Boomerang Distinguisher for the SIMD-512 Compression Function

Size: px

Start display at page:

Download "Boomerang Distinguisher for the SIMD-512 Compression Function"

Kory Cummings
5 years ago
Views:

1 Boomerang Dstngusher for the SIMD-512 Compresson Functon Floran Mendel and Tomslav Nad Insttute for Appled Informaton Processng and Communcatons (IAIK) Graz Unversty of Technology, Inffeldgasse 16a, A-8010 Graz, Austra. Abstract. In ths paper, we present a dstngusher for the permutaton of SIMD-512 wth complexty We extend the attack to a dstngusher for the compresson functon wth complexty The attack s based on the applcaton of the boomerang attack for hash functons. Startng from the mddle of the compresson functon we use technques from codng theory to search for two dfferental characterstcs, one for the backward drecton and one for the forward drecton to construct a second-order dfferental. Both characterstcs hold wth hgh probablty. The drect applcaton of the second-order dfferental leads to a dstngusher for the permutaton. Based on ths dfferental we extend the attack to dstngusher for the compresson functon. Keywords: SHA-3, SIMD, cryptanalyss, hgher-order dfferentals, hash functon, dstngusher 1 Introducton Recently, the NIST hash functon competton [21] has started. In ths publc competton to fnd an alternatve hash functon to replace the SHA-1 and SHA-2 hash functons, many new desgns have been proposed. In November 2008, round one has started and n total 51 out of 64 submssons have been accepted. In December 2009 the 14 round 2 canddates and n December 2010 the fnal fve were announced. Durng the competton dstngushng attacks on hash functons and ther buldng blocks are gettng more attenton. In such attacks an adversary utlzes specfc propertes of a hash functon to defne a dstngushng property such that one can dstngush the output of a hash functon from a random functon. Usually, the exstence of such propertes s not ntended by the desgners. However, as shown n [4] for wde-ppe desgns the mpact of dstngushers s lmted. In ths paper, we present a dstngusher for the compresson functon of SIMD-512. SIMD, desgned by Leurent et al. [13], was submtted to the NIST competton and was one of the second round canddates. It s an teratve hash functon based on the Merkle-Damgård desgn prncple [5,18]. It s a wde-ppe desgn [14] producng a hash value up to 512 bts, denoted by SIMD-n, where n s the output length. The desgn of the compresson functon s smlar to the D.J. Bernsten and S. Chatterjee (Eds.): INDOCRYPT 2011, LNCS 7107, pp , The orgnal publcaton s avalable at c Sprnger-Verlag Berln Hedelberg 2011

2 256 Floran Mendel and Tomslav Nad MD4 famly. For the remander of ths paper wherever we menton SIMD we refer to SIMD-512. We wll show how one can use the boomerang attack on a hash functon to construct a dstngusher wth hgh probablty. The frst result s a dstngushng attack for the full permutaton of SIMD-512 wth complexty Next we show how ths dstngusher can be extended to the full compresson functon of SIMD-512. wth complexty The strategy to construct such second order dfferentals s based on the recently proposed cryptanalyss of reduced SHA-2 [12] and Blake [3]. The structure of ths paper s as follows. In Secton 2, we recall the basc defntons needed for the attack and gve an overvew how hgher-order dfferentals can be used to attack hash functons. A short descrpton of SIMD s gven n Secton 3. Secton 4 presents the applcaton on the permutaton of SIMD-512. In Secton 5, we show how the attack can be extended to the compresson functon of SIMD-512. Fnally, we dscuss the results n Secton Related Work The amount of avalable cryptanalyss of SIMD s low compared to other canddates. Mendel and Nad presented the frst attack on the full SIMD-512 compresson functon [15]. They used technques from codng theory to fnd a dfferental characterstc that holds wth probablty Based on ths characterstc and the dfferental multcollson dstngusher ntroduced by Bryukov et al. [1] they constructed a dstngushng attack for the SIMD-512 compresson functon. Usng IV/message modfcaton the attack complexty was reduced to The dfferental path used some unwanted propertes n the permutaton of SIMD. Therefore, the desgners tweaked the hash functon by changng the permutatons and round constants of SIMD to prevent the attack. A round reduced verson of tweaked SIMD was attacked by Nkolć et al. [8]. They presented dstngushers for the compresson functon of SIMD-512 reduced to 24 round wth a lnearzed message expanson and SIMD-512 reduced to 12 rounds wth unmodfed message expanson. Both are based on rotatonal propertes of the compresson functon. The success probabltes for the dstngushers are and 2 236, respectvely. Later Yu and Wang [27] presented a free-start near-collson attack for SIMD- 256 reduced to 20 rounds and for SIMD-512 reduced to 24 rounds. The attack complextes are and 2 208, respectvely. Furthermore, they showed a dstngusher for the full compresson functon wth complexty Fnally, the desgners [4] publshed a free-start dstngusher for the compresson functon explotng the exstence of symmetrc states. Furthermore, they showed that dstngushers wthout dfferences n the message have only a mnmal mpact on the securty of the hash functon. Hgher-order dfferentals have been ntroduced by La n [11] and frst appled to block cphers by Knudsen n [10]. The applcaton to stream cphers was proposed by Dnur and Shamr n [6] and Velhaber n [23].

