Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43
Symmetric key cryptography Alice and Bob share the same secret key. [Figure: Key, Plaintext, Encryption, Ciphertext, Decryption, Plaintext] Stream ciphers. Block ciphers. Hash functions. 2 / 43
Cryptographic Hash Functions $H : \{0,1\}^* \to \{0,1\}^n$. Security properties: Preimage resistance (complexity of the generic attack: $2^n$). Second-preimage resistance (complexity of the generic attack: $2^n$). Collision resistance (complexity of the generic attack: $2^{n/2}$). Applications: password protection, digital signatures, key derivation, random number generation,... 3 / 43
The NIST SHA-3 competition Devastating attacks against MD5, SHA-1,... Lack of confidence in SHA-2 (standard). NIST launches in 2008 a public competition for defining a new standard. 64 submissions (October 2008) 51 first-round candidates 14 second-round candidates (July 2009) 5 finalists (December 2010) Winner of the competition: Keccak 4 / 43
Design of symmetric primitives Block ciphers and hash functions use similar building blocks. Iterated structure $F = R_r \circ \cdots \circ R_1$. Every round follows the principles announced by Claude Shannon. A nonlinear part providing confusion. A linear part providing diffusion. 5 / 43
Outline 1. Analysis of the algebraic properties of some primitives: Zero-sum distinguishers; A bound on the degree of SPN-type iterated permutations; A bound implying the degree of the inverse permutation; The notion of $(v, w)$-linearity. 2. Side-channel analysis of some SHA-3 candidates. 6 / 43
Analysis of the algebraic properties of some primitives 7 / 43
Vectorial functions Cryptographic primitives seen as vectorial Boolean functions $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$. These functions should behave like random functions. Study the properties of the inner Boolean functions to detect a non-random behaviour. Find a way to exploit the detected non-random behaviour. 8 / 43
Algebraic degree $F : \mathbb{F}_2^4 \to \mathbb{F}_2^3$, $F(x_0, x_1, x_2, x_3) := (x_0 x_1 + x_3,\ x_0 x_2 x_3 + x_1 x_2,\ x_0 + x_1 + x_2)$, $\deg(F) = 3$. Exploit a low algebraic degree in: algebraic attacks, higher-order differential attacks, cube attacks,... Higher-order differential attacks [Lai 94, Knudsen 94] For every subspace $V$ with $\dim V > \deg F$: $D_V F(x) = \sum_{v \in V} F(x + v) = 0$, for every $x \in \mathbb{F}_2^n$. 9 / 43
Algebraic degree of iterated constructions $P = P_r \circ \cdots \circ P_1$ Question: How to estimate the algebraic degree of an iterated construction? Trivial bound: $\deg(G \circ F) \le \deg G \cdot \deg F$ 10 / 43
The SHA-3 case Keccak [Bertoni-Daemen-Peeters-VanAssche 08] Winner of the SHA-3 competition. Sponge construction. Keccak-$f$ permutation: 1600-bit state, seen as a 3-dimensional $5 \times 5 \times 64$ matrix. 24 rounds of $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$. Nonlinear layer: 320 parallel applications of a $5 \times 5$ S-box $\chi$. $\deg \chi = 2$, $\deg \chi^{-1} = 3$. 11 / 43
The algebraic degree of the Keccak-$f$ permutation Algebraic degree of the round permutation: $\deg(R) = 2$. After $r$ rounds (trivial bound): $\deg(R^r) \le 2 \deg(R^{r-1})$. For $r = 24$, the trivial bound on $\deg(R^{24})$ exceeds 1600, so it gives no relevant information. 12 / 43
Zero-sum distinguishers Zero-sums For block ciphers (known-key model) [Knudsen-Rijmen 07]. For hash functions [Aumasson-Meier 09]. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$. A zero-sum of size $k$ for $F$ is a subset $\{x_1, \ldots, x_k\}$ such that $\sum_{i=1}^{k} x_i = \sum_{i=1}^{k} F(x_i) = 0$. 13 / 43
Minimal size of a zero-sum [SAC 10] Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$. $C_F$: linear code of length $2^n$ and dimension $2n$ defined by $G_F = \begin{pmatrix} x_0 & x_1 & x_2 & x_3 & \ldots & x_{2^n-1} \\ F(x_0) & F(x_1) & F(x_2) & F(x_3) & \ldots & F(x_{2^n-1}) \end{pmatrix}$. Proposition. $\{x_{i_1}, \ldots, x_{i_K}\} \subset \mathbb{F}_2^n$ is a zero-sum for $F$ if and only if the codeword with support $\{i_1, \ldots, i_K\}$ belongs to $C_F^{\perp}$. Most notably, there exists at least a zero-sum of size $\le 5$ for $F$; $F$ has no zero-sum of size less than or equal to 4 if and only if $F$ is an APN function. 14 / 43
Zero-sum partitions Let $P$ be a permutation from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$. A zero-sum partition for $P$ of size $K = 2^k$ is a collection of $2^{n-k}$ disjoint zero-sums. Complexity of the best-known generic algorithm for finding zero-sum partitions: $2^n - 2^k + (2n)^3 (2^{n-k} - 1)$. Finding zero-sum partitions for an iterated permutation: Exploit the non-linear part. Exploit the linear part. 15 / 43
Exploiting the non-linear part [Aumasson-Meier 09] Take advantage of a low algebraic degree after several rounds. $P = R_r \circ \cdots \circ R_1$. Let $F_{r-t} = R_r \circ \cdots \circ R_{t+1}$ and $G_t = R_1^{-1} \circ \cdots \circ R_t^{-1}$. Let $V \subset \mathbb{F}_2^n$ with $\dim V > \max(\deg F_{r-t}, \deg G_t)$. Let $V \oplus W = \mathbb{F}_2^n$. [Figure: $G_t$ maps $V + a$ to $X_a$, $F_{r-t}$ maps $V + a$ to $P(X_a)$, and $P$ maps $X_a$ to $P(X_a)$.] $X_a = \{G_t(a + z),\ z \in V\}$, $a \in W$, is a zero-sum partition of $\mathbb{F}_2^n$ of size $2^{\dim V}$ for $P$. 16 / 43
Using the principle of higher-order differentials [Figure: $G_t$ maps $V + a$ to $X_a$, $F_{r-t}$ maps $V + a$ to $P(X_a)$, and $P$ maps $X_a$ to $P(X_a)$.] $\sum_{x \in X_a} x = \sum_{z \in V} G_t(z + a) = D_V G_t(a) = 0$ and $\sum_{x \in X_a} P(x) = \sum_{z \in V} F_{r-t}(z + a) = D_V F_{r-t}(a) = 0$. 17 / 43
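The construction on the two slides above, run on a toy permutation as an added example (not from the talk). The 10-bit state, the rotation used as linear layer, the round constants and all function names are assumptions made for illustration; only the S-box $\chi$ is Keccak's. With one backward round of degree at most 3 and two forward rounds of degree at most 4, any $V$ of dimension 5 yields a zero-sum partition.

```python
from functools import reduce
from operator import xor

N, ROUNDS, T = 10, 3, 1          # toy state size, rounds of P, backward rounds t
RC = [0x155, 0x0F3, 0x2A9]       # constructed round constants (assumption)

def chi5(x):                     # Keccak's 5-bit S-box chi, degree 2 (inverse: 3)
    b = [x >> i & 1 for i in range(5)]
    return sum((b[i] ^ ((b[(i + 1) % 5] ^ 1) & b[(i + 2) % 5])) << i for i in range(5))

CHI = [chi5(x) for x in range(32)]
CHI_INV = [CHI.index(y) for y in range(32)]

def sub(x, box):                 # S-box layer: two parallel 5-bit S-boxes
    return box[x & 31] | box[x >> 5] << 5

def rot(x, r):                   # toy linear layer: rotate the 10-bit state left by r
    return (x << r | x >> (N - r)) & (2**N - 1)

def R(x, i):                     # round i: S-box layer, linear layer, constant
    return rot(sub(x, CHI), 3) ^ RC[i]

def R_inv(y, i):                 # inverse of round i
    return sub(rot(y ^ RC[i], N - 3), CHI_INV)

def P(x):                        # P = R_r o ... o R_1
    return reduce(R, range(ROUNDS), x)

def zero_sum_partition(dim_v=5):
    """Sets X_a = {G_t(a + z), z in V}; V = low dim_v bits, W = the high bits."""
    parts = []
    for a in range(0, 1 << N, 1 << dim_v):       # a runs over W
        xs = []
        for z in range(1 << dim_v):              # z runs over V
            x = a ^ z                            # intermediate state after t rounds
            for i in reversed(range(T)):         # G_t = R_1^-1 o ... o R_t^-1
                x = R_inv(x, i)
            xs.append(x)
        parts.append(xs)
    return parts

def is_zero_sum(xs):             # inputs and outputs of P both XOR to zero
    return reduce(xor, xs) == 0 and reduce(xor, map(P, xs)) == 0

if __name__ == "__main__":
    parts = zero_sum_partition()
    print(len(parts), "sets of size", len(parts[0]), all(map(is_zero_sum, parts)))
```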
Exploiting the structure of the diffusion part Round function $R = L \circ S$. $S$ composed of several small Sboxes $S_0$ defined over $\mathbb{F}_2^{n_0}$. $B_i = \{x \in \mathbb{F}_2^n,\ \mathrm{supp}(x) \subset \text{word } i\}$. Let $V$ such that $B = \bigoplus_{i \in \mathcal{I}} B_i \subset V$ and $B' = \bigoplus_{j \in \mathcal{J}} B_j \subset L(V)$ with $\dim B > \deg G_t$ and $\dim B' > \deg F_{r-t}$. [Figure: maps $G_t \circ L^{-1}$, $S^{-1}$, $L$, $S$ and $F_{r-t}$ between cosets $b' + B'$, $b + B$ and $b + B'$, with $B \subset V$.] 18 / 43
Application to Keccak-$f$ We have shown by using a result of [Canteaut and Videau 02] that $\deg(R^{-7}) \le 1369$. 18 rounds: many zero-sum partitions of size $2^{1370}$ for Keccak-$f$. By exploiting the linear structure: 19 rounds: a zero-sum partition of size $2^{1458}$ for Keccak-$f$. 20 rounds: a zero-sum partition of size $2^{1595}$ for Keccak-$f$. 19 / 43
A bound on the degree of SPN-type iterated permutations Substitution Permutation Networks [Figure: three rounds, each a layer of six parallel S-boxes S followed by a Linear Layer.] How to estimate the evolution of the degree of such constructions? 20 / 43
Question $\deg S = 3$. If $S$ is a permutation, find $\delta_k$: maximum degree of the product of $k$ coordinates of $S$. [Figure: S-Box with inputs $x_0, x_1, x_2, x_3$ and outputs $y_0, y_1, y_2, y_3$.] Values $(k, \delta_k)$: (1, 3), (2, 3), (3, 3), (4, 4). $F$ permutation of $\mathbb{F}_2^n$: $\delta_k = n$ iff $k = n$. 21 / 43
The new bound [FSE 11] Theorem. Let $F$ be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ corresponding to the parallel application of an Sbox, $S$, defined over $\mathbb{F}_2^{n_0}$. Then, for any $G$ from $\mathbb{F}_2^n$ into $\mathbb{F}_2^{\ell}$, we have $\deg(G \circ F) \le n - \frac{n - \deg G}{\gamma}$, where $\gamma = \max_{1 \le i \le n_0 - 1} \frac{n_0 - i}{n_0 - \delta_i}$. 22 / 43
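An added example (not from the talk) that computes $\delta_k$ and $\gamma$ for Keccak's S-box $\chi$ and for its inverse, then iterates the theorem with $n = 1600$ next to the trivial bound from the earlier slide. Function names are illustrative, and taking the floor of the bound is an assumption justified by the degree being an integer.

```python
from fractions import Fraction
from itertools import combinations
from math import floor

def degree(tt, n):
    """Algebraic degree from a truth table: Moebius transform, then max monomial weight."""
    a = list(tt)
    for i in range(n):
        for x in range(1 << n):
            if x >> i & 1:
                a[x] ^= a[x ^ (1 << i)]
    return max((bin(u).count("1") for u in range(1 << n) if a[u]), default=0)

def delta(sbox, n0):
    """delta[k]: maximum degree of a product of k output coordinates of the S-box."""
    def prod_tt(js):
        return [int(all(sbox[x] >> j & 1 for j in js)) for x in range(1 << n0)]
    return {k: max(degree(prod_tt(js), n0) for js in combinations(range(n0), k))
            for k in range(1, n0 + 1)}

def gamma(sbox, n0):
    """gamma of the theorem; sbox must be a permutation so that delta[i] < n0 for i < n0."""
    d = delta(sbox, n0)
    return max(Fraction(n0 - i, n0 - d[i]) for i in range(1, n0))

def chi5(x):
    """Keccak's 5-bit S-box: y_i = x_i + (x_{i+1} + 1) x_{i+2}, indices mod 5."""
    b = [x >> i & 1 for i in range(5)]
    return sum((b[i] ^ ((b[(i + 1) % 5] ^ 1) & b[(i + 2) % 5])) << i for i in range(5))

CHI = [chi5(x) for x in range(32)]
CHI_INV = [CHI.index(y) for y in range(32)]

def degree_bounds(n, sbox, n0, rounds):
    """Upper bounds on deg(R^r), r = 1..rounds: min(trivial bound, theorem bound)."""
    d_round, g = delta(sbox, n0)[1], gamma(sbox, n0)
    out, d = [], 1
    for _ in range(rounds):
        d = min(d_round * d, floor(n - Fraction(n - d) / g))
        out.append(d)
    return out

if __name__ == "__main__":
    print("chi:     ", delta(CHI, 5), gamma(CHI, 5))
    print("chi^-1:  ", delta(CHI_INV, 5), gamma(CHI_INV, 5))
    print("forward: ", degree_bounds(1600, CHI, 5, 17))
    print("backward:", degree_bounds(1600, CHI_INV, 5, 12))
```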