NORWAY

Transcription

1 A Document descriing all modifications made on the Blue Midnight Wish cryptographic hash function efore entering the Second Round of SHA-3 hash competition Danilo Gligoroski 1 and Vlastimil Klima 2 1 Department of Telematics, Norwegian University of Science and Technology, O.S.Bragstads plass 2B, N-7491 Trondheim, NORWAY danilo.gligoroski@item.ntnu.no 2 Independent cryptologist - consultant, Czech Repulic v.klima@volny.cz Astract. In this document we elaorate changes to the original Blue Midnight Wish, as it will enter the Second Round of SHA-3 competition. Generally, we can say that there are two technical changes (or typo corrections) and two minor tweaks in the design. The first technical change is in correcting a typo in the initial doule pipe value for the 224 and 384 versions, and the second technical change is in correcting a typo in the order of the use of two logical functions s 4 and s 5. The tweaks in the design consist of tweaks in functions f 0 and f 1 and an additional (final) use of the compression function. For us as designers of Blue Midnight Wish it is very important that the tweaks do not introduce any new uilding locks which would need new analysis. The chosen tweaks are quite simple. They use the same uilding locks which were used in the original Blue Midnight Wish hash function. Only the inputs of the uilding locks are changed in a fully transparent manner. The goals of the proposed tweaks are also simple and transparent. For instance the first tweak adds the old doule pipe to the result of the function f 0 and to the key of the function f 1. This strongly decouples the original input M H into two independently acting variales M and H. The second tweak is an additional (final) invocation of the compression function. It also uses the old uilding lock and it is a pivotal security countermeasure against many types of preimage, near, pseudo and other types of attacks. At first glance it may seem that y this additional final invocation of the compression function we have over-designed Blue Midnight Wish. However having in mind the excellent speed performance of oth non-tweaked and tweaked function we can say that this additional final invocation of the compression function rings additional rise in our confidence of the strength and quality of Blue Midnight Wish with only a minor efficiency penalty. In fact, the introduced tweaks do not affect the speed of the hash computation on messages longer than 1000 ytes, ut it ecomes visile on hashing extremely short or short messages, as would e expected. On the other hand, for the optimized versions of the tweaked Blue Midnight Wish we have documented higher operating speed than the speed reported in the documentation for the non-tweaked function. 1 Methodology We will elaorate all changes y the following methodology: 1. We will give the non-tweaked (or non-changed) part in the old sumission, 2. We will give the new tweaked (or changed) part, 3. We will give a rationale for the tweak (technical change). 2 Technical change Nr. 1 The original sumission of Blue Midnight Wish for the 224-it digest size had the initial doule pipe given in Tale 1. Note the value 13 = 0x ! The value should e H(0) 13 = 0x , so the corrected H(0) for BMW224 now is given in Tale 2.

