de/chair/ staff/elif bilge kavun Thesis Advisor: Prof. Dr.-Ing. Christof Paar Ruhr-Universit¨atBochum, Germany Secondary Referee: Prof. Christian Rechberger Danmarks Tekniske Universitet, Denmark Thesis submitted: December 19, 2014 Thesis defense: February 6, 2015 v Abstract Technological advancements in the semiconductor industry over the last few decades made the mass production of very small-scale computing devices possible. Thanks to the compactness and mobility of these devices, they can be deployed “pervasively”, in other words, everywhere and anywhere – such as in smart homes, logistics, e-commerce, and medical technology. Em- bedding the small-scale devices into everyday objects pervasively also indicates the realization of the foreseen “ubiquitous computing” concept. However, ubiquitous computing and the mass deployment of the pervasive devices in turn brought some concerns – especially, security and privacy. Many people criticize the security and privacy management in the ubiquitous context. It is even believed that an inadequate level of security may be the greatest barrier to the long-term success of ubiquitous computing. For ubiquitous computing, the adversary model and the se- curity level is not the same as in traditional applications due to limited resources in pervasive devices – area, power, and energy are actually harsh constraints for such devices.
    [Show full text]
  • Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using Fpgas
    Fair and Comprehensive Methodology for Comparing Hardware Performance of Fourteen Round Two SHA-3 Candidates Using FPGAs Kris Gaj, Ekawat Homsirikamol, and Marcin Rogawski ECE Department, George Mason University, Fairfax, VA 22030, U.S.A. {kgaj,ehomsiri,mrogawsk}@gmu.edu http://cryptography.gmu.edu Abstract. Performance in hardware has been demonstrated to be an important factor in the evaluation of candidates for cryptographic stan- dards. Up to now, no consensus exists on how such an evaluation should be performed in order to make it fair, transparent, practical, and ac- ceptable for the majority of the cryptographic community. In this pa- per, we formulate a proposal for a fair and comprehensive evaluation methodology, and apply it to the comparison of hardware performance of 14 Round 2 SHA-3 candidates. The most important aspects of our methodology include the definition of clear performance metrics, the de- velopment of a uniform and practical interface, generation of multiple sets of results for several representative FPGA families from two major vendors, and the application of a simple procedure to convert multiple sets of results into a single ranking. Keywords: benchmarking, hash functions, SHA-3, FPGA. 1 Introduction and Motivation Starting from the Advanced Encryption Standard (AES) contest organized by NIST in 1997-2000 [1], open contests have become a method of choice for select- ing cryptographic standards in the U.S. and over the world. The AES contest in the U.S. was followed by the NESSIE competition in Europe [2], CRYPTREC in Japan, and eSTREAM in Europe [3]. Four typical criteria taken into account in the evaluation of candidates are: security, performance in software, performance in hardware, and flexibility.
    [Show full text]
  • Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGNOF CRYPTOGRAPHIC ACCELERATORS
    Title Hardware design of cryptographic accelerators Author(s) Baldwin, Brian John Publication date 2013 Original citation Baldwin, B.J., 2013. Hardware design of cryptographic accelerators. PhD Thesis, University College Cork. Type of publication Doctoral thesis Rights © 2013. Brian J. Baldwin http://creativecommons.org/licenses/by-nc-nd/3.0/ Embargo information No embargo required Item downloaded http://hdl.handle.net/10468/1112 from Downloaded on 2017-02-12T13:16:07Z HARDWARE DESIGN OF CRYPTOGRAPHIC ACCELERATORS by BRIAN BALDWIN Thesis submitted for the degree of PHD from the Department of Electrical Engineering National University of Ireland University College, Cork, Ireland May 7, 2013 Supervisor: Dr. William P. Marnane “What I cannot create, I do not understand” - Richard Feynman; on his blackboard at time of death in 1988. Contents 1 Introduction 1 1.1 Motivation...................................... 