Algebraic properties of SHA-3 and notable cryptanalysis results

Transcription

1 Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, / 51

2 Cryptographic Hash Functions H : {0,1} {0,1} n m H h = H(m) = }{{} n bits Security properties: Preimage resistance (Complexity of the generic attack: 2 n ) Second-preimage resistance (Complexity of the generic attack: 2 n ) Collision resistance (Complexity of the generic attack: 2 n/2 ) Applications: password protection, digital signatures, key derivation, random number generation,... 2 / 51

3 Hash functions before 2004 MD4, MD5, SHA-0, SHA-1, SHA-2... Merkle-Damgård was normal way to build hashes. MD4 was known to be broken by Dobbertin, but still saw occasional use MD5 was known to have theoretical weaknesses from Den Boer/Bosselaers and Dobbertin, but still in wide use. SHA-0 was known to have weaknesses and wasn t used. SHA-1 was thought to be very strong. SHA-2 looked like the future, with security up to 256 bits. John Kelsey, NIST, August / 51

4 The NIST SHA-3 competition Devastating attacks against MD5, SHA-1,... by Wang et al. (2004) Lack of confidence in SHA-2 (standard). NIST launches in 2008 a public competition for defining a new standard. 64 submissions (October 2008) 51 first-round candidates 14 second-round candidates (July 2009) 5 finalists (December 2010) Winner of the competition (October 2012): Keccak SHA-3 standard: Draft FIPS PUB 202 (May 2014) 4 / 51

5 Outline 1 Keccak s specifications 2 Algebraic properties of Keccak-f 3 Collision attacks against reduced-round Keccak 5 / 51

6 Keccak s specifications Outline 1 Keccak s specifications 2 Algebraic properties of Keccak-f 3 Collision attacks against reduced-round Keccak 6 / 51

7 Keccak s specifications The Keccak team Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche STMicroelectronics, NXP Semiconductors 7 / 51

8 Keccak s specifications The sponge construction [Bertoni, Daemen, Peeters, Van Assche 08] m 1 m 2 m k z 1 z 2 z 3 r c f f f f f... absorbing squeezing Variable input length, variable output length Fixed-length permutation (or transformation) Two parameters: bitrate r, capacity c, with r +c = b, where b is the size of the permutation. 8 / 51

9 Keccak s specifications Security Claims Traditionally, for fixed-length output functions, resistance to hash function attacks is expressed by means of the output length n. Sponges are variable-length output constructions. Define the strength of the construction, in function of some size parameters. 9 / 51

10 Keccak s specifications The sponge construction with capacity c Use the parameter c as an indicator for the security of the construction (flat sponge claim). No generic attacks below 2 c/2 (Unless easier generically). Collision: min(2 c/2,2 n/2 ) Preimage: min(2 c/2,2 n ) Second Preimage: min(2 c/2,2 n ) Performance and security trade-off. 10 / 51

11 Keccak s specifications The SHA-3 standard Based on the sponge construction with a fixed permutation of 1600 bits, called Keccak-f. Four SHA3 fixed-length hash functions: SHA3-{224, 256, 384, 512}, with c = 2n. Remplacements for SHA2 Two SHA3 XOFs (Extendable-Output Functions): SHAKE-256 SHAKE-512 (SHAKE = SHA + KEccak) 11 / 51

12 Keccak s specifications The Keccak-f permutation Keccak-f Permutation 1600-bit state, seen as a 3-dimensional matrix 24 rounds R = ι χ π ρ θ Linear layer: L = π ρ θ. Nonlinear layer: 320 parallel applications of a 5 5 S-box χ 12 / 51

13 Keccak s specifications The θ transformation 4 4 a[x][y][z] a[x][y][z]+ a[x 1][y ][z]+ a[x+1][y ][z 1] y =0 y =0 13 / 51

14 Keccak s specifications The ρ transformation x = 3 x = 4 x = 0 x = 1 x = 2 y = y = y = y = y = / 51

15 Keccak s specifications The π transformation 15 / 51

16 Keccak s specifications The χ transformation 320 parallel applications of a 5 5 bit Sbox. χ(x 0,x 1,x 2,x 3,x 4 ) = (x 0 +x 2 +x 1 x 2, x 1 +x 3 +x 2 x 3, x 2 +x 4 +x 3 x 4, x 3 +x 0 +x 4 x 0, x 4 +x 1 +x 0 x 1 ). Can be implemented by using an XOR, an AND and a NOT operation. 16 / 51

