rebound attack
play

Rebound Attack Florian Mendel Institute for Applied Information - PowerPoint PPT Presentation

Sep 23, 2023 •273 likes •1.01k views

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline Motivation 1 2 Whirlpool Hash

  1. Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/

  2. Outline Motivation 1 2 Whirlpool Hash Function Application of the Rebound Attack 3 Summary 4

  3. SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt

  4. SHA-3 competition Abacus ECHO Lesamnta SHAMATA ARIRANG ECOH Luffa SHAvite-3 AURORA Edon-R LUX SIMD BLAKE EnRUPT Maraca Skein Blender ESSENCE MCSSHA-3 Spectral Hash Blue Midnight Wish FSB MD6 StreamHash Boole Fugue MeshHash SWIFFTX Cheetah Grøstl NaSHA Tangle CHI Hamsi NKS2D TIB3 CRUNCH HASH 2X Ponic Twister CubeHash JH SANDstorm Vortex DCH Keccak Sarmal WaMM Dynamic SHA Khichidi-1 Sgàil Waterfall Dynamic SHA2 LANE Shabal ZK-Crypt

  5. The Rebound Attack [MRST09] Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl AES-based designs allow a simple application of the idea Has been applied to a wide range of hash functions Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, . . .

  6. The Rebound Attack E bw E in E fw inbound outbound outbound Applies to block cipher and permutation based designs: E = E fw ◦ E in ◦ E bw P = P fw ◦ P in ◦ P bw

  7. The Rebound Attack E bw E in E fw inbound outbound outbound Inbound phase efficient meet-in-the-middle phase in E in using available degrees of freedom Outbound phase probabilistic part in E bw and E fw repeat inbound phase if needed

  8. The Whirlpool Hash Function M 1 M 2 M 3 M t f f f f H ( m ) IV designed by Barretto and Rijmen [BR00] evaluated by NESSIE standardized by ISO/IEC 10118-3:2003 iterative, based on the Merkle-Damg˚ ard design principle message block, chaining values, hash size: 512 bit

  9. The Whirlpool Compression Function key schedule H j − 1 SB SC MR AC state update M j H j SB SC MR AK 512-bit hash value and using 512-bit message blocks Block-cipher based design (similar to AES) Miyaguchi-Preneel mode with conservative key schedule

  10. The Whirlpool Round Transformations SubBytes ShiftColumns MixRows AddRoundKey K i S(x) + The state update and the key schedule update an 8 × 8 state S and K of 64 bytes 10 rounds each AES like round transformation r i = AK ◦ MR ◦ SC ◦ SB

  11. Notations Round i C i K SB K SC K MR K i − 1 K i i i i SB SC MR AC S SB S SC S MR S i − 1 S i i i i SB SC MR AK

  12. Collision Attack on Whirlpool key schedule H j − 1 SB SC MR AC state update M j H j SB SC MR AK 1-block collision: fixed H j − 1 (to IV ) f ( M j , H j − 1 ) = f ( M ∗ j , H j − 1 ) , M j � = M ∗ j generic complexity 2 256 ( n = 512)

  13. Collision Attack on Whirlpool key schedule H j − 1 SB SC MR AC state update ∆ M j H j SB SC MR AK 1-block collision: fixed H j − 1 (to IV ) f ( M j , H j − 1 ) = f ( M ∗ j , H j − 1 ) , M j � = M ∗ j generic complexity 2 256 ( n = 512)

  14. Collision Attack on 4 Rounds K 0 K 1 K 2 K 3 K 4 SB SB SB SB IV SC SC SC SC MR MR MR MR AC AC AC AC S 0 S 3 S 1 S 2 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 → 8 → 64 → 8) maximum differential probability: ( 2 − 5 ) 81 = 2 − 405

  15. Collision Attack on 4 Rounds K 0 K 1 K 2 K 3 K 4 constant SB SB SB SB IV SC SC SC SC MR MR MR MR AC AC AC AC S 0 S 3 S 1 S 2 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 → 8 → 64 → 8) maximum differential probability: ( 2 − 5 ) 81 = 2 − 405

  16. Collision Attack on 4 Rounds K 0 K 1 K 2 K 3 K 4 constant SB SB SB SB IV SC SC SC SC MR MR MR MR AC AC AC AC S 0 S 3 S 1 S 2 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK Differential trail with minimum number of active S-boxes 81 for any 4-round trail (1 → 8 → 64 → 8) maximum differential probability: ( 2 − 5 ) 81 = 2 − 405 How to find a message pair following the differential trail?