3 Boomerang Dstngusher for the SIMD-512 Compresson Functon 257 Recently, Lamberger and Mendel [12] showed how hgher-order dfferentals can be used to attack SHA-256 and presented a dstngusher for 46 The attack stands between the boomerang attack and the nsde-out attack whch were both ntroduced by Wagner n the cryptanalyss of block cphers [24]. A prevous applcaton of the boomerang attack to hash functons s due to Joux and Peyrn [9], who used the boomerang attack as a neutral bts tool to speed-up exstng collson attacks. Another smlar attack strategy for hash functons s the rebound attack ntroduced by Mendel et al. [17] and ts extensons [7,16]. Furthermore, Bryukov et al. [3] presented a boomerang attack on the SHA-3 fnalst Blake resultng n a dstngusher for 7 rounds of the Blake-32 compresson functon wth a complexty of Notaton. For the remander of ths paper we use the notaton presented n Table 1. Table 1. Notaton notaton descrpton X nverson of X X Y bt-wse XOR of X and Y X + Y modular addton of X and Y X n bt-rotaton of X by n postons to the left X n bt-rotaton of X by n postons to the rght X n bt-shft of X by n postons to the left X n bt-shft of X by n postons to the rght 2 Hgher-order Dfferentals and Hash Functon In order to fnd a dstngushng property we construct a second order dfferental collson for the compresson functon. In ths secton we recall the basc defntons and gve a hgh level descrpton of the attack strategy. Whle a standard dfferental attack explots the propagaton of the dfference between a par of nputs to the correspondng outputs, a hgher-order dfferental attack explots the propagaton of the dfference between dfferences. Hgherorder dfferental cryptanalyss was ntroduced by La n [11] and subsequently appled to block cphers by Knudsen n [10]. We recall the basc defntons that we wll need n the subsequent sectons. Defnton 1. Let (S, +) and (T, +) be Abelan groups. For a functon F : S T, the dervatve at a pont a S s defned as a F (x) = F (x + a) F (x). (1)