1 1.2 ThesisAims..................................... 3 1.3 ThesisOutline................................... 6 2 Background 9 2.1 Introduction.................................... 9 2.2 IntroductiontoCryptography. ...... 10 2.3 MathematicalBackground . ... 13 2.3.1 Groups ................................... 13 2.3.2 Rings .................................... 14 2.3.3 Fields.................................... 15 2.3.4 FiniteFields ................................ 16 2.4 EllipticCurves .................................. 17 2.4.1 TheGroupLaw............................... 18 2.4.2 EllipticCurvesoverPrimeFields . .... 19 2.5 CryptographicPrimitives&Protocols
    [Show full text]
  • CS-466: Applied Cryptography Adam O'neill
    Hash functions CS-466: Applied Cryptography Adam O’Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage • Today we will study a second lower-level primitive, hash functions. Setting the Stage • Today we will study a second lower-level primitive, hash functions. • Hash functions like MD5, SHA1, SHA256 are used pervasively. Setting the Stage • Today we will study a second lower-level primitive, hash functions. • Hash functions like MD5, SHA1, SHA256 are used pervasively. • Primary purpose is data compression, but they have many other uses and are often treated like a “magic wand” in protocol design. Collision resistance (CR) Collision Resistance n Definition: A collision for a function h : D 0, 1 is a pair x1, x2 D → { } ∈ of points such that h(x1)=h(x2)butx1 = x2. ̸ If D > 2n then the pigeonhole principle tells us that there must exist a | | collision for h. Mihir Bellare UCSD 3 Collision resistance (CR) Collision resistanceCollision Resistance (CR) n Definition: A collision for a function h : D 0, 1 n is a pair x1, x2 D Definition: A collision for a function h : D → {0, 1} is a pair x1, x2 ∈ D of points such that h(x1)=h(x2)butx1 = →x2.{ } ∈ of points such that h(x1)=h(x2)butx1 ≠ x2. ̸ If D > 2n then the pigeonhole principle tells us that there must exist a If |D| > 2n then the pigeonhole principle tells us that there must exist a collision| | for h. collision for h. We want that even though collisions exist, they are hard to find.
    [Show full text]
  • Linearization Framework for Collision Attacks: Application to Cubehash and MD6
    Linearization Framework for Collision Attacks: Application to CubeHash and MD6 Eric Brier1, Shahram Khazaei2, Willi Meier3, and Thomas Peyrin1 1 Ingenico, France 2 EPFL, Switzerland 3 FHNW, Switzerland Abstract. In this paper, an improved differential cryptanalysis framework for finding collisions in hash functions is provided. Its principle is based on lineariza- tion of compression functions in order to find low weight differential characteris- tics as initiated by Chabaud and Joux. This is formalized and refined however in several ways: for the problem of finding a conforming message pair whose differ- ential trail follows a linear trail, a condition function is introduced so that finding a collision is equivalent to finding a preimage of the zero vector under the con- dition function. Then, the dependency table concept shows how much influence every input bit of the condition function has on each output bit. Careful analysis of the dependency table reveals degrees of freedom that can be exploited in ac- celerated preimage reconstruction under the condition function. These concepts are applied to an in-depth collision analysis of reduced-round versions of the two SHA-3 candidates CubeHash and MD6, and are demonstrated to give by far the best currently known collision attacks on these SHA-3 candidates. Keywords: Hash functions, collisions, differential attack, SHA-3, CubeHash and MD6. 1 Introduction Hash functions are important cryptographic primitives that find applications in many areas including digital signatures and commitment schemes. A hash function is a trans- formation which maps a variable-length input to a fixed-size output, called message digest. One expects a hash function to possess several security properties, one of which is collision resistance.
