SKLOIS, State Key Laboratory of Information Security
(Pseudo) Preimage Attack on Reduced-Round Grøstl Hash Function and Others
Shuang Wu, Dengguo Feng, Wenling Wu, Jian Guo, Le Dong, Jian Zou
March 20, 2012
Institute of Software, Chinese Academy of Sciences; Institute for Infocomm Research, Singapore

Outline
- Introduction
- Attack on Grøstl
- Other results
- Conclusion
State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences
Introduction: Meet-in-the-Middle preimage attacks
- Applied to full MD4, MD5, HAVAL-3/4, Tiger and to reduced-round HAS-160, RIPEMD, SHA-0/1, SHA-2, etc.
- Tricks:
  - Splice-and-cut techniques
  - Bicliques, initial structure (message stealing), local collision
  - Partial matching (relations between deterministic values)

Introduction: Meet-in-the-Middle preimage attacks
- Yu Sasaki proposed the MitM preimage attack on AES-like structures for the first time at FSE 2011
- Targets: Whirlpool and the AES hashing modes
- Uses the freedom degrees of the state for chunk separation
Pseudo-Preimage Attack on 5-round Grøstl-256: Specification of the Grøstl hash function
- Wide-pipe MD structure with an output transformation
- Permutations P and Q are AES-like structures with 8 × 8 states (Grøstl-256) and 8 × 16 states (Grøstl-512)
- 10 rounds for Grøstl-256 and 14 rounds for Grøstl-512
[Figure: compression function with M fed through Q and H_{i-1} through P to produce H_i; output transformation applies P to the final state X]

Pseudo-Preimage Attack on 5-round Grøstl-256: Properties of the compression function
- 2n-bit state, $f(H, M) = P(H \oplus M) \oplus Q(M) \oplus H$
- With $H' = H \oplus M$: $f(H, M) = P(H') \oplus H' \oplus Q(M) \oplus M$
- Bounds for generic attacks
  - Preimage attack: $2^n$. Solve $P(H') \oplus H' \oplus Q(M) \oplus M = T$ by a birthday attack on the 2n-bit state
  - Collision attack: $2^{2n/3}$. Solve $P(H_1') \oplus H_1' \oplus Q(M_1) \oplus M_1 \oplus P(H_2') \oplus H_2' \oplus Q(M_2) \oplus M_2 = 0$ by a generalized birthday attack on the 2n-bit state with four entries
[Figure: compression function diagram with M, Q, H_{i-1}, P and H_i]
Outline of the attack
Pseudo-Preimage Attack on 5-round Grøstl-256: Attack outline
- Pseudo-preimage (H, M): $f(H, M) = X$ and $P(X) \oplus X = * \,\|\, T$
- X is a preimage of the output transformation
- With $H' = H \oplus M$: $P(H') \oplus H' \oplus Q(M) \oplus M \oplus X = 0$
[Figure: M through Q and H through P give X; X through P gives the truncated output T]

Pseudo-Preimage Attack on 5-round Grøstl-256: How to convert partial preimages of $P(X) \oplus X$ into a pseudo-preimage of the hash function
- Equation to satisfy: $P(H') \oplus H' \oplus Q(M) \oplus M \oplus X = 0$
- Three lists: $2^{x_3}$ values of $H'$ for which b chosen bits of $P(H') \oplus H'$ are zero and the other 2n-b bits are unknown; $2^{x_2}$ values of $Q(M) \oplus M$ (2n bits); $2^{x_1}$ values of X (2n bits)
- Lookup table 1 matches the b chosen bits between the X and M lists: $2^{x_1 + x_2 - b}$ candidate pairs survive
- Lookup table 2 matches the remaining 2n-b bits against the H' list: $2^{x_1 + x_2 + x_3 - 2n}$ solutions remain
- Need $2^{x_1 + x_2 + x_3 - 2n} \ge 1 \Rightarrow x_1 + x_2 + x_3 \ge 2n$

Pseudo-Preimage Attack on 5-round Grøstl-256: Complexity evaluation
- X: fixed-position partial preimage (n bits) of $P(X) \oplus X$. Let the complexity to find one X be $2^{C_1(2n, n)}$
- M: randomly chosen message with padding. Complexity: one Q call = 1/2 compression function call
- H': chosen-position partial preimage (b bits) of $P(H') \oplus H'$. Let the complexity to find one H' be $2^{C_2(2n, b)}$

Pseudo-Preimage Attack on 5-round Grøstl-256: Overall complexity of the attack is
$2^{x_1 + C_1(2n, n)} + 2^{x_3 + C_2(2n, b)} + 2^{x_2 - 1} + 2^{x_1 + x_2 - b} \cdot C_{TT}$
[Figure: the three-list diagram again, annotated with the cost of each stage: $2^{x_1 + C_1(2n, n)}$ for the X list, $2^{x_3 + C_2(2n, b)}$ for the H' list, $2^{x_2 - 1}(1 + C_{TT})$ for the M list, $2^{x_1 + x_2 - b} \cdot C_{TT}$ for the lookups after table 1, and $2^{x_1 + x_2 + x_3 - 2n}$ solutions after table 2]
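As an added toy-scale illustration of the three-list matching described above (slides 10 to 12), and not code from the paper or from the Grøstl reference implementation, the following Python replaces P and Q with constructed random permutations on a 16-bit state (n = 8), builds the three lists by brute force, and performs the two table lookups. The list sizes, b = 4, and the choice of the low b bits as the "chosen positions" are assumptions made for the toy.

```python
import random

N = 8                     # toy n (digest bits); Grøstl-256 has n = 256
W = 2 * N                 # 2n-bit state
B = 4                     # b: number of chosen-position bits forced to zero in the H' list
LOW_B = (1 << B) - 1      # toy "chosen positions": the low b bits (assumption)
LOW_N = (1 << N) - 1      # toy truncation of the output transformation: the low n bits

# Constructed toy permutations P and Q on 2n bits, stand-ins for Grøstl's AES-like P and Q.
_rng = random.Random(2012)
_P = list(range(1 << W)); _rng.shuffle(_P)
_Q = list(range(1 << W)); _rng.shuffle(_Q)

def compress(h, m):
    """Grøstl compression function f(H, M) = P(H xor M) xor Q(M) xor H."""
    return _P[h ^ m] ^ _Q[m] ^ h

def output_transform(x):
    """Output transformation: P(X) xor X truncated to n bits."""
    return (_P[x] ^ x) & LOW_N

def pseudo_preimage(t, x1, x2, x3):
    """Return (solutions, table2_lookups); every solution (H, M) satisfies output_transform(f(H, M)) == t."""
    # List 1: 2^x1 values X with P(X) xor X = * || T (fixed-position n-bit partial preimage).
    xs = [x for x in range(1 << W) if output_transform(x) == t][:1 << x1]
    # List 2: 2^x2 random messages M, indexed by the b chosen bits of Q(M) xor M (lookup table 1).
    table1 = {}
    for m in _rng.sample(range(1 << W), 1 << x2):
        table1.setdefault((_Q[m] ^ m) & LOW_B, []).append(m)
    # List 3: 2^x3 values H' whose b chosen bits of P(H') xor H' are zero, keyed on the full value (lookup table 2).
    hs = [h for h in range(1 << W) if (_P[h] ^ h) & LOW_B == 0][:1 << x3]
    table2 = {_P[h] ^ h: h for h in hs}
    solutions, lookups = [], 0
    for x in xs:
        # Table 1 keeps only the (X, M) pairs whose b chosen bits of Q(M) xor M xor X are zero,
        # so about 2^(x1 + x2 - b) pairs reach table 2.
        for m in table1.get(x & LOW_B, []):
            lookups += 1
            h = table2.get(_Q[m] ^ m ^ x)   # need P(H') xor H' = Q(M) xor M xor X on the other 2n-b bits
            if h is not None:
                solutions.append((h ^ m, m))  # H = H' xor M
    return solutions, lookups
```

With x1 = x2 = 7 and x3 = 6, the exponent x1 + x2 + x3 - 2n = 4 predicts about 16 solutions and about 2^10 table-2 lookups.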
Partial preimage attacks on $P(X) \oplus X$
Pseudo-Preimage Attack on 5-round Grøstl-256: Evaluation of $C_1(2n, n)$ (fixed-position partial preimage)
- Freedom degrees in the blue and red bytes: 64 and 48 bits
- Size of the matching point: 64 bits
- Size of the full match: 256 bits
- Complexity: $2^{207}$ P(X) calls = $2^{206}$ compression function calls

Pseudo-Preimage Attack on 5-round Grøstl-256: Evaluation of $C_2(2n, b)$ (chosen-position partial preimage)
- Note: we can choose the positions of the target zero bits
- Choose optimal positions to maximize the size of the matching point

Pseudo-Preimage Attack on 5-round Grøstl-256: Graphs of $m(b)$ and $C_2(2n, b)$ for different b (Grøstl-256)
[Figure: plots of m(b) and C_2(2n, b) against b for Grøstl-256]

Pseudo-Preimage Attack on 5-round Grøstl-256: Overall complexity of the pseudo-preimage attack on 5-round Grøstl-256
- When b = 35, the overall complexity reaches its minimum value $2^{244.85}$
Results on Grøstl-512

Pseudo-Preimage Attack on 8-round Grøstl-512: Preimage attack on the output transformation
Summary of results

Algorithm  | Target                | Type                      | Rounds | Time       | Memory     | Source
Grøstl-256 | Hash Function         | Collision                 | 3      | 2^64       | -          | Martin Schläffer
Grøstl-256 | Compression Function  | Semi-Free-Start Collision | 6      | 2^112      | 2^64       | Martin Schläffer
Grøstl-256 | Permutation           | Distinguisher             | 9      | 2^368      | 2^64       | Jérémy Jean et al.
Grøstl-256 | Permutation           | Zero-Sum Distinguisher    | 10     | 2^509      | -          | Christina Boura et al.
Grøstl-256 | Output Transformation | Preimage                  | 5      | 2^206      | 2^48       | Ours
Grøstl-256 | Hash Function         | Pseudo Preimage           | 5      | 2^244.85   | 2^230.13   | Ours
Grøstl-512 | Hash Function         | Collision                 | 3      | 2^192      | -          | Martin Schläffer
Grøstl-512 | Compression Function  | Semi-Free-Start Collision | 7      | 2^152      | 2^56       | Yu Sasaki
Grøstl-512 | Permutation           | Distinguisher             | 10     | 2^392      | 2^64       | Jérémy Jean et al.
Grøstl-512 | Output Transformation | Preimage                  | 8      | 2^495      | 2^16       | Ours
Grøstl-512 | Hash Function         | Pseudo Preimage           | 8      | 2^507.32   | 2^507.00   | Ours