Analysis of Differential Attacks in ARX Constructions

Similar documents
Practical Free-Start Collision Attacks on 76-step SHA-1

Algebraic properties of SHA-3 and notable cryptanalysis results

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

Construction of Differential Characteristics in ARX Designs Application to Skein

Second-Order Differential Collisions for Reduced SHA-256

How to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning

Rotational Cryptanalysis of ARX Revisited

Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials

Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl

MILP Modeling for (Large) S-boxes to Optimize Probability of Differential Characteristics

The SHA Family of Hash Functions: Recent Results

Time-memory Trade-offs for Near-collisions

Preimage Attacks on 3, 4, and 5-Pass HAVAL

Mixed-integer Programming based Differential and Linear Cryptanalysis

Weaknesses in the HAS-V Compression Function

Analysis of cryptographic hash functions

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Rotational Cryptanalysis in the Presence of Constants

Preimages for Step-Reduced SHA-2

Rebound Attack on Reduced-Round Versions of JH

Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

LS-Designs. Bitslice Encryption for Efficient Masked Software Implementations

Preimage Attacks on Reduced Tiger and SHA-2

Preimage Attacks on 3, 4, and 5-pass HAVAL

New Preimage Attacks Against Reduced SHA-1

A Brief Comparison of Simon and Simeck

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Improved Collision Search for SHA-0

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Zero-Sum Partitions of PHOTON Permutations

Related Key Differential Cryptanalysis of Midori

Finding good differential patterns for attacks on SHA-1

Rebound Distinguishers: Results on the Full Whirlpool Compression Function

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

Quantum Differential and Linear Cryptanalysis

Rebound Attack. Florian Mendel

New attacks on Keccak-224 and Keccak-256

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Practical Free-Start Collision Attacks on full SHA-1

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function

Avoiding collisions Cryptographic hash functions. Table of contents

Differential Analaysis of Block Ciphers SIMON and SPECK

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Inside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013

Construction of Lightweight S-Boxes using Feistel and MISTY structures

Subspace Trail Cryptanalysis and its Applications to AES

Nanyang Technological University, Singapore École normale supérieure de Rennes, France

The Hash Function JH 1

Rotational cryptanalysis of round-reduced Keccak

Complementing Feistel Ciphers

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT

Revisit and Cryptanalysis of a CAST Cipher

Martin Cochran. August 24, 2008

The Advanced Encryption Standard

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Time-memory Trade-offs for Near-collisions

observations on the simon block cipher family

Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method

Revisiting AES Related-Key Differential Attacks with Constraint Programming

The Invariant Set Attack 26th January 2017

Block Ciphers and Side Channel Protection

Linear Cryptanalysis of Reduced-Round Speck

Linear Analysis of Reduced-Round CubeHash

Why not SHA-3? A glimpse at the heart of hash functions.

Cryptanalysis of Luffa v2 Components

Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation

Linear Analysis of Reduced-Round CubeHash

Multiplicative Complexity Gate Complexity Cryptography and Cryptanalysis

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512

Practical Near-Collisions and Collisions on Round-Reduced ECHO-256 Compression Function

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Unaligned Rebound Attack: Application to Keccak

Differential-Linear Cryptanalysis of Serpent

Linear Cryptanalysis

Practical Near-Collisions on the Compression Function of BMW

How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Impact of Rotations in SHA-1 and Related Hash Functions

The Differential Analysis of S-functions,

Differential and Rectangle Attacks on Reduced-Round SHACAL-1

Introduction Description of MD5. Message Modification Generate Messages Summary

Higher-order differential properties of Keccak and Luffa

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

A (Second) Preimage Attack on the GOST Hash Function

Deterministic Constructions of 21-Step Collisions for the SHA-2 Hash Family

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function

Cryptographic Hash Functions Part II

Near-Collisions on the Reduced-Round Compression Functions of Skein and BLAKE

Automatic Search for Differential Trails in ARX Ciphers (extended version)

Title of Presentation

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

CPSC 467: Cryptography and Computer Security

Higher-order differential properties of Keccak and Luffa

Transcription:

.. Analysis of Differential Attacks in ARX Constructions Gaëtan Leurent UCL Crypto Group University of Luxembourg Asiacrypt 2012 G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 1 / 20

.. ARX Constructions Two main categories of designs in symmetric cryptography: ARX designs SBox designs Additions, Rotations, Xors Inspired by MD/SHA Lots of light rounds S Boxes and Linear Layers Inspired by the AES Few heavy rounds The SHA-3 competition 51 submissions in 2008; Winner: Keccak in October 2012 2 of the 5 finalists are ARX designs G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 2 / 20

. Differential attacks against ARX. Most of the cryptanalysis of ARX designs is bit twiddling As opposed to SBox based designs Building/Verifying differential trails for ARX designs is hard Many trails built by hand Problems with MD5 and SHA 1 attacks [Manuel, DCC 2011] Problems with differential trails SHACAL [Wang, Keller Dunkelman, SAC 2007] Problems reported with boomerang attacks (incompatible trails): HAVAL [Sasaki, SAC 2011] SHA 256 [BLMN, Asiacrypt 2011] Some tools are described in literature, but most are not available G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 3 / 20

