

  1. Boomerang attacks on BLAKE-32
Arnab Roy (joint work with Alex Biryukov and Ivica Nikolić)
University of Luxembourg, Luxembourg
February 15, 2011

  2. About BLAKE
- BLAKE is now one of the five finalists in the SHA-3 competition announced by NIST.
- It is one of the two ARX (Addition-Rotation-XOR) designs in the final round.
- It is one of the fastest functions in software on various platforms.

  3–7. Hash function BLAKE-32
Initialization:
$$
\begin{pmatrix} v_0 & v_1 & v_2 & v_3 \\ v_4 & v_5 & v_6 & v_7 \\ v_8 & v_9 & v_{10} & v_{11} \\ v_{12} & v_{13} & v_{14} & v_{15} \end{pmatrix}
\leftarrow
\begin{pmatrix} h_0 & h_1 & h_2 & h_3 \\ h_4 & h_5 & h_6 & h_7 \\ s_0 \oplus c_0 & s_1 \oplus c_1 & s_2 \oplus c_2 & s_3 \oplus c_3 \\ t_0 \oplus c_4 & t_0 \oplus c_5 & t_1 \oplus c_6 & t_1 \oplus c_7 \end{pmatrix}
$$
- Each round is composed of 8 applications of the G function, and the compression function iterates a series of 10 rounds.
- Each round uses all 16 message words, according to the permutation table described in the BLAKE proposal.
- The finalization procedure is linear.

  8–9. High probability differential trail
[Figure: the G function applied to the words $a$, $b$, $c$, $d$ over 1 round and 1.5 rounds, with the message words $m$ and $m'$ injected]

  10–13. High probability differential trails
We obtain:
- a 2-round differential trail with probability $2^{-1}$ with active MSB
- a 3-round differential trail with probability $2^{-s}$ where $s = 6, 7, 8$
- a 3.5-round differential trail with probability $\geq 2^{-32}$
- a 2-round differential trail with probability $2^{-(3t-1)}$, $2^{-3t}$ or $2^{-(3t+1)}$, where $t$ is the number of active bits (excluding the MSB)
- a 3-round differential trail consistent with the counters $t_0, t_1$, which has probability $2^{-21}$
- a 2-round differential trail with the $i$-th and $(i+16)$-th bit active, with probability $2^{-9}$ when the $i$-th bit is the MSB and probability $\geq 2^{-14}$ otherwise

  14–15. Boomerang attack on the compression function
[Figure: the boomerang quartet $(P_1, P_2, P_3, P_4)$ through $f = f_1 \circ f_0$. The pairs $(P_1, P_2)$ and $(P_3, P_4)$ have input difference $\Delta$, with $\Pr[\Delta \to \Delta^*] = p$ through $f_0$; the pairs $(P_1, P_3)$ and $(P_2, P_4)$ have difference $\nabla$ at the $f_0$/$f_1$ boundary, with $\Pr[\nabla \to \nabla^*] = q$ through $f_1$, so that $f(P_1) \oplus f(P_3) = \nabla^*$ and $f(P_2) \oplus f(P_4) = \nabla^*$]

  16–19. Boomerang distinguisher
Let $F(H) = f(H) \oplus H$ where $f = f_1 \circ f_0$.
For the boomerang quartet $(P_1, P_2, P_3, P_4)$ we obtain:
$$
\begin{aligned}
P_1 \oplus P_2 &= \Delta, & (1)\\
P_3 \oplus P_4 &= \Delta, & (2)\\
[F(P_1) \oplus P_1] \oplus [F(P_3) \oplus P_3] &= \nabla^*, & (3)\\
[F(P_2) \oplus P_2] \oplus [F(P_4) \oplus P_4] &= \nabla^* & (4)
\end{aligned}
$$
- For a random $n$-bit compression function, finding such a quartet (with a fixed difference) has complexity $2^n$.
- To get a boomerang distinguisher for the compression function $F$ we need $p^2 q^2 > 2^{-n}$.

  20–21. Zero-sum distinguisher
[Figure: the same quartet $(P_1, P_2, P_3, P_4)$ with differences $\Delta$, $\Delta^*$, $\nabla$, $\nabla^*$ through $f_0$ and $f_1$]
From the last equations (xoring (1)–(4) together) we get:
$$F(P_1) \oplus F(P_2) \oplus F(P_3) \oplus F(P_4) = 0$$
- For a random permutation the complexity is $2^{n/4}$.
- But with a fixed $\nabla^*$ difference the complexity rises to $2^{n/2}$.

  22–24. Boomerang attack on BLAKE-32
The real probability of the boomerang is $\hat{p}^2 \hat{q}^2$, where $\hat{p}, \hat{q}$ are the amplified probabilities defined as:
$$
\hat{p} = \sqrt{\sum_{\Delta^*} \Pr[\Delta \to \Delta^*]^2}, \qquad \hat{q} = \sqrt{\sum_{\nabla} \Pr[\nabla \to \nabla^*]^2}
$$
- But getting these probabilities is hard in some cases, so we run computer simulations.
- For the attack on the hash function, the returned pairs are consistent only if $v_{12} \oplus v_{13}$ and $v_{14} \oplus v_{15}$ are fixed (by the initialization, $v_{12} \oplus v_{13} = c_4 \oplus c_5$ and $v_{14} \oplus v_{15} = c_6 \oplus c_7$ for every counter value). This increases the complexity of the attack by a factor of $2^{64}$.
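The following Python is an added example; it is not code from the talk or from the BLAKE authors. It implements the state initialization of slides 3–7 and the G function, builds the round permutation $f$ and its inverse, and then checks the quartet relations (1)–(4) and the zero-sum condition of slides 16–21 on quartets produced by the boomerang construction of slides 14–15. The constants $c_i$, the $\sigma$ table and the rotation amounts are BLAKE's own; the function names, the `rounds` parameter and every sample value are assumptions of this example. No differential trail from the talk is encoded: with an arbitrary $\Delta$ and $\nabla^*$ the quartet is almost never right, which is exactly the $2^{-n}$ baseline that a distinguisher is measured against.

```python
"""Added example (not from the talk or the BLAKE authors): BLAKE-32 state
initialization, G function, the round permutation f and its inverse, and the
boomerang quartet relations (1)-(4) with the zero-sum check from the slides.
Only the constants, sigma table and rotations are BLAKE's; everything else is assumed."""
MASK = 0xFFFFFFFF
# c0..c15 from the BLAKE specification (leading hex digits of pi)
C = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89,
     0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C, 0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917]
# message-word permutations sigma_0..sigma_9 from the BLAKE specification
SIGMA = [[0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15],
         [14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3],
         [11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4],
         [7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8],
         [9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13],
         [2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9],
         [12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11],
         [13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10],
         [6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5],
         [10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0]]
# (a, b, c, d) state indices of G_0..G_7: four column steps, then four diagonal steps
G_INDEX = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def rotl(x, n):
    return rotr(x, 32 - n)

def xor(x, y):
    return [p ^ q for p, q in zip(x, y)]

def initialize(h, s, t):
    """v0..v15 as on the initialization slide: chaining value h, salt s xor c0..c3, counter t0,t1 xor c4..c7."""
    return list(h) + [s[i] ^ C[i] for i in range(4)] + \
        [t[0] ^ C[4], t[0] ^ C[5], t[1] ^ C[6], t[1] ^ C[7]]

def G(v, m, r, i):
    """G_i of round r: two additions of (message word xor constant), four rotate-xors."""
    a, b, c, d = G_INDEX[i]
    sg = SIGMA[r % 10]
    v[a] = (v[a] + v[b] + (m[sg[2 * i]] ^ C[sg[2 * i + 1]])) & MASK
    v[d] = rotr(v[d] ^ v[a], 16)
    v[c] = (v[c] + v[d]) & MASK
    v[b] = rotr(v[b] ^ v[c], 12)
    v[a] = (v[a] + v[b] + (m[sg[2 * i + 1]] ^ C[sg[2 * i]])) & MASK
    v[d] = rotr(v[d] ^ v[a], 8)
    v[c] = (v[c] + v[d]) & MASK
    v[b] = rotr(v[b] ^ v[c], 7)

def G_inv(v, m, r, i):
    """Undo G in reverse step order; every step is a bijection on the state."""
    a, b, c, d = G_INDEX[i]
    sg = SIGMA[r % 10]
    v[b] = rotl(v[b], 7) ^ v[c]
    v[c] = (v[c] - v[d]) & MASK
    v[d] = rotl(v[d], 8) ^ v[a]
    v[a] = (v[a] - v[b] - (m[sg[2 * i + 1]] ^ C[sg[2 * i]])) & MASK
    v[b] = rotl(v[b], 12) ^ v[c]
    v[c] = (v[c] - v[d]) & MASK
    v[d] = rotl(v[d], 16) ^ v[a]
    v[a] = (v[a] - v[b] - (m[sg[2 * i]] ^ C[sg[2 * i + 1]])) & MASK

def f(v, m, rounds=10):
    """The round permutation f = f_1 o f_0 of the slides, applied to a copy of v."""
    v = list(v)
    for r in range(rounds):
        for i in range(8):
            G(v, m, r, i)
    return v

def f_inv(v, m, rounds=10):
    v = list(v)
    for r in reversed(range(rounds)):
        for i in reversed(range(8)):
            G_inv(v, m, r, i)
    return v

def F(v, m, rounds=10):
    """F(H) = f(H) xor H, the feed-forward form the distinguisher is stated for."""
    return xor(f(v, m, rounds), v)

def boomerang_quartet(P1, m, delta, nabla_star, rounds=10):
    """P2 = P1 xor delta; push both through f, xor nabla_star into the outputs and
    return through f_inv. The quartet is 'right' iff P3 xor P4 == delta."""
    P2 = xor(P1, delta)
    P3 = f_inv(xor(f(P1, m, rounds), nabla_star), m, rounds)
    P4 = f_inv(xor(f(P2, m, rounds), nabla_star), m, rounds)
    return P1, P2, P3, P4

def check_quartet(quartet, m, delta, nabla_star, rounds=10):
    """Relations (1)-(4) of the slides and the zero sum F(P1)^F(P2)^F(P3)^F(P4) = 0."""
    P1, P2, P3, P4 = quartet
    F1, F2, F3, F4 = (F(p, m, rounds) for p in quartet)
    relations = bool(xor(P1, P2) == delta and xor(P3, P4) == delta
                     and xor(xor(F1, P1), xor(F3, P3)) == nabla_star
                     and xor(xor(F2, P2), xor(F4, P4)) == nabla_star)
    zero_sum = not any(xor(xor(F1, F2), xor(F3, F4)))
    return relations, zero_sum
```

Sampling random 16-word states `P1`, calling `boomerang_quartet` with a candidate $(\Delta, \nabla^*)$ and counting how often `check_quartet` reports a right quartet is the empirical estimate of $\hat{p}^2 \hat{q}^2$ that the talk obtains by computer simulation; a small `rounds` value keeps such a measurement feasible. Note that a right quartet always satisfies the zero sum, but the converse does not hold, which is why the zero-sum distinguisher of slides 20–21 has a different generic complexity than the quartet search of slides 16–19.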