4 258 Floran Mendel and Tomslav Nad The -th dervatve of F at (a 1, a 2,..., a ) s then recursvely defned as () a 1,...,a F (x) = a ( ( 1) a 1,...,a 1 F (x)). (2) When applyng dfferental cryptanalyss to a hash functon, a collson for the hash functon corresponds to a par of nputs wth output dfference zero. Smlarly, when usng hgher-order dfferentals we defne a hgher-order dfferental collson for a functon F as follows. Defnton 2. An -th order dfferental collson for a functon F s an -tuple (a 1, a 2,..., a ) together wth a value x 0 such that () a 1,...,a F (x 0 ) = 0. (3) Note that the common defnton of a collson for hash functons corresponds to a hgher-order dfferental collson of order = 1. From (3) we see that we can freely choose + 1 of the nput parameters,.e. x 0 and a 1,..., a, whch then fx the remanng nput. Hence, the expected number of solutons to (3) s one after choosng 2 n/(+1) values for the nputs and the query complexty s: 2 n/(+1) (4) In the followng, we wll only consder the case = 2 for whch the query complexty of the attack s 2 n/3. In order to construct a second-order dfferental collson for the functon F, we use a strategy recently proposed n cryptanalyss of reduced SHA-2 n [12]. The dea of the attack s qute smple. Assume we are gven two dfferentals for F 0 and F 1 wth F = F 1 F 0, where one holds n the forward drecton and one n the backward drecton. To be more precse, we have and 0 (y + β) 0 (y) = α F 1 (y + γ) F 1 (y) = δ where the dfferental n 0 holds wth probablty p 0 and n F 1 holds wth probablty p 1. Usng these two dfferentals, we can now construct a second order dfferental collson for F. Ths can be summarzed as follows (see also Fgure 1). 1. Choose a random value for X and compute X = X + β, Y = X + γ, and Y = X + γ. 2. Compute backward from X, X, Y, Y usng F0 1 to obtan P, P, Q, Q. 3. Compute forward from X, X, Y, Y usng F 1 to obtan R, R, S, S. 4. Check f P P = Q Q and S R = S R s fulflled. Snce P P = Q Q = α, resp. S R = S R = δ, (5) wll hold wth probablty at least p 2 0 n the backward drecton, resp. p 2 1 n the forward drecton and assumng that the dfferentals are ndependent the attack succeeds wth a probablty of p 2 0 p 2 1. Hence, the expected number of solutons to (5) s 1, f we repeat the attack about 1/(p 2 0 p 2 1) tmes.

5 Boomerang Dstngusher for the SIMD-512 Compresson Functon 259 Q α Q P α P X γ Y β 0 β X γ Y F 1 F 1 F 1 F 1 δ S δ S R R Fg. 1. Schematc vew of the attack. 3 Descrpton of SIMD SIMD s an teratve hash functon that follows the Merkle-Damgård desgn. The man component of a Merkle-Damgård hash functon s the compresson functon. In the case of SIMD-512 to compute the hash of a message M, t s frst dvded nto k chunks of 1024 bts. By the use of a message expanson one block s expanded to 8192 bts. Then the compresson functon s used to compress the message chunks and the nternal state. The paddng rule to fll the last blocks s known as the Merkle-Damgård strengthenng. The ntal value of the nternal state s called IV and s fxed n the specfcaton of the hash functon. The output of the hash functon s gven by computng a fnalzaton functon on the last nternal state, whch s a truncaton for SIMD. The nternal state of SIMD contans bt words and s therefore twce as large as the output. SIMD consst of 4 rounds where each round consst of 8 steps. The feed-forward conssts of four addtonal steps wth the channg value as message nput. Snce we nject dfferences only n the state varables and not n the message, our attack s ndependent from the message expanson and works for any gven message. Therefore, we omt the descrpton of the message expanson. For a detaled descrpton of the hash functon we refer to [13]. 3.1 SIMD Step Functon The core part of SIMD s the step functon of the state update. Fgure 2 llustrates the step functon at step t. The state update conssts of eght step functons n parallel. To make the step functon dependent from each other,

6 260 Floran Mendel and Tomslav Nad (A t 1 p t () rt ) s ncluded n a modular addton, where p t () s a permutaton, whch s dfferent for each step. A t 1 B t 1 C t 1 D t 1 Φ t r t w t s t A t 1 p t () rt A t B t C t D t Fg. 2. Update functon of SIMD at step t. = 0,, 7. Equaton (6) s the formal defnton of the step functon, where + denotes the addton modulo A t = (D t 1 B t = A t 1 r t C t = B t 1 D t = C t 1 + w t + Φ(A t 1.B t 1, C t 1 )) s t + (A t 1 p t () rt ) (6) The permutaton p for SIMD-512 s gven by: p 0 (x) = x 1 p 1 (x) = x 6 p 2 (x) = x 2 p 3 (x) = x 3 p 4 (x) = x 5 p 5 (x) = x 7 p 6 (x) = x 4 The permutaton used at step t s p t mod 7. As mentoned before, the 32 steps of SIMD are dvded nto 4 rounds, each consstng of 8 steps. The boolean functon Φ and the rotaton constants (s and r) for a round are gven n Table 2. The