2 0 = 0x = 0x = 0x08090A0B 3 = 0x0C0D0E0F 4 = 0x = 0x = 0x18191A1B 7 = 0x1C1D1E1F 8 = 0x = 0x = 0x28292A2B H(0) 11 = 0x2C2D2E2F 12 = 0x H(0) 13 = 0x = 0x38393A3B H(0) 15 = 0x3C3D3E3F Tale 1. Initial doule pipe for old BMW224 0 = 0x = 0x = 0x08090A0B 3 = 0x0C0D0E0F 4 = 0x = 0x = 0x18191A1B 7 = 0x1C1D1E1F 8 = 0x = 0x = 0x28292A2B H(0) 11 = 0x2C2D2E2F 12 = 0x H(0) 13 = 0x = 0x38393A3B H(0) 15 = 0x3C3D3E3F Tale 2. Initial doule pipe for tweaked BMW224 0 = 0x = 0x08090A0B0C0D0E0F 2 = 0x = 0x18191A1B1C1D1E1F 4 = 0x = 0x28292A2B2C2D2E2F 6 = 0x = 0x38393A3B3C3D3E3F 8 = 0x = 0x48494A4B4C4D4E4F 10 = 0x H(0) 11 = 0x58595A5B5C5D5E5F 12 = 0x H(0) 13 = 0x68696A6B6C6D6E6F 14 = 0x H(0) 15 = 0x78797A7B7C7D7E7F Tale 3. Initial doule pipe for old BMW384 The original sumission of Blue Midnight Wish for the 384-it digest size had the initial doule pipe given in Tale 3. Note the value 6 = 0x ! The value should e 6 = 0x , so the corrected for BMW384 now is given in Tale 4. 0 = 0x = 0x08090A0B0C0D0E0F 2 = 0x = 0x18191A1B1C1D1E1F 4 = 0x = 0x28292A2B2C2D2E2F 6 = 0x = 0x38393A3B3C3D3E3F 8 = 0x = 0x48494A4B4C4D4E4F 10 = 0x H(0) 11 = 0x58595A5B5C5D5E5F 12 = 0x H(0) 13 = 0x68696A6B6C6D6E6F 14 = 0x H(0) 15 = 0x78797A7B7C7D7E7F Tale 4. Initial doule pipe for tweaked BMW384 2

3 3 Tweak Nr. 1 The tweak Nr. 1 was performed to make infeasile finding free-start near collisions and finding pseudopreimages and pseudo-collisions as hard as finding real preimages and real collisions. To achieve that we tweaked oth f 0 and f 1 functions. 3.1 Tweak in f 0 The old f 0 had the following form: f 0 : {0, 1} 2m {0, 1} m Input: Message lock M = (M 0, M 1,..., M 15 ), and the previous doule pipe H(i 1) = (H (i 1) 15 ). Output: First part of the quadruple pipe Q a = (Q 0, Q 1,..., Q 15 ). 1. Biective transform of M H (i 1) : 0 = (M + (M 1 = (M 8 ) + (M 11 H(i 1) 1 (M 2 = (M 0 ) + (M 9 ) (M 12 H(i 1) 1 3 = (M 4 = (M 9 ) (M 11 H(i 1) 11 ) (M 5 = (M 10 H(i 1) 1 12 H(i 1) 1 6 = (M 11 H(i 1) 1 7 = (M 1 ) (M 12 H(i 1) 12 ) (M 8 = (M 2 ) (M 6 ) + (M (M 9 = (M 3 ) + (M = (M 1 ) (M = (M 2 ) (M 5 ) + (M 9 ) = (M 9 ) + (M 10 H(i 1) 10 ) = (M 4 ) + (M 11 H(i 1) 11 ) = (M 5 ) + (M 11 H(i 1) 11 ) (M 12 H(i 1) 12 ) = (M 12 H(i 1) 12 ) (M 9 ) + (M 2. Further iective transform of, = 0,..., 15: Q Q Q Q 12 0 = s 0( 0 4 = s 4( 4 8 = s 3( 8 = s2(w 12 ); Q ); Q ); Q ); Q 13 1 = s 1( 1 5 = s 0( 5 9 = s 4( 9 = s3(w 13 ); Q ); Q ); Q 10 ); Q 14 2 = s 2( 2 6 = s 1( 6 = s0(w 10 = s4(w 14 ); Q ); Q ); Q 11 ); Q 15 3 = s 3( 3 ); 7 = s 2( 7 ); = s1(w 11 ); 15 ); = s0(w Tale 5. Definition of the function f 0 in the old Blue Midnight Wish 3