  17. First: Use Truncated Differences S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK byte-wise truncated differences: active / not active we do not mind about actual differences single active byte at input and output is enough probabilistic in MixRows: 2 − 56 for 8 → 1 we can remove many restrictions (more freedom) hopefully less complexity of message search

  18. How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK message modification?

  19. How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK message modification? meet in the middle?

  20. How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK message modification? meet in the middle? inside out?

  21. How to Find a Message Pair? S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK message modification? meet in the middle? inside out? rebound!

  22. Rebound Attack on 4 Rounds [MRST09] S 0 S 1 S 2 S 3 S 4 SB SB SB SB M 1 SC SC SC SC H 1 MR MR MR MR AK AK AK AK outbound phase inbound phase outbound phase Inbound phase (1) start with differences in round 2 and 3 (2) match-in-the-middle at S-box using values of the state Outbound phase (3) probabilistic propagation in MixRows in round 1 and 4 (4) match one-byte difference of feed-forward

  23. Inbound Phase S SB S SC S MR S 2 2 3 3 3a c0 e6 MR SC b9 SB 5a AK MR 8c 08 c0 get values (1) Start with arbitrary differences in state S MR 3

  24. Inbound Phase S SB S SC S MR S 2 2 3 3 e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR a2 b1 63 11 96 1e 4d 04 SC b9 SB b1 60 20 f4 1e cd bf 10 5a AK MR f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences get values (1) Start with arbitrary differences in state S MR 3 linearly propagate all differences backward to S SB 3

  25. Inbound Phase S SB S SC S MR S 2 2 3 3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 MR a2 b1 63 11 96 1e 4d 04 SC b9 SB b1 60 20 f4 1e cd bf 10 5a AK MR f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences differences get values (1) Start with arbitrary differences in state S MR 3 linearly propagate all differences backward to S SB 3 linearly propagate row-wise forward from S SC to S 2 2

  26. Inbound Phase S SB S SC S MR S 2 2 3 3 ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 85 50 cc 6d 9a 49 43 c5 c0 0d cc 01 0a 70 43 e9 27 e6 ? MR a2 b1 63 11 96 1e 4d 04 SC b9 SB b1 60 20 f4 1e cd bf 10 5a AK MR f8 ed 85 b7 43 5a d5 fc 8c 16 27 51 43 15 de 2b f8 08 4d 34 96 90 f1 f8 07 5e c0 differences match differences differences get values get values (1) Start with arbitrary differences in state S MR 3 linearly propagate all differences backward to S SB 3 linearly propagate row-wise forward from S SC to S 2 2 (2) Match-in-the-middle at SubBytes layer check if differences can be connected (for each S-box) with probability 2 − xx we get 2 xx solutions for each row

  27. Match-in-the-Middle for Single S-box ∆ a Sbox ∆ b Check for matching input/output differences Sbox ( x ) ⊕ Sbox ( x ⊕ ∆ a ) = ∆ b Use Difference Distribution Table (DDT)

  28. Difference Distribution Table (Whirlpool) in \ out 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 01 0 6 2 0 0 6 2 0 0 0 4 0 0 0 0 0 02 0 0 0 0 0 0 0 2 0 0 0 0 4 0 0 0 03 0 2 2 0 2 2 0 0 2 0 0 0 0 0 0 2 04 0 0 2 2 0 4 0 0 0 2 2 2 2 0 2 0 05 0 0 0 0 0 2 0 2 0 0 0 0 0 0 4 2 06 . 4 0 2 0 0 2 0 0 2 6 2 4 0 2 2 0 . 07 . 0 2 2 0 0 2 0 0 4 0 2 0 2 0 2 0 . 08 . 0 0 0 0 2 2 2 0 0 0 0 2 2 4 4 0 . 09 8 0 0 0 2 4 2 2 0 0 0 0 0 2 0 2 0a 0 0 0 0 2 0 2 0 2 0 2 0 0 0 0 0 0b 8 2 2 2 2 0 0 0 0 2 2 2 2 2 0 4 0c 0 2 2 0 0 0 0 4 0 2 2 0 0 2 4 2 0d 0 2 2 0 0 2 4 4 0 0 2 2 0 0 0 2 0e 4 0 4 2 0 0 0 0 2 0 2 0 4 2 0 0 0f 0 2 0 0 0 2 0 0 0 0 0 0 2 0 2 2 . . . Differences can be connected if there is a non-zero entry in the table

