Practical attacks on AES-like cryptographic hash functions
Stefan K¨olbl, Christian Rechberger
DTU - Technical University of Denmark
September 12, 2014 Cryptographic Hash Functions
“Today is the 12th of September...”
h
4981A99EDA782
2/23 Cryptographic Hash Functions
“Today is the 13th of September...”
h
11F9C8023AB0A
3/23 Cryptographic Hash Functions
Applications:
I Message Integrity
I Digital Signature Schemes
I Password Protection
I Key Derivation
I Payment Schemes (Bitcoin)
I ... Features:
I No secret parameter is involved.
I Fast to compute.
4/23 Cryptographic Hash Functions
Security Requirements
I Preimage Resistance: Given h(x) find x
I Second-Preimage Resistance: Given x, h(x) find y 6= x s.t. h(x) = h(y)
I Collision Resistance: Find x, y with x 6= y s.t. h(x) = h(y)
Generic Attack Complexity 2n for (second) preimage and 2n/2 for collisions.
5/23 Cryptographic Hash Functions Security Properties
M Hash Function IV h
6/23 Cryptographic Hash Functions Security Properties
m0 m1 mn
IV f f f h x1 xn
Analyze the collision resistance of the compression function f 0 I semi-free-start collision: Find {mi , mi , xi } s.t. 0 f (mi , xi ) = f (mi , xi ) 0 0 I free-start collision: Find {mi , mi , xi , xi } s.t. 0 0 f (mi , xi ) = f (mi , xi )
7/23 AES-based hash functions
Compression functions based on AES are common I Whirlpool (ISO/IEC 10118-3)
I Maelstrom I Whirlwind
I Streebog (GOST R 34.11-2012) I SHA-3 Competiton
I Grøstl I ECHO I LANE
8/23 GOST R 34.11-2012
Compression Function
mi hi+1 hi SPL E
9/23 GOST R 34.11-2012
Block Cipher E with 12 rounds of
I AK Adds the key byte-wise by XORing it to the state.
I S Substitutes each byte of the state independently using an 8-bit S-Box.
I P Transposes the state.
I L Multiplies each row by an 8 × 8 MDS matrix.
K 1 L0 AK1 S1 P1 L1
AK S P L
10/23 GOST R 34.11-2012
Block Cipher E with 12 rounds of
I AK Adds the key byte-wise by XORing it to the state.
I S Substitutes each byte of the state independently using an 8-bit S-Box.
I P Transposes the state.
I L Multiplies each row by an 8 × 8 MDS matrix.
K 1 L0 AK1 S1 P1 L1
AK S P L
10/23 GOST R 34.11-2012
Block Cipher E with 12 rounds of
I AK Adds the key byte-wise by XORing it to the state.
I S Substitutes each byte of the state independently using an 8-bit S-Box.
I P Transposes the state.
I L Multiplies each row by an 8 × 8 MDS matrix.
K 1 L0 AK1 S1 P1 L1
AK S P L
10/23 GOST R 34.11-2012
Block Cipher E with 12 rounds of
I AK Adds the key byte-wise by XORing it to the state.
I S Substitutes each byte of the state independently using an 8-bit S-Box.
I P Transposes the state.
I L Multiplies each row by an 8 × 8 MDS matrix.
K 1 L0 AK1 S1 P1 L1
AK S P L
10/23 Related Work
Overview of practical attacks on the compression function
Function Rounds Time Memory Type Reference 4.5 264 216 collision [WYW13] 4.75 practical 28 near-collision [AKY13] GOST R 4 219.8 216 collision this work 4.5 219.8 216 collision this work 5.5 264 264 collision [WYW13] 6.5 264 216 collision this work 4 225.1 216 collision this work 6.5 225.1 216 near-collision this work Whirlpool 4 28 28 collision1 [WYW13] 7 264 28 collision1 [SWWW12]
1free-start collision 11/23 Differential Cryptanalysis
x ∆x x∗
h h
y ∆y y ∗
I ∆x 6= 0 and ∆y = 0 gives a collision.
I Find a differential characteristic leading to zero output difference.
I Find a confirming message pair.
12/23 Rebound Attacks
Powerful technique for analysis of hash functions [MRST09]
AK0 AK1 AK2 AK3 AK4
S S S S P P P P L L L L AK AK AK AK
Inbound Outbound Outbound
Two parts:
I Inbound phase: Match-in-the-middle
I Outbound phase: Probabilistic Many improvements over the last few years...