4 The tweak in f 0 is done in the Step 2: f 0 : {0, 1} 2m {0, 1} m Input: Message lock M = (M 0, M 1,..., M 15 ), and the previous doule pipe H(i 1) = (H (i 1) 15 ). Output: First part of the quadruple pipe Q a = (Q 0, Q 1,..., Q 15 ). 1. Biective transform of M H (i 1) : 0 = (M + (M 1 = (M 8 ) + (M 11 H(i 1) 1 (M 2 = (M 0 ) + (M 9 ) (M 12 H(i 1) 1 3 = (M 4 = (M 9 ) (M 11 H(i 1) 11 ) (M 5 = (M 10 H(i 1) 1 12 H(i 1) 1 6 = (M 11 H(i 1) 1 7 = (M 1 ) (M 12 H(i 1) 12 ) (M 8 = (M 2 ) (M 6 ) + (M (M 9 = (M 3 ) + (M = (M 1 ) (M = (M 2 ) (M 5 ) + (M 9 ) = (M 9 ) + (M 10 H(i 1) 10 ) = (M 4 ) + (M 11 H(i 1) 11 ) = (M 5 ) + (M 11 H(i 1) 11 ) (M 12 H(i 1) 12 ) = (M 12 H(i 1) 12 ) (M 9 ) + (M 2. Further iective transform of, = 0,..., 15: Q 0 = s 0( 0 ) + H(i 1) 1 ; Q 1 = s 1( 1 ) + H(i 1) 2 ; Q 2 = s 2( 2 ) + H(i 1) 3 ; Q 3 = s 3( 3 ) + H(i 1) 4 ; Q 4 = s 4( 4 ) + H(i 1) 5 ; Q 5 = s 0( 5 ) + H(i 1) 6 ; Q 6 = s 1( 6 ) + H(i 1) 7 ; Q 7 = s 2( 7 ) + H(i 1) 8 ; Q 8 = s 3( 8 ) + H(i 1) 9 ; Q 9 = s 4( 9 ) + H(i 1) 10 ; Q 10 Q 12 = s2(w 12 ) + H(i 1) 13 ; Q 13 = s3(w 13 ) + H(i 1) 14 ; Q 14 = s0(w 10 ) + H(i 1) 11 ; Q 11 = s4(w 14 ) + H(i 1) 15 ; Q 15 Tale 6. Definition of the function f 0 of the tweaked Blue Midnight Wish = s1(w 11 ) + H(i 1) 12 ; = s0(w 15 ) + H(i 1) 0 ; If we denote the Step 1 of f 0 as a transformation A 1 : {0, 1} (16 2)w {0, 1} 16w and the Step 2 as a transformation A 2 : {0, 1} (16 2)w {0, 1} 16w, (where w is 32 or 64) then we can descrie the function f 0 as f 0 (M i, H i 1 ) A 2 (A 1 (M i H i 1 )) + ROT L 1 (H i 1 ), where we denote y ROT L 1 (H i 1 ) = (H (i 1) 1, H (i 1) 2,..., H (i 1) 15, H (i 1) 0 ) the rotation y one position to the left of the vector (H (i 1) 15 ). The reason why we put this additional term ROT L 1 (H i 1 ) (see that it is not present in the Round 1 version of Blue Midnight Wish) is that we installed two actions of a decoupling the M i and H i 1 in order to prevent pseudo-attacks that can use the fact that M i H i 1 = 0 iff M i = H i 1. This is the first such decoupling, and the second one is installed in the expansion function f 1. 4

5 3.2 Tweak in f 1 The old function f 1 had the following description: Input: Message lock M = (M 0, M Q a = (Q 0, Q 1,..., Q 15 ). Output: Second part of the quadruple pipe Q f 1 : {0, 1} (16 2)w {0, 1} 16w 1,..., M 15 ), and the first part of quadruple pipe = (Q 16, Q 17,..., Q 31 ). 1. Doule pipe expansion according to the tunale parameters ExpandRounds 1 and ExpandRounds For ii = 0 to ExpandRounds 1 1 Q ii+16 = expand1(ii + 16) 1.2 For ii = ExpandRounds 1 to ExpandRounds 1 + ExpandRounds 2 1 = expand2(ii + 16) Q ii+16 Tale 7. Definition of the old function f 1 The tweaked function f 1 has the following description: f 1 : {0, 1} (16 3)w {0, 1} 16w Input: Message lock M = (M 0, M 1,..., M 15 ), the previous doule pipe H (i 1) = (H (i 1) 15 ) and the first part of the quadruple pipe Q a Output: Second part of the quadruple pipe Q = (Q 16, Q 17,..., Q 31 ). = (Q 0, Q 1,..., Q 15 ). 1. Doule pipe expansion according to the tunale parameters ExpandRounds 1 and ExpandRounds For ii = 0 to ExpandRounds 1 1 Q ii+16 = expand1(ii + 16) 1.2 For ii = ExpandRounds 1 to ExpandRounds 1 + ExpandRounds 2 1 = expand2(ii + 16) Q ii+16 Tale 8. Definition of the tweaked function f 1 of Blue Midnight Wish So in the tweaked f 1 we are also using the values of the previous doule pipe H (i 1) which was not used in the old version od Blue Midnight Wish. We will descrie how concretely we are using the values H (i 1) in the tweaked version y the following comparison. 5

