Conditional Cube Attacks on Keccak-p Based Constructions

Ling Song, Jian Guo, Danping Shi. ASK 2017 @ Changsha, China.


  1. Conditional Cube Attacks on Keccak-p Based Constructions
     Ling Song, Jian Guo, Danping Shi
     ASK 2017 @ Changsha, China

  2. Outlines
     1 Keccak
     2 Conditional Cube Attacks
     3 New MILP Model for Searching Conditional Cubes
     4 Main Results

  3. Outline
     1 Keccak
     2 Conditional Cube Attacks
     3 New MILP Model for Searching Conditional Cubes
     4 Main Results

  4. SHA-3 (Keccak) Hash Function
     ◮ The sponge construction [BDPV11]
     ◮ $b$-bit permutation $f$
     ◮ Two parameters: bitrate $r$, capacity $c$, and $b = r + c$.
     ◮ The message is padded and then split into $r$-bit blocks.

  5. Keccak Permutation
     ◮ 1600 bits: seen as a $5 \times 5$ array of 64-bit lanes, $A[x, y]$, $0 \le x, y < 5$
     ◮ 24 rounds
     ◮ Each round $R$ consists of five steps: $R = \iota \circ \chi \circ \pi \circ \rho \circ \theta$
     ◮ $\chi$: the only nonlinear operation
     Figure: parts of the state (row, lane, column, slice). Source: http://www.iacr.org/authors/tikz/

  6. Keccak Permutation
     Round function: $\iota \circ \chi \circ \pi \circ \rho \circ \theta$
     $\theta$ step: adding two columns to the current bit
     $$C[x] = A[x, 0] \oplus A[x, 1] \oplus A[x, 2] \oplus A[x, 3] \oplus A[x, 4]$$
     $$D[x] = C[x - 1] \oplus (C[x + 1] \ll 1)$$
     $$A[x, y] = A[x, y] \oplus D[x]$$
     The Column Parity kernel
     ◮ If $C[x] = 0$, $0 \le x < 5$, then the state $A$ is in the CP kernel.
     Figure source: http://keccak.noekeon.org/

  7. Keccak Permutation
     Round function: $\iota \circ \chi \circ \pi \circ \rho \circ \theta$
     $\rho$ step: lane level rotations, $A[x, y] = A[x, y] \ll r[x, y]$
     Rotation offsets $r[x, y]$:

     |       | x = 0 | x = 1 | x = 2 | x = 3 | x = 4 |
     |-------|-------|-------|-------|-------|-------|
     | y = 0 | 0     | 1     | 62    | 28    | 27    |
     | y = 1 | 36    | 44    | 6     | 55    | 20    |
     | y = 2 | 3     | 10    | 43    | 25    | 39    |
     | y = 3 | 41    | 45    | 15    | 21    | 8     |
     | y = 4 | 18    | 2     | 61    | 56    | 14    |

     Figure source: http://keccak.noekeon.org/

  8. Keccak Permutation
     Round function: $\iota \circ \chi \circ \pi \circ \rho \circ \theta$
     $\pi$ step: permutation on lanes
     $$A[y, 2x + 3y] = A[x, y]$$
     Lane labels before and after $\pi$:

     | Before $\pi$        | After $\pi$         |
     |---------------------|---------------------|
     | 0,0 1,0 2,0 3,0 4,0 | 0,0 1,1 2,2 3,3 4,4 |
     | 0,1 1,1 2,1 3,1 4,1 | 3,0 4,1 0,2 1,3 2,4 |
     | 0,2 1,2 2,2 3,2 4,2 | 1,0 2,1 3,2 4,3 0,4 |
     | 0,3 1,3 2,3 3,3 4,3 | 4,0 0,1 1,2 2,3 3,4 |
     | 0,4 1,4 2,4 3,4 4,4 | 2,0 3,1 4,2 0,3 1,4 |

  9. Keccak Permutation
     Round function: $\iota \circ \chi \circ \pi \circ \rho \circ \theta$
     $\chi$ step: 5-bit S-boxes, nonlinear operation on rows, mapping inputs $x_0, \ldots, x_4$ to outputs $y_0, \ldots, y_4$:
     $$y_0 = x_0 + (x_1 + 1) \cdot x_2,$$
     $$y_1 = x_1 + (x_2 + 1) \cdot x_3,$$
     $$y_2 = x_2 + (x_3 + 1) \cdot x_4,$$
     $$y_3 = x_3 + (x_4 + 1) \cdot x_0,$$
     $$y_4 = x_4 + (x_0 + 1) \cdot x_1.$$

  10. Keccak Permutation
      Round function: $\iota \circ \chi \circ \pi \circ \rho \circ \theta$
      $\iota$ step: adding a round constant to the state
      $$A[0, 0] = A[0, 0] \oplus RC[i]$$
      Adding one round-dependent constant to the first "lane", to destroy the symmetry.
      Figure: the $5 \times 5$ array of lane positions 0,0 through 4,4.

  11. Keccak Permutation: Round function
      Internal state $A$: a $5 \times 5$ array of 64-bit lanes
      $\theta$ step:
      $$C[x] = A[x, 0] \oplus A[x, 1] \oplus A[x, 2] \oplus A[x, 3] \oplus A[x, 4]$$
      $$D[x] = C[x - 1] \oplus (C[x + 1] \ll 1)$$
      $$A[x, y] = A[x, y] \oplus D[x]$$
      $\rho$ step: $A[x, y] = A[x, y] \ll r[x, y]$
      - The constants $r[x, y]$ are the rotation offsets.
      $\pi$ step: $A[y, 2x + 3y] = A[x, y]$
      $\chi$ step: $A[x, y] = A[x, y] \oplus ((\neg A[x + 1, y]) \,\&\, A[x + 2, y])$
      $\iota$ step: $A[0, 0] = A[0, 0] \oplus RC[i]$
      - $RC[i]$ are the round constants.
      The only non-linear operation is the $\chi$ step.
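The five steps summarized on slide 11, written out as a runnable Keccak-p[1600, n_r] permutation. This is an added example, not code from the slides or their authors; the function names are chosen here, and the rotation offsets and round constants are generated with the standard FIPS 202 procedures instead of being typed in as tables.

```python
# Added illustration of the round function R = iota . chi . pi . rho . theta.
# Function names are chosen for this example; the state is A[x][y], 64-bit lanes.
MASK = (1 << 64) - 1

def rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK

def rotation_offsets():
    # r[x][y] from the FIPS 202 walk: start at (1,0), step (x,y) -> (y, 2x+3y).
    r = [[0] * 5 for _ in range(5)]
    x, y = 1, 0
    for t in range(24):
        r[x][y] = ((t + 1) * (t + 2) // 2) % 64
        x, y = y, (2 * x + 3 * y) % 5
    return r

def round_constants():
    # RC[i] from the LFSR x^8 + x^6 + x^5 + x^4 + 1; output bit j lands at 2^j - 1.
    rcs, lfsr = [], 1
    for _ in range(24):
        rc = 0
        for j in range(7):
            if lfsr & 1:
                rc |= 1 << ((1 << j) - 1)
            lfsr = ((lfsr << 1) ^ (0x71 if lfsr & 0x80 else 0)) & 0xFF
        rcs.append(rc)
    return rcs

def keccak_round(A, rc, r):
    # theta: XOR each bit with the parities of two neighbouring columns
    C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
    D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
    # rho (lane rotation) and pi (lane permutation) in one pass
    B = [[0] * 5 for _ in range(5)]
    for x in range(5):
        for y in range(5):
            B[y][(2 * x + 3 * y) % 5] = rol(A[x][y] ^ D[x], r[x][y])
    # chi: the only nonlinear step, applied along each row
    A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)]
         for x in range(5)]
    A[0][0] ^= rc  # iota
    return A

def keccak_p(A, rounds=24):
    # Keccak-p[1600, rounds] runs the last `rounds` rounds of Keccak-f[1600].
    r = rotation_offsets()
    for rc in round_constants()[24 - rounds:]:
        A = keccak_round(A, rc, r)
    return A
```

With `rounds=24` and the SHA3-256 padding of the empty message absorbed into the state, the first four lanes of the output are the SHA3-256 digest, which gives a direct check against `hashlib`.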

  12. Keccak-p Based Constructions: KMAC
      Figure: KMAC processing one message block
      ◮ Two versions: KMAC128 and KMAC256
      ◮ N and S are public strings.

  13. Keccak-p Based Constructions: Kravatte
      stands for permutations and symbolizes rolling functions.
      $p_b = p_c =$ Keccak-p[1600, 6], $p_d = p_e =$ Keccak-p[1600, 4] [1].
      [1] Version of 17-Jul-2017.

  14. Keccak-p Based Constructions: Keyak and Ketje
      Figure: (a) Keyak and (b) Ketje

  15. Outline
      1 Keccak
      2 Conditional Cube Attacks
      3 New MILP Model for Searching Conditional Cubes
      4 Main Results

  16. Cube Attacks [DS09]
      Given a Boolean polynomial $f(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1})$ and a monomial $t_I = \bigwedge_{i_r \in I} v_{i_r}$, $I = (i_1, \ldots, i_d)$, $f$ can be written as
      $$f(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1}) = t_I \cdot p_{S_I} + q(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1})$$
      ◮ $q$ contains terms that are not divisible by $t_I$
      ◮ $p_{S_I}$ is called the superpoly of $I$ in $f$
      ◮ $v_{i_1}, \ldots, v_{i_d}$ are called cube variables. $d$ is the dimension.
      The cube sum is exactly
      $$p_{S_I} = \sum_{(v_{i_1}, \ldots, v_{i_d}) \in C_I} f(k_0, \ldots, k_{n-1}, v_0, \ldots, v_{m-1})$$
      Cube attacks: $p_{S_I}$ is a low-degree polynomial in key bits.
      Cube testers: distinguish $p_{S_I}$ from a random function. E.g., $p_{S_I} = 0$.
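The decomposition $f = t_I \cdot p_{S_I} + q$ from slide 16, checked numerically on a small polynomial. This is an added example, not taken from the slides: the polynomial `f` is constructed for illustration, and the helper names `cube_sum`, `linear_superpoly` and `is_linear` are chosen here.

```python
# Added illustration: cube sums over GF(2) on a constructed toy polynomial.
from itertools import product

def f(k, v):
    # f = v0*v1*(k0 + k1 + v2) + v0*k2 + v1*v2 + k0*k1 + v3   (constructed example)
    return ((v[0] & v[1] & (k[0] ^ k[1] ^ v[2])) ^ (v[0] & k[2])
            ^ (v[1] & v[2]) ^ (k[0] & k[1]) ^ v[3])

def cube_sum(func, k, cube, m=4, fixed=None):
    """XOR func over all 2^d values of the cube variables v_i, i in cube.
    Public variables outside the cube keep the value given in `fixed` (default 0)."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = list(fixed) if fixed else [0] * m
        for i, b in zip(cube, bits):
            v[i] = b
        total ^= func(k, v)
    return total

def linear_superpoly(func, cube, n=3):
    """Read off a linear superpoly c + sum a_j*k_j by evaluating the cube sum
    at k = 0 and at the unit vectors (meaningful only if the superpoly is linear)."""
    c = cube_sum(func, [0] * n, cube)
    a = [cube_sum(func, [int(i == j) for i in range(n)], cube) ^ c
         for j in range(n)]
    return c, a

def is_linear(func, cube, n=3):
    # Confirm the recovered linear form against the cube sum for every key.
    c, a = linear_superpoly(func, cube, n)
    return all(cube_sum(func, k, cube) ==
               c ^ (sum(x & y for x, y in zip(a, k)) & 1)
               for k in product((0, 1), repeat=n))
```

For the cube $I = (0, 1)$ the sum collapses to the superpoly $k_0 + k_1 + v_2$, while every term of $q$ is counted an even number of times and vanishes; a cube whose monomial divides no term of `f`, such as $(0, 1, 3)$, sums to zero, which is the cube-tester case.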

  17-19. Conditional Cube Testers of Keccak [HWX+17]
      Ordinary cube variables:
      ◮ Do not multiply with any variable in the first round.
      Conditional cube variables:
      ◮ Do not multiply with any variable in the first two rounds under certain conditions.
      Properties: $2^n$-dimensional cubes with 1 conditional cube variable
      ◮ The cube sum is zero for $(n + 1)$-round Keccak.
      If the conditions involve the key, the conditional cube can be used to recover the key.
      Time complexity of the key recovery: $\frac{k}{t} \cdot 2^{2^n + t}$, where $t$ is the number of key bits involved in the conditions.

  20. Outline
      1 Keccak
      2 Conditional Cube Attacks
      3 New MILP Model for Searching Conditional Cubes
        Requirements
        New MILP Model
      4 Main Results

  21-22. How to keep the first $\chi$ linear
      The expression of $b = \chi(a)$ is of algebraic degree 2:
      $$b_i = a_i + a_{i+1} \cdot a_{i+2}, \quad \text{for } i = 0, 1, \ldots, 4.$$
      Observation: when there are no neighbouring variables in the input of an Sbox, the application of $\chi$ does NOT increase the algebraic degree.
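The observation about neighbouring variables can be checked exhaustively on the 5-bit S-box. The following is an added example, not from the slides: it uses the $\chi$ expression with the complement as given on slide 9, treats a chosen set of input positions as variables and the rest as constants, and computes the algebraic degree of each output bit from its algebraic normal form; the helper names are chosen here.

```python
# Added illustration: degree of chi in a subset of its inputs (others constant).
from itertools import product

def chi(a):
    # b_i = a_i + (a_{i+1} + 1) * a_{i+2}, indices mod 5
    return [a[i] ^ ((a[(i + 1) % 5] ^ 1) & a[(i + 2) % 5]) for i in range(5)]

def degree(var_pos, const, out_bit):
    """Algebraic degree of output bit `out_bit` in the variables at positions
    var_pos, with the remaining input bits fixed to the values in `const`."""
    d = len(var_pos)
    tt = []
    for m in range(1 << d):
        a = list(const)
        for j, p in enumerate(var_pos):
            a[p] = (m >> j) & 1
        tt.append(chi(a)[out_bit])
    # Moebius transform: truth table -> ANF coefficients, indexed by monomial mask
    for j in range(d):
        for m in range(1 << d):
            if m & (1 << j):
                tt[m] ^= tt[m ^ (1 << j)]
    return max((bin(m).count("1") for m in range(1 << d) if tt[m]), default=0)

def max_degree(var_pos):
    # Worst case over all output bits and all values of the constant inputs.
    return max(degree(var_pos, c, i)
               for c in product((0, 1), repeat=5) for i in range(5))

def has_neighbours(var_pos):
    # Two variable positions are neighbours if they are cyclically adjacent.
    s = set(var_pos)
    return any((p + 1) % 5 in s for p in s)
```

Over all non-empty subsets of the five input positions, `max_degree` is 1 exactly when `has_neighbours` is false, so at most two variables per row, in non-adjacent positions, pass through $\chi$ without a degree increase.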
