SIMD Is a Message Digest Gatan Leurent, Pierre-Alain Fouque, Charles - PowerPoint PPT Presentation

Introduction Description Security Implementation SIMD Is a Message Digest Gaëtan Leurent, Pierre-Alain Fouque, Charles Bouillaguet École Normale Supérieure Paris, France http://www.di.ens.fr/~leurent/simd.html First SHA-3 Conference A 0 B 0 C 0 D 0 A 1 B 1 C 1 D 1 A 2 B 2 C 2 D 2 A 3 B 3 C 3 D 3 Φ Φ Φ Φ W 0 W 1 W 2 W 3 ≪ r ≪ r ≪ r ≪ r ≪ s ≪ s ≪ s ≪ s A 0 B 0 C 0 D 0 A 1 B 1 C 1 D 1 A 2 B 2 C 2 D 2 A 3 B 3 C 3 D 3 G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 1 / 26

Introduction Description Security Implementation Main Features of SIMD ◮ Security ◮ Strong message expansion ◮ Proof of security against differential cryptanalysis ◮ Parallelism ◮ Small scale parallelism (inside the compression function): good for hardware / software with SIMD instructions ◮ Can use two cores: message expansion / compression ◮ Performance ◮ Very good on high-end desktops: 11 cycles/byte on Core2 ◮ Good if SIMD instructions are available: SSE on x86, AltiVec on PowerPC, IwMMXt on ARM, VIS on SPARC... ◮ Drawback: no portable efficient implementation. G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 2 / 26

Introduction Description Security Implementation General Design ◮ Merkle-Damgård-like iteration ◮ Davies-Meyer-like compression function ◮ Feistel-based block cipher ◮ Two versions: Message block size m Internal state size p SIMD -256 512 512 SIMD -512 1024 1024 can be truncated ( e.g. SIMD -224, SIMD -384) G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 3 / 26

Introduction Description Security Implementation Outline Introduction Description Mode of operation Compression Function Message Expansion Security Resistance to Differential Cryptanalysis Implementation Performance G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 4 / 26

Introduction Description Security Implementation Iteration mode The iteration mode is based on ChopMD ( a.k.a. wide pipe). M | M | M 0 M 1 M 2 M 3 C ′ C C C C T h ( M ) IV H 0 H 1 H 2 H 3 H 4 ◮ Pad with zeros ◮ Use the message length as input of the last block: quite constrained, kind of blank round ◮ Tweaked final compression function ( i.e. prefix-free encoding) ◮ Security proof: indifferentiable up to 2 n G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 5 / 26

Introduction Description Security Implementation How to build a compression function? Two inputs: H i − 1 hard to control / M easy to control Davies-Meyer: Matyas-Meyer-Oseas: H i − 1 M H i − 1 M E E H i H i H i = E H i − 1 ( M ) ⊕ M H i = E M ( H i − 1 ) ⊕ H i − 1 ◮ differential attack on C ◮ differential attack on C � differential attacks E � related key attack on E ◮ Message expansion can reduce control over M G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 6 / 26

Introduction Description Security Implementation How to build a compression function? Two inputs: H i − 1 hard to control / M easy to control Davies-Meyer: Matyas-Meyer-Oseas: H i − 1 M H i − 1 M E E H i H i H i = E H i − 1 ( M ) ⊕ M H i = E M ( H i − 1 ) ⊕ H i − 1 ◮ differential attack on C ◮ differential attack on C � differential attacks E � related key attack on E ◮ Message expansion can reduce control over M G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 6 / 26

Introduction Description Security Implementation The Compression Function ◮ Modified Davies-Meyer mode. H i − 1 ◮ XOR M in the beginning: M no message modifications ◮ Use some more Feistel rounds as the feed-forward: avoids some fixed points and multiblock attacks M ◮ Same security proofs as DM: E good if E if good ◮ Feistel-based cipher ◮ Strong message expansion P H i G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 7 / 26

Introduction Description Security Implementation The Feistel Round A 0 B 0 C 0 D 0 A 1 B 1 C 1 D 1 A 2 B 2 C 2 D 2 A 3 B 3 C 3 D 3 Φ Φ Φ Φ W 0 W 1 W 2 W 3 ≪ r ≪ r ≪ r ≪ r ≪ s ≪ s ≪ s ≪ s A 0 B 0 C 0 D 0 A 1 B 1 C 1 D 1 A 2 B 2 C 2 D 2 A 3 B 3 C 3 D 3 ◮ 4 parallel Feistel ladders (8 for SIMD -512) with 32 bit words ◮ 4 (expanded) message words enter each round ◮ Interaction between the Feistel ladders via the permutations p ( i ) ◮ Constants hidden in the message expansion � � ≪ s ( i ) � � ≪ r ( i ) D ( i − 1 ) ⊞ φ ( i ) ( A ( i − 1 ) , B ( i − 1 ) , C ( i − 1 ) A ( i − 1 ) A ( i ) ⊞ W ( i ) = ) ⊞ j j j j j j p ( i ) ( j ) ≪ r ( i ) = A ( i − 1 ) = B ( i − 1 ) = C ( i − 1 ) B ( i ) C ( i ) D ( i ) j j j j j j G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 8 / 26