6 The description of logical functions used in old Blue Midnight Wish was the following: BMW224/BMW256 BMW384/BMW512 s 0 (x) = SHR 1 (x) SHL 3 (x) ROT L 4 (x) ROT L 19 (x) s 0 (x) = SHR 1 (x) SHL 3 (x) ROT L 4 (x) ROT L 37 (x) s 1 (x) = SHR 1 (x) SHL 2 (x) ROT L 8 (x) ROT L 23 (x) s 1 (x) = SHR 1 (x) SHL 2 (x) ROT L 13 (x) ROT L 43 (x) s 2 (x) = SHR 2 (x) SHL 1 (x) ROT L 12 (x) ROT L 25 (x) s 2 (x) = SHR 2 (x) SHL 1 (x) ROT L 19 (x) ROT L 53 (x) s 3 (x) = SHR 2 (x) SHL 2 (x) ROT L 15 (x) ROT L 29 (x) s 3 (x) = SHR 2 (x) SHL 2 (x) ROT L 28 (x) ROT L 59 (x) s 4 (x) = SHR 1 (x) x s 4 (x) = SHR 1 (x) x s 5 (x) = SHR 2 (x) x s 5 (x) = SHR 2 (x) x r 1 (x) = ROT L 3 (x) r 1 (x) = ROT L 5 (x) r 2 (x) = ROT L 7 (x) r 2 (x) = ROT L 11 (x) r 3 (x) = ROT L 13 (x) r 3 (x) = ROT L 27 (x) r 4 (x) = ROT L 16 (x) r 4 (x) = ROT L 32 (x) r 5 (x) = ROT L 19 (x) r 5 (x) = ROT L 37 (x) r 6 (x) = ROT L 23 (x) r 6 (x) = ROT L 43 (x) r 7 (x) = ROT L 27 (x) r 7 (x) = ROT L 53 (x) AddElement() = M + M +3 M K +16 AddElement() = M + M +3 M K +16 expand 1 () = s 1 (Q 16 ) + s 1 (Q 12 ) + s 1 (Q 8 ) + s 1 (Q 4 ) + AddElement( 16) + s 2(Q 15 ) + s 3(Q 14 ) + s 0(Q + s 2(Q 11 ) + s 3(Q 10 ) + s 0(Q + s 2(Q 7 ) + s 3(Q 6 ) + s 0(Q + s 2(Q 3 ) + s 3(Q 2 ) + s 0(Q 1 ) 13 ) expand 1 () = s 1 (Q 16 ) 9 ) + s 1 (Q 12 ) 5 ) + s 1 (Q 8 ) + s 1 (Q 4 ) + AddElement( 16) + s 2(Q 15 ) + s 3(Q 14 ) + s 0(Q 13 ) + s 2(Q 11 ) + s 3(Q 10 ) + s 0(Q 9 ) + s 2(Q 7 ) + s 3(Q 6 ) + s 0(Q 5 ) + s 2(Q 3 ) + s 3(Q 2 ) + s 0(Q 1 ) expand 2 () = Q 16 + Q 12 + Q 8 + Q 4 + AddElement( 16) + r 1 (Q 15 ) + Q 14 + r 2 (Q 13 ) + r 3 (Q 11 ) + Q 10 + r 4 (Q 9 ) + r 5 (Q 7 ) + Q 6 + r 6 (Q 5 ) + r 7 (Q 3 ) + s 5(Q 2 ) + s 4(Q 1 ) expand 2 () = Q 16 + Q 12 + Q 8 + Q 4 + AddElement( 16) + r 1 (Q 15 ) + Q 14 + r 2 (Q 13 ) + r 3 (Q 11 ) + Q 10 + r 4 (Q 9 ) + r 5 (Q 7 ) + Q 6 + r 6 (Q 5 ) + r 7 (Q 3 ) + s 5(Q 2 ) + s 4(Q 1 ) Tale 9. Logic functions used in old Blue Midnight Wish. Note that for the function AddElement() index expressions involving the variale for M are computed modulo 16. The new description of the used logical functions is the following: BMW224/BMW256 BMW384/BMW512 s 0 (x) = SHR 1 (x) SHL 3 (x) ROT L 4 (x) ROT L 19 (x) s 0 (x) = SHR 1 (x) SHL 3 (x) ROT L 4 (x) ROT L 37 (x) s 1 (x) = SHR 1 (x) SHL 2 (x) ROT L 8 (x) ROT L 23 (x) s 1 (x) = SHR 1 (x) SHL 2 (x) ROT L 13 (x) ROT L 43 (x) s 2 (x) = SHR 2 (x) SHL 1 (x) ROT L 12 (x) ROT L 25 (x) s 2 (x) = SHR 2 (x) SHL 1 (x) ROT L 19 (x) ROT L 53 (x) s 3 (x) = SHR 2 (x) SHL 2 (x) ROT L 15 (x) ROT L 29 (x) s 3 (x) = SHR 2 (x) SHL 2 (x) ROT L 28 (x) ROT