7 Boomerang Dstngusher for the SIMD-512 Compresson Functon 261 Table 2. Φ and rotaton constants for a round. step Φ r s 0 IF π 0 π 1 1 IF π 1 π 2 2 IF π 2 π 3 3 IF π 3 π 0 4 MAJ π 0 π 1 5 MAJ π 1 π 2 6 MAJ π 2 π 3 7 MAJ π 3 π 0 Boolean functons IF and MAJ are defned as follows: f IF (x, y, z) = (x y) ( x z) f IF (x, y, z) = (x y) (x z) (y z). In Table 3 the rotaton constants for each round are gven. The feed-forward Table 3. Rotaton constants for each round. round π 0 π 1 π 2 π consst of four steps usng the same step functon. Table 4 lsts the used Boolean functon and the rotaton constants for the feed-forward. In the feed-forward the Table 4. Φ and rotaton constants for the feed-forward of SIMD step Φ r s 0 IF IF IF IF 25 4 channg value s used as message nput. In the frst step A 0, n the second step B 0, n the thrd C0 and n the fourth D 0 for = 0,..., 7 are used.

8 262 Floran Mendel and Tomslav Nad 4 Applcaton on SIMD-512 In ths secton we wll show how to construct a second order dfferental collson whch suts as a dstngushng property for the full permutaton (compresson functon wthout feed-forward) of SIMD-512. For the permutaton of SIMD-512 the attack strategy can be drectly appled usng a good dfferental characterstc for the forward and backward drecton. We show how we construct such dfferental characterstc and compute the complextes. In contrast to the attack on SHA-256 [12], where the second-order collson for the nternal block cpher mmedately transfers to the compresson functon, we need to overcome the feed-forward whch performs 4 addtonal steps wth the channg value as message nput. In Secton 5 we show how the attack can be extended to the compresson functon usng a weaker attack scenaro. 4.1 Searchng for Characterstcs A common approach to construct dfferental characterstcs, whch have a hgh probablty, s to use a lnearzed approxmaton of the attacked hash functon. As observed by Rjmen and Oswald [22], all dfferental characterstcs for a lnearzed hash functon can be seen as the codewords of a lnear code. To fnd good dfferental characterstcs we used the same technque as Mendel and Nad n the cryptanalyss of the frst verson of SIMD [15]. The procedure can be descrbed n the followng way: Lnearze the step functon of SIMD,.e. replace all nonlnear operatons wth lnear ones. Construct a generator matrx. Use a probablstc algorthm from codng theory to search for codewords wth low Hammng weght. The nonlnear parts of the step functon are the modular addtons and the Boolean functon IF and MAJ. In the attack, we replace all modular addtons by XORs. Snce we am for a characterstc wth low Hammng weght, we replace the Boolean functons wth the 0-functon,.e. we block each nput dfference n Φ such that the output dfference s always zero. Ths has probablty 1/2 n most cases. Note that there s exactly one nput dfference for IF and one for MAJ where the output dfference s always one. Such characterstcs are dscarded. For the search we used the CodngTool Lbrary [20], whch s an open-source mplementaton of the needed codng theoretc algorthms and data structures. We searched for good dfferental characterstcs for the backward and forward drecton wth no dfferences n the message. Moreover, we also searched for a good startng step. One would expect that startng from the exact mddle (round 16) would result n the best probablty, but t turns out that movng the startng step two steps further, results n a better overall probablty.

