new collision attacks on round reduced keccak
play

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 - PowerPoint PPT Presentation

Jun 06, 2023 •166 likes •530 views

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

  1. New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences, China 2 Nanyang Technological University, Singapore 3 Data Assurance and Communication Research Center, Chinese Academy of Sciences, China 4 University of Chinese Academy of Sciences, China Paris, France Eurocrypt 2017 K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 1 / 27

  2. Outlines Introduction 1 Overview of Collision Attack 2 Search for Differential Trails 3 Results 4 Future work 5 K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 2 / 27

  3. Introduction Outline Introduction 1 Description of Keccak Previous Work and Our Contribution Main Idea Overview of Collision Attack 2 Search for Differential Trails 3 Results 4 Future work 5 K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 3 / 27

  4. Introduction Description of Keccak SHA-3 Hash Function Structure of Keccak –Sponge construction http://keccak.noekeon.org/ Keccak - f permutation 1600 bits: a 5 × 5 array of 64-bit lanes 24 round R each round consists of five steps: R = ι ◦ χ ◦ π ◦ ρ ◦ θ K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 3 / 27

  5. Introduction Description of Keccak SHA-3 Hash Function Keccak - f permutation: the internal state http://www.iacr.org/authors/tikz/ K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 4 / 27

  6. Introduction Description of Keccak SHA-3 Hash Function Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ θ step: adding two columns to current bit http://keccak.noekeon.org/ K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 5 / 27

  7. Introduction Description of Keccak SHA-3 Hash Function Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ ρ step: lane level rotations http://keccak.noekeon.org/ K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 6 / 27

  8. Introduction Description of Keccak SHA-3 Hash Function Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ π step: permutation on lanes http://keccak.noekeon.org/ K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 7 / 27

  9. Introduction Description of Keccak SHA-3 Hash Function Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ χ step: the only nonlinear operation http://keccak.noekeon.org/ K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 8 / 27

  10. Introduction Description of Keccak SHA-3 Hash Function Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ ι step: adding constant Adding one round-dependent constant to the first ”lane”, to destroy the symmetry, usually irrelevant with cryptanalysis details. K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 9 / 27

  11. Introduction Description of Keccak SHA-3 Hash Function Keccak permutation Internal state A: a 5 × 5 array of 64-bit lanes θ step C [ x ] = A [ x , 0 ] ⊕ A [ x , 1 ] ⊕ A [ x , 2 ] ⊕ A [ x , 3 ] ⊕ A [ x , 4 ] D [ x ] = C [ x − 1 ] ⊕ ( C [ x + 1 ] ≪ 1 ) A [ x , y ] = A [ x , y ] ⊕ D [ x ] ρ step A [ x , y ] = a [ x , y ] ≪ r [ x , y ] - The constants r [ x , y ] are the rotation offsets. π step B [ y , 2 ∗ x + 3 ∗ y ] = A [ x , y ] χ step A [ x , y ] = B [ x , y ] ⊕ (( B [ x + 1 , y ])& B [ x + 2 , y ]) ι step A [ 0 , 0 ] = A [ 0 , 0 ] ⊕ RC - RC [ i ] are the round constants. The only non-linear operation is χ step. K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 10 / 27

  12. Introduction Previous Work and Our Contribution Previous Work and Our Contribution Collision attacks on round-reduced Keccak Practical Results: 3-round Keccak -384 (Dinur et al., FSE2013) 3-round Keccak -512 (Dinur et al., FSE2013) 4-round Keccak -224 (Dinur et al., FSE2012) 4-round Keccak -256 (Dinur et al., FSE2012) Theoretical results: 4-round Keccak -384: 2 147 (Dinur et al., FSE2013) 5-round Keccak -256: 2 115 (Dinur et al., FSE2013) K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 11 / 27

  13. Introduction Previous Work and Our Contribution Previous Work and Our Contribution Collision attacks on round-reduced Keccak Practical Results: 3-round Keccak -384 (Dinur et al., FSE2013) 3-round Keccak -512 (Dinur et al., FSE2013) 4-round Keccak -224 (Dinur et al., FSE2012) 4-round Keccak -256 (Dinur et al., FSE2012) 5-round SHAKE128 – a member in SHA-3 (This) 5-round Keccak [ r = 1440 , c = 160 , d = 160 ] (This) 5-round Keccak [ r = 640 , c = 160 , d = 160 ] (This) Theoretical results: 4-round Keccak -384: 2 147 (Dinur et al., FSE2013) 5-round Keccak -256: 2 115 (Dinur et al., FSE2013) 5-round Keccak -224: 2 101 (This) 6-round Keccak [ r = 1440 , c = 160 , d = 160 ] : 2 70 . 24 (This) K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 11 / 27

  14. Introduction Main Idea Main Idea An extended algebraic and differential hybrid method: S-box linearization in affine subspaces 1 A dedicated strategy for searching differential trails 2 K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 12 / 27

  15. Overview of Collision Attack Outline Introduction 1 Overview of Collision Attack 2 Overview of 5-round collision attack S-box linearization and affine subspaces A connector covering two rounds Search for Differential Trails 3 Results 4 Future work 5 K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 13 / 27

  16. Overview of Collision Attack Overview of 5-round collision attack Overview of 5-round collision attack ∆ S I ∆ S O d r c diff diff 3-round differential value value 2-round connector 3-round differential: ∆ S I → ∆ S O 2-round connector: linking ∆ S I with the initial value by linear systems Find ( M , M ′ ) s s.t. ( R i : i iterations of R ) R 2 ( M || 0 c ) + R 2 ( M ′ || 0 c ) = ∆ S I , E ∆ – solution is the difference of two messages E M – solution space is the message/searching space K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 13 / 27

  17. Overview of Collision Attack Overview of 5-round collision attack Property of Keccak S-box Given ( δ in , δ out ) , V = { x : S ( x ) + S ( x + δ in ) = δ out } an affine 1 subspace. Given δ out , { δ in : DDT ( δ in , δ out ) > 0 } contains at least five 2 2-dimensional affine subspaces. K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 14 / 27

  18. Overview of Collision Attack Overview of 5-round collision attack 1-round connector α 1 (∆ S I ) α 0 β 0 χ L Dinur et al. ’s target difference algorithm: find ( M , M ′ ) s s.t. R 1 ( M || 0 c ) + R 1 ( M ′ || 0 c ) = ∆ S I Difference phase : find exact input difference β 0 to the χ layer For each active S-box, choose an affine subspace with 4 potential input differences A more flexible approach Value phase : obtain the actual message pairs that lead to the target difference ∆ S I - Given β 0 , the value phase reduces to solving linear equations. K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 15 / 27

  19. Overview of Collision Attack Overview of 5-round collision attack Extension the 1-round connector to 2-round 1-round connector 2-round connector α 1 (∆ S I ) α 2 (∆ S I ) α 0 β 0 α 0 β 0 α 1 β 1 ? −→ χ χ χ L L L K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 16 / 27

  20. Overview of Collision Attack S-box linearization and affine subspaces S-box linearization Definition (Linearizable affine subspace, LAS) Linearizable affine subspaces are affine input subspaces on which S-box substitution is equivalent to a linear transformation. If V is a linearizable affine subspace of an S-box operation S ( · ) , ∀ x ∈ V , S ( x ) = A · x + b , where A is a matrix and b is a constant vector. Example (Linearizable affine subspace) V = { 00000 , 00001 , 00100 , 00101 } , S ( V ) = { 00000 , 01001 , 00101 , 01100 } , S-box is equivalent to linear transformation  1 0 1 0 0        0 1 0 0 0           y =  0 0 1 0 0  · x .           1 0 0 1 0           0 0 0 0 1   K. Qiao, L. Song, M. Liu, J. Guo New Collision Attacks on Round-Reduced Keccak Paris, France Eurocrypt 2017 17 / 27

Recommend

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work

Algebraic Cryptanalysis of Round-Reduced Keccak with Linear Structures Meicheng Liu joint work with Jian Guo and Ling Song ASK 2016, September 2016 1/45 Outline Introduction SHA-3 hash function Specifications of Keccak Main Results