L 59 (x) s 4 (x) = SHR 1 (x) x s 4 (x) = SHR 1 (x) x s 5 (x) = SHR 2 (x) x s 5 (x) = SHR 2 (x) x r 1 (x) = ROT L 3 (x) r 1 (x) = ROT L 5 (x) r 2 (x) = ROT L 7 (x) r 2 (x) = ROT L 11 (x) r 3 (x) = ROT L 13 (x) r 3 (x) = ROT L 27 (x) r 4 (x) = ROT L 16 (x) r 4 (x) = ROT L 32 (x) r 5 (x) = ROT L 19 (x) r 5 (x) = ROT L 37 (x) r 6 (x) = ROT L 23 (x) r 6 (x) = ROT L 43 (x) r 7 (x) = ROT L 27 (x) ( r 7 (x) = ROT L 53 (x) ( AddElement() = ROT L (+1) (M ) + ROT L (+4) (M +3 ) AddElement() = ROT L (+1) (M ) + ROT L (+4) (M +3 ) ) ) ROT L (+11) (M +10 ) + K +16 H +7 ROT L (+11) (M +10 ) + K +16 H +7 expand 1 () = s 1 (Q 16 ) + s 1 (Q 12 ) + s 1 (Q 8 ) + s 1 (Q 4 ) + AddElement( 16) + s 2(Q 15 ) + s 3(Q 14 ) + s 0(Q + s 2(Q 11 ) + s 3(Q 10 ) + s 0(Q + s 2(Q 7 ) + s 3(Q 6 ) + s 0(Q + s 2(Q 3 ) + s 3(Q 2 ) + s 0(Q 1 ) 13 ) expand 1 () = s 1 (Q 16 ) 9 ) + s 1 (Q 12 ) 5 ) + s 1 (Q 8 ) + s 1 (Q 4 ) + AddElement( 16) + s 2(Q 15 ) + s 3(Q 14 ) + s 0(Q 13 ) + s 2(Q 11 ) + s 3(Q 10 ) + s 0(Q 9 ) + s 2(Q 7 ) + s 3(Q 6 ) + s 0(Q 5 ) + s 2(Q 3 ) + s 3(Q 2 ) + s 0(Q 1 ) expand 2 () = Q 16 + Q 12 + Q 8 + Q 4 + AddElement( 16) + r 1 (Q 15 ) + Q 14 + r 2 (Q 13 ) + r 3 (Q 11 ) + Q 10 + r 4 (Q 9 ) + r 5 (Q 7 ) + Q 6 + r 6 (Q 5 ) + r 7 (Q 3 ) + s 4(Q 2 ) + s 5(Q 1 ) expand 2 () = Q 16 + Q 12 + Q 8 + Q 4 + AddElement( 16) + r 1 (Q 15 ) + Q 14 + r 2 (Q 13 ) + r 3 (Q 11 ) + Q 10 + r 4 (Q 9 ) + r 5 (Q 7 ) + Q 6 + r 6 (Q 5 ) + r 7 (Q 3 ) + s 4(Q 2 ) + s 5(Q 1 ) Tale 10. Logic functions used in tweaked Blue Midnight Wish. Note that for the function AddElement() index expressions involving the variale for left rotations, M and H are computed modulo 16. 6

7 By comparing old and new list of logical functions used in f 1 the difference is in the definition of the element AddElement(). The old term was giving a chance an attacker to make changes in the most significant its of the message and due to the operations of addition, those changes were canceling each other up to the last variale Q 31, thus giving free-start near collisions in the compression function. The new (tweaked) expression for AddElement() rotates the values of the message M, and additionally operates with the vector ROT L 7 (H i 1 ) = (H (i 1) 7, H (i 1) 8,..., H (i 1) 5, H (i 1) 6 ) which is a rotation y seven position to the left of the vector (H (i 1) 15 ). This is our second introduction of expressions that decouples the input values of the message M and the chaining doule pipe H (i 1) with the particular values from M and H (i 1) that are repeatedly used in the Blue Midnight Wish expressions. 