Improved Rebound Attack on the Finalist Grøstl

Improved Rebound Attack on the Finalist Grøstl

Improved Rebound Attack on the Finalist Grøstl Jérémy Jean1 María Naya-Plasencia2 Thomas Peyrin3 1École Normale Supérieure, France 2University of Versailles, France 3Nanyang Technological University, Singapore RAIM’2012 – June 21, 2012 (published in FSE’2012) Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Hash Functions H: hash function (e.g.: MD5, SHA-1,...) H 50697fb42e88f27b0d19b625b18ae016 Security Notions Preimage resistance Collision resistance Second-Preimage resistance Distinguisher from Random Oracle RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 2/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 64 submissions received; 51 entered first round (Dec. 9, 2008): Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 14 entered second round (July 24, 2009): Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. 5 entered the final (Dec. 9, 2010): Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SHA-3 Competition In 2007, the NIST announced a competition to select a new hash function standard. In 2012: the winner will be chosen. Abacus Dynamic SHA2 LANE SHAvite-3 ARIRANG ECHO Lesamnta SIMD AURORA ECOH Luffa Skein BLAKE EDON-R LUX Spectral Hash Blender EnRUPT MCSSHA-3 StreamHash BMW ESSENCE MD6 SWIFFTX BOOLE FSB MeshHash Tangle Cheetah Fugue NaSHA TIB3 CHI Grøstl SANDstorm CRUNCH Hamsi Sarmal Twister CubeHash JH Sgail Vortex DCH Keccak Shabal WaMM Dynamic SHA Khichidi-1 SHAMATA Waterfall RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 3/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl hash function H I H takes input m of any length Compression Function f I Difficult to handle mn h Use fixed-size input f function f n I hn−1 I Split m into chunks m = m1jjm2jj · · · Mode of Operation m = m1 m2 m3 m4 f f f f Ω h0 = IV H(m) h1 h2 h3 h4 RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 4/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Compression Function (CF): f Grøstl-v0 [Knudsen et al. 08] has been tweaked for the final: I Grøstl-256: jhj = jmj=512 bits. I Grøstl-512: jhj = jmj=1024 bits. h P h0 m Q RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 5/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Internal Permutations Permutations P and Q apply the wide-trail strategy from the AES. I Grøstl-256: 10 rounds on state a 8 × 8. I Grøstl-512: 14 rounds on state a 8 × 16. AddRoundConstant SubBytes ShiftBytes MixBytes Tweak: constants in ARC and ShB changed to introduce asymmetry between P and Q RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 6/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl Finalization Round Ω Once all blocks of message have been treated: truncation. hi−1 P h h is the hash value the input message RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 7/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl: Best Analysis After the Tweak I Grøstl-256: • [Sasaki et al A10]: 8-round permutation distinguisher. • [Gilbert et al. FSE10]: 8-round CF distinguisher. • [Boura et al. FSE11]: 10-round zero-sum. I Grøstl-512 • [Schläffer 2011]: 6-round collision on the CF. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 8/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Our New Results 1/2 [Jean et al. FSE12] I Based on the rebound technique [Mendel et al. FSE09]. I Based on a way of finding solutions for three consecutive full active rounds: new. I They apply both to 256 and 512 versions. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 9/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Our New Results 2/2 [Jean et al. FSE12] I On Grøstl-256, we provide distinguishers for 9 rounds of the permutation (total: 10). I On Grøstl-512, we provide distinguishers for 8, 9 and 10 rounds of the permutation (total: 14). RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 10/30 Outbound Inbound Outbound Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Rebound Attack Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 11/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Rebound Attack Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB Outbound Inbound Outbound RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 11/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion SuperSBox Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB SuperSBox = SB ◦ MC ◦ SB RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 12/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Limited Birthday Distinguisher [Gilbert et Peyrin FSE2010] Limited Birthday What is the generic complexity for mapping i fixed-difference bits to j fixed-difference bits with a random n-bit permutation π? WLOG, we assume: i ≤ j. n n − i π n − j j Time complexity if j ≤ 2(n − i), then time complexity is 2j=2. if j > 2(n − i), then time complexity is 2i+j−n. RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 13/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Grøstl-256 Permutation RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 14/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Differential Characteristic for 9 rounds Mb Mb Mb Mb Mb Mb Mb Mb Mb Sh Sh Sh Sh Sh Sh Sh Sh Sh SB SB SB SB SB SB SB SB SB RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 15/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S3 S4 S5 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 16/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S3 S4 S5 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb RAIM’2012 – J. Jean, M. Naya-Plasencia, T. Peyrin – Improved Rebound Attack on the Finalist Grostl 16/30 Hash Functions Grøstl & SHA-3 Cryptanalysis Techniques Grøstl-256 Grøstl-512 Conclusion Inbound for 3 Full-Active Rounds S0 S1 S2 S3 SB Sh Mb S3 S4 S5 S6 SB Sh Mb S6 S7 S8 S9 SB Sh Mb S9 S10 S11 S12 SB Sh Mb RAIM’2012 – J.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    77 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us