17 Keccak s specifications The ι transformation XOR of round-dependent constant to lane in origin Break symmetry: Without ι the round mapping would be symmetric rotational cryptanalysis?... all rounds would be the same slide attacks?...simple fixed points: (000 and 111) 17 / 51

18 Keccak s specifications The reasons for choosing Keccak High security margin Simple and elegant design Flexibility in choosing parameters Good performance in software (not as good as SHA2, Skein or BLAKE) but still more than acceptable Excellent performance in hardware (better than all the other candidates and better than SHA2!) Built-in authenticated-encryption mode Different design than SHA2 18 / 51

19 Algebraic properties of Keccak-f Outline 1 Keccak s specifications 2 Algebraic properties of Keccak-f 3 Collision attacks against reduced-round Keccak 19 / 51

20 Algebraic properties of Keccak-f Random behaviour of cryptographic primitives Cryptographic primitives should behave like random functions: A distinguishing property may be the starting point for some attacks. Security proofs of many constructions assume random building blocks. e.g. hermetic sponge strategy: the underlying permutation f of a sponge construction should not have any structural distinguishers. Does Keccak-f behave like a random permutation of F ? 20 / 51

21 Algebraic properties of Keccak-f Algebraic degree of a vectorial function F : F n 2 Fm 2 Example: F(x 0,x 1,x 2,x 3,x 4 ) = (x 0 +x 2 +x 4 +x 1 x 2 +x 1 x 4 +x 3 x 4 +x 1 x 3 x 4, x 0 +x 1 +x 3 +x 0 x 2 +x 0 x 4 +x 2 x 3 +x 0 x 2 x 4, x 1 +x 2 +x 4 +x 0 x 1 +x 1 x 3 +x 3 x 4 +x 0 x 1 x 3, x 0 +x 2 +x 3 +x 0 x 4 +x 1 x 2 +x 2 x 4 +x 1 x 2 x 4, x 1 +x 3 +x 4 +x 0 x 1 +x 0 x 3 +x 2 x 3 +x 0 x 2 x 3 ). 21 / 51

22 Algebraic properties of Keccak-f Algebraic degree of a vectorial function F : F n 2 Fm 2 Example: F(x 0,x 1,x 2,x 3,x 4 ) = (x 0 +x 2 +x 4 +x 1 x 2 +x 1 x 4 +x 3 x 4 +x 1 x 3 x 4, x 0 +x 1 +x 3 +x 0 x 2 +x 0 x 4 +x 2 x 3 +x 0 x 2 x 4, x 1 +x 2 +x 4 +x 0 x 1 +x 1 x 3 +x 3 x 4 +x 0 x 1 x 3, x 0 +x 2 +x 3 +x 0 x 4 +x 1 x 2 +x 2 x 4 +x 1 x 2 x 4, x 1 +x 3 +x 4 +x 0 x 1 +x 0 x 3 +x 2 x 3 +x 0 x 2 x 3 ). The algebraic degree of F is / 51

23 Algebraic properties of Keccak-f Some attacks exploiting a low algebraic degree Algebraic attacks Write the equations defining the primitive and try to solve the polynomial system. Cube attacks [Dinur-Shamir 08] The factor of some monomial depends linearly on the key bits. Higher-order differential attacks [Lai 94] [Knudsen 94] Let F : F n 2 Fn 2. For every subspace V with dimv > degf, D V F(x) = v V F(x+v) = 0, for every x F n / 51

24 Algebraic properties of Keccak-f Zero-Sums For block ciphers (known-key attack) [Knudsen - Rijmen 07] For hash functions [Aumasson - Meier 09, Boura - Canteaut 10] Definition Let F : F n 2 Fn 2. A zero-sum for F of size K is a subset {x 1,...,x K } F n 2 such that K x i = i=1 K F(x i ) = 0. i=1 Proposition. [Boura-Canteaut 10] For any function F, there exists at least a zero-sum of size / 51

25 Algebraic properties of Keccak-f Zero-Sum Partitions Definition Let P be a permutation from F n 2 Fn 2. A zero-sum partition for P of size K = 2 k is a collection of 2 n k disjoint zero-sums. 24 / 51

26 Algebraic properties of Keccak-f Exploiting a low algebraic degree P = R r R 1. Let F r t = R r R t+1 and G t = R1 1 R 1 Let V F n 2 with dimv > max(degf r t,degg t ). P t. G t F r t X a V +a P(X a ) X a = {G t (z +a),z V}, is a zero-sum partition of F n 2 of size 2dimV for P. x = G t (z +a) = D V G t (a) = 0 x X a z V P(x) = F r t (z +a) = D V F r t (a) = 0 x X a z V 25 / 51