Recommend

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and Lei Wei 3 1 Ecole Polytechnique Fdrale de Lausanne, Switzerland 2 Institute for Infocomm Research, Singapore 3 Nanyang Technological University,

783 views • 46 slides
Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and

Unaligned Rebound Attack Application to K ECCAK Alexandre Duc 1 , Jian Guo 2 , Thomas Peyrin 3 and Lei Wei 3 1 Ecole Polytechnique Fdrale de Lausanne, Switzerland 2 Institute for Infocomm Research, Singapore 3 Nanyang Technological University,

945 views • 51 slides
The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian

The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian

Technical University of Denmark - Graz University of Technology The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grstl Florian Mendel 1 , Christian Rechberger 1 , Martin Schl affer 1 , Sren S. Thomsen 2 1 Institute for Applied

556 views • 23 slides
Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline Motivation 1 2 Whirlpool Hash

562 views • 35 slides
Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa

Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa

Applications with Little or No Rebound Digitalization and the Rebound Effect HS2019 Vanessa Anas Tschichold Go Goal: No Rebound! after an efficiency improvement to produce one unit, price will not decrease and therefore demand will

786 views • 39 slides
How to Improve Rebound Attacks Mar a Naya-Plasencia FHNW - Switzerland Outline 1 Hash

How to Improve Rebound Attacks Mar a Naya-Plasencia FHNW - Switzerland Outline 1 Hash

How to Improve Rebound Attacks Mar a Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1 Problem 2 4 Results

543 views • 27 slides
Improved Rebound Attack on the Finalist Grstl Jrmy Jean 1 Mara Naya-Plasencia 2 Thomas

Improved Rebound Attack on the Finalist Grstl Jrmy Jean 1 Mara Naya-Plasencia 2 Thomas

Improved Rebound Attack on the Finalist Grstl Jrmy Jean 1 Mara Naya-Plasencia 2 Thomas Peyrin 3 1 cole Normale Suprieure, France 2 University of Versailles, France 3 Nanyang Technological University, Singapore FSE2012 March 19,

1.24k views • 71 slides
The Restaurant Rebound Welcome to the Restaurant Rebound, a bi-weekly report on the industrys

The Restaurant Rebound Welcome to the Restaurant Rebound, a bi-weekly report on the industrys

The Restaurant Rebound Welcome to the Restaurant Rebound, a bi-weekly report on the industrys recovery, providing an analysis of recent OpenTable booking data and the latest news out of the sector. Future issues will also include first-hand

48 views • 3 slides
Rebound Effects Digitalization and the Rebound Effect - Seminar HS2019 Martin Blapp Greenhouse

Rebound Effects Digitalization and the Rebound Effect - Seminar HS2019 Martin Blapp Greenhouse

Rebound Effects Digitalization and the Rebound Effect - Seminar HS2019 Martin Blapp Greenhouse gas abatement potential for Switzerland in 2025 Hilty, University of Zurich Research Report, 2017 2 Historical Perspective The Rebound Effect How

746 views • 41 slides
REBOUND EFFECT FOR PRIVATE TRANSPORT AND ENERGY SERVICES IN THE UK IAEE European Conference,

REBOUND EFFECT FOR PRIVATE TRANSPORT AND ENERGY SERVICES IN THE UK IAEE European Conference,

REBOUND EFFECT FOR PRIVATE TRANSPORT AND ENERGY SERVICES IN THE UK IAEE European Conference, Vienna, September 3-6, 2017 Mona Chitnis (University of Surrey) Roger Fouquet (LSE) Steve Sorrell (University of Sussex) Outline Rebound

300 views • 17 slides
The Walkable Urban Rebound San Antonio at the Tipping Point Alex Steinberger San Antonio

The Walkable Urban Rebound San Antonio at the Tipping Point Alex Steinberger San Antonio

The Walkable Urban Rebound San Antonio at the Tipping Point Alex Steinberger San Antonio Housing Summit Fregonese Associates September 30 th , 2016 The (Walkable) Urban Rebound Walkable urbanism development is now propelling real estate