.. Outline Introduction G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 4 / 20

. δa =.---x δb = -x-x Differential Characteristic. δc = xx-- δu = -x-- 2 δv = ---x c = a + b u = c + d v = u 2 δd = x--- Choose a difference operation: A differential only specifies the input and output difference A differential characteristic specifies the difference of each internal variable Compute probability for each operation G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 5 / 20

. δa =.---x δb = -x-x Differential Characteristic. δc = xx-- δu = -x-- 2 δv = ---x c = a + b u = c + d v = u 2 δd = x--- Choose a difference operation: A differential only specifies the input and output difference A differential characteristic specifies the difference of each internal variable Compute probability for each operation G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 5 / 20

. δa =.---x δb = -x-x Differential Characteristic. δc = xx-- δu = -x-- 2 δv = ---x c = a + b u = c + d v = u 2 δd = x--- Choose a difference operation: A differential only specifies the input and output difference A differential characteristic specifies the difference of each internal variable Compute probability for each operation G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 5 / 20

.. Signed difference A trail defines a set of good pairs: x [i] x [i] = 0 x [i], x [i] (0, 0), (1, 1) x [i] x [i] = 1 x [i], x [i] (0, 1), (1, 0) Wang introduced a signed difference: δ x [i], x [i] = 0 (x [i], x [i] ) (0, 0), (1, 1) δ x [i], x [i] = +1 (x [i], x [i] ) (0, 1) δ x [i], x [i] = 1 (x [i], x [i] ) (1, 0) Captures both xor difference and modular difference Generalized constraints [De Cannière Rechberger 06] G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 6 / 20

.. Generalized constraints [De Cannière & Rechberger 06] (x, x ): (0, 0) (0, 1) (1, 0) (1, 1)? anything - x = x x x x 0 x = x = 0 u (x, x ) = (0, 1) n (x, x ) = (1, 0) 1 x = x = 0 # incompatible 3 x = 0 5 x = 0 7 A x = 1 B C x = 1 D E G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 7 / 20

.. Outline Introduction G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 8 / 20

. We study carry propagation Multi-bit Constraints. δa = ---x. δb = ---- δa = ---x δb = ---- δu = -xxx u = a + b δu = -<>x u = a + b Two possibilities: δa = ---u and δu = -unn δa = ---n and δu = -nuu Active bits signs are linked We introduce new constraints > {nn, uu}: x [i] x [i] = x [i 1] < {nu, un}: x [i] x [i] x [i 1] G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 9 / 20

.. Multi-bit Constraints Carry propagation leads to constraints of the form x [i] = x [i 1] We use multi bit constraints to capture this information We consider subsets of (x [i], x [i], x [i 1] ) (1.5 bit), instead of (x [i], x [i] ) (1 bit) Captures more accurately the behavior of modular addition Only source of non linearity in pure ARX designs (Boolean functions in MD/SHA) G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 10 / 20

.. Generalization 1.5 bit constraints: subsets of (x [i], x [i], x [i 1] Relations between carry extensions 2 bit constraints: subsets of (x [i], x [i], x [i 1], x [i 1] ) Describe exactly the set {x, x x = x Δ} for any Δ 2.5 bit constraints: subsets of (x [i], x [i], x [i 1], x [i 1], x [i 2] Relations between potential carry extensions. See examples Limitations We have to use reduced sets of constraints (full set of 2.5 bit constraints: 2 32 ) Propagation for 2.5 bit constraints is slow G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 11 / 20

.. Comparison Experiments with a few rounds of a reduced Skein (4 bit words and 6 bit words) We look at the number of accepted input/output differences 2 rounds (total: 2 32 ) 3 rounds (sparse) Method Accepted Fp. Accepted Fp. Exhaustive search 2 25.1 (35960536) 0 2 18.7 ( 427667) 2.5 bit constraints 2 25.3 (40820032) 0.14 2 19.5 ( 746742) 0.7 1.5 bit constraints 2 25.3 (40820032) 0.14 2 20.4 (1372774) 2.2 1 bit constraints 2 25.4 (43564288) 0.21 2 20.7 (1762857) 3.1 Check adds indep. 2 25.8 (56484732) 0.57 G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 12 / 20

.. Outline Introduction G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 13 / 20

.. Verifying trails Problem Most analysis assume that operations are independent and multiply the probabilities. But sometimes, operations are not independent... Known problem in Boomerang attacks. [Murphy, TIT 2011] We compute necessary conditions. This allows to detect cases of incompatibility We have detected problems in several published works Incompatible trails seem to appear quite naturally G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 14 / 20

.. Incompatibility with additions Some natural differentials do not work with additions: δa = -x δb =. -x δc = -x δa = --xxxxx-. δb = ---xx--- δu = -x u = a + b + c δu = -xxxx-x- u = a + b Linearized trail Seems valid with signed difference Found in Skein near collision [eprint 2011/148] G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 15 / 20

