pseudo preimage attack on reduced round gr stl hash
play

(Pseudo) Preimage Attack on Reduced-Round Grstl Hash Function and - PowerPoint PPT Presentation

SKLOIS (Pseudo) Preimage Attack on Reduced-Round Grstl Hash Function and Others Shuang Wu, Dengguo Feng, Wenling Wu, Jian Guo, Le Dong, Jian Zou March 20, 2012 Institute for


  1. SKLOIS 信息安全国家重点实验室 (Pseudo) Preimage Attack on Reduced-Round Grøstl Hash Function and Others Shuang Wu, Dengguo Feng, Wenling Wu, Jian Guo, Le Dong, Jian Zou March 20, 2012 中国科学院软件研究所 Institute for Infocomm Research, Singapore Institute of Software, Chinese Academy of Sciences .

  2. Outline Introduction Attack on Gr ø stl Other results Conclusion 信息安全国家重点实验室 中国科学院软件研究所 2 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  3. Introduction Meet-in-the-Middle pre-image attacks  Applied to full MD4, MD5,HAVAL-3/4,Tiger and reduced-round HAS-160, RIPEMD, SHA-0/1, SHA-2 etc.  Tricks:  Splice and Cut Techniques  Bicliques, Initial Structure (Message Stealing), local collision  Partial-Matching (Relations between deterministic values) 信息安全国家重点实验室 中国科学院软件研究所 3 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  4. Introduction Meet-in-the-Middle pre-image attacks  Yu Sasaki proposed the MitM preimage attack on AES- like structures for the first time at FSE 2011  Target: Whirlpool and AES hash modes  Use freedom degrees of the state for chunk separation 信息安全国家重点实验室 中国科学院软件研究所 4 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  5. Outline Introduction Attack on Gr ø stl Other results Conclusion 信息安全国家重点实验室 中国科学院软件研究所 5 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  6. Pseudo-Preimage Attack on 5-round Grøstl-256 Specification of Grøstl hash function  Wide-pipe MD structure with output transformation  Permutations P and Q are AES-like structures with 8 × 8 states(Grøstl-256) and 8 × 16 states(Grøstl-512)  10 rounds for Grøstl-256 and 14 rounds for Grøstl-512 M Q H i-1 P H i X P 信息安全国家重点实验室 中国科学院软件研究所 6 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  7. Pseudo-Preimage Attack on 5-round Grøstl-256 Properties of the compression function  2n-bit state, 𝐺 𝐼 , 𝑁 = 𝑄 𝐼 ⊕ 𝑁 ⊕ 𝑅 𝑁 ⊕ 𝐼  With 𝐼 ′ = 𝐼 ⊕ 𝑁 , 𝐺 𝐼′ , 𝑁 = 𝑄 𝐼′ ⊕ 𝐼 ′ ⊕ 𝑅 𝑁 ⊕ 𝑁  Bounds for generic attacks  Pre-image attack: 2 𝑜 • 𝑄 𝐼′ ⊕ 𝐼 ′ ⊕ 𝑅 𝑁 ⊕ 𝑁 = 𝑈 • birthday attack on 2n-bit state 2𝑜  Collision attack: 2 3 ′ ⊕ 𝐼 1 ′ ⊕ 𝑅 𝑁 1 ⊕ 𝑁 1 ⊕ 𝑄 𝐼 2 ′ ⊕ 𝐼 2 ′ ⊕ 𝑅 𝑁 2 ⊕ 𝑁 2 = 0 • 𝑄 𝐼 1 • generalized birthday attack on 2n-bit state with four entries M Q H i H i-1 P 信息安全国家重点实验室 中国科学院软件研究所 7 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  8. Outline of the attack 信息安全国家重点实验室 中国科学院软件研究所 8 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  9. Pseudo-Preimage Attack on 5-round Grøstl-256 Attack outline  Pseudo pre-image (H,M)  𝐺 𝐼 , 𝑁 = 𝑌 , 𝑄 𝑌 ⊕ 𝑌 = ∗ || 𝑈  X is a pre-image of the output transformation  With 𝐼 ′ = 𝐼 ⊕ 𝑁 , 𝑄 𝐼 ′ ⊕ 𝐼 ′ ⊕ 𝑅 𝑁 ⊕ 𝑁 ⊕ 𝑌 = 0 M Q X X H P P T 信息安全国家重点实验室 中国科学院软件研究所 9 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  10. Pseudo-Preimage Attack on 5-round Grøstl-256 How to convert the partial pre-images of 𝑄 𝑌 ⊕ 𝑌 into pseudo pre-image of the hash function 𝑄 𝐼 ′ ⊕ 𝐼 ′ ⊕ ⊕ = 0 𝑅 𝑁 ⊕ 𝑁 𝑌 2 𝑦 3 × 2 𝑦 2 × 2 𝑦 1 × b 2n-b 2n 2n Lookup table 1 Lookup table 2 2 𝑦 1 +𝑦 2 −𝑐 × b 2n-b 2 𝑦 1 +𝑦 2 +𝑦 3 −2𝑜 ≥ 1 ⇒ 𝑦 1 + 𝑦 2 + 𝑦 3 ≥ 2𝑜 zero 2 𝑦 1 +𝑦 2 +𝑦 3 −2𝑜 × 2n unknown 信息安全国家重点实验室 中国科学院软件研究所 10 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  11. Pseudo-Preimage Attack on 5-round Grøstl-256 Complexity evaluation  