Improved Rebound Attack on the Finalist Grøstl Jérémy Jean1 María Naya-Plasencia2 Thomas Peyrin3 1École Normale Supérieure, France 2University of Versailles, France 3Nanyang Technological University, Singapore RAIM’2012 – June 21, 2012 (published in FSE’2012) Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Hash Functions H: hash function (e.g.: MD5, SHA-1,...) H 50697fb42e88f27b0d19b625b18ae016 Security Notions Preimage resistance Collision resistance Second-Preimage resistance Distinguisher from Random Oracle RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 2/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 64 submissions received; 51 entered first round (Dec. 9, 2008): Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 14 entered second round (July 24, 2009): Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 5 entered the final (Dec. 9, 2010): Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. In 2012: the winner will be chosen. Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl hash function H I H takes input m of any length Compression Function f I Difficult to handle mn h Use fixed-size input f function f n I hn−1 I Split m into chunks m = m1jjm2jj · · · Mode of Operation m = m1 m2 m3 m4 f f f f Ω h0 = IV H(m) h1 h2 h3 h4 RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 4/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Compression Function (CF): f Grøstl-v0 [Knudsen et al. 08] has been tweaked for the final: I Grøstl-256: jhj = jmj=512 bits. I Grøstl-512: jhj = jmj=1024 bits. h P h0 m Q RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 5/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Internal Permutations Permutations P and Q apply the wide-trail strategy from the AES. I Grøstl-256: 10 rounds on state a 8 × 8. I Grøstl-512: 14 rounds on state a 8 × 16. AddRoundConstant SubBytes ShiftBytes MixBytes Tweak: constants in ARC and ShB changed to introduce asymmetry between P and Q RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 6/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Finalization Round Ω Once all blocks of message have been treated: truncation. hi−1 P h h is the hash value the input message RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 7/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl: Best Analysis After the Tweak I Grøstl-256: • [Sasaki et al A10]: 8-round permutation distinguisher. • [Gilbert et al. FSE10]: 8-round CF distinguisher. • [Boura et al. FSE11]: 10-round zero-sum. I Grøstl-512 • [Schläffer 2011]: 6-round collision on the CF. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 8/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Our New Results 1/2 [Jean et al. FSE12] I Based on the rebound technique [Mendel et al. FSE09]. I Based on a way of finding solutions for three consecutive full active rounds: new. I They apply both to 256 and 512 versions. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 9/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Our New Results 2/2 [Jean et al. FSE12] I On Grøstl-256, we provide distinguishers for 9 rounds of the permutation (total: 10). I On Grøstl-512, we provide distinguishers for 8, 9 and 10 rounds of the permutation (total: 14). RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 10/30 Outbound Inbound Outbound Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Rebound Attack Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 11/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Rebound Attack Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB Outbound Inbound Outbound RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 11/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SuperSBox Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB SuperSBox = SB ◦ MC ◦ SB RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 12/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Limited Birthday Distinguisher [Gilbert et Peyrin FSE2010] Limited Birthday What is the generic complexity for mapping i fixed-difference bits to j fixed-difference bits with a random n-bit permutation π? WLOG, we assume: i ≤ j. n n − i π n − j j Time complexity if j ≤ 2(n − i), then time complexity is 2j=2. if j > 2(n − i), then time complexity is 2i+j−n. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 13/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl-256 Permutation RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 14/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Differential Characteristic for 9 rounds Mb Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB SB RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 15/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S3 S4 S5 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 16/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S3 S4 S5 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 16/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S3 S4 S5 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb RAIM’2012 – J.