
The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl - PowerPoint PPT Presentation



  1. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl
     Florian Mendel (1), Christian Rechberger (1), Martin Schläffer (1), Søren S. Thomsen (2)
     (1) Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A-8010 Graz, Austria
     (2) Department of Mathematics, Technical University of Denmark, Matematiktorvet 303S, DK-2800 Kgs. Lyngby, Denmark
     Technical University of Denmark - Graz University of Technology, FSE 2009

  2. Overview
     1 Motivation
     2 The Rebound Attack
     3 The Whirlpool Hash Function
     4 Rebound Attack on Whirlpool
     5 Rebound Attack on Grøstl
     6 Results and Conclusions


  4. Motivation
     NIST SHA-3 competition: a diversity of designs, so a diversity of cryptanalytic tools is needed.
     Many AES-based designs: how to analyze them? We contribute a new attack to this toolbox.
     Applications: the idea of the attack is widely applicable; here it is applied to Whirlpool and Grøstl.


  6. Collision Attacks on Hash Functions
     Iterated hash function h(M, IV) with compression function f: H_t = f(M_t, H_{t-1}), H_0 = IV.
     Different types of collision attacks:
     (1) collision (fixed IV): f(M_t, IV) = f(M'_t, IV), M_t ≠ M'_t
     (2) semi-free-start collision (random chaining input): f(M_t, H_{t-1}) = f(M'_t, H_{t-1}), M_t ≠ M'_t
     (3) free-start collision (random differences and values of the chaining input): f(M_t, H_{t-1}) = f(M'_t, H'_{t-1}), M_t ≠ M'_t, H_{t-1} ≠ H'_{t-1}
     ⇒ increasing degrees of freedom for the attacker from (1) to (3)

  7. The Rebound Attack
     (figure: E_bw | E_in | E_fw, labelled outbound | inbound | outbound)
     Applies to block-cipher and permutation based designs: E = E_fw ∘ E_in ∘ E_bw, P = P_fw ∘ P_in ∘ P_bw.
     Inbound phase: efficient meet-in-the-middle phase in E_in, aided by the available degrees of freedom; called match-in-the-middle.
     Outbound phase: probabilistic part in E_bw (backward) and E_fw (forward); repeat the inbound phase if needed.

  8. Comparison with other Strategies
     (figure: three diagrams between the inputs M_t, H_{t-1} and the output H_t)
     inside-out approach
     meet-in-the-middle attack
     rebound attack: inbound phase in the middle, outbound phases towards both ends


  10. The Whirlpool Hash Function
     (figure: H_{t-1} enters the key schedule of block cipher W (SB, SC, MR, AC); M_t enters the state update (SB, SC, MR, AK); the cipher output is fed forward to H_t)
     Designed by Barreto and Rijmen, submitted to NESSIE in 2000, standardized in ISO/IEC 10118-3:2003.
     512-bit hash value, processing 512-bit message blocks.
     Block-cipher based (AES-like cipher W) in Miyaguchi-Preneel mode, with a conservative key schedule.
     No attacks in 8 years of existence.

  11. The Whirlpool Round Transformations
     10 rounds of AES-like round transformations on two 8 × 8 byte states: SubBytes (S-box S(x)), ShiftColumns, MixRows, AddRoundKey (XOR with K_i).
     key schedule round: k_i = AC ∘ MR ∘ SC ∘ SB, with K_0 = H_{t-1} and K_i = k_i(K_{i-1}) for i = 1, ..., 10
     state update round: r_i = AK ∘ MR ∘ SC ∘ SB, with S_0 = M_t ⊕ K_0 and S_i = r_i(S_{i-1}), where AK adds K_i
     (figure: the key schedule row K_0 ... K_10 and the state row S_0 ... S_10, rounds r_1 ... r_10, with M_t and H_{t-1} fed forward into H_t)

  12. Wide-Trails in Whirlpool
     (figure: the same two rows of 10 rounds as on the previous slide)
     Minimum number of active S-boxes for any 4-round trail: 1 → 8 → 64 → 8, i.e. 81 active S-boxes.
     The maximum differential probability of the S-box is 2^-5, so any 4-round trail holds with probability at most (2^-5)^81 = 2^-405.
     A collision attack on Whirlpool has to cost less than the 2^256 birthday bound. Even if "message modification" techniques are used to pass the first rounds for free, a full active state remains, which holds with probability (2^-5)^64 = 2^-320, still far below 2^-256.


  14. The Rebound Attack on Whirlpool
     (figure: rounds r_1 ... r_4 with round keys K_0 ... K_4 and states S_0 ... S_4; r_2 and r_3 are the inbound part, r_1 and r_4 the outbound parts)
     Inbound phase:
     (1) start with differences in rounds r_2 and r_3
     (2) match-in-the-middle at the S-box using values of the state
     Outbound phase:
     (3) probabilistic propagation in MixRows of r_1 and r_4
     (4) match the one-byte difference of the feed-forward

  15. Inbound Phase
     (figure: K_2, S_2 and S_3 around the SB, SC, MR, AK transformations of rounds r_2 and r_3; step 1 at both ends, step 2 in the middle)
     (1) Start with differences in the states S_2^SC (8 active bytes, input of MixRows in r_2) and S_3^MR (8 active bytes, output of MixRows in r_3). Linear propagation gives a full active state at S_2 (forward) and at S_3^SB (backward); this is deterministic due to the MDS property of MixRows.
     (2) Match-in-the-middle at the S-box layer of round r_3: the forward direction fixes the input difference of every S-box, the backward direction its output difference. A differential match for a single S-box holds with probability ~2^-1, and for each match we get 2 to 8 possible values for the S-box input.
     ⇒ with a complexity of 2^64 we get 2^64 matches, i.e. 2^64 starting points (values, not just differences) for the outbound phase

  16. Outbound Phase
     (figure: rounds r_1 ... r_4 with K_1 ... K_4 and S_0 ... S_4; step 3 at MixRows of r_1 and r_4, step 4 at the feed-forward)
     (3) Propagate through MixRows of r_1 (backward) and r_4 (forward) using truncated differences (active bytes: 8 → 1); probability 2^-56 in each direction.
     (4) Match the difference in the one active byte of the feed-forward: probability 2^-8.
     ⇒ complexity for a 4-round collision of Whirlpool: 2^56 · 2^56 · 2^8 = 2^120 (the inbound phase delivers its 2^64 starting points at amortized cost about one each, so the outbound probabilities dominate)
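The match-in-the-middle of slides 14 to 16 is easiest to see on a toy. The following Python is an added example written for this page, not code from the paper or from any Whirlpool implementation. It uses an AES-style S-box built inline as a stand-in for Whirlpool's S-box (so a match yields 2 or 4 values instead of the 2 to 8 on slide 15, and the per-S-box match rate is 127/255 rather than exactly 1/2), and a circulant 8 × 8 matrix over GF(2^8) as the linear layer: the constants circ(1,1,4,1,8,5,2,9) and the reduction polynomial 0x11D are assumed here to be Whirlpool's MixRows, and only the fact that every matrix entry is nonzero is used. The matrix is applied forward where the real attack applies MR^-1, which is also MDS, so the shape of the step is the same. The code shows the single-S-box differential match from the DDT, then step 2 for the 8 S-boxes fed by one active byte: 255 candidate values of that byte, about one survives, and each survivor returns actual state values rather than only a difference.

```python
import random

# --- GF(2^8) arithmetic ---------------------------------------------------
def gf_mul(a, b, poly):
    """a * b in GF(2^8) reduced by the given polynomial (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def gf_inv(a, poly):
    """a^254 = a^-1 in GF(2^8); 0 maps to 0, as in the AES S-box."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a, poly)
    return r

# --- stand-in S-box: AES construction (inversion mod 0x11B + affine map) ---
def make_aes_style_sbox():
    sbox = []
    for x in range(256):
        b = gf_inv(x, 0x11B)
        s = b
        for k in range(1, 5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = make_aes_style_sbox()

def build_solution_table(sbox):
    """sol[din][dout] = every x with S(x) ^ S(x ^ din) == dout: the DDT with
    the solutions kept, which is exactly what the match-in-the-middle needs."""
    sol = [[[] for _ in range(256)] for _ in range(256)]
    for din in range(256):
        for x in range(256):
            sol[din][sbox[x] ^ sbox[x ^ din]].append(x)
    return sol

SOL = build_solution_table(SBOX)

def sbox_match(din, dout):
    """Values solving one S-box differential din -> dout (empty list: no match)."""
    return SOL[din][dout]

def match_statistics():
    """Over all nonzero (din, dout): fraction that match, and the solution-set sizes seen."""
    matched, sizes = 0, set()
    for din in range(1, 256):
        for dout in range(1, 256):
            n = len(SOL[din][dout])
            if n:
                matched += 1
                sizes.add(n)
    return matched / (255 * 255), sizes

# --- linear layer: circulant 8x8 matrix over GF(2^8) -----------------------
# Assumed Whirlpool MixRows constants; only "all entries nonzero" matters here.
MIX_POLY = 0x11D
MIX_ROW0 = (1, 1, 4, 1, 8, 5, 2, 9)
MDS = [[MIX_ROW0[(j - i) % 8] for j in range(8)] for i in range(8)]

def mix_single_byte(delta, pos):
    """Row with one active byte delta at pos -> all 8 bytes active (deterministic 1 -> 8)."""
    return [gf_mul(MDS[i][pos], delta, MIX_POLY) for i in range(8)]

def inbound_match(in_diffs, pos):
    """Inbound step 2 for the 8 S-boxes fed by one active byte.

    in_diffs: the 8 S-box input differences fixed by the forward propagation
    (step 1).  Each of the 255 nonzero values of the active byte fixes all 8
    output differences through the linear layer; keep the values for which
    every S-box admits a solution.  Returns (delta, per-S-box value lists).
    """
    hits = []
    for delta in range(1, 256):
        out_diffs = mix_single_byte(delta, pos)
        sols = [sbox_match(di, do) for di, do in zip(in_diffs, out_diffs)]
        if all(sols):
            hits.append((delta, sols))
    return hits

def verify_hit(in_diffs, pos, delta, sols):
    """Re-check a hit against the S-box itself: every value follows the differential."""
    out_diffs = mix_single_byte(delta, pos)
    return all(SBOX[x] ^ SBOX[x ^ di] == do
               for di, do, xs in zip(in_diffs, out_diffs, sols) for x in xs)

def mean_hits(trials, seed=1):
    """Average number of surviving deltas for random (constructed) forward
    differences; expected about 255 * (127/255)^8, i.e. roughly one per trial."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        in_diffs = [rng.randrange(1, 256) for _ in range(8)]
        total += len(inbound_match(in_diffs, rng.randrange(8)))
    return total / trials

def rebound_cost_log2(inbound_log2, outbound_log2_costs):
    """log2 of the attack cost: the inbound phase delivers starting points at
    amortized cost about one, so the outbound probabilities dominate."""
    return max(inbound_log2, sum(outbound_log2_costs))

if __name__ == "__main__":
    frac, sizes = match_statistics()
    print(f"single S-box match rate {frac:.3f}, solution sizes {sorted(sizes)}")
    print(f"mean surviving deltas per 255 candidates: {mean_hits(64):.2f}")
    print(f"4-round Whirlpool: 2^{rebound_cost_log2(64, (56, 56, 8))}")
```

The same matrix explains the outbound cost on slide 16: of the 2^64 differences a full active row can take, only 255 of them (the nonzero multiples of one column of the inverse matrix) are mapped to a single active byte at a given position, so 8 → 1 holds with probability 255/2^64 ≈ 2^-56, and the two outbound directions together with the 2^-8 feed-forward match give the 2^120 that rebound_cost_log2(64, (56, 56, 8)) returns.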

  17. Extension to more Rounds
     (figure: the inbound phase spread over rounds r_2, r_3 and r_4 with K_2 and K_3, steps 1, 2a and 2b)
     Semi-free-start collision on 5 rounds: extend the inbound phase using the degrees of freedom in the key (chaining input); same complexity (2^120) as in the 4-round attack.
     (figure: rounds r_1 ... r_7.5 with K_1 ... K_7 and S_0 ... S_7.5; steps 1 and 2 in the middle, step 3 in all remaining rounds, step 4 at the feed-forward)
     Semi-free-start near-collision on 7.5 rounds: extend the outbound phase with probability one through MixRows (1 → 8 active bytes is free); near-collision on 52 of 64 bytes with complexity 2^128.


  19. SHA-3 Candidate Grøstl
     (figure: P_512 applied to H_{t-1} ⊕ M_t, Q_512 applied to M_t, both outputs XORed with H_{t-1} to give H_t)
     Compression function of Grøstl: permutation based, no key-schedule inputs.
     AES-based round transformations (AC, SB, ShB, MB).
     Grøstl-256: 8 × 8 byte state for P_512 and Q_512, 10 rounds each.

  20. Rebound Attack on Grøstl-256
     (figure: 6 rounds r_1 ... r_6 of Q (Q_0 ... Q_6) and of P (P_0 ... P_6); steps 1 and 2 of the inbound phase in the middle rounds, steps 3 and 4 of the outbound phase towards the input and the feed-forward)
     Semi-free-start collision on 6 rounds of Grøstl-256.
     Fewer degrees of freedom (no key-schedule input), so they are maximized by using differential trails in both permutations.
     Birthday match on the input and output differences of P and Q.
     Complexity of the attack: ~2^120.