    [Show full text]
  • Sharing Resources Between AES and the SHA-3 Second Round
    Sharing Resources Between AES and the SHA-3 Second Round Candidates Fugue and Grøstl Kimmo Järvinen Department of Information and Computer Science Aalto University, School of Science and Technology Espoo, Finland AES-inspired SHA-3 Candidates I Design strongly influenced by AES: Share the structure and have significant similarity in transformations, or even use AES as a subroutine I ECHO, Fugue, Grøstl, and SHAvite-3 I Benadjila et al. (ASIACRYPT 2009) studied useability of Intel’s AES instructions for AES-inspired candidates Conclusion: only ECHO and SHAvite-3, which use AES as a subroutine, benefit from the instructions I This is the first study of combining AES with the SHA-3 candidates on hardware (FPGA) The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Research Topics and Motivation Research Questions I What modifications are required to embed AES into the data path of the hash algorithm (or vice versa)? I How much resources can be shared (logic, registers, memory, . )? I What are the costs (area, delay, throughput, power consumption, . )? Applications I Any applications that require dedicated hardware implementations of a hash algorithm and a block cipher would benefit from reduced costs I Particularly important if resources are very limited The 2nd SHA-3 Candidate Conference Santa Barbara, CA, USA August 23–24, 2010 Advanced Encryption Standard AES with a 128-bit key (AES-128) 8 I State: 4 × 4 bytes; each byte is an element of GF(2 ) I 10 rounds with four transformations Transformations I SubBytes: Bytes mapped
    [Show full text]
  • Indifferentiable Authenticated Encryption
    Indifferentiable Authenticated Encryption Manuel Barbosa1 and Pooya Farshim2;3 1 INESC TEC and FC University of Porto, Porto, Portugal [email protected] 2 DI/ENS, CNRS, PSL University, Paris, France 3 Inria, Paris, France [email protected] Abstract. We study Authenticated Encryption with Associated Data (AEAD) from the viewpoint of composition in arbitrary (single-stage) environments. We use the indifferentiability framework to formalize the intuition that a \good" AEAD scheme should have random ciphertexts subject to decryptability. Within this framework, we can then apply the indifferentiability composition theorem to show that such schemes offer extra safeguards wherever the relevant security properties are not known, or cannot be predicted in advance, as in general-purpose crypto libraries and standards. We show, on the negative side, that generic composition (in many of its configurations) and well-known classical and recent schemes fail to achieve indifferentiability. On the positive side, we give a provably indifferentiable Feistel-based construction, which reduces the round complexity from at least 6, needed for blockciphers, to only 3 for encryption. This result is not too far off the theoretical optimum as we give a lower bound that rules out the indifferentiability of any construction with less than 2 rounds. Keywords. Authenticated encryption, indifferentiability, composition, Feistel, lower bound, CAESAR. 1 Introduction Authenticated Encryption with Associated Data (AEAD) [54,10] is a funda- mental building block in cryptographic protocols, notably those enabling secure communication over untrusted networks. The syntax, security, and constructions of AEAD have been studied in numerous works. Recent, ongoing standardization processes, such as the CAESAR competition [14] and TLS 1.3, have revived interest in this direction.
    [Show full text]
  • Nasha, Cubehash, SWIFFTX, Skein
    6.857 Homework Problem Set 1 # 1-3 - Open Source Security Model Aleksandar Zlateski Ranko Sredojevic Sarah Cheng March 12, 2009 NaSHA NaSHA was a fairly well-documented submission. Too bad that a collision has already been found. Here are the security properties that they have addressed in their submission: • Pseudorandomness. The paper does not address pseudorandomness directly, though they did show proof of a fairly fast avalanching effect (page 19). Not quite sure if that is related to pseudorandomness, however. • First and second preimage resistance. On page 17, it references a separate document provided in the submission. The proofs are given in the file Part2B4.pdf. The proof that its main transfunction is one-way can be found on pages 5-6. • Collision resistance. Same as previous; noted on page 17 of the main document, proof given in Part2B4.pdf. • Resistance to linear and differential attacks. Not referenced in the main paper, but Part2B5.pdf attempts to provide some justification for this. • Resistance to length extension attacks. Proof of this is given on pages 4-5 of Part2B4.pdf. We should also note that a collision in the n = 384 and n = 512 versions of the hash function. It was claimed that the best attack would be a birthday attack, whereas a collision was able to be produced within 2128 steps. CubeHash According to the author, CubeHash is a very simple cryptographic hash function. The submission does not include almost any of the security details, and for the ones that are included the analysis is very poor. But, for the sake of making this PSet more interesting we will cite some of the authors comments on different security issues.