27 Algebraic properties of Keccak-f Trivial bounds 24 rounds of a permutation R of degree 2 over F after r rounds, deg(r r ) 2 r What is usually expected a full degree after 11 rounds existence of zero-sum partitions up to 16 rounds of size : deg(r 10 ) 2 10 anddeg((r 1 ) 6 ) 3 6 R 16 R 6 R 10 X a V +a R 16 (X a ) 26 / 51

28 Algebraic properties of Keccak-f A new bound exploiting the structure of the non-linear layer χ χ χ χ Linear Layer χ χ χ χ Linear Layer χ χ χ χ Linear Layer 27 / 51

29 Algebraic properties of Keccak-f χ χ χ χ Find the maximal degree of the product π of d output coodinates. δ k = maximal degree of the product of k coordinates of χ. 28 / 51

30 Algebraic properties of Keccak-f χ χ χ χ Find the maximal degree of the product π of d output coodinates. δ k = maximal degree of the product of k coordinates of χ. Exemple (d = 13) deg(π) 2δ 5 +δ / 51

31 Algebraic properties of Keccak-f χ χ χ χ Find the maximal degree of the product π of d output coodinates. δ k = maximal degree of the product of k coordinates of χ. Exemple (d = 13) deg(π) δ 5 +2δ 3 +δ / 51

32 Algebraic properties of Keccak-f χ χ χ χ Find the maximal degree of the product π of d output coodinates. δ k = maximal degree of the product of k coordinates of χ. deg(π) avec x 1 +2x 2 +3x 3 +4x 4 = d. max (δ 1x 1 +δ 2 x 2 +δ 3 x 3 +δ 4 x 4 ) (x 1,x 2,x 3,x 4 ) 28 / 51

33 Algebraic properties of Keccak-f Bound on δ k For χ: δ k = maximal degree of the product of k coordinates of χ. k δ k / 51

34 Algebraic properties of Keccak-f Bound on δ k For χ: δ k = maximal degree of the product of k coordinates of χ. k δ k Proposition. If S is a permutation of F n 2, δ k = n if and only if k = n 29 / 51

35 Algebraic properties of Keccak-f Bound on δ k For χ: δ k = maximal degree of the product of k coordinates of χ. k δ k Proposition. If S is a permutation of F n 2, δ k = n if and only if k = n 29 / 51

36 Algebraic properties of Keccak-f A bound on the degree of SPN constructions [Boura Canteaut De Cannière FSE 2011] Theorem: Let F = (S,...,S) a permutation of F n 2 F n 0 2. Then with S defined over deg(g F) n n deg(g), γ(s) where n 0 k γ(s) = max 1 k n 0 1 n 0 δ k (S). 30 / 51

37 Algebraic properties of Keccak-f Application to Keccak-f We deduce 5 k γ(χ) = max 1 k 4 5 δ k (χ). k δ k (χ) ( 4 γ(χ) = max 3, 3 1, 2 1, 1 = 3 1) deg(r r ) deg(rr 1 ) 3 31 / 51

38 Algebraic properties of Keccak-f r deg(r r ) / 51

39 Algebraic properties of Keccak-f Application to the inverse of Keccak-f Observation [Duan-Lai 11] γ(χ 1 5 k ) = max 1 k 4 5 δ k (χ 1 ). k δ k (χ 1 ) δ 2 (χ 1 ) = 3 33 / 51

40 Algebraic properties of Keccak-f Influence of the degree of the inverse Question: Is δ 2 (χ 1 ) related to deg(χ)? 34 / 51

41 Algebraic properties of Keccak-f Influence of the degree of the inverse Question: Is δ 2 (χ 1 ) related to deg(χ)? Theorem.[Boura-Canteaut 13] Let F be a permutation on F n 2. Then, for any integers k and l, δ l (F) < n k if and only if δ k (F 1 ) < n l. Case of Keccak: For F = χ 1, k = 1 and l = 2 δ 1 (χ) = 2 < 5 2 implies δ 2 (χ 1 ) < 5 1 = / 51

42 Algebraic properties of Keccak-f A new bound Theorem: Let F = (S,...,S) a permutation of F n 2 with S defined over F n 0 2. Then where We can prove that For the inverse of Keccak-f: deg(g F) n n deg(g), γ(s) n 0 k γ(s) = max 1 k n 0 1 n 0 δ k (S). ( n0 1 γ(s) max n 0 degs, n ) 0 2 1,deg(S 1 ) γ(χ 1 ) 2 35 / 51