913 views • 65 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work

Linear Structures: Applications to Cryptanalysis of Round-Reduced Keccak Meicheng Liu joint work with Jian Guo and Ling Song Asiacrypt 2016 1/28 Outline Introduction SHA-3 hash function Linear Structures Linear structures of Keccak-f

474 views • 43 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128 Florian Mendel 1 , Tomislav

Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128 Florian Mendel 1 , Tomislav

Collision Attacks on the Reduced Dual-Stream Hash Function RIPEMD-128 Florian Mendel 1 , Tomislav Nad 2 , Martin Schl affer 2 Katholieke Universiteit Leuven, ESAT/COSIC and IBBT, Belgium Graz University of Technology, IAIK, Austria FSE 2012

650 views • 34 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Introduction Demirci and Sel cuk Attack Differential Enumeration Technique Conclusion Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez 1 Pierre-Alain Fouque 1 , 2 Ecole Normale Sup

1.25k views • 60 slides
Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Introduction Algebraic Structure Automated Tools Conclusion Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick Derbez Pierre-Alain Fouque ENS, CNRS, INRIA Cascade August 15, 2011 Introduction

576 views • 40 slides
Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson,

Cube Testers and Key-Recovery Attacks on Reduced-Round MD6 and Trivium Jean-Philippe Aumasson, Itai Dinur, Willi Meier, Adi Shamir 1 / 27 Cube attacks 2 / 27 Timeline Aug 08 : Shamir presents cube attacks at CRYPTO Sep 08 : Dinur/Shamir paper

515 views • 27 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides
Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK

Conditional Cube Attacks on Keccak - p Based Constructions Ling Song, Jian Guo, Danping Shi ASK 2017 @ Changsha, China L. Song, J. Guo, D. Shi Conditional Cube Attacks on Keccak - p Based Constructions ASK 2017 1 / 30 Outlines 1 Keccak 2

614 views • 45 slides
Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 1 / 20

370 views • 33 slides
Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido

Keccak From: 1.The Keccak reference 2. Keccak and the SHA-3 Standardization written by ! Guido Bertoni (STMicroelectronics) , ! Joan Daemen (STMicroelectronics) , ! Michal Peeters (NXP Semiconductors) , ! Gilles Van Assche

488 views • 26 slides
New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu

New Techniques for Searching Di ff erential Trails in Keccak Guozhen Liu, Weidong Qiu, Yi Tu Nanyang Technological University, Singapore Shanghai Jiao Tong University, China 3-Round Di ff erential Trail Core Search of Keccak Permutation 1 / 21

392 views • 21 slides
New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song,

New MILP Modeling: Improved Conditional Cube Attacks on Keccak-Based Constructions Ling Song, Jian Guo, Danping Shi, San Ling 4 Dec 2018 @ Brisbane, Australia Song et al. Improved Conditional Cube Attacks on Keccak-Based Constructions 1 / 25

930 views • 44 slides
Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder Florian Mendel Martin Schl affer IAIK, Graz University of Technology, Austria FSE 2014 Practical Collisions for Round-Reduced Hash Functions

602 views • 23 slides
Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping

Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping

Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping Shi and San Ling 10 October, 2018 @ Milano, Italy Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 1 / 41 Outlines 1

603 views • 59 slides
Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1

Single-Trace Attacks on Keccak Matthias J. Kannwischer 1 , Peter Pessl 2 , Robert Primas 3 1 Radboud University, Nijmegen 2 Graz University of Technology (now with Infineon Technologies) 3 Graz University of Technology Side-Channel Attacks on Hash

569 views • 39 slides
Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE http://sloth-attack.org Karthikeyan Bhargavan Gatan Leurent Crypto protocols and applications evolve Agility: graceful transition from old to new

228 views • 18 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
5 Rounds of SHA-3 Using Generalized Internal Differentials Itai Dinur 1 , Orr Dunkelman 1,2 and

5 Rounds of SHA-3 Using Generalized Internal Differentials Itai Dinur 1 , Orr Dunkelman 1,2 and

Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials Itai Dinur 1 , Orr Dunkelman 1,2 and Adi Shamir 1 1 The Weizmann Institute, Israel 2 University of Haifa, Israel Keccak (Bertoni, Daemen, Peeters and Van

496 views • 30 slides

More recommend