13/23 Finding the characteristic Technique similar to start-from-the-middle
AK0 AK1 AK2 AK3 AK4
S S S S P P P P L L L L AK AK AK AK
1 3 2
1. Propagate difference from AK 4 to S2. 2. Choose differences in AK 2 to ensure 64–8 by using freedom of S-Box. 3. Solve 8–1 by swapping values (a, b) ↔ (b, a). Complexity Finding the characteristic 219.8
14/23 Finding the message pair
We need to fulfill conditions on 81 bytes.
AK0 AK1 AK2 AK3 AK4
S S S S P P P P L L L L AK AK AK AK
2 2 2 I First we fix the values of AK such that S = S(AK ).
I This solves 64 byte conditions but uses all degrees of freedom we have for the state.
15/23 Finding the message pair
We need to fulfill conditions on 81 bytes.
AK0 AK1 AK2 AK3 AK4
S S S S P P P P L L L L AK AK AK AK
2 2 2 I First we fix the values of AK such that S = S(AK ).
I This solves 64 byte conditions but uses all degrees of freedom we have for the state.
15/23 Finding the message pair
We need to fulfill conditions on 81 bytes.
AK0 AK1 AK2 AK3 AK4
S S S S P P P P L L L L AK AK AK AK
1 1 I How to solve the conditions for AK = S(S )...
16/23 Finding the message pair
AK1 S1 P1 L1
1 K AK S P L
AC S P 2 2 2 2 L AK S P L
2 K AK S P L
17/23 Finding the message pair
AK1 S1 P1 L1
1 K AK S P L
AC S P 2 2 2 2 L AK S P L
2 K AK S P L
17/23 Finding the message pair
AK1 S1 P1 L1
1 K AK S P L
AC S P 2 2 2 2 L AK S P L
2 K AK S P L
17/23 Finding the message pair
AK1 S1 P1 L1
1 K AK S P L
AC S P 2 2 2 2 L AK S P L
2 K AK S P L
17/23 Finding the message pair
We need to fulfill conditions on 81 bytes.
AK0 AK1 AK2 AK3 AK4
S S S S P P P P L L L L AK AK AK AK
3 3 I How to solve the conditions for AK = S(S )...
18/23 Finding the message pair
AC2 KS2 KP2 K2 AK2
AC S P L AK
AC3 KS3 KP3 K3 AK3
AC S P L AK
19/23 Finding the message pair
AC2 KS2 KP2 K2 AK2
AC S P L AK
AC3 KS3 KP3 K3 AK3
AC S P L AK
19/23 Finding the message pair
AC2 KS2 KP2 K2 AK2
AC S P L AK
AC3 KS3 KP3 K3 AK3
AC S P L AK
19/23 Finding the message pair
We need to fulfill conditions on 81 bytes.
AK0 AK1 AK2 AK3 AK4
S S S S P P P P L L L L AK AK AK AK
1 I One byte condition remaining in AK . 0 4 I ∆AK = ∆AK . Complexity Repeat message finding procedure 216 times.
20/23 Attack
Summary of Attack on GOST R 19.8 I Finding Characteristic: 2 16 I Finding Message Pair: 2 Costs depend on properties of the S-Box
S-Box MDP ANS Matching Costs #S2 AES 2−6 127 26.42 255.91 Whirlpool 2−5 101.49 225.10 253.32 GOST R 2−5 107.05 219.77 253.94
21/23 Conclusion
Function Rounds Time Memory Type 4 219.8 216 collision GOST R 4.5 219.8 216 collision 6.5 264 216 collision 4 225.1 216 collision Whirlpool 6.5 225.1 216 near-collision
I Technique could be used to fulfill more conditions
I Application on other designs
I https://github.com/kste/aeshash
22/23 Thank you for your attention!
23/23 ReferencesI
Riham AlTawy, Aleksandar Kircanski, and Amr M. Youssef, Rebound Attacks on Stribog, Cryptology ePrint Archive, Report 2013/539, 2013, http://eprint.iacr.org/. Mario Lamberger, Florian Mendel, Martin Schl¨affer,Christian Rechberger, and Vincent Rijmen, The Rebound Attack and Subspace Distinguishers: Application to Whirlpool, Journal of Cryptology (2013), 1–40 (English). Florian Mendel, Christian Rechberger, Martin Schl¨affer,and Søren S. Thomsen, The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl, FSE (Orr Dunkelman, ed.), Lecture Notes in Computer Science, vol. 5665, Springer, 2009, pp. 260–276.
1/2 ReferencesII
Yu Sasaki, Lei Wang, Shuang Wu, and Wenling Wu, Investigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision Attacks, vol. 7658, pp. 562–579, Springer Berlin Heidelberg, 2012. Zongyue Wang, Hongbo Yu, and Xiaoyun Wang, Cryptanalysis of GOST R Hash Function, Cryptology ePrint Archive, Report 2013/584, 2013, http://eprint.iacr.org/.
2/2