The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function
Jérémy Jean (1), joint work with Jian Guo (1), Gaëtan Leurent (2), Thomas Peyrin (1), Lei Wang (1)
(1) Nanyang Technological University, Singapore
(2) INRIA, France
SAC 2014 – August 14, 2014
Outline: Introduction, Our observation, Diamond attack, Expandable message attack, Conclusion

Streebog: new Russian hash function
◮ New hash function standard in Russia.
  ◮ Standardized name: GOST R 34.11-2012.
  ◮ Nickname of that function: Streebog.
◮ Previous standard: GOST R 34.11-94.
  ◮ Theoretical weaknesses.
  ◮ Relies on the GOST block cipher from the same standard.
  ◮ This block cipher has also been weakened by third-party cryptanalysis.
SAC 2014 – J. Guo, J. Jean, G. Leurent, T. Peyrin, L. Wang – Cryptanalysis of Streebog 2/19
Specifications: domain extension
◮ Two versions: Streebog-256 and Streebog-512.
◮ $10^*$ padding: $m_1 \| \cdots \| m_t \| m$ (blocks of 512 bits).
◮ Compression function: $g$.
◮ Checksum: $\Sigma$, over the message blocks $m_i$ (addition modulo $2^{512}$).
◮ Counter: $N$, HAIFA input to $g$ over the number of processed bits.
◮ Three stages: initialization, message processing and finalization.
[Figure: domain extension. Stage 1 sets $h_0 = IV$; stage 2 iterates $g$ over $m_1, m_2, \ldots, m_t, m$, with counter input labelled 512 for each block, giving $h_1, h_2, \ldots, h_t$; stage 3 makes two further calls to $g$ with counter input 0, on $|M|$ and on $\Sigma$, giving $h_{t+1}$, $h_{t+2}$ and the output $h$.]
Specifications: compression function
◮ Simplification: the counter counts #blocks, not #bits.
◮ $g$ compresses $(h_{i-1}, i, m_i)$ to $h_i$ using: $h_i = f(h_{i-1} \oplus i, m_i) \oplus h_{i-1}$.
◮ Our attack is independent of the specifications of $f$ (deterministic).
[Figure: $g$ takes $h_{i-1}$, $i$ and $m_i$; the counter $i$ is XORed into $h_{i-1}$ before $f$, and the output of $f$ is XORed with $h_{i-1}$ to give $h_i$.]
◮ $g$ is one instantiation of a HAIFA compression function.
◮ The counter is simply XORed to the input of the $f$ function.
Equivalent compression function
$$h_i = h_{i-1} \oplus f(h_{i-1} \oplus i, m_i) \iff \begin{cases} h_i = F(h_{i-1} \oplus i, m_i) \oplus i, \\ F(x, m_i) = f(x, m_i) \oplus x. \end{cases}$$
[Figure: the left diagram feeds $h_{i-1} \oplus i$ to $f$ and XORs $h_{i-1}$ onto its output; the right diagram routes the same $h_{i-1} \oplus i$ around $f$ instead, which groups $f$ and the feed-forward into $F$ and leaves a single XOR with $i$ on the output.]
Indeed, $F(h_{i-1} \oplus i, m_i) \oplus i = f(h_{i-1} \oplus i, m_i) \oplus h_{i-1} \oplus i \oplus i = f(h_{i-1} \oplus i, m_i) \oplus h_{i-1}$.
The function $F$ is independent of the counter value!
Iteration of the equivalent compression function
◮ We have an equivalent representation of the compression function.
◮ Iterating it allows the counter additions to be combined.
$$\Delta(i) \stackrel{\text{def}}{=} i \oplus (i+1), \qquad F_{\Delta(i)}(X, Y) \stackrel{\text{def}}{=} F(X, Y) \oplus \Delta(i).$$
[Figure: two consecutive calls. The value entering the first $F$ is $h_{i-1} \oplus i$; its output is XORed with $i$ and then with $i+1$ before entering the second $F$, and the two XORs merge into one XOR with $\Delta(i)$; likewise the XORs after the second call merge into one XOR with $\Delta(i+1)$, leaving $h_{i+1} \oplus (i+2)$. The chain reads $h_{i-1} \oplus i \to F_{\Delta(i)} \to F_{\Delta(i+1)} \to h_{i+1} \oplus (i+2)$.]
Writing $x_i = h_{i-1} \oplus i$ for the value entering $F$ at step $i$, one step of the chain is $x_{i+1} = F_{\Delta(i)}(x_i, m_i)$, and after the last full block $h_t = x_{t+1} \oplus (t+1)$.
Relations between functions $F_{\Delta(i)}$ for $1 \le i \le t$ (1/2)
Recall that $t$ is the number of full blocks in $m_1 \| \cdots \| m_t \| m$, $|m| < 512$.
We observe that:
◮ For all even $i$, $\Delta(i) = i \oplus (i+1) = 1$. $\Longrightarrow$ The same function $F_1$ is used every other time.
◮ The sequence of $\Delta(i)$ is very structured:

  i    : 0 1 2 3 4 5 6  7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
  Δ(i) : 1 3 1 7 1 3 1 15 1 3  1  7  1  3  1 31  1  3  1  7  1  3  1 15

Let $s > 0$, and denote by $\langle i \rangle$ the $s$-bit binary representation of $i < 2^s - 1$:
$$\Delta(i + 2^s) = \big(1 \| \langle i \rangle\big) \oplus \big(1 \| \langle i+1 \rangle\big) = \langle i \rangle \oplus \langle i+1 \rangle = \Delta(i).$$
More generally: $F_{\Delta(i)} = F_{\Delta(i + j \cdot 2^s)}$ for all $0 \le i \le 2^s - 1$ and $j \ge 0$.
For example, with $s = 2$, $F_{\Delta(1)}$ and $F_{\Delta(1 + 2^2)} = F_{\Delta(5)}$ are equal (both are $F \oplus 3$).
Relations between functions $F_{\Delta(i)}$ for $1 \le i \le t$ (2/2)
Given an integer $s > 0$, we have:
$$\forall i \in \{0, \ldots, 2^s - 2\},\ \forall j > 0:\quad F_{\Delta(i)} = F_{\Delta(j \cdot 2^s + i)}.$$
[Figure: the 512-bit counters split into $512 - s$ high bits and $s$ low bits.]

  value            | high 512 − s bits | low s bits
  i                | 0                 | <i>
  i + 1            | 0                 | <i + 1>
  Δ(i)             | 0                 | <i ⊕ (i + 1)>
  i + j·2^s        | j                 | <i>
  i + 1 + j·2^s    | j                 | <i + 1>
  Δ(i + j·2^s)     | 0                 | <i ⊕ (i + 1)>

Consequently:
◮ The same sequence of $2^s - 1$ functions is used in the domain extension algorithm.
◮ This seems weaker than a true HAIFA mode.
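As an added example (not code from the slides or from the Streebog specification), the following Python checks the two facts of slides 5 to 8 with a constructed stand-in for $f$: the counter-free rewrite $h_i = F(h_{i-1} \oplus i, m_i) \oplus i$ agrees with the specified $g$, an $F_{\Delta(i)}$ chain reproduces stage 2, and $\Delta(i)$ repeats with period $2^s$ on $0 \le i \le 2^s - 2$. The toy `f_toy`, the sample IV and the sample blocks are assumptions.

```python
import hashlib

def f_toy(x: int, m: int) -> int:
    """Constructed stand-in for Streebog's f: any deterministic 512-bit map works."""
    data = x.to_bytes(64, "big") + m.to_bytes(64, "big")
    return int.from_bytes(hashlib.sha512(data).digest(), "big")

def g_spec(h_prev: int, i: int, m: int) -> int:
    """Slide 4: h_i = f(h_{i-1} XOR i, m_i) XOR h_{i-1}."""
    return f_toy(h_prev ^ i, m) ^ h_prev

def F(x: int, m: int) -> int:
    """Slide 5: F(x, m) = f(x, m) XOR x; the counter does not appear."""
    return f_toy(x, m) ^ x

def g_equiv(h_prev: int, i: int, m: int) -> int:
    """Slide 5: h_i = F(h_{i-1} XOR i, m_i) XOR i."""
    return F(h_prev ^ i, m) ^ i

def delta(i: int) -> int:
    """Slide 6: Delta(i) = i XOR (i + 1), the merged counter of two calls."""
    return i ^ (i + 1)

def delta_is_periodic(s: int, j_max: int) -> bool:
    """Slide 8: Delta(i) == Delta(i + j*2^s) for 0 <= i <= 2^s - 2 and j >= 1."""
    return all(delta(i) == delta(i + j * 2 ** s)
               for i in range(2 ** s - 1) for j in range(1, j_max + 1))

def iterate_chain(h0: int, blocks: list, start: int) -> int:
    """Slide 6: run the F_{Delta(i)} chain on x_i = h_{i-1} XOR i and strip the
    final counter; only Delta values touch the chain in between."""
    x = h0 ^ start                       # x_start = h_{start-1} XOR start
    for k, m in enumerate(blocks):
        x = F(x, m) ^ delta(start + k)   # x_{i+1} = F_{Delta(i)}(x_i, m_i)
    return x ^ (start + len(blocks))     # x_{t+1} = h_t XOR (t + 1)

def chains_agree(h0: int, blocks: list, start: int) -> bool:
    """Both descriptions of stage 2 give the same chaining value."""
    h = h0
    for k, m in enumerate(blocks):
        h = g_spec(h, start + k, m)
    return h == iterate_chain(h0, blocks, start)

# Constructed sample input (not from the standard): IV 0 and six repeated-byte blocks.
SAMPLE_IV = 0
SAMPLE_BLOCKS = [int.from_bytes(bytes([b]) * 64, "big") for b in range(1, 7)]
```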
Equivalent description of stage 2 of the domain extension
(Here $F_i$ abbreviates $F_{\Delta(i)}$.)
◮ The last function differs in each $2^s$-chunk. $\Longrightarrow$ We call it $G_j = F_{\Delta(j \times 2^s - 1)}$.
◮ We define $l$ as the number of $(2^s - 1)$-chains of $F$ functions: $l = \lfloor t / 2^s \rfloor$. Moreover, let $p$ be the remainder of $t$ modulo $2^s$.
◮ That is: the function $F_{2^s - 2} \circ \cdots \circ F_1 \circ F_0$ is reused $l$ times.
[Figure: stage 2 as a chain starting from $IV$ with counter 0: $F_0, F_1, \ldots, F_{2^s - 2}, G_1$, then again $F_0, F_1, \ldots, F_{2^s - 2}, G_2$, and so on up to $G_l$, followed by the partial chain $F_0, F_1, \ldots, F_p$, ending at $h_t$ with counter value $t + 1$.]
Cryptographic consequences of the HAIFA instantiation
Streebog is one choice of counter usage from the HAIFA framework. Consequences of this choice:
◮ Counters at steps $i$ and $i + 1$ can be combined.
◮ Distinction of compression function calls in the HAIFA framework not achieved.
◮ Domain extension similar to a Merkle-Damgård scheme.
$\Longrightarrow$ Possibility to apply existing known second-preimage attacks.
Our second-preimage attacks on Streebog (security level: $2^{512}$):
◮ Using a diamond structure:
  ◮ Original message of at least $2^{179}$ blocks.
  ◮ $2^{342}$ compression function evaluations.
◮ Using an expandable message:
  ◮ Original message of at least $2^{259}$ blocks.
  ◮ $2^{266}$ compression function evaluations.
Diamond structure (1/2)
Diamond structure:
◮ Introduced in [KK06].
◮ Complete binary tree.
◮ Nodes: chaining values.
◮ Edges: 1-block $n$-bit messages.
◮ Depth $d$.
Construction:
◮ Levels constructed sequentially.
◮ Complexity: $2^{(n + d)/2}$ calls.
◮ Evaluation done in [KK13].
[Figure: a diamond with $2^{2^s - 1}$ leaves $h_1^0, h_1^1, \ldots$; message blocks $m_1^0, m_1^1, \ldots$ label the edges; the levels are joined by $F_0$, then $F_{2^s - 3} \circ \cdots \circ F_1$, then $F_{2^s - 2}$, down to the root $h_\diamond$.]
Diamond structure (2/2)
Diamond used in our attack:
◮ Root $h_\diamond$.
◮ Depth $d = 2^s - 1$.
◮ $F_i$'s used to join the levels.
◮ #leaves $= 2^{2^s - 1}$.
Remarks:
◮ Same function at each level in the original attack on Merkle-Damgård.
◮ Here, full control of the counter effect in the $(2^s - 1)$-chains with different functions $F_i$.
[Figure: the same diamond as before, labelled with $F_0$, $F_{2^s - 3} \circ \cdots \circ F_1$ and $F_{2^s - 2}$ between its levels and $h_\diamond$ at the root.]