Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function

Transcription

1 Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function Alan Kaminsky Department of Computer Science B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of Technology February 24, SIAM Conference on Parallel Processing for Scientific Computing Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 1 / 34

2 Outline 1 Cube Test 2 CubeHash 3 Parallel Cube Tests on CubeHash 4 Statistical Tests 5 Conclusions Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 2 / 34

3 Cube Test Cube Test Published by Aumasson et al. in 2009 [1] Variation of the cube attack published by Dinur and Shamir in 2009 [2] Probes the polynomial structure of a black box cryptographic primitive Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 3 / 34

4 Cube Test Cryptographic Primitive Block cipher Stream cipher Hash function Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 4 / 34

5 Cube Test Crypto Primitive as Boolean Function Cube inputs c 1, c 2,..., c C Superpoly inputs s 1, s 2,..., s S Output = F(c 1, c 2,..., c C, s 1, s 2,..., s S ) Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 5 / 34

6 Superpoly Cube Test Output F is expressed as a polynomial in GF(2) Factor F as follows: F = c 1 c 2 c C Q(s 1,..., s S ) + R(c 1,..., c C, s 1,..., s S ) Q = Superpoly of F w.r.t. cube inputs c 1,..., c C R = Remainder Q and R also are polynomials in GF(2) Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 6 / 34

7 Cube Test Superpoly Calculation Theorem (Dinur & Shamir [2]) Proof. Q(s 1, s 2,..., s S ) = c 1 c 2...c C = F (c 1, c 2,..., c C, s 1, s 2,..., s S ). In the summation over the 2 C combinations of c 1 c 2... c C, each term in R is added in an even number of times, since no term in R contains all of c 1 c 2... c C. Therefore, in GF(2) arithmetic, the terms in R sum up to 0. The terms in Q, however, are added in only once, when c 1 c 2... c C = Therefore, the summation yields just Q. Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 7 / 34

8 Cube Test Superpoly Calculation Procedure To compute Q(s 1, s 2,..., s S ): Set unused inputs of F to 0 Set superpoly inputs of F to s 1, s 2,..., s S Q 0 For each combination of c 1, c 2,..., c C from to : Q Q F(c 1, c 2,..., c C, s 1, s 2,..., s S ) We can calculate Q without even knowing the formula for Q, treating F solely as a black box! To calculate Q takes 2 C iterations! But it s massively parallel! Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 8 / 34

9 Cube Test Multiple Simultaneous Superpolys The cryptographic primitive calculates multiple Boolean functions F 1, F 2,..., F N simultaneously And thus multiple superpolys Q 1, Q 2,..., Q N Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 9 / 34

10 Superpoly Tests Cube Test Now that we can calculate Q i, we can do tests on Q i In cryptography, Q i should be a random polynomial If it isn t, the cryptographic primitive is weak Calculate Q i for: A randomly chosen set of C cube inputs A randomly chosen set of S superpoly inputs A random sample of superpoly input values Do statistical tests on the Q i values under the null hypothesis that Q i is a random polynomial Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 10 / 34

11 Outline CubeHash 1 Cube Test 2 CubeHash 3 Parallel Cube Tests on CubeHash 4 Statistical Tests 5 Conclusions Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 11 / 34

12 CubeHash CubeHash One-way hash function invented by Daniel Bernstein [3] Candidate submitted to the NIST SHA-3 competition [4] Parameters: r = 16, number of mixing rounds per message block b = 32, message block size (bytes) h = 224, 256, 384, or 512, hash value size (bits) Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 12 / 34

13 CubeHash CubeHash Algorithm Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 13 / 34

14 CubeHash CubeHash Round Function Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 14 / 34

15 CubeHash For This Investigation Primitive: CubeHash16 32/512 Input: 248 bits (31 bytes) Output: 512 bits Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 15 / 34

16 Outline Parallel Cube Tests on CubeHash 1 Cube Test 2 CubeHash 3 Parallel Cube Tests on CubeHash 4 Statistical Tests 5 Conclusions Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 16 / 34

17 Parallel Cube Tests on CubeHash CubeTest Program Arguments: C = Number of cube variables S = Number of superpoly variables N = Number of random samples Procedure: Choose C inputs at random to be cube variables c 1,..., c C Choose S inputs at random to be superpoly variables s 1,..., s S For i = 1 to N: Choose values at random for s 1,..., s S without replacement Calculate Q 1 (s 1,..., s S ) through Q 512 (s 1,..., s S ) Store s 1,..., s S and Q 1,..., Q 512 in output file Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 17 / 34

18 Parallel Cube Tests on CubeHash Hybrid SMP Cluster Parallel Program Design Partition s 1,..., s S samples among cluster nodes Partition c 1,..., c C values among node s CPUs and calculate F Shared memory parallel reduction of F values to calculate Q Gather Q values into one node and write output file Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 18 / 34

19 Parallel Cube Tests on CubeHash Parallel Program Execution Coded in Java using the Parallel Java Library [5, 6] Run on the tardis hybrid SMP cluster parallel computer Ten nodes, four 2.6-GHz cores and 8 GB memory per node 1 Gbps Ethernet backend network Run with 2 to 22 cube variables, 2 to 22 superpoly variables, 1,000 samples Time per CubeHash16 32/512 calculation on 40 cores = 337 nsec Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 19 / 34

20 Outline Statistical Tests 1 Cube Test 2 CubeHash 3 Parallel Cube Tests on CubeHash 4 Statistical Tests 5 Conclusions Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 20 / 34