614 views • 46 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Slides for When Does Eco-Efficiency Rebound or Backfire? An Analytical Model Presentation

Slides for When Does Eco-Efficiency Rebound or Backfire? An Analytical Model Presentation

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/345431176 Slides for When Does Eco-Efficiency Rebound or Backfire? An Analytical Model Presentation November 2020 CITATIONS READ 0

298 views • 27 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Residential energy efficiency and carbon policies: Costs, rebound and emissions CGE-analysis with

Residential energy efficiency and carbon policies: Costs, rebound and emissions CGE-analysis with

1 Brita Bye, Taran Fhn, Orvika Rosnes: Residential energy efficiency and carbon policies: Costs, rebound and emissions CGE-analysis with bottom-up information 22 nd Annual Conference of EAERE Zrich June 2016 1 Background One of the

544 views • 35 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
Fingolimod rebound management Tim Soane Neurology Registrar, Forth Valley Royal Hospital

Fingolimod rebound management Tim Soane Neurology Registrar, Forth Valley Royal Hospital

Fingolimod rebound management Tim Soane Neurology Registrar, Forth Valley Royal Hospital Background 45 year old right handed lady Physiotherapist PMHx Migraines, Depression Allergic to sulphonamides Lived with husband and

375 views • 16 slides
Low-level Viremia below 50 cps/mL in treated HIV-infected patients predicts viral load rebound

Low-level Viremia below 50 cps/mL in treated HIV-infected patients predicts viral load rebound

Low-level Viremia below 50 cps/mL in treated HIV-infected patients predicts viral load rebound above 400 cps/mL independently of adherence levels P Vitiello , T Doyle , C Smith , V Cambiano , A Owen*, A Philips , AM Geretti

811 views • 17 slides
SUPERCHARGING THE REBOUND 4 .0 EVENTS IN THE AGE OF COVID-19: LET'S TALK LEGAL ISSUES! WITH BRAD

SUPERCHARGING THE REBOUND 4 .0 EVENTS IN THE AGE OF COVID-19: LET'S TALK LEGAL ISSUES! WITH BRAD

SUPERCHARGING THE REBOUND 4 .0 EVENTS IN THE AGE OF COVID-19: LET'S TALK LEGAL ISSUES! WITH BRAD STEELE, J. D. You will hear silence until the webinar begins at 10:00am PDT / 12:00pm CDT / 1:00pm EDT YOUR HOST. . . LYNNE LAFOND DELUCA

630 views • 25 slides
Com m ents on General Equilibrium Rebound from Energy Efficiency Policies by Derek Lem oine

Com m ents on General Equilibrium Rebound from Energy Efficiency Policies by Derek Lem oine

Com m ents on General Equilibrium Rebound from Energy Efficiency Policies by Derek Lem oine Stefan Ambec Ecole dEconomie de Toulouse (INRA-LERNA-IDEI) Auteur Main Point Impact of energy policy (tax): Engineering approach:

174 views • 4 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
Drivers for direct and indirect rebound effects The case of energy efficiency technologies for

Drivers for direct and indirect rebound effects The case of energy efficiency technologies for

Drivers for direct and indirect rebound effects The case of energy efficiency technologies for heating and mobility in Austria Sebastian Seebauer Veronika Kulmer, Claudia Fruhmann Wegener Center for Climate and LIFE Centre for Climate,

545 views • 12 slides
Seminar HS2019 Distributed Systems Group (Prof. Mattern) Digitalization and the Rebound Effect

Seminar HS2019 Distributed Systems Group (Prof. Mattern) Digitalization and the Rebound Effect

Seminar HS2019 Distributed Systems Group (Prof. Mattern) Digitalization and the Rebound Effect Moti tivati tion n we e need eed t to halve e our emi emissions ea each dec ecade Image scource: (Rockstrm et al. 2017): A roadmap

737 views • 25 slides
Rebound: Scalable Checkpointing for Coherent Shared Memor for Coherent Shared Memory Rishi

Rebound: Scalable Checkpointing for Coherent Shared Memor for Coherent Shared Memory Rishi

Rebound: Scalable Checkpointing for Coherent Shared Memor for Coherent Shared Memory Rishi Agarwal, Pranav Garg, and Josep Torrellas D Department of Computer Science f C S i University of Illinois at Urbana-Champaign

685 views • 33 slides

More recommend