9 Boomerang Dstngusher for the SIMD-512 Compresson Functon 263 Dfferental Characterstcs. The complete dfferental characterstcs are gven n Appendx A. To descrbe the dfferental characterstcs we used sgnedbt dfferences ntroduced by Wang et al. [26] n the cryptanalyss of MD5. The advantage of usng sgned-bt dfferences s that there exsts a unque mappng to both XOR and modular dfferences. The characterstc for the backward drecton conssts of the frst 18 steps of the permutaton and has Hammng weght 72. The characterstc for the forward drecton conssts of the last 14 steps of the permutaton and has Hammng weght 52. To estmate the success probablty of each characterstc we used the same heurstc as n [15]. The probablty for blockng a dfference n one bt at the nput of IF or MAJ s 1/2 or 0 for some cases, but then the characterstc s dscarded. Hence, the total probablty s determned by the sum of all dfferences at the nput. Dfferences at the same bt postons are counted only once. For the modular addtons carres are not prevented for each bt dfference. By allowng carres n the frst addton, one can compensate them at the second addton. However, the rotaton after the frst modular addton needs to be consdered. Therefore, the probablty n ths part s slghtly decreased, but results n a overall ncrease. Table 5 summarzes the overall probablty of each characterstc. Table 5. Summary of the success probabltes. characterstc Hammng weght probablty backward forward Independency of the Characterstcs The assumpton on ndependent characterstcs s qute strong (cf. [19]). Nevertheless, one can check ths property easly for few steps n both drectons, whch was done for the presented characterstcs. Furthermore, the used characterstcs have a low Hammng weght, whch makes t very unlkely that they nterfere wth each other. 4.3 Complexty of the Attack As descrbed n Secton 2 the generc complexty for the attack s 2 n/3. For the SIMD compresson functon n s 1024 bts. Hence, the generc complexty s The total complexty of the attack based on the presented characterstc s ( ) whch can be mproved by gnorng condtons at the end. As was already observed by Wang et al. [25] n the cryptanalyss

10 264 Floran Mendel and Tomslav Nad of SHA-1 condtons resultng from the modular addton n the last steps of the dfferental characterstc can be gnored, due to the fact that carres can be gnored snce the modular dfference at the output stays the same. Ths reduces the complexty by a factor n the backward drecton and 2 2 n the forward drecton whch mproves the overall complexty by a factor of resultng n Remark: Note that we also have the freedom to choose the actual values for the state (at the begnnng of each characterstc) and for the message. Message/channg nput modfcaton can be used to mprove the attack complextes further. 5 Extendng the Attack to the Compresson Functon In contrast to SHA-2 t s not easy to extend the second-order dfferental collson to the compresson functon snce the feed-forward of SIMD s non-lnear. However, the frst step of the feed-forward s almost lnear and therefore we can show non-random propertes n the output of the state varables D for = 0,..., 7. In the feed-forward 4 addtonal steps wth the ntal value as message nput are performed. Ths destroys the dstngushng property at the output of the permutaton. However, the values of D 36 for = 0,..., 7 (output of the feedforward) are determned already n the frst step of the feed-forward and not modfed n the other three steps. By consderng only D 36 for = 0,..., 7 and accordngly only A 0 for = 0,..., 7 of the ntal value the attack complexty s only slghtly ncreased. Consequently, the dmenson of the nput and output space for the dstngusher s reduced to 256 bts (8 32). However, by fxng the dfferences n the rectangle n the mddle of the second-order dfferental characterstc one can construct a dstngusher for the compresson functon. 5.1 Dstngusher for the Compresson Functon For the feed-forward of SIMD we extend the scheme shown n Fgure 1 to the one shown n Fgure 3. The functon F 2 takes two nputs, namely the state of the last step and the channg value. As mentoned before we consder only A 0 n the ntal value and D 36 at the output whch s denoted by the quartets {P A, PA, Q A, Q A } and { R D, R D, S D, S D }, respectvely. So far we have consdered the nputs X, β and γ to be unrelated. Due to the way we buld the second-order collsons, we can see that they are the nputs to a rectangle, hence they are related n the mddle of the rectangle (gray layer n Fgure 3). Therefore, we can extend the attacks by fxng β and γ, snce the complexty of the generc case for ths type of attacks s 2 n (or 2 t ) [3]. Snce we show non-randomness only n part of the output, namely D for = 0,..., 7, the generc complexty of the attack becomes 2 t = = Hence, by usng the second-order dfferental characterstc from Secton 4.1 one can construct a