    [Show full text]
  • Características Y Aplicaciones De Las Funciones Resumen Criptográficas En La Gestión De Contraseñas
    Características y aplicaciones de las funciones resumen criptográficas en la gestión de contraseñas Alicia Lorena Andrade Bazurto Instituto Universitario de Investigación en Informática Escuela Politécnica Superior Características y aplicaciones de las funciones resumen criptográficas en la gestión de contraseñas ALICIA LORENA ANDRADE BAZURTO Tesis presentada para aspirar al grado de DOCTORA POR LA UNIVERSIDAD DE ALICANTE DOCTORADO EN INFORMÁTICA Dirigida por: Dr. Rafael I. Álvarez Sánchez Alicante, julio 2019 Índice Índice de tablas .................................................................................................................. vii Índice de figuras ................................................................................................................. ix Agradecimiento .................................................................................................................. xi Resumen .......................................................................................................................... xiii Resum ............................................................................................................................... xv Abstract ........................................................................................................................... xvii 1 Introducción .................................................................................................................. 1 1.1 Objetivos ...............................................................................................................4
    [Show full text]
  • Quantum Preimage and Collision Attacks on Cubehash
    Quantum Preimage and Collision Attacks on CubeHash Gaëtan Leurent University of Luxembourg, [email protected] Abstract. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity 2192. This kind of attack is expected to cost 2256 for a good 512-bit hash function, and we argue that this violates the expected security of CubeHash. The preimage attack can also be used as a collision attack, given that a generic quantum collision attack on a 512-bit hash function require 2256 operations, as explained in the CubeHash submission document. This attack only uses very simple techniques, most of which are borrowed from previous analysis of CubeHash: we just combine symmetry based attacks [1,8] with Grover’s algo- rithm. However, it is arguably the first attack on a second-round SHA-3 candidate that is more efficient than the attacks considered by the designer. 1 Introduction CubeHash is a hash function designed by Bernstein and submitted to the SHA-3 com- petition [2]. It has been accepted for the second round of the competition. In this paper we show a quantum preimage attack on CubeHash-512-normal with complexity 2192. We show that this attack should be considered as better that the attacks considered by the designer, and we explain what were our expectations of the security of CubeHash. P P Fig. 1. CubeHash follows the sponge construction 1.1 CubeHash Versions CubeHash is built following the sponge construction with a 1024-bit permutation. The small size of the state allows for compact hardware implementations, but it is too small to build a fast 512-bit hash function satisfying NIST security requirements.
    [Show full text]
  • Inside the Hypercube
    Inside the Hypercube Jean-Philippe Aumasson1∗, Eric Brier3, Willi Meier1†, Mar´ıa Naya-Plasencia2‡, and Thomas Peyrin3 1 FHNW, Windisch, Switzerland 2 INRIA project-team SECRET, France 3 Ingenico, France Some force inside the Hypercube occasionally manifests itself with deadly results. http://www.staticzombie.com/2003/06/cube 2 hypercube.html Abstract. Bernstein’s CubeHash is a hash function family that includes four functions submitted to the NIST Hash Competition. A CubeHash function is parametrized by a number of rounds r, a block byte size b, and a digest bit length h (the compression function makes r rounds, while the finalization function makes 10r rounds). The 1024-bit internal state of CubeHash is represented as a five-dimensional hypercube. The sub- missions to NIST recommends r = 8, b = 1, and h ∈ {224, 256, 384, 512}. This paper presents the first external analysis of CubeHash, with • improved standard generic attacks for collisions and preimages • a multicollision attack that exploits fixed points • a study of the round function symmetries • a preimage attack that exploits these symmetries • a practical collision attack on a weakened version of CubeHash • a study of fixed points and an example of nontrivial fixed point • high-probability truncated differentials over 10 rounds Since the first publication of these results, several collision attacks for reduced versions of CubeHash were published by Dai, Peyrin, et al. Our results are more general, since they apply to any choice of the parame- ters, and show intrinsic properties of the CubeHash design, rather than attacks on specific versions. 1 CubeHash Bernstein’s CubeHash is a hash function family submitted to the NIST Hash Competition.
    [Show full text]
  • The Hitchhiker's Guide to the SHA-3 Competition
    History First Second Third The Hitchhiker’s Guide to the SHA-3 Competition Orr Dunkelman Computer Science Department 20 June, 2012 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 1/ 33 History First Second Third Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 2/ 33 History First Second Third History Sad Outline 1 History of Hash Functions A(n Extremely) Short History of Hash Functions The Sad News about the MD/SHA Family 2 The First Phase of the SHA-3 Competition Timeline The SHA-3 First Round Candidates 3 The Second Round The Second Round Candidates The Second Round Process 4 The Third Round The Finalists Current Performance Estimates The Outcome of SHA-3 Orr Dunkelman The Hitchhiker’s Guide to the SHA-3 Competition 3/ 33 History First Second Third History Sad A(n Extremely) Short History of Hash Functions 1976 Diffie and Hellman suggest to use hash functions to make digital signatures shorter. 1979 Salted passwords for UNIX (Morris and Thompson). 1983/4 Davies/Meyer introduce Davies-Meyer. 1986 Fiat and Shamir use random oracles. 1989 Merkle and Damg˚ard present the Merkle-Damg˚ard hash function.
    [Show full text]