X: Fixed position partial preimage (n-bit) of 𝑄 𝑌 ⊕ 𝑌  Let complexity to find one X be 2 𝐷 1 ( 2𝑜 , 𝑜 )  M: Randomly chosen message with padding  Complexity=one Q call=1/2 compression function call  H’: Chosen position partial preimage (b-bit) of 𝑄 𝐼 ′ ⊕ 𝐼 ′  Let complexity to find one H’ be 2 𝐷 2 ( 2𝑜 , 𝑐 ) 信息安全国家重点实验室 中国科学院软件研究所 11 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  12. Pseudo-Preimage Attack on 5-round Grøstl-256 Overall complexity of the attack is 2 𝑦 1 +𝐷 1 ( 2𝑜 , 𝑜 ) + 2 𝑦 3 +𝐷 2 ( 2𝑜 , 𝑐 ) + 2 𝑦 2 −1 + 2 𝑦 1 +𝑦 2 −𝑐 𝐷 𝑈𝑈 2 𝑦 2 −1 (1 + 𝐷 𝑈𝑈 ) 𝑄 𝐼 ′ ⊕ 𝐼 ′ ⊕ ⊕ = 0 𝑅 𝑁 ⊕ 𝑁 𝑌 2 𝑦 3 × 2 𝑦 2 × 2 𝑦 1 × b 2n-b 2n 2n 2 𝑦 1 +𝐷 1 ( 2𝑜 , 𝑜 ) 2 𝑦 3 +𝐷 2 ( 2𝑜 , 𝑐 ) Lookup table 1 Lookup table 2 2 𝑦 1 +𝑦 2 −𝑐 × b 2n-b 2 𝑦 1 +𝑦 2 −𝑐 𝐷 𝑈𝑈 2 𝑦 1 +𝑦 2 +𝑦 3 −2𝑜 × 2n 信息安全国家重点实验室 中国科学院软件研究所 12 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  13. Partial preimage attacks on 𝑄 𝑌 ⊕ 𝑌 信息安全国家重点实验室 中国科学院软件研究所 13 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  14. Pseudo-Preimage Attack on 5-round Grøstl-256 Evaluation of 𝐷 1 ( 2𝑜 , 𝑜 ) (fixed position partial preimage)  Freedom degrees in blue and red bytes: 64 and 48 bits  Size of the matching point: 64 bits  Size of the full match: 256 bits  Complexity: 2 207 P(X) calls = 2 206 compression function calls 信息安全国家重点实验室 中国科学院软件研究所 14 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  15. Pseudo-Preimage Attack on 5-round Grøstl-256 Evaluation of 𝐷 2 ( 2𝑜 , 𝑐 ) (chosen position partial preimage)  Note: we can choose the positions of the target zero bits  Choose optimal positions to maximize the size of the matching point 信息安全国家重点实验室 中国科学院软件研究所 15 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  16. Pseudo-Preimage Attack on 5-round Grøstl-256 Graphs of 𝑛 ( 𝑐 ) and 𝐷 2 ( 2𝑜 , 𝑐 ) for different b Grøstl-256 信息安全国家重点实验室 中国科学院软件研究所 16 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  17. Pseudo-Preimage Attack on 5-round Grøstl-256 Overall complexity of pseudo-preimage attack on 5-round Grøstl-256  When 𝑐 = 35 , the overall complexity reaches its minimum value 2 244 . 85 信息安全国家重点实验室 中国科学院软件研究所 17 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  18. Results on Grøstl-512 信息安全国家重点实验室 中国科学院软件研究所 18 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  19. Pseudo-Preimage Attack on 8-round Grøstl-512 Preimage attack on the output transformation 信息安全国家重点实验室 中国科学院软件研究所 19 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  20. Summary of results Algorithm Target Type Rounds Time Memory Source Martin 2 64 - Hash Function Collision 3 Schlæffer Compression Semi-Free-Start Martin 2 112 2 64 6 Function Collision Schlæffer Jérémy 2 368 2 64 Permutation Distinguisher 9 Jean et al. Grøstl-256 Zero-Sum Christina 2 509 - Permutation 10 Distinguisher Boura et al. Output 2 206 2 48 Preimage 5 Ours Transformation Pseudo 2 244 . 85 2 230 . 13 Hash Function 5 Ours Preimage Martin 2 192 - Hash Function Collision 3 Schlæffer Compression Semi-Free-Start 2 152 2 56 7 Yu Sasaki Function Collision Jérémy 2 392 2 64 Grøstl-512 Permutation Distinguisher 10 Jean et al. Output 2 495 2 16 Preimage 8 Ours Transformation Pseudo 2 507 . 32 2 507 . 00 Hash Function 8 Ours Preimage 信息安全国家重点实验室 中国科学院软件研究所 20 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

  21. Outline Introduction Attack on Gr ø stl Other results Conclusion 信息安全国家重点实验室 中国科学院软件研究所 21 Institute of Software, Chinese Academy of Sciences The State Key Laboratory Of Information Security

Recommend


More recommend