Practical attacks on AES-like cryptographic hash functions
Stefan Kölbl, Christian Rechberger
DTU - Technical University of Denmark
September 12, 2014
Cryptographic Hash Functions
h(“Today is the 12th of September...”) = 4981A99EDA782
h(“Today is the 13th of September...”) = 11F9C8023AB0A
(a one-character change in the message gives an unrelated digest)
Cryptographic Hash Functions
Applications:
◮ Message Integrity
◮ Digital Signature Schemes
◮ Password Protection
◮ Key Derivation
◮ Payment Schemes (Bitcoin)
◮ ...
Features:
◮ No secret parameter is involved.
◮ Fast to compute.
Cryptographic Hash Functions
Security Requirements
◮ Preimage Resistance: Given h(x), find x.
◮ Second-Preimage Resistance: Given x, h(x), find y ≠ x s.t. h(x) = h(y).
◮ Collision Resistance: Find x, y with x ≠ y s.t. h(x) = h(y).
Generic Attack
Complexity 2^n for (second) preimage and 2^(n/2) for collisions, where n is the digest length in bits.
Cryptographic Hash Functions
Security Properties
[Figure: the hash function maps the initial value IV and the message M to the digest h.]
Cryptographic Hash Functions
Security Properties
[Figure: iterated construction; the message blocks m_0, m_1, ..., m_n are processed one by one by the compression function f, starting from IV, through the chaining values x_1, ..., x_n, ending in the digest h.]
Analyze the collision resistance of the compression function f
◮ semi-free-start collision: Find {m_i, m'_i, x_i} s.t. f(m_i, x_i) = f(m'_i, x_i)
◮ free-start collision: Find {m_i, m'_i, x_i, x'_i} s.t. f(m_i, x_i) = f(m'_i, x'_i)
AES-based hash functions
Compression functions based on AES are common
◮ Whirlpool (ISO/IEC 10118-3)
◮ Maelstrom
◮ Whirlwind
◮ Streebog (GOST R 34.11-2012)
◮ SHA-3 Competition
  ◮ Grøstl
  ◮ ECHO
  ◮ LANE
GOST R 34.11-2012
Compression Function
[Figure: the chaining value h_i passes through the S, P, L layers to key the block cipher E, which processes the message block m_i; the result yields the next chaining value h_{i+1}.]
GOST R 34.11-2012
Block Cipher E with 12 rounds of
◮ AK: Adds the key byte-wise by XORing it to the state.
◮ S: Substitutes each byte of the state independently using an 8-bit S-Box.
◮ P: Transposes the state.
◮ L: Multiplies each row by an 8 × 8 MDS matrix.
[Figure: one round of the state, labelled L_0 → AK_1 → S_1 → P_1 → L_1, with round key K_1 entering at AK.]
Related Work
Overview of practical attacks on the compression function

Function   Rounds  Time     Memory  Type                      Reference
GOST R     4.5     2^64     2^16    collision                 [WYW13]
GOST R     4.75    2^8      –       practical near-collision  [AKY13]
GOST R     4       2^19.8   2^16    collision                 this work
GOST R     4.5     2^19.8   2^16    collision                 this work
GOST R     5.5     2^64     2^64    collision                 [WYW13]
GOST R     6.5     2^64     2^16    collision                 this work
Whirlpool  4       2^25.1   2^16    collision                 this work
Whirlpool  6.5     2^25.1   2^16    near-collision            this work
Whirlpool  4       2^8      2^8     collision (1)             [WYW13]
Whirlpool  7       2^64     2^8     collision (1)             [SWWW12]

(1) free-start collision
Differential Cryptanalysis
[Figure: a pair of inputs (x, x*) with difference ∆x is mapped by h to outputs (y, y*) with difference ∆y.]
◮ ∆x ≠ 0 and ∆y = 0 gives a collision.
◮ Find a differential characteristic leading to zero output difference.
◮ Find a confirming message pair.
Rebound Attacks
Powerful technique for analysis of hash functions [MRST09]
[Figure: four rounds AK_0 ... AK_4 with their S, P, L layers; the middle rounds form the inbound phase, the rounds before and after form the two outbound phases.]
Two parts:
◮ Inbound phase: Match-in-the-middle
◮ Outbound phase: Probabilistic
Many improvements over the last few years...
Finding the characteristic
Technique similar to start-from-the-middle
[Figure: the same four-round trail AK_0 ... AK_4, with the three steps below marked on it.]
1. Propagate difference from AK_4 to S_2.
2. Choose differences in AK_2 to ensure 64–8 by using freedom of S-Box.
3. Solve 8–1 by swapping values (a, b) ↔ (b, a).
Complexity
Finding the characteristic: 2^19.8
Finding the message pair
We need to fulfill conditions on 81 bytes.
[Figure: four-round trail AK_0 ... AK_4 with S, P, L layers.]
◮ First we fix the values of AK_2 such that S_2 = S(AK_2).
◮ This solves 64 byte conditions but uses all degrees of freedom we have for the state.
Finding the message pair
We need to fulfill conditions on 81 bytes.
[Figure: four-round trail AK_0 ... AK_4 with S, P, L layers.]
◮ How to solve the conditions for AK_1 = S(S_1)...
Finding the message pair
[Figure: rounds 1 and 2 of the state (AK_1, S_1, P_1, L_1 and AK_2, S_2, P_2, L_2) next to the key schedule (AC, S, P, L) that produces the round keys K_1 and K_2.]
Finding the message pair
We need to fulfill conditions on 81 bytes.
[Figure: four-round trail AK_0 ... AK_4 with S, P, L layers.]
◮ How to solve the conditions for AK_3 = S(S_3)...
Finding the message pair
[Figure: key schedule for rounds 2 and 3: AC_2 → KS_2 → KP_2 → K_2 feeding AK_2, and AC_3 → KS_3 → KP_3 → K_3 feeding AK_3, each step being AC, S, P, L followed by AK.]
Finding the message pair
We need to fulfill conditions on 81 bytes.
[Figure: four-round trail AK_0 ... AK_4 with S, P, L layers.]
◮ One byte condition remaining in AK_1.
◮ ∆AK_0 = ∆AK_4.
Complexity
Repeat message finding procedure 2^16 times.
Attack
Summary of Attack on GOST R
◮ Finding Characteristic: 2^19.8
◮ Finding Message Pair: 2^16
Costs depend on properties of the S-Box (MDP = maximum differential probability)

S-Box      MDP    ANS      #S_2      Matching Costs
AES        2^-6   127      2^55.91   2^6.42
Whirlpool  2^-5   101.49   2^53.32   2^25.10
GOST R     2^-5   107.05   2^53.94   2^19.77
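Added example (not from the slides or the authors' aeshash code): the S-box properties in the table above, and the pairing of S-box solutions (a, b) ↔ (b, a) used in step 3 of the characteristic search, can be read off the differential distribution table. The block builds the AES S-box from its GF(2^8) definition, computes its MDP (2^-6) and the average number of output differences reachable from a non-zero input difference, which comes out as 127; reading the ANS column as that average is my assumption.

```python
# Added example, not the slides' or the authors' code. Builds the AES S-box,
# its differential distribution table (DDT), and the S-box properties used in
# the cost table: MDP and average reachable output differences ("ANS", assumed).

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8), with inv(0) := 0 as in AES."""
    return 0 if a == 0 else next(b for b in range(1, 256) if gf_mul(a, b) == 1)

def aes_sbox():
    """S(x) = affine(inv(x)): XOR of five rotations of inv(x), plus 0x63."""
    box = []
    for x in range(256):
        y, s = gf_inv(x), 0x63
        for i in range(5):
            s ^= ((y << i) | (y >> (8 - i))) & 0xFF
        box.append(s)
    return box

def ddt(sbox):
    """DDT[din][dout] = number of x with S(x) ^ S(x ^ din) == dout."""
    table = [[0] * 256 for _ in range(256)]
    for din in range(256):
        for x in range(256):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table

def sbox_properties(sbox):
    """Return (MDP, average number of reachable dout) over non-zero din."""
    rows = ddt(sbox)[1:]                      # drop the trivial din = 0 row
    max_count = max(max(r) for r in rows)     # 4 for AES, i.e. MDP = 4/256 = 2^-6
    reachable = sum(sum(1 for c in r if c) for r in rows) / len(rows)
    return max_count / 256, reachable

def differential_solutions(sbox, din, dout):
    """All x with S(x) ^ S(x ^ din) == dout; solutions pair up as {x, x ^ din}."""
    return sorted(x for x in range(256) if sbox[x] ^ sbox[x ^ din] == dout)
```

For the Whirlpool or GOST R S-box the same functions apply once the 256-entry table is supplied; the pairing {x, x ^ din} is what makes the swap in step 3 of the characteristic search free.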
Conclusion

Function   Rounds  Time     Memory  Type
GOST R     4       2^19.8   2^16    collision
GOST R     4.5     2^19.8   2^16    collision
GOST R     6.5     2^64     2^16    collision
Whirlpool  4       2^25.1   2^16    collision
Whirlpool  6.5     2^25.1   2^16    near-collision

◮ Technique could be used to fulfill more conditions
◮ Application on other designs
◮ https://github.com/kste/aeshash
Thank you for your attention!
References
[AKY13] Riham AlTawy, Aleksandar Kircanski, and Amr M. Youssef, Rebound Attacks on Stribog, Cryptology ePrint Archive, Report 2013/539, 2013, http://eprint.iacr.org/.
Mario Lamberger, Florian Mendel, Martin Schläffer, Christian Rechberger, and Vincent Rijmen, The Rebound Attack and Subspace Distinguishers: Application to Whirlpool, Journal of Cryptology (2013), 1–40.
[MRST09] Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen, The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl, FSE 2009 (Orr Dunkelman, ed.), Lecture Notes in Computer Science, vol. 5665, Springer, 2009, pp. 260–276.
[SWWW12] Yu Sasaki, Lei Wang, Shuang Wu, and Wenling Wu, Investigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision Attacks, Lecture Notes in Computer Science, vol. 7658, Springer Berlin Heidelberg, 2012, pp. 562–579.
[WYW13] Zongyue Wang, Hongbo Yu, and Xiaoyun Wang, Cryptanalysis of GOST R Hash Function, Cryptology ePrint Archive, Report 2013/584, 2013, http://eprint.iacr.org/.