43 Algebraic properties of Keccak-f r deg(r r ) deg(r r ) (improv.) deg(rr ) deg(rr 1 ) 2 36 / 51

44 Algebraic properties of Keccak-f Zero-sum partitions for full Keccak-f deg(r 12 ) 1536 deg((r 1 ) 11 ) 1572 X a = {(R 1 ) 11 (a+z), z V}, is a zero-sum partition of size for 24 rounds of Keccak-f. 37 / 51

45 Algebraic properties of Keccak-f Consequences? The security proof still holds if the inner permutation has a given structural property involving more than 2 c+1 2 input-output pairs. The existence of the zero-sum partitions pushed the authors to increase the number of rounds from 18 to / 51

46 Collision attacks against reduced-round Keccak Outline 1 Keccak s specifications 2 Algebraic properties of Keccak-f 3 Collision attacks against reduced-round Keccak 39 / 51

47 Collision attacks against reduced-round Keccak Summary of cryptanalysis results Target Attack Type Output Variant CF Call Reference Keccak-f Distinguisher all 24 rounds [Boura et al. and Duan-Lai 2011] Keccak-f Distinguisher all 8 rounds [Duc et al. 2012] Keccak-f Distinguisher all 6 rounds 2 11 [Kuila et al. 2014] Hash function Distinguisher 224,256 4 rounds 2 25 [Naya-Plasencia et al. 2011] Hash function Collision 224, rounds Example [Naya-Plasencia et al. 2011] Hash Function 2nd preimage 224, rounds Example [Naya-Plasencia et al. 2011] Hash Function 2nd preimage rounds [Bernstein 2010] Hash Function 2nd preimage rounds [Bernstein 2010] Hash Function 2nd preimage rounds [Bernstein 2010] Hash Function Collision 224,256 4 rounds Example [Dinur et al. 2012] Hash Function Collision rounds [Dinur et al. 2013] Hash Function Collision rounds Example [Dinur et al. 2013] Hash Function Collision rounds [Dinur et al. 2013] Hash Function Collision rounds Example [Dinur et al. 2013] 40 / 51

48 Collision attacks against reduced-round Keccak Summary of cryptanalysis results Target Attack Type Output Variant CF Call Reference Keccak-f Distinguisher all 24 rounds [Boura et al. 2010] Keccak-f Distinguisher all 8 rounds [Duc et al. 2012] Keccak-f Distinguisher all 6 rounds 2 11 [Kuila et al. 2014] Hash function Distinguisher 224,256 4 rounds 2 25 [Naya-Plasencia et al. 2011] Hash function Collision 224, rounds Example [Naya-Plasencia et al. 2011] Hash Function 2nd preimage 224, rounds Example [Naya-Plasencia et al. 2011] Hash function 2nd preimage rounds [Bernstein 2010] Hash function 2nd preimage rounds [Bernstein 2010] Hash function 2nd preimage rounds [Bernstein 2010] Hash Function Collision 224,256 4 rounds Example [Dinur et al. 2012] Hash Function Collision rounds [Dinur et al. 2013] Hash Function Collision rounds Example [Dinur et al. 2013] Hash Function Collision rounds [Dinur et al. 2013] Hash Function Collision rounds Example [Dinur et al. 2013] 40 / 51

49 Collision attacks against reduced-round Keccak Summary of cryptanalysis results Target Attack Type Output Variant CF Call Reference Keccak-f Distinguisher all 24 rounds [Boura et al. 2010] Keccak-f Distinguisher all 8 rounds [Duc et al. 2012] Keccak-f Distinguisher all 6 rounds 2 11 [Kuila et al. 2014] Hash function Distinguisher 224,256 4 rounds 2 25 [Naya-Plasencia et al. 2011] Hash function Collision 224, rounds Example [Naya-Plasencia et al. 2011] Hash Function 2nd preimage 224, rounds Example [Naya-Plasencia et al. 2011] Hash function 2nd preimage rounds [Bernstein 2010] Hash function 2nd preimage rounds [Bernstein 2010] Hash function 2nd preimage rounds [Bernstein 2010] Hash Function Collision 224,256 4 rounds Example [Dinur et al. 2012] Hash Function Collision rounds [Dinur et al. 2013] Hash Function Collision rounds Example [Dinur et al. 2013] Hash Function Collision rounds [Dinur et al. 2013] Hash Function Collision rounds Example [Dinur et al. 2013] 40 / 51

