cryptanalysis of round reduced keccak using non linear
play

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures - PowerPoint PPT Presentation

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK


  1. Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad

  2. Outline 2 Introduction Hash function Structure of KECCAK Results Our Preimage attacks Preimage attack on 2 rounds KECCAK-512 Preimage attack on 3 rounds KECCAK-384 Conclusion

  3. Introduction 3 ◮ Cryptographic hash functions are hash functions which are resistant to preimage, collision attacks and other attacks.

  4. Introduction 3 ◮ Cryptographic hash functions are hash functions which are resistant to preimage, collision attacks and other attacks. ◮ Practical applications include message integrity checks, digital signatures, authentication, etc.

  5. Introduction 3 ◮ Cryptographic hash functions are hash functions which are resistant to preimage, collision attacks and other attacks. ◮ Practical applications include message integrity checks, digital signatures, authentication, etc. ◮ SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST which is based on KECCAK .

  6. Attacks 4 Let H be a cryptographic hash function.

  7. Attacks 4 Let H be a cryptographic hash function. ◮ Preimage attack: Given H ( m )

  8. Attacks 4 Let H be a cryptographic hash function. ◮ Preimage attack: Given H ( m ) , find any m ′ such that H ( m ′ ) = H ( m ).

  9. Attacks 4 Let H be a cryptographic hash function. ◮ Preimage attack: Given H ( m ) , find any m ′ such that H ( m ′ ) = H ( m ). ◮ Collision attack: Find any m � = m ′

  10. Attacks 4 Let H be a cryptographic hash function. ◮ Preimage attack: Given H ( m ) , find any m ′ such that H ( m ′ ) = H ( m ). ◮ Collision attack: Find any m � = m ′ , such that H ( m ) = H ( m ′ ).

  11. Sponge Construction 5 Source: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf

  12. Sponge Construction 5 Source: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf pad: padding function (10*1)

  13. Sponge Construction 5 Source: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf pad: padding function (10*1) f: KECCAK-f permutation

  14. State 6 Figure: State Source: https://keccak.team/figures.html

  15. KECCAK-p permutation 7 ◮ Block size: 5 × 5 × 64 = 1600.

  16. KECCAK-p permutation 7 ◮ Block size: 5 × 5 × 64 = 1600. ◮ c = 2 ℓ, r = 1600 − c where ℓ ∈ { 224 , 256 , 384 , 512 } .

  17. KECCAK-p permutation 7 ◮ Block size: 5 × 5 × 64 = 1600. ◮ c = 2 ℓ, r = 1600 − c where ℓ ∈ { 224 , 256 , 384 , 512 } . ◮ Number of rounds: In each round there are five Step mappings ( θ, ρ, π, χ, ι ).

  18. Description of θ 8 S ′ [ x, y, z ] = S [ x, y, z ] ⊕ P [( x +1) mod 5][( z − 1) mod 64] ⊕ P [( x − 1) mod 5][ z ] where P [ x ][ z ] = � 4 i =0 S [ x, i, z ] Figure: θ Source: https://keccak.team/figures.html

  19. Description of ρ 9 Figure: ρ Source: https://keccak.team/figures.html

  20. Description of π 10 Figure: π Source: https://keccak.team/figures.html

  21. Description of χ and ι 11 ◮ χ : Only non-linear function

  22. Description of χ and ι 11 ◮ χ : Only non-linear function S ′ [ x, y, z ] = S [ x, y, z ] ⊕ (( S [( x + 1) mod 5 , y, z ] ⊕ 1) · S [( x + 2) mod 5 , y, z ])

  23. Description of χ and ι 11 ◮ χ : Only non-linear function S ′ [ x, y, z ] = S [ x, y, z ] ⊕ (( S [( x + 1) mod 5 , y, z ] ⊕ 1) · S [( x + 2) mod 5 , y, z ]) ◮ ι : S ′ [0 , 0] = S [0 , 0] ⊕ RC i where RC i is a constant which depends on i where i is the round number.

  24. Recap 12 Source: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf

  25. Results 13 Rounds Instances Our Results Previous Results 2 129 [Guo et al., 2016] 2 113 384 2 2 384 [Guo et al., 2016] 2 321 512 2 321 2 322 [Guo et al., 2016] 384 3 2 482 [Guo et al., 2016] 2 475 512 2 371 2 378 [Morawiecki et al., 2013] 4 384 Table: Summary of preimage attacks

  26. Preimage attack 14 1. If all input bits are variables, then the output of KECCAK is a non-linear polynomial .

  27. Preimage attack 14 1. If all input bits are variables, then the output of KECCAK is a non-linear polynomial . 2. This is due to χ function.

  28. Preimage attack 14 1. If all input bits are variables, then the output of KECCAK is a non-linear polynomial . 2. This is due to χ function. 3. To avoid this, we will equate one of the terms in the product to some constant .

  29. Preimage attack 14 1. If all input bits are variables, then the output of KECCAK is a non-linear polynomial . 2. This is due to χ function. 3. To avoid this, we will equate one of the terms in the product to some constant . 4. θ must also be controlled to avoid diffusion.

  30. Preimage attack 14 1. If all input bits are variables, then the output of KECCAK is a non-linear polynomial . 2. This is due to χ function. 3. To avoid this, we will equate one of the terms in the product to some constant . 4. θ must also be controlled to avoid diffusion. 5. Make sure that the number of equations are not more than the number of variables .

  31. Preimage attack on 2 rounds KECCAK-512 15 π ◦ ρ θ − → − − − → (1) (2) (3) ι ◦ χ π ◦ ρ θ ← − − − ← − (6) (5) (4) Figure: Preimage attack on 2-rounds KECCAK-512

  32. Preimage attack on 2 rounds KECCAK-512 16 = 0 = 1 χ − 1 ◦ ι − 1 = constant ← − − − − − − − = linear = quadratic (7) (8) Figure: Preimage attack on 2-rounds KECCAK-512

  33. Preimage attack on 2 rounds KECCAK-512 17 ◮ Number of variables = 6 × 64 = 384.

  34. Preimage attack on 2 rounds KECCAK-512 17 ◮ Number of variables = 6 × 64 = 384. ◮ Number of equations for first θ = 3 × 64 = 192.

  35. Preimage attack on 2 rounds KECCAK-512 17 ◮ Number of variables = 6 × 64 = 384. ◮ Number of equations for first θ = 3 × 64 = 192. ◮ One equation for padding.

  36. Preimage attack on 2 rounds KECCAK-512 17 ◮ Number of variables = 6 × 64 = 384. ◮ Number of equations for first θ = 3 × 64 = 192. ◮ One equation for padding. ◮ Number of equations between message variable and hash bits = 3 ∗ 64 − 1 = 191.

  37. Preimage attack on 2 rounds KECCAK-512 17 ◮ Number of variables = 6 × 64 = 384. ◮ Number of equations for first θ = 3 × 64 = 192. ◮ One equation for padding. ◮ Number of equations between message variable and hash bits = 3 ∗ 64 − 1 = 191. ◮ Complexity 2 512 − 191 = 2 321 .

  38. Preimage attack on 3 rounds KECCAK-384 18 = 0 = 1 = constant 3 R ← − − 0 0 = linear 1 1 = quadratic (2) (1) XOR 2 nd mes- sage block 1 c 2 1 0 0 1 0 0 c 3 c 2 c 3 0 c 1 1 π ◦ ρ ◦ θ χ − − − − − → − → 0 0 1 c 1 1 1 0 1 (3) (4) (5) Figure: Preimage attack on 3-rounds KECCAK-384

  39. Preimage attack on 3 rounds KECCAK-384 19 θ ◦ ι ι ◦ χ π ◦ ρ ← − − − ← − − − (8) (7) (6) θ χ − 1 ◦ ι − 1 = ← − − − − − − − − ρ − 1 ◦ π − 1 (9) (10) (11) Figure: Preimage attack on 3-rounds KECCAK-384

  40. Preimage attack on 3 rounds KECCAK-384 20 1. Number of variables = 6 × 64 = 384.

  41. Preimage attack on 3 rounds KECCAK-384 20 1. Number of variables = 6 × 64 = 384. 2. Number of equations for first θ = 2 × 64 = 128.

  42. Preimage attack on 3 rounds KECCAK-384 20 1. Number of variables = 6 × 64 = 384. 2. Number of equations for first θ = 2 × 64 = 128. 3. Number of equations for second θ = 3 × 64 = 192.

  43. Preimage attack on 3 rounds KECCAK-384 20 1. Number of variables = 6 × 64 = 384. 2. Number of equations for first θ = 2 × 64 = 128. 3. Number of equations for second θ = 3 × 64 = 192. 4. One equation for padding.

  44. Preimage attack on 3 rounds KECCAK-384 20 1. Number of variables = 6 × 64 = 384. 2. Number of equations for first θ = 2 × 64 = 128. 3. Number of equations for second θ = 3 × 64 = 192. 4. One equation for padding. 5. Number of equations between message variables and hash bits = 63.

  45. Preimage attack on 3 rounds KECCAK-384 20 1. Number of variables = 6 × 64 = 384. 2. Number of equations for first θ = 2 × 64 = 128. 3. Number of equations for second θ = 3 × 64 = 192. 4. One equation for padding. 5. Number of equations between message variables and hash bits = 63. 6. Complexity 2 384 − 63 = 2 321 .

  46. Conclusion 21 ◮ We have presented the best theoretical preimage attack for round-reduced KECCAK.

  47. Conclusion 21 ◮ We have presented the best theoretical preimage attack for round-reduced KECCAK. ◮ Would be interesting to see whether non-linear structures along with other techniques can be used to find better preimage attacks for higher rounds.

  48. Thank You

  49. Questions?

  50. References 24 Guo, J., Liu, M., and Song, L. (2016). Linear structures: applications to cryptanalysis of round-reduced keccak. In International Conference on the Theory and Application of Cryptology and Information Security , pages 249–274. Springer. Morawiecki, P., Pieprzyk, J., and Srebrny, M. (2013). Rotational cryptanalysis of round-reduced keccak. In International Workshop on Fast Software Encryption , pages 241–262. Springer.

Recommend


More recommend