Introduction Description Security Implementation Round Parameters ◮ Rotations and ◮ Permutations: Boolean functions: chosen for maximal diffusion φ ( i ) r ( i ) s ( i ) p ( j ) = j + 1 IF π 0 π 1 IF π 1 π 2 IF π 2 π 3 p ( j ) = j + 2 IF π 3 π 0 MAJ π 0 π 1 MAJ π 1 π 2 MAJ π 2 π 3 MAJ π 3 π 0 G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 9 / 26

Introduction Description Security Implementation Round Parameters ◮ Rotations and ◮ Permutations: Boolean functions: chosen for maximal diffusion φ ( i ) r ( i ) s ( i ) p ( j ) = j + 1 IF π 0 π 1 IF π 1 π 2 IF π 2 π 3 p ( j ) = j + 2 IF π 3 π 0 MAJ π 0 π 1 MAJ π 1 π 2 MAJ π 2 π 3 MAJ π 3 π 0 G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 9 / 26

Introduction Description Security Implementation The Message Expansion Message block Expanded message Minimal distance SIMD -256 512 bits 4096 bits 520 bits SIMD -512 1024 bits 8192 bits 1032 bits ◮ Provides resistance to differential attack ◮ Based on (error correcting) codes with a good minimal distance ◮ Concatenated code: ◮ outer code gives a high word distance ◮ inner code gives a high bit distance G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 10 / 26

Introduction Description Security Implementation H i − 1 M W 16 steps ⊠ 185 P 1 M NTT W ⊠ 233 16 steps P 2 4 steps 4 steps H i G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 11 / 26

Introduction Description Security Implementation Outer Code Reed-Solomon code ◮ Interpret the input ( k words) as a polynomial of degree k − 1 over some finite field ◮ Evaluate on n points ( n > k ) ◮ MDS code: minimal distance n − k + 1 k n d SIMD -256 64 128 65 SIMD -512 128 256 129 ◮ Efficiency: ◮ Compute with an FFT algorithm ◮ Use the field F 257 ◮ Add a constant part: affine code G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 12 / 26

Introduction Description Security Implementation Inner code We encode the output words of the NTT twice, through two different inner codes. Very efficient codes, with a single 16-bit multiplication. I 185 : F 257 �→ Z 2 16 x → 185 ⊠ � where − 128 ≤ � x ≤ 128 and � x = x ( mod 257 ) x I 233 : F 257 �→ Z 2 16 x → 233 ⊠ � where − 128 ≤ � x ≤ 128 and � x = x ( mod 257 ) x The magic constants 185 and 233 give a minimal distance of 4 bits. (also for signed difference) G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 13 / 26

Introduction Description Security Implementation Security of SIMD ◮ The mode of operation is indifferentiable. ◮ No generic multicollision attack, second-preimage on long messages, or herding attack ◮ Any attack has to use some property of the block cipher. ◮ The most obvious property is to find differential trails. G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 14 / 26

Introduction Description Security Implementation Security Proof: Attacker goal We model a differential attacker: Attacker game ◮ Choose a message difference ∆ ◮ Build a differential path u � v ◮ Find a message M s.t. ( M , M + ∆ ) follows the path At each step there is a probability p that the path is followed i.e. there are c conditions, c = − log 2 ( p ) . We want to show that c ≥ 128. G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 15 / 26

Introduction Description Security Implementation Differential attacks Two possible differentials: ◮ XOR difference: specifies which bits are modified ◮ Easy to use ◮ No condition for carry on bit 31 (limited number due to the inner code) ◮ Signed difference: specifies which bits go up or down ◮ More powerful: Used by Wang et al. to break MD4, MD5, SHA-1, HAVAL, ... ◮ No condition when differences cancel out in ⊞ ◮ Less conditions on the Boolean functions ◮ Need a condition for the sign of bit 31 G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 16 / 26

Introduction Description Security Implementation State Differences A 1 B 1 C 1 D 1 φ W 1 ≪ r ≪ s A 1 B 1 C 1 D 1 φ W 1 ◮ We consider a single isolated ≪ r ≪ s difference bit in the state. A 1 B 1 C 1 D 1 φ W 1 ≪ r ◮ One condition to control the carry ≪ s when the difference is introduced A 1 B 1 C 1 D 1 φ ◮ Three conditions for the W 1 ≪ r ≪ s Boolean functions A 1 B 1 C 1 D 1 φ W 1 ≪ r ≪ s A 1 B 1 C 1 D 1 G. Leurent (ENS) SIMD Is a Message Digest First SHA-3 Conference 17 / 26