11 Boomerang Dstngusher for the SIMD-512 Compresson Functon 265 dstngusher for the compresson functon of SIMD. Note that the dstngusher becomes even more powerful f the attacker can fnd several of the above quartets wth the same dfference. To summarze, the algorthm works as follows: 1. Use the dfferental from Secton Choose a random value for X and compute X = X + β, Y = X + γ, and Y = X + γ. 3. Compute backward from X, X, Y, Y usng F0 1 to obtan P A, PA, Q A, Q A. 4. Compute forward from X, X, Y, Y usng F 1 and F 2 to obtan R D, R D, S D, S D. 5. Check f PA P A = Q A Q A and S D R D = S D R D and therefore PA P A Q A + Q A + S D R D S D + R D = 0 s fulflled. Q A α A Q A P A α A P A X γ Y β 0 β X γ Y F 1 F 1 R F 1 δ S R F 1 δ S F 2 F 2 F 2 F 2 δ D S D δd S D R D R D Fg. 3. Extendng the attack to the compresson functon. 5.2 Complexty of the Attack As mentoned before the attack complexty s ncreased slghtly by the feedforward. In fact usng the backward and forward characterstcs from Table 6

12 266 Floran Mendel and Tomslav Nad and Table 7 the addtonal costs are neglgble. In backward drecton we have at the end only a dfference n A 1 6 whch needs to be consdered. Ths dfference s rotated to the left by s bts. In the forward drecton we have dfferences n B0 31 and A Both are nput to the Boolean IF functon. Blockng each dfference at the nput of the IF functon costs 2 2 for both dfferences. Addtonally, A 31 3 s used to compute A 32 6 n the followng way: A 32 6 = ( D A 1 6 +IF ( A31 6, B6 31, C6 31 )) s 32 +( A 31 3 r 32 ) (7) In Equaton (7) only A 1 6 and A 31 3 have dfferences. Only the rotaton to the left by s 32 bts adds a complexty about 2 1 [15]. Fnally, we can gnore the costs of the last three steps n the backward ( ) and forward ( ) drecton snce we only consder the state varables A and D for = 0,..., 7 respectvely. The dfferences n these varables do not change n the last three steps. Therefore, the total complexty s ( ) Hence, one can dstngush the compresson functon of SIMD from a random functon wth a complexty of about Note that the generc complexty for ths attack s Conclusons and Dscusson In ths paper, we present a dstngusher for the full permutaton of SIMD-512 by an applcaton of the boomerang attack on hash functons. Startng from the mddle of the compresson functon we used technques from codng theory to search for two dfferental characterstcs, one for the backward drecton and one for the forward drecton, whch hold wth hgh probablty. Then we construct a second-order dfferental and defne a dstngushng property such that we can dstngush the permutaton from a random permutaton wth a complexty of Furthermore, we extend the attack to the full compresson functon of SIMD By fxng the dfferences n the rectangle we can dstngush the output of the compresson functon from a random functon wth a complexty of compresson functon evaluatons. Ths s a sgnfcant mprovement to the current best known dstngusher wth complexty [27]. However, our attack does not nvaldate the securty clams of the desgners snce t seems dffcult to extend such an attack to the hash functon and most of the securty comes from the message expanson. In [4] the desgners presented a more detaled analyss of SIMD regardng dfferental paths wthout dfferences n the message and are clamng that such characterstcs does not affect the securty of the SIMD hash functon. Nevertheless, the results presented n ths paper show how boomerang lke attacks can be effectvely used on compresson functons. Furthermore, the results contrbute to a better understandng of the securty margn of SIMD.