.. Carry incompatibility δa = -xx---. δb = xxx--- δc = ------ 2 Each operation has a non zero probability Trail seems valid with signed difference Consider the 1 st addition Constraint: c [4] c [5] δc = ------ δd = ---xx- Consider the 2 nd addition Constraint: c [2] = c [3] δu = ---xx- Incompatible! Detected with the multi bit constraints G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 16 / 20

.. Carry incompatibility δa = -xx---. δb = xxx--- δc = -=/---- 2 Each operation has a non zero probability Trail seems valid with signed difference Consider the 1 st addition Constraint: c [4] c [5] δc = ---=/-- δd = ---xx- Consider the 2 nd addition Constraint: c [2] = c [3] δu = ---xx- Incompatible! Detected with the multi bit constraints G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 16 / 20

.. Carry incompatibility δa = -xx---. δb = xxx--- δc = -=---- 2 Each operation has a non zero probability Trail seems valid with signed difference Consider the 1 st addition Constraint: c [4] c [5] δc = ---=-- δd = ---xx- Consider the 2 nd addition Constraint: c [2] = c [3] δu = ---xx- Incompatible! Detected with the multi bit constraints G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 16 / 20

.. Carry incompatibility δa = -xx---. δb = xxx--- δc = -#---- 2 Each operation has a non zero probability Trail seems valid with signed difference Consider the 1 st addition Constraint: c [4] c [5] δc = ---#-- δd = ---xx- Consider the 2 nd addition Constraint: c [2] = c [3] δu = ---xx- Incompatible! Detected with the multi bit constraints G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 16 / 20

.. Graphical tool To study more complex cases, we have a graphical tool We can manually constrain some bits and propagate. G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 17 / 20

. Verifying characteristics Several published attacks are invalid.. Boomerang attacks on Blake [Biryukov al., FSE 2011] Basic linearized trails, with MSB difference Proposed attack on 7/8 round for KP and 6/6.5 for CF do not work 7 round KP attack can be made with the 6 round trail 8 round KP attack and 6/6.5 round CF attack can be fixed using another active bit (non MSB) Boomerang attacks on Skein 512 [Chen Jia, ISPEC 2010] Basic linearized trails, with MSB difference Proposed attacks do not work on Skein 512 Similar trails work on Skein 256 [Leurent Roy, CT RSA 2012] Can be fixed using another active bit [Yu, Chen Wang, SAC 2012] Near collision attack on Skein [eprint 2011/148] Complex rebound like handcrafted characteristic Path is not satisfiable G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 18 / 20

.. Our results 1 New constraints Multi bit constraints Better targeted to pure ARX designs Boomerang constraints 2 Tools for analysis of differential characteristics Publicly available Code and documentation available at: http://www.di.ens.fr/~leurent/arxtools.html http://www.cryptolux.org/arxtools 3 Problems found in several proposed attacks Incompatible trails seem to appear quite naturally G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 19 / 20

.. Thanks With the support of: FNR Luxembourg ERC project CRASH G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 20 / 20

Extra slides Outline Extra slides G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 21 / 20

Extra slides Multi-bit Constraints as S-systems We use the theory of S functions to study multi bit constraints [Mouha al., SAC 2010] We can write a bitwise function f so that: (x, x ) is a right pair f(x, x, x x) = 1 We can count the number of solutions efficiently Testing for zero or non zero very efficient We use the same tools to propagate constraints: 1 Split each subset in two smaller subsets 2 If one subset gives zero solutions, the characteristic can be restricted to the other subset.? -/x - 0/1, =/! x u/n, </> G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 22 / 20

Extra slides 1.5-bit Constraints Table (x x, x 2x, x): (0, 0, 0) (0, 0, 1) (0, 1, 0) (0, 1, 1) (1, 0, 0) (1, 0, 1) (1, 1, 0) (1, 1, 1)? anything - x = x x x x 0 x = x = 0 u (x, x ) = (0, 1) n (x, x ) = (1, 0) 1 x = x = 0 # incompatible 3 x = 0 C x = 1 5 x = 0 A x = 1 = {00, 11}! {01, 10} > {nn, uu} < {nu, un} G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 23 / 20

Extra slides Comparison Simple situations with a modular difference of ±1: Diff, carry 1 bit cstr. 1.5 bit cstr. 2 bit cstr. 2.5 bit cstr. +1, k bit -unnn -unnn -unnn -unnn (2 n k ) (2 n k ) (2 n k ) (2 n k ) (2 n k ) ±1, k bit -xxxx -><<x -><<x -><<x (2 n k+1 ) (2 n ) (2 n k+1 ) (2 n k+1 ) (2 n k+1 ) +1, any????x????x UUUUx UUUUx (2 n ) (2 2n 1 ) (2 2n 1 ) (2 n ) (2 n ) ±1, any????x????x XXXXx ///Xx (2 n+1 ) (2 2n 1 ) (2 2n 1 ) (2 n n) (2 n+1 ). Back to the talk G. Leurent (UCL & uni.lu) Analysis of Differential Attacks in ARX Constructions Asiacrypt 2012 24 / 20

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback