improved linear differential attacks on cubehash
play

Improved Linear Differential Attacks on CubeHash Shahram Khazaei 1 - PowerPoint PPT Presentation

Feb 09, 2024 •331 likes •506 views

Improved Linear Differential Attacks on CubeHash Shahram Khazaei 1 Simon Knellwolf 2 Willi Meier 2 Deian Stefan 3 1 EPFL, Switzerland 2 FHNW, Switzerland 3 The Cooper Union, USA AFRICACRYPT 2010, Mai 03-06, Stellenbosch Abstract Follow-up of

  1. Improved Linear Differential Attacks on CubeHash Shahram Khazaei 1 Simon Knellwolf 2 Willi Meier 2 Deian Stefan 3 1 EPFL, Switzerland 2 FHNW, Switzerland 3 The Cooper Union, USA AFRICACRYPT 2010, Mai 03-06, Stellenbosch

  2. Abstract ◮ Follow-up of [4] Brier, Khazaei, Meier, Peyrin: Linearization Framework for Collision Attacks: Applications to CubeHash and MD6 , ASIACRYPT 2009. ◮ Better differences lead to improved collision attacks of CubeHash ◮ Main results 5/96: practical collisions 8/96: collision in 2 80 ◮ No attack on official CubeHash-16/32

  3. Outline Description of CubeHash Attack using Linearization Framework Finding Better Differences Random Search Backword Computation Summary of Results

  4. Description of CubeHash ◮ Hash function designed in 2008 by Dan Bernstein ◮ NIST SHA-3 second round candidate ◮ Internal state of 128 bytes ◮ Variants CubeHash-r/b (official version 16/32) M 0 M 1 M t − 1 finalization ❄ ❄ ❄ ✲ ⊕ ✲ ✲ ⊕ ✲ ✲ ⊕ ✲ ✲ r r r IV rounds rounds rounds ✲ ✲ ✲ ✲ M = M 0 || M 1 || . . . || M t − 1 padded message with b -byte blocks

  5. One Round Internal state = 32 words of 32 bits A round consists in: ◮ 32 additions ◮ 32 rotations ◮ 32 swaps ◮ 32 XORs Linearization: replace additions by XORs

  6. Attack using Linearization Framework Compress : { 0 , 1 } 8 bt → { 0 , 1 } 1024 − 8 b M 0 M 1 M t − 1 ❄ ❄ ❄ ✲ ⊕ ✲ ✲ ⊕ ✲ ✲ ⊕ ✲ r r r IV rounds rounds rounds ✲ ✲ ✲ ✲ Collision attack: Find M and ∆ such that Compress ( M ) = Compress ( M ⊕ ∆) Every collision for Compress extends to a full collision.

  7. Finding ∆ Compress lin : { 0 , 1 } 8 bt → { 0 , 1 } 1024 − 8 b ∆ 0 ∆ 1 ∆ t − 1 ❄ ❄ ❄ ✲ ⊕ ✲ ✲ ⊕ ✲ ✲ ⊕ ✲ r linear r linear r linear 0 rounds rounds rounds ✲ ✲ ✲ ✲ ∆ in the kernel of Compress lin ⇒ Compress lin ( M ) = Compress lin ( M ⊕ ∆) α (∆) , β (∆) : concatenation of left/right addends (XORSs) excluding MSBs Number of conditions y = wt ( α (∆) ∨ β (∆))

  8. What is a good ∆ ? Raw probability p ∆ = 2 − y ⇒ finding M takes 2 y queries ◮ can be reduced to c ∆ using concepts of [4]: ◮ condition function ◮ dependency table ◮ backtracking algorithm ≈ automatic message modification techniques c ∆ = estimated complexity of the attack Two aspects of a good ∆ : 1. small total number of conditions 2. sparse conditions in later rounds

  9. Finding ∆ : Exhaustive Subset Search Goal: Find ∆ with small total number of conditions Method in [4]: 1. Determine a kernel basis 2. Exhaustive search over linear combinations of at most 3 basis vectors But: kernel basis is not unique! y 6/32 6/64 6/96 7/96 8/96 [4] 400 351 142 251 266 NTL 700 700 165 652 329 2 182 2 144 c ∆

  10. Finding ∆ : Randomize the Search Method adapted from: [11] Pramstaller, Rechberger, Rijmen: Exploiting Coding Theory for Collision Attacks on SHA-1 , IMA Int. Conf. 2005. Kernel basis: ∆ 0 , . . . , ∆ τ − 1  ∆ 0 || α (∆ 0 ) || β (∆ 0 )  Build matrix G = || ||   . . . ∆ τ − 1 || α (∆ τ − 1 ) || β (∆ τ − 1 ) ◮ Choose random pivot G i , j ◮ Eliminate all one’s in column j ◮ Keep row with lowest number of conditions