13 Boomerang Dstngusher for the SIMD-512 Compresson Functon 267 Acknowledgments The work n ths paper has been supported by the European Commsson under contract ICT (ECRYPT II) and by the Austran Scence Fund (FWF, project P21936). References 1. Alex Bryukov, Dmtry Khovratovch, and Ivca Nkolć. Dstngusher and Related- Key Attack on the Full AES-256. In Sha Halev, edtor, CRYPTO, volume 5677 of LNCS, pages Sprnger, Alex Bryukov, Maro Lamberger, Floran Mendel, and Ivca Nkolc. Second-Order Dfferental Collsons for Reduced SHA-256. In ASIACRYPT, Io appear. 3. Alex Bryukov, Ivca Nkolc, and Arnab Roy. Boomerang Attacks on BLAKE-32. In Antone Joux, edtor, FSE, volume 6733 of LNCS, pages Sprnger, Charles Boullaguet, Perre-Alan Fouque, and Gatan Leurent. Securty Analyss of SIMD. Cryptology eprnt Archve, Report 2010/323, Ivan Damgård. A Desgn Prncple for Hash Functons. In Glles Brassard, edtor, CRYPTO, volume 435 of LNCS, pages Sprnger, Ita Dnur and Ad Shamr. Cube Attacks on Tweakable Black Box Polynomals. In Antone Joux, edtor, EUROCRYPT, volume 5479 of LNCS, pages Sprnger, Henr Glbert and Thomas Peyrn. Super-Sbox Cryptanalyss: Improved Attacks for AES-Lke Permutatons. In Seokhe Hong and Tetsu Iwata, edtors, FSE, volume 6147 of LNCS, pages Sprnger, Przemyslaw Sokolowsk Ivca Nkolć, Josef Peprzyk and Ron Stenfeld. Rotatonal Cryptanalyss of (Modfed) Versons of BMW and SIMD. Avalable onlne, Antone Joux and Thomas Peyrn. Hash Functons and the (Amplfed) Boomerang Attack. In Alfred Menezes, edtor, CRYPTO, volume 4622 of LNCS, pages Sprnger, Lars R. Knudsen. Truncated and Hgher Order Dfferentals. In Bart Preneel, edtor, FSE, volume 1008 of LNCS, pages Sprnger, Xueja La. Hgher order dervatves and dfferental cryptanalyss. In Rchard Blahut, Danel Costello Jr., Uel Maurer, and Thomas Mttelholzer, edtors, Communcatons and Cryptography, pages Kluwer, Maro Lamberger and Floran Mendel. Hgher-Order Dfferental Attack on Reduced SHA-256. Cryptology eprnt Archve, Report 2011/037, Gaëtan Leurent, Charles Boullaguet, and Perre-Alan Fouque. SIMD Is a Message Dgest. Submsson to NIST (Round 2), September Avalable onlne: http: //csrc.nst.gov/groups/st/hash/sha-3/round2/submssons_rnd2.html. 14. Stefan Lucks. A Falure-Frendly Desgn Prncple for Hash Functons. In Bmal K. Roy, edtor, ASIACRYPT, volume 3788 of LNCS, pages Sprnger, Floran Mendel and Tomslav Nad. A Dstngusher for the Compresson Functon of SIMD-512. In Bmal K. Roy and Ncolas Sendrer, edtors, INDOCRYPT, volume 5922 of LNCS, pages Sprnger, Floran Mendel, Thomas Peyrn, Chrstan Rechberger, and Martn Schläffer. Improved Cryptanalyss of the Reduced Grøstl Compresson Functon, ECHO Permutaton and AES Block Cpher. In Mchael J. Jacobson Jr., Vncent Rjmen, and Rehaneh Safav-Nan, edtors, Selected Areas n Cryptography, volume 5867 of LNCS, pages Sprnger, 2009.