21 Statistical Tests Balance Test of One Superpoly Null hypothesis: Q i is 0 or 1 with equal probability Chi-square test procedure: Choose N = 100 samples at random from output file n 0 = Count of 0s n 1 = Count of 1s N 0 = Expected count of 0s = 0.5 N N 1 = Expected count of 1s = 0.5 N Compute χ 2 and p-value (χ 2 distribution with 1 d.o.f.) If p significance = 0.01, test fails χ 2 = (n 0 N 0 ) 2 N 0 + (n 1 N 1 ) 2 N 1 Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 21 / 34

22 Statistical Tests Balance Test of All Superpolys Null hypothesis: Each superpoly s balance test passes with probability 0.99 and fails with probability 0.01 Chi-square test procedure: Choose N = 100 balance test results at random n p = Number of passed tests n f = Number of failed tests N p = Expected number of passed tests = 0.99 N N f = Expected number of failed tests = 0.01 N Compute χ 2 and p-value (χ 2 distribution with 1 d.o.f.) χ 2 = (n p N p ) 2 N p + (n f N f ) 2 N f Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 22 / 34

23 Statistical Tests Balance Test Results, One Run java Analyze BalanceAnalyzer ch_16_16_101.dat File date = Thu Feb 18 05:38:00 EST 2010 Target = CubeHashTarget(16,32,512) C = 16 S = 16 Seed = Cube variables = Superpoly variables = N = 512 Bit 0 1 chi^2 p *** *** *** *** *** *** *** *** *** Sample pass 96 Sample fail 4 Chi^ P Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 23 / 34

24 Statistical Tests Balance Test Results, All Runs S C Pass Fail Chi^2 P Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 24 / 34

25 Statistical Tests Balance Test Results, All Runs CubeHash16/ Balance Test Number of cube variables, C Number of superpoly variables, S Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 25 / 34

26 Statistical Tests Input/Output Independence Test Null hypothesis: Q i is 0 or 1 with equal probability whether s j is 0 or 1 Chi-square test procedure: Choose N = 100 samples at random from output file n 0 = Count of Q i 0, s j 0 N 0 = 0.5 (n 0 + n 2 ) n 1 = Count of Q i 0, s j 1 N 1 = 0.5 (n 1 + n 3 ) n 2 = Count of Q i 1, s j 0 N 2 = 0.5 (n 0 + n 2 ) n 3 = Count of Q i 1, s j 1 N 3 = 0.5 (n 1 + n 3 ) Compute χ 2 and p-value (χ 2 distribution with 2 d.o.f.) If p significance = 0.01, test fails χ 2 = 4 (n k N k ) 2 k=1 N k Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 26 / 34

27 Statistical Tests Input/Output Independence Test Results CubeHash16/ Input/Output Independence Test Number of cube variables, C Number of superpoly variables, S Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 27 / 34

28 Statistical Tests Output/Output Independence Test Null hypothesis: Q i is 0 or 1 independently of whether Q j is 0 or 1 Chi-square test procedure: Choose N = 100 samples at random from output file n 0 = Count of Q i 0, Q j 0 N 0 = 0.25 N n 1 = Count of Q i 0, Q j 1 N 1 = 0.25 N n 2 = Count of Q i 1, Q j 0 N 2 = 0.25 N n 3 = Count of Q i 1, Q j 1 N 3 = 0.25 N Compute χ 2 and p-value (χ 2 distribution with 3 d.o.f.) If p significance = 0.01, test fails χ 2 = 4 (n k N k ) 2 k=1 N k Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 28 / 34

29 Statistical Tests Output/Output Independence Test Results CubeHash16/ Output/Output Independence Test Number of cube variables, C Number of superpoly variables, S Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 29 / 34

30 Outline Conclusions 1 Cube Test 2 CubeHash 3 Parallel Cube Tests on CubeHash 4 Statistical Tests 5 Conclusions Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 30 / 34

31 Conclusions Conclusions Overall, the statistical test results were as expected for a significance level of 0.01 The statistical tests did not reveal nonrandom behavior of CubeHash CubeHash is still a viable SHA-3 candidate Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 31 / 34

32 Future Work Conclusions Test larger numbers of cube variables and superpoly variables Perform additional statistical tests Linear superpoly variables Neutral superpoly variables Test other SHA-3 candidate hash functions Port the cube testing framework to the GPU Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 32 / 34

33 References Conclusions [1] J. Aumasson, I. Dinur, W. Meier, and A. Shamir. Cube testers and key recovery attacks on reduced-round MD6 and Trivium. In Fast Software Encryption, [2] I. Dinur and A. Shamir. Cube attacks on tweakable black box polynomials. Cryptology eprint Archive Report 2008/385, January 26, [3] D. Bernstein. CubeHash specification (2.B.1). [4] NIST Cryptographic Hash Algorithm Competition. [5] A. Kaminsky. Parallel Java: A unified API for shared memory and cluster parallel programming in 100% Java. In 21st IEEE International Parallel and Distributed Processing Symposium (IPDPS 2007), [6] A. Kaminsky. Parallel Java Library. Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 33 / 34

34 Contact Information Conclusions Alan Kaminsky Department of Computer Science B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of Technology 102 Lomb Memorial Drive Rochester, NY Alan Kaminsky (RIT) Cube Tests on CubeHash SIAM PP10 34 / 34