  11. Finding ∆ : Randomize the Search Minimal number of conditions found with random search (RS) y 6/32 6/64 6/96 7/96 8/96 [4] 400 351 142 251 266 NTL 700 700 165 652 329 RS 394 309 90 251 151 2 180 2 132 2 51 2 192 2 80 c ∆ Generic attack for b = 96 has complexity of about 2 128

  12. Finding ∆ : Backword Computation Goal: Find ∆ with sparse conditions in late rounds lin : { 0 , 1 } 8 bt → { 0 , 1 } 1024 − 8 b Compress b ∆ t − 1 ∆ 1 ∆ 0 ❄ ❄ ❄ ∆ t r linear ✛ ⊕ r linear ✛ ⊕ r linear ✛ ⊕ ✛ ✛ ✛ ✛ inverse inverse inverse 0 ✛ ✛ ✛ ✛ rounds rounds rounds ∆ = ∆ t || ∆ t − 1 || . . . || ∆ 1 lies in the kernel of Compress lin

  13. CubeHash-5/96, t = 1 Two different distributions of conditions y i = number of conditions at round i y y 1 y 2 y 3 y 4 y 5 c ∆ 2 69 127 14 17 23 30 43 2 32 134 44 36 25 17 12 Collisions found after 2 23 to 2 32 . 25 function calls.

  14. Collision for CubeHash-5/96 M = F06BB068 487C5FE1 CCCABA70 0A989262 801EDC3A 69292196 8848F445 B8608777 C037795A 10D5D799 FD16C037 A52D0B51 63A74C97 FD858EEF 7809480F 43EB264C D6631863 2A8CCFE2 EA22B139 D99E4888 8CA844FB ECCE3295 150CA98E B16B0B92 3DB4D4EE 02958F57 8EFF307A 5BE9975B 4D0A669E E6025663 8DDB6421 BAD8F1E4 384FE128 4EBB7E2A 72E16587 1E44C51B DA607FD9 1DDAD41F 4180297A 1607F902 2463D259 2B73F829 C79E766D 0F672ECC 084E841B FC700F05 3095E865 8EEB85D5 ∆ = 08000208 08000208 00000000 00000000 40000100 00000000 00400110 00000000 00000000 00000000 00000000 00000000 00000000 00000000 0800A000 00000000 08000888 08000208 00000000 00000000 40011000 00000000 00451040 00000000 80000000 00000000 80000000 00000000 00000000 00000000 00000000 00000000 00400000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000080 00000000 00000080 00000000 00040000 00000000 00000000

  15. Summary of Improved Results Backward Computation: ◮ Collisions for CubeHash-5/96 in practical time Randomized Search ◮ Improved collision attacks 6/32: 2 180 6/64: 2 132 6/96: 2 51 ◮ First collision attack for 8 rounds 8/96: 2 80 Far away from an attack on official CubeHash-16/32

  16. Improved Linear Differential Attacks on CubeHash Shahram Khazaei 1 Simon Knellwolf 2 Willi Meier 2 Deian Stefan 3 1 EPFL, Switzerland 2 FHNW, Switzerland 3 The Cooper Union, USA AFRICACRYPT 2010, Mai 03-06, Stellenbosch

Recommend

Combined Attacks from Boomerangs to Sandwiches and Differential-Linear Orr Dunkelman

Combined Attacks from Boomerangs to Sandwiches and Differential-Linear Orr Dunkelman

Introduction Boomerang Diff-Lin Summary Combined Attacks from Boomerangs to Sandwiches and Differential-Linear Orr Dunkelman Department of Computer Science, University of Haifa June 5th, 2014 Orr Dunkelman Combined Attacks 1/ 36

656 views • 36 slides
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent Inria, Paris Eurocrypt 2016 m 0 m 1 m 2 K K K Gatan

540 views • 36 slides
Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel

Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel

Differential-Linear Attacks against the Stream Cipher Phelix Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC Overview 1. Introduction to Helix and Phelix 2. Description of Phelix 3. Differential propagation of

790 views • 28 slides
Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas

Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas

Introduction Results ECHO Grstl Improved Differential Attacks for ECHO and Grstl (extended version available on eprint) Thomas Peyrin CRYPTO 2010 Santa Barbara - November 19, 2010 Introduction Results ECHO Grstl Outline

382 views • 23 slides
SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length output. H(m) = h Cryptographic Hash Functions Preimage resistance Collision resistance Applications of Cryptographic Hash Functions

672 views • 38 slides
Differential forms in non-linear Cartesian differential categories Hayley Reid and Jonathan

Differential forms in non-linear Cartesian differential categories Hayley Reid and Jonathan

