Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline 1 Motivation 2 Whirlpool Hash Function 3 Application of the Rebound Attack 4 Summary SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, ... The Rebound Attack Ebw Ein Efw inbound outbound outbound Applies to block cipher and permutation based designs: E = Efw ◦ Ein ◦ Ebw P = Pfw ◦ Pin ◦ Pbw The Rebound Attack Ebw Ein Efw inbound outbound outbound Inbound phase efficient meet-in-the-middle phase in Ein using available degrees of freedom Outbound phase probabilistic part in Ebw and Efw repeat inbound phase if needed The Whirlpool Hash Function M1 M2 M3 Mt IV f f f f H(m) designed by Barretto and Rijmen [BR00] evaluated by NESSIE standardized by ISO/IEC 10118-3:2003 iterative, based on the Merkle-Damgard˚ design principle message block, chaining values, hash size: 512 bit The Whirlpool Compression Function key schedule Hj−1 SB SC MR AC state update Mj SB SC MR AK Hj 512-bit hash value and using 512-bit message blocks Block-cipher based design (similar to AES) Miyaguchi-Preneel mode with conservative key schedule The Whirlpool Round Transformations SubBytes ShiftColumns MixRows AddRoundKey Ki S(x) + The state update and the key schedule update an 8 × 8 state S and K of 64 bytes 10 rounds each AES like round transformation ri = AK ◦ MR ◦ SC ◦ SB Notations Round i Ci SB SC MR Ki−1 Ki Ki Ki Ki SB SC MR AC SB SC MR Si−1 Si Si Si Si SB SC MR AK ∆Mj Collision Attack on Whirlpool key schedule Hj−1 SB SC MR AC state update Mj SB SC MR AK Hj 1-block collision: fixed Hj−1 (to IV ) ∗ ∗ f (Mj ; Hj−1) = f (Mj ; Hj−1); Mj 6= Mj generic complexity 2256 (n = 512) Mj Collision Attack on Whirlpool key schedule Hj−1 SB SC MR AC state update ∆Mj SB SC MR AK Hj 1-block collision: fixed Hj−1 (to IV ) ∗ ∗ f (Mj ; Hj−1) = f (Mj ; Hj−1); Mj 6= Mj generic complexity 2256 (n = 512) constant How to find a message pair following the differential trail? Collision Attack on 4 Rounds K0 K1 K2 K3 K4 SB SB SB SB SC SC SC SC IV MR MR MR MR AC AC AC AC S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 ! 8 ! 64 ! 8) maximum differential probability: (2−5)81 = 2−405 How to find a message pair following the differential trail? Collision Attack on 4 Rounds K0 K1 K2 K3 K4 SB constantSB SB SB SC SC SC SC IV MR MR MR MR AC AC AC AC S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 ! 8 ! 64 ! 8) maximum differential probability: (2−5)81 = 2−405 Collision Attack on 4 Rounds K0 K1 K2 K3 K4 SB constantSB SB SB SC SC SC SC IV MR MR MR MR AC AC AC AC S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 ! 8 ! 64 ! 8) maximum differential probability: (2−5)81 = 2−405 How to find a message pair following the differential trail? First: Use Truncated Differences S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK byte-wise truncated differences: active / not active we do not mind about actual differences single active byte at input and output is enough probabilistic in MixRows: 2−56 for 8 ! 1 we can remove many restrictions (more freedom) hopefully less complexity of message search meet in the middle? inside out? rebound! How to Find a Message Pair? S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK message modification? inside out? rebound! How to Find a Message Pair? S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK message modification? meet in the middle? rebound! How to Find a Message Pair? S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK message modification? meet in the middle? inside out? How to Find a Message Pair? S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK message modification? meet in the middle? inside out? rebound! Rebound Attack on 4 Rounds [MRST09] S0 S1 S2 S3 S4 SB SB SB SB SC SC SC SC M1 MR MR MR MR H1 AK AK AK AK outbound phase inbound phase outbound phase Inbound phase (1) start with differences in round 2 and 3 (2) match-in-the-middle at S-box using values of the state Outbound phase (3) probabilistic propagation in MixRows in round 1 and 4 (4) match one-byte difference of feed-forward ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 85 50 cc 6d 9a 49 43 c5 0d cc 01 0a 70 43 e9 27 ? a2 b1 63 11 96 1e 4d 04 b1 60 20 f4 1e cd bf 10 f8 ed 85 b7 43 5a d5 fc 16 27 51 43 15 de 2b f8 4d 34 96 90 f1 f8 07 5e SB linearly propagate all differences backward to S3 SC linearly propagate row-wise forward from S2 to S2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row Inbound Phase SC SB MR S2 S2 S3 S3 3a c0 e6 MR SC b9 SB AK MR 5a 8c 08 c0 get values MR (1) Start with arbitrary differences in state S3 ee ee ee 9f ee 23 71 c1 cd ? SC linearly propagate row-wise forward from S2 to S2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row Inbound Phase SC SB MR S2 S2 S3 S3 e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR a2 b1 63 11 96 1e 4d 04 SC b9 SB AK b1 60 20 f4 1e cd bf 10 MR 5a f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences get values MR (1) Start with arbitrary differences in state S3 SB linearly propagate all differences backward to S3 ? (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row Inbound Phase SC SB MR S2 S2 S3 S3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR a2 b1 63 11 96 1e 4d 04 SC b9 SB AK b1 60 20 f4 1e cd bf 10 MR 5a f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences differences get values MR (1) Start with arbitrary differences in state S3 SB linearly propagate all differences backward to S3 SC linearly propagate row-wise forward from S2 to S2 Inbound Phase SC SB MR S2 S2 S3 S3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR ? a2 b1 63 11 96 1e 4d 04 SC b9 SB AK b1 60 20 f4 1e cd bf 10 MR 5a f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences match differences differences get values MR (1) Start with arbitrary differences in state S3 SB linearly propagate all differences backward to S3 SC linearly propagate row-wise forward from S2 to S2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row Match-in-the-Middle for Single S-box ∆a Sbox ∆b Check for matching input/output differences Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b Use Difference Distribution Table (DDT) Difference Distribution Table (Whirlpool) in n out 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 00 0000000000000000 01 0620062000400000 02 0000000200004000 03 0220220020000002 04 0022040002222020 05 0000020200000042 06 .4020020026240220.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages72 Page
-
File Size-