
Security of SHA-3 and Related Constructions, Jian Guo, FSE 2019



  1. Security of SHA-3 and Related Constructions. Jian Guo. FSE 2019 @ Paris, France. 27th March 2019.

  2. Acknowledgements. Many thanks go to my collaborators on this topic: Colin Chaigneau, Alexandre Duc, Thomas Fuhr, Henri Gilbert, Jérémy Jean, Guohong Liao, San Ling, Guozhen Liu, Meicheng Liu, Thomas Peyrin, Kexin Qiao, Jean-René Reinhard, Danping Shi, Ling Song, Lei Wei.

  3. Outline: 1. Introduction to Keccak; 2. Preimage Attacks; 3. Collision Attacks; 4. Distinguishers; 5. Key-Recovery Attacks; 6. Concluding Remarks.

  4. Outline: 1. Introduction to Keccak; 2. Preimage Attacks; 3. Collision Attacks; 4. Distinguishers; 5. Key-Recovery Attacks; 6. Concluding Remarks.

  5. SHA-3 (Keccak) Hash Function. The sponge construction [BDPV11], built on a b-bit permutation f. Two parameters: bitrate r, capacity c, and b = r + c. The message is padded and then split into r-bit blocks.

  6. SHA-3 Hash Function. Keccak-f permutation. 1600 bits: seen as a 5 × 5 array of 64-bit lanes, A[x, y], 0 ≤ x, y < 5. 24 rounds; each round R consists of five steps: R = ι ◦ χ ◦ π ◦ ρ ◦ θ. χ: the only nonlinear operation. (Figure: the state with its row, lane, column and slice labelled; http://www.iacr.org/authors/tikz/)

  7. SHA-3 Hash Function. Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ. θ step: adding two columns to the current bit. (Figure: http://keccak.noekeon.org/)
     C[x] = A[x, 0] ⊕ A[x, 1] ⊕ A[x, 2] ⊕ A[x, 3] ⊕ A[x, 4]
     D[x] = C[x − 1] ⊕ (C[x + 1] ≪ 1)
     A[x, y] = A[x, y] ⊕ D[x]
     The Column Parity kernel: if C[x] = 0, 0 ≤ x < 5, then the state A is in the CP kernel.

  8. SHA-3 Hash Function. Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ. ρ step: lane-level rotations, A[x, y] = A[x, y] ≪ r[x, y]. (Figure: http://keccak.noekeon.org/)
     Rotation offsets r[x, y]:

             x = 0   x = 1   x = 2   x = 3   x = 4
     y = 0     0       1      62      28      27
     y = 1    36      44       6      55      20
     y = 2     3      10      43      25      39
     y = 3    41      45      15      21       8
     y = 4    18       2      61      56      14

  9. SHA-3 Hash Function. Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ. π step: permutation on lanes, A[y, 2x + 3y] = A[x, y]. (Figure: the 5 × 5 grid of lane positions before and after π.)

  10. SHA-3 Hash Function. Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ. χ step: 5-bit S-boxes, nonlinear operation on rows. With inputs x0, ..., x4 and outputs y0, ..., y4:
      y0 = x0 ⊕ (x1 ⊕ 1) · x2
      y1 = x1 ⊕ (x2 ⊕ 1) · x3
      y2 = x2 ⊕ (x3 ⊕ 1) · x4
      y3 = x3 ⊕ (x4 ⊕ 1) · x0
      y4 = x4 ⊕ (x0 ⊕ 1) · x1
      The algebraic degrees of χ and χ⁻¹ are 2 and 3.

  11. SHA-3 Hash Function. Keccak permutation: ι ◦ χ ◦ π ◦ ρ ◦ θ. ι step: adding a round constant to the state. Adding one round-dependent constant to the first "lane", to destroy the symmetry. Without ι: the round function would be symmetric; all rounds would be the same; fixed points exist; vulnerable to rotational attacks, slide attacks, ...

  12. SHA-3 Hash Function. Round function of Keccak-f. Internal state A: a 5 × 5 array of 64-bit lanes.
      θ step: C[x] = A[x, 0] ⊕ A[x, 1] ⊕ A[x, 2] ⊕ A[x, 3] ⊕ A[x, 4]; D[x] = C[x − 1] ⊕ (C[x + 1] ≪ 1); A[x, y] = A[x, y] ⊕ D[x]
      ρ step: A[x, y] = A[x, y] ≪ r[x, y]. The constants r[x, y] are the rotation offsets.
      π step: A[y, 2x + 3y] = A[x, y]
      χ step: A[x, y] = A[x, y] ⊕ ((¬A[x + 1, y]) & A[x + 2, y])
      ι step: A[0, 0] = A[0, 0] ⊕ RC[i]. RC[i] are the round constants.
      L ≜ π ◦ ρ ◦ θ. The only non-linear operation is the χ step.
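
The round function summarised on slide 12, written out as an added Python example (not code from the talk or from the Keccak team). The five steps are separate functions wrapped in the sponge of slide 5; the SHA3-256 parameters (r = 1088, c = 512), the 0x06 suffix/padding byte and the LFSR form of the round constants are taken from the SHA-3 standard rather than from the slides, and all function names are this example's own.

```python
import hashlib

MASK = (1 << 64) - 1

def rol(v, n):  # rotate a 64-bit lane left by n bits
    return ((v << n) | (v >> (64 - n))) & MASK

def theta(A):  # A[x][y] ^= C[x-1] ^ (C[x+1] <<< 1); identity on the CP kernel
    C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
    D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
    return [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]

def rho_pi(A):  # rotate lane [x, y] by r[x, y], then move it to [y, 2x + 3y]
    B = [[A[0][0], 0, 0, 0, 0]] + [[0] * 5 for _ in range(4)]
    x, y = 1, 0
    for t in range(24):  # along this walk, r[x, y] = (t + 1)(t + 2)/2 mod 64
        B[y][(2 * x + 3 * y) % 5] = rol(A[x][y], (t + 1) * (t + 2) // 2 % 64)
        x, y = y, (2 * x + 3 * y) % 5
    return B

def chi(A):  # the only nonlinear step: a 5-bit S-box along every row
    return [[A[x][y] ^ (~A[(x + 1) % 5][y] & A[(x + 2) % 5][y])
             for y in range(5)] for x in range(5)]

def keccak_f(A):  # 24 rounds of R = iota . chi . pi . rho . theta
    lfsr = 1
    for _ in range(24):
        A = chi(rho_pi(theta(A)))
        for j in range(7):  # iota: round-constant bits come from an 8-bit LFSR
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) % 256
            if lfsr & 2:
                A[0][0] ^= 1 << ((1 << j) - 1)
    return A

def sha3_256(msg):  # sponge with r = 1088, c = 512, b = r + c = 1600
    rate = 136
    p = bytearray(msg) + b"\x06" + bytes(-(len(msg) + 1) % rate)
    p[-1] ^= 0x80  # padding: suffix bits, zeros, final 1 bit
    A = [[0] * 5 for _ in range(5)]
    for off in range(0, len(p), rate):
        for i in range(rate // 8):  # lane i lives at x = i % 5, y = i // 5
            A[i % 5][i // 5] ^= int.from_bytes(p[off + 8 * i:off + 8 * i + 8], "little")
        A = keccak_f(A)
    return b"".join(A[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def matches_hashlib(msg):  # cross-check against the standard library
    return sha3_256(msg) == hashlib.sha3_256(msg).digest()
```

A state whose five column parities are all zero passes through `theta` unchanged, which is the CP-kernel property from slide 7.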

  13. Outline: 1. Introduction to Keccak; 2. Preimage Attacks; 3. Collision Attacks; 4. Distinguishers; 5. Key-Recovery Attacks; 6. Concluding Remarks.

  14. Preimage Attacks — Linear Structures. Core ideas: treat the bits of the message block as variables, and convert the preimage-finding problem into a system of linear equations; the algebraic degree of the variables is kept to be at most 1 for as many rounds as possible. To do so: limit the algebraic degrees increased by χ; limit the diffusion effect of θ by forcing the variables into the CP kernel.


  19. How to keep χ linear. The expression of b = χ(a) is of algebraic degree 2: b_i = a_i + a_{i+1} · a_{i+2}, for i = 0, 1, ..., 4. Observation: when there are no neighbouring variables in the input of an Sbox, the application of χ does NOT increase algebraic degrees. (Figure: two Sbox examples. With the variables x0 and x2 and the remaining inputs fixed to constants 0, 1 and c, the products c · x2 and x0 · c stay linear (√); with neighbouring variables x1 and x2, the product x1 · x2 appears (×).) Allows at most 2 independent variables, i.e., at least 3 out of 5 bits need to be fixed in each Sbox.

  20. Linear Structure — A Simple Example. Figure: 1-round linear structure of Keccak-p* with the degrees of freedom up to 512 (the 5 × 5 lane grid shown through θ, π ◦ ρ and ι ◦ χ; the legend marks lanes holding variables, lanes of algebraic degree at most 1, constant 1 and constant 0). The θ effect is limited by forcing the column sum to 0 (or 1) in two columns. No two variables are multiplied with each other in the first round. Result: one-round linear structure with dimension up to 512.
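
The observation on slide 19 ("How to keep χ linear") can be checked exhaustively. The following is an added Python example, not code from the talk: it places variables in every subset of the five S-box input bits, tries every choice of constants for the fixed bits, and computes the algebraic degree of each output bit with a Möbius transform. All function names are this example's own.

```python
from itertools import combinations, product

def chi_row(a):
    """chi on one 5-bit row: b_i = a_i ^ (a_{i+1} ^ 1) & a_{i+2}."""
    return [a[i] ^ ((a[(i + 1) % 5] ^ 1) & a[(i + 2) % 5]) for i in range(5)]

def degree(table, n):
    """Algebraic degree of an n-variable Boolean function (Moebius transform)."""
    anf = list(table)
    for i in range(n):
        for m in range(1 << n):
            if m >> i & 1:
                anf[m] ^= anf[m ^ (1 << i)]
    return max((bin(m).count("1") for m in range(1 << n) if anf[m]), default=0)

def max_degree(var_pos):
    """Highest output degree of chi when var_pos hold variables, over all
    choices of constants for the remaining (fixed) input bits."""
    n = len(var_pos)
    fixed = [i for i in range(5) if i not in var_pos]
    worst = 0
    for consts in product((0, 1), repeat=len(fixed)):
        tables = [[] for _ in range(5)]
        for m in range(1 << n):  # every assignment of the variables
            a = [0] * 5
            for i, c in zip(fixed, consts):
                a[i] = c
            for k, i in enumerate(var_pos):
                a[i] = m >> k & 1
            for i, bit in enumerate(chi_row(a)):
                tables[i].append(bit)
        worst = max(worst, *(degree(t, n) for t in tables))
    return worst

def has_neighbours(var_pos):
    """True if two variables sit in cyclically adjacent S-box input bits."""
    return any((i + 1) % 5 in var_pos for i in var_pos)

def linear_patterns():
    """All variable placements for which chi keeps algebraic degree <= 1."""
    return [v for k in range(6) for v in combinations(range(5), k)
            if max_degree(v) <= 1]
```

`linear_patterns()` returns exactly the placements without neighbouring variables, and none of them has more than 2 variables, matching the "at least 3 out of 5 bits fixed" count on the slide.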