Overview Cartesian differential categories Examples of Non-linear CDCS Differential forms Cohomology Non-linear tangent categories Differential forms in non-linear Cartesian differential categories Hayley Reid and Jonathan Bradet-Legris

409 views • 30 slides
Second Order Linear Differential Equations A second order linear differential equa- tion is an

Second Order Linear Differential Equations A second order linear differential equa- tion is an

Second Order Linear Differential Equations A second order linear differential equa- tion is an equation which can be writ- ten in the form y + p ( x ) y + q ( x ) y = f ( x ) where p, q , and are continuous f functions on some

1.04k views • 65 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
A logical account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e

A logical account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e

Differential Linear Logic Smooth classical models Distributions LPDEs MFPS 2018, Halifax A logical account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e Paris Diderot kerjean@irif.fr Differential Linear Logic

800 views • 53 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
Higher Order Linear Differential Equations Familiar stuff Example Homogeneous equations Math

Higher Order Linear Differential Equations Familiar stuff Example Homogeneous equations Math

Higher Order Linear Differential Equations Math 240 Linear DE Linear differential operators Higher Order Linear Differential Equations Familiar stuff Example Homogeneous equations Math 240 Calculus III Summer 2015, Session II

417 views • 25 slides
Smooth models of Linear Logic : Towards a Type Theory for Linear Partial Differential Equations

Smooth models of Linear Logic : Towards a Type Theory for Linear Partial Differential Equations

Proofs and smooth objects An interpretation for ! and A model with Distributions Linear PDE as exponentials Chocola, LYON, June 2017 Smooth models of Linear Logic : Towards a Type Theory for Linear Partial Differential Equations Marie

754 views • 64 slides
Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin

Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin

Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 14 : 590.03 Fall 12 1 Outline Differential Privacy Implementations PINQ: Privacy Integrated Queries [McSherry SIGMOD

1.22k views • 40 slides
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2

Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1 ebastien Coron 2 Rina Zeitoun 1 Jean-S 1 IDEMIA, France 2 University of Luxembourg CHES 2018 Side-channel Attacks Differential Power Analysis [KJJ99] Group by

620 views • 47 slides
Differential Attacks on Generalized Feistel Schemes Val erie Nachef - Emmanuel Volte - Jacques

Differential Attacks on Generalized Feistel Schemes Val erie Nachef - Emmanuel Volte - Jacques

Differential Attacks on Generalized Feistel Schemes Val erie Nachef - Emmanuel Volte - Jacques Patarin CANS 2013 20 November 2013 Outline Introduction 1 State of the Art Our Contribution Definition of the schemes Attacks on Type-1

893 views • 45 slides
Smooth Linear Logic and Linear Partial Differential Equations Marie Kerjean IRIF, Universit e

Smooth Linear Logic and Linear Partial Differential Equations Marie Kerjean IRIF, Universit e

Proofs and smooth objects A model with Distributions Linear PDEs as exponentials TLLA, Oxford, September 2017 Smooth Linear Logic and Linear Partial Differential Equations Marie Kerjean IRIF, Universit e Paris Diderot kerjean@irif.fr

429 views • 32 slides
Remarks on the Data Complexity of Zero-Correlation Linear Attacks C eline Blondeau Aalto

Remarks on the Data Complexity of Zero-Correlation Linear Attacks C eline Blondeau Aalto

Remarks on the Data Complexity of Zero-Correlation Linear Attacks C eline Blondeau Aalto University ESC, Luxembourg 2015 Outline Zero-Correlation Linear Attacks Data Complexity of Zero-Correlation Attacks Repetition of Plaintexts Data

464 views • 35 slides
Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended

FSE 2020 Multiple Linear Cryptanalysis Using Linear Statistics Jung-Keun Lee and Woo-Hwan Kim ETRI Our contribution improved and extended approach of multiple linear cryptanalysis[BCQ04] (exploit dominant statistically independent linear

714 views • 30 slides
A Logical Account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e

A Logical Account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e

LICS 2018, Oxford A Logical Account for Linear Partial Differential Equations Marie Kerjean IRIF, Universit e Paris Diderot kerjean@irif.fr 1/ 19 Linear Logic is about joining Logic and Algebra. Differential Linear Logic is about joining

502 views • 37 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography

Outline Analytic Attacks on Block Ciphers 1 CPSC 418/MATH 318 Introduction to Cryptography Linear Cryptanalysis Differential Cryptanalysis Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Other Advanced Attacks Operation,

933 views • 11 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Lecture 2.5: Linear differential equations Matthew Macauley Department of Mathematical Sciences

Lecture 2.5: Linear differential equations Matthew Macauley Department of Mathematical Sciences

Lecture 2.5: Linear differential equations Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 2080, Differential Equations M. Macauley (Clemson) Lecture 2.5: Linear differential

622 views • 8 slides

More recommend