4 A technical typo correction in f 1 We have corrected another technical typo that was present in the previous version of Blue Midnight Wish. Namely, in the old f 1 we had the following order of using the logical functions s 4 and s 5 in the expression expand 2 () =... + s 5 (Q 2 ) + s 4(Q 1 ) +... The proper order of using s 4 and s 5 should e as it is done in the new tweaked version: 5 Tweak Nr. 2 expand 2 () =... + s 4 (Q 2 ) + s 5(Q 1 ) +... The second tweak consist of an additional (final) use of the compression function. The generic description of the old Blue Midnight Wish had the following structure: Algorithm: Blue Midnight Wish Input: Message M of length l its, and the message digest size n. Output: A message digest Hash, that is long n its. 1. Preprocessing (a) Pad the message M. () Parse the padded message into N, m-it message locks, M (1), M (2),..., M (N). (c) Set the initial value of the doule pipe. 2. Hash computation For i = 1 to N { Q a = f 0(M, H (i 1) ); Q = f 1(M, Q a ); H = f 2(M, Q a, Q ); } 3. Hash =Take n Least Significant Bits(H (N) ). Tale 11. A generic description of the Blue Midnight Wish hash algorithm Together with the tweak introduced in f 0 and f 1 the generic description of the tweaked Blue Midnight Wish has the following structure: 7

8 Algorithm: Blue Midnight Wish Input: Message M of length l its, and the message digest size n. Output: A message digest Hash, that is n its long. 1. Preprocessing (a) Pad the message M. () Parse the padded message into N, m-it message locks, M (1), M (2),..., M (N). (c) Set the initial value of the doule pipe. 2. Hash computation For i = 1 to N { Q a = f 0(M, H (i 1) ); Q = f 1(M, H (i 1), Q a ); H = f 2(M, Q a, Q ); } 3. Finalization Q final a = f 0(H (N), CONST final ); Q final = f 1(H (N), CONST final, Q final a ); H final = f 2(H (N), Q final a, Q final ); 4. Hash =Take n Least Significant Bits(H final ). Tale 12. A generic description of the Blue Midnight Wish hash algorithm As it is shown in Tale 12, in the final invocation of the compression function we have changed the role of the chaining doule pipe and the message. Since there is no more message to e digested, the role that the message data was performing in the previous invocations of the compression function is now given to the last otained doule pipe H (N). In such a case the role of the chaining doule pipe is fixed to a constant that we denote as: CONST final. We have chosen 16 components of the vector CONST final = (CONST final 0,..., CONST final 15 ) to e CONST final = 0xaaaaaaa0 +, = 0, 1,..., 15 for BMW224 and BMW256. CONST final = 0xaaaaaaaaaaaaaaa0 +, = 0, 1,..., 15 for BMW384 and BMW512. By fixing the CONST final we are removing this variale from the attacker s repository, in his attempt to find pseudo collisions and pseudo-preimages. Additionally the final invocation of the compression function is a measure for any attack that can find near collisions or near-pseudo-collisions or near preimages or near-pseudo-preimages of the compression function of Blue Midnight Wish. Acknowledgement We would like to thank Søren S. Thomsen, the memer of Grøstl team, for his analysis and his discovery of near and pseudo attacks on the initial Blue Midnight Wish sumission and to Niels Ferguson, the memer of Skein team, for his remark (send to us privately in his analysis of Edon-R) aout the cryptographic value of having additional final invocation of the compression function. 8