sign in sign up
<<
Home , GOST (hash function)

Practical attacks on AES-like cryptographic hash functions

Stefan K¨olbl, Christian Rechberger

DTU - Technical University of Denmark

September 12, 2014 Cryptographic Hash Functions

“Today is the 12th of September...”

h

4981A99EDA782

2/23 Cryptographic Hash Functions

“Today is the 13th of September...”

h

11F9C8023AB0A

3/23 Cryptographic Hash Functions

Applications:

I Message Integrity

I Schemes

I Password Protection

I Derivation

I Payment Schemes (Bitcoin)

I ... Features:

I No secret parameter is involved.

I Fast to compute.

4/23 Cryptographic Hash Functions

Security Requirements

I Preimage Resistance: Given h(x) find x

I Second-Preimage Resistance: Given x, h(x) find y 6= x s.t. h(x) = h(y)

I Collision Resistance: Find x, y with x 6= y s.t. h(x) = h(y)

Generic Attack Complexity 2n for (second) preimage and 2n/2 for collisions.

5/23 Cryptographic Hash Functions Security Properties

M Hash Function IV h

6/23 Cryptographic Hash Functions Security Properties

m0 m1 mn

IV f f f h x1 xn

Analyze the collision resistance of the compression function f 0 I semi-free-start collision: Find {mi , mi , xi } s.t. 0 f (mi , xi ) = f (mi , xi ) 0 0 I free-start collision: Find {mi , mi , xi , xi } s.t. 0 0 f (mi , xi ) = f (mi , xi )

7/23 AES-based hash functions

Compression functions based on AES are common I Whirlpool (ISO/IEC 10118-3)

I Maelstrom I Whirlwind

I (GOST R 34.11-2012) I SHA-3 Competiton

I Grøstl I ECHO I

8/23 GOST R 34.11-2012

Compression Function

mi hi+1 hi SPL E

9/23 GOST R 34.11-2012

Block Cipher E with 12 rounds of

I AK Adds the key byte-wise by XORing it to the state.

I S Substitutes each byte of the state independently using an 8-bit S-Box.

I P Transposes the state.

I L Multiplies each row by an 8 × 8 MDS matrix.

K 1 L0 AK1 S1 P1 L1

AK S P L

10/23 GOST R 34.11-2012

Block Cipher E with 12 rounds of

I AK Adds the key byte-wise by XORing it to the state.

I S Substitutes each byte of the state independently using an 8-bit S-Box.

I P Transposes the state.

I L Multiplies each row by an 8 × 8 MDS matrix.

K 1 L0 AK1 S1 P1 L1

AK S P L

10/23 GOST R 34.11-2012

Block Cipher E with 12 rounds of

I AK Adds the key byte-wise by XORing it to the state.

I S Substitutes each byte of the state independently using an 8-bit S-Box.

I P Transposes the state.

I L Multiplies each row by an 8 × 8 MDS matrix.

K 1 L0 AK1 S1 P1 L1

AK S P L

10/23 GOST R 34.11-2012

Block Cipher E with 12 rounds of

I AK Adds the key byte-wise by XORing it to the state.

I S Substitutes each byte of the state independently using an 8-bit S-Box.

I P Transposes the state.

I L Multiplies each row by an 8 × 8 MDS matrix.

K 1 L0 AK1 S1 P1 L1

AK S P L

10/23 Related Work

Overview of practical attacks on the compression function

Function Rounds Time Memory Type Reference 4.5 264 216 collision [WYW13] 4.75 practical 28 near-collision [AKY13] GOST R 4 219.8 216 collision this work 4.5 219.8 216 collision this work 5.5 264 264 collision [WYW13] 6.5 264 216 collision this work 4 225.1 216 collision this work 6.5 225.1 216 near-collision this work Whirlpool 4 28 28 collision1 [WYW13] 7 264 28 collision1 [SWWW12]

1free-start collision 11/23 Differential

x ∆x x∗

h h

y ∆y y ∗

I ∆x 6= 0 and ∆y = 0 gives a collision.

I Find a differential characteristic leading to zero output difference.

I Find a confirming message pair.

12/23 Rebound Attacks

Powerful technique for analysis of hash functions [MRST09]

AK0 AK1 AK2 AK3 AK4

S S S S P P P P L L L L AK AK AK AK

Inbound Outbound Outbound

Two parts:

I Inbound phase: Match-in-the-middle

I Outbound phase: Probabilistic Many improvements over the last few years...