14 268 Floran Mendel and Tomslav Nad 17. Floran Mendel, Chrstan Rechberger, Martn Schläffer, and Søren S. Thomsen. The Rebound Attack: Cryptanalyss of Reduced Whrlpool and Grøstl. In Orr Dunkelman, edtor, FSE, volume 5665 of LNCS, pages Sprnger, Ralph C. Merkle. One Way Hash Functons and DES. In Glles Brassard, edtor, CRYPTO, volume 435 of LNCS, pages Sprnger, Sean Murphy. The return of the cryptographc boomerang. IEEE Transactons on Informaton Theory, 57(4): , Tomslav Nad. The CodngTool Lbrary. Workshop on Tools for Cryptanalyss 2010, codngtool/. 21. Natonal Insttute of Standards and Technology. Cryptographc Hash Algorthm Competton, November Avalable onlne: ST/hash/sha-3/ndex.html. 22. Vncent Rjmen and Elsabeth Oswald. Update on SHA-1. In Alfred Menezes, edtor, CT-RSA, volume 3376 of LNCS, pages Sprnger, Mchael Velhaber. Breakng ONE.FIVIUM by AIDA an Algebrac IV Dfferental Attack. Cryptology eprnt Archve, Report 2007/413, Davd Wagner. The Boomerang Attack. In Lars R. Knudsen, edtor, FSE, volume 1636 of LNCS, pages Sprnger, Xaoyun Wang, Yqun Lsa Yn, and Hongbo Yu. Fndng Collsons n the Full SHA-1. In Vctor Shoup, edtor, CRYPTO, volume 3621 of LNCS, pages Sprnger, Xaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functons. In Ronald Cramer, edtor, EUROCRYPT, volume 3494 of LNCS, pages Sprnger, Hongbo Yu and Xaoyun Wang. Cryptanalyss of the Compresson Functon of SIMD. In Udaya Parampall and Phlp Hawkes, edtors, ACISP, volume 6812 of LNCS, pages Sprnger, A Dfferental Characterstcs for the Forward and Backward Drecton

15 Boomerang Dstngusher for the SIMD-512 Compresson Functon 269 Table 6. Backward characterstc. The state at step 1 s the channg value. step state probablty 1 D0 : 28, D3 : 7, B5 : 12, C5 : +4, A6 : +3, C6 : +25, C7 : +5, D7 : 15 0 A0 : 19, A3 : 30, C5 : 12, D5 : +4, B6 : +6, D6 : +25, D7 : B0 : 10, B3 : 21, D5 : 12, C6 : +6, A7 : C0 : 10, C3 : 21, D6 : +6, B7 : D0 : 10, D3 : 21, A6 : +9, C7 : A0 : 1, B6 : +12, D7 : B0 : 24, C6 : C0 : 24, D6 : D0 : 24, A6 : B6 : C6 : D6 : A6 : A1 : +3, B6 : B1 : +22, A5 : +22, C6 : C1 : +22, A4 : +12, B5 : +12, D6 : D1 : +22, A2 : +19, B4 : +19, C5 : +12, A6 : A0 : +16, A1 : +31, B2 : +16, A4 : +28, C4 : +19, D5 : +12, B6 : B0 : +25, B1 : +8, A2 : +8, C2 : +16, A3 : +25, B4 : +5, D4 : +19, A5 : +27, C6 : +28, A7 :

16 270 Floran Mendel and Tomslav Nad Table 7. Forward characterstc. step state probablty 17 B0 : +24, D0 : +32, C2 : 29, D3 : +1, C4 : 7, A6 : 23, B6 : +14, B7 : +3, C7 : A0 : +5, C0 : +24, D2 : 29, D4 : 7, B6 : 6, C6 : +14, C7 : +3, D7 : B0 : +10, D0 : +24, A2 : 26, A4 : 4, C6 : 6, D6 : +14, D7 : C0 : +10, B2 : 23, B4 : 1, D6 : 6, A7 : D0 : +10, C2 : 23, C4 : 1, B7 : A0 : +15, D2 : 23, D4 : 1, C7 : B0 : +20, A4 : 30, D7 : C0 : +20, B4 : D0 : +20, C4 : A0 : +13, D4 : B0 : C0 : D0 : A0 : B0 : +24, A3 :

Message modification, neutral bits and boomerangs

Message modification, neutral bits and boomerangs Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental