Cryptanalysis of WIDEA - PowerPoint PPT Presentation

  1. Cryptanalysis of WIDEA
     Gaëtan Leurent, UCL Crypto Group, Microelectronics Laboratory. FSE 2013.

  2. Wide block ciphers
     ▶ Most block ciphers have a blocksize of 128 bits
     ▶ 64 bits for lightweight
     ▶ Sometimes a larger blocksize is useful
        ▶ More than 2^64 data with a single key
        ▶ Large key, very high security
        ▶ Hash function design
     ▶ Rijndael: 192/256
     ▶ Threefish: 256/512/1024
     ▶ WIDEA: 256/512

  3. WIDEA: previous results
     ▶ Wide block cipher based on IDEA
     ▶ Designed by Junod and Macchetti [FSE '09]
     ▶ Motivation: build a hash function
     ▶ Expected to inherit the security of IDEA
        ▶ Full diffusion after one round
        ▶ Mix incompatible operations: ⊞, ⊕, ⊙, ⊗
        ▶ Same number of rounds: 8.5
     ▶ Weak keys [Nakahara, CANS '12], [Mendel et al., CT-RSA '13]
     ▶ Freestart collision (practical) [Mendel et al., CT-RSA '13]

  4. IDEA
     [Figure: one IDEA round, inputs X0..X3, subkeys Z0..Z5, MA-box, outputs Y0..Y3]
     ▶ Lai and Massey 1991
     ▶ 16-bit words
     ▶ 64-bit block, 128-bit key
     ▶ 8.5 rounds
     ▶ Based on incompatible operations:
        ▶ ⊞: modular addition
        ▶ ⊕: bitwise xor
        ▶ ⊙: mult. mod 2^16 + 1
     ▶ Unbroken after 20+ years
     ▶ Weak-key problems

  5. WIDEA
     [Figure: one WIDEA round, slices X_{i,0} .. X_{i,3} with subkeys Z_{i,j}, the MDS matrix M between the slices' MA-boxes, outputs Y_{i,j}]
     ▶ Junod and Macchetti 2009
     ▶ WIDEA-w: w parallel IDEA
     ▶ MDS matrix for diffusion across the slices
     ▶ WIDEA-4: 256-bit block, 512-bit key
     ▶ WIDEA-8: 512-bit block, 1024-bit key
     ▶ Efficient SIMD implem.
     ▶ w 16-bit words


  7. Outline
     ▶ Introduction
     ▶ Truncated differential
     ▶ Key recovery
     ▶ Hash collisions
     ▶ Conclusion

  8. Main idea
     ▶ Consider differential attack.
     ▶ Can we keep a single slice active?
     ▶ Inside the MAD box (M/A, MDS, M/A): zero difference into the MDS with p = 2^-16
     [Figure: one round (1R) of the single-slice trail]

  9. Truncated differential trail
     [Figure: one WIDEA round with only slice 0 active]
     ▶ One input slice active: X_{i,0} ≠ X'_{i,0}, X_{i,j} = X'_{i,j} for j ≠ 0
     ▶ Zero difference at the input of the MDS with probability 2^-16
     ▶ No effect on other slices: Y_{i,0} ≠ Y'_{i,0}, Y_{i,j} = Y'_{i,j} for j ≠ 0

  10. Main idea (continued)
     ▶ Consider differential attack.
     ▶ Can we keep a single slice active?
     ▶ Inside the MAD box: p = 2^-16 per round
     ▶ 1R: p = 2^-16
     ▶ 8.5R: p = 2^-128

  13. Finding good pairs
     ▶ Truncated trail for full 8.5 rounds: p = 2^-128
     ▶ Use a structure of 2^64 plaintexts
        ▶ 2^64 values for one slice
        ▶ Fixed value for the other slices
        ▶ 2^127 candidate pairs with one active slice: ((w, x, y, z), (w', x', y', z'))
        ▶ One good pair with two structures
     ▶ Look for collisions in inactive slices
     ▶ Distinguisher with complexity 2^65 (success rate 63%)
     ▶ Strong filtering: no wrong pairs, can break more than 8 rounds

  14. Outline (section divider)
     ▶ Introduction
     ▶ Truncated differential
     ▶ Key recovery
     ▶ Hash collisions
     ▶ Conclusion

  15. Using right pairs: first round
     Extract key information from right pairs:
     ▶ Denote the MDS input as D
     ▶ A right pair gives D = D'
        D  = (((X0 ⊙ Z0) ⊕ (X2 ⊞ Z2)) ⊙ Z4) ⊞ ((X1 ⊞ Z1) ⊕ (X3 ⊙ Z3))
        D' = (((X'0 ⊙ Z0) ⊕ (X'2 ⊞ Z2)) ⊙ Z4) ⊞ ((X'1 ⊞ Z1) ⊕ (X'3 ⊙ Z3))
     ▶ Filtering Z0, Z1, Z2, Z3, Z4
        ▶ 5 pairs should be enough
        ▶ Experimental results: need 8 pairs
        ▶ One bit cannot be recovered (linear): MSB of Z1
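The first-round condition of this slide, as an added example written for this page (not the talk's own code): it implements IDEA's ⊙ and ⊞ on 16-bit words, computes the MDS input D for one slice, builds a right pair under a known key to show what D = D' does and does not filter, and checks that flipping the MSB of Z1 never changes the verdict, which is why that bit cannot be recovered. Keys and inputs are constructed sample values.

```python
import random
MASK = 0xFFFF   # 16-bit words
MOD = 0x10001   # 2^16 + 1 is prime, so multiplying by a fixed subkey is a bijection

def mul(a, b):
    """IDEA multiplication mod 2^16+1; the word 0 stands for 2^16 (and back)."""
    a = a or 0x10000
    b = b or 0x10000
    return (a * b % MOD) & MASK

def add(a, b):
    """Modular addition mod 2^16."""
    return (a + b) & MASK

def mds_input(x, z):
    """D = (((X0 ⊙ Z0) ⊕ (X2 ⊞ Z2)) ⊙ Z4) ⊞ ((X1 ⊞ Z1) ⊕ (X3 ⊙ Z3)) for one slice."""
    x0, x1, x2, x3 = x
    z0, z1, z2, z3, z4 = z[:5]
    p = mul(x0, z0) ^ add(x2, z2)
    q = add(x1, z1) ^ mul(x3, z3)
    return add(mul(p, z4), q)

def is_right_pair(x, xp, z):
    """Right pair for the one-slice trail: zero difference at the MDS input."""
    return mds_input(x, z) == mds_input(xp, z)

def make_right_pair(x, z, new_x0):
    """With Z known (for illustration only), change X0 and compensate X2 so that
    (X0 ⊙ Z0) ⊕ (X2 ⊞ Z2) is unchanged; then D' = D by construction."""
    x0, x1, x2, x3 = x
    p = mul(x0, z[0]) ^ add(x2, z[2])
    new_x2 = ((mul(new_x0, z[0]) ^ p) - z[2]) & MASK
    return (new_x0, x1, new_x2, x3)

def msb_z1_is_invisible(trials=2000, seed=1):
    """Z1 and Z1 ⊕ 0x8000 give the same verdict D = D' on every pair, because adding
    0x8000 mod 2^16 only flips the MSB of (X1 ⊞ Z1), hence of D and D' alike."""
    rng = random.Random(seed)
    for _ in range(trials):
        z = tuple(rng.randrange(1 << 16) for _ in range(5))   # constructed subkeys
        x = tuple(rng.randrange(1 << 16) for _ in range(4))   # constructed plaintext slice
        if rng.random() < 0.5:      # mix right pairs and random (mostly wrong) pairs
            xp = make_right_pair(x, z, rng.randrange(1 << 16))
        else:
            xp = tuple(rng.randrange(1 << 16) for _ in range(4))
        z_flipped = z[:1] + (z[1] ^ 0x8000,) + z[2:]
        if is_right_pair(x, xp, z) != is_right_pair(x, xp, z_flipped):
            return False
    return True
```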