13/23 Finding the characteristic Technique similar to start-from-the-middle

AK0 AK1 AK2 AK3 AK4

S S S S P P P P L L L L AK AK AK AK

1 3 2

1. Propagate difference from AK 4 to S2. 2. Choose differences in AK 2 to ensure 64–8 by using freedom of S-Box. 3. Solve 8–1 by swapping values (a, b) ↔ (b, a). Complexity Finding the characteristic 219.8

14/23 Finding the message pair

We need to fulfill conditions on 81 bytes.

AK0 AK1 AK2 AK3 AK4

S S S S P P P P L L L L AK AK AK AK

2 2 2 I First we fix the values of AK such that S = S(AK ).

I This solves 64 byte conditions but uses all degrees of freedom we have for the state.

15/23 Finding the message pair

We need to fulfill conditions on 81 bytes.

AK0 AK1 AK2 AK3 AK4

S S S S P P P P L L L L AK AK AK AK

2 2 2 I First we fix the values of AK such that S = S(AK ).

I This solves 64 byte conditions but uses all degrees of freedom we have for the state.

15/23 Finding the message pair

We need to fulfill conditions on 81 bytes.

AK0 AK1 AK2 AK3 AK4

S S S S P P P P L L L L AK AK AK AK

1 1 I How to solve the conditions for AK = S(S )...

16/23 Finding the message pair

AK1 S1 P1 L1

1 K AK S P L

AC S P 2 2 2 2 L AK S P L

2 K AK S P L

17/23 Finding the message pair

AK1 S1 P1 L1

1 K AK S P L

AC S P 2 2 2 2 L AK S P L

2 K AK S P L

17/23 Finding the message pair

AK1 S1 P1 L1

1 K AK S P L

AC S P 2 2 2 2 L AK S P L

2 K AK S P L

17/23 Finding the message pair

AK1 S1 P1 L1

1 K AK S P L

AC S P 2 2 2 2 L AK S P L

2 K AK S P L

17/23 Finding the message pair

We need to fulfill conditions on 81 bytes.

AK0 AK1 AK2 AK3 AK4

S S S S P P P P L L L L AK AK AK AK

3 3 I How to solve the conditions for AK = S(S )...

18/23 Finding the message pair

AC2 KS2 KP2 K2 AK2

AC S P L AK

AC3 KS3 KP3 K3 AK3

AC S P L AK

19/23 Finding the message pair

AC2 KS2 KP2 K2 AK2

AC S P L AK

AC3 KS3 KP3 K3 AK3

AC S P L AK

19/23 Finding the message pair

AC2 KS2 KP2 K2 AK2

AC S P L AK

AC3 KS3 KP3 K3 AK3

AC S P L AK

19/23 Finding the message pair

We need to fulfill conditions on 81 bytes.

AK0 AK1 AK2 AK3 AK4

S S S S P P P P L L L L AK AK AK AK

1 I One byte condition remaining in AK . 0 4 I ∆AK = ∆AK . Complexity Repeat message finding procedure 216 times.

20/23 Attack

Summary of Attack on GOST R 19.8 I Finding Characteristic: 2 16 I Finding Message Pair: 2 Costs depend on properties of the S-Box

S-Box MDP ANS Matching Costs #S2 AES 2−6 127 26.42 255.91 Whirlpool 2−5 101.49 225.10 253.32 GOST R 2−5 107.05 219.77 253.94

21/23 Conclusion

Function Rounds Time Memory Type 4 219.8 216 collision GOST R 4.5 219.8 216 collision 6.5 264 216 collision 4 225.1 216 collision Whirlpool 6.5 225.1 216 near-collision

I Technique could be used to fulfill more conditions

I Application on other designs

I https://github.com/kste/aeshash

22/23 Thank you for your attention!

23/23 ReferencesI

Riham AlTawy, Aleksandar Kircanski, and Amr M. Youssef, Rebound Attacks on Stribog, Cryptology ePrint Archive, Report 2013/539, 2013, http://eprint.iacr.org/. Mario Lamberger, Florian Mendel, Martin Schl¨affer,Christian Rechberger, and Vincent Rijmen, The Rebound Attack and Subspace Distinguishers: Application to Whirlpool, Journal of Cryptology (2013), 1–40 (English). Florian Mendel, Christian Rechberger, Martin Schl¨affer,and Søren S. Thomsen, The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl, FSE (Orr Dunkelman, ed.), Lecture Notes in Computer Science, vol. 5665, Springer, 2009, pp. 260–276.

1/2 ReferencesII

Yu Sasaki, Lei Wang, Shuang Wu, and Wenling Wu, Investigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision Attacks, vol. 7658, pp. 562–579, Springer Berlin Heidelberg, 2012. Zongyue Wang, Hongbo Yu, and Xiaoyun Wang, Cryptanalysis of GOST R Hash Function, Cryptology ePrint Archive, Report 2013/584, 2013, http://eprint.iacr.org/.

2/2