Security Analysis of SIMD


Security Analysis of SIMD
Charles Bouillaguet, Pierre-Alain Fouque, Gaëtan Leurent

To cite this version: Charles Bouillaguet, Pierre-Alain Fouque, Gaëtan Leurent. Security Analysis of SIMD. Alex Biryukov. Selected Areas in Cryptography, 10th Annual International Workshop, SAC 2010, 2010, Ontario, Canada. Springer, 2010, Lecture Notes in Computer Science. <inria>

HAL Id: inria
Submitted on 17 Jan 2011

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

The HAL open multidisciplinary archive is intended for the deposit and dissemination of research-level scientific documents, whether published or not, originating from French or foreign teaching and research institutions, and from public or private laboratories.

Security Analysis of SIMD

Charles Bouillaguet, Pierre-Alain Fouque, and Gaëtan Leurent
École Normale Supérieure, Département d'Informatique, 45 rue d'Ulm, Paris Cedex 05, France
{Charles.Bouillaguet,Gaetan.Leurent,Pierre-Alain.Fouque}@ens.fr

Abstract. In this paper we study the security of the SHA-3 candidate SIMD. We first show a new free-start distinguisher based on symmetry relations. It allows to distinguish the compression function of SIMD from a random function with a single evaluation. However, we also show that this property is very hard to exploit to mount any attack on the hash function because of the mode of operation of the compression function. Essentially, if one can build a pair of symmetric states, the symmetry property can only be triggered once. In the second part, we show that a class of free-start distinguishers is not a threat to wide-pipe hash functions. In particular, this means that our distinguisher has a minimal impact on the security of the hash function, and we still have a security proof for the SIMD hash function. Intuitively, the reason why this distinguisher does not weaken the function is that getting into a symmetric state is about as hard as finding a preimage. Finally, in the third part we study differential paths in SIMD, and give an upper bound on the probability of related-key differential paths. Our bound is in the order of $2^{n/2}$ using very weak assumptions. Resistance to related-key attacks is often overlooked, but it is very important for hash function designs.

Key words: SIMD, SHA-3, hash function, distinguisher, security proof with distinguishers.

1 Introduction

SIMD is a SHA-3 candidate designed by Leurent, Fouque and Bouillaguet [12]. Its main feature is a strong message expansion whose aim is to thwart differential attacks. This paper provides three important contributions to the security analysis of SIMD.

In Section 2 we study its resistance against self-similarity attacks [4]. This class of attack is inspired by the complementation property of DES and includes symmetry-based attacks. In the case of SIMD, we show that it is possible to exploit the symmetry of the design using special messages. This shows that the constants included in the message expansion of SIMD are not sufficient to prevent symmetry relations, and non-symmetric constants should be added in the last steps of the message expansion. The study of this symmetry property shows that it is much weaker than the symmetry properties in CubeHash [1,9] or Lesamnta [4]. More precisely, most symmetry properties can be used to generate many symmetric states out of a single state, but this is not the case for SIMD.

In Section 3, we show a proof of security for the mode of operation used in SIMD, the truncated prefix-free Merkle-Damgård, in the presence of some efficient distinguishers on the compression function. The class of distinguishers we consider includes the symmetry-based distinguisher, and also includes differential paths with a non-zero chaining value difference. This shows that the properties of the compression function of SIMD found so far do not affect the security of the iterated hash function. This part is also of independent interest and applies to other wide-pipe hash functions.

In Section 4, we study differential attacks, and bound the probability of paths with a non-zero message difference, i.e., related-key attacks on the block cipher. We show an upper bound on such paths on the order of $2^{n/2}$, and we argue that the best paths are probably much worse than this bound. We note that there are very few results known regarding resistance to related-key attacks for block ciphers. In particular, the differential properties of the AES have been extensively studied [17] but related-key differential attacks have been shown recently [3]. In many hash function designs (in particular those based on the Davies-Meyer construction), related-key attacks are a real concern and should be studied accordingly.

By combining the results of Sections 3 and 4, we show that SIMD is resistant to differential cryptanalysis: a path with a non-zero difference in the chaining value input cannot be used to attack the hash function because it is wide-pipe, while a path with a non-zero difference in the message can only have a low success probability. Finally, in Section 5 we express our views on the security of SIMD.

Footnote: The full version of this paper appears as IACR ePrint report 2010/323 [5].

[Fig. 1. SIMD modified Davies-Meyer mode.]
[Fig. 2. SIMD compression rounds. There are 4 parallel Feistels in SIMD-256, and 8 parallel Feistels in SIMD-512.]

1.1 Brief Description of SIMD

SIMD is built using a modified Davies-Meyer mode with a strong message expansion, as shown in Figure 1. The compression part is built from 4 parallel Feistel ladders (8 for SIMD-512) with 32-bit registers, and is shown in Figure 2. We can describe the step update function as:

$$(A_j, B_j, C_j, D_j) \leftarrow \Big( \big(D_j \boxplus W^{(i)}_j \boxplus \varphi^{(i)}(A_j, B_j, C_j)\big)^{\lll s^{(i)}} \boxplus \big(A_{p^{(i)}(j)}\big)^{\lll r^{(i)}},\; A_j^{\lll r^{(i)}},\; B_j,\; C_j \Big)$$

where $j$ denotes the Feistel number and $i$ denotes the round number. $A$, $B$, $C$, and $D$ are the four registers of the Feistel ladders, while $\varphi^{(i)}$ is the Boolean function used at round $i$ (which can be either IF or MAJ) and $W$ is the expanded message. The parallel Feistels interact through the permutations $p^{(i)}$, which are built as $p^{(i)}(j) = j \oplus \alpha^{(i)}$, for some $\alpha^{(i)}$. There are no explicit constants in the round function, but there are implicit constants in the message expansion.

The Message Expansion. The message expansion of SIMD is defined with the following operations:

1. Use an NTT transform (which is the same as an FFT over $\mathbb{F}_{257}$) to double the size of the message. The NTT is actually used as a Reed-Solomon code.
2. Make two copies of the NTT output.
3. The first copy is multiplied by 185, while the second copy is multiplied by 233. This step also doubles the size of the message, as the outputs are 16-bit words.
4. Permute the 16-bit words and pack them into 32-bit words.

Constants are added in the NTT layer, and make it an affine code instead of a linear one. They avoid special expanded messages such as the all-zero message. For more details, see the specification of SIMD [12].

1.2 Previous Cryptanalysis Results

As far as we know, the following results have been found on SIMD:

In [10], Gauravaram and Bagheri showed that the modified Davies-Meyer construction used in SIMD allows to find partial fixed-points (this is a weaker version of Davies-Meyer's fixed-points). There is no easy way to find full fixed-points as in the original Davies-Meyer construction, but those partial fixed-points give an easy distinguisher of the compression function. Just like the fixed-points of Davies-Meyer, this property does not affect the security of a wide-pipe hash function, and the mode can be proven secure under the assumption that the block cipher is ideal [8].

In [15], Mendel and Nad showed a differential path with probability for the compression function of the round-1 version of SIMD-512. They used it to make a distinguishing attack on the compression function with complexity $2^{427}$, using IV/message modifications. In this path, no difference is introduced in the message, but a specific input difference in the chaining value can go to a specific output difference. Because of the need to control the chaining value difference, this path cannot be used to attack the iterated hash function. In Section 3, we show that even if there is a path with probability one, we only lose a factor 2 in the indifferentiability proof. However, this path was using some unwanted properties of the permutations used in the compression function, and it was decided to remove those properties by tweaking the design for the second round of the SHA-3 competition [13].

More recently, in [20] Yu and Wang studied differential paths for the round-2 version of SIMD. They describe near-collisions in reduced versions of the compression function (20 steps for SIMD-256 and 24 steps for SIMD-512) and build a differential path with probability for the full compression function of SIMD-512. This path can be used to build a distinguisher with complexity $2^{398}$, yielding pairs of inputs and outputs with a fixed difference. Like the previous result, this work uses a difference in the chaining value and no difference in the message. For this reason it does not threaten the iterated hash function. It should be noted that for this distinguisher, the attacker needs to choose both input chaining values, and not only the difference between the chaining values (it is a free-start attack, while the attack on the round-1 version could be mounted as a semi-free-start attack). That makes it even less threatening to a wide-pipe design. Moreover we found several mistakes in the path described in the preprint of their work, which cast a doubt on the validity of the path.

In [16], Nikolić et al. applied rotational cryptanalysis to the compression function of SIMD-512. They showed that 24 rounds can be distinguished from a random function with complexity if the constants are removed from the design. In the real design, they can only distinguish 12 rounds (out of 36) because of the non-linear message expansion. This is clearly not a threat for SIMD.

2 A Distinguisher for the Compression Function of SIMD

Our distinguisher is based on symmetries in the design, and follows the ideas of [4]. Symmetry-based properties have already been found in several hash function designs, such as CubeHash [1,9] or Lesamnta [4]. We describe the distinguisher in the case of SIMD-256, but it applies similarly to SIMD-512.

2.1 Building the Symmetric Messages

The basic idea is to build a message so that the expanded message is symmetric. Then, if the internal state is also symmetric, the compression rounds preserve the symmetry. This can also be used with a pair of symmetric messages, and a pair of symmetric states.

The NTT layer of the message expansion is an affine transformation, therefore it is easy to find inputs that satisfy some affine conditions on the output. Since it only doubles the size of the input, we have enough degrees of freedom to force equalities between pairs of outputs. The next expansion step is a multiplication by a constant, and it will preserve equality relations. Then if we look at the permutations used in the message expansion, they have the following property¹: the NTT words used to build the message words $W^{(i)}_0, W^{(i)}_1, W^{(i)}_2, W^{(i)}_3$ are always of the form $(y_{k_1}, y_{k_2}), (y_{k_1+2}, y_{k_2+2}), (y_{k_1+4}, y_{k_2+4}), (y_{k_1+6}, y_{k_2+6})$ for some $k_1$ and $k_2$ (with $k_i = 0 \bmod 8$ or $k_i = 1 \bmod 8$). The full permutations are given in [12, Table 1.1]. Because of this property, if we have $y_i = y_{i \oplus 2}$ for all $i$ after the NTT, then we have $W^{(i)}_0 = W^{(i)}_1$ and $W^{(i)}_2 = W^{(i)}_3$. This allows us to build a symmetric message. An example of such a symmetric message is given in Appendix A.

More precisely, the three possible symmetries are the following permutations of the four Feistels (the tuple $(a, b, c, d)$ lists the components for Feistels 0, 1, 2, 3):

$$(a, b, c, d) \mapsto (b, a, d, c), \qquad (a, b, c, d) \mapsto (c, d, a, b), \qquad (a, b, c, d) \mapsto (d, c, b, a),$$

i.e., Feistel $j$ is exchanged with Feistel $j \oplus 1$, $j \oplus 2$ and $j \oplus 3$ respectively. A state or expanded message $x$ is symmetric under the first symmetry when $x_j = x_{j \oplus 1}$ for all $j$, and a pair $x, x'$ is symmetric when $x'_j = x_{j \oplus 1}$ for all $j$ (and similarly for the other two).

¹ This design choice was guided by implementation efficiency.

We now consider two messages $M$ and $M'$. We use $y$ to denote the NTT output for $M$, and $y'$ to denote the NTT output for $M'$. The equality constraints on the NTT output that are necessary to build a pair of symmetric expanded messages are (we use $E$ to denote the message expansion):

$$y_i = y'_{i \oplus 2} \implies E(M')_j = E(M)_{j \oplus 1}$$
$$y_i = y'_{i \oplus 4} \implies E(M')_j = E(M)_{j \oplus 2}$$
$$y_i = y'_{i \oplus 6} \implies E(M')_j = E(M)_{j \oplus 3}$$

By solving the corresponding linear systems, we can compute the sets of symmetric messages (the sets are described in the full version of this paper). We can count the symmetric messages $M$ such that $E(M)$ is symmetric, and the pairs of messages $M, M'$ such that $E(M), E(M')$ form a symmetric pair:

Symm. class (SIMD-256)                      # msg    # pairs
y_i = y_{i xor 2}   (W_0 = W_1, W_2 = W_3)
y_i = y_{i xor 4}   (W_0 = W_2, W_1 = W_3)
y_i = y_{i xor 6}   (W_0 = W_3, W_1 = W_2)

Symm. class (SIMD-512)                      # msg    # pairs
y_i = y_{i xor 2}
y_i = y_{i xor 4}
y_i = y_{i xor 6}
y_i = y_{i xor 8}
y_i = y_{i xor 10}
y_i = y_{i xor 12}
y_i = y_{i xor 14}

An important property of these message classes is that they are all disjoint: it is not possible to use the intersection of two symmetry classes.

2.2 Symmetry Property on the Compression Function

Let us consider a pair of symmetric messages for one of the symmetry relations (without loss of generality, we assume it is the first symmetry, $j \leftrightarrow j \oplus 1$): $E(M')_j = E(M)_{j \oplus 1}$. We can take advantage of the symmetry of the Feistel part using those messages. If we have a pair of states $S^{(i)}, S'^{(i)}$ with $S'^{(i)}_j = S^{(i)}_{j \oplus 1}$ and we compute one Feistel step with messages $W$ and $W'$ such that $W'_j = W_{j \oplus 1}$, we obtain a new pair of states with $S'^{(i+1)}_j = S^{(i+1)}_{j \oplus 1}$. The xor-based symmetry classes commute with the xor-based permutations $p^{(i)}$ used to mix the Feistels (and they are the only symmetry classes to do so).

Because the compression function is built using a modified Davies-Meyer mode (Figure 1), we need to start with $H_{i-1}$ such that $H_{i-1} \oplus M$ is symmetric: $(H'_{i-1} \oplus M')_j = (H_{i-1} \oplus M)_{j \oplus 1}$. Then, in the feed-forward, $H_{i-1}$ is used as the key to a few Feistel rounds, and since $H_{i-1}$ is not symmetric, those rounds will break the symmetry. However, it turns out the symmetric messages are very sparse, so $H_{i-1}$ will be almost symmetric, and the feed-forward will mostly preserve the symmetry of the outputs. This gives a distinguisher on the compression function: an almost symmetric chaining value is transformed into a somewhat symmetric chaining value. See Appendix A for a concrete example. The distinguisher can be used either with a pair of messages and chaining values with $E(M')_j = E(M)_{j \oplus 1}$ and $(H'_{i-1} \oplus M')_j = (H_{i-1} \oplus M)_{j \oplus 1}$, or with a single chaining value and message, with $E(M)_j = E(M)_{j \oplus 1}$ and $(H_{i-1} \oplus M)_j = (H_{i-1} \oplus M)_{j \oplus 1}$.

2.3 Non-Ideality of the Compression Function

Here we define the bias of the compression function with the notations that will be used in Section 3. For each symmetric message $M$ under a symmetry relation (without loss of generality the first one, $j \leftrightarrow j \oplus 1$), we have a first-order relation between the inputs and output of the compression function:

$$R^M_1(h, m, h') := \Big( m = M \;\wedge\; (h \oplus m)_j = (h \oplus m)_{j \oplus 1} \Big) \implies P^{-1}(h', h)_j = P^{-1}(h', h)_{j \oplus 1}$$

We use the feed-forward permutation $P$ to define the relation, because it is tricky to describe exactly the somewhat-symmetry of $h'$ after the feed-forward. We have about $2^{16}$ such relations for SIMD-256 and about $2^{32}$ relations for SIMD-512. Similarly, for each symmetric message pair $M, M'$, this gives a second-order relation (there are about $2^{32}$ such relations for SIMD-256 and $2^{64}$ for SIMD-512):

$$R^{M,M'}_2(h_1, m_1, h_2, m_2, h'_1, h'_2) := \Big( m_1 = M \;\wedge\; m_2 = M' \;\wedge\; (h_2 \oplus m_2)_j = (h_1 \oplus m_1)_{j \oplus 1} \Big) \implies P^{-1}(h'_2, h_2)_j = P^{-1}(h'_1, h_1)_{j \oplus 1}$$

The corresponding weak states are:

$$W^M_1 := \{\, x \oplus M \mid x_j = x_{j \oplus 1} \,\}, \qquad W^{M,M'}_2 := \{\, (h \oplus M,\ \tilde h \oplus M') \mid \tilde h_j = h_{j \oplus 1} \,\}$$

The study of the symmetry classes of SIMD shows that: $|W_1| =$ for SIMD-256, $|W_1| =$ for SIMD-512, $|W_2| = ((\;)\;) <$ for SIMD-256, $|W_2| = ((\;)(\;)\;) <$ for SIMD-512. Each chaining value can be used with fewer than $2^{32}$ related chaining values (fewer than $2^{64}$ for SIMD-512) and each such pair can be used with a single message.

2.4 Impact of the Symmetry-based Distinguisher

There are two main classes of attacks based on symmetric properties of the compression function. To attack the compression function, one can use the symmetry property to force the output of the compression function into a small subspace. This allows to find collisions in the compression function more efficiently than brute force, with the efficiency of this attack depending on the size of the symmetry classes. On the other hand, to attack the hash function, one can first try to reach a symmetric state using random messages, and then use symmetric messages to build a large set of symmetric states. To expand the set, the attacker will build a tree, starting with the symmetric state that was reached randomly. The degree and the depth of the tree can be limited depending on the symmetry property.

In the case of SIMD, none of these attacks are effective for the following reasons:

First, the modified Davies-Meyer mode of operation means that the compression function does not transform a symmetric state into a symmetric state, but it transforms an almost symmetric state into a somewhat symmetric state. We show in the full version of the paper that a somewhat symmetric output pair can only be used as an almost symmetric input pair with a very small probability. This prevents attacks based on building long chains of symmetric messages, like the attacks on CubeHash [1,9].

Second, if a pair of almost symmetric states is reached, there is only a single message pair that can be used to reach a symmetric state in the Feistel rounds. This prevents attacks like the herding attack on Lesamnta [4], where one reaches a symmetric state and then uses a lot of different messages in order to explore the subset of symmetric outputs.

Third, the final transformation of SIMD uses the message length as input. Therefore, the symmetry property can only be seen in the output of the hash function with messages of unrealistic length (almost bits for SIMD-256 and almost bits for SIMD-512). Note that computing the hash of such a message is vastly more expensive than finding a preimage.

Moreover the symmetry classes do not intersect. It is not possible to build smaller symmetry classes in order to show collisions in the compression function, as was done for CubeHash [1,9]. Finding collisions in the compression function using the symmetry property costs $2^{n/2}$. It is more efficient than generic attacks on the compression function, but cannot be used to find collisions in the hash function faster than the birthday attack. We also note that the initial state of the SIMD hash function is not symmetric.

To summarize, reaching a symmetric state in SIMD is far less interesting than reaching a symmetric state in CubeHash or in Lesamnta. Table 1 gives a comparison of the symmetry properties found in these functions.
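The symmetry argument of Section 2.2 in a runnable toy model, added here and not taken from the paper or the SIMD submission: a simplified step function with four parallel (A, B, C, D) ladders, IF/MAJ, rotations and the cross-Feistel permutation p(j) = j xor alpha, where the rotation amounts, the alpha values and the message words are constructed sample values rather than SIMD constants. It checks that a pair of states related by a xor-based symmetry stays related when the expanded messages are, that the relation breaks when the message pair is not symmetric, and that a non-xor relation between Feistels (a cyclic shift) does not commute with p.

```python
# Toy model of the SIMD Feistel rounds (Section 1.1 / 2.2).  Constructed example:
# rotation amounts, alphas and message words are made up, not SIMD-256 constants.
import random
from typing import Callable, List, Tuple

MASK = 0xFFFFFFFF
Ladder = Tuple[int, int, int, int]   # (A, B, C, D) registers of one Feistel
State = List[Ladder]                 # one ladder per Feistel index j


def rotl(x: int, n: int) -> int:
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def IF(a: int, b: int, c: int) -> int:
    return ((a & b) | (~a & c)) & MASK


def MAJ(a: int, b: int, c: int) -> int:
    return (a & b) | (a & c) | (b & c)


def step(state: State, w: List[int], phi: Callable[[int, int, int], int],
         s: int, r: int, alpha: int) -> State:
    """One step: (A,B,C,D) <- ((D + W + phi(A,B,C)) <<< s + A_{j xor alpha} <<< r, A <<< r, B, C)."""
    new: State = []
    for j, (a, b, c, d) in enumerate(state):
        a_other = state[j ^ alpha][0]          # register A of Feistel p(j) = j xor alpha
        t = (d + w[j] + phi(a, b, c)) & MASK
        new_a = (rotl(t, s) + rotl(a_other, r)) & MASK
        new.append((new_a, rotl(a, r), b, c))
    return new


def xor_symmetry(x: list, k: int) -> list:
    """Exchange Feistel j with Feistel j xor k: k=1 is (a,b,c,d)->(b,a,d,c),
    k=2 is (c,d,a,b), k=3 is (d,c,b,a)."""
    return [x[j ^ k] for j in range(len(x))]


def cyclic_symmetry(x: list) -> list:
    """A relation that is not xor-based (j -> j+1 mod #Feistels), for comparison."""
    return [x[(j + 1) % len(x)] for j in range(len(x))]


def symmetry_survives(state: State, words: List[List[int]], sym: Callable[[list], list],
                      alphas: List[int], symmetric_msg: bool = True) -> bool:
    """Run the steps on S and on S' = sym(S), with W' = sym(W) (or W' = W when
    symmetric_msg is False), and report whether S' = sym(S) still holds afterwards."""
    other = sym(state)
    for i, (w, alpha) in enumerate(zip(words, alphas)):
        phi = IF if i % 2 == 0 else MAJ        # the round's Boolean function
        s, r = 3 + 5 * i, 7 + 3 * i            # constructed rotation amounts
        state = step(state, w, phi, s, r, alpha)
        other = step(other, sym(w) if symmetric_msg else w, phi, s, r, alpha)
    return other == sym(state)


def sample_inputs(n_feistels: int = 4, seed: int = 1) -> Tuple[State, List[List[int]]]:
    """Constructed pseudo-random state and four steps of (non-symmetric) message words."""
    rng = random.Random(seed)
    state = [tuple(rng.getrandbits(32) for _ in range(4)) for _ in range(n_feistels)]
    words = [[rng.getrandbits(32) for _ in range(n_feistels)] for _ in range(4)]
    return state, words


def run_checks() -> dict:
    state, words = sample_inputs()
    alphas = [1, 2, 3, 1]                      # constructed alpha^(i) for p^(i)(j) = j xor alpha^(i)
    return {
        "xor_sym_1": symmetry_survives(state, words, lambda x: xor_symmetry(x, 1), alphas),
        "xor_sym_2": symmetry_survives(state, words, lambda x: xor_symmetry(x, 2), alphas),
        "xor_sym_3": symmetry_survives(state, words, lambda x: xor_symmetry(x, 3), alphas),
        "asym_msg": symmetry_survives(state, words, lambda x: xor_symmetry(x, 1), alphas,
                                      symmetric_msg=False),
        "cyclic": symmetry_survives(state, words, cyclic_symmetry, alphas),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: symmetry {'preserved' if ok else 'broken'}")
```

Only the xor-based relations survive the steps; the same check with eight Feistels (`sample_inputs(8)` and `xor_symmetry(x, 5)`) behaves the same way, which is the SIMD-512 case.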

Table 1. Comparison of symmetry properties in several hash functions.

Function                     Reach symm. state   Max. length   Max. degree   Free-start collisions
Lesamnta                                                                      (semi-free-start)
CubeHash (symm C_1..C_7)                                                      (semi-free-start)
CubeHash (symm C_8..C_15)                                                     (semi-free-start)
SIMD

Another very important factor is that SIMD is a wide-pipe design. Therefore reaching a symmetric state is about as hard as finding a preimage for the hash function. In the next section, we provide a formal proof that this distinguisher has only a small effect on the security of SIMD. We can prove that the hash function behaves as a random oracle under the assumption that the compression function is a weak perfect function having this symmetry property.

3 Free-start Distinguishers, Non-Ideal Compression Functions and Wide-Pipe Designs

In this section, we discuss the security of the prefix-free iteration of non-ideal compression functions. While our primary objective is to show that the distinguisher for the compression function of SIMD presented in Section 2 does not void the security proof of SIMD, the reasoning and the proof presented here are pretty general and could very well be adapted to other functions.

Let $\mathcal{H} = \{0,1\}^p$ denote the set of chaining values, $\mathcal{M} = \{0,1\}^m$ denote the set of message blocks, and $\mathcal{F}$ be the set of all functions $\mathcal{H} \times \mathcal{M} \to \mathcal{H}$. Let $F \in \mathcal{F}$ be a compression function taking as input a $p$-bit chaining value and an $m$-bit message block. A mode of operation for a hash function $H$ combined with a compression function $F$ yields a full hash function $H^F$.

Following [14,8], we rely on the notion of indifferentiability of systems to reduce the security of SIMD to that of its compression function. The usual way of establishing the soundness of a mode of operation $H$ is to show that it is indifferentiable from a random oracle. This is done by constructing a simulator $\mathcal{S}$ such that any distinguisher $\mathcal{D}$ cannot tell apart $(H^F, F)$ and $(\mathrm{RO}, \mathcal{S})$ without a considerable effort, where $\mathrm{RO}$ is a variable-input-length random oracle (VIL-RO, for short). When this is established, it is shown in [14] that any cryptosystem making use of a VIL-RO is not less secure when the random oracle is replaced by the hash function $H^F$, where $F$ is an ideal compression function (i.e., a fixed-input-length random oracle, FIL-RO for short). Informally, if $F$ is ideal (i.e., has no special property that a random function would not have), then $H^F$ is secure up to the level offered by the indifferentiability proof. More precisely, if $H$ is $(t_D, t_S, q_S, q_O, \varepsilon)$-indifferentiable from a VIL-RO when the compression function is assumed to be a FIL-RO, then this means that there exists a simulator running in time $t_S$, such that any distinguisher running in time $t_D$ and issuing at most $q_S$ (resp. $q_O$) queries to the FIL-RO (resp. VIL-RO) has success probability at most $\varepsilon$.

A property of this methodology is that as soon as the compression function used in a hash function turns out to be non-ideal, then the security argument offered by the indifferentiability proof becomes vacuous. For instance, distinguishers exhibiting a non-random behavior of the compression function are usually advertised by their authors to nullify the security proof of the full hash function. This problematic situation was first tackled by the designers of Shabal, who provided a security proof taking into account the existence of an efficient distinguisher on the internal permutation of their proposal [6]. We will follow their track and demonstrate that the security of SIMD can be proved despite the existence of an efficient distinguisher on its compression function.

The mode of operation of SIMD can be concisely described as being the wide-pipe prefix-free² iteration of the compression function. Let $H^F$ therefore denote the prefix-free Merkle-Damgård iteration of $F$. Formally, $g : \{0,1\}^* \to \mathcal{M}^*$ is a prefix-free encoding if for all $x \neq x'$, $g(x)$ is not a prefix of $g(x')$. The mode of operation $H$ simply applies the Merkle-Damgård iteration of $F$ to the prefix-free encoding of the message.

² This is not explicitly stated in the submission document, but SIMD has a different finalization function that effectively acts as a prefix-free encoding.

The original security argument was that if the internal state and the hash are both $p$-bit wide, then prefix-free Merkle-Damgård is indifferentiable from a random oracle up to about $2^{p/2}$ queries [8]. Theorem 1 below gives a formal statement of this result.

Theorem 1. Prefix-free Merkle-Damgård is $(t_D, t_S, q_S, q_O, \varepsilon)$-indifferentiable from a VIL-RO when the compression function is modeled by a FIL-RO, for any running time $t_D$ of the distinguisher, and $t_S = O\big((q_O + \kappa \cdot q_S)^2\big)$ where $\kappa$ is an upper bound on the size of the queries sent to the VIL-RO. If $q = q_S + \kappa \cdot q_O + 1$, then the success probability of the distinguisher is upper-bounded by:

$$\varepsilon = \frac{8 q^2}{2^p}$$

In SIMD where the internal state is $2n$ bits, this ensures the indifferentiability of the whole function up to roughly $2^n$ queries (if $H$ is indifferentiable up to $q$ queries, then the composition of a truncation that truncates half of the output and of $H$ is also secure up to $q$ queries). To restore the security argument damaged by the distinguisher, we will show that the prefix-free iteration of a non-ideal compression function is to some extent still indifferentiable from a VIL-RO.

3.1 Deterministic Distinguishers for the Compression Function

Let us consider a non-ideal compression function $F$. For instance, it may have weak states, that are such that querying $F$ thereon with a well-chosen message block produces a special output allowing to distinguish $F$ from random in one query. Known examples include for instance the symmetry on the compression function of Lesamnta [4], CubeHash [1,9], and SIMD (described in Section 2). But $F$ can also have bad second-order properties, meaning that the output of $F$ on correlated input states (with well-chosen message blocks) produces correlated outputs, allowing to distinguish $F$ from random in two queries. A notable example of this property is the existence of differential paths with probability one in the compression function of Shabal [2]. Symmetry properties also give second-order relations, which means that Lesamnta, CubeHash and SIMD have bad second-order properties as well.

Following the methodology introduced in [6], we model this situation by saying that there are two relations $R_1$ and $R_2$ such that:

$$\forall (h, m) \in \mathcal{H} \times \mathcal{M} : \quad R_1\big(h, m, F(h, m)\big) = 1$$
$$\forall (h_1, h_2, m_1, m_2) \in \mathcal{H}^2 \times \mathcal{M}^2 : \quad R_2\big(h_1, m_1, h_2, m_2, F(h_1, m_1), F(h_2, m_2)\big) = 1$$

We denote by $R$ the relation formed by the union of $R_1$ and $R_2$, and we will denote by $\mathcal{F}[R]$ the subset of $\mathcal{F}$ such that the above two equations hold. We require the relations to be efficiently checkable, i.e., that given $h$, $m$ and $h'$, it is efficient to check whether $R_1(h, m, h') = 1$. The relation can thus be used as an efficient distinguishing algorithm that tells $\mathcal{F}[R]$ apart from $\mathcal{F}$.

A weak state is a state on which it is possible to falsify the relation $R_1$. We formally define the set of weak states for $R_1$ in the following way:

$$W = \big\{\, h \in \mathcal{H} \;\big|\; \exists\, m, h' \in \mathcal{M} \times \mathcal{H} \text{ such that } R_1(h, m, h') = 0 \,\big\}$$

$W$ should be a relatively small subset of $\mathcal{H}$ because the loss of security will be related to the size of $W$. Moreover, we require that the IV is not in $W$. In the same vein, a weak pair is a pair of states on which it is possible to falsify the relation $R_2$. We therefore define the set of weak pairs for $R_2$ by an undirected graph $G_{R_2} = (\mathcal{H}, WP)$, where $WP$ is defined by:

$$WP = \big\{\, \{h_1, h_2\} \;\big|\; \exists\, m_1, m_2, h'_1, h'_2 \in \mathcal{M}^2 \times \mathcal{H}^2 \text{ such that } R_2(h_1, m_1, h_2, m_2, h'_1, h'_2) = 0 \,\big\}$$

Similarly, $WP$ should be a relatively small subset of $\mathcal{H}^2$ because the security loss will be related to the size of $WP$. For the sake of expressing things conveniently, we define a variant of the same graph, $G'_{R_2} = (\mathcal{H} \times \mathcal{M}, WP')$, where $WP'$ is defined by:

$$WP' = \big\{\, \{(h_1, m_1), (h_2, m_2)\} \;\big|\; \exists\, h'_1, h'_2 \in \mathcal{H}^2 \text{ such that } R_2(h_1, m_1, h_2, m_2, h'_1, h'_2) = 0 \,\big\}$$

To simplify the proof we also require that the connected components of $G'_{R_2}$ have size at most two. This rules out some second-order relations, but it includes for instance the existence of a differential path with probability one with a non-zero difference in the input chaining value, as well as the symmetry in the compression function of SIMD or Lesamnta. We expect a similar result with larger connected components, but there will be a loss of security related to their size.

We also require the existence of sampling algorithms for $R$, namely of two efficient algorithms $\mathrm{Sampler}_1$ and $\mathrm{Sampler}_2$ such that:

$$\mathrm{Sampler}_1(h, m) : \quad h' \xleftarrow{\$} \{\, f(h, m) \mid f \in \mathcal{F}[R] \,\};\ \text{return } h'$$
$$\mathrm{Sampler}_2(h_1, m_1, h_2, m_2, h'_1) : \quad h'_2 \xleftarrow{\$} \{\, f(h_2, m_2) \mid f \in \mathcal{F}[R] \text{ and } f(h_1, m_1) = h'_1 \,\};\ \text{return } h'_2$$

Informally, the sampling algorithms should produce an output that looks as if it were produced by a random function constrained to conform to $R$.

3.2 Adapting the Indifferentiability Proof to Non-Ideal Compression Functions

We now assume that the compression function is a public function chosen uniformly at random in $\mathcal{F}[R]$, and for the sake of convenience we will call it a biased FIL-RO. We show that the prefix-free iteration of a biased FIL-RO is indifferentiable from a VIL-RO. In fact, we extend Theorem 1 to the case where the compression function is biased.

Theorem 2. Prefix-free Merkle-Damgård is $(t_D, t_S, q_S, q_O, \varepsilon)$-indifferentiable from a VIL-RO, when the compression function is modeled by a biased FIL-RO conforming to the relation $R$, for any running time $t_D$ of the distinguisher, and $t_S = O\big((q_O + \kappa \cdot q_S)^2\big)$ where $\kappa$ is an upper bound on the size of the queries sent to the VIL-RO. If $q = q_S + \kappa \cdot q_O + 1$, then the probability of success of the distinguisher is upper-bounded by:

$$\varepsilon = \frac{16 q^2}{2^p} + \frac{4 \cdot |W| \cdot q}{2^p} + \frac{4 \cdot |WP| \cdot q^2}{(2^p - q)^2}$$

The first term of the expression of $\varepsilon$ is similar to the result given in Theorem 1, when the compression function is ideal (up to a factor two that could be avoided by making the argument slightly more involved). The two other terms reflect the fact that the compression function is biased. The relation induces a security loss if $|W|$ is at least of order $2^{p/2}$, or if $|WP|$ is at least of order $2^p$. Informally, it seems possible to iterate compression functions having a relatively high bias in a secure way.

Application to Free-start Differential Attacks. Let us assume that the compression function is weak because of the existence of a good differential path with a non-zero difference in the input chaining value. Even if the probability of the differential path is 1, this has a very limited effect on the security of the hash function: this leads to $W = \emptyset$ and $|WP| = 2^{p-1}$. The advantage of the distinguisher is at most twice as high, compared to the iteration of an ideal FIL-RO.

Application to SIMD. In SIMD-256 (resp. SIMD-512), the internal state has $p = 512$ bits (resp. $p = 1024$ bits), and the distinguisher of Section 2 yields $|W| = 2^{p/2+16}$, $|WP| = 2^{p+32}$ (resp. $|W| = 2^{p/2+32}$, $|WP| = 2^{p+64}$). Therefore the advantage of any distinguisher in telling apart SIMD-256 from a VIL-RO with $q$ queries is upper-bounded by:

$$\varepsilon = \frac{16 q^2}{2^p} + \frac{4 \cdot 2^{p/2+16} \cdot q}{2^p} + \frac{4 \cdot 2^{p+32} \cdot q^2}{(2^p - q)^2}$$

SIMD-256 is then secure up to roughly queries (SIMD-512 is secure up to queries).

Application to Lesamnta. Lesamnta follows the prefix-free Merkle-Damgård mode of operation due to its special finalization function. An efficient distinguisher based on symmetries was shown in [4], with $|W| = 2^{p/2}$ and $|WP| = 2^{p-1}$. According to Theorem 2, the advantage of any distinguisher in telling apart Lesamnta-256 from a random oracle with $q$ queries is upper-bounded by:

$$\varepsilon = \frac{16 q^2}{2^p} + \frac{4 \cdot 2^{p/2} \cdot q}{2^p} + \frac{4 \cdot 2^{p-1} \cdot q^2}{(2^p - q)^2} \approx 22\,\frac{q}{2^{p/2}}$$

Note that since Lesamnta is a narrow-pipe design, we have $p = n$. Our result shows that Lesamnta remains secure against generic attacks up to the birthday bound. This is the best achievable proof for Lesamnta, since it does not behave as a good narrow-pipe hash function beyond that bound: a dedicated herding attack based on the symmetry property is shown in [4], with complexity $2^{n/2}$.

The proof is heavily based on the proof in the extended version of [8]. Due to space constraints, the proof is not included in this paper, but can be found in the full version.

4 On Differential Attacks against SIMD

In this section we will present our results concerning differential paths in SIMD. Using Integer Linear Programming, we show that if there is a difference in the message, then the probability of the path will be at most of the order of $2^{n/2}$. We stress that this result is not tight, but the computational power needed to improve the bound using this technique grows exponentially.

Related Work. The first attempt to avoid differential attacks in a SHA/MD-like hash function was proposed in [11], where Jutla and Patthak described a linear code similar to the message expansion of SHA-1, and proved that it has a much better minimal distance than the original SHA-1 message expansion. They proposed to use SHA-1 with this new message expansion and called the new design SHA-1-IME.

Our Results. The design of SIMD follows the same idea, using a strong message expansion with a high minimal distance. In this paper we show that we can prove the security of SIMD more rigorously than the security of SHA-1-IME. While the security of SHA-1-IME is based on the heuristic assumption that the path is built out of local collisions, our proof gives an upper bound on the probability of any differential characteristic with a non-zero difference in the message. Our results prove the following: for any message pair with a non-zero difference, the probability of going from an input difference to an output difference is bounded by for SIMD-256, and for SIMD-512.

4.1 Modeling Differential Paths

To study differential attacks against SIMD, we assume that the attacker builds a differential path. The differential path specifies the message difference and the state difference at each step. For each step, we study the probability $p^{(i)}$ that the new step difference conforms to the differential path, assuming that the previous state difference and the message difference conform to the path, but that the values themselves are random.

Since SIMD heavily uses modular additions, our analysis is based on a signed differential, as used by Wang et al. [19]. A signed difference gives better differential paths than an XOR difference if two active bits cancel each other out: with an XOR difference this gives a probability 1/2, but with a signed difference we have a probability 1 if the signs are opposed.

To study differential paths, we will consider the inner state of SIMD, and the Boolean functions $\varphi^{(i)}$. A state bit $A^{(i)}_j$ is called active if it takes two different values for a message pair following the differential path. Similarly, a Boolean function is called active if at least one of its inputs is active. A differential path consists of a set of active message bits, active state bits, active Boolean functions, and the sign of each active element. We assume that the adversary first builds such a differential path, and then looks for a conforming pair of messages and chaining values.

If we disregard the first and last rounds, each Boolean function has three inputs, and each state bit enters three Boolean functions. We use this simplification in Section 4.4.
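The Theorem 2 bound of Section 3 carried through for the Lesamnta parameters quoted there ($|W| = 2^{p/2}$, $|WP| = 2^{p-1}$), as an added derivation that is not part of the paper; it assumes $q \le 2^{p/2}$, the range over which the bound is informative, and approximates $2^p - q$ by $2^p$:

$$\frac{16 q^2}{2^p} = 16\,\frac{q}{2^{p/2}} \cdot \frac{q}{2^{p/2}} \le 16\,\frac{q}{2^{p/2}}, \qquad \frac{4 \cdot 2^{p/2} \cdot q}{2^p} = 4\,\frac{q}{2^{p/2}}, \qquad \frac{4 \cdot 2^{p-1} \cdot q^2}{(2^p - q)^2} \approx \frac{2 q^2}{2^p} \le 2\,\frac{q}{2^{p/2}}$$

$$\varepsilon \lesssim (16 + 4 + 2)\,\frac{q}{2^{p/2}} = 22\,\frac{q}{2^{p/2}}$$

The same approximation explains the regime statement made after Theorem 2. Each term of $\varepsilon$ reaches 1 at a different number of queries:

$$q_1 = \frac{2^{p/2}}{4} \quad\text{(first term)}, \qquad q_2 = \frac{2^p}{4\,|W|} \quad\text{(second term)}, \qquad q_3 \approx \frac{2^p}{2\sqrt{|WP|}} \quad\text{(third term)},$$

so the bias costs more than a constant factor only when $q_2 < q_1$, i.e. $|W| > 2^{p/2}$, or when $q_3 < q_1$, i.e. $|WP| > 4 \cdot 2^p$. For Lesamnta, $q_2 = 2^{p/2 - 2} = q_1$ and $q_3 \approx 2^{p/2 - 1/2}$, which is the birthday bound stated above.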

4.2 The Message Expansion

The minimal distance of the message expansion of SIMD is at least 520. This distance counts the number of active bits, but we can also show that even if consecutive bits can collapse to give a single signed difference, we still have a minimal distance of 455 (respectively 903 for SIMD-512). The only case where adjacent differences can collapse to give a smaller signed difference is when the bits 15 and 16 are active in the two 16-bit words that are packed into a 32-bit word. In Section 4.4, we disregard this property and we just consider that the message introduces 520 differences through the message expansion, but the model used in Section 4.5 accounts precisely for that.

4.3 Structure of a Differential Path

The basic idea of our analysis is to use the lower bound on the number of active message bits to derive a lower bound on the number of active state bits. Each message difference must either introduce a new difference in the state, or cancel the propagation of a previous state difference. A single difference propagates to between 2 and 5 differences, depending on whether the Boolean functions absorb it or let it go through. This means that a collision corresponds to between 3 and 6 message differences.

For instance, if a difference is introduced in the state A^{(5)}_1 by W^{(5)}_1, it will appear in A^{(5)}_1, B^{(6)}_1, C^{(7)}_1, D^{(8)}_1. Each of the Boolean functions φ^{(6)}_1, φ^{(7)}_1, φ^{(8)}_1 can either absorb it or pass it. This difference will propagate to A^{(6)}_0, and to A^{(9)}_1. Moreover, it can propagate to A^{(6)}_1, A^{(7)}_1 and A^{(8)}_1 if the Boolean functions do not absorb it. Up to five active message bits can be used to cancel this propagation: W^{(4)}_1, W^{(8)}_1, W^{(5)}_0, and possibly W^{(5)}_1, W^{(6)}_1, W^{(7)}_1 if the corresponding Boolean functions are not absorbing.

We consider two parts of the compression function: the computation of φ, and the modular sum. In order to study the probabilities associated with these computations, we will count the conditions needed for a message pair to follow the characteristic.

φ-conditions.
The Boolean functions MAJ and IF used in SIMD can either absorb or pass differences. When there is a single active input, the probability to absorb and to pass is 1/2. Each time a state difference enters a Boolean function, the differential characteristic specifies whether the difference should be passed or absorbed, and this gives one condition if the Boolean function has a single active input. Thus, each isolated difference in the state will account for 3 φ-conditions: one for each Boolean function it enters.

⊞-conditions. When a difference is introduced in the state, it has to come from one of the inputs of the round function:

\[
A^{(i)}_j = \Big( D^{(i-1)}_j \boxplus W^{(i)}_j \boxplus \varphi^{(i)}\big(A^{(i-1)}_j, B^{(i-1)}_j, C^{(i-1)}_j\big) \Big)^{\lll s^{(i)}} \boxplus \Big( A^{(i-1)}_{p^{(i)}(j)} \Big)^{\lll r^{(i)}}
\]

The round function is essentially a sum of 4 terms, and the differential characteristic will specify which input bits and which output bits are active. Thus, the differential characteristic specifies how the carry should propagate, and this gives at least one condition per state difference. In the end, a state difference accounts for 4 conditions.

4.4 Heuristics

We first give some results based on heuristics. We assume that the adversary can find message pairs that give a minimal distance in the expanded message, and we allow him to add some more constraints to the expanded message. Note that finding a message pair with a low difference in the expanded message is already quite difficult with the message expansion of SIMD.

Heuristic I assumes that the adversary can find message pairs with minimal distance, but no other useful property. The adversary gets a message pair with minimal distance, and connects the dots to build a differential characteristic.

Heuristic II assumes that the adversary can find message pairs with minimal distance and controls the relative positions of the message differences. He will use that ability to create local collisions.

Heuristic III assumes that the adversary can find a message pair with any message difference, limited only by the minimal weight of the code. He will cluster local collisions to avoid many conditions.

Heuristic I. In this section, we assume that the adversary can find a message pair such that the expanded messages reach the minimal distance of the code, but we assume that the message pair has no further useful properties. In this case, the adversary gets a message pair with a small difference and he has to connect the dots to build a differential path. This is somewhat similar to the attacks on MD4 [18]: the messages are chosen so as to make a local collision in the last round, and the attacker has to connect all the remaining differences into a path with a good probability. It seems safe to assume that such a differential path will have at least as many active state bits as active message bits. Since an isolated difference in the state costs 4 conditions, we expect at least 2080 conditions (resp. for SIMD-512), which is very high.

Heuristic II. We now assume that the adversary can force some structure in the expanded message difference. Namely, he can choose the relative location of the differences in the expanded message. Since the probability of the path is essentially given by the number of active bits in the state, the path should minimize this. This is achieved with local collisions, and each local collision will use as many message differences as possible. Due to the structure of the round function of SIMD, a local collision can use between 3 and 6 message differences, depending on whether the Boolean functions absorb or pass the differences. In order to minimize the number of state differences, the path will make all the Boolean functions pass the differences, yielding six message differences per state difference. This is somewhat counter-intuitive because most attacks try to minimize the propagation of differences by absorbing them. However, in our case it is more efficient to let the differences go through the Boolean functions, and to use more message differences to cancel them, because we have a lower bound on the number of message differences.
Since the adversary only controls the relative position of the message differences, we assume that most local collisions will be isolated, so that each local collision gives 4 conditions. Thus, a differential path is expected to have at least 520 · 4/6 ≈ 347 conditions (688 for SIMD-512). This leaves a significant security margin, and even if the adversary can use message modifications in the first 16 rounds, he can only avoid half of those conditions.

This can be compared to the attacks on SHA-1 [7,19]. These attacks are based on local collisions, but we do not know how to find a message pair which would have both minimal distance and yield a series of local collisions in SHA-1. Instead, attacks on SHA-1 use the fact that the message expansion is linear and circulant: given a codeword, if we shift it by a few rounds we get another valid codeword, and similarly if we rotate each word we get another valid codeword. Then we can combine a few rotated and/or shifted codewords so as to build local collisions. The attacks on SHA-1 start with a codeword of minimal distance, and combine 6 rotated versions. Thus the weight of the actual expanded message difference used in the attack is six times the minimal weight of the code. Note that the message expansion of SIMD is more complex than the one from SHA-1, and it seems very hard to find this kind of message pair in SIMD. Moreover, the trick used in SHA-1 cannot be used here because the message expansion is neither linear nor circulant.

Heuristic III. We now remove all heuristic assumptions and we try to give a bound on any differential trail. However, to keep this analysis simple, we still disregard the specificities of the first round, and the fact that one can combine some of the message differences. The adversary will still use local collisions to minimize the number of differences in the state, but he will also try to reduce the number of conditions for each local collision by clustering them. We have seen that an isolated state difference costs 4 conditions, but if two state differences are next to each other, the cost can be reduced when using a signed difference.
For instance, if two inputs of the MAJ function are active, the adversary does not have to pay any probability: if both active inputs have the same sign, then the output is active with the same sign, but if the inputs have opposite signs then the output will be inactive. In this section we consider that a Boolean function with more than one active input does not cost any probability. Thus, the best strategy for the adversary is to place the state differences so that each active Boolean function has two active inputs, in order to avoid any φ-conditions. Each state difference costs only one ⊞-condition, and gets 4.5 message differences (the message differences corresponding to the Boolean functions are shared between two Boolean functions). This gives a lower bound of 116 conditions.

Program 1 Linear Program

Minimize S + α − β with the constraints:

  α ≥ 0 is the number of Boolean functions with at least one active input
  β ≥ 0 is the number of Boolean functions with at least two active inputs
  γ ≥ 0 is the number of Boolean functions with at least three active inputs
  S ≥ 0 is the number of active state bits

  3S = α + β + γ        (1)
  520 ≤ 3S + α          (2)
  γ ≤ β ≤ α             (3)

More rigorously, this can be described by a linear program, as shown in Linear Program 1. Equation (1) comes from counting the number of active inputs to the Boolean functions in two different ways, while Equation (2) counts the number of message differences that can be used. The objective value S + α − β counts the conditions: one for each state difference, plus one for each Boolean function with exactly one active input. The optimal solution to this program is 520/4.5 ≈ 116. In the next section we will see how to improve this bound and get a bound on the probability of any differential path.

Comparison with SHA-1-IME. The security of SHA-1-IME is based on a heuristic that is quite similar to our Heuristic I. Jutla and Patthak assume that the adversary will use the same technique as the attacks on SHA-1, i.e. create local collisions using the fact that the code is linear and circulant. They deduce that the probability of a differential characteristic will be about. They implicitly assume that the adversary cannot find minimal codewords that would already give local collisions. Our Heuristic II assumes that the attacker can find such codewords, and if we apply it to SHA-1-IME, it would only guarantee that we have at least 13 local collisions (each local collision accounts for 6 message differences). Since a local collision in SHA-1 has an average probability of 2^{-2.5}, this would only prove that an attack has complexity at least 2^{13 · 2.5} = 2^{32.5}. This shows that our Heuristics II and III are much weaker than the heuristic used in SHA-1-IME.

4.5 Upper Bounding the Probability of a Differential Path

The bound given by Heuristic III is slightly lower than n/2, so we would like to improve it. To find a better bound, we will follow the approach of Linear Program 1.
Note that in the optimal solution, all the Boolean functions have either zero or two active inputs, but it is unlikely that such a path actually exists because of the way the Boolean functions share inputs. In order to remove some impossible solutions, we use a more detailed modeling of differential paths where each individual state bit is treated separately. This also allows us to express some extra constraints that will help to improve the lower bound.

Constraints related to the message expansion. We know that the message expansion gives at least 520 differences in the expanded message, but there are some constraints on the positions of these differences. Namely, we have at least 65 active words in each copy of the message, and each active word has at least 4 active bits. For instance, a difference pattern with 3 active bits in each word would have 768 bit differences, but it is not a valid pattern. Moreover, the active words in both copies have to be the same up to the permutation P. To include these constraints in our model, we add a set of binary variables Y_i which encode whether word i is active in the output of the NTT. This is modeled by Equations (4) and (5). Note that this still allows many difference patterns that cannot be the output of a real message pair.

Better cost estimation. In Program 1, we only count a condition for the Boolean functions with a single active input. In fact, if we look at the truth table of the Boolean functions we see that the IF function still needs a condition when inputs 1 and 2, or 1 and 3 are active. Since we are using distinct variables for each of these inputs, we can include this in our description.
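The two truth-table claims made in this section and in Heuristic III, that MAJ with two active inputs costs nothing (same signs pass, opposite signs absorb) and that IF still needs a condition when inputs 1 and 2, or 1 and 3, are active, can be checked by enumeration. The Python below is an added example, not the paper's code. It assumes that input 1 of IF is the selector, IF(a, b, c) = (a ∧ b) ∨ (¬a ∧ c), and that inactive inputs take every value (the "values themselves are random" assumption of Section 4.1).

```python
"""Added example: phi-conditions of the SIMD Boolean functions under signed
differences, by exhaustive enumeration of the truth tables (not the paper's
code).  A signed bit difference is +1 (0 -> 1), -1 (1 -> 0) or 0 (inactive).
"""

from collections import Counter
from itertools import product
import math


def MAJ(a, b, c):
    return (a & b) | (a & c) | (b & c)


def IF(a, b, c):
    # Assumption: input 1 selects between inputs 2 and 3.
    return (a & b) | ((1 - a) & c)


def output_differences(f, signs):
    """Distribution of the signed output difference f(x') - f(x).

    signs: triple in {-1, 0, +1}, one per input.  Inactive inputs (0) range
    over both values; active inputs take the pair fixed by their sign.
    """
    inactive = [i for i, s in enumerate(signs) if s == 0]
    dist = Counter()
    for vals in product((0, 1), repeat=len(inactive)):
        x, x2 = [0, 0, 0], [0, 0, 0]
        for i, v in zip(inactive, vals):
            x[i] = x2[i] = v
        for i, s in enumerate(signs):
            if s == +1:
                x[i], x2[i] = 0, 1
            elif s == -1:
                x[i], x2[i] = 1, 0
        dist[f(*x2) - f(*x)] += 1
    return dist


def conditions(dist):
    """-log2 of the probability of the most likely outcome: 0 when the
    outcome is determined, 1 when the best the characteristic can do is 1/2."""
    return math.log2(sum(dist.values()) / max(dist.values()))


def signed_conditions(f, signs):
    """Conditions when the characteristic fixes the output difference and its sign."""
    return conditions(output_differences(f, signs))


def activity_conditions(f, signs):
    """Conditions when the characteristic only fixes whether the output is
    active, which is the view taken by Program 1 and Program 2."""
    activity = Counter()
    for diff, n in output_differences(f, signs).items():
        activity[diff != 0] += n
    return conditions(activity)


def condition_table(f):
    """Activity conditions for every pattern of active inputs and signs."""
    return {signs: activity_conditions(f, signs)
            for signs in product((-1, 0, 1), repeat=3) if any(signs)}


if __name__ == "__main__":
    for name, f in (("MAJ", MAJ), ("IF", IF)):
        for signs, cost in sorted(condition_table(f).items()):
            print(name, signs, cost)
```

The activity metric reproduces the text: one condition for any single active input of MAJ or IF, none for MAJ with two active inputs, one for IF with inputs 1 and 2 or 1 and 3 active, none for inputs 2 and 3. The signed metric shows one subtlety the activity view hides: with inputs 2 and 3 of IF active with opposite signs, the output is always active but its sign is decided by the selector, so a characteristic that needs a particular sign entering the modular sum still pays a condition there.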

Program 2 Integer Linear Program (simplified)

Minimize

\[
\sum S^{(j)}_i[k] + \sum \alpha^{(j)}_i[k] - \sum \beta^{(j)}_i[k]
\]

with the constraints:

\[
S^{(j-1)}_i[k] + S^{(j-2)}_i[k] + S^{(j-3)}_i[k] = \alpha^{(j)}_i[k] + \beta^{(j)}_i[k] + \gamma^{(j)}_i[k] \quad (1')
\]
\[
W^{(j)}_i[k] \le S^{(j)}_i[k+s_j] + S^{(j-4)}_i[k-r_j] + S^{(j-1)}_{p_j(i)}[k-r_j+s_j] + \alpha^{(j)}_i[k] \quad (2')
\]
\[
\gamma^{(j)}_i[k] \le \beta^{(j)}_i[k] \le \alpha^{(j)}_i[k] \quad (3')
\]
\[
\sum_{k=0}^{15} W^{(j)}_i[k] \ge 4\,Y_{P_1(i,j)}, \qquad \sum_{k=16}^{31} W^{(j)}_i[k] \ge 4\,Y_{P_0(i,j)} \quad (4)
\]
\[
\sum_i Y_i \ge 65 \quad (5)
\]

  α^{(j)}_i[k] ∈ 𝔹 is true iff φ^{(j)}_i[k] has at least one active input
  β^{(j)}_i[k] ∈ 𝔹 is true iff φ^{(j)}_i[k] has at least two active inputs
  γ^{(j)}_i[k] ∈ 𝔹 is true iff φ^{(j)}_i[k] has at least three active inputs
  S^{(j)}_i[k] ∈ 𝔹 is true iff the state bit A^{(j)}_i[k] is active
  W^{(j)}_i[k] ∈ 𝔹 is true iff the expanded message bit W^{(j)}_i[k] is active
  Y_i ∈ 𝔹 is true iff the word i is active in the output of the NTT

We can write all these constraints as a huge optimisation problem with approximately 30,000 variables and 80,000 equations, but we need some tool to find the optimal solution of the system, or at least find a lower bound. We decided to write our problem as an Integer Linear Program.

Integer Linear Programming. Integer Linear Programming (ILP) is a generalisation of Linear Programming (LP) where some variables are restricted to integer values. While LP is solvable in polynomial time, ILP is NP-complete. ILP solvers usually use some variant of the branch-and-bound algorithm. In the case of a minimization problem, the branch-and-bound algorithm computes a lower bound on the optimal solution and incrementally raises this lower bound. Meanwhile, non-optimal solutions give an upper bound, and when the two bounds meet, the search is over.

Results. A simplified version of the ILP is given by Program 2. The first equations and the objective value mirror Program 1, but use many variables to allow for more precise extra constraints. The full program has 28,576 variables and 80,162 equations for SIMD-256.
We used the solver SYMPHONY, an open-source solver for mixed-integer linear programs. The solver could not find an optimal solution to the program, but it reached an interesting lower bound after some time: a differential path for SIMD-256 has at least 132 conditions, while a differential path for SIMD-512 has at least 253. The computation for SIMD-512 took one month on a bi-quadcore machine.

Summary. The optimal strategy of the attacker is to use local collisions (avoiding any difference propagation) and to cluster the local collisions so as to avoid most conditions. Our modeling allows the adversary to do this because he can choose the message difference and the expanded message difference independently, and he can position the differences arbitrarily in the inner code. However, this is not possible in practice, and most solutions of the Integer Linear Program will require an expanded message difference that is not actually feasible. Therefore, we expect that the best differential path in SIMD is much worse than the optimal solution of our Integer Linear Program. Moreover, the program is too large to be solved to optimality, and we only have a lower bound on the number of conditions (this lower bound keeps improving if we let the solver run).

5 Security Status of SIMD

5.1 On the Symmetry-based Distinguisher

The distinguisher of Section 2 shows that the compression function of SIMD is not ideal. It does not affect the security of the hash function, but it is nonetheless an unwanted property. Since this distinguisher is based on symmetry properties, it is easy to avoid this property by slightly changing the design. Therefore, we plan to tweak the SIMD design by adding non-symmetric constants, if given such an opportunity.

We also note that other SHA-3 candidates are in a similar situation: CubeHash has strong symmetry properties in its round transformation [1,9]. It is thought that since the initial state is not symmetric, it is not possible to reach a symmetric state. Shabal has strong distinguishers on its compression function: there are differential paths with probability 1 [2], and the inverse permutation does not have full diffusion (some input bits do not depend on all output bits). The Shabal team has shown that these distinguishers do not affect the security [6].

Countermeasures. An interesting way to avoid the symmetry properties would be to add a counter to the expanded message after the multiplication by a constant (step 3 of the message expansion). This would ensure that each expanded message word has a different value modulo 185 (respectively modulo 223), and it prevents equality constraints between the expanded message words.

5.2 On Differential Attacks

Concerning differential attacks, our results are two-fold:

1. A differential path with a non-zero difference in the input chaining value does not affect the security of the hash function because it is wide-pipe.
2. A differential path with a non-zero difference in the message cannot have a high success probability, because of the strong message expansion.

This shows that successful attacks on the hash function based on differential properties are very unlikely.

Acknowledgments

We would like to thank Praveen Gauravaram from Technical University of Denmark, Copenhagen for discussions on the proof of indifferentiability.
We would also like to thank Franck Landelle from CELLAR for insightful comments on the security of SIMD and limitations of our initial study of differential paths. Part of this work was supported by CELLAR. Part of this work was supported by the European Commission through ECRYPT, and by the French government through the Saphir RNRT project.

References

1. Aumasson, J.P., Brier, E., Meier, W., Naya-Plasencia, M., Peyrin, T.: Inside the Hypercube. In Boyd, C., Nieto, J.M.G., eds.: ACISP. Volume 5594 of Lecture Notes in Computer Science., Springer (2009)
2. Aumasson, J.P., Mashatan, A., Meier, W.: More on Shabal's permutation. OFFICIAL COMMENT (2009)
3. Biryukov, A., Khovratovich, D.: Related-Key Cryptanalysis of the Full AES-192 and AES-256. In Matsui, M., ed.: ASIACRYPT. Volume 5912 of Lecture Notes in Computer Science., Springer (2009)
4. Bouillaguet, C., Dunkelman, O., Fouque, P.A., Leurent, G.: Another Look at the Complementation Property. In Hong, S., Iwata, T., eds.: FSE 10. Lecture Notes in Computer Science, Springer (2010)
5. Bouillaguet, C., Fouque, P.A., Leurent, G.: Security analysis of SIMD. Cryptology ePrint Archive, Report 2010/323 (2010)
6. Bresson, E., Canteaut, A., Chevallier-Mames, B., Clavier, C., Fuhr, T., Gouget, A., Icart, T., Misarsky, J.F., Naya-Plasencia, M., Paillier, P., Pornin, T., Reinhard, J.R., Thuillet, C., Videau, M.: Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers. Cryptology ePrint Archive, Report 2009/199 (2009)


More information

Outline and Reading. Dynamic Programming. Dynamic Programming revealed. Computing Fibonacci. The General Dynamic Programming Technique

Outline and Reading. Dynamic Programming. Dynamic Programming revealed. Computing Fibonacci. The General Dynamic Programming Technique Outlne and Readng Dynamc Programmng The General Technque ( 5.3.2) -1 Knapsac Problem ( 5.3.3) Matrx Chan-Product ( 5.3.1) Dynamc Programmng verson 1.4 1 Dynamc Programmng verson 1.4 2 Dynamc Programmng

More information

An Interactive Optimisation Tool for Allocation Problems

An Interactive Optimisation Tool for Allocation Problems An Interactve Optmsaton ool for Allocaton Problems Fredr Bonäs, Joam Westerlund and apo Westerlund Process Desgn Laboratory, Faculty of echnology, Åbo Aadem Unversty, uru 20500, Fnland hs paper presents

More information

Calculation of time complexity (3%)

Calculation of time complexity (3%) Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add

More information

CSC 411 / CSC D11 / CSC C11

CSC 411 / CSC D11 / CSC C11 18 Boostng s a general strategy for learnng classfers by combnng smpler ones. The dea of boostng s to take a weak classfer that s, any classfer that wll do at least slghtly better than chance and use t

More information

Some Comments on Accelerating Convergence of Iterative Sequences Using Direct Inversion of the Iterative Subspace (DIIS)

Some Comments on Accelerating Convergence of Iterative Sequences Using Direct Inversion of the Iterative Subspace (DIIS) Some Comments on Acceleratng Convergence of Iteratve Sequences Usng Drect Inverson of the Iteratve Subspace (DIIS) C. Davd Sherrll School of Chemstry and Bochemstry Georga Insttute of Technology May 1998

More information

Lecture Notes on Linear Regression

Lecture Notes on Linear Regression Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume

More information

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton

More information

On the Multicriteria Integer Network Flow Problem

On the Multicriteria Integer Network Flow Problem BULGARIAN ACADEMY OF SCIENCES CYBERNETICS AND INFORMATION TECHNOLOGIES Volume 5, No 2 Sofa 2005 On the Multcrtera Integer Network Flow Problem Vassl Vasslev, Marana Nkolova, Maryana Vassleva Insttute of

More information

Lecture 12: Discrete Laplacian

Lecture 12: Discrete Laplacian Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly

More information

Amiri s Supply Chain Model. System Engineering b Department of Mathematics and Statistics c Odette School of Business

Amiri s Supply Chain Model. System Engineering b Department of Mathematics and Statistics c Odette School of Business Amr s Supply Chan Model by S. Ashtab a,, R.J. Caron b E. Selvarajah c a Department of Industral Manufacturng System Engneerng b Department of Mathematcs Statstcs c Odette School of Busness Unversty of

More information

EPR Paradox and the Physical Meaning of an Experiment in Quantum Mechanics. Vesselin C. Noninski

EPR Paradox and the Physical Meaning of an Experiment in Quantum Mechanics. Vesselin C. Noninski EPR Paradox and the Physcal Meanng of an Experment n Quantum Mechancs Vesseln C Nonnsk vesselnnonnsk@verzonnet Abstract It s shown that there s one purely determnstc outcome when measurement s made on

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information

Section 8.3 Polar Form of Complex Numbers

Section 8.3 Polar Form of Complex Numbers 80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

Canonical transformations

Canonical transformations Canoncal transformatons November 23, 2014 Recall that we have defned a symplectc transformaton to be any lnear transformaton M A B leavng the symplectc form nvarant, Ω AB M A CM B DΩ CD Coordnate transformatons,

More information

The Order Relation and Trace Inequalities for. Hermitian Operators

The Order Relation and Trace Inequalities for. Hermitian Operators Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence

More information

Linear Feature Engineering 11

Linear Feature Engineering 11 Lnear Feature Engneerng 11 2 Least-Squares 2.1 Smple least-squares Consder the followng dataset. We have a bunch of nputs x and correspondng outputs y. The partcular values n ths dataset are x y 0.23 0.19

More information

a b a In case b 0, a being divisible by b is the same as to say that

a b a In case b 0, a being divisible by b is the same as to say that Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :

More information

Chapter 13: Multiple Regression

Chapter 13: Multiple Regression Chapter 13: Multple Regresson 13.1 Developng the multple-regresson Model The general model can be descrbed as: It smplfes for two ndependent varables: The sample ft parameter b 0, b 1, and b are used to

More information

VQ widely used in coding speech, image, and video

VQ widely used in coding speech, image, and video at Scalar quantzers are specal cases of vector quantzers (VQ): they are constraned to look at one sample at a tme (memoryless) VQ does not have such constrant better RD perfomance expected Source codng

More information

The Geometry of Logit and Probit

The Geometry of Logit and Probit The Geometry of Logt and Probt Ths short note s meant as a supplement to Chapters and 3 of Spatal Models of Parlamentary Votng and the notaton and reference to fgures n the text below s to those two chapters.

More information

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k.

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k. THE CELLULAR METHOD In ths lecture, we ntroduce the cellular method as an approach to ncdence geometry theorems lke the Szemeréd-Trotter theorem. The method was ntroduced n the paper Combnatoral complexty

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s

More information

LOW BIAS INTEGRATED PATH ESTIMATORS. James M. Calvin

LOW BIAS INTEGRATED PATH ESTIMATORS. James M. Calvin Proceedngs of the 007 Wnter Smulaton Conference S G Henderson, B Bller, M-H Hseh, J Shortle, J D Tew, and R R Barton, eds LOW BIAS INTEGRATED PATH ESTIMATORS James M Calvn Department of Computer Scence

More information

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen

More information

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix Lectures - Week 4 Matrx norms, Condtonng, Vector Spaces, Lnear Independence, Spannng sets and Bass, Null space and Range of a Matrx Matrx Norms Now we turn to assocatng a number to each matrx. We could

More information

Improved Integral Cryptanalysis of FOX Block Cipher 1

Improved Integral Cryptanalysis of FOX Block Cipher 1 Improved Integral Cryptanalyss of FOX Block Cpher 1 Wu Wenlng, Zhang Wentao, and Feng Dengguo State Key Laboratory of Informaton Securty, Insttute of Software, Chnese Academy of Scences, Bejng 100080,

More information

1 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations

1 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations Physcs 171/271 -Davd Klenfeld - Fall 2005 (revsed Wnter 2011) 1 Dervaton of Rate Equatons from Sngle-Cell Conductance (Hodgkn-Huxley-lke) Equatons We consder a network of many neurons, each of whch obeys

More information

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers Psychology 282 Lecture #24 Outlne Regresson Dagnostcs: Outlers In an earler lecture we studed the statstcal assumptons underlyng the regresson model, ncludng the followng ponts: Formal statement of assumptons.

More information

Hash functions : MAC / HMAC

Hash functions : MAC / HMAC Hash functons : MAC / HMAC Outlne Message Authentcaton Codes Keyed hash famly Uncondtonally Secure MACs Ref: D Stnson: Cryprography Theory and Practce (3 rd ed), Chap 4. Unversal hash famly Notatons: X

More information

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL The Synchronous 8th-Order Dfferental Attack on 12 Rounds of the Block Cpher HyRAL Yasutaka Igarash, Sej Fukushma, and Tomohro Hachno Kagoshma Unversty, Kagoshma, Japan Emal: {garash, fukushma, hachno}@eee.kagoshma-u.ac.jp

More information

Exercises. 18 Algorithms

Exercises. 18 Algorithms 18 Algorthms Exercses 0.1. In each of the followng stuatons, ndcate whether f = O(g), or f = Ω(g), or both (n whch case f = Θ(g)). f(n) g(n) (a) n 100 n 200 (b) n 1/2 n 2/3 (c) 100n + log n n + (log n)

More information

Common loop optimizations. Example to improve locality. Why Dependence Analysis. Data Dependence in Loops. Goal is to find best schedule:

Common loop optimizations. Example to improve locality. Why Dependence Analysis. Data Dependence in Loops. Goal is to find best schedule: 15-745 Lecture 6 Data Dependence n Loops Copyrght Seth Goldsten, 2008 Based on sldes from Allen&Kennedy Lecture 6 15-745 2005-8 1 Common loop optmzatons Hostng of loop-nvarant computatons pre-compute before

More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

The stream cipher MICKEY

The stream cipher MICKEY The stream cpher MICKEY-128 2.0 Steve Babbage Vodafone Group R&D, Newbury, UK steve.babbage@vodafone.com Matthew Dodd Independent consultant matthew@mdodd.net www.mdodd.net 30 th June 2006 Abstract: We

More information

STAT 309: MATHEMATICAL COMPUTATIONS I FALL 2018 LECTURE 16

STAT 309: MATHEMATICAL COMPUTATIONS I FALL 2018 LECTURE 16 STAT 39: MATHEMATICAL COMPUTATIONS I FALL 218 LECTURE 16 1 why teratve methods f we have a lnear system Ax = b where A s very, very large but s ether sparse or structured (eg, banded, Toepltz, banded plus

More information

Finding Primitive Roots Pseudo-Deterministically

Finding Primitive Roots Pseudo-Deterministically Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms

More information

Research on State Collisions of Authenticated Cipher ACORN

Research on State Collisions of Authenticated Cipher ACORN 4th Internatonal Conference on Sensors, Measurement and Intellgent Materals (ICSMIM 2015) Research on State Collsons of Authentcated Cpher ACORN Pe Zhanga*, Je Guanb, Junzh Lc and Tarong Shd Informaton

More information

2 More examples with details

2 More examples with details Physcs 129b Lecture 3 Caltech, 01/15/19 2 More examples wth detals 2.3 The permutaton group n = 4 S 4 contans 4! = 24 elements. One s the dentty e. Sx of them are exchange of two objects (, j) ( to j and

More information

10. Canonical Transformations Michael Fowler

10. Canonical Transformations Michael Fowler 10. Canoncal Transformatons Mchael Fowler Pont Transformatons It s clear that Lagrange s equatons are correct for any reasonable choce of parameters labelng the system confguraton. Let s call our frst

More information

Lecture Space-Bounded Derandomization

Lecture Space-Bounded Derandomization Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

A new construction of 3-separable matrices via an improved decoding of Macula s construction

A new construction of 3-separable matrices via an improved decoding of Macula s construction Dscrete Optmzaton 5 008 700 704 Contents lsts avalable at ScenceDrect Dscrete Optmzaton journal homepage: wwwelsevercom/locate/dsopt A new constructon of 3-separable matrces va an mproved decodng of Macula

More information

9 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations

9 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations Physcs 171/271 - Chapter 9R -Davd Klenfeld - Fall 2005 9 Dervaton of Rate Equatons from Sngle-Cell Conductance (Hodgkn-Huxley-lke) Equatons We consder a network of many neurons, each of whch obeys a set

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of

More information

MMA and GCMMA two methods for nonlinear optimization

MMA and GCMMA two methods for nonlinear optimization MMA and GCMMA two methods for nonlnear optmzaton Krster Svanberg Optmzaton and Systems Theory, KTH, Stockholm, Sweden. krlle@math.kth.se Ths note descrbes the algorthms used n the author s 2007 mplementatons

More information

Time-Varying Systems and Computations Lecture 6

Time-Varying Systems and Computations Lecture 6 Tme-Varyng Systems and Computatons Lecture 6 Klaus Depold 14. Januar 2014 The Kalman Flter The Kalman estmaton flter attempts to estmate the actual state of an unknown dscrete dynamcal system, gven nosy

More information

Lecture 4. Instructor: Haipeng Luo

Lecture 4. Instructor: Haipeng Luo Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information

COMPLEX NUMBERS AND QUADRATIC EQUATIONS

COMPLEX NUMBERS AND QUADRATIC EQUATIONS COMPLEX NUMBERS AND QUADRATIC EQUATIONS INTRODUCTION We know that x 0 for all x R e the square of a real number (whether postve, negatve or ero) s non-negatve Hence the equatons x, x, x + 7 0 etc are not

More information

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 493 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces you have studed thus far n the text are real vector spaces because the scalars

More information