50 Collision attacks against reduced-round Keccak Practical collision attacks against reduced-round Keccak Practical Analysis of Reduced-Round Keccak, M. Naya-Plasencia, A. Röck and W. Meier, Indocrypt Exploit the Column Parity Kernel (CP-Kernel) leading to 2-round low Hamming weight characteristics Practical collisions and second-preimage for 2-round Keccak-{224,256} New attacks on Keccak-224 and Keccak-256, I. Dinur, O. Dunkelman and A. Shamir, FSE Extend the previous 2-round CP-Kernel characteristics. Exploit that χ is of degree 2. Practical collisions for 4-round Keccak-{224,256}. 41 / 51

51 Collision attacks against reduced-round Keccak Differential cryptanalysis Introduced by Biham and Shamir in Based on the notion of differentials (δ in δ out ). Let F : F n 2 Fn 2 : x F y δ in δ out x+δ in F x+δ out DP F (δ in δ out ) = {(x,x ) : x x = δ in and F(x) F(x ) = δ out } 2 n 42 / 51

52 Collision attacks against reduced-round Keccak Differential characteristics Let F = f r. δ 1 δ in = δ 0 δ 2 δ 3 δ4 = δ out r 1 DP F (δ 0 δ r ) = DP f (δ i δ i+1 ). i=0 Differential characteristics of high probability can be used as distinguishers, lead to key-recovery attacks (in block ciphers), collision attacks (in hash functions). 43 / 51

53 Collision attacks against reduced-round Keccak Low Hamming-weight characteristics Crucial transformations : θ, and χ Properties of θ: Column Parity Kernel (Keccak team) : For states in which all columns have even parity, θ is the identity. Lowest Hamming weight for states in CP-kernel: / 51

54 Collision attacks against reduced-round Keccak Low Hamming-weight characteristics Crucial transformations : θ, and χ Properties of θ: Column Parity Kernel (Keccak team) : For states in which all columns have even parity, θ is the identity. Lowest Hamming weight for states in CP-kernel: / 51

55 Collision attacks against reduced-round Keccak Low Hamming-weight characteristics Crucial transformations : θ, and χ Properties of θ: Column Parity Kernel (Keccak team) : For states in which all columns have even parity, θ is the identity. Lowest Hamming weight for states in CP-kernel: 2. Properties of χ: 1-bit differences stay the same with probability / 51

56 Collision attacks against reduced-round Keccak Searching for double kernels Image from [Naya-Plasencia, Röck, Meier, 2011] 45 / 51

57 Collision attacks against reduced-round Keccak Collisions on 2-round Keccak-256 Initial differences in the message part. 2-round 4-slice characteristics of weight 16. probability 2 32 Output difference δ out not in the hash part. 46 / 51

58 Collision attacks against reduced-round Keccak Practical Collisions for 4-round Keccak-{224,256} [Dinur, Dunkelman, Shamir 2012] Target difference algorithm 1 round Characteristic extended backwards 1 round High probability differential characteristic δ in δ out 2 rounds Use the two-round low Hamming weight differential characteristics found in [Naya-Plasencia, Röck, Meier 2011]. Place them after the second round and extend one round backwards (target difference). Find message pairs having the target difference after one round of Keccak-f. 47 / 51

59 Collision attacks against reduced-round Keccak Extending one round backwards: The θ effect Inverse of θ: Applying θ 1 to a difference with a single active bit results in a difference with about half of the bits active. 48 / 51

60 Collision attacks against reduced-round Keccak Link to the target difference 0 Target difference Controlable part 49 / 51

61 Collision attacks against reduced-round Keccak The target difference algorithm Two problems to deal with: 1 The target difference is extended backwards with very low probability. 2 Initial state has many bits fixed to a certain value. But: Many available degrees of freedom Method: χ function of degree 2, so when differentiating once has to deal with a linear system. 50 / 51

62 Collision attacks against reduced-round Keccak Conclusions Efforts of the cryptographic community concentrated on the security analysis of SHA-3. Analyze equally the security of keyed versions (recent cube attacks) and of other constructions based on Keccak-f. Analyse Keccak with smaller permutation sizes (use in constrained devices). SHA-3 seems to have a (very) big security margin. 51 / 51

63 Collision attacks against reduced-round Keccak Conclusions Efforts of the cryptographic community concentrated on the security analysis of SHA-3. Analyze equally the security of keyed versions (recent cube attacks) and of other constructions based on Keccak-f. Analyse Keccak with smaller permutation sizes (use in constrained devices). SHA-3 seems to have a (very) big security margin. Thank you